Neiman Marcus Breach Class Claims Dismissed for Lack of Concrete Injury


Sept. 17 — A federal court Sept. 16 dismissed consumer data breach class claims against high-end retailer Neiman Marcus Group Ltd. due to a failure to demonstrate concrete injury to establish standing.

U.S. District Court for the Northern District of Illinois Judge James B. Zagel rejected the plaintiffs' negligence, breach of implied contract, unjust enrichment, unfair and deceptive business practices and invasion of privacy claims, as well as claims based on the company's alleged failure to comply with several state data breach notification laws.

The court, taking the same path as most other federal trial courts considering data breach cases, relied on the U.S. Supreme Court's decision in Clapper v. Amnesty Int'l USA, 133 S. Ct. 1138 (2013) to reject allegations of a possible future injury as a basis for standing under Article III of the U.S. Constitution.

Recently, however, the federal court in the Northern District of California took a more liberal approach. The court there acknowledged the rule from Clapper, but concluded that making plaintiffs “wait until they actually suffer identity theft or credit card fraud in order to have standing would run counter to the well-established principle that harm need not have already occurred or be ‘literally certain’ in order to constitute injury-in-fact.”

No ‘Certainly Impending’ Injury

In January, retailer Neiman revealed that it had faced a malware attack in summer 2013 that targeted the payment card data of as many as 1.1 million customers.

The complaint here sought to represent some 350,000 individuals whose payment card information was compromised by the hacking attack. According to the court, at least 9,200 cards were discovered to have been used fraudulently to make purchases elsewhere.

The court said that an increased risk of identity theft for customers who alleged only that their data may have been stolen is insufficient to confer standing. Even for the 9,200 customers whose cards were used elsewhere, there is no evidence of “certainly impending” risk of future injury demanded by Clapper, the court said.

The court also rejected allegations of injury based on the loss of time and money expended by the plaintiffs in seeking to mitigate the risk of future identity theft.

In addition, the court rejected the assertion that plaintiffs faced financial losses from purchases from Neiman that they wouldn't have made had they known of the breach in a timely manner. “The argument is creative, but unpersuasive,” the court said.

Finally, the court summarily rejected the plaintiffs' argument that the loss of control over and value of their private information amounted to injury in fact, finding that the assertion wasn't “sufficiently concrete.”

Siprut PC and Ahdoot & Wolfson PC represented the plaintiffs. Sidley Austin LLP represented the defendant.

Full text of the court's opinion is available at

