The victims of a data breach lacked standing to bring suit against Neiman Marcus, a federal court judge in Illinois has ruled.
Hilary Remijas filed suit against the national retailer based on a notorious hacking incident that occurred during the 2013 holiday season. Styled as a class action on behalf of the estimated 350,000 customers whose payment card data and personally identifiable information were breached, Remijas charged Neiman Marcus with negligence, breach of implied contract, unjust enrichment, invasion of privacy, unfair and deceptive business practices, and violation of several state data breach laws.
Neiman Marcus moved to dismiss the suit based on a lack of Article III standing.
Siding with the retailer, U.S. District Court Judge James B. Zagel said the plaintiffs failed to convince him that the class had suffered an actual injury.
The plaintiffs asserted they were injured by the breach itself (such as the loss of time and money associated with resolving fraudulent charges and protecting against the risk of future identity theft) and were exposed to future harm (in the form of increased risk of identity theft or future fraudulent charges).
While allegations of potential harm may suffice to establish Article III standing, the plaintiffs did not have a “certainly impending” risk of future injury, Judge Zagel said. Although at least 9,200 customers were subject to fraudulent charges after the breach, that fact did not confer standing to the other plaintiffs on the grounds that they might also incur the same injury.
“To assert on this basis that either set of customers is also at a certainly impending risk of identity theft is, in my view, a leap too far,” the court said, noting that the fraudulent charges impacted just 2.5 percent of the customers involved in the breach.
As for a current injury, the plaintiffs did not allege that any of the actual fraudulent charges went unreimbursed, the court said, and the complaint lacked meaningful allegations as to the costs that were incurred to mitigate the risk of future fraudulent charges.
“Generally, when one sees a fraudulent charge on a credit card, one is reimbursed for the charge, and the threat of future charges is eliminated by the issuance of a new card, perhaps resulting in a brief period where one is without its use,” Judge Zagel wrote. “If the complaint is to credibly claim standing on this score, it must allege something that goes beyond such de minimis injury.”
The court gave the plaintiffs points for creativity for their final argument: that they paid a premium for retail goods purchased at Neiman Marcus, a portion of which should have been allocated to adequate data breach security measures. Therefore, Remijas contended, the class overpaid for their purchases and would not have otherwise made them. While the court recognized the theory of injury, he found it unavailing in the instant case.
“[A] vital limiting principle to this theory of injury is that the value-reducing deficiency is always intrinsic to the product at issue,” the judge said. “Under plaintiffs’ theory, however, the deficiency complained of is extrinsic to the product being purchased.”
Judge Zagel dismissed the suit in its entirety for lack of Article III standing.
To read the opinion in Remijas v. Neiman Marcus, click here.
Why it matters: Data breach plaintiffs continue to fight the standing battle for judicial recognition. The obstacle proved insurmountable for the Neiman Marcus plaintiffs, who failed to convince the judge they faced a threat of future harm or suffered anything more than de minimis actual harm, particularly as those who faced fraudulent charges had already been reimbursed.