A panel of the Seventh Circuit Court of Appeals (Wood, C.J., Kanne, J. and Tinder, J.) has reversed the dismissal of a data security breach class action lawsuit against luxury department store Neiman Marcus.

This lawsuit stemmed from a hacking incident in which “350,000 cards were potentially exposed; and 9,200 of those 350,000 cards were known to have been used fraudulently.” The company provided notices to consumers and a year of free credit monitoring. A number of class action lawsuits were brought by consumers, consolidated into the lawsuit Hilary Remijas v. Neiman Marcus Group, LLC. “The plaintiffs point to several kinds of injury they have suffered: 1) lost time and money resolving the fraudulent charges, 2) lost time and money protecting themselves against future identity theft, 3) the financial loss of buying items at Neiman Marcus that they would not have purchased had they known of the store’s careless approach to cybersecurity, and 4) lost control over the value of their personal information.”

The trial court dismissed the case for lack of Article III standing under Rule 12(b)(1) and declined to rule on defendant’s Rule 12(b)(6) argument. The Seventh Circuit found that at least some of plaintiffs’ alleged injuries passed Constitutional muster, even under the standards set forth in cases like Clapper v. Amnesty International USA.

As to the 9,200 who reported fraud on their cards, the panel found that even reimbursement did not make them whole. “Those victims have suffered the aggravation and loss of value of the time needed to set things straight, to reset payment associations after credit card numbers are changed, and to pursue relief for unauthorized charges.”
The panel also found that the proposed class alleged concrete harm in the form of risk of identity theft. The panel noted that the information was stolen, not lost, and in thousands of instances actually misused. The panel further turned the retailer’s offer of credit monitoring against it. “It is telling in this connection that Neiman Marcus offered one year of credit monitoring and identity‐theft protection to all customers for whom it had contact information and who had shopped at their stores between January 2013 and January 2014. It is unlikely that it did so because the risk is so ephemeral that it can safely be disregarded.”

The panel did note that as to the remaining allegations of injury, “they are more problematic,” and “we are dubious.” While plaintiffs claimed that their personal information had value, the panel noted that plaintiffs cited no authority to support that. The panel similarly did not credit plaintiffs’ allegations that they would have paid less for Neiman Marcus products had it known of the security failure.

Defendant had also moved to dismiss under Rule 12(b)(6). The trial court had not addressed defendant’s arguments under this Rule. Because defendant did not cross-appeal the trial court’s failure to dismiss on Rule 12(b)(6) grounds, the Seventh Circuit did not address whether the plaintiffs failed to state a claim. However, now that the trial court has jurisdiction, defendant can present all appropriate arguments. Indeed, the Seventh Circuit in Pisciotta v. Old Nat’l Bancorp, 499 F.3d 629 (7th Cir. 2007) found standing for data security breach claims, but that such claims failed to state a claim under the relevant substantive laws.