In 2013, hackers breached the data systems of Neman Marcus, allegedly exposing 350,000 customers to possible credit fraud and identity theft. In Remijas et al. v. The Neiman Marcus Group LLC, the class of customers brought suit against the retail giant, arguing its security systems were deficient and it failed to mitigate damages by timely alerting customers of the breach.
Specifically, the plaintiffs argued that Neiman Marcus exposed them to both fraudulent charges and a heightened risk of identity theft. The U.S. District Court for the Northern District of Illinois dismissed the case in March 2014, finding that the plaintiffs did not have a concrete injury to establish standing. However, in July 2015, the Seventh Circuit Court of Appeals overruled the district court in a precedential decision, holding that such injuries qualify for constitutional standing. The Seventh Circuit found that “it is plausible to infer that the plaintiffs have shown a substantial risk of harm from the Neiman Marcus data breach.”
In August, Neiman Marcus asked the Seventh Circuit to reconsider its decision, relying on the 2013 U.S. Supreme Court case of Clapper v. Amnesty International, 133 S. Ct. 1138 (2013). In Clapper, the challengers alleged the injury of having to take costly steps to keep their conversations private from government intrusion. The Supreme Court ruled in favor of the retailer, holding that the challengers did not satisfy the injury requirement for constitutional standing because the challengers’ assertions that they were potential targets of surveillance was too speculative and based on a chain of events that might never occur.
Earlier this month, the Seventh Circuit denied the motion of Neiman Marcus to rehear the data-breach case and distinguished Clapper, finding that unlike potential government snooping, a data breach can directly and foreseeably result in identity fraud—concrete injuries sufficient to establish standing.
With cyber-attacks becoming increasingly prevalent, the Seventh Circuit’s holding may have vast impacts on data-breach law for corporations, and opens the door for more data-breach class-action litigation. This opinion is a good reminder of the importance of cyber security systems, protections, and procedures to protect against and minimize damages in the event of a data breach.
— Michael Paretti, J.D., Snell & Wilmer, Las Vegas, NV