Header graphic for print
Privacy & Security Matters Mintz Levin : Data Compliance & Security, Employee Privacy Lawyer & Attorney

Neiman Marcus Chides Seventh Circuit Panel

Posted in Class Action Litigation, Data Breach, Privacy Litigation

Neiman Marcus Petition Claims that Seventh Circuit Decision Invents Harm to Find Standing to Bring Data Breach Claims

Retailer Neiman Marcus has filed a petition seeking en banc review by the entire Seventh Circuit of the decision by a three-judge panel of that court in Remijas v. Neiman Marcus Group, LLC reversing dismissal of consumer data breach claims for lack of standing.   As we previously reported, the panel decision in Remijas held that injuries consisting of 1) lost time and money resolving the fraudulent charges, and 2) lost time and money protecting against future identity theft, were sufficient to confer Article III standing for consumers to bring suit.   In so ruling, the panel rejected the district court’s holding that plaintiffs’ allegations of potential future harms arising from stolen credit card numbers were too remote to satisfy the standing requirements set forth by the Supreme Court in Clapper v. Amnesty Intʹl USA, 133 S. Ct. 1138 (2013). 

Neiman Marcus advances both legal and factual grounds for its petition.  Legally, Neiman Marcus argues that the panel misread Clapper, and instead applied an incorrect legal standard that the Supreme Court had explicitly rejected in ClapperClapper held that standing requires allegation of an injury that is “concrete, particularized, and actual or imminent . . . .”  To be “imminent,” the injury must be “certainly impending” and cannot merely be a “possible future injury.”  According to Neiman Marcus, the panel failed to apply that standard.  Instead, the panel relied on the more lenient “objectively reasonable likelihood” standard, which the Supreme Court expressly rejects in Clapper as a “novel view of standing” that is “inconsistent with our requirement that ‘threatened injury’ must be certainly impending to constitute injury in fact.”

The factual grounds for review flow from the panel’s application of that improper standard.  Neiman Marcus contends that the panel misunderstood the consequences of payment card number theft.  The panel found that consumers had a reasonable likelihood of suffering future injuries in the form of damaged credit or identity theft, despite that (i) payment card numbers are insufficient to permit identity theft; and (ii) consumers are held harmless for fraudulent charges on stolen card numbers.  Thus, Neiman Marcus asserts, there was no ground to conclude that any threatened injury was certainly impending.  Also insufficient were speculative harms posited by the panel, such as the risk that data thieves could use stolen card data to obtain new cards — which is impossible – or that banks might in the future cease holding consumers harmless for fraudulent charges.  Both of those speculative harms, Neiman Marcus argues, were unsupported by the record and, therefore, are insufficient to establish certainly impending harm that would confer standing under the standard established in Clapper.

The Neiman Marcus petition represents an effort to clarify that consumer standing in data breach cases should depend on the nature of the data that is stolen.  The petition cites a recent article in the New York Times titled “Stolen Consumer Data is a Smaller Problem Than It Seems,” which reports that, as privacy experts are well aware, “[o]nly a tiny number of people exposed by leaks [of payment card data] end up paying any costs, and for the rare victims who do, the average cost has actually been falling steadily.”  The New York Times article and the Neiman Marcus petition both distinguish the minimal-to-nonexistent consumer impact of payment card theft from the deadlier fallout resulting from theft of Social Security numbers and other personal data that make it possible for criminals to engage in identity theft.  Given the vastly different consequences that flow from those two types of data breaches, courts’ standing analyses should be particularized based on the type of data that has been stolen.  A decision by the full Seventh Circuit to grant the petition would provide an opportunity to clarify what sorts of data thefts permit consumers to maintain claims in federal court and, one hopes, limit standing to those consumers who have a real and imminent prospect of injury.