News 09.26.18

Data Breach Litigation Update: District Court Judge Rejects Remijas Settlement and Decertifies Class

Neiman Marcus customers Hilary Remijas, Melissa Frank, Debbie Farnoush and Joanne Kao filed a class action lawsuit in March 2014 after Neiman Marcus announced that 370,385 credit card numbers had been exposed during a 3-month period in 2013 when malware was installed on the company’s computer system and used to scrape payment data from the system. Of the exposed credit cards, the suit alleged that 9,200 cards were used to make fraudulent purchases. The case was originally dismissed in September 2014 when U.S. District Judge James Zagel found that the customers lacked standing if they could not demonstrate “actual harm” resulting from the breach.

The Seventh Circuit Court of Appeals revived the case by reversing the District Court’s dismissal, stating that the potential for harm from a data breach was sufficient to “clear the low bar to establish standing at the pleading stage.” In their reasoning, the Seventh Circuit found that misuse of personal data from a data breach was likely because hackers do not infiltrate databases and steal personal information for any purpose other than to eventually make fraudulent charges or assume a consumer’s identity. The Seventh Circuit’s opinion is yet another decision highlighting the split among Circuit Courts as to whether or not data breach victims have standing to proceed with litigation.

Following the Seventh Circuit’s revival of Remijas, in 2016, the case was voluntary dismissed without prejudice by Judge Der-Yeghiayan to allow the parties more time to attempt to reach a settlement. The parties reached a settlement and, in March 2017, sought approval from Judge Coleman, who took over the case following Judge Der-Yeghiayan’s retirement. The settlement agreement provided that class members who filed a claim showing that their credit card was used during the period when malware was on Neiman Marcus’ computer system were entitled to up to $100 in monetary relief. The four class representatives were set to receive $2,500. The deal also provided that Neiman Marcus would provide a year of free credit monitoring and identity theft insurance for customers who shopped at Neiman Marcus between July 2013 and January 2014.

Judge Coleman rejected the settlement because it created conflicts between class members. More specifically, Judge Coleman explained that the class has at least two subclasses, with one class consisting of customers who made purchases outside the period when the malware was active, and a second class consisting of those customers who made purchases during the period when the malware was active. Judge Coleman found that class members who made purchases outside of the malware period had no incentive to accept the settlement terms, whereas those class members who did make purchases during the malware period would be more likely to agree to the non-monetary terms. Judge Coleman also objected to the characterization of the non-monetary benefits as settlement benefits because Neiman Marcus had already agreed to provide those benefits prior to the formation of the class.

The Remijas opinions highlights the key issues that persist in class action matters that arise from data breaches and Judge Coleman’s opinion will, no doubt, serve as a guide for future class action matters in Illinois and across the country.  Litigants and practitioners will watch, with keen interest, for the next developments in this litigation.