It turns out that Neiman Marcus, one of many retailers that announced it suffered a data breach last year, will indeed face a class action lawsuit that claims the upscale department store failed to protect its system from hackers.
A decision on the case, which was initially argued in the Northern District of Illinois U.S. District Court, came down from a panel of judges at the Seventh Circuit Court of Appeals yesterday.
The decision actually reverses a judgment from the district court that was first filed last September. The decision points out that the previous judge made an error by dismissing the data security breach class action too soon. Officials at Neiman Marcus assumed that the company had resolved its case, something that resulted in a dismissal without prejudice. If Neiman Marcus wanted a dismissal with prejudice, something which would have forbidden a party from refiling the case and given Neiman Marcus additional relief, the court claims it should’ve filed a cross-appeal, something the company apparently did not do.
The case was reversed because some allegations from the plaintiffs, in this case breached customers, did cause harm and injury.
“At this stage in the litigation, it is plausible to infer that the plaintiffs have shown a substantial risk of harm from the Neiman Marcus data breach,” Chief Judge Diane Wood, along with Judges Michael Kanne and John Tinder, wrote Monday. “Why else would hackers break into a store’s database and steal consumers’ private information? Presumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume those consumers’ identities.”
When the breach was first announced in January 2014, it was believed that the credit and debit card information of upwards of 1.1 million customers may have been compromised, yet in actuality the number of victims was about a third of that.
According to the ruling, 350,000 payment cards were ultimately compromised in the breach, but only 9,200 of those cards were used fraudulently. While only a fraction of the cards were used illegally and those victims had their funds reimbursed, the court holds that the company “inflicted concrete, particularized injury on them.”
“Those victims have suffered the aggravation and loss of value of the time needed to set things straight, to reset payment associations after credit card numbers are changed, and to pursue relief for unauthorized charges. The complaint also alleges a concrete risk of harm for the rest,” the decision reads.
In a statement to its customers about the breach last June, the company’s President and CEO Karen Katz claimed that malware was “clandestinely installed” on Neiman Marcus’ systems that attempted to collect or scrape payment card data from July 16, 2013, to October 30, 2013.
In response, four of the store’s spurned customers went on to file a First Amended Complaint against Neiman Marcus that same month, suing the company for negligence, breach of implied contract, invasion of privacy and violation of data breach laws, among a handful of other claims.
When reached Tuesday, Ginger Reeder, VP of Corporate Communications for Neiman Marcus, said the company had no comment on the revival of the lawsuit.
The court didn’t buy all of the plaintiffs’ allegations of injury, but it bought enough to reverse the previous court’s ruling and remand the case for further proceedings.
The Court of Appeals balked in particular at one claim which accused the company of selling its products at too high a cost and not devoting any of the additional money to cybersecurity.
“This is a step that we need not, and do not, take in this case. Plaintiffs do not allege any defect in any product they purchased; they assert instead that patronizing Neiman Marcus inflicted injury on them,” the decision reads.
“We refrain from deciding whether the over‐payment for Neiman Marcus products and the right to one’s personal information might suffice as injuries… The injuries associated with resolving fraudulent charges and protecting oneself against future identity theft do,” the decision reads.