Case No. 14-3122
UNITED STATES COURT OF APPEALS
FOR THE SEVENTH CIRCUIT
HILARY REMIJAS, on behalf of herself and all others
similarly situated, et al.,
Plaintiffs-Appellants,
v.
THE NEIMAN MARCUS GROUP LLC, a Delaware limited liability company,
Defendant-Appellee.
Appeal from the United States District Court for the Northern District of Illinois,
Case No. 1:14-cv-01735, Hon. James B. Zagel
BRIEF OF DEFENDANT-APPELLEE THE NEIMAN MARCUS GROUP LLC
David H. Hoffman Tacy F. Flint
Daniel C. Craig SIDLEY AUSTIN LLP One South Dearborn Chicago, Illinois 60603 (312) 853-7000
Attorneys for Defendant-Appellee
Case: 14-3122 Document: 14 Filed: 12/05/2014 Pages: 60
CIRCUIT RULE 26.1 DISCLOSURE STATEMENT
Appellate Court No:
Short Caption:
To enable the judges to determine whether recusal is necessary or appropriate, an attorney for a non-governmental party or amicus curiae, or a private attorney representing a government party, must furnish a disclosure statement providing the following information in compliance with Circuit Rule 26.1 and Fed. R. App. P. 26.1.
The Court prefers that the disclosure statement be filed immediately following docketing; but, the disclosure statement must be filed within 21 days of docketing or upon the filing of a motion, response, petition, or answer in this court, whichever occurs first. Attorneys are required to file an amended statement to reflect any material changes in the required information. The text of the statement must also be included in front of the table of contents of the party's main brief. Counsel is required to complete the entire statement and to use N/A for any information that is not applicable if this form is used.
[ ] PLEASE CHECK HERE IF ANY INFORMATION ON THIS FORM IS NEW OR REVISED AND INDICATE WHICH INFORMATION IS NEW OR REVISED.
(1) The full name of every party that the attorney represents in the case (if the party is a corporation, you must provide the corporate disclosure information required by Fed. R. App. P 26.1 by completing item #3):
(2) The names of all law firms whose partners or associates have appeared for the party in the case (including proceedings in the district court or before an administrative agency) or are expected to appear for the party in this court:
(3) If the party or amicus is a corporation:
i) Identify all its parent corporations, if any; and
ii) list any publicly held company that owns 10% or more of the party’s or amicus’ stock:
Attorney's Signature: Date:
Attorney's Printed Name:
Please indicate if you are Counsel of Record for the above listed parties pursuant to Circuit Rule 3(d). Yes No
Address:
Phone Number: Fax Number:
E-Mail Address:
rev. 01/08 AK
14-3122
Remijas v. The Neiman Marcus Group, LLC
The Neiman Marcus Group LLC
Sidley Austin LLP
Neiman Marcus Group LTD LLC
N/A
s/ David H. Hoffman 12/5/2014
David H. Hoffman
Sidley Austin LLP
One South Dearborn, Chicago, IL 60603
312-853-2174 312-853-7036
14-3122
Remijas v. The Neiman Marcus Group, LLC
The Neiman Marcus Group LLC
Sidley Austin LLP
Neiman Marcus Group LTD LLC
N/A
s/ Tacy F. Flint 12/5/2014
Tacy F. Flint
Sidley Austin LLP
One South Dearborn, Chicago, IL 60603
312-853-7875 312-853-7036
14-3122
Remijas v. The Neiman Marcus Group LLC
The Neiman Marcus Group LLC
Sidley Austin LLP
Neiman Marcus Group LTD LLC
N/A
s/ Daniel C. Craig 12/5/2014
Daniel C. Craig
Sidley Austin LLP
One South Dearborn, Chicago, IL 60603
312-853-7370 312-853-7036
TABLE OF CONTENTS
JURISDICTIONAL STATEMENT
STATEMENT OF THE CASE
I. Factual Background
A. The Data Incursion
B. Alleged Effects of the Data Incursion on Plaintiffs
II. Procedural History
SUMMARY OF ARGUMENT
STANDARD OF REVIEW
ARGUMENT
I. THE COMPLAINT WAS CORRECTLY DISMISSED UNDER RULE 12(B)(1) BECAUSE PLAINTIFFS LACK ARTICLE III STANDING.
A. Plaintiffs Have Alleged No Future Injury That Is Both Concrete and Imminent.
1. Plaintiffs’ Allegations of Future Fraudulent Charges Do Not Establish a Concrete Injury.
2. Plaintiffs’ Allegations of Future Identity Theft Do Not Establish an Imminent Injury.
a) The District Court Correctly Applied Clapper.
b) Pisciotta Does Not Support Standing Here.
c) The District Court Correctly Held That Plaintiffs Had Not Alleged That Any Identity Theft Was Certainly Impending.
B. Plaintiffs Have Alleged No Cognizable Present Injury.
1. Reimbursed Fraudulent Charges Do Not Constitute Present Injury.
2. Plaintiffs’ “Overpayment” Theory Finds No Support in the Law.
3. Allegations of loss of control and value of payment card data are insufficient to show injury.
4. Plaintiffs’ allegations that Neiman Marcus violated the California and Illinois data breach laws are insufficient to grant standing.
C. No Alleged Injury Can Be Fairly Traced to Action by Neiman Marcus.
II. IN THE ALTERNATIVE, THE COMPLAINT SHOULD BE DISMISSED UNDER RULE 12(B)(6) FOR FAILURE TO STATE A CLAIM.
CONCLUSION
TABLE OF AUTHORITIES
CASES
Allison v. Aetna, Inc., 2010 WL 3719243 (E.D. Pa. Mar. 9, 2010)
Amburgy v. Express Scripts, Inc., 671 F. Supp. 2d 1046 (E.D. Mo. 2009)
Apex Digital, Inc. v. Sears, Roebuck & Co., 572 F.3d 440 (7th Cir. 2009)
Ashcroft v. Iqbal, 556 U.S. 662 (2009)
Askin v. Quaker Oats Co., 818 F.Supp.2d 1081 (N.D. Ill. 2011)
Babbitt v. Farm Workers, 442 U.S. 289 (1979)
Bankers Trust Co. v. Mallis, 435 U.S. 381 (1978)
Bell Atl. Corp. v. Twombly, 550 U.S. 544 (2007)
Boorstein v. CBS Interactive, Inc., 222 Cal. App. 4th 456 (2013)
Bridenbaugh v. Freeman-Wilson, 227 F.3d 848 (7th Cir. 2000)
Camp v. TNT Logistics Corp., 553 F.3d 502 (7th Cir. 2009)
Chicago Faucet Shoppe, Inc. v. Nestle Water N. Am. Inc., 2014 WL 541644 (N.D. Ill. Feb. 11, 2014)
Clapper v. Amnesty Int’l USA, 133 S. Ct. 1138 (2013)
Cohen v. Facebook, Inc., 798 F.Supp.2d 1090 (N.D. Cal. 2011)
DaimlerChrysler Corp. v. Cuno, 547 U.S. 332 (2006)
Federal Election Com’n v. Akins, 524 U.S. 11 (1998)
Frank v. Neiman Marcus Group, No.14-cv-233 (E.D.N.Y. Jan. 13, 2014)
Friends of the Earth, Inc. v. Laidlaw Envtl. Servs. (TOC), Inc., 528 U.S. 167 (2000)
Galaria v. Nationwide Mut. Ins. Co., 998 F. Supp. 2d 646, 2014 WL 689703 (S.D. Ohio Feb. 10, 2014)
Goel v. Ramachandran, 975 N.Y.S.2d 428 (N.Y. App. Div. 2013)
Hammond v. Bank of New York Mellon Corp., 2010 WL 2643307 (S.D.N.Y. June 25, 2010)
Havens Realty Corp. v. Coleman, 455 U.S. 363 (1982)
HPI Health Care Servs., Inc. v. Mt. Vernon Hosp., Inc., 131 Ill.2d 145, 545 N.E.2d 672 (Ill. 1989)
In re Adobe Sys., Inc. Privacy Litig., 2014 WL 4379916 (N.D. Cal. Sept. 4, 2014)
In re Aqua Dots Prods. Liab. Litig., 654 F.3d 748 (7th Cir. 2011)
In re Barnes & Noble Pin Pad Litig., 2013 WL 4759588 (N.D. Ill. Sept. 3, 2013)
In re Facebook Privacy Litig., 791 F.Supp.2d 705 (N.D. Cal. 2011), affirmed in part and reversed in part, 572 Fed. Appx. 494 (9th Cir. 2014)
In re Michaels Stores Pin Pad Litig., 830 F. Supp. 2d 518 (N.D. Ill. 2011)
In re Sony Gaming Networks and Customer Data Sec. Breach Litig., __ F.Supp.2d __, 2014 WL 223677 (S.D. Cal. Jan. 21, 2014)
Johnson v. Orr, 551 F.3d 564 (7th Cir. 2008)
Kaplan v. Shure Bros., Inc., 153 F.3d 413 (7th Cir. 1998)
Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010)
Kwikset Corp. v. Super. Ct., 51 Cal.4th 310 (2011)
Lipton v. Chattem, Inc., 2012 WL 1192083 (N.D. Ill. Apr. 10, 2012)
Lujan v. Defenders of Wildlife, 504 U.S. 555 (1992)
Marbury v. Madison, 5 U.S. (1 Cranch) 137 (1803)
Martis v. Pekin Mem’l Hosp. Inc., 395 Ill. App. 3d 943 (2009)
Maya v. Centex Corp., 658 F.3d 1060 (9th Cir. 2011)
MedImmune, Inc. v. Genentech, Inc., 549 U.S. 118 (2007)
Minn-Chem, Inc. v. Agrium Inc., 683 F.3d 845 (7th Cir. 2012)
Monsanto Co. v. Geertson Seed Farms, 561 U.S. 139 (2010)
Moyer v. Michaels Stores, Inc., 2014 WL 3511500 (N.D. Ill. July 14, 2014)
Muir v. Playtex Prods. LLC, 983 F. Supp. 2d 980 (N.D. Ill. 2013)
Navellier v. Sletten, 106 Cal. App. 4th 763 (2003)
Pennell v. City of San Jose, 485 U.S. 1 (1988)
People ex rel. Madigan v. United Const. of Am., 981 N.E.2d 404 (1st Dist. 2012)
People To End Homelessness, Inc. v. Develco Singles Apartments Assocs., 339 F.3d 1 (1st Cir. 2003)
Peterson v. Cellco P’ship, 164 Cal.App.4th 1583 (Cal. Ct. App. 2008)
Pisciotta v. Old Nat’l Bancorp, 499 F.3d 629 (7th Cir. 2007)
Price v. Starbucks Corp., 192 Cal. App. 4th 1136 (2011)
Reid L. v. Ill. St. Bd. Of Educ., 358 F.3d 511 (7th Cir. 2004)
Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011)
Spencer v. Kemna, 523 U.S. 1 (1998)
Steel Co. v. Citizens for a Better Env’t, 523 U.S. 83 (1998)
Sterk v. Redbox Automated Retail LLC, 770 F.3d 618 (2014)
Storino v. Borough of Point Pleasant Beach, 322 F.3d 293 (3d Cir. 2003)
Strautins v. Trustwave Holdings, Inc., 2014 WL 960816 (N.D. Ill. Mar. 12, 2014)
Stutman v. Chem. Bank, 95 N.Y.2d 24 (2000)
Summers v. Earth Island Inst., 555 U.S. 488 (2009)
Susan B. Anthony List v. Driehaus, 134 S. Ct. 2334 (2014)
United Phosphorus, Ltd. v. Angus Chem. Co., 322 F.3d 942 (7th Cir. 2003)
Vides v. Advocate Health & Hospitals Corp., No. 13-CH-2701 (9th Cir. May 27, 2014)
Warth v. Seldin, 422 U.S. 490 (1975)
Wesley-Jessen Inc. v. Reynolds, 1974 WL 20197 (N.D. Ill. May 23, 1974)
Whitaker v. Ameritech Corp., 129 F.3d 952 (7th Cir. 1997)
Whitmore v. Arkansas, 495 U.S. 149 (1990)
Wilkins v. Williams, 991 N.E. 2d 308 (Ill. 2013)
Yeftich v. Navistar, Inc., 722 F.3d 911 (7th Cir. 2013)
STATUTES
28 U.S.C. § 1291
Cal. Civ. Code § 1798.82(d)
Cal. Civ. Code § 1798.84(b)
815 ILCS 505/1
815 ILCS 530/1
OTHER AUTHORITIES
Fed. R. Civ. P. 12(b)(1)
Fed. R. Civ. P. 12(b)(6)
Fed. R. Civ. P. 58
U.S. Constitution, Article III
U.S. Constitution, 21st Amendment
JURISDICTIONAL STATEMENT
Plaintiffs’ jurisdictional statement is not complete and correct. Plaintiffs
correctly summarize their alleged grounds for federal subject matter jurisdiction in
the district court, but the district court correctly held that it lacked subject matter
jurisdiction and dismissed the action pursuant to Fed. R. Civ. P. 12(b)(1).
Plaintiffs’ discussion of appellate jurisdiction in this Court is incomplete. Br.
1-2. Plaintiffs’ notice of appeal was filed on September 25, 2014—nine days after
entry of the order dismissing plaintiffs’ First Amended Complaint (“FAC”) for lack
of standing, but before the district court entered judgment in a “separate document”
as required by Federal Rule of Civil Procedure 58. Despite the absence of a separate
document entering judgment, this Court has appellate jurisdiction under 28 U.S.C.
§ 1291. See Bankers Trust Co. v. Mallis, 435 U.S. 381 (1978) (per curiam); Kaplan
v. Shure Bros., Inc., 153 F.3d 413, 417 (7th Cir. 1998). First, the district court’s
order dismissing the FAC, from which plaintiffs appealed, “clearly evidenced [that
court’s] intent that the opinion and order … represented the final decision in the
case.” Id.; see also A10. Second, the clerk’s docket indicated that the complaint was
“dismissed” and stated that the case was “terminated.” A2. Finally,
Defendant-Appellee The Neiman Marcus Group LLC (“Neiman Marcus”) did not object below,
and does not object now, to plaintiffs’ taking this appeal in the absence of a separate
judgment. Kaplan, 153 F.3d at 417. In these circumstances, appellate jurisdiction
exists under § 1291 notwithstanding the absence of a separate judgment. Id.
STATEMENT OF THE CASE
I. FACTUAL BACKGROUND
A. The Data Incursion
This case stems from an attack on Neiman Marcus’s information technology
system. As the FAC discusses (FAC ¶¶ 30-32, R.27:11-12),1 Neiman Marcus has
described the data incursion in detail in communications to customers, postings to
its website, and other public statements.2 As those documents report, in
mid-December 2013, Neiman Marcus received information that a relatively small
number of cards used at Neiman Marcus subsequently had fraudulent charges
placed on them. (Testimony of Michael Kingston before the Senate Judiciary
Committee, at 2, 4-5, R.36-1:18, 20-21). Neiman Marcus immediately began an
investigation and hired a leading forensic investigative firm, which first found
evidence of potential malware in Neiman Marcus’s system on January 1, 2014. (Id.
at 2-3, R.36-1:18-19). In the next several days, Neiman Marcus took steps to
discover, identify, analyze, and ultimately contain the cyber attack, which included
disabling the malware that appeared capable of collecting or “scraping” information
on payment cards used at certain Neiman Marcus stores. (Id. at 2-5, R.36-1:18-21).
On January 10, the company made several public announcements regarding the
incursion and gave individual notification to those customers known to Neiman
Marcus who had received fraudulent charges on their cards after the incursion. (Id.
at 3, 7, R.36-1:19, 23).
1 References to “R.___:___” refer to the docket number and page number of items filed as part of the district court record.
2 The FAC specifically identifies one of Neiman Marcus’s two website postings (see FAC ¶¶ 32–33, 42, R.27:11–13) and relies on it as the source of certain allegations. The website postings are located at R.36-1:5–15. The testimony of Neiman Marcus’s Chief Information Officer before the U.S. Senate Judiciary Committee on the subject of this cyber attack, which was made public prior to the initial filing of plaintiffs’ complaint, is located at R.36-1:17–24.
In postings to its website on January 16, January 22, and February 21,
Neiman Marcus provided a detailed public update regarding its forensic
investigation. (Id. at 7-8, R.36-1:23-24; see also Neiman Marcus Group, To our
Loyal Neiman Marcus Group Customers, R.36-1:11-15). Neiman Marcus confirmed
that while some “payment cards” had been exposed to the malware, “social security
numbers and birth dates were not” and “PINs were never at risk because we do not
use PIN pads in our stores.” (See Neiman Marcus Group, To our Loyal Neiman
Marcus Group Customers, R.36-1:5.) Neiman Marcus also identified the period
during which the malware appeared to have been attempting to collect payment
card data—from July 16 to October 30, 2013. (Id.) It stated that 350,000 cards
were potentially exposed to the malware, but did not state or suggest that any of the
350,000 cards were actually compromised. (See id., R.36-1:11).
Neiman Marcus explained that approximately 9,200 payment cards
potentially exposed to the malware were known to have been subsequently used
fraudulently elsewhere. (Id.). Nothing in the company’s statements, however,
indicated that the payment card data from those 9,200 cards had actually been
stolen from Neiman Marcus, or that the fraudulent charges occurred as a result of
the Neiman Marcus data incursion. (Id.) Indeed, several other companies,
including Target, had also suffered data incursions potentially impacting millions of
credit cards. (R.36:16 & n.10.) The company explained that, out of an abundance of
caution, it was “notifying ALL customers for whom [it has] addresses or email who
shopped with [the company] between January 2013 and January 2014, and offering
one free year of credit monitoring and identity-theft protection.” (R.36-1:5).
Neiman Marcus also reminded customers that “[t]he policies of the payment card
brands such as Visa, MasterCard, American Express, Discover and the Neiman
Marcus card provide that you have zero liability for any unauthorized charges if you
report them in a timely manner.” (Id.).
On February 4, 2014, Michael Kingston, Senior Vice President and Chief
Information Officer for the Neiman Marcus Group, testified along with
representatives from Target and other groups before the United States Senate
Judiciary Committee, and submitted written testimony that was made public.
(Testimony of Michael Kingston before the Senate Judiciary Committee, R.36-1:17).
In his written testimony he stated that “the customer information that was
potentially exposed to the malware was payment card account information” and
that “there is no indication that social security numbers or other personal
information were exposed in any way.” (Id. at 3, R.36-1:19).
B. Alleged Effects of the Data Incursion on Plaintiffs
Plaintiffs allege that they made purchases at Neiman Marcus while the data
incursion was in effect. Plaintiff Hilary Remijas alleged that she made purchases
using a Neiman Marcus credit card at a Neiman Marcus store in August and
December 2013. (FAC ¶ 3, R.27:3). She did not allege that any fraudulent charges
were made using this card, or that any such charges were unreimbursed. (Id.). Ms.
Remijas did not allege that she provided any personally-identifiable information to
Neiman Marcus other than her payment card information. (Id.).
Plaintiff Melissa Frank alleged that she and her husband made purchases at
a Neiman Marcus store and online in December 2013 using a debit card. (FAC ¶ 4,
R.27:3). She further alleged that fraudulent charges appeared on her debit card on
January 9, 2014 (Id.), but did not allege that this charge was unreimbursed. She
alleged that her husband received a letter from Neiman Marcus regarding the
incursion in January 2014. (Id.). On January 13, 2014, she filed a complaint against
Neiman Marcus in the Eastern District of New York, in which she alleged that she
“experienced fraudulent charges on her debit card.” (R.36:24). In the FAC, she
alleged that in mid-March 2014, approximately two months after she filed her
initial complaint, she received a telephone call in which a caller, aware that her
debit card had been canceled, attempted to convince her to provide additional
payment card information. (FAC ¶¶ 5, 51, R.27:3, 15). She did not allege that she
provided any such information to the caller. (Id.). She did not allege that she or her
husband provided personally-identifiable information other than their payment
card information to Neiman Marcus. (Id.).
Plaintiff Debbie Farnoush alleged that she made a purchase using a payment
card at a Neiman Marcus store in 2013, but did not specify a date. (FAC ¶ 5,
R.27:3). She alleged that fraudulent charges appeared on her credit card but did
not allege that these charges were unreimbursed. (Id.). She did not state whether
or not she received any notice regarding the incursion from Neiman Marcus. (Id.).
She did not allege that she provided personally-identifiable information other than
her payment card information to Neiman Marcus. (Id.).
Plaintiff Joanne Kao alleged that she made several purchases at a Neiman
Marcus store on several dates between February and December 2013. (FAC ¶ 6,
R.27:3). She did not allege that she used a payment card to make any of these
purchases. (Id.). She alleged that she received notice from her bank that her debit
card had been compromised, but did not allege that she had used that debit card at
a Neiman Marcus store. (Id.). She alleged that she received a letter from Neiman
Marcus regarding the incursion. (Id.). She did not allege that she provided
personally-identifiable information other than her payment card information to
Neiman Marcus.
II. PROCEDURAL HISTORY
The FAC, which consolidated putative class action claims asserted by
multiple named plaintiffs, was filed on June 2, 2014. (R.27). The FAC asserts six
counts and seeks a variety of injunctive relief and damages, including “actual
damages, compensatory damages, statutory damages, and statutory penalties,” as
well as punitive damages. (FAC Prayer for Relief, R.27:36).
Neiman Marcus moved to dismiss the FAC for lack of standing under Rule
12(b)(1), and for failure to state a claim under Rule 12(b)(6), on July 2, 2014. (R.35).
Neiman Marcus submitted evidence in support of its arguments against standing,
and plaintiffs’ opposition did not purport to contradict any of that evidence, relying
solely on the allegations of the FAC. The district court granted Neiman Marcus’s
motion on September 16, 2014, holding that plaintiffs lacked standing because they
failed to establish injury-in-fact. (A3).
The court first explained that plaintiffs had the burden to establish Article
III standing, and were thus required to demonstrate, inter alia, “an ‘injury in fact’
that is concrete and particularized and either actual or imminent.” (Id.). Here,
“[p]laintiffs assert[ed] four principal categories of injury”: (1) “an increased risk of
future fraudulent credit card charges, and an increased risk of identity theft”;
(2) “present injuries, including the loss of time and money associated with resolving
fraudulent charges” and “protecting against the risk of future identity theft”;
(3) “the financial loss they suffered from having purchased products that they
wouldn’t have purchased had they known of Defendant’s misconduct”; and (4) “loss
of control over value of their private information.” (Id.).
Regarding plaintiffs’ alleged future harms, the court noted that “[a]llegations
of future potential harm may suffice to establish Article III standing, but the future
harm must be ‘certainly impending.’” (A3-4 (quoting Clapper v. Amnesty Int’l USA,
133 S. Ct. 1138, 1147 (2013))). The court concluded that the FAC (1) “permits the
inference that [the 9,200 Neiman Marcus customers who experienced fraudulent
charges on their credit cards] did indeed have their data stolen as a result of the
cyber-attack on Defendant,” and (2) permits “a weaker, though in [the court’s] view
still plausible, inference that others among the 350,000 customers are at a ‘certainly
impending’ risk of seeing similar fraudulent charges appear on their credit cards as
a result of the cyber-attack on Defendant.” (A6). But, even if plaintiffs could be
said to satisfy the “imminence” requirement of injury-in-fact, the fraudulent charges
on certain plaintiffs’ credit cards still did not support standing because the
purported injury was not sufficiently “concrete”: “Plaintiffs have not alleged that
any of the fraudulent charges were unreimbursed. On these pleadings, I am not
persuaded that unauthorized credit card charges for which none of the plaintiffs are
financially responsible qualify as ‘concrete’ injuries.” (A7).
The court also held that the other potential future harm alleged by
plaintiffs—identity theft—was insufficient to establish standing, because the court
was “not persuaded that the 350,000 customers at issue are at a certainly
impending risk of identity theft.” (Id.). While the court declared itself willing to
“accept the inference … that additional customers are at a ‘certainly impending’
risk of future fraudulent charges on their credit cards,” it concluded that “to assert
on this basis that either set of customers is also at a certainly impending risk of
identity theft is … a leap too far.” (A7-8). Plaintiffs’ argument that injury-in-fact
was established through the risk of future identity theft, therefore, failed to satisfy
the requirement of imminence. (Id.).
The court next turned to plaintiffs’ claim that “the time and money allegedly
spent toward mitigating the risk of future fraudulent charges and identity theft
constitutes injury sufficient to confer standing.” (A8). That argument failed. The
court reiterated that “[t]he ‘fraudulent charge’ injury, absent unreimbursed charges
or other allegations of some attendant hardship, is not in my view sufficiently
concrete to establish standing,” and explained that “the complaint contains no
meaningful allegations as to what precisely the costs incurred to mitigate the risk of
future fraudulent charges were.” (Id.). And, because “the complaint does not
adequately allege that the risk of identity theft is sufficiently imminent to confer
standing,” “the ‘time and money spent to mitigate’ claim as to the risk of identity
theft … is not a cognizable Article III injury.” (A8-9).
The court then rejected plaintiffs’ argument that they were injured by paying
a supposed premium for “retail goods purchased at Defendant’s stores, a portion of
which Defendant was required to allocate to adequate data breach security
measures.” (A9). The court noted that this type of harm exists only when the
product purchases “possessed some sort of deficiency”—not when “the deficiency
complained of is extrinsic to the product being purchased.” (Id.). The court cited
the example of a store that allegedly had inadequate in-store security, which led to
a customer being assaulted in the parking lot: “even if no physical injury actually
befell the customer, under Plaintiffs’ theory, the customer still suffered financial
injury because he or she paid a premium for adequate store security, and the store
security was not in fact adequate.” (A9-10). The court deemed this theory of injury,
which was unsupported by precedent, to be “creative, but unpersuasive.” (A9).
Finally, the court rejected “Plaintiffs’ claim to standing based on the loss of
control over and value of their private information. Again, the injury as pled is not
sufficiently concrete.” A10.
For all these reasons, Neiman Marcus’s motion to dismiss for lack of Article
III standing was granted. Id. Having determined that jurisdiction was lacking, the
court did not address Neiman Marcus’s argument that the complaint was equally
subject to dismissal for failure to state a claim.
SUMMARY OF ARGUMENT
Plaintiffs allege that they are among the 350,000 customers who purchased
items at Neiman Marcus while Neiman Marcus was subject to an information
security attack, in which certain customers’ payment card data was exposed. But
plaintiffs have not met their burden to establish an injury that is both concrete and
actual or imminent, not to mention an injury that is traceable to Neiman Marcus.
The district court was thus correct to dismiss the FAC for lack of Article III
standing.
Plaintiffs principally argue that they have adequately shown future injuries.
For one, they contend that some of them have experienced fraudulent charges on
their credit and debit cards, and this shows they are at an increased risk of seeing
fraudulent charges on their cards in the future. Even accepting for the moment
that plaintiffs have established that any fraudulent charges occurred as a result of
the Neiman Marcus data incursion (which they have not), plaintiffs cannot show
how any fraudulent charge will injure them. That is because—as plaintiffs do not
dispute—their fraudulent charges are uniformly and fully reimbursed. In other
words, even if plaintiffs are subjected to such charges in the future, they will face
zero out-of-pocket costs. As the district court correctly held, an effect that entails no
loss whatsoever is not a “concrete” injury for purposes of Article III.
Plaintiffs also contend that they have shown future injury by pointing to the
specter of “identity theft.” But plaintiffs have failed to make any factual showing as
to how the data incursion—in which there is no indication that anything more than
payment card data was even potentially exposed—will lead to imminent identity
theft, as they are required to do. The only actual fact that plaintiffs point to—i.e.,
that some Neiman Marcus customers saw fraudulent charges on their credit and
debit cards at some point after the data incursion—is at most consistent with the
fact that the incident involved payment card data, and not the more sensitive
personal identifying information that could be used to open an account or for other
forms of identity theft. Indeed, unlike sensitive personal data, such as social
security numbers, payment card data is routinely disclosed—to waiters, websites,
and many others. Yet plaintiffs have not even alleged that they provided personal
identifying information beyond their payment card data to Neiman Marcus—much
less facts showing that their personal information was exposed, stolen, or misused.
Simply put, the fact of fraudulent charges does not bear the weight plaintiffs
place on it. Even if plaintiffs had alleged that their payment card data was actually
obtained by fraudsters through the Neiman Marcus data incursion (which plaintiffs
did not, in fact, allege), that would not support a conclusion that they suddenly face
“certainly impending” identity theft, as the Supreme Court has held is necessary if
standing is to be established solely by reliance on future injuries. See Clapper, 133
S. Ct. at 1147.
Plaintiffs’ arguments of present or “actual” injuries likewise fail. First,
plaintiffs contend that they have spent “time and money” to protect themselves
against identity theft and to ensure that fraudulent charges are resolved. But, as
the Supreme Court has held, plaintiffs cannot manufacture standing by spending
money to supposedly prevent potential injuries that do not create standing in their
own right. Id. at 1151. And plaintiffs have alleged no facts regarding the supposed
costs of resolving fraudulent charges.
Second, plaintiffs contend that they were injured by overpaying to purchase
items from Neiman Marcus when they were not aware that Neiman Marcus was
susceptible to a data incursion. This theory—which the district court called
“creative, but unpersuasive,” A9—finds no support in the law, and simply makes no
sense. Plaintiffs cannot contend that the products they purchased were in any way
defective or worth less than the price they paid, which defeats any “overpayment”
theory.
Third, Plaintiffs’ contention that they were injured through the supposed
“loss of control” over their personal data is simply a rehash of their other
arguments, because plaintiffs cannot allege that their personal data had some
monetary value that they were prevented from realizing. Finally, plaintiffs’
argument that they have “statutory standing” under California and Illinois state
laws ignores both that injury-in-fact is a federal constitutional requirement that no
state law could eliminate, and that, in any event, neither California nor Illinois
state law purports to create “statutory standing.”
Additionally, plaintiffs have equally failed to establish standing because they
have alleged no facts to show that any effects on them are traceable to Neiman
Marcus. All plaintiffs can say is that some of them have experienced reimbursed
fraudulent charges, and one received an unsuccessful phishing call. But the only
“fact” that suggests these alleged events are traceable to Neiman Marcus is their
timing—i.e., that they occurred after the data incursion. But they also occurred
after large-scale breaches of other retailers’ data, and the FAC is silent as to
whether the plaintiffs gave payment card data to any such retailer. And the
allegations regarding the phishing call to Ms. Frank actually make clear that the
caller had access to data that could not have come from Neiman Marcus.
For all of these reasons, plaintiffs lack Article III standing, and the FAC was
properly dismissed under Rule 12(b)(1). Even if the Court were to disagree,
however, the district court’s judgment can be affirmed on the alternate ground,
equally supported in the record, that plaintiffs have failed to state a claim under
Rule 12(b)(6). Each legal theory that plaintiffs advance in their six counts requires
them to establish compensable injury. The FAC fails to do that. Thus, whether it
be under Rule 12(b)(1) or Rule 12(b)(6), the FAC was properly dismissed.
STANDARD OF REVIEW
This Court “review[s] de novo a district court’s dismissal for lack of subject
matter jurisdiction.” Apex Digital, Inc. v. Sears, Roebuck & Co., 572 F.3d 440, 443
(7th Cir. 2009). When judging a motion to dismiss for lack of standing under Rule
12(b)(1), the Court “must accept as true all material allegations of the complaint . . .
unless standing is challenged as a factual matter.” Reid L. v. Ill. St. Bd. of Educ.,
358 F.3d 511, 515 (7th Cir. 2004). The plaintiff’s standing may not, however, “be
inferred argumentatively from averments in the pleadings.” Spencer v. Kemna, 523
U.S. 1, 10 (1998) (internal quotation marks omitted). “[I]t is the burden of the party
who seeks the exercise of jurisdiction in his favor, clearly to allege facts
demonstrating that he is a proper party to invoke judicial resolution of the dispute.”
Id. at 11 (internal quotation marks omitted).
“Where a party raises the issue of subject matter jurisdiction, a court need
not simply rely on the facts alleged in the complaint, but also may consider extrinsic
evidence to determine whether it can exercise jurisdiction.” Johnson v. Orr, 551
F.3d 564, 567 (7th Cir. 2008). Once a defendant produces evidence calling plaintiff’s
standing into question, “the presumption of correctness that [courts] accord to a
complaint’s allegations falls away, and the plaintiff bears the burden of coming
forward with competent proof that standing exists.” Apex Digital, 572 F.3d at 444
(internal citation and quotation marks omitted); see also United Phosphorus, Ltd. v.
Angus Chem. Co., 322 F.3d 942, 946 (7th Cir. 2003) (where “the contention is that
there is in fact no subject matter jurisdiction, the movant may use affidavits and
other material to support the motion”; “the court is free to weigh th[at] evidence to
determine whether jurisdiction has been established.”), overruled on other grounds
by Minn-Chem, Inc. v. Agrium Inc., 683 F.3d 845 (7th Cir. 2012).
ARGUMENT
I. THE COMPLAINT WAS CORRECTLY DISMISSED UNDER RULE 12(B)(1) BECAUSE PLAINTIFFS LACK ARTICLE III STANDING.
Plaintiffs lack Article III standing to bring their claims in federal court. “As
a jurisdictional requirement, the plaintiff bears the burden of establishing
standing.” Apex Digital, Inc., 572 F.3d at 443. To meet this burden, “a plaintiff
must show (1) it has suffered an ‘injury in fact’ that is (a) concrete and
particularized and (b) actual or imminent, not conjectural or hypothetical; (2) the
injury is fairly traceable to the challenged action of the defendant; and (3) it is
likely, as opposed to merely speculative, that the injury will be redressed by a
favorable decision.” Friends of the Earth, Inc. v. Laidlaw Envtl. Servs. (TOC), Inc.,
528 U.S. 167, 180-181 (2000); accord Susan B. Anthony List v. Driehaus, 134 S. Ct.
2334, 2341 (2014); Clapper, 133 S. Ct. at 1147; Lujan v. Defenders of Wildlife, 504
U.S. 555, 560-61 (1992) (describing these elements as “the irreducible constitutional
minimum of standing”).
The requirement that a plaintiff establish injury in fact lies at the heart of
Article III:
In limiting the judicial power to “Cases” and “Controversies,” Article III of the Constitution restricts it to the traditional role of Anglo-American courts, which is to redress or prevent actual or imminently threatened injury to persons caused by private or official violation of law. …
The doctrine of standing is one of several doctrines that reflect this fundamental limitation. It requires federal courts to satisfy themselves that the plaintiff has alleged such a personal stake in the outcome of the controversy as to warrant his invocation of federal-court jurisdiction. … This requirement assures that there is a real need to exercise the power of judicial review in order to protect the interests of the complaining party.
Summers v. Earth Island Inst., 555 U.S. 488, 492-93 (2009) (citations and internal
quotation marks omitted; emphasis in original); see also Warth v. Seldin, 422 U.S.
490, 498-99 (1975) (to establish standing, a plaintiff must show “such a personal
stake in the outcome of the controversy as to warrant his invocation of federal-court
jurisdiction and to justify exercise of the court’s remedial powers on his behalf. The
Art. III judicial power exists only to redress or otherwise to protect against injury to
the complaining party”) (citations and internal quotation marks omitted); Susan B.
Anthony List, 134 S. Ct. at 2341 (“the injury-in-fact requirement … helps to ensure
that the plaintiff has a ‘personal stake in the outcome of the controversy’”).
For that reason, the plaintiff cannot establish standing by merely theorizing
about potential injuries. To the contrary, the plaintiff must establish that her
claimed injury is “concrete and particularized.” Lujan, 504 U.S. at 560. If the
plaintiff’s claim of injury is insufficiently concrete, then standing does not lie. See,
e.g., Whitaker v. Ameritech Corp., 129 F.3d 952, 959 (7th Cir. 1997) (“Whitaker
wishes us to eradicate Ameritech’s allegedly unlawful practices; yet, she alleges no
facts to show how these practices have injured her. We cannot address Whitaker’s
grievance with Ameritech as she has received no injury, and therefore has no
standing.”) (citation and internal quotation marks omitted).
The alleged injury must also be “actual or imminent, not conjectural or
hypothetical.” Lujan, 504 U.S. at 560 (citations and internal quotation marks
omitted). This requirement has particular significance where the plaintiff claims
future injury. The Supreme Court has “repeatedly reiterated that ‘threatened
injury must be certainly impending to constitute injury in fact,’ and that
‘[a]llegations of possible future injury’ are not sufficient.” Clapper, 133 S. Ct. at
1147 (quoting Whitmore v. Arkansas, 495 U.S. 149, 158 (1990); citing Lujan, 504
U.S. at 565 n.2; DaimlerChrysler Corp. v. Cuno, 547 U.S. 332, 341 (2006); Laidlaw,
528 U.S. at 190; Babbitt v. Farm Workers, 442 U.S. 289, 298 (1979)) (brackets and
emphases in original). A possible injury does not satisfy Article III even if there is
an “objectively reasonable likelihood” that it will occur: an “‘objectively reasonable
likelihood’ standard is inconsistent with [the] requirement that ‘threatened injury
must be certainly impending to constitute injury in fact.’” Clapper, 133 S. Ct. at
1147. Any potential injury that is premised on a “speculative chain of possibilities”
does not satisfy Article III. Id. at 1150.
Here, as set forth below, none of the forms of injury that plaintiffs allege
satisfies Article III. For these reasons, plaintiffs have failed to establish the
requisite injury in fact to show jurisdiction.
A. Plaintiffs Have Alleged No Future Injury That Is Both Concrete and Imminent.
1. Plaintiffs’ Allegations of Future Fraudulent Charges Do Not Establish a Concrete Injury.
Courts considering data incursion cases are united in determining that
fraudulent charges that appear on a cardholder’s account do not constitute injury if
the cardholder is reimbursed for those charges. (A7 (“unauthorized credit card
charges for which none of the plaintiffs are financially responsible [do not] qualify
as ‘concrete’ injuries”); In re Barnes & Noble Pin Pad Litig., No. 12-cv-8617, 2013
WL 4759588, at *6 (N.D. Ill. Sept. 3, 2013) (plaintiff claiming only reimbursed
fraudulent charge “has not pled that actual injury resulted and that she suffered
any monetary loss due to the fraudulent charge”); In re Michaels Stores Pin Pad
Litig., 830 F. Supp. 2d 518, 527 (N.D. Ill. 2011) (“Plaintiffs suffered no actual injury
… if Plaintiffs were reimbursed for all unauthorized withdrawals and bank fees
and, thus, suffered no out-of-pocket losses”); Hammond v. The Bank of New York
Mellon Corp., No. 08 Civ. 6060(RMB)(RLE), 2010 WL 2653307, at *8 (S.D.N.Y.
2010) (no injury where plaintiffs “were reimbursed for the unauthorized charges”)).
The reasoning in these cases is straightforward. When a fraudulent charge is
assigned to a credit card account, but the cardholder is not required to pay or is
reimbursed for the charge, the cardholder suffers no adverse effect and therefore no
injury. This is particularly clear if one considers how such an “injury” could be
redressed. It couldn’t—because the charge has already been reimbursed. There is
no “injury” capable of redress. See People To End Homelessness, Inc. v. Develco
Singles Apartments Assocs., 339 F.3d 1, 9 (1st Cir. 2003) (no standing where
plaintiff’s “alleged injuries, to the extent they can be redressed, have already been
remedied”). For that reason, the district court was right to conclude that no
reimbursed fraudulent charge—whether it has already occurred or may occur in the
future—can support standing. (A7).
This principle has force in this case because the allegations and evidence here
confirm that no plaintiff has suffered, or has any likelihood of suffering,
unreimbursed fraudulent charges. One plaintiff, Remijas, has not alleged that she
saw any unauthorized charges on any of her accounts, much less that she was held
responsible for any such charges. The three other plaintiffs allege that they
experienced unauthorized charges, but none alleges that such charges were
unreimbursed. (See A7 (“as common experience might lead one to expect, Plaintiffs
have not alleged that any of the fraudulent charges were unreimbursed”)).
Moreover, plaintiffs do not and cannot dispute that credit card issuers uniformly
have zero-liability policies for fraudulent charges. See, e.g., Chase Debit Cards
Website, https://www.chase.com/checking/debit-cards (“Chase reimburses you for
any unauthorized card transaction made at stores, ATMs, on the phone or online
when reported promptly.”). Thus, even if plaintiffs’ allegations permitted an
inference that plaintiffs will be subject to fraudulent charges in the future, plaintiffs
have offered no allegation or evidence to support the notion that any such charge
would go unreimbursed.
Plaintiffs offer no meaningful argument to the contrary. They contend that
“the District Court did not cite any authority for its requirement that plaintiffs in
such cases allege unreimbursed fraudulent charges in order to have standing.” Br.
16. That is false. (See A7 (citing cases for the proposition that reimbursed
fraudulent charges are not “‘concrete’ injuries”)). To the contrary, it is plaintiffs
who cite no authority for the proposition that reimbursed fraudulent charges do
constitute concrete injuries.
Plaintiffs also contend that the district court’s “requirement” that charges be
unreimbursed to constitute injury “flies in the fact of established precedent” that
plaintiffs should not be “‘require[d] … to wait until they actually suffer identity
theft or [unreimbursed] credit card fraud in order to have standing.’” Br. 16
(brackets in original) (quoting In re Adobe Sys., Inc. Privacy Litig., No. 13–CV–
05226–LHK, 2014 WL 4379916, at *8 (N.D. Cal. Sept. 4, 2014)). Here, however,
plaintiffs conflate two issues: concreteness and imminence. The district court
accepted plaintiffs’ argument that “the potential future fraudulent charges are
sufficiently ‘imminent’ for purposes of standing.” (A7). It held that standing was
nonetheless not established because the only possible inference from the evidence
and allegations was that those fraudulent charges would be reimbursed consistent
with credit card issuers’ uniform policies, such that no “‘concrete’ injuries” would
result. (Id.).
Plaintiffs cite no allegation or evidence to the contrary here. Nor could they.
Indeed, at least two of the plaintiffs have already eliminated any prospect of future
charges by canceling the allegedly compromised payment cards (FAC ¶¶ 51, 54,
R.27:15), and the others could just as easily do the same.
2. Plaintiffs’ Allegations of Future Identity Theft Do Not Establish an Imminent Injury.
Plaintiffs again fail to confront both the district court’s reasoning and binding
law in arguing that they established standing by alleging future identity theft.
While the district court was willing to entertain an inference that Neiman Marcus
customers faced an imminent risk of fraudulent charges on their payment cards, it
held that inferring from that fact that plaintiffs would suffer identity theft was a
“leap too far.” (A8). Nothing in plaintiffs’ brief is to the contrary.
a) The District Court Correctly Applied Clapper.
Plaintiffs’ principal argument is that the district court imposed too stringent
of an imminence requirement because it supposedly “misinterpreted Clapper.” Br.
10-13. In Clapper, the Supreme Court explained:
“Although imminence is concededly a somewhat elastic concept, it cannot be stretched beyond its purpose, which is to ensure that the alleged injury is not too speculative for Article III purposes—that the injury is certainly impending.” [Lujan, 504 U.S.] at 565 n. 2 (internal quotation marks omitted). Thus, we have repeatedly reiterated that “threatened injury must be certainly impending to constitute injury in fact,” and that “[a]llegations of possible future injury” are not sufficient.
133 S. Ct. at 1147 (emphases in original). The district court followed Clapper here,
holding that plaintiffs were required to show “certainly impending” identity theft—
a showing they could not make. See A7-8.
Plaintiffs argue that the court should instead have asked whether there is a
“substantial risk” of identity theft. Br. 10-11. Plaintiffs cite Susan B. Anthony List
and footnote 5 of Clapper—which acknowledged that “[i]n some instances, [the
Supreme Court has] found standing based on a ‘substantial risk’ that the harm will
occur.” Clapper, 133 S. Ct. at 1150 n.5; see also Susan B. Anthony List, 134 S. Ct. at
2341 (citing footnote 5 of Clapper). Plaintiffs argue that the district court erred
when it applied Clapper’s “clearly impending” standard because it supposedly
“ignored footnote 5 of the Clapper decision” and Susan B. Anthony List. Br. 10.
Plaintiffs’ argument goes nowhere. Susan B. Anthony List and several other
cases[3] that use the “substantial risk” formulation have addressed when standing
exists to bring a pre-enforcement challenge to a law. See Susan B. Anthony List,
134 S. Ct. at 1334; Pennell v. City of San Jose, 485 U.S. 1, 8 (1988); Babbitt, 442
U.S. at 298. As the Supreme Court has repeatedly recognized, that specific question
has given rise over decades of case law to particularized standards. See Susan B.
Anthony List, 134 S. Ct. at 1334 (addressing the “recurring issue in our cases [of]
determining when the threatened enforcement of a law creates an Article III
injury”); MedImmune, Inc. v. Genentech, Inc., 549 U.S. 118, 128-29 (2007) (“Our
analysis must begin with the recognition that, where threatened action by
government is concerned, we do not require a plaintiff to expose himself to liability
before bringing suit to challenge the basis for the threat—for example, the
constitutionality of a law threatened to be enforced.”). Neither footnote 5 of Clapper
nor Susan B. Anthony List purports to do away with the requirement that, outside
the context of pre-enforcement challenges to laws, future harms must be “certainly
impending.” Indeed, the “certainly impending” standard existed long before
Clapper. See, e.g., Whitmore, 495 U.S. at 158 (stating, in 1990, that “[a]llegations
of possible future injury do not satisfy the requirements of Art. III. A threatened
injury must be certainly impending to constitute injury in fact”) (citation and
internal quotation marks omitted). It is plaintiffs’ reading of Clapper—not the
district court’s—that ignores the text of that opinion, which holds without
circumspection that future harms must be “certainly impending,” not merely
“possible,” to satisfy Article III. 133 S. Ct. at 1147.
[3] In Monsanto Co. v. Geertson Seed Farms, 561 U.S. 139 (2010), the Court examined whether farmers of conventional and organic alfalfa had standing to challenge an agency action that had created a “substantial risk” that the genes of genetically modified alfalfa would infiltrate their plants. As the Court explained, the “substantial risk of gene flow” caused present, not future, injury to the farmers because, inter alia, it rendered them unable to market their product as non-genetically-engineered without testing confirming that fact. Thus, the Court did not have to assess whether gene flow was certainly impending or not: the plaintiffs would suffer the harm complained of “even if their crops are not actually infected with the Roundup ready gene.” Id. at 154-55.
Here, plaintiffs cannot point to any facts establishing that they face
“certainly impending” identity theft. The FAC alleges only the following facts
regarding the data incursion: (1) Neiman Marcus collects and retains certain forms
of personally identifying information, depending on how customers access its retail
outlets (FAC ¶ 13, R.27:5-6), (2) 350,000 credit and debit cards were affected by the
data breach (FAC ¶ 41, R.27:13), (3) 9,200 of those cards subsequently had
fraudulent charges (FAC ¶ 42, R.27:13), and (4) “On information and belief,
Plaintiffs’ identifying and/or financial information was disclosed in the Data
Breach” (FAC ¶ 43, R.27:13). It alleges no further facts regarding plaintiffs’
personal identifying information.
Significantly, the FAC makes no allegation—and plaintiffs have come
forward with no evidence—to contradict the sworn testimony of Mr. Kingston that
“the customer information that was potentially exposed to the malware was
payment card account information” and that “there is no indication that social
security numbers or other personal information were exposed in any way.”
(Testimony of Michael Kingston before the Senate Judiciary Committee at 3, R.36-
1:19 (emphasis added)). Consistent with Mr. Kingston’s testimony, the FAC does
not allege that any plaintiff’s personal identifying information (other than payment
card information) has been misused in any way since the data breach. Indeed,
while the FAC alleges that plaintiffs used credit cards or debit cards to make
purchases at Neiman Marcus, it does not allege that plaintiffs provided to Neiman
Marcus any personal identifying information beyond that contained in their
payment cards. Simply put, plaintiffs can cite no facts to show that identity theft is
anything more than “possible.” That is fatal to plaintiffs’ claims—whether the
“certainly impending” or their preferred “substantial risk” standard is applied.
Nothing in plaintiffs’ brief is to the contrary. As in the district court,
plaintiffs purport to find support for their claim of future identity theft in the fact
that, after the data incursion, 9,200 customers of Neiman Marcus experienced
fraudulent charges on their credit cards. Br. 13-14. But as the district court
correctly found, that some customers’ payment card information may have been
misused does not mean that plaintiffs face imminent identity theft. In the words of
the district court, “to assert on this basis that … customers [are] also at a certainly
impending risk of identity theft is, in my view, a leap too far.” A8.4
Indeed, plaintiffs’ argument that a small number of fraudulent but fully
reimbursed payment-card charges will imminently lead to identity theft lacks
logical support and falls squarely within the class of claims that Clapper rejected as
incapable of supporting standing. See 133 S. Ct. at 1148 (discussing speculative
chain of inferences plaintiffs invoked in attempting to demonstrate injury). The
Third Circuit explained precisely this point:
As we stated in [Storino v. Borough of Point Pleasant Beach, 322 F.3d 293, 297-98 (3d Cir. 2003)], “one cannot describe how the [plaintiffs] will be injured without beginning the explanation with the word ‘if.’ The prospective damages, described by the [plaintiffs] as certain, are, in reality, conjectural. Similarly, we cannot now describe how Appellants will be injured in this case without beginning our explanation with the word “if”: if the hacker read, copied, and understood the hacked information, and if the hacker attempts to use the information, and if he does so successfully, only then will Appellants have suffered an injury.
Reilly v. Ceridian Corp., 664 F.3d 38, 43 (3d Cir. 2011) (citation omitted; second and
third brackets and emphases in original); accord id. at 44 (“Appellants’ string of
hypothetical injuries do not meet the requirement of an ‘actual or imminent’
injury.”).
4 Plaintiffs also point to a phishing call received by one plaintiff, Ms. Frank. Br. 14. As explained below, the alleged phishing incident occurred only after Ms. Frank publicly filed a complaint in federal court alleging that her debit card had been exposed, and that she had “experienced fraudulent charges on her debit card.” Infra, pp. 41-42. In fact, the allegations about the phishing call make clear that it is not traceable to the Neiman Marcus data incursion. Id. And, in any event, as the district court explained, an allegation that one plaintiff received a phishing call, “which, if she had disclosed private information, might have led to future identity theft,” is “sufficient neither to establish a ‘certainly impending’ risk of identity theft, nor to qualify as a ‘concrete’ injury for purposes of standing.” A8 n.1.
b) Pisciotta Does Not Support Standing Here.
Plaintiffs also argue that this Court’s decision in Pisciotta supports their
standing argument. Br. 7-8, 14-15, citing Pisciotta v. Old Nat. Bancorp, 499 F.3d
629 (7th Cir. 2007). In that case, the Court considered claims based on theft of
information that included “name, address, social security number, driver’s license
number, date of birth, mother’s maiden name and credit card or other financial
account numbers,” id. at 631—that is, highly sensitive personal identifying
information well beyond the payment card information stolen from Neiman Marcus.
The Court then sua sponte assessed plaintiffs’ standing in light of these facts, and
determined that the plaintiffs’ allegations of loss of such sensitive personal data
were sufficient to create standing, id. at 633—though these allegations of purported
injury were insufficient to avoid judgment on the pleadings, id. at 639 (“Without
more than allegations of increased risk of future identity theft, the plaintiffs have
not suffered a harm that the law is prepared to remedy.”).
Pisciotta does not support standing for plaintiffs here. As the district court
explained, Pisciotta cannot be read to hold that “any marginal increase in the risk of
future injury is sufficient to confer Article III standing.” A5 (emphasis in original).
“Though it does not expressly say so, Pisciotta was constrained by the ‘certainly
impending’ standard,” which was governing law at that time, and which has been
recently reiterated in Clapper and Susan B. Anthony List. Id. Pisciotta is thus
properly read to be consistent with that standard—not to expand Article III
standing to encompass mere “allegations of possible future injury.” Clapper, 133 S.
Ct. at 1147 (citation, brackets, and internal quotation marks omitted; emphasis in
original).
The result in Pisciotta is thus explained not by a different standard for data
incursion cases, but by the allegations there—allegations that are markedly
different from plaintiffs’ here. The information at issue in Pisciotta included highly
sensitive personal data such as social security numbers and birth dates. And, as
the district court explained, that highly sensitive data was “actually stolen (at the
very least, the Court’s analysis assumed as much). At issue with respect to the
plaintiffs’ injury, then, was whether and how likely the stolen data would actually
be misused.” (A5). By contrast here, there is no indication that personal
information beyond payment card data was exposed—much less “actually stolen.”
In the words of the district court, “this is a principled distinction that could justify
holding that Pisciotta satisfied the ‘certainly impending’ standard,” while plaintiffs’
allegations do not. (A6). In any event, to the extent that Pisciotta can be read to
support standing when plaintiffs fail to allege “clearly impending” harm—as
plaintiffs here have failed to do—it is inconsistent with Clapper and other
controlling cases.
c) The District Court Correctly Held That Plaintiffs Had Not Alleged That Any Identity Theft Was Certainly Impending.
Plaintiffs further argue that the district court erred because it supposedly
“dismissed all named Plaintiffs’ claims—even claims of those Plaintiffs who have
been told their information was compromised in the data breach and who have
suffered fraudulent charges and/or phishing as a result—because other unidentified
‘customers’ who are not members of the class may not have been affected by the
Data Breach.” Br. 14. They argue that their claims should not have been dismissed
because they “have been told their information was compromised in the data
breach” and that they “actually received notices from Neiman Marcus confirming”
that their data was actually stolen. Br. 13-14. This argument both errs in its
recitation of the facts and misreads the district court opinion.
First, as a factual matter, plaintiffs are wrong to state that Neiman Marcus
informed any plaintiff that her personal information was “actually stolen.” As
described above, Neiman Marcus gave notice of the security incident to every
customer who shopped at Neiman Marcus in 2013, in a store or online, for whom
Neiman Marcus had contact information, whether or not that customer’s
information was even potentially at risk, and these notices did not state that the
recipients’ personal information—including plaintiffs’ payment card data—was
actually compromised. (R.36-1:19). The only connection plaintiffs have alleged
between the fraudulent charges on their cards and the Neiman Marcus data
incursion is timing—i.e., the fraudulent charges occurred after the data incursion.5
Even so, however, the district court read plaintiffs’ FAC liberally to “permit
the inference that these 9,200 customers did indeed have their data stolen as a
result of the cyber-attack on Defendant.” (A6-7).6 The court nonetheless dismissed
the claims because, even accepting an inference that plaintiffs’ payment card data
was stolen, the FAC failed to establish any certainly impending identity theft—
because plaintiffs failed to allege how payment card data would or even could be
used to support identity theft. (A3-8). Thus, the court did not, as plaintiffs contend,
dismiss the claims “because other unidentified ‘customers’ who are not members of
the class may not have been affected by the Data Breach,” Br. 14, but because
plaintiffs have failed to allege certainly impending future harm of identity theft.
5 Plaintiffs contend that they “allege at multiple points in the FAC that their information actually was stolen in the Data Breach.” Br. 13-14 (citing FAC ¶¶ 4, 6, R.27:3-4). Their characterization of the FAC is incorrect. The cited paragraphs simply state that plaintiffs used payment cards to shop at Neiman Marcus, subsequently experienced fraudulent charges or other indications that their payment card data had been compromised, and received a notice from Neiman Marcus about the data incursion.
6 As explained further in Part I.C, infra, Neiman Marcus disputes that inference. While the fraudulent charges occurred after the Neiman Marcus data incursion, they also occurred after attacks on the data security of other major retailers affecting millions of cardholders.
Because plaintiffs have entirely failed to establish that any injury from
identity theft is imminent, their case is distinguishable from the cases on which
they rely. In Adobe, the plaintiffs’ personal information—including “names,
usernames, passwords, email addresses, phone numbers, mailing addresses, and
credit card numbers and expiration dates” had been actually stolen. 2014 WL
4379916, at *8. Additionally, the data stolen from Adobe had already been further
disclosed on the internet, and had already been misused to attack Adobe itself. Id.
It was in these circumstances—where plaintiffs’ personal data was actually stolen,
and some data stolen from Adobe had actually been misused—that the court
concluded that plaintiffs faced a “certainly impending” threat of harm. Id. Here,
by contrast, the only data that was exposed was payment card data, not broader
personal information, and there is no evidence or allegation that any plaintiff’s data
was actually stolen or misused.
Similarly, in Krottner v. Starbucks Corp., a physical laptop containing
plaintiffs’ unencrypted data, including names, addresses and social security
numbers, was actually stolen. 628 F.3d 1139, 1140 (9th Cir. 2010). In other words,
the plaintiffs alleged that their most sensitive personal data had been removed from
the defendant’s control, and was freely available to the thief. Again, the record here
shows no comparable violation—but establishes only that payment card data was
exposed. There is no indication that social security numbers or other highly
sensitive information was exposed, much less actually stolen.7
7 While Krottner is factually distinguishable from this case, it is also notable that the Ninth Circuit opined that “the possibility of future injury may be sufficient to confer standing on plaintiffs” in some circumstances. 628 F.3d at 1142. Clapper, of course, says the opposite. See 133 S. Ct. at 1147 (“[a]llegations of possible future injury are not sufficient”) (citation and internal quotation marks omitted; emphasis and brackets in original).
In cases similar to this one, where the plaintiff alleges no particularized facts
to show “certainly impending” identity theft, courts routinely dismiss the claim for
lack of standing. See, e.g., Barnes & Noble, 2013 WL 4759588, at *5 (unsupported
“claim of actual injury in the form of increased risk of identity theft is insufficient to
establish standing” because “speculation of future harm does not constitute actual
injury”); Strautins v. Trustwave Holdings, Inc., No. 12 C 09115, 2014 WL 960816, at
*4 (N.D. Ill. Mar. 12, 2014) (plaintiff who failed to “allege[] facts that would
plausibly establish an ‘imminent’ or ‘certainly impending’ risk that she will be
victimized” by identity theft or fraud likewise lacked standing).8 The district court
correctly held that the same result obtains here.
B. Plaintiffs Have Alleged No Cognizable Present Injury.
Plaintiffs also contend that the data incursion “has already resulted in real
and palpable harm to members of the Class.” Br. 15. None of the purported
“harms” plaintiffs allege, however, qualifies as “actual” injury-in-fact sufficient to
establish standing.
8 See also Galaria v. Nationwide Mut. Ins. Co., 998 F. Supp. 2d 646, 2014 WL 689703, at *5 (S.D. Ohio Feb. 10, 2014) (“an increased risk of identity theft, identity fraud, medical fraud or phishing is not itself an injury-in-fact because Named Plaintiffs did not allege—or offer facts to make plausible—an allegation that such harm is ‘certainly impending.’”); Hammond, 2010 WL 2643307, at *7 (no standing where unencrypted data lost by transport company); see also Reilly, 664 F.3d at 43 (no standing based on future injury where hacker allegedly stole data); Amburgy v. Express Scripts, Inc., 671 F. Supp. 2d 1046, 1052–53 (E.D. Mo. 2009) (alleged increased risk for identity theft due to hacker accessing information insufficient to show injury); Allison v. Aetna, Inc., Civ. A. No. 09-2560, 2010 WL 3719243, at *5 (E.D. Pa. Mar. 9, 2010) (“alleged injury of an increased risk of identity theft is far too speculative” to provide standing).
1. Reimbursed Fraudulent Charges Do Not Constitute Present Injury.
As explained above, plaintiffs’ claims that they would suffer fully reimbursed
fraudulent charges on their credit cards in the future do not establish concrete
injury sufficient to create standing. For the same reason, their claim of present
injury from fully reimbursed fraudulent charges that have already occurred equally
fails. Plaintiffs now contend that, even if the reimbursed charges do not constitute
injury-in-fact, they “allege that the loss of time and money spent to resolve
fraudulent charges, to obtain replacement cards, and to monitor their accounts for
additional fraud constitutes actual injury.” Br. 17. However, as the district court
explained, “the complaint contains no meaningful allegations as to what precisely
the costs incurred to mitigate the risk of future fraudulent charges were. … If the
complaint is to credibly claim standing on this score, it must allege something that
goes beyond such de minimis injury.” (A8).
Plaintiffs also contend that they have established injury-in-fact by alleging
that they spent money for credit monitoring to prevent identity theft. Br. 17-18.
But, as the district court explained, this is an attempt at impermissible
bootstrapping: “[T]he complaint does not adequately allege that the risk of identity
theft is sufficiently imminent to confer standing. So long as that is the case, the
‘time and money spent to mitigate’ claim as to the risk of identity theft … is not a
cognizable Article III injury.” (A9). Indeed, the Supreme Court made much the
same point in Clapper: “[R]espondents cannot manufacture standing merely by
inflicting harm on themselves based on their fears of hypothetical future harm that
is not certainly impending.” 133 S. Ct. at 1151. Because plaintiffs have not
satisfied Article III by alleging any certainly impending identity theft, they cannot
“manufacture standing” by paying to avoid the speculative risk of identity theft.
2. Plaintiffs’ “Overpayment” Theory Finds No Support in the Law.
Plaintiffs allege that they suffered injury-in-fact by overpaying for the goods
that they allegedly purchased from Neiman Marcus. (See FAC ¶ 15, R.27:6-7; Br.
18-22.) Plaintiffs cannot allege that the products they purchased from Neiman
Marcus were defective, that the value of the products they purchased was
diminished in any way as a result of the data incursion, or that Neiman Marcus
charged more to customers paying by card than by cash. Their theory therefore
fails.
As the district court explained, the theory of injury by overpayment makes
sense only if the product that was purchased “possessed some sort of deficiency.”
A9. “[A] vital limiting principle to this theory of injury is that the value-reducing
deficiency is always intrinsic to the product at issue.” Id. The logic breaks down,
however, if the allegation is that the condition of the store—as distinct from the
product—is deficient. In such circumstances, whatever harm the plaintiff may
allege from the retailer’s purported misconduct is not related to the price that the
plaintiff has paid for the product, and does not support a claim of overpayment.
It is therefore unsurprising that the authorities plaintiffs rely on all adhere
to this “vital limiting principle,” and concern overpayment where the alleged defect
was intrinsic to the product. In In re Aqua Dots Prods. Liab. Litig., plaintiffs
alleged that they were injured by purchasing defective beads that could cause
severe injury and death to children if ingested. 654 F.3d 748, 749-50 (7th Cir.
2011). The court found that plaintiffs suffered financial injury because their
payments for the toys were made on the understanding that the toys were safe, and
without knowledge that the toys were defective. Id. at 751. Similarly, in Chicago
Faucet Shoppe, Inc. v. Nestle Waters N. Am. Inc., the plaintiff had suffered an injury
by overpayment where defendant had represented that the water it sold to plaintiff
was “natural spring water” that was in reality municipal tap water. 12 C 08119,
2014 WL 541644, at *3 (N.D. Ill. Feb. 11, 2014). And in Muir v. Playtex Prods. LLC,
plaintiff alleged that he was injured by paying for an indisputably key feature of a
diaper disposal product (“Proven #1 in Odor Control”) when tests revealed that
other products controlled odors better. 983 F. Supp. 2d 980, 986 (N.D. Ill. 2013).9
In stark contrast to these cases, plaintiffs here do not allege that the products they
purchased are defective or different than advertised.
9 The other cases cited by plaintiffs likewise involve alleged overpayment where the deficiency was intrinsic to the product. See Maya v. Centex Corp., 658 F.3d 1060, 1069 (9th Cir. 2011) (finding injury where houses purchased by plaintiffs had less value because developer misrepresented character of neighborhood); Lipton v. Chattem, Inc., No. 11 C 2952, 2012 WL 1192083, at *3–4 (N.D. Ill. Apr. 10, 2012) (finding injury where plaintiff unknowingly bought product containing hexavalent chromium, which can cause adverse health effects); Askin v. Quaker Oats Co., 818 F.Supp.2d 1081, 1084 (N.D. Ill. 2011) (finding that plaintiff paid more for products labeled as “wholesome” and “heart healthy” than he would have had he known that the products contained trans fats.). And Bridenbaugh v. Freeman-Wilson is a dormant commerce clause challenge to a state excise tax on liquor justified by the 21st Amendment—not a case involving the “payment of a premium price for a certain wine,” as the plaintiffs claim (Plaintiffs’ Br. at 19–20)—and is thus clearly inapposite. 227 F.3d 848, 849–50 (7th Cir. 2000).
Notably, plaintiffs’ exact overpayment theory has been rejected by two recent
decisions in the Northern District of Illinois, in addition to the district court in this
matter. In Barnes & Noble, Judge Darrah found that plaintiffs’ allegation that
“they overpaid for the products and services purchased from Barnes & Noble,
because they were paying for the security measures Barnes & Noble was supposed
to employ to protect credit and debit transactions” was insufficient to grant
standing because plaintiffs “have not pled that Barnes & Noble charged a higher
price for goods whether a customer pays with credit, and therefore, that additional
value is expected in the use of a credit card.” 2013 WL 4759588, at *5. Similarly, in
Moyer v. Michaels Stores, Inc., Judge Bucklo dismissed plaintiffs’ case after finding
that their allegation that they “overpaid for goods that Michaels supposedly priced
to reflect the added cost of protecting credit and debit card information” was
insufficient “to support an inference that Michaels charged customers a premium
for data security protection.” No. 14 C 561, 2014 WL 3511500, at *7 (N.D. Ill. July
14, 2014). As in Barnes & Noble and Moyer, plaintiffs’ allegations here are
insufficient to establish that plaintiffs overpaid for products they purchased.
3. Allegations of loss of control and value of payment card data are insufficient to show injury.
Plaintiffs also allege that they suffered “loss of control over, and loss of value
of, their private information.” Br. 22. This is no more than a recapitulation of
plaintiffs’ arguments regarding future harms and is likewise insufficient to confer
standing. The only situation in which such “loss of control” would constitute an
independent injury is if that loss of control prevented plaintiffs from realizing some
gain from their personal information that they would otherwise receive. See Barnes
& Noble, 2013 WL 4759588, at *5 (“Actual injury of this sort is not established
unless a plaintiff has the ability to sell his own information and a defendant sold
the information.”). The Barnes & Noble court explained that where plaintiffs “do
not allege their personal information was sold, nor do they allege the information
could be sold by Plaintiffs for value . . . there is no actual injury and therefore, no
standing based on deprivation of the value of the Plaintiffs’ PII.” Id.
Here, plaintiffs do not even allege that Neiman Marcus sold their personal
information. Nor do plaintiffs allege that they could have sold their own payment
card information for value. Thus, they have failed to show that they have been
deprived of any value whatsoever as a result of the cyber-security intrusion at
Neiman Marcus.10
Of course, some information could be so intensely private, such as sexual
preferences or medical information, that its exposure is in itself harmful, as the tort of
public disclosure of private facts has long recognized. In contrast to such sensitive
personal data, payment card information—handed out to waiters and websites the
world over—hardly qualifies as such intensely private information whose release
would be generally harmful. Indeed, payment card information is not inherently
connected to individuals in any long-term sense, and payment cards can be
cancelled and re-issued in ways that truly personal, private information cannot.
10 In re Facebook Privacy Litig., which plaintiffs cite, is not to the contrary. 12-15619, 2014 WL 1815489 (9th Cir. May 8, 2014). In that case, as a review of the district court opinion makes clear, plaintiffs alleged that defendant wrongfully divulged to advertisers their identities and the names of websites that they visited. 791 F. Supp. 2d 705, 711–12 (N.D. Cal. 2011). Because plaintiffs here do not, and cannot, allege that they could have sold their payment card information for value, In re Facebook Privacy Litig. is not applicable.
4. Plaintiffs’ allegations that Neiman Marcus violated the California and Illinois data breach laws are insufficient to grant standing.
Plaintiffs argue that, regardless of injury in fact, they have “statutory
standing” to bring claims under the California Customer Records Act and the
Illinois Personal Information Protection Act. Br. 23-25. This argument is doubly
wrong.
First, the injury-in-fact requirement is part of the “irreducible constitutional
minimum” necessary for a federal court to exercise jurisdiction under Article III.
Lujan, 504 U.S. at 560. Even if a state law purported to confer standing on a
plaintiff seeking relief from a federal court, the conferral would be ineffective: no
state law can override Article III’s limitation on federal judicial power.11
11 The Court’s decision in Sterk v. Redbox Automated Retail LLC, 770 F.3d 618 (2014), is not to the contrary. The Court there explained that while federal law may define what constitutes injury, it “may not lower the threshold for standing below the minimum requirements imposed by the Constitution.” Id. at 623. The federal statute at issue in Sterk defined a legally protected interest, the “technical violation” of which constituted an injury under Article III. Id. The state statutes asserted by plaintiffs, however, do not provide that “technical violation” constitutes injury.
Second, and in any event, state statutes that plaintiffs point to do not purport
to confer standing in the absence of injury, but instead require plaintiffs to
demonstrate injury in order to have standing to sue. In California, Cal. Civ. Code
§ 1798.84(b), which plaintiffs claim grants them standing, “does not allow a cause of
action based solely upon a failure to comply with the statute. Rather, the law
expressly requires an injury resulting from a violation.” Boorstein v. CBS
Interactive, Inc., 222 Cal. App. 4th 456, 467 (2013). This is true regardless of the
remedies sought. Id. at 466-67.
Plaintiffs allege that they were injured by Neiman Marcus’s alleged
violations of three provisions of the Customer Records Act, but they explain only
one—Neiman Marcus’s alleged failure to include some of the information required
by Cal. Civ. Code § 1798.82(d) in the notification letters they received. Br. 24.
Plaintiffs do not claim that this alleged violation led them to suffer an actual injury,
economic or otherwise, but simply that the lack of information itself constitutes an
injury because they were “deprived of disclosures they [were] statutorily entitled to
receive.” Br. 24. However, the California courts squarely foreclose such a claim: an
allegation of “‘deprivation of . . . information,’ standing alone, is not a cognizable
injury.” Price v. Starbucks Corp., 192 Cal. App. 4th 1136, 1143 (2011); see Boorstein
222 Cal. App. 4th at 472, (2013) (noting lack of any California cases recognizing
“informational injury” as a cognizable injury). Instead, plaintiffs must also allege
that they suffered “an injury arising from the missing information.”12 Price, 192
Cal. App. 4th at 1143.
12 In both of the cases cited by Plaintiffs that actually found standing due to informational injury, plaintiffs alleged they suffered some harm as a result of the deprivation of information. See Federal Election Com’n v. Akins, 524 U.S. 11, 19, 21 (1998) (Congress had specifically created cause of action to challenge campaign disclosures and plaintiffs claimed “the information would help them . . . evaluate candidates for public office”); Havens Realty Corp. v. Coleman, 455 U.S. 363, 372-73 (1982) (plaintiffs sought the information in order to collect evidence of “unlawful steering practices” by landlords).
Similarly, plaintiffs argue that appellant Remijas has standing to bring
claims under the Illinois Personal Information Protection Act, 815 ILCS 530/1 et
seq. (“PIPA”). PIPA does not create a private right of action, but a consumer
alleging a violation of PIPA may sue under the Illinois Consumer Fraud and
Deceptive Business Practices Act, 815 ILCS 505/1 et seq. (“Consumer Fraud Act”).
Illinois courts are clear that “[p]rivate individuals have standing to litigate a
violation [of the Consumer Fraud Act] only if they have actual damages.” People ex
rel. Madigan v. United Const. of Am., 981 N.E.2d 404, 411 (1st Dist. 2012); see also
Mem. Op. & Order, Vides v. Advocate Health & Hospitals Corp., No. 13-CH-2701, at
17-18 (9th Cir. May 27, 2014) (holding that a violation of PIPA, by itself, is
insufficient to grant standing). Plaintiffs’ argument that a violation of PIPA is
enough to grant standing flies in the face of black-letter Illinois law, and should be
rejected.
C. No Alleged Injury Can Be Fairly Traced to Action by Neiman Marcus.
Even if the injuries allegedly suffered by plaintiffs were sufficient to establish
injury in fact, which they are not, plaintiffs cannot show that the alleged injuries
are fairly traceable to action by Neiman Marcus. See, e.g., Clapper, 133 S. Ct. at
1147. Importantly, plaintiffs have not pled that their alleged injuries were directly
or indirectly caused by actions taken by Neiman Marcus. In fact, two of the four
plaintiffs, Ms. Frank and Ms. Farnoush, fail to allege a purchase during a time
when the malware was active on Neiman Marcus systems, and therefore fail even to
allege a mechanism by which any action by Neiman Marcus could have caused
injury to them. (Compare FAC ¶¶ 4-5, R.27:3, with R.36-1:19). A third plaintiff,
Ms. Remijas, does not allege that any unauthorized charges ever appeared on the
account linked to the card she used at Neiman Marcus.
Nor does the FAC allege any facts that would establish that any injury
experienced by any plaintiff was the result of the cyber attack at Neiman Marcus,
as opposed to some other mechanism by which plaintiffs’ payment card information
may have been compromised. Plaintiffs’ payment card information could have been
compromised in a variety of ways that have nothing to do with Neiman Marcus—for
example, plaintiffs could have submitted the information on a website that is not
secure, the information could have been memorized and misused by an
unscrupulous store clerk or waiter at a different establishment, or plaintiffs may
have discarded a document with their payment card information printed thereon
without shredding it first.
In addition to these mechanisms by which payment card information can be
compromised at any time, there were several major data security incidents, entirely
unrelated to Neiman Marcus, announced around the end of 2013 and beginning of
2014 that could well have been the mechanism by which plaintiffs’ payment card
information was compromised, if in fact it was compromised. As Neiman Marcus
showed in its Memorandum in support of dismissal, Target, a major retailer,
announced that it had suffered the largest of these breaches on December 19, 2013,
stating that approximately forty million credit and debit card numbers may have
been impacted by its breach. (R.36:16 & n.10 (quoting Press Release, Target
Corporation, Target Confirms Unauthorized Access to Payment Card Data in U.S.
Stores (Dec. 19, 2013), available at http://pressroom.target.com/news/target-confirms-unauthorized-access-to-payment-card-data-in-u-s-stores)). These breaches
led financial institutions, including those used by plaintiffs, to replace millions of
credit and debit cards in the first two weeks of January 2014. See id. at 16-17
(quoting Transcript, Q4 2013 JPMorgan Chase & Co. Earnings Conference Call
(Jan. 14, 2014) (JAMIE DIMON: “We have replaced 2 million debit and credit cards
I think by the end of this week, to protect our customers.”), available at
http://seekingalpha.com/article/1944961-jpmorgan-chase-ceo-discusses-q4-2013-results-earnings-call-transcript?part=2). The two plaintiffs who allege that their
Chase payment cards were replaced—Ms. Frank and Ms. Kao—had those cards
replaced on or about January 10 and January 7, respectively (FAC ¶¶ 47, 55,
R.27:14-15), just as Chase was reissuing millions of payment cards potentially
affected by the Target breach. See id. The FAC does not state whether or not any
appellant shopped at Target or had her payment card information exposed in any
other manner, but neither does it allege any facts that, if true, would establish that
the compromise of any plaintiff’s payment card information was actually caused by
the data incursion at Neiman Marcus. Accordingly, the FAC does not allege
anything more than a “mere coincidence in timing,” which is insufficient to
establish that any alleged injury is traceable to Neiman Marcus. See Hammond,
2010 WL 2643307, at *5, 13.
The FAC’s allegations that one plaintiff, Ms. Frank, experienced a “phishing”
incident highlight their inability to show that any injury they suffered is fairly
traceable to Neiman Marcus’s conduct. The FAC states:
In March 2014, Frank suffered a “phishing” incident on her cell phone. Armed with information about her deactivated Chase debit card, the caller tried to coax her into providing additional PCD. On information and belief, the caller’s goal was to conduct additional fraud and/or identity theft using Frank’s Private information.
(FAC ¶ 51, R.27:15). As explained above, this incident does not constitute injury
because there is no indication that Ms. Frank actually suffered identity theft or any
monetary damage as a result of the incident. In addition, the claimed harm is not
fairly traceable to Neiman Marcus, because the information allegedly held by Ms.
Frank’s caller could not have been obtained from Neiman Marcus—for several
reasons. First, there is no allegation that Neiman Marcus was notified by Ms.
Frank or Chase that Ms. Frank’s Chase debit card had been canceled—and indeed,
it was not so notified—so the caller must have obtained that information from
another source. Second, even if Chase and/or Ms. Frank had notified Neiman
Marcus that her card was canceled, that piece of information could not have been
stolen during the security incident, because the malware that caused the incursion
affected only payment card information, not communications with customers or
banks. Third, the malware stopped working in October 2013, several months before
Ms. Frank’s card was canceled, so it could not have captured any information about
the cancellation of Ms. Frank’s card, even had it been designed to do so. For these
reasons, the information about Ms. Frank’s canceled debit card could not have come
from Neiman Marcus. In contrast, that information was made publicly available by
Ms. Frank herself in the complaint she filed on January 13, 2014, in which she
stated that she “experienced fraudulent charges on her debit card.” Compl., Frank
v. Neiman Marcus Group, No.14-cv-233, at ¶ 7 (E.D.N.Y. Jan. 13, 2014). Any
person reading Ms. Frank’s complaint would know that she allegedly suffered a
fraudulent charge on her debit card, and could surmise that that card would
subsequently be canceled. For all these reasons, plaintiffs have failed to allege facts
sufficient to show that they have standing, and the FAC was properly dismissed.
II. IN THE ALTERNATIVE, THE COMPLAINT SHOULD BE DISMISSED UNDER RULE 12(b)(6) FOR FAILURE TO STATE A CLAIM.
Even if the district court had jurisdiction to hear plaintiffs’ claims—which, as
set forth above, it did not—dismissal of the FAC would nonetheless have been
required under Rule 12(b)(6). Under that rule, a motion to dismiss should be
granted if the complaint does not contain “enough facts to state a claim to relief that
is plausible on its face.” Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007). To
survive dismissal under Rule 12(b)(6), a plaintiff’s factual allegations must be
sufficient “to raise a right to relief above the speculative level.” Id. at 555. “[W]here
the well-pleaded facts do not permit the court to infer more than the mere
possibility” that the requisite elements are established, it stops short of crossing the
line from possibility to plausibility of entitlement to relief, Ashcroft v. Iqbal, 556
U.S. 662, 679 (2009), in which case “the inference of liability is merely speculative.”
Yeftich v. Navistar, Inc., 722 F.3d 911, 915 (7th Cir. 2013). All of plaintiffs’ causes
of action fail to meet this standard.13
In the district court, Neiman Marcus sought dismissal of all claims under
Rule 12(b)(6), demonstrating that the FAC failed to establish all elements of each
claim advanced—and in several cases that multiple elements were not established
by allegations in the FAC.14 Having determined that it lacked Article III
jurisdiction, the district court did not reach Neiman Marcus’s request for dismissal
for failure to state a claim. See Steel Co. v. Citizens for a Better Env’t, 523 U.S. 83,
94 (1998) (a court that lacks jurisdiction may not examine the merits of a claim).
However, if this Court were to hold that plaintiffs do have standing, the Court
would be free to affirm the district court’s judgment on alternate grounds that are
supported by the record. Camp v. TNT Logistics Corp., 553 F.3d 502, 505 (7th Cir.
2009). Thus, if standing were held to exist, the Court should still affirm because
plaintiffs have failed to state a claim.
13 The FAC alleges, inter alia, that Neiman Marcus violated the consumer protection laws of all fifty states and the District of Columbia, and that Neiman Marcus violated the data breach statutes of fourteen jurisdictions within the United States. (See FAC ¶¶ 106, 138, R.27:25, 34.) This brief will confine its analysis to the claims based in California, Illinois, and New York law, the only law potentially relevant to the claims of these individual plaintiffs.
14 R.36:18-22 (establishing that negligence claims must be dismissed for failure to allege injury and causation); id. at 23-25 (establishing that breach of implied contract claims must be dismissed for failure to allege an implied agreement and damages); id. at 25-29 (establishing that unjust enrichment claims must be dismissed for inadequate pleading and for failure to allege injury to plaintiffs (i.e., unjust enrichment to defendants)); id. at 29-32 (establishing that consumer protection claims under California, Illinois, and New York laws must be dismissed for failure to allege injury, causation, and deceptiveness); id. at 32-35 (establishing that invasion of privacy claims must be dismissed for failure to allege invasion of privacy, egregious breach of social norms, and injury); id. at 35-36 (establishing that claims of violation of data breach acts of California and Illinois must be dismissed for failure to allege injury).
Every theory of liability that plaintiffs advance requires them to allege that
they were injured as a result of Neiman Marcus’s conduct.15 This is hardly
surprising: the purpose of civil litigation is to provide a legal forum for the redress
of injuries. Cf. Marbury v. Madison, 5 U.S. (1 Cranch) 137, 163 (1803) (“The very
essence of civil liberty certainly consists in the right of every individual to claim the
protection of the laws, whenever he receives an injury.”). No legal theory or
authority supports the awarding of relief to an uninjured plaintiff.
As explained in Part I, above, plaintiffs here have not alleged any cognizable
injury. They have failed to allege injury from past or future fraudulent charges on
their payment cards because they do not and cannot allege that any such charges
were not fully reimbursed. They have failed to allege future injury from identity
theft because their claims as to identity theft are entirely speculative. They have
failed to allege injury from overpayment for retail goods because they allege no facts
to suggest any defect in the goods they received. In sum, plaintiffs have not alleged
injury sufficient to state a claim under any of their proposed theories. Whether
dismissal is pursuant to Rule 12(b)(1) or Rule 12(b)(6), plaintiffs’ claims should be
dismissed.
15 On negligence (Count I), see, e.g., In re Sony Gaming Networks and Customer Data Sec. Breach Litig. __ F.Supp.2d __, MDL No. 11-md-2258, 2014 WL 223677, at *10 (S.D. Cal. Jan. 21, 2014); Hammond, 2010 WL 2643307, at *9; Wilkins v. Williams, 991 N.E. 2d 308, 312 (Ill. 2013). On breach of implied contract (Count II), see, e.g., Navellier v. Sletten, 106 Cal. App. 4th 763, 775 (2003); Wesley-Jessen Inc. v. Reynolds, No. 72 C 1677, 1974 WL 20197, at *14 (N.D. Ill. May 23, 1974); Hammond, 2010 WL 2643307, at *11. On unjust enrichment (Count III), see, e.g., Peterson v. Cellco P’ship, 164 Cal.App.4th 1583, 1593 (Cal. Ct. App. 2008); HPI Health Care Servs., Inc. v. Mt. Vernon Hosp., Inc., 131 Ill.2d 145, 160, 545 N.E.2d 672, 679 (Ill. 1989); Goel v. Ramachandran, 975 N.Y.S.2d 428, 437 (N.Y. App. Div. 2013). On the consumer protection laws of California, Illinois, and New York (Count IV), see, e.g., Kwikset Corp. v. Super. Ct., 51 Cal.4th 310, 322 (2011); Martis v. Pekin Mem’l Hosp. Inc., 395 Ill. App. 3d 943, 949 (2009); Stutman v. Chem. Bank, 95 N.Y.2d 24, 29 (2000). On invasion of privacy under California law (Count V), see, e.g., Cohen v. Facebook, Inc., 798 F.Supp.2d 1090, 1097 (N.D. Cal. 2011). On the California and Illinois Data Breach Acts (Count VI), see, e.g., Price, 192 Cal. App. 4th at 1143; Martis, 395 Ill.App.3d at 949.
Indeed, this is clear from the cases on which plaintiffs themselves rely. For
example, as discussed above, this Court in Pisciotta (cited at Br. 7, 8, 10, 15)
determined that the plaintiffs had adequately alleged future injury to establish
Article III standing. Beyond the requirements of Article III, however, plaintiffs
were required to allege compensable injury in order to state a claim for negligence
and breach of implied contract under Indiana law. Pisciotta, 499 F.3d at 635. This
Court held that they failed to do so: the supposed injury of “data exposure” did not
give rise to a right to relief on the merits. Id. at 636. Thus, the Court explained,
“[w]ithout more than allegations of increased risk of future identity theft, the
plaintiffs have not suffered a harm that the law is prepared to remedy.” Id. at 639.
Likewise, in Moyer (cited at Br. 13), the court concluded that plaintiffs had
alleged imminent, non-speculative harm from identity theft sufficient to satisfy
Article III. 2014 WL 3511500, at *5-6. But the plaintiffs’ complaint was still
dismissed because their allegations of an increased risk of identity theft were
insufficient to state a claim: “Here, as in Pisciotta, Plaintiffs’ claims must be
dismissed because they have failed to plead a required element of their Illinois law
claims for breach of contract and consumer fraud: actual monetary damages.” Id. at
*7. Thus, the court concluded, “although Plaintiffs have standing, they have not
pled the type of actual economic damage necessary to state Illinois law claims for
breach of implied contract … or violation of the Consumer Fraud Act.” Id.
To the extent the Court determines that plaintiffs here have standing, the
same analysis applies to their claims. Because plaintiffs have not alleged and
cannot allege that they have been injured as a result of any Neiman Marcus action
in connection with the data incursion, they have failed to state a claim under each
and every theory of liability they have advanced.
CONCLUSION
For the foregoing reasons, the judgment of the district court should be
affirmed.
DATED: December 5, 2014
Respectfully submitted,
s/ David H. Hoffman
David H. Hoffman
Tacy F. Flint
Daniel C. Craig
Sidley Austin LLP
One South Dearborn
Chicago, IL 60603
Tel: (312) 853-7000
Fax: (312) 853-7036
CERTIFICATE OF COMPLIANCE WITH TYPE-VOLUME LIMITATION, TYPEFACE REQUIREMENTS,
AND TYPE STYLE REQUIREMENTS
1. This brief complies with the type-volume limitation of Fed. R. App. P. 32(a)(7)(B) because it contains 12,912 words, excluding the parts of the brief exempted by Fed. R. App. P. 32(a)(7)(B)(iii).
2. This brief complies with the typeface requirements of Fed. R. App. P. 32(a)(5) and the type style requirements of Fed. R. App. P. 32(a)(6) because it has been prepared in a proportionally spaced typeface using Microsoft Word 2007 in plain, twelve-point Century Schoolbook.
s/ Daniel C. Craig
Attorney for The Neiman Marcus Group LLC
Dated: December 5, 2014
CERTIFICATE OF SERVICE
I hereby certify that on December 5, 2014, the Brief of Defendant-Appellee
The Neiman Marcus Group LLC was filed with the Clerk of the Court for the
United States Court of Appeals for the Seventh Circuit by using the appellate
CM/ECF system.
The following attorneys are registered CM/ECF users and will be served by
the appellate CM/ECF system:
Joseph Siprut
SIPRUT PC
Suite 1850
17 N. State Street
Chicago, IL 60602
s/ Daniel C. Craig
Attorney for The Neiman Marcus Group LLC
Dated: December 5, 2014