HILARY REMIJAS, on behalf of herself and all others similarly situated, et al., Plaintiffs-Appellants,
NEIMAN MARCUS GROUP, LLC, Defendant-Appellee
Argued January 23, 2015.
Appeal from the United States District Court for the Northern District of Illinois, Eastern Division. No. 14 C 1735. -- James B. Zagel, Judge.
For HILARY REMIJAS, on behalf of herself and all others similarly situated, Melissa Frank, Debbie Farnoush, JOANNE KAO, on behalf of herself and all others similarly situated, Plaintiffs - Appellants: Theodore W. Maya, Attorney, Ahdoot & Wolfson, PC West Hollywood, CA; Joseph Siprut, Attorney, Siprut PC, Chicago, IL; Tina Wolfson, Attorney, Ahdoot b Wolfson, PC, West Hollywood, CA.
For NEIMAN MARCUS GROUP, LLC, a Delaware limited liability company, Defendant - Appellee: Daniel Craig, Tacy Fletcher Flint, David H. Hoffman, Sidley Austin Llp, Chicago, IL.
Before WOOD, Chief Judge, and KANNE and TINDER, Circuit Judges.
Wood, Chief Judge.
Sometime in 2013, hackers attacked Neiman Marcus, a luxury department store, and stole the credit card numbers of its customers. In December 2013, the company
learned that some of its customers had found fraudulent charges on their cards. On January 10, 2014, it announced to the public that the cyberattack had occurred and that between July 16, 2013, and October 30, 2013, approximately 350,000 cards had been exposed to the hackers' malware. In the wake of those disclosures, several customers brought this action under the Class Action Fairness Act, 28 U.S.C. § 1332(d), seeking various forms of relief. The district court stopped the suit in its tracks, however, ruling that both the individual plaintiffs and the class lacked standing under Article III of the Constitution. This resulted in a dismissal of the complaint without prejudice. See Steel Co. v. Citizens for a Better Env't, 523 U.S. 83, 102, 118 S.Ct. 1003, 140 L.Ed.2d 210 (1998) (standing to sue is a threshold jurisdictional question); Hernandez v. Conriv Realty Assocs., 182 F.3d 121, 122 (2d Cir. 1999) (" [W]here federal subject matter jurisdiction does not exist, federal courts do not have the power to dismiss with prejudice ... ." ). We conclude that the district court erred. The plaintiffs satisfy Article III's requirements based on at least some of the injuries they have identified. We thus reverse and remand for further proceedings.
In mid-December 2013, Neiman Marcus learned that fraudulent charges had shown up on the credit cards of some of its customers. Keeping this information confidential at first (according to plaintiffs, so that the breach would not disrupt the lucrative holiday shopping season), it promptly investigated the reports. It discovered potential malware in its computer systems on January 1, 2014. Nine days later, it publicly disclosed the data breach and sent individual notifications to the customers who had incurred fraudulent charges. The company also posted updates on its website. Those messages confirmed several aspects of the attack: some card numbers had been exposed to the malware, but other sensitive information such as social security numbers and birth dates had not been compromised; the malware attempted to collect card data between July 16, 2013, and October 30, 2013; 350,000 cards were potentially exposed; and 9,200 of those 350,000 cards were known to have been used fraudulently. Notably, other companies had also suffered cyberattacks during that holiday season.
At that point, Neiman Marcus notified all customers who had shopped at its stores between January 2013 and January 2014 and for whom the company had physical or email addresses, offering them one year of free credit monitoring and identity-theft protection. On February 4, 2014, Michael Kingston, the Senior Vice President and Chief Information Officer for the Neiman Marcus Group, testified before the United States Senate Judiciary Committee. He represented that " the customer information that was potentially exposed to the malware was payment card account information" and that " there is no indication that social security numbers or other personal information were exposed in any way."
These disclosures prompted the filing of a number of class-action complaints. They were consolidated in a First Amended Complaint filed on June 2, 2014, by Hilary Remijas, Melissa Frank, Debbie Farnoush, and Joanne Kao. They sought to represent themselves and the approximately 350,000 other customers whose data may have been hacked. The complaint relies on a number of theories for relief: negligence, breach of implied contract, unjust enrichment, unfair and deceptive business practices, invasion of privacy,
and violation of multiple state data breach laws. It raises claims that exceed $5,000,000, and minimal diversity of citizenship exists, because Remijas is a citizen of Illinois, Frank is a citizen of New York, and Farnoush and Kao are citizens of California, while the Neiman Marcus Group LLC, once ownership is traced through several intermediary LLCs, is owned by N.M. Mariposa Intermediate Holdings Inc., a Delaware corporation with its principal place of business in Texas. The district court's ...