Remijas v. Neiman Marcus Grp., LLC

• Decision Date: 20 July 2015
• Docket Number: No. 14–3122.,14–3122.
• Citation: Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688 (7th Cir. 2015)
• Parties: Hilary REMIJAS, on behalf of herself and all others similarly situated, et al., Plaintiffs–Appellants, v. NEIMAN MARCUS GROUP, LLC, Defendant–Appellee.
• Court: U.S. Court of Appeals — Seventh Circuit

794 F.3d 688

Hilary REMIJAS, on behalf of herself and all others similarly situated, et al., Plaintiffs–Appellants

v.NEIMAN MARCUS GROUP, LLC, Defendant–Appellee.

No. 14–3122.

United States Court of Appeals, Seventh Circuit.

Argued Jan. 23, 2015.

Decided July 20, 2015.

Rehearing En Banc Denied Sept. 17, 2015.

Theodore W. Maya, Attorney, Tina Wolfson, Attorney, Ahdoot & Wolfson, PC, West Hollywood, CA, Joseph Siprut, Attorney, Siprut PC, Chicago, IL, for Plaintiffs–Appellants.

Daniel Craig, Attorney, Tacy Fletcher Flint, Attorney, David H. Hoffman, Attorney, Sidley Austin LLP, Chicago, IL, for Defendant–Appellee.

Before WOOD, Chief Judge, and KANNE and TINDER, Circuit Judges.

Opinion

WOOD, Chief Judge.

Sometime in 2013, hackers attacked Neiman Marcus, a luxury department store, and stole the credit card numbers of its customers. In December 2013, the company learned that some of its customers had found fraudulent charges on their cards. On January 10, 2014, it announced to the public that the cyberattack had occurred and that between July 16, 2013, and October 30, 2013, approximately 350,000 cards had been exposed to the hackers' malware. In the wake of those disclosures, several customers brought this action under the Class Action Fairness Act, 28 U.S.C. § 1332(d), seeking various forms of relief. The district court stopped the suit in its tracks, however, ruling that both the individual plaintiffs and the class lacked standing under Article III of the Constitution. This resulted in a dismissal of the complaint without prejudice. See Steel Co. v. Citizens for a Better Env't, 523 U.S. 83, 102, 118 S.Ct. 1003, 140 L.Ed.2d 210 (1998) (standing to sue is a threshold jurisdictional question); Hernandez v. Conriv Realty Assocs., 182 F.3d 121, 122 (2d Cir.1999) (“[W]here federal subject matter jurisdiction does not exist, federal courts do not have the power to dismiss with prejudice....”). We conclude that the district court erred. The plaintiffs satisfy Article III's requirements based on at least some of the injuries they have identified. We thus reverse and remand for further proceedings.

I

In mid-December 2013, Neiman Marcus learned that fraudulent charges had shown up on the credit cards of some of its customers. Keeping this information confidential at first (according to plaintiffs, so that the breach would not disrupt the lucrative holiday shopping season), it promptly investigated the reports. It discovered potential malware in its computer systems on January 1, 2014. Nine days later, it publicly disclosed the data breach and sent individual notifications to the customers who had incurred fraudulent charges. The company also posted updates on its website. Those messages confirmed several aspects of the attack: some card numbers had been exposed to the malware, but other sensitive information such as social security numbers and birth dates had not been compromised; the malware attempted to collect card data between July 16, 2013, and October 30, 2013; 350,000 cards were potentially exposed; and 9,200 of those 350,000 cards were known to have been used fraudulently. Notably, other companies had also suffered cyberattacks during that holiday season.

At that point, Neiman Marcus notified all customers who had shopped at its stores between January 2013 and January 2014 and for whom the company had physical or email addresses, offering them one year of free credit monitoring and identity-theft protection. On February 4, 2014, Michael Kingston, the Senior Vice President and Chief Information Officer for the Neiman Marcus Group, testified before the United States Senate Judiciary Committee. He represented that “the customer information that was potentially exposed to the malware was payment card account information” and that “there is no indication that social security numbers or other personal information were exposed in any way.”

These disclosures prompted the filing of a number of class-action complaints. They were consolidated in a First Amended Complaint filed on June 2, 2014, by Hilary Remijas, Melissa Frank, Debbie Farnoush, and Joanne Kao. They sought to represent themselves and the approximately 350,000 other customers whose data may have been hacked. The complaint relies on a number of theories for relief: negligence, breach of implied contract, unjust enrichment, unfair and deceptive business practices, invasion of privacy, and violation of multiple state data breach laws. It raises claims that exceed $5,000,000, and minimal diversity of citizenship exists, because Remijas is a citizen of Illinois, Frank is a citizen of New York, and Farnoush and Kao are citizens of California, while the Neiman Marcus Group LLC, once ownership is traced through several intermediary LLCs, is owned by NM Mariposa Intermediate Holdings Inc., a Delaware corporation with its principal place of business in Texas. The district court's jurisdiction (apart from the Article III issue to which we will turn) was therefore proper under 28 U.S.C. § 1332(d)(2).

Remijas alleged that she made purchases using a Neiman Marcus credit card at the department store in Oak Brook, Illinois, in August and December 2013. Frank alleged that she and her husband used a joint debit card account to make purchases at a Neiman Marcus store on Long Island, New York, in December 2013; that on January 9, 2014, fraudulent charges appeared on her debit card account; that, several weeks later, she was the target of a scam through her cell phone; and that her husband received a notice letter from Neiman Marcus about the breach. Farnoush alleged that she also incurred fraudulent charges on her credit card after she used it at Neiman Marcus in 2013. Finally, Kao made purchases on ten separate occasions at a Neiman Marcus store in San Francisco in 2013 and received notifications in January 2014 from her bank as well as Neiman Marcus that her debit card had been compromised.

Citing Federal Rules of Civil Procedure 12(b)(1) and 12(b)(6), Neiman Marcus moved to dismiss the complaint for lack of standing and for failure to state a claim. On September 16, 2014, the district judge granted the motion exclusively on standing grounds, and the plaintiffs filed their notice of appeal nine days later. This created a slight problem with appellate jurisdiction, because the district judge never set out his judgment in a separate document as required by Rule 58(a). Nonetheless, we have confirmed that there is a final judgment for purposes of 28 U.S.C. § 1291 and our jurisdiction is secure. (This step would not be necessary if the district court had taken the simple additional step described in Rule 58(a); we once again urge the district courts to do so, for the sake of both the parties and the appellate court.) Here, the district court clearly evidenced its intent in its opinion that this was the final decision in the case, and the clerk recorded the dismissal in the docket. Bankers Trust Co. v. Mallis, 435 U.S. 381, 387–88, 98 S.Ct. 1117, 55 L.Ed.2d 357 (1978) ; see also Kaplan v. Shure Bros., 153 F.3d 413, 417 (7th Cir.1998). As neither party has called to our attention anything that would defeat finality nor do we see anything, we are free to proceed.

II

We review a district court's dismissal for lack of Article III standing de novo. Reid L. v. Ill. State Bd. of Educ., 358 F.3d 511, 515 (7th Cir.2004). Under Rule 12(b)(1), “the district court must accept as true all material allegations of the complaint, drawing all reasonable inferences therefrom in the plaintiff's favor, unless standing is challenged as a factual matter.” Id. “The plaintiffs, as the parties invoking federal jurisdiction, bear the burden of establishing the required elements of standing.”Id. (citation omitted); see Lujan v. Defenders of Wildlife, 504 U.S. 555, 561, 112 S.Ct. 2130, 119 L.Ed.2d 351 (1992). In order to have standing, a litigant must “prove that he has suffered a concrete and particularized injury that is fairly traceable to the challenged conduct, and is likely to be redressed by a favorable judicial decision.” Hollingsworth v. Perry, ––– U.S. ––––, 133 S.Ct. 2652, 2661, 186 L.Ed.2d 768 (2013) (citing Lujan, 504 U.S. at 560–61, 112 S.Ct. 2130 ).

These plaintiffs must allege that the data breach inflicted concrete, particularized injury on them; that Neiman Marcus caused that injury; and that a judicial decision can provide redress for them. We first address these requirements of Article III standing, and then briefly comment on Neiman Marcus's argument that, alternatively, the complaint should be dismissed for failure to state a claim.

A

The plaintiffs point to several kinds of injury they have suffered: 1) lost time and money resolving the fraudulent charges, 2) lost time and money protecting themselves against future identity theft, 3) the financial loss of buying items at Neiman Marcus that they would not have purchased had they known of the store's careless approach to cybersecurity, and 4) lost control over the value of their personal information. (We note that these allegations go far beyond the complaint about a website's publication of inaccurate information, in violation of the Fair Credit Reporting Act, that is before the Supreme Court in Spokeo, Inc. v. Robins, No. 13–1339, cert. granted ––– U.S. ––––, 135 S.Ct. 1892, 191 L.Ed.2d 762 (2015).) The plaintiffs also allege that they have standing based on two imminent injuries: an increased risk of future fraudulent charges and greater susceptibility to identity theft. We address the two alleged imminent injuries first and then the four asserted actual injuries.

Allegations of future harm can establish Article III standing if that harm is “certainly impending,” but “allegations of possible future injury are not sufficient.” Clapper v. Amnesty Int'l USA, ––– U.S. ––––, 133 S.Ct. 1138, 1147, 185 L.Ed.2d 264 (2013) (citation omitted). Here, the complaint alleges that everyone's personal data has already been stolen; it alleges that the 9,200 who already...