Neiman Urges Full 7th Cir. to Rethink Breach Harm

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

Aug. 4 — Seeking to rebuild the proof of harm levy holding back a potential flood of data breach class actions, Neiman Marcus Group LLC Aug. 3 asked a full federal appeals court to reconsider a panel decision that a likely threat of identity theft is sufficient for a group of customers to sue over a payment card hacking breach.

The petition for rehearing en banc asserted the U.S. Court of Appeals for the Seventh Circuit panel's July 20 opinion “squarely conflicts” with the U.S. Supreme Court's “most recent and controlling decisions” on Article III cognizable injury.

The Supreme Court requires that standing be found only where there is “imminent” and “certainly impending” harm, not just merely a showing of objectively reasonable fear of harm, Neiman Marcus argued in its petition.

Putative Class of 350,000 Customers 

In January 2014, Neiman Marcus revealed that it had been a target of a malware attack specifically going after the payment card data of as many as 1.1 million customers. The plaintiffs sought to represent a class of approximately 350,000 Neiman Marcus customers affected by the hacking, involving at least 9,2000 payment cards being fraudulently used to make purchases elsewhere.

In September 2014, the U.S. District Court for the Northern District of Illinois dismissed the suit for failing to demonstrate concrete injury to establish standing. Citing the U.S. Supreme Court's decision in Clapper v. Amnesty Int'l USA, 133 S. Ct. 1138 (2013), the district court declined to hold allegations of possible future injury as a basis for Article III standing.

Supreme Court's Clapper Standard

On appeal, a Seventh Circuit panel took a position that appeared to erode the likelihood of harm barrier that has held back most data breach class litigation. In reversing and remanding the case, the appeals court found that the plaintiffs satisfied the requirements of Article III standing, based on their alleged future injuries, and loss of time and money spent to protect themselves against fraudulent charges and future identity theft. “Customers should not have to wait until hackers commit identity theft or credit-card fraud in order to give the class standing, because there is an ‘objectively reasonable likelihood' that such an injury will occur,” the appeals court said, citing Clapper.

However, according to Neiman Marcus's Aug. 3 petition, the Seventh Circuit's ruling was “squarely at odds” with Clapper. The petition asserted that in Clapper, the Supreme Court “explicitly rejected” an objectively reasonable likelihood test, finding that it was inconsistent with the requirement that a potential future injury be “‘imminent' and ‘certainly impending.'”

The petition also noted that the Seventh Circuit's opinion created a circuit split with the Third Circuit's opinion in Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011), which held that an increased risk of identity theft from a payroll database hacking breach doesn't satisfy Article III's injury-in-fact standing requirements.

Sidley Austin LLP filed the petition on behalf of the appellants.

Full text of the petition is available at

Request Bloomberg Law: Privacy & Data Security