On July 20, the Seventh Circuit Court of Appeals ruled that a group of plaintiffs who sued Neiman Marcus over the theft of their credit card information in a data security breach had standing to sue for fraudulent charges, as well as fraud-prevention expenses and credit monitoring. The appellate court reversed a prior decision from the U.S. District Court for the Northern District of Illinois holding that the plaintiffs’ injuries via unauthorized charges were insufficient for standing purposes. The appellate decision is styled Remijas et al. v. The Neiman Marcus Group LLC, Case No. 14-3122.
In March 2014, the four named plaintiffs sued Neiman Marcus, alleging that it failed to enact proper security measures to prevent or mitigate a data breach and did not provide timely notice to consumers, thereby exposing them to fraudulent charges and an increased risk of identity theft.
In its decision, the Seventh Circuit distinguished the U.S. Supreme Court’s decision in Clapper v. Amnesty International USA on the grounds that the plaintiffs, here, brought their claims over a data breach that undoubtedly occurred, thereby raising their claims above the threshold of “speculative harm.” The court also found that preventive costs consumers might incur such as credit monitoring and replacement card fees were sufficient, concrete injuries to confer standing. The court was skeptical, however, that the plaintiffs’ other alleged injuries (i.e., that Neiman Marcus had overcharged them because they expected adequate data security from the retailer and that their personal information has a kind of property value) could confer standing, and refrained from ruling on those claims.
“At this stage in the litigation, it is plausible to infer that the plaintiffs have shown a substantial risk of harm from the Neiman Marcus data breach,” the appellate court said. “Why else would hackers break into a store’s database and steal consumers’ private information?”