case no. 14-3122 united states court of … no. 14-3122 united states court of appeals ... i. the...

Case No. 14-3122

UNITED STATES COURT OF APPEALS

FOR THE SEVENTH CIRCUIT

HILARY REMIJAS, on behalf of herself and all others

similarly situated, et al.,

Plaintiffs-Appellants,

v.

THE NEIMAN MARCUS GROUP LLC, a Delaware limited liability company,

Defendant-Appellee.

Appeal from the United States District Court for the Northern District of Illinois,

Case No. 1:14-cv-01735, Hon. James B. Zagel

BRIEF OF DEFENDANT-APPELLEE THE NEIMAN MARCUS GROUP LLC

David H. Hoffman Tacy F. Flint

Daniel C. Craig SIDLEY AUSTIN LLP One South Dearborn Chicago, Illinois 60603 (312) 853-7000

Attorneys for Defendant-Appellee

Case: 14-3122 Document: 14 Filed: 12/05/2014 Pages: 60

CIRCUIT RULE 26.1 DISCLOSURE STATEMENT

Appellate Court No:

Short Caption:

To enable the judges to determine whether recusal is necessary or appropriate, an attorney for a non-governmental party oramicus curiae, or a private attorney representing a government party, must furnish a disclosure statement providing thefollowing information in compliance with Circuit Rule 26.1 and Fed. R. App. P. 26.1.

The Court prefers that the disclosure statement be filed immediately following docketing; but, the disclosure statement mustbe filed within 21 days of docketing or upon the filing of a motion, response, petition, or answer in this court, whichever occursfirst. Attorneys are required to file an amended statement to reflect any material changes in the required information. The textof the statement must also be included in front of the table of contents of the party's main brief. Counsel is required tocomplete the entire statement and to use N/A for any information that is not applicable if this form is used.

[ ] PLEASE CHECK HERE IF ANY INFORMATION ON THIS FORM IS NEW OR REVISED AND INDICATE WHICH INFORMATION IS NEW OR REVISED.

(1) The full name of every party that the attorney represents in the case (if the party is a corporation, you must provide thecorporate disclosure information required by Fed. R. App. P 26.1 by completing item #3):

(2) The names of all law firms whose partners or associates have appeared for the party in the case (including proceedingsin the district court or before an administrative agency) or are expected to appear for the party in this court:

(3) If the party or amicus is a corporation:

i) Identify all its parent corporations, if any; and

ii) list any publicly held company that owns 10% or more of the party’s or amicus’ stock:

Attorney's Signature: Date:

Attorney's Printed Name:

Please indicate if you are Counsel of Record for the above listed parties pursuant to Circuit Rule 3(d). Yes No

Address:

Phone Number: Fax Number:

E-Mail Address:

rev. 01/08 AK

14-3122

Remijas v. The Neiman Marcus Group, LLC

The Neiman Marcus Group LLC

Sidley Austin LLP

Neiman Marcus Group LTD LLC

N/A

s/ David H. Hoffman 12/5/2014

David H. Hoffman

Sidley Austin LLP

One South Dearborn, Chicago, IL 60603

312-853-2174 312-853-7036

[email protected]



Appellate Court No:

Short Caption:












Address:


E-Mail Address:

rev. 01/08 AK

14-3122

Remijas v. The Neiman Marcus Group, LLC


Sidley Austin LLP


N/A

s/ Tacy F. Flint 12/5/2014

Tacy F. Flint

Sidley Austin LLP


312-853-7875 312-853-7036

[email protected]



Appellate Court No:

Short Caption:












Address:


E-Mail Address:

rev. 01/08 AK

14-3122

Remijas v. The Neiman Marcus Group LLC


Sidley Austin LLP


N/A

s/ Daniel C. Craig 12/5/2014

Daniel C. Craig

Sidley Austin LLP


312-853-7370 312-853-7036

[email protected]


i

TABLE OF CONTENTS

JURISDICTIONAL STATEMENT ............................................................................... 1

STATEMENT OF THE CASE ....................................................................................... 2

I. Factual Background ................................................................................. 2

A. The Data Incursion ........................................................................ 2

B. Alleged Effects of the Data Incursion on Plaintiffs ...................... 4

II. Procedural History ................................................................................... 6

SUMMARY OF ARGUMENT ..................................................................................... 10

STANDARD OF REVIEW ........................................................................................... 13

ARGUMENT ................................................................................................................ 14

I. THE COMPLAINT WAS CORRECTLY DISMISSED UNDER RULE 12(B)(1) BECAUSE PLAINTIFFS LACK ARTICLE III STANDING. . 14

A. Plaintiffs Have Alleged No Future Injury That Is Both Concrete and Imminent. ............................................................................. 17

1. Plaintiffs’ Allegations of Future Fraudulent Charges Do Not Establish a Concrete Injury. ..................................... 17

2. Plaintiffs’ Allegations of Future Identity Theft Do Not Establish an Imminent Injury. ......................................... 20

a) The District Court Correctly Applied Clapper. ..... 20

b) Pisciotta Does Not Support Standing Here. .......... 25

c) The District Court Correctly Held That Plaintiffs Had Not Alleged That Any Identity Theft Was Certainly Impending. ............................................. 27

B. Plaintiffs Have Alleged No Cognizable Present Injury. ............. 30

1. Reimbursed Fraudulent Charges Do Not Constitute Present Injury. .................................................................. 31


ii

2. Plaintiffs’ “Overpayment” Theory Finds No Support in the Law. ................................................................................... 32

3. Allegations of loss of control and value of payment card data are insufficient to show injury. ................................ 34

4. Plaintiffs’ allegations that Neiman Marcus violated the California and Illinois data breach laws are insufficient to grant standing. .................................................................. 36

C. No Alleged Injury Can Be Fairly Traced to Action by Neiman Marcus. ......................................................................................... 38

II. IN THE ALTERNATIVE, THE COMPLAINT SHOULD BE DISMISSED UNDER RULE 12(B)(6) FOR FAILURE TO STATE A CLAIM. ................................................................................................... 42

CONCLUSION ............................................................................................................. 47


iii

TABLE OF AUTHORITIES

Page(s) CASES

Allison v. Aetna, Inc., 2010 WL 3719243 (E.D. Pa. Mar. 9, 2010) ............................................................ 30

Amburgy v. Express Scripts, Inc., 671 F. Supp. 2d 1046 (E.D. Mo. 2009) ................................................................... 30

Apex Digital, Inc. v. Sears, Roebuck & Co., 572 F.3d 440 (7th Cir. 2009) ............................................................................ 13, 14

Ashcroft v. Iqbal, 556 U.S. 662 (2009) ................................................................................................ 43

Askin v. Quaker Oats Co., 818 F.Supp.2d 1081 (N.D. Ill. 2011) ...................................................................... 33

Babbitt v. Farm Workers, 442 U.S. 289 (1979) .......................................................................................... 16, 22

Bankers Trust Co. v. Mallis, 435 U.S. 381 (1978) .................................................................................................. 1

Bell Atl. Corp. v. Twombly, 550 U.S. 544 (2007) .......................................................................................... 42, 43

Boorstein v. CBS Interactive, Inc., 222 Cal. App. 4th 456 (2013) .................................................................................. 37

Bridenbaugh v. Freeman-Wilson, 227 F.3d 848 (7th Cir. 2000) ............................................................................ 33, 34

Camp v. TNT Logistics Corp., 553 F.3d 502 (7th Cir. 2009) .................................................................................. 44

Chicago Faucet Shoppe, Inc. v. Nestle Water N. Am. Inc., 2014 WL 541644 (N.D. Ill. Feb. 11, 2014) ............................................................. 33

Clapper v. Amnesty Int’l USA, 133 S. Ct. 1138 (2013) ..................................................................................... passim

Cohen v. Facebook, Inc., 798 F.Supp.2d 1090 (N.D. Cal. 2011) .................................................................... 44


iv

DaimlerChrysler Corp. v. Cuno, 547 U.S. 332 (2006) ................................................................................................ 16

Federal Election Com’n v. Akins, 524 U.S. 11 (1998) .................................................................................................. 38

Frank v. Neiman Marcus Group, No.14-cv-233 (E.D.N.Y. Jan. 13, 2014) .................................................................. 42

Friends of the Earth, Inc. v. Laidlaw Envtl. Servs. (TOC), Inc., 528 U.S. 167 (2000) .......................................................................................... 15, 16

Galaria v. Nationwide Mut. Ins. Co., 998 F. Supp. 2d 646, 2014 WL 689703 (S.D. Ohio Feb. 10, 2014) ........................ 30

Goel v. Ramachandran, 975 N.Y.S.2d 428 (N.Y. App. Div. 2013) ................................................................ 44

Hammond v. Bank of New York Mellon Corp., 2010 WL 2643307 (S.D.N.Y. June 25, 2010) .................................................. passim

Havens Realty Corp. v. Coleman 455 U.S. 363 (1982) ................................................................................................ 38

HPI Health Care Servs., Inc. v. Mt. Vernon Hosp., Inc., 131 Ill.2d 145, 545 N.E.2d 672 (Ill. 1989) .............................................................. 44

In re Adobe Sys., Inc. Privacy Litig., 2014 WL 4379916 (N.D. Cal. Sept. 4, 2014) .............................................. 19, 28, 29

In re Aqua Dots Prods. Liab. Litig., 654 F.3d 748 (7th Cir. 2011) .................................................................................. 33

In re Barnes & Noble Pin Pad Litig., 2013 WL 4759588 (N.D. Ill. Sept. 3, 2013) .......................................... 17, 30, 34, 35

In re Facebook Privacy Litig., 791 F.Supp.2d 705 (N.D. Cal. 2011), affirmed in part and reversed in part, 572 Fed. Appx. 494 (9th Cir. 2014) .................................................................. 35, 36

In re Michaels Stores Pin Pad Litig., 830 F. Supp. 2d 518 (N.D. Ill. 2011) ...................................................................... 17

In re Sony Gaming Networks and Customer Data Sec. Breach Litig. __ F.Supp.2d __, 2014 WL 223677 (S.D. Cal. Jan. 21, 2014) ................................ 44


v

Johnson v. Orr, 551 F.3d 564 (7th Cir. 2008) .................................................................................. 14

Kaplan v. Shure Bros., Inc., 153 F.3d 413 (7th Cir. 1998) .................................................................................... 1

Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010) ................................................................................ 29

Kwikset Corp. v. Super. Ct., 51 Cal.4th 310 (2011) ............................................................................................. 44

Lipton v. Chattem, Inc., 2012 WL 1192083 (N.D. Ill. Apr. 10, 2012) ........................................................... 33

Lujan v. Defenders of Wildlife, 504 U.S. 555 (1992) .............................................................................. 15, 16, 20, 36

Marbury v. Madison, 5 U.S. (1 Cranch) 137 (1803) .................................................................................. 44

Martis v. Pekin Mem’l Hosp. Inc., 395 Ill. App. 3d 943 (2009) ..................................................................................... 44

Maya v. Centex Corp., 658 F.3d 1060 (9th Cir. 2011) ................................................................................ 33

MedImmune, Inc. v. Genentech, Inc., 549 U.S. 118 (2007) ................................................................................................ 22

Minn-Chem, Inc. v. Agrium Inc., 683 F.3d 845 (7th Cir. 2012) .................................................................................. 14

Monsanto Co. v. Geertson Seed Farms, 561 U.S. 139 (2010) ................................................................................................ 21

Moyer v. Michaels Stores, Inc., 2014 WL 3511500 (N.D. Ill. July 14, 2014) ..................................................... 34, 36

Muir v. Playtex Prods. LLC, 983 F. Supp. 2d 980 (N.D. Ill. 2013) ...................................................................... 33

Navellier v. Sletten, 106 Cal. App. 4th 763 (2003) .................................................................................. 44

Pennell v. City of San Jose, 485 U.S. 1 (1988) .................................................................................................... 21


vi

People ex rel. Madigan v. United Const. of Am., 981 N.E.2d 404 (1st Dist. 2012) ............................................................................. 38

People To End Homelessness, Inc. v. Develco Singles Apartments Assocs., 339 F.3d 1 (1st Cir. 2003) ....................................................................................... 18

Peterson v. Cellco P’ship, 164 Cal.App.4th 1583 (Cal. Ct. App. 2008) ........................................................... 44

Pisciotta v. Old Nat’l Bancorp, 499 F.3d 629 (7th Cir. 2007) ................................................................ 25, 26, 45, 46

Price v. Starbucks Corp., 192 Cal. App. 4th 1136 (2011) .................................................................... 37, 38, 44

Reid L. v. Ill. St. Bd. Of Educ., 358 F.3d 511 (7th Cir. 2004) .................................................................................. 13

Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011) ................................................................................ 25, 30

Spencer v. Kemna, 523 U.S. 1 (1998) .............................................................................................. 13, 14

Steel Co. v. Citizens for a Better Env’t, 523 U.S. 83 (1998) .................................................................................................. 44

Sterk v. Redbox Automated Retail LLC, 770 F.3d 618 (2014) .......................................................................................... 36, 37

Storino v. Borough of Point Pleasant Beach, 322 F.3d 293 (3d Cir. 2003) .................................................................................... 24

Strautins v. Trustwave Holdings, Inc., 2014 WL 960816 (N.D. Ill. Mar. 12, 2014) ............................................................ 30

Stutman v. Chem. Bank, 95 N.Y.2d 24 (2000) ................................................................................................ 44

Summers v. Earth Island Inst., 555 U.S. 488 (2009) ................................................................................................ 15

Susan B. Anthony List v. Driehaus, 134 S. Ct. 2334 (2014) ..................................................................................... passim

United Phosphorus, Ltd. v. Angus Chem. Co., 322 F.3d 942 (7th Cir. 2003) .................................................................................. 14


vii

Vides v. Advocate Health & Hospitals Corp., No. 13-CH-2701 (9th Cir. May 27, 2014) ............................................................... 38

Warth v. Seldin, 422 U.S. 490 (1975) ................................................................................................ 15

Wesley-Jessen Inc. v. Reynolds, 1974 WL 20197 (N.D. Ill. May 23, 1974) ............................................................... 44

Whitaker v. Ameritech Corp., 129 F.3d 952 (7th Cir. 1997) .................................................................................. 16

Whitmore v. Arkansas, 495 U.S. 149 (1990) ................................................................................................ 16

Wilkins v. Williams, 991 N.E. 2d 308 (Ill. 2013) ..................................................................................... 44

Yeftich v. Navistar, Inc., 722 F.3d 911 (7th Cir. 2013) .................................................................................. 43

STATUTES

28 U.S.C. § 1291 ............................................................................................................. 1

Cal. Civ. Code § 1798.82(d) ......................................................................................... 37

Cal. Civ. Code § 1798.84(b) .......................................................................................... 37

815 ILCS 505/1 ............................................................................................................. 38

815 ILCS 530/1 ............................................................................................................. 38

OTHER AUTHORITIES

Fed. R. Civ. P. 12(b)(1) .......................................................................................... passim

Fed. R. Civ. P. 12(b)(6) .......................................................................................... passim

Fed. R. Civ. P. 58 ........................................................................................................... 9

U.S. Constitution, Article III ................................................................................ passim

U.S. Constitution, 21st Amendment ........................................................................... 33


1

JURISDICTIONAL STATEMENT

Plaintiffs’ jurisdictional statement is not complete and correct. Plaintiffs

correctly summarize their alleged grounds for federal subject matter jurisdiction in

the district court, but the district court correctly held that it lacked subject matter

jurisdiction and dismissed the action pursuant to Fed. R. Civ. P. 12(b)(1).

Plaintiffs’ discussion of appellate jurisdiction in this Court is incomplete. Br.

1-2. Plaintiffs’ notice of appeal was filed on September 25, 2014—nine days after

entry of the order dismissing plaintiff’s First Amended Complaint (“FAC”) for lack

of standing, but before the district court entered judgment in a “separate document”

as required by Federal Rule of Civil Procedure 58. Despite the absence of a separate

document entering judgment, this Court has appellate jurisdiction under 28 U.S.C.

§ 1291. See Bankers Trust Co. v. Mallis, 435 U.S. 381 (1978) (per curiam); Kaplan

v. Shure Bros., Inc., 153 F.3d 413, 417 (7th Cir. 1998). First, the district court’s

order dismissing the FAC, from which plaintiffs appealed, “clearly evidenced [that

court’s] intent that the opinion and order … represented the final decision in the

case.” Id.; see also A10. Second, the clerk’s docket indicated that the complaint was

“dismissed” and stated that the case was “terminated.” A2. Finally, Defendant-

Appellee The Neiman Marcus Group LLC (“Neiman Marcus”) did not object below,

and does not object now, to plaintiffs’ taking this appeal in the absence of a separate

judgment. Kaplan, 153 F.3d at 417. In these circumstances, appellate jurisdiction

exists under § 1291 notwithstanding the absence of a separate judgment. Id.


2

STATEMENT OF THE CASE

I. FACTUAL BACKGROUND

A. The Data Incursion

This case stems from an attack on Neiman Marcus’s information technology

system. As the FAC discusses (FAC ¶¶ 30-32, R.27:11-12),1 Neiman Marcus has

described the data incursion in detail in communications to customers, postings to

its website, and other public statements.2 As those documents report, in mid-

December 2013, Neiman Marcus received information that a relatively small

number of cards used at Neiman Marcus subsequently had fraudulent charges

placed on them. (Testimony of Michael Kingston before the Senate Judiciary

Committee, at 2, 4-5, R.36-1:18, 20-21). Neiman Marcus immediately began an

investigation and hired a leading forensic investigative firm, which first found

evidence of potential malware in Neiman Marcus’s system on January 1, 2014. (Id.

at 2-3, R.36-1:18-19). In the next several days, Neiman Marcus took steps to

discover, identify, analyze, and ultimately contain the cyber attack, which included

disabling the malware that appeared capable of collecting or “scraping” information

on payment cards used at certain Neiman Marcus stores. (Id. at 2-5, R.36-1:18-21).

On January 10, the company made several public announcements regarding the

1 References to “R.___:___” refer to the docket number and page number of items filed as part of the district court record. 2 The FAC specifically identifies one of Neiman Marcus’s two website postings (see FAC ¶¶ 32–33, 42, R.27:11–13) and relies on it as the source of certain allegations. The website postings are located at R.36-1:5–15. The testimony of Neiman Marcus’s Chief Information Officer before the U.S. Senate Judiciary Committee on the subject of this cyber attack, which was made public prior to the initial filing of plaintiffs’ complaint, is located at R.36-1:17–24.


3

incursion and gave individual notification to those customers known to Neiman

Marcus who had received fraudulent charges on their cards after the incursion. (Id.

at 3, 7, R.36-1:19, 23).

In postings to its website on January 16, January 22, and February 21,

Neiman Marcus provided a detailed public update regarding its forensic

investigation. (Id. at 7-8, R.36-1:23-24, see also Neiman Marcus Group, To our

Loyal Neiman Marcus Group Customers, R36-1:11-15). Neiman Marcus confirmed

that while some “payment cards” had been exposed to the malware, “social security

numbers and birth dates were not” and “PINs were never at risk because we do not

use PIN pads in our stores.” (See Neiman Marcus Group, To our Loyal Neiman

Marcus Group Customers, R.36-1:5.) Neiman Marcus also identified the period

during which the malware appeared to have been attempting to collect payment

card data—from July 16 to October 30, 2013. (Id.) It stated that 350,000 cards

were potentially exposed to the malware, but did not state or suggest that any of the

350,000 cards were actually compromised. (See id., R.36-1:11).

Neiman Marcus explained that approximately 9,200 payment cards

potentially exposed to the malware were known to have been subsequently used

fraudulently elsewhere. (Id.). Nothing in the company’s statements, however,

indicated that the payment card data from those 9,200 cards had actually been

stolen from Neiman Marcus, or that the fraudulent charges occurred as a result of

the Neiman Marcus data incursion. (Id.) Indeed, several other companies,

including Target, had also suffered data incursions potentially impacting millions of


4

credit cards. (R.36:16 & n.10.) The company explained that, out of an abundance of

caution, it was “notifying ALL customers for whom [it has] addresses or email who

shopped with [the company] between January 2013 and January 2014, and offering

one free year of credit monitoring and identity-theft protection.” (R.36-1:5).

Neiman Marcus also reminded customers that “[t]he policies of the payment card

brands such as Visa, MasterCard, American Express, Discover and the Neiman

Marcus card provide that you have zero liability for any unauthorized charges if you

report them in a timely manner.” (Id.).

On February 4, 2014, Michael Kingston, Senior Vice President and Chief

Information Officer for the Neiman Marcus Group, testified along with

representatives from Target and other groups before the United States Senate

Judiciary Committee, and submitted written testimony that was made public.

(Testimony of Michael Kingston before the Senate Judiciary Committee, R.36-1:17).

In his written testimony he stated that “the customer information that was

potentially exposed to the malware was payment card account information” and

that “there is no indication that social security numbers or other personal

information were exposed in any way.” (Id. at 3, R.36-1:19).

B. Alleged Effects of the Data Incursion on Plaintiffs

Plaintiffs allege that they made purchases at Neiman Marcus while the data

incursion was in effect. Plaintiff Hilary Remijas alleged that she made purchases

using a Neiman Marcus credit card at a Neiman Marcus store in August and

December 2013. (FAC ¶ 3, R.27:3). She did not allege that any fraudulent charges

were made using this card, or that any such charges were unreimbursed. (Id.). Ms.


5

Remijas did not allege that she provided any personally-identifiable information to

Neiman Marcus other than her payment card information. (Id.).

Plaintiff Melissa Frank alleged that she and her husband made purchases at

a Neiman Marcus store and online in December 2013 using a debit card. (FAC ¶ 4,

R.27:3). She further alleged that fraudulent charges appeared on her debit card on

January 9, 2014 (Id.), but did not allege that this charge was unreimbursed. She

alleged that her husband received a letter from Neiman Marcus regarding the

incursion in January 2014. (Id.). On January 13, 2014, she filed a complaint against

Neiman Marcus in the Eastern District of New York, in which she alleged that she

“experienced fraudulent charges on her debit card.” (R.36:24). In the FAC, she

alleged that in mid-March 2014, approximately two months after she filed her

initial complaint, she received a telephone call in which a caller, aware that her

debit card had been canceled, attempted to convince her to provide additional

payment card information. (FAC ¶¶ 5, 51. R. 27:3, 15). She did not allege that she

provided any such information to the caller. (Id.). She did not allege that she or her

husband provided personally-identifiable information other than their payment

card information to Neiman Marcus. (Id.).

Plaintiff Debbie Farnoush alleged that she made a purchase using a payment

card at a Neiman Marcus store in 2013, but did not specify a date. (FAC ¶ 5,

R.27:3). She alleged that fraudulent charges appeared on her credit card but did

not allege that these charges were unreimbursed. (Id.). She did not state whether

or not she received any notice regarding the incursion from Neiman Marcus. (Id.).


6

She did not allege that she provided personally-identifiable information other than

her payment card information to Neiman Marcus. (Id.).

Plaintiff Joanne Kao alleged that she made several purchases at a Neiman

Marcus store on several dates between February and December 2013. (FAC ¶ 6,

R.27:3). She did not allege that she used a payment card to make any of these

purchases. (Id.). She alleged that she received notice from her bank that her debit

card had been compromised, but did not allege that she had used that debit card at

a Neiman Marcus store. (Id.). She alleged that she received a letter from Neiman

Marcus regarding the incursion. (Id.). She did not allege that she provided

personally-identifiable information other than her payment card information to

Neiman Marcus.

II. PROCEDURAL HISTORY

The FAC, which consolidated putative class action claims asserted by

multiple named plaintiffs, was filed on June 2, 2014. (R.27). The FAC asserts six

counts and seeks a variety of injunctive relief and damages, including “actual

damages, compensatory damages, statutory damages, and statutory penalties,” as

well as punitive damages. (FAC Prayer for Relief, R.27:36).

Neiman Marcus moved to dismiss the FAC for lack of standing under Rule

12(b)(1), and for failure to state a claim under Rule 12(b)(6), on July 2, 2014. (R.35).

Neiman Marcus submitted evidence in support of its arguments against standing,

and plaintiffs’ opposition did not purport to contradict any of that evidence, relying

solely on the allegations of the FAC. The district court granted Neiman Marcus’s

motion on September 16, 2014, holding that plaintiffs lacked standing because they


7

failed to establish injury-in-fact. (A3).

The court first explained that plaintiffs had the burden to establish Article

III standing, and were thus required to demonstrate, inter alia, “an ‘injury in fact’

that is concrete and particularized and either actual or imminent.” (Id.). Here,

“[p]laintiffs assert[ed] four principal categories of injury”: (1) “an increased risk of

future fraudulent credit card charges, and an increased risk of identity theft”;

(2) “present injuries, including the loss of time and money associated with resolving

fraudulent charges” and “protecting against the risk of future identity theft”;

(3) “the financial loss they suffered from having purchased products that they

wouldn’t have purchased had they known of Defendant’s misconduct”; and (4) “loss

of control over value of their private information.” (Id.).

Regarding plaintiffs’ alleged future harms, the court noted that “[a]llegations

of future potential harm may suffice to establish Article III standing, but the future

harm must be ‘certainly impending.’” (A3-4 (quoting Clapper v. Amnesty Int’l USA,

133 S. Ct. 1138, 1147 (2013))). The court concluded that the FAC (1) “permits the

inference that [the 9,200 Neiman Marcus customers who experienced fraudulent

charges on their credit cards] did indeed have their data stolen as a result of the

cyber-attack on Defendant,” and (2) permits “a weaker, though in [the court’s] view

still plausible, inference that others among the 350,000 customers are at a ‘certainly

impending’ risk of seeing similar fraudulent charges appear on their credit cards as

a result of the cyber-attack on Defendant.” (A6). But, even if plaintiffs could be

said to satisfy the “imminence” requirement of injury-in-fact, the fraudulent charges


8

on certain plaintiffs’ credit cards still did not support standing because the

purported injury was not sufficiently “concrete”: “Plaintiffs have not alleged that

any of the fraudulent charges were unreimbursed. On these pleadings, I am not

persuaded that unauthorized credit card charges for which none of the plaintiffs are

financially responsible qualify as ‘concrete’ injuries.” (A7).

The court also held that the other potential future harm alleged by

plaintiffs—identity theft—was insufficient to establish standing, because the court

was “not persuaded that the 350,000 customers at issue are at a certainly

impending risk of identity theft.” (Id.). While the court declared itself willing to

“accept the inference … that additional customers are at a ‘certainly impending’

risk of future fraudulent charges on their credit cards,” it concluded that “to assert

on this basis that either set of customers is also at a certainly impending risk of

identity theft is … a leap too far.” (A7-8). Plaintiffs’ argument that injury-in-fact

was established through the risk of future identity theft, therefore, failed to satisfy

the requirement of imminence. (Id.).

The court next turned to plaintiffs’ claim that “the time and money allegedly

spent toward mitigating the risk of future fraudulent charges and identity theft

constitutes injury sufficient to confer standing.” (A8). That argument failed. The

court reiterated that “[t]he ‘fraudulent charge’ injury, absent unreimbursed charges

or other allegations of some attendant hardship, is not in my view sufficiently

concrete to establish standing,” and explained that “the complaint contains no

meaningful allegations as to what precisely the costs incurred to mitigate the risk of


9

future fraudulent charges were.” (Id.). And, because “the complaint does not

adequately allege that the risk of identity theft is sufficiently imminent to confer

standing,” “the ‘time and money spent to mitigate’ claim as to the risk of identity

theft … is not a cognizable Article III injury.” (A8-9).

The court then rejected plaintiffs’ argument that they were injured by paying

a supposed premium for “retail goods purchased at Defendant’s stores, a portion of

which Defendant was required to allocate to adequate data breach security

measures.” (A9). The court noted that this type of harm exists only when the

product purchases “possessed some sort of deficiency”—not when “the deficiency

complained of is extrinsic to the product being purchased.” (Id.). The court cited

the example of a store that allegedly had inadequate in-store security, which led to

a customer being assaulted in the parking lot: “even if no physical injury actually

befell the customer, under Plaintiffs’ theory, the customer still suffered financial

injury because he or she paid a premium for adequate store security, and the store

security was not in fact adequate.” (A9-10). The court deemed this theory of injury,

which was unsupported by precedent, to be “creative, but unpersuasive.” (A9).

Finally, the court rejected “Plaintiffs’ claim to standing based on the loss of

control over and value of their private information. Again, the injury as pled is not

sufficiently concrete.” A10.

For all these reasons, Neiman Marcus’s motion to dismiss for lack of Article

III standing was granted. Id. Having determined that jurisdiction was lacking, the

court did not address Neiman Marcus’s argument that the complaint was equally


10

subject to dismissal for failure to state a claim.

SUMMARY OF ARGUMENT

Plaintiffs allege that they are among the 350,000 customers who purchased

items at Neiman Marcus while Neiman Marcus was subject to an information

security attack, in which certain customers’ payment card data was exposed. But

plaintiffs have not met their burden to establish an injury that is both concrete and

actual or imminent, not to mention an injury that is traceable to Neiman Marcus.

The district court was thus correct to dismiss the FAC for lack of Article III

standing.

Plaintiffs principally argue that they have adequately shown future injuries.

For one, they contend that some of them have experienced fraudulent charges on

their credit and debit cards, and this shows they are at an increased risk of seeing

fraudulent charges on their cards in the future. Even accepting for the moment

that plaintiffs have established that any fraudulent charges occurred as a result of

the Neiman Marcus data incursion (which they have not), plaintiffs cannot show

how any fraudulent charge will injure them. That is because—as plaintiffs do not

dispute—their fraudulent charges are uniformly and fully reimbursed. In other

words, even if plaintiffs are subjected to such charges in the future, they will face

zero out-of-pocket costs. As the district court correctly held, an effect that entails no

loss whatsoever is not a “concrete” injury for purposes of Article III.

Plaintiffs also contend that they have shown future injury by pointing to the

specter of “identity theft.” But plaintiffs have failed to make any factual showing as

to how the data incursion—in which there is no indication that anything more than


11

payment card data was even potentially exposed—will lead to imminent identity

theft, as they are required to do. The only actual fact that plaintiffs point to—i.e.,

that some Neiman Marcus customers saw fraudulent charges on their credit and

debit cards at some point after the data incursion—is at most consistent with the

fact that the incident involved payment card data, and not the more sensitive

personal identifying information that could be used to open an account or for other

forms of identity theft. Indeed, unlike sensitive personal data, such as social

security numbers, payment card data is routinely disclosed—to waiters, websites,

and many others. Yet plaintiffs have not even alleged that they provided personal

identifying information beyond their payment card data to Neiman Marcus—much

less facts showing that their personal information was exposed, stolen, or misused.

Simply put, the fact of fraudulent charges does not bear the weight plaintiffs

place on it. Even if plaintiffs had alleged that their payment card data was actually

obtained by fraudsters through the Neiman Marcus data incursion (which plaintiffs

did not, in fact, allege), that would not support a conclusion that they suddenly face

“certainly impending” identity theft, as the Supreme Court has held is necessary if

standing is to be established solely by reliance on future injuries. See Clapper, 133

S. Ct. at 1147.

Plaintiffs’ arguments of present or “actual” injuries likewise fail. First,

plaintiffs contend that they have spent “time and money” to protect themselves

against identity theft and to ensure that fraudulent charges are resolved. But, as

the Supreme Court has held, plaintiffs cannot manufacture standing by spending


12

money to supposedly prevent potential injuries that do not create standing in their

own right. Id. at 1151. And plaintiffs have alleged no facts regarding the supposed

costs of resolving fraudulent charges.

Second, plaintiffs contend that they were injured by overpaying to purchase

items from Neiman Marcus when they were not aware that Neiman Marcus was

susceptible to a data incursion. This theory—which the district court called

“creative, but unpersuasive,” A9—finds no support in the law, and simply makes no

sense. Plaintiffs cannot contend that the products they purchased were in any way

defective or worth less than the price they paid, which defeats any “overpayment”

theory.

Third, Plaintiffs’ contention that they were injured through the supposed

“loss of control” over their personal data is simply a rehash of their other

arguments, because plaintiffs cannot allege that their personal data had some

monetary value that they were prevented from realizing. Finally, plaintiffs’

argument that they have “statutory standing” under California and Illinois state

laws ignores both that injury-in-fact is a federal constitutional requirement that no

state law could eliminate, and that, in any event, neither California nor Illinois

state law purports to create “statutory standing.”

Additionally, plaintiffs have equally failed to establish standing because they

have alleged no facts to show that any effects on them are traceable to Neiman

Marcus. All plaintiffs can say is that some of them have experienced reimbursed

fraudulent charges, and one received an unsuccessful phishing call. But the only


13

“fact” that suggests these alleged events are traceable to Neiman Marcus is their

timing—i.e., that they occurred after the data incursion. But they also occurred

after large-scale breaches of other retailers’ data, and the FAC is silent as to

whether the plaintiffs gave payment card data to any such retailer. And the

allegations regarding the phishing call to Ms. Frank actually make clear that the

caller had access to data that could not have come from Neiman Marcus.

For all of these reasons, plaintiffs lack Article III standing, and the FAC was

properly dismissed under Rule 12(b)(1). Even if the Court were to disagree,

however, the district court’s judgment can be affirmed on the alternate ground,

equally supported in the record, that plaintiffs have failed to state a claim under

Rule 12(b)(6). Each legal theory that plaintiffs advance in their six counts requires

them to establish compensable injury. The FAC fails to do that. Thus, whether it

be under Rule 12(b)(1) or Rule 12(b)(6), the FAC was properly dismissed.

STANDARD OF REVIEW

This Court “review[s] de novo a district court’s dismissal for lack of subject

matter jurisdiction.” Apex Digital, Inc. v. Sears, Roebuck & Co., 572 F.3d 440, 443

(7th Cir. 2009). When judging a motion to dismiss for lack of standing under Rule

12(b)(1), the Court “must accept as true all material allegations of the complaint . . .

unless standing is challenged as a factual matter.” Reid L. v. Ill. St. Bd. Of Educ.,

358 F.3d 511, 515 (7th Cir. 2004). The plaintiff’s standing may not, however, “be

inferred argumentatively from averments in the pleadings.” Spencer v. Kemna, 523

U.S. 1, 10 (1998) (internal quotation marks omitted). “[I]t is the burden of the party

who seeks the exercise of jurisdiction in his favor, clearly to allege facts


14

demonstrating that he is a proper party to invoke judicial resolution of the dispute.”

Id. at 11 (internal quotation marks omitted).

“Where a party raises the issue of subject matter jurisdiction, a court need

not simply rely on the facts alleged in the complaint, but also may consider extrinsic

evidence to determine whether it can exercise jurisdiction.” Johnson v. Orr, 551

F.3d 564, 567 (7th Cir. 2008). Once a defendant produces evidence calling plaintiff’s

standing into question, “the presumption of correctness that [courts] accord to a

complaint’s allegations falls away, and the plaintiff bears the burden of coming

forward with competent proof that standing exists.” Apex Digital, 572 F.3d at 444

(internal citation and quotation marks omitted); see also United Phosphorus, Ltd. v.

Angus Chem. Co., 322 F.3d 942, 946 (7th Cir. 2003) (where “the contention is that

there is in fact no subject matter jurisdiction, the movant may use affidavits and

other material to support the motion”; “the court is free to weigh th[at] evidence to

determine whether jurisdiction has been established.”), overruled on other grounds

by Minn-Chem, Inc. v. Agrium Inc., 683 F.3d 845 (7th Cir. 2012).

ARGUMENT

I. THE COMPLAINT WAS CORRECTLY DISMISSED UNDER RULE 12(B)(1) BECAUSE PLAINTIFFS LACK ARTICLE III STANDING.

Plaintiffs lack Article III standing to bring their claims in federal court. “As

a jurisdictional requirement, the plaintiff bears the burden of establishing

standing.” Apex Digital, Inc., 572 F.3d at 443. To meet this burden, “a plaintiff

must show (1) it has suffered an ‘injury in fact’ that is (a) concrete and

particularized and (b) actual or imminent, not conjectural or hypothetical; (2) the


15

injury is fairly traceable to the challenged action of the defendant; and (3) it is

likely, as opposed to merely speculative, that the injury will be redressed by a

favorable decision.” Friends of the Earth, Inc. v. Laidlaw Envtl. Servs. (TOC), Inc.,

528 U.S. 167, 180-181 (2000); accord Susan B. Anthony List v. Driehaus, 134 S. Ct.

2334, 2341 (2014); Clapper, 133 S. Ct. at 1147; Lujan v. Defenders of Wildlife, 504

U.S. 555, 560-61 (1992) (describing these elements as “the irreducible constitutional

minimum of standing”).

The requirement that a plaintiff establish injury in fact lies at the heart of

Article III:

In limiting the judicial power to “Cases” and “Controversies,” Article III of the Constitution restricts it to the traditional role of Anglo-American courts, which is to redress or prevent actual or imminently threatened injury to persons caused by private or official violation of law. …

The doctrine of standing is one of several doctrines that reflect this fundamental limitation. It requires federal courts to satisfy themselves that the plaintiff has alleged such a personal stake in the outcome of the controversy as to warrant his invocation of federal-court jurisdiction. … This requirement assures that there is a real need to exercise the power of judicial review in order to protect the interests of the complaining party.

Summers v. Earth Island Inst., 555 U.S. 488, 492-93 (2009) (citations and internal

quotation marks omitted; emphasis in original); see also Warth v. Seldin, 422 U.S.

490, 498-99 (1975) (to establish standing, a plaintiff must show “such a personal

stake in the outcome of the controversy as to warrant his invocation of federal-court

jurisdiction and to justify exercise of the court’s remedial powers on his behalf. The

Art. III judicial power exists only to redress or otherwise to protect against injury to


16

the complaining party”) (citations and internal quotation marks omitted); Susan B.

Anthony List, 134 S. Ct. at 2341 (“the injury-in-fact requirement … helps to ensure

that the plaintiff has a ‘personal stake in the outcome of the controversy’”).

For that reason, the plaintiff cannot establish standing by merely theorizing

about potential injuries. To the contrary, the plaintiff must establish that her

claimed injury is “concrete and particularized.” Lujan, 504 U.S. at 560. If the

plaintiff’s claim of injury is insufficiently concrete, then standing does not lie. See,

e.g., Whitaker v. Ameritech Corp., 129 F.3d 952, 959 (7th Cir. 1997) (“Whitaker

wishes us to eradicate Ameritech’s allegedly unlawful practices; yet, she alleges no

facts to show how these practices have injured her. We cannot address Whitaker’s

grievance with Ameritech as she has received no injury, and therefore has no

standing.”) (citation and internal quotation marks omitted).

The alleged injury must also be “actual or imminent, not conjectural or

hypothetical.” Lujan, 504 U.S. at 560 (citations and internal quotation marks

omitted). This requirement has particular significance where the plaintiff claims

future injury. The Supreme Court has “repeatedly reiterated that ‘threatened

injury must be certainly impending to constitute injury in fact,’ and that

‘[a]llegations of possible future injury’ are not sufficient.” Clapper, 133 S. Ct. at

1147 (quoting Whitmore v. Arkansas, 495 U.S. 149, 158 (1990); citing Lujan, 504

U.S. at 565 n.2; DaimlerChrysler Corp. v. Cuno, 547 U.S. 332, 341 (2006); Laidlaw,

528 U.S. at 190; Babbitt v. Farm Workers, 442 U.S. 289, 298 (1979)) (brackets and

emphases in original). A possible injury does not satisfy Article III even if there is


17

an “objectively reasonable likelihood” that it will occur: an “‘objectively reasonable

likelihood’ standard is inconsistent with [the] requirement that ‘threatened injury

must be certainly impending to constitute injury in fact.” Clapper, 133 S. Ct. at

1147. Any potential injury that is premised on a “speculative chain of possibilities”

does not satisfy Article III. Id. at 1150.

Here, as set forth below, none of the forms of injury that plaintiffs allege

satisfies Article III. For these reasons, plaintiffs have failed to establish the

requisite injury in fact to show jurisdiction.

A. Plaintiffs Have Alleged No Future Injury That Is Both Concrete and Imminent.

1. Plaintiffs’ Allegations of Future Fraudulent Charges Do Not Establish a Concrete Injury.

Courts considering data incursion cases are united in determining that

fraudulent charges that appear on a cardholder’s account do not constitute injury if

the cardholder is reimbursed for those charges. (A7 (“unauthorized credit card

charges for which none of the plaintiffs are financially responsible [do not] qualify

as ‘concrete’ injuries”); In re Barnes & Noble Pin Pad Litig., No. 12-cv-8617, 2013

WL 4759588, at *6 (N.D. Ill. Sept. 3, 2013) (plaintiff claiming only reimbursed

fraudulent charge “has not pled that actual injury resulted and that she suffered

any monetary loss due to the fraudulent charge”); In re Michaels Stores Pin Pad

Litig., 830 F. Supp. 2d 518, 527 (N.D. Ill. 2011) (“Plaintiffs suffered no actual injury

… if Plaintiffs were reimbursed for all unauthorized withdrawals and bank fees

and, thus, suffered no out-of-pocket losses”); Hammond v. The Bank of New York


18

Mellon Corp., No. 08 Civ. 6060(RMB)(RLE), 2010 WL 2653307, at *8 (S.D.N.Y.

2010) (no injury where plaintiffs “were reimbursed for the unauthorized charges”)).

The reasoning in these cases is straightforward. When a fraudulent charge is

assigned to a credit card account, but the cardholder is not required to pay or is

reimbursed for the charge, the cardholder suffers no adverse effect and therefore no

injury. This is particularly clear if one considers how such an “injury” could be

redressed. It couldn’t—because the charge has already been reimbursed. There is

no “injury” capable of redress. See People To End Homelessness, Inc. v. Develco

Singles Apartments Assocs., 339 F.3d 1, 9 (1st Cir. 2003) (no standing where

plaintiff’s “alleged injuries, to the extent they can be redressed, have already been

remedied”). For that reason, the district court was right to conclude that no

reimbursed fraudulent charge—whether it has already occurred or may occur in the

future—can support standing. (A7).

This principle has force in this case because the allegations and evidence here

confirm that no plaintiff has suffered, or has any likelihood of suffering,

unreimbursed fraudulent charges. One plaintiff, Remijas, has not alleged that she

saw any unauthorized charges on any of her accounts, much less that she was held

responsible for any such charges. The three other plaintiffs allege that they

experienced unauthorized charges, but none alleges that such charges were

unreimbursed. (See A7 (“as common experience might lead one to expect, Plaintiffs

have not alleged that any of the fraudulent charges were unreimbursed”)).

Moreover, plaintiffs do not and cannot dispute that credit card issuers uniformly


19

have zero-liability policies for fraudulent charges. See, e.g., Chase Debit Cards

Website, https://www.chase.com/checking/debit-cards (“Chase reimburses you for

any unauthorized card transaction made at stores, ATMs, on the phone or online

when reported promptly.”). Thus, even if plaintiffs’ allegations permitted an

inference that plaintiffs will be subject to fraudulent charges in the future, plaintiffs

have offered no allegation or evidence to support the notion that any such charge

would go unreimbursed.

Plaintiffs offer no meaningful argument to the contrary. They contend that

“the District Court did not cite any authority for its requirement that plaintiffs in

such cases allege unreimbursed fraudulent charges in order to have standing.” Br.

16. That is false. (See A7 (citing cases for the proposition that reimbursed

fraudulent charges are not “‘concrete’ injuries”)). To the contrary, it is plaintiffs

who cite no authority for the proposition that reimbursed fraudulent charges do

constitute concrete injuries.

Plaintiffs also contend that the district court’s “requirement” that charges be

unreimbursed to constitute injury “flies in the fact of established precedent” that

plaintiffs should not be “‘require[d] … to wait until they actually suffer identity

theft or [unreimbursed] credit card fraud in order to have standing.’” Br. 16

(brackets in original) (quoting In re Adobe Sys., Inc. Privacy Litig., No. 13–CV–

05226–LHK, 2014 WL 4379916, at *8 (N.D. Cal. Sept. 4, 2014)). Here, however,

plaintiffs conflate two issues: concreteness and imminence. The district court

accepted plaintiffs’ argument that “the potential future fraudulent charges are


20

sufficiently ‘imminent’ for purposes of standing.” (A7). It held that standing was

nonetheless not established because the only possible inference from the evidence

and allegations was that those fraudulent charges would be reimbursed consistent

with credit card issuers’ uniform policies, such that no “‘concrete’ injuries” would

result. (Id.).

Plaintiffs cite no allegation or evidence to the contrary here. Nor could they.

Indeed, at least two of the plaintiffs have already eliminated any prospect of future

charges by canceling the allegedly compromised payment cards (FAC ¶¶ 51, 54

R.27:15), and the others could just as easily do the same.

2. Plaintiffs’ Allegations of Future Identity Theft Do Not Establish an Imminent Injury.

Plaintiffs again fail to confront both the district court’s reasoning and binding

law in arguing that they established standing by alleging future identity theft.

While the district court was willing to entertain an inference Neiman Marcus

customers faced an imminent risk of fraudulent charges on their payment cards, it

held that inferring from that fact that plaintiffs would suffer identity theft was a

“leap too far.” (A8). Nothing in plaintiffs’ brief is to the contrary.

a) The District Court Correctly Applied Clapper.

Plaintiffs’ principal argument is that the district court imposed too stringent

of an imminence requirement because it supposedly “misinterpreted Clapper.” Br.

10-13. In Clapper, the Supreme Court explained:

“Although imminence is concededly a somewhat elastic concept, it cannot be stretched beyond its purpose, which is to ensure that the alleged injury is not too speculative for Article III purposes—that the injury is certainly


21

impending.” [Lujan, 504 U.S.] at 565 n. 2 (internal quotation marks omitted). Thus, we have repeatedly reiterated that “threatened injury must be certainly impending to constitute injury in fact,” and that “[a]llegations of possible future injury” are not sufficient.

133 S. Ct. at 1147 (emphases in original). The district court followed Clapper here,

holding that plaintiffs were required to show “certainly impending” identity theft—

a showing they could not make. See A7-8.

Plaintiffs argue that the court should instead have asked whether there is a

“substantial risk” of identity theft. Br. 10-11. Plaintiffs cite Susan B. Anthony List

and footnote 5 of Clapper—which acknowledged that “[i]n some instances, [the

Supreme Court has] found standing based on a ‘substantial risk’ that the harm will

occur.” Clapper, 133 S. Ct. at 1150 n.5; see also Susan B. Anthony List, 134 S. Ct. at

2341 (citing footnote 5 of Clapper). Plaintiffs argue that the district court erred

when it applied Clapper’s “clearly impending” standard because it supposedly

“ignored footnote 5 of the Clapper decision” and Susan B. Anthony List. Br. 10.

Plaintiffs’ argument goes nowhere. Susan B. Anthony List and several other

cases3 that use the “substantial risk” formulation have addressed when standing

exists to bring a pre-enforcement challenge to a law. See Susan B. Anthony List, 3 In Monsanto Co. v. Geertson Seed Farms, 561 U.S. 139 (2010), the Court examined whether farmers of conventional and organic alfalfa had standing to challenge an agency action that had created a “substantial risk” that the genes of genetically modified alfalfa would infiltrate their plants. As the Court explained, the “substantial risk of gene flow” caused present, not future, injury to the farmers because, inter alia, it rendered them unable to market their product as non-genetically-engineered without testing confirming that fact. Thus, the Court did not have to assess whether gene flow was certainly impending or not: the plaintiffs would suffer the harm complained of “even if their crops are not actually infected with the Roundup ready gene.” Id. at 154-55.


22

134 S. Ct. at 1334; Pennell v. City of San Jose, 485 U.S. 1, 8 (1988); Babbitt, 442

U.S. at 298. As the Supreme Court has repeatedly recognized, that specific question

has given rise over decades of case law to particularized standards. See Susan B.

Anthony List, 134 S. Ct. at 1334 (addressing the “recurring issue in our cases [of]

determining when the threatened enforcement of a law creates an Article III

injury”); MedImmune, Inc. v. Genentech, Inc., 549 U.S. 118, 128-29 (2007) (“Our

analysis must begin with the recognition that, where threatened action by

government is concerned, we do not require a plaintiff to expose himself to liability

before bringing suit to challenge the basis for the threat—for example, the

constitutionality of a law threatened to be enforced.”). Neither footnote 5 of Clapper

nor Susan B. Anthony List purports to do away with the requirement that, outside

the context of pre-enforcement challenges to laws, future harms must be “certainly

impending.” Indeed, the “certainly impending” standard existed long before

Clapper. See, e.g., Whitmore, 495 U.S. at 158 (stating, in 1990, that “[a]llegations

of possible future injury do not satisfy the requirements of Art. III. A threatened

injury must be certainly impending to constitute injury in fact”) (citation and

internal quotation marks omitted). It is plaintiffs’ reading of Clapper—not the

district court’s—that ignores the text of that opinion, which holds without

circumspection that future harms must be “certainly impending,” not merely

“possible,” to satisfy Article III. 133 S. Ct. at 1147.

Here, plaintiffs cannot point to any facts establishing that they face

“certainly impending” identity theft. The FAC alleges only the following facts


23

regarding the data incursion: (1) Neiman Marcus collects and retains certain forms

of personally identifying information, depending on how customers access its retail

outlets (FAC ¶ 13, R.27:5-6), (2) 350,000 credit and debit cards were affected by the

data breach (FAC ¶ 41, R.27:13), (3) 9,200 of those cards subsequently had

fraudulent charges (FAC ¶ 42, R.27:13), and (4) “On information and belief,

Plaintiffs’ identifying and/or financial information was disclosed in the Data

Breach” (FAC ¶ 43, R.27:13). It alleges no further facts regarding plaintiffs’

personal identifying information.

Significantly, the FAC makes no allegation—and plaintiffs have come

forward with no evidence—to contradict the sworn testimony of Mr. Kingston that

“the customer information that was potentially exposed to the malware was

payment card account information” and that “there is no indication that social

security numbers or other personal information were exposed in any way.”

(Testimony of Michael Kingston before the Senate Judiciary Committee at 3, R.36-

1:19 (emphasis added)). Consistent with Mr. Kingston’s testimony, the FAC does

not allege that any plaintiff’s personal identifying information (other than payment

card information) has been misused in any way since the data breach. Indeed,

while the FAC alleges that plaintiffs used credit cards or debit cards to make

purchases at Neiman Marcus, it does not allege that plaintiffs provided to Neiman

Marcus any personal identifying information beyond that contained in their

payment cards. Simply put, plaintiffs can cite no facts to show that identity theft is

anything more than “possible.” That is fatal to plaintiffs’ claims—whether the


24

“certainly impending” or their preferred “substantial risk” standard is applied.

Nothing in plaintiffs’ brief is to the contrary. As in the district court,

plaintiffs purport to find support for their claim of future identity theft in the fact

that, after the data incursion, 9,200 customers of Neiman Marcus experienced

fraudulent charges on their credit cards. Br. 13-14. But as the district court

correctly found, that some customers’ payment card information may have been

misused does not mean that plaintiffs face imminent identity theft. In the words of

the district court, “to assert on this basis that … customers [are] also at a certainly

impending risk of identity theft is, in my view, a leap too far.” A8.4

Indeed, plaintiffs’ argument that a small number of fraudulent but fully

reimbursed payment-card charges will imminently lead to identity theft lacks

logical support and falls squarely within the class of claims that Clapper rejected as

incapable of supporting standing. See 133 S. Ct. at 1148 (discussing speculative

chain of inferences plaintiffs invoked in attempting to demonstrate injury). The

Third Circuit explained precisely this point:

As we stated in [Storino v. Borough of Point Pleasant Beach, 322 F.3d 293, 297-98 (3d Cir. 2003)], “one cannot describe how the [plaintiffs] will be injured without

4 Plaintiffs also point to a phishing call received by one plaintiff, Ms. Frank. Br. 14. As explained below, the alleged phishing incident occurred only after Ms. Frank publicly filed a complaint in federal court alleging that her debit card had been exposed, and that she had “experienced fraudulent charges on her debit card.” Infra, pp. 41-42. In fact, the allegations about the phishing call make clear that it is not traceable to the Neiman Marcus data incursion. Id. And, in any event, as the district court explained, an allegation that one plaintiff received a phishing call, “which, if she had disclosed private information, might have led to future identity theft,” is “sufficient neither to establish a ‘certainly impending’ risk of identity theft, nor to qualify as a ‘concrete’ injury for purposes of standing.” A8 n.1.


25

beginning the explanation with the word ‘if.’ The prospective damages, described by the [plaintiffs] as certain, are, in reality, conjectural. Similarly, we cannot now describe how Appellants will be injured in this case without beginning our explanation with the word “if”: if the hacker read, copied, and understood the hacked information, and if the hacker attempts to use the information, and if he does so successfully, only then will Appellants have suffered an injury.

Reilly v. Ceridian Corp., 664 F.3d 38, 43 (3d Cir. 2011) (citation omitted; second and

third brackets and emphases in original); accord id. at 44 (“Appellants’ string of

hypothetical injuries do not meet the requirement of an ‘actual or imminent’

injury.”).

b) Pisciotta Does Not Support Standing Here.

Plaintiffs also argue that this Court’s decision in Pisciotta supports their

standing argument. Br. 7-8, 14-15, citing Pisciotta v. Old Nat. Bancorp, 499 F.3d

629 (7th Cir. 2007). In that case, the Court considered claims based on theft of

information that included “name, address, social security number, driver’s license

number, date of birth, mother’s maiden name and credit card or other financial

account numbers,” id. at 631—that is, highly sensitive personal identifying

information well beyond the payment card information stolen from Neiman Marcus.

The Court then sua sponte assessed plaintiffs’ standing in light of these facts, and

determined that the plaintiffs’ allegations of loss of such sensitive personal data

were sufficient to create standing, id. at 633—though these allegations of purported

injury were insufficient to avod judgment on the pleadings, id. at 639 (“Without

more than allegations of increased risk of future identity theft, the plaintiffs have

not suffered a harm that the law is prepared to remedy.”).


26

Pisciotta does not support standing for plaintiffs here. As the district court

explained, Pisciotta cannot be read to hold that “any marginal increase in the risk of

future injury is sufficient to confer Article III standing.” A5 (emphasis in original).

“Though it does not expressly say so, Pisciotta was constrained by the ‘certainly

impending’ standard,” which was governing law at that time, and which has been

recently reiterated in Clapper and Susan B. Anthony List. Id. Pisciotta is thus

properly read to be consistent with that standard—not to expand Article III

standing to encompass mere “allegations of possible future injury.” Clapper, 133 S.

Ct. at 1147 (citation, brackets, and internal quotation marks omitted; emphasis in

original).

The result in Pisciotta is thus explained not by a different standard for data

incursion cases, but by the allegations there—allegations that are markedly

different from plaintiffs’ here. The information at issue in Pisciotta included highly

sensitive personal data such as social security numbers and birth dates. And, as

the district court explained, that highly sensitive data was “actually stolen (at the

very least, the Court’s analysis assumed as much). At issue with respect to the

plaintiffs’ injury, then, was whether and how likely the stolen data would actually

be misused.” (A5). By contrast here, there is no indication that personal

information beyond payment card data was exposed—much less “actually stolen.”

In the words of the district court, “this is a principled distinction that could justify

holding that Pisciotta satisfied the ‘certainly impending’ standard,” while plaintiffs’

allegations do not. (A6). In any event, to the extent that Pisciotta can be read to


27

support standing when plaintiffs fail to allege “clearly impending” harm—as

plaintiffs here have failed to do—it is inconsistent with Clapper and other

controlling cases.

c) The District Court Correctly Held That Plaintiffs Had Not Alleged That Any Identity Theft Was Certainly Impending.

Plaintiffs further argue that the district court erred because it supposedly

“dismissed all named Plaintiffs’ claims—even claims of those Plaintiffs who have

been told their information was compromised in the data breach and who have

suffered fraudulent charges and/or phishing as a result—because other unidentified

‘customers’ who are not members of the class may not have been affected by the

Data Breach.” Br. 14. They argue that their claims should not have been dismissed

because they “have been told their information was compromised in the data

breach” and that they “actually received notices from Neiman Marcus confirming”

that their data was actually stolen. Br. 13-14. This argument both errs in its

recitation of the facts and misreads the district court opinion.

First, as a factual matter, plaintiffs are wrong to state that Neiman Marcus

informed any plaintiff that her personal information was “actually stolen.” As

described above, Neiman Marcus gave notice of the security incident to every

customer who shopped at Neiman Marcus in 2013, in a store or online, for whom

Neiman Marcus had contact information, whether or not that customer’s

information was even potentially at risk, and these notices did not state that the

recipients’ personal information—including plaintiffs’ payment card data—was

actually compromised. (R.36-1:19). The only connection plaintiffs have alleged


28

between the fraudulent charges on their cards and the Neiman Marcus data

incursion is timing—i.e., the fraudulent charges occurred after the data incursion.5

Even so, however, the district court read plaintiffs’ FAC liberally to “permit

the inference that these 9,200 customers did indeed have their data stolen as a

result of the cyber-attack on Defendant.” (A6-7).6 The court nonetheless dismissed

the claims because, even accepting an inference that plaintiffs’ payment card data

was stolen, the FAC failed to establish any certainly impending identity theft—

because plaintiffs failed to allege how payment card data would or even could be

used to support identity theft. (A3-8). Thus, the court did not, as plaintiffs contend,

dismiss the claims “because other unidentified ‘customers’ who are not members of

the class may not have been affected by the Data Breach,” Br. 14, but because

plaintiffs have failed to allege certainly impending future harm of identity theft.

Because plaintiffs have entirely failed to establish that any injury from

identity theft is imminent, their case is distinguishable from the cases on which

they rely. In Adobe, the plaintiffs’ personal information—including “names,

usernames, passwords, email addresses, phone numbers, mailing addresses, and 5 Plaintiffs contend that they “allege at multiple points in the FAC that their information actually was stolen in the Data Breach.” Br. 13-14 (citing FAC ¶¶ 4, 6, R.27:3-4). Their characterization of the FAC is incorrect. The cited paragraphs simply state that plaintiffs used payment cards to shop at Neiman Marcus, subsequently experienced fraudulent charges or other indications that their payment card data had been compromised, and received a notice from Neiman Marcus about the data incursion.

6 As explained further in Part I.C, infra, Neiman Marcus disputes that inference. While the fraudulent charges occurred after the Neiman Marcus data incursion, they also occurred after attacks on the data security of other major retailers affecting millions of cardholders.


29

credit card numbers and expiration dates” had been actually stolen. 2014 WL

4379916, at *8. Additionally, the data stolen from Adobe had already been further

disclosed on the internet, and had already been misused to attack Adobe itself. Id.

It was in these circumstances—where plaintiffs’ personal data was actually stolen,

and some data stolen from Adobe had actually been misused—that the court

concluded that plaintiffs’ faced a “certainly impending” threat of harm. Id. Here,

by contrast, the only data that was exposed was payment card data, not broader

personal information, and there is no evidence or allegation that any plaintiff’s data

was actually stolen or misused.

Similarly, in Krottner v. Starbucks Corp., a physical laptop containing

plaintiffs’ unencrypted data, including names, addresses and social security

numbers, was actually stolen. 628 F.3d 1139, 1140 (9th Cir. 2010). In other words,

the plaintiffs alleged that their most sensitive personal data had been removed from

the defendant’s control, and was freely available to the thief. Again, the record here

shows no comparable violation—but establishes only that payment card data was

exposed. There is no indication that social security numbers or other highly

sensitive information was exposed, much less actually stolen.7

In cases similar to this one, where the plaintiff alleges no particularized facts

to show “certainly impending” identity theft, courts routinely dismiss the claim for 7 While Krottner is factually distinguishable from this case, it is also notable that the Ninth Circuit opined that “the possibility of future injury may be sufficient to confer standing on plaintiffs” in some circumstances. 628 F.3d at 1142. Clapper, of course, says the opposite. See 133 S. Ct. at 1147 (“[a]llegations of possible future injury are not sufficient”) (citation and internal quotation marks omitted; emphasis and brackets in original).


30

lack of standing. See, e.g., Barnes & Noble, 2013 WL 4759588, at *5 (unsupported

“claim of actual injury in the form of increased risk of identity theft is insufficient to

establish standing” because “speculation of future harm does not constitute actual

injury”); Strautins v. Trustwave Holdings, Inc., No. 12 C 09115, 2014 WL 960816, at

*4 (N.D. Ill. Mar. 12, 2014) (plaintiff who failed to “allege[] facts that would

plausibly establish an ‘imminent’ or ‘certainly impending’ risk that she will be

victimized” by identity theft or fraud likewise lacked standing).8 The district court

correctly held that the same result obtains here.

B. Plaintiffs Have Alleged No Cognizable Present Injury.

Plaintiffs also contend that the data incursion “has already resulted in real

and palpable harm to members of the Class.” Br. 15. None of the purported

“harms” plaintiffs allege, however, qualifies as “actual” injury-in-fact sufficient to

establish standing.

8 See also Galaria v. Nationwide Mut. Ins. Co., 998 F. Supp. 2d 646, 2014 WL 689703, at *5 (S.D. Ohio Feb. 10, 2014) (“an increased risk of identity theft, identity fraud, medical fraud or phishing is not itself an injury-in-fact because Named Plaintiffs did not allege—or offer facts to make plausible—an allegation that such harm is ‘certainly impending.’”); Hammond, 2010 WL 2643307, at *7 (no standing where unencrypted data lost by transport company); see also Reilly, 664 F.3d at 43 (no standing based on future injury where hacker allegedly stole data); Amburgy v. Express Scripts, Inc., 671 F. Supp. 2d 1046, 1052–53 (E.D. Mo. 2009) (alleged increased risk for identity theft due to hacker accessing information insufficient to show injury); Allison v. Aetna, Inc., Civ. A. No. 09-2560, 2010 WL 3719243, at *5 (E.D. Pa. Mar. 9, 2010) (“alleged injury of an increased risk of identity theft is far too speculative” to provide standing).


31

1. Reimbursed Fraudulent Charges Do Not Constitute Present Injury.

As explained above, plaintiffs’ claims that they would suffer fully reimbursed

fraudulent charges on their credit cards in the future do not establish concrete

injury sufficient to create standing. For the same reason, their claim of present

injury from fully reimbursed fraudulent charges that have already occurred equally

fails. Plaintiffs now contend that, even if the reimbursed charges do not constitute

injury-in-fact, they “allege that the loss of time and money spent to resolve

fraudulent charges, to obtain replacement cards, and to monitor their accounts for

additional fraud constitutes actual injury.” Br. 17. However, as the district court

explained, “the complaint contains no meaningful allegations as to what precisely

the costs incurred to mitigate the risk of future fraudulent charges were. … If the

complaint is to credibly claim standing on this score, it must allege something that

goes beyond such de minimis injury.” (A8).

Plaintiffs also contend that they have established injury-in-fact by alleging

that they spent money for credit monitoring to prevent identity theft. Br. 17-18.

But, as the district court explained, this is an attempt at impermissible

bootstrapping: “[T]he complaint does not adequately allege that the risk of identity

theft is sufficiently imminent to confer standing. So long as that is the case, the

‘time and money spent to mitigate’ claim as to the risk of identity theft … is not a

cognizable Article III injury.” (A9). Indeed, the Supreme Court made much the

same point in Clapper: “[R]espondents cannot manufacture standing merely by

inflicting harm on themselves based on their fears of hypothetical future harm that


32

is not certainly impending.” 133 S. Ct. at 1151. Because plaintiffs have not

satisfied Article III by alleging any certainly impending identity theft, they cannot

“manufacture standing” by paying to avoid the speculative risk of identity theft.

2. Plaintiffs’ “Overpayment” Theory Finds No Support in the Law.

Plaintiffs allege that they suffered injury-in-fact by overpaying for the goods

that they allegedly purchased from Neiman Marcus. (See FAC ¶ 15, R.27:6-7; Br.

18-22.) Plaintiffs cannot allege that the products they purchased from Neiman

Marcus were defective, that the value of the products they purchased was

diminished in any way as a result of the data incursion, or that Neiman Marcus

charged more to customers paying by card than by cash. Their theory therefore

fails.

As the district court explained, the theory of injury by overpayment makes

sense only if the product that was purchased “possessed some sort of deficiency.”

A9. “[A] vital limiting principle to this theory of injury is that the value-reducing

deficiency is always intrinsic to the product at issue.” Id. The logic breaks down,

however, if the allegation is that the condition of the store—as distinct from the

product—is deficient. In such circumstances, whatever harm the plaintiff may

allege from the retailer’s purported misconduct is not related to the price that the

plaintiff has paid for the product, and does not support a claim of overpayment.

It is therefore unsurprising that the authorities plaintiffs rely on all adhere

to this “vital limiting principle,” and concern overpayment where the alleged defect

was intrinsic to the product. In In re Aqua Dots Prods. Liab. Litig., plaintiffs


33

alleged that they were injured by purchasing defective beads that could cause

severe injury and death to children if ingested. 654 F.3d 748, 749-50 (7th Cir.

2011). The court found that plaintiffs suffered financial injury because their

payments for the toys were made on the understanding that the toys were safe, and

without knowledge that the toys were defective. Id. at 751. Similarly, in Chicago

Faucet Shoppe, Inc. v. Nestle Waters N. Am. Inc., the plaintiff had suffered an injury

by overpayment where defendant had represented that the water it sold to plaintiff

was “natural spring water” that was in reality municipal tap water. 12 C 08119,

2014 WL 541644, at *3 (N.D. Ill. Feb. 11, 2014). And in Muir v. Playtex Prods. LLC,

plaintiff alleged that he was injured by paying for an indisputably key feature of a

diaper disposal product (“Proven #1 in Odor Control”) when tests revealed that

other products controlled odors better. 983 F. Supp. 2d 980, 986 (N.D. Ill. 2013).9

In stark contrast to these cases, plaintiffs here do not allege that the products they

purchased are defective or different than advertised.

9 The other cases cited by plaintiffs likewise involve alleged overpayment where the deficiency was intrinsic to the product. See Maya v. Centex Corp., 658 F.3d 1060, 1069 (9th Cir. 2011) (finding injury where houses purchased by plaintiffs had less value because developer misrepresented character of neighborhood); Lipton v. Chattem, Inc., No. 11 C 2952, 2012 WL 1192083, at *3–4 (N.D. Ill. Apr. 10, 2012) (finding injury where plaintiff unknowingly bought product containing hexavalent chromium, which can cause adverse health effects); Askin v. Quaker Oats Co., 818 F.Supp.2d 1081, 1084 (N.D. Ill. 2011) (finding that plaintiff paid more for products labeled as “wholesome” and “heart healthy” than he would have had he known that the products contained trans fats.). And Bridenbaugh v. Freeman-Wilson is a dormant commerce clause challenge to a state excise tax on liquor justified by the 21st Amendment—not a case involving the “payment of a premium price for a certain wine,” as the plaintiffs claim (Plaintiffs’ Br. at 19–20)—and is thus clearly inapposite. 227 F.3d 848, 849–50 (7th Cir. 2000).


34

Notably, plaintiffs’ exact overpayment theory has been rejected by two recent

decisions in the Northern District of Illinois, in addition to the district court in this

matter. In Barnes & Noble, Judge Darrah found that plaintiffs’ allegation that

“they overpaid for the products and services purchased from Barnes & Noble,

because they were paying for the security measures Barnes & Noble was supposed

to employ to protect credit and debit transactions” was insufficient to grant

standing because plaintiffs “have not pled that Barnes & Noble charged a higher

price for goods whether a customer pays with credit, and therefore, that additional

value is expected in the use of a credit card.” 2013 WL 4759588, at *5. Similarly, in

Moyer v. Michaels Stores, Inc., Judge Bucklo dismissed plaintiffs’ case after finding

that their allegation that they “overpaid for goods that Michaels supposedly priced

to reflect the added cost of protecting credit and debit card information” was

insufficient “to support an inference that Michaels charged customers a premium

for data security protection.” No. 14 C 561, 2014 WL 3511500, at *7 (N.D. Ill. July

14, 2014). As in Barnes & Noble and Moyer, plaintiffs’ allegations here are

insufficient to establish that plaintiffs overpaid for products they purchased.

3. Allegations of loss of control and value of payment card data are insufficient to show injury.

Plaintiffs also allege that they suffered “loss of control over, and loss of value

of, their private information.” Br. 22. This is no more than a recapitulation of

plaintiffs’ arguments regarding future harms and is likewise insufficient to confer

standing. The only situation in which such “loss of control” would constitute an

independent injury is if that loss of control prevented plaintiffs from realizing some


35

gain from their personal information that they would otherwise receive. See Barnes

& Noble, 2013 WL 4759588, at *5 (“Actual injury of this sort is not established

unless a plaintiff has the ability to sell his own information and a defendant sold

the information.”). The Barnes & Noble court explained that where plaintiffs “do

not allege their personal information was sold, nor do they allege the information

could be sold by Plaintiffs for value . . . there is no actual injury and therefore, no

standing based on deprivation of the value of the Plaintiffs’ PII.” Id.

Here, plaintiffs do not even allege that Neiman Marcus sold their personal

information. Nor do plaintiffs allege that they could have sold their own payment

card information for value. Thus, they have failed to show that they have been

deprived of any value whatsoever as a result of the cyber-security intrusion at

Neiman Marcus.10

Of course, some information could be so intensely private, such as sexual

preferences or medical information, that its exposure in itself harmful, as the tort of

public disclosure of private facts has long recognized. In contrast to such sensitive

personal data, payment card information—handed out to waiters and websites the

world over—hardly qualifies as such intensely private information whose release

would be generally harmful. Indeed, payment card information is not inherently

10 In re Facebook Privacy Litig., which plaintiffs cite, is not to the contrary. 12-15619, 2014 WL 1815489 (9th Cir. May 8, 2014). In that case, as a review of the district court opinion makes clear, plaintiffs alleged that defendant wrongfully divulged to advertisers their identities and the names of websites that they visited. 791 F. Supp. 2d 705, 711–12 (N.D. Cal. 2011). Because plaintiffs here do not, and cannot, allege that they could have sold their payment card information for value, In re Facebook Privacy Litig. is not applicable.


36

connected to individuals in any long-term sense, and payment cards can be

cancelled and re-issued in ways that truly personal, private information cannot.

4. Plaintiffs’ allegations that Neiman Marcus violated the California and Illinois data breach laws are insufficient to grant standing.

Plaintiffs argue that, regardless of injury in fact, they have “statutory

standing” to bring claims under the California Customer Records Act and the

Illinois Personal Information Protection Act. Br. 23-25. This argument is doubly

wrong.

First, the injury-in-fact requirement is part of the “irreducible constitutional

minimum” necessary for a federal court to exercise jurisdiction under Article III.

Lujan, 504 U.S. at 560. Even if a state law purported to confer standing on a

plaintiff seeking relief from a federal court, the conferral would be ineffective: no

state law can override Article III’s limitation on federal judicial power.11

Second, and in any event, state statutes that plaintiffs point to do not purport

to confer standing in the absence of injury, but instead require plaintiffs to

demonstrate injury in order to have standing to sue. In California, Cal. Civ. Code

§ 1798.84(b), which plaintiffs claim grants them standing, “does not allow a cause of

action based solely upon a failure to comply with the statute. Rather, the law 11 The Court’s decision in Sterk v. Redbox Automated Retail LLC, 770 F.3d 618 (2014), is not to the contrary. The Court there explained that while federal law may define what constitutes injury, it “may not lower the threshold for standing below the minimum requirements imposed by the Constitution.” Id. at 623. The federal statute at issue in Sterk defined a legally protected interest, the “technical violation” of which constituted an injury under Article III. Id. The state statutes asserted by plaintiffs, however, do not provide that “technical violation” constitutes injury.


37

expressly requires an injury resulting from a violation.” Boorstein v. CBS

Interactive, Inc., 222 Cal. App. 4th 456, 467 (2013). This is true regardless of the

remedies sought. Id. at 466-67.

Plaintiffs allege that they were injured by Neiman Marcus’s alleged

violations of three provisions of the Customer Records Act, but they explain only

one—Neiman Marcus’s alleged failure to include some of the information required

by Cal. Civ. Code § 1798.82(d) in the notification letters they received. Br. 24.

Plaintiffs do not claim that this alleged violation led them to suffer an actual injury,

economic or otherwise, but simply that the lack of information itself constitutes an

injury because they were “deprived of disclosures they [were] statutorily entitled to

receive.” Br. 24. However, the California courts squarely foreclose such a claim: an

allegation of “‘deprivation of . . . information,’ standing alone, is not a cognizable

injury.” Price v. Starbucks Corp., 192 Cal. App. 4th 1136, 1143 (2011); see Boorstein

222 Cal. App. 4th at 472, (2013) (noting lack of any California cases recognizing

“informational injury” as a cognizable injury). Instead, plaintiffs must also allege

that they suffered “an injury arising from the missing information.”12 Price, 192

Cal. App. 4th at 1143.

12 In both of the cases cited by Plaintiffs that actually found standing due to informational injury, plaintiffs alleged they suffered some harm as a result of the deprivation of information. See Federal Election Com’n v. Akins, 524 U.S. 11, 19, 21 (1998) (Congress had specifically created cause of action to challenge campaign disclosures and plaintiffs claimed “the information would help them . . . evaluate candidates for public office); Havens Realty Corp. v. Coleman 455 U.S. 363, 372-73 (1982) (plaintiffs sought the information in order to collect evidence of “unlawful steering practices” by landlords).


38

Similarly, plaintiffs argue that appellant Remijas has standing to bring

claims under the Illinois Personal Information Protection Act, 815 ILCS 530/1 et

seq. (“PIPA”). PIPA does not create a private right of action, but a consumer

alleging a violation of PIPA may sue under the Illinois Consumer Fraud and

Deceptive Business Practices Act, 815 ILCS 505/1 et seq. (“Consumer Fraud Act”).

Illinois courts are clear that “[p]rivate individuals have standing to litigate a

violation [of the Consumer Fraud Act] only if they have actual damages.” People ex

rel. Madigan v. United Const. of Am., 981 N.E.2d 404, 411 (1st Dist. 2012); see also

Mem. Op. & Order, Vides v. Advocate Health & Hospitals Corp., No. 13-CH-2701, at

17-18 (9th Cir. May 27, 2014) (holding that a violation of PIPA, by itself, is

insufficient to grant standing). Plaintiffs’ argument that an violation of PIPA is

enough to grant standing flies in the face of black-letter Illinois law, and should be

rejected.

C. No Alleged Injury Can Be Fairly Traced to Action by Neiman Marcus.

Even if the injuries allegedly suffered by plaintiffs were sufficient to establish

injury in fact, which they are not, plaintiffs cannot show that the alleged injuries

are fairly traceable to action by Neiman Marcus. See, e.g., Clapper, 133 S. Ct. at

1147. Importantly, plaintiffs have not pled that their alleged injuries were directly

or indirectly caused by actions taken by Neiman Marcus. In fact, two of the four

plaintiffs, Ms. Frank and Ms. Farnoush, fail to allege a purchase during a time

when the malware was active on Neiman Marcus systems, and therefore fail even to

allege a mechanism by which any action by Neiman Marcus could have caused


39

injury to them. (Compare FAC ¶¶ 4-5, R.27:3, with R.36-1:19). A third plaintiff,

Ms. Remijas, does not allege that any unauthorized charges ever appeared on the

account linked to the card she used at Neiman Marcus.

Nor does the FAC allege any facts that would establish that any injury

experienced by any plaintiff was the result of the cyber attack at Neiman Marcus,

as opposed to some other mechanism by which plaintiffs’ payment card information

may have been compromised. Plaintiffs’ payment card information could have been

compromised in a variety of ways that have nothing to do with Neiman Marcus—for

example, plaintiffs could have submitted the information on a website that is not

secure, the information could have been memorized and misused by an

unscrupulous store clerk or waiter at a different establishment, or plaintiffs may

have discarded a document with their payment card information printed thereon

without shredding it first.

In addition to these mechanisms by which payment card information can be

compromised at any time, there were several major data security incidents, entirely

unrelated to Neiman Marcus, announced around the end of 2013 and beginning of

2014 that could well have been the mechanism by which plaintiffs’ payment card

information was compromised, if in fact it was compromised. As Neiman Marcus

showed in its Memorandum in support of dismissal, Target, a major retailer,

announced that it had suffered the largest of these breaches on December 19, 2013,

stating that approximately forty million credit and debit card numbers may have

been impacted by its breach. (R.36:16 & n.10 (quoting Press Release, Target


40

Corporation, Target Confirms Unauthorized Access to Payment Card Data in U.S.

Stores (Dec. 19, 2013), available at http://pressroom.target.com/news/target-

confirms-unauthorized-access-to-payment-card-data-in-u-s-stores)). These breaches

led financial institutions, including those used by plaintiffs, to replace millions of

credit and debit cards in the first two weeks of January 2014. See id. at 16-17

(quoting Transcript, Q4 2013 JPMorgan Chase & Co. Earnings Conference Call

(Jan. 14, 2014) (JAMIE DIMON: “We have replaced 2 million debit and credit cards

I think by the end of this week, to protect our customers.”), available at

http://seekingalpha.com/article/1944961-jpmorgan-chase-ceo-discusses-q4-2013-

results-earnings-call-transcript?part=2). The two plaintiffs who allege that their

Chase payment cards were replaced—Ms. Frank and Ms. Kao—had those cards

replaced on or about January 10 and January 7, respectively (FAC ¶¶ 47, 55,

R.27:14-15), just as Chase was reissuing millions of payment cards potentially

affected by the Target breach. See id. The FAC does not state whether or not any

appellant shopped at Target or had her payment card information exposed in any

other manner, but neither does it allege any facts that, if true, would establish that

the compromise of any plaintiff’s payment card information was actually caused by

the data incursion at Neiman Marcus. Accordingly, the FAC does not allege

anything more than a “mere coincidence in timing,” which is insufficient to

establish that any alleged injury is traceable to Neiman Marcus. See Hammond,

2010 WL 2643307, at *5, 13.


41

The FAC’s allegations that one plaintiff, Ms. Frank, experienced a “phishing”

incident highlights their inability to show that any injury they suffered is fairly

traceable to Neiman Marcus’s conduct. The FAC states:

In March 2014, Frank suffered a “phishing” incident on her cell phone. Armed with information about her deactivated Chase debit card, the caller tried to coax her into providing additional PCD. On information and belief, the caller’s goal was to conduct additional fraud and/or identity theft using Frank’s Private information.

(FAC ¶ 51, R.27:15). As explained above, this incident does not constitute injury

because there is no indication that Ms. Frank actually suffered identity theft or any

monetary damage as a result of the incident. In addition, the claimed harm is not

fairly traceable to Neiman Marcus, because the information allegedly held by Ms.

Frank’s caller could not have been obtained from Neiman Marcus—for several

reasons. First, there is no allegation that Neiman Marcus was notified by Ms.

Frank or Chase that Ms. Frank’s Chase debit card had been canceled—and indeed,

it was not so notified—so the caller must have obtained that information from

another source. Second, even if Chase and/or Ms. Frank had notified Neiman

Marcus that her card was canceled, that piece of information could not have been

stolen during the security incident, because the malware that caused the incursion

affected only payment card information, not communications with customers or

banks. Third, the malware stopped working in October 2013, several months before

Ms. Frank’s card was canceled, so it could not have captured any information about

the cancellation of Ms. Frank’s card, even had it been designed to do so. For these

reasons, the information about Ms. Frank’s canceled debit card could not have come


42

from Neiman Marcus. In contrast, that information was made publicly available by

Ms. Frank herself in the complaint she filed on January 13, 2014, in which she

stated that she “experienced fraudulent charges on her debit card.” Compl., Frank

v. Neiman Marcus Group, No.14-cv-233, at ¶ 7 (E.D.N.Y. Jan. 13, 2014). Any

person reading Ms. Frank’s complaint would know that she allegedly suffered a

fraudulent charge on her debit card, and could surmise that that card would

subsequently be canceled. For all these reasons, plaintiffs have failed to allege facts

sufficient to show that they have standing, and the FAC was properly dismissed.

II. IN THE ALTERNATIVE, THE COMPLAINT SHOULD BE DISMISSED UNDER RULE 12(b)(6) FOR FAILURE TO STATE A CLAIM.

Even if the district court had jurisdiction to hear plaintiffs’ claims—which, as

set forth above, it did not—dismissal of the FAC would nonetheless have been

required under Rule 12(b)(6). Under that rule, a motion to dismiss should be

granted if the complaint does not contain “enough facts to state a claim to relief that

is plausible on its face.” Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007). To

survive dismissal under Rule 12(b)(6), a plaintiff’s factual allegations must be

sufficient “to raise a right to relief above the speculative level.” Id. at 555. “[W]here

the well-pleaded facts do not permit the court to infer more than the mere

possibility” that the requisite elements are established, it stops short of crossing the

line from possibility to plausibility of entitlement to relief, Ashcroft v. Iqbal, 556

U.S. 662, 679 (2009), in which case “the inference of liability is merely speculative.”


43

Yeftich v. Navistar, Inc., 722 F.3d 911, 915 (7th Cir. 2013). All of plaintiffs’ causes

of action fail to meet this standard.13

In the district court, Neiman Marcus sought dismissal of all claims under

Rule 12(b)(6), demonstrating that the FAC failed to establish all elements of each

claim advanced—and in several cases that multiple elements were not established

by allegations in the FAC.14 Having determined that it lacked Article III

jurisdiction, the district court did not reach Neiman Marcus’s request for dismissal

for failure to state a claim. See Steel Co. v. Citizens for a Better Env’t, 523 U.S. 83,

94 (1998) (a court that lacks jurisdiction may not examine the merits of a claim).

However, if this Court were to hold that plaintiffs do have standing, the Court

would be free to affirm the district court’s judgment on alternate grounds that are

supported by the record. Camp v. TNT Logistics Corp., 553 F.3d 502, 505 (7th Cir.

13 The FAC alleges, inter alia, that Neiman Marcus violated the consumer protection laws of all fifty states and the District of Columbia, and that Neiman Marcus violated the data breach statutes of fourteen jurisdictions within the United States. (See FAC ¶¶ 106, 138, R.27:25, 34.) This brief will confine its analysis to the claims based in California, Illinois, and New York law, the only law potentially relevant to the claims of these individual plaintiffs. 14 R.36:18-22 (establishing that negligence claims must be dismissed for failure to allege injury and causation); id. at 23-25 (establishing that breach of implied contract claims must be dismissed for failure to allege an implied agreement and damages); id. at 25-29 (establishing that unjust enrichment claims must be dismissed for inadequate pleading and for failure to allege injury to plaintiffs (i.e., unjust enrichment to defendants)); id. at 29-32 (establishing that consumer protection claims under California, Illinois, and New York laws must be dismissed for failure to allege injury, causation, and deceptiveness); id. at 32-35 (establishing that invasion of privacy claims must be dismissed for failure to allege invasion of privacy, egregious breach of social norms, and injury); id. at 35-36 (establishing that claims of violation of data breach acts of California and Illinois must be dismissed for failure to allege injury).


44

2009). Thus, if standing were held to exist, the Court should still affirm because

plaintiffs have failed to state a claim.

Every theory of liability that plaintiffs advance requires them to allege that

they were injured as a result of Neiman Marcus’s conduct.15 This is hardly

surprising: the purpose of civil litigation is to provide a legal forum for the redress

of injuries. Cf. Marbury v. Madison, 5 U.S. (1 Cranch) 137, 163 (1803) (“The very

essence of civil liberty certainly consists in the right of every individual to claim the

protection of the laws, whenever he receives an injury.”). No legal theory or

authority supports the awarding of relief to an uninjured plaintiff.

As explained in Part I, above, plaintiffs here have not alleged any cognizable

injury. They have failed to allege injury from past or future fraudulent charges on

their payment cards because they do not and cannot allege that any such charges

were not fully reimbursed. They have failed to allege future injury from identity

15 On negligence (Count I), see, e.g., In re Sony Gaming Networks and Customer Data Sec. Breach Litig. __ F.Supp.2d __, MDL No. 11-md-2258, 2014 WL 223677, at *10 (S.D. Cal. Jan. 21, 2014); Hammond, 2010 WL 2643307, at *9; Wilkins v. Williams, 991 N.E. 2d 308, 312 (Ill. 2013). On breach of implied contract (Count II), see, e.g., Navellier v. Sletten, 106 Cal. App. 4th 763, 775 (2003); Wesley-Jessen Inc. v. Reynolds, No. 72 C 1677, 1974 WL 20197, at *14 (N.D. Ill. May 23, 1974); Hammond, 2010 WL 2643307, at *11. On unjust enrichment (Count III), see, e.g., Peterson v. Cellco P’ship, 164 Cal.App.4th 1583, 1593 (Cal. Ct. App. 2008); HPI Health Care Servs., Inc. v. Mt. Vernon Hosp., Inc., 131 Ill.2d 145, 160, 545 N.E.2d 672, 679 (Ill. 1989); Goel v. Ramachandran, 975 N.Y.S.2d 428, 437 (N.Y. App. Div. 2013). On the consumer protection laws of California, Illinois, and New York (Count IV), see, e.g., Kwikset Corp. v. Super. Ct., 51 Cal.4th 310, 322 (2011); Martis v. Pekin Mem’l Hosp. Inc., 395 Ill. App. 3d 943, 949 (2009); Stutman v. Chem. Bank, 95 N.Y.2d 24, 29 (2000). On invasion of privacy under California law (Count V), see, e.g., Cohen v. Facebook, Inc., 798 F.Supp.2d 1090, 1097 (N.D. Cal. 2011). On the California and Illinois Data Breach Acts (Count VI), see, e.g., Price, 192 Cal. App. 4th at 1143; Martis, 395 Ill.App.3d at 949.


45

theft because their claims as to identity theft are entirely speculative. They have

failed to allege injury from overpayment for retail goods because they allege no facts

to suggest any defect in the goods they received. In sum, plaintiffs have not alleged

injury sufficient to state a claim under any of their proposed theories. Whether

dismissal is pursuant to Rule 12(b)(1) or Rule 12(b)(6), plaintiffs’ claims should be

dismissed.

Indeed, this is clear from the cases on which plaintiffs themselves rely. For

example, as discussed above, this Court in Pisciotta (cited at Br. 7, 8, 10, 15)

determined that the plaintiffs had adequately alleged future injury to establish

Article III standing. Beyond the requirements of Article III, however, plaintiffs

were required to allege compensable injury in order to state a claim for negligence

and breach of implied contract under Indiana law. Pisciotta, 499 F.3d at 635. This

Court held that they failed to do so: the supposed injury of “data exposure” did not

give rise to a right to relief on the merits. Id. at 636. Thus, the Court explained,

“[w]ithout more than allegations of increased risk of future identity theft, the

plaintiffs have not suffered a harm that the law is prepared to remedy.” Id. at 639.

Likewise, in Moyer (cited at Br. 13), the court concluded that plaintiffs had

alleged imminent, non-speculative harm from identity theft sufficient to satisfy

Article III. 2014 WL 3511500, at *5-6. But the plaintiffs’ complaint was still

dismissed because their allegations of an increased risk of identity theft were

insufficient to state a claim: “Here, as in Pisciotta, Plaintiffs’ claims must be

dismissed because they have failed to plead a required element of their Illinois law


46

claims for breach of contract and consumer fraud: actual monetary damages.” Id. at

*7. Thus, the court concluded, “although Plaintiffs have standing, they have not

pled the type of actual economic damage necessary to state Illinois law claims for

breach of implied contract … or violation of the Consumer Fraud Act.” Id.

To the extent the Court determines that plaintiffs here have standing, the

same analysis applies to their claims. Because plaintiffs have not alleged and

cannot allege that they have been injured as a result of any Neiman Marcus action

in connection with the data incursion, they have failed to state a claim under each

and every theory of liability they have advanced.


47

CONCLUSION

For the foregoing reasons, the judgment of the district court should be

affirmed.

DATED: December 5, 2014 Respectfully submitted, s/ David H. Hoffman David H. Hoffman Tacy F. Flint Daniel C. Craig Sidley Austin LLP One South Dearborn Chicago, IL 60603 Tel: (312) 853-7000 Fax: (312) 853-7036

ACTIVE 204435383v.9


ACTIVE 204435383v.11

CERTIFICATE OF COMPLIANCE WITH TYPE-VOLUME LIMITATION, TYPEFACE REQUIREMENTS,

AND TYPE STYLE REQUIREMENTS

1. This brief complies with the type-volume limitation of Fed. R. App. P. 32(a)(7)(B) because it contains 12,912 words, excluding the parts of the brief exempted by Fed. R. App. P. 32(a)(7)(B)(iii).

2. This brief complies with the typeface requirements of Fed. R. App. P. 32(a)(5) and the type style requirements of Fed. R. App. P. 32(a)(6) because it has been prepared in a proportionally spaced typeface using Microsoft Word 2007 in plain, twelve-point Century Schoolbook.

s/ Daniel C. Craig Attorney for The Neiman Marcus Group LLC Dated: December 5, 2014


ACTIVE 204435383v.11 1

CERTIFICATE OF SERVICE

I hereby certify that on December 5, 2014, the Brief of Defendant-Appellee

The Neiman Marcus Group LLC was filed with the Clerk of the Court for the

United States Court of Appeals for the Seventh Circuit by using the appellate

CM/ECF system.

The following attorneys are registered CM/ECF users and will be served by

the appellate CM/ECF system:

Joseph Siprut SIPRUT PC Suite 1850 17 N. State Street Chicago, IL 60602

s/ Daniel C. Craig Attorney for The Neiman Marcus Group LLC

Dated: December 5, 2014


case no. 14-3122 united states court of … no. 14-3122 united states court of appeals ... i. the...

Documents