Class action plaintiffs in a lawsuit against Neiman Marcus will now have another chance to sue the retailer over a 2013 data breach due to a Seventh Circuit Court of Appeals overturning an earlier district court dismissal of the suit for lack of standing.
The breach in December 2013 exposed potentially 350,000 credit cards of Neiman Marcus shoppers to cybercriminals, according to the Court’s decision. Of those, 9,200 cards were used to make fraudulent transactions. Plaintiffs argued that Neiman Marcus knew of the breach in December, but did not alert customers until January 10, 2014, in order to “not disrupt the lucrative holiday shopping season.”
Several affected consumers brought a class action lawsuit on behalf of the 350,000 shoppers; Neiman Marcus moved to dismiss for failure to state a claim and lack of standing. The district judge granted the motion in September 2014, prompting an appeal from the class members. The Seventh Court took up the case, noting that the plaintiffs must show actual or “certainly impending” harm to achieve Article III standing.
According to Chief Judge Wood, for 9,200 of the affected consumers, the harm is already realized in the form of time and money lost to replacing the misused credit cards, although they acknowledge reimbursement by their banks. The Court noted that the plaintiffs also argue that the rest of the class could conceivably see future fraud on their accounts.
“At this stage in the litigation, it is plausible to infer that the plaintiffs have shown a substantial risk of harm from the Neiman Marcus data breach,” stated Judge Wood. “Why else would hackers break into a store’s database and steal consumers’ private information? Presumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume those consumers’ identities.”
The judge cited an earlier data breach case against Adobe Systems and the guiding case in Article III standing, Clapper v. Amnesty Int’l USA (U.S. Supreme Court, 2013), in commenting, “Neiman Marcus customers should not have to wait until hackers commit identity theft or credit-card fraud in order to give the class standing, because there is an ‘objectively reasonable likelihood’ that such an injury will occur.”