Thank You For Submiting Feedback!
United States Court of Appeals for the Seventh Circuit
January 23, 2015, Argued; July 20, 2015, Decided
[*689] Wood, Chief Judge. Sometime in 2013, hackers attacked Neiman Marcus, a luxury department store, and stole the credit card numbers of its customers. In December 2013, the company [*690] learned that some of its customers had found fraudulent charges on their cards. On January 10, 2014, it announced to the public that the cyberattack had occurred and that between July 16, 2013, and October 30, 2013, approximately 350,000 cards had been exposed [**2] to the hackers' malware. In the wake of those disclosures, several customers brought this action under the Class Action Fairness Act, 28 U.S.C. § 1332(d), seeking various forms of relief. The district court stopped the suit in its tracks, however, ruling that both the individual plaintiffs and the class lacked standing under Article III of the Constitution. This resulted in a dismissal of the complaint without prejudice. See Steel Co. v. Citizens for a Better Env't, 523 U.S. 83, 102, 118 S. Ct. 1003, 140 L. Ed. 2d 210 (1998) (standing to sue is a threshold jurisdictional question); Hernandez v. Conriv Realty Assocs., 182 F.3d 121, 122 (2d Cir. 1999) ("[W]here federal subject matter jurisdiction does not exist, federal courts do not have the power to dismiss with prejudice ... ."). We conclude that the district court erred. The plaintiffs satisfy Article III's requirements based on at least some of the injuries they have identified. We thus reverse and remand for further proceedings.
In mid-December 2013, Neiman Marcus learned that fraudulent charges had shown up on the credit cards of some of its customers. Keeping this information confidential at first (according to plaintiffs, so that the breach would not disrupt the lucrative holiday shopping season), it promptly investigated the reports. It discovered potential malware in its computer systems on January 1, 2014. Nine days later, it publicly disclosed [**3] the data breach and sent individual notifications to the customers who had incurred fraudulent charges. The company also posted updates on its website. Those messages confirmed several aspects of the attack: some card numbers had been exposed to the malware, but other sensitive information such as social security numbers and birth dates had not been compromised; the malware attempted to collect card data between July 16, 2013, and October 30, 2013; 350,000 cards were potentially exposed; and 9,200 of those 350,000 cards were known to have been used fraudulently. Notably, other companies had also suffered cyberattacks during that holiday season.
At that point, Neiman Marcus notified all customers who had shopped at its stores between January 2013 and January 2014 and for whom the company had physical or email addresses, offering them one year of free credit monitoring and identity-theft protection. On February 4, 2014, Michael Kingston, the Senior Vice President and Chief Information Officer for the Neiman Marcus Group, testified before the United States Senate Judiciary Committee. He represented that "the customer information that was potentially exposed to the malware was payment card [**4] account information" and that "there is no indication that social security numbers or other personal information were exposed in any way."
Full case includes Shepard's, Headnotes, Legal Analytics from Lex Machina, and more.
794 F.3d 688 *; 2015 U.S. App. LEXIS 12487 **
HILARY REMIJAS, on behalf of herself and all others similarly situated, et al., Plaintiffs-Appellants, v. NEIMAN MARCUS GROUP, LLC, Defendant-Appellee.
Subsequent History: On remand at, Motion denied by, Without prejudice, Costs and fees proceeding at Remijas v. Neiman Marcus Grp., LLC, 341 F. Supp. 3d 823, 2018 U.S. Dist. LEXIS 158250, 2018 WL 4404673 (N.D. Ill., Sept. 17, 2018)
Findings of fact/conclusions of law at Remijas v. Neiman Marcus Group, 2021 U.S. Dist. LEXIS 201486 (N.D. Ill., June 4, 2021)
Prior History: [**1] Appeal from the United States District Court for the Northern District of Illinois, Eastern Division. No. 14 C 1735. — James B. Zagel, Judge.
Remijas v. Neiman Marcus Group, LLC, 2014 U.S. Dist. LEXIS 129574 (N.D. Ill., Sept. 16, 2014)
charges, fraudulent, card, injuries, customers, district court, allegations, identity theft, plaintiffs', reimbursement, exposed, credit card, monitoring, concrete, hackers, personal information, speculative, redress, stolen, future injury, debit card, consumers', traceable, mitigate, malware, numbers, Target, costs
Civil Procedure, Appeals, Standards of Review, De Novo Review, Constitutional Law, Case or Controversy, Standing, Elements, Responses, Defenses, Demurrers & Objections, Motions to Dismiss, Banking Law, Consumer Protection, Truth in Lending, Liability for Violations