
Neiman Marcus Lawsuit: Game On, Again

Will Appeals Court Reversal Rewrite Data Breach Lawsuits?

Luxury retailer Neiman Marcus Group LLC has suffered a setback in its attempt to win dismissal of a class-action lawsuit related to its 2013 data breach when a federal appeals court reversed a lower-court decision to throw out the case. But legal experts say that while the ruling is significant, it likely will not dramatically reshape the data-breach litigation landscape.


In September 2014, Judge James B. Zagel had dismissed the lawsuit on the grounds that the plaintiffs had failed to adequately allege harm, as required to establish what's known as Article III standing. But in a July 20 opinion, three judges for the U.S. Court of Appeals for the Seventh Circuit - Diane P. Wood, Michael S. Kanne and John Daniel Tinder - wrote that "the district court erred," and reversed Zagel's decision.

"At this stage in the litigation, it is plausible to infer that the plaintiffs have shown a substantial risk of harm from the Neiman Marcus data breach," they wrote. "Why else would hackers break into a store's database and steal consumers' private information? Presumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume those consumers' identities. The plaintiffs are also careful to say that only 9,200 cards have experienced fraudulent charges so far; the complaint asserts that fraudulent charges and identity theft can occur long after a data breach."

Based in part on that, "the plaintiffs have adequately alleged standing under Article III," the appeals court judges wrote. "The district court's judgment is reversed and the case is remanded for further proceedings consistent with this opinion." In other words, the proposed class-action lawsuit against Neiman Marcus can now proceed.

Lawsuit Alleges Negligence, Deception

The lawsuit against Neiman Marcus, which seeks class-action status, was filed by Hilary Remijas, Melissa Frank, Debbie Farnoush and Joanne Kao in the wake of the retailer discovering a data breach in December 2013, and making a related breach notification in January 2014 (see When Did Neiman Marcus Breach Start?). In that notification, the retailer reported that 350,000 credit and debit cards appeared to have been exposed to attackers wielding point-of-sale malware.

The lawsuit by the plaintiffs - who all say their information was compromised in the Neiman Marcus breach - accuses the retailer of "negligence, breach of implied contract, unjust enrichment, unfair and deceptive business practices, invasion of privacy, and violation of several state data breach acts." The lawsuit also alleges that Neiman Marcus discovered the breach in mid-December 2013, but covered it up until January 2014, so as to not disrupt lucrative holiday-season revenues.

But in his decision to dismiss the lawsuit, Judge Zagel had noted that only about 9,200 of the 350,000 exposed cards were subsequently used fraudulently, and that none of the plaintiffs had alleged that they had failed to be reimbursed by card issuers for fraudulent charges. "To satisfy their burden to establish standing, plaintiffs must show that their injury is concrete, particularized, and, if not actual, at least imminent," he wrote.

Supreme Court: Forget Future Injury

In fact, the vast majority of data breach lawsuits ultimately sputter, legal experts say, because they fail to establish Article III standing - that is, a concrete injury traceable to the breach (see Why So Many Data Breach Lawsuits Fail). Establishing standing became more difficult still after a 2013 Supreme Court ruling - in the case of Clapper v. Amnesty Int'l - which said that standing could not be based on the potential for a future injury, according to data breach and privacy attorney Linda Kornfeld, who's the managing partner of the Los Angeles office of law firm Kasowitz, Benson, Torres & Friedman.

In his September 2014 dismissal of the Neiman Marcus lawsuit, Zagel had cited Clapper. So did Judge Susie Morgan in May, when she dismissed a class-action lawsuit filed against eBay over its 2014 data breach that exposed encrypted passwords and personal information for 145 million users (see eBay Breach-Related Lawsuit Dismissed). In her related order, she ruled that the plaintiff "has not adequately alleged Article III standing" and dismissed the case.

In support of that judgment, however, Morgan cited in part Zagel's Neiman Marcus decision:

Despite the fact that thousands of Neiman Marcus customers had actual fraudulent charges on their credit cards, the court found the plaintiffs failed to allege that any of the fraudulent charges were unreimbursed, and the court was "not persuaded that unauthorized credit card charges for which none of the plaintiffs are financially responsible qualify as 'concrete' injuries."

New Legal Precedent?

Could the appeals court's ruling upend previous rulings such as Morgan's, or make it easier for breach lawsuits to survive dismissal and result in courts finding in favor of plaintiffs? "Any opinion that you get out of a court of appeals is significant," says attorney Ronald Raether of the law firm Faruki Ireland and Cox PLL, which is not involved in the case.

But when it comes to this ruling's impact on future data-breach litigation, "I don't think it's a big momentum shift," he says. That said, "the court's gone a little bit farther in its opinion, to articulate some of the actual damages - harm - that a consumer might suffer in the wake of an event," and that language could potentially prove useful to the Neiman Marcus plaintiffs, he says.

To date, however, Raether says he's only aware of one data breach lawsuit that has successfully achieved class-action status; all others have either been dismissed, or the defendants have settled. Indeed, he notes that whenever plaintiffs manage to clear the "motion to dismiss" stage, the organization being sued inevitably settles before the case can progress to the "discovery" phase, in which plaintiffs can obtain evidence from the organization related to the breach.

"Why are companies settling? Because they don't want discovery into their information security practices. They don't want discovery into what their IT folks have been saying about what needs to be done or what's been happening in terms of their information security practices," Raether says. "So inevitably for the industry and for companies, if you want to avoid class-action exposure following an event, you need to have sound, good data and information security practices in place, good data governance, good documentation - you have to be ready for that discovery."

Executive Editor Marianne Kolbasuk McGee also contributed to this story.

About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.