Neiman Marcus Card Holders May Proceed with Hacking Lawsuit

(July 20, 2015) Neiman Marcus credit card holders whose accounts were hacked will be able to proceed with a federal class-action lawsuit against the luxury brand retailer.

The Seventh Circuit reversed a district court’s dismissal, finding that the plaintiffs sufficiently alleged they were harmed by a data breach that exposed 350,000 credit cards and where at least 9,500 accounts showed fraudulent transactions. The data breach occurred in 2013. The store was aware of fraudulent charges in December 2013 but did not discover potential malware until January 2014.

Neiman Marcus argued, and the trial court agreed, that, until the plaintiffs showed actual injury from the data breach, the court lacked the authority to hear the case. The appellate court disagreed, finding that customers should not have to wait to have standing to sue until hackers commit identity theft or credit-card fraud.

“At this stage in the litigation, it is plausible to infer that the plaintiffs have shown a substantial risk of harm from the Neiman Marcus data breach,” the appellate court wrote. “Why else would hackers break into a store’s database and steal consumers’ private information? Presumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume those consumers’ identities.”

The Seventh Circuit observed that Neiman Marcus did not contest the fact that the data breach occurred. The court found it was “telling” that the retailer offered one year of credit monitoring and identity-theft protection to customers who had shopped at their stores between January 2013 and January 2014. “It is unlikely that it did so because the risk is so ephemeral that it can safely be disregarded,” the opinion stated.

The company also argued that the plaintiffs cannot show their injuries are traceable to the data incursion at Neiman Marcus because other retailers as well suffered data breaches around the same time. The appellate court said it was up to Neiman Marcus to prove that their actions were not the cause of plaintiffs’ injuries. “It is enough at this stage of the litigation that Neiman Marcus admitted that 350,000 cards might have been exposed and that it contacted members of the class to tell them they were at risk. Those admissions and actions by the store adequately raise the plaintiffs’ right to relief above the speculative level.”

Hilary Remijas v. Neiman Marcus Group, LLC, Seventh Cir. No. 14-3122, issued July 20, 2015.