DATA BREACH LITIGATION UPDATE: District Court Judge Rejects Remijas Settlement and Decertifies Class
A judge for the U.S. District Court for the Northern District of Illinois has dealt the latest blow to a consumer class seeking recovery from Neiman Marcus following the 2013 exposure of credit card information, as the result of a data breach. On September 17, 2018, Judge Sharon Johnson Coleman decertified the class and rejected a $1.6 million settlement reached between the class and Neiman Marcus Group LLC.
Neiman Marcus customers Hilary Remijas, Melissa Frank, Debbie Farnoush and Joanne Kao filed a class action lawsuit in March 2014 after Neiman Marcus announced that 370,385 credit card numbers had been exposed during a 3-month period in 2013 when malware was installed on the company’s computer system and used to scrape payment data from the system. Of the exposed credit cards, the suit alleged that 9,200 cards were used to make fraudulent purchases. The case was originally dismissed in September 2014 when U.S. District Judge James Zagel found that the customers lacked standing if they could not demonstrate “actual harm” resulting from the breach.
The Seventh Circuit Court of Appeals revived the case by reversing the District Court’s dismissal, stating that the potential for harm from a data breach was sufficient to “clear the low bar to establish standing at the pleading stage.” In their reasoning, the Seventh Circuit found that misuse of personal data from a data breach was likely because hackers do not infiltrate databases and steal personal information for any purpose other than to eventually make fraudulent charges or assume a consumer’s identity. The Seventh Circuit’s opinion is yet another decision highlighting the split among Circuit Courts as to whether or not data breach victims have standing to proceed with litigation.
Following the Seventh Circuit’s revival of Remijas, in 2016, the case was voluntary dismissed without prejudice by Judge Der-Yeghiayan to allow the parties more time to attempt to reach a settlement. The parties reached a settlement and, in March 2017, sought approval from Judge Coleman, who took over the case following Judge Der-Yeghiayan’s retirement. The settlement agreement provided that class members who filed a claim showing that their credit card was used during the period when malware was on Neiman Marcus’ computer system were entitled to up to $100 in monetary relief. The four class representatives were set to receive $2,500. The deal also provided that Neiman Marcus would provide a year of free credit monitoring and identity theft insurance for customers who shopped at Neiman Marcus between July 2013 and January 2014.
Judge Coleman rejected the settlement because it created conflicts between class members. More specifically, Judge Coleman explained that the class has at least two subclasses, with one class consisting of customers who made purchases outside the period when the malware was active, and a second class consisting of those customers who made purchases during the period when the malware was active. Judge Coleman found that class members who made purchases outside of the malware period had no incentive to accept the settlement terms, whereas those class members who did make purchases during the malware period would be more likely to agree to the non-monetary terms. Judge Coleman also objected to the characterization of the non-monetary benefits as settlement benefits because Neiman Marcus had already agreed to provide those benefits prior to the formation of the class.
The Remijas opinions highlights the key issues that persist in class action matters that arise from data breaches and Judge Coleman’s opinion will, no doubt, serve as a guide for future class action matters in Illinois and across the country. Litigants and practitioners will watch, with keen interest, for the next developments in this litigation.
- New Illinois Workers’ Compensation Legislation: Unconstitutional If Applied Retroactively
- TRANSPORTATION LAW CLIENT ALERT: City of Detroit Mayor Mike Duggan’s Lawsuit Challenging the Michigan No-Fault Act’s Constitutionality Gains Traction
- CYBER RISK CLIENT ALERT: Actual Harm is not Necessary Under BIPA
- Judge Grants First Summary Judgment Based on Medical Causation in NY County Asbestos Litigation
- TRANSPORTATION LAW CLIENT ALERT: The Supreme Court’s Decision in New Prime v. Oliveira
- CYBER RISK CLIENT ALERT: Will This Become a National Trend? Pennsylvania Supreme Court Rules That Employers Have a Legal Duty to Protect Employees' Electronic Data
- PROFESSIONAL LIABILITY CLIENT ALERT: Application of Judgmental Immunity in Illinois
- REAL ESTATE CLIENT ALERT: Michigan Court of Appeals Held That Non-Tenants May Not Sue Landlords Under Common Theories of Liability
- Illinois Appellate Court Concludes that Actual Harm is not Required under Biometric Information Privacy Act
- CYBER RISK CLIENT ALERT: What Companies can Learn from Uber’s Recent $148 Million Settlement
- Professional Liability
- Class Action
- Complex Commercial Litigation
- Insurance Coverage
- Insurance & Reinsurance Litigation & Counseling
- Cyber Risk & Liability
- Toxic Tort
- Professional Development
- Construction Litigation & Counseling
- Pharmaceutical & Medical Device Litigation
- Social Media & Privacy
- Workers' Compensation
- Employment Litigation & Counseling
- Medical Negligence & Healthcare Liability
- Product Liability
- Discrimination, Harassment & Hostile Workplace Claims