As previously noted in this blog, the Neiman Marcus payment card data theft class action reflects a lenient approach to the issue of standing in data breach cases. In that case, the Seventh Circuit rejected arguments that customers claiming to have sustained only the theft of debit and credit card information had not alleged sufficient injury to have standing to sue. See Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688 (2015). Now, however, differences in class members’ claimed injuries have resulted in intra-class conflicts that have led to an order by the trial court rejecting a proposed class settlement of the lawsuit. In so ruling, the court has highlighted why issues of injury and standing matter in data breach cases.
The main problem with the settlement was overbreadth. The lawsuit was brought on behalf of all customers using payment cards at Neiman Marcus during a specific class period. During part of the relevant period, malware was installed by hackers onto point of sale terminals at some – but not all – Neiman Marcus stores. The malware operated only for a certain period of time, and was present in only certain Neiman Marcus stores during that time period. As a result, the defined class can be divided into three parts: (1) customers using payments cards when malware was present at stores where malware was installed; (2) customers using payment cards during the period where malware was in use, but at stores not infected by the malware; and (3) customers using payment cards at times when no malware was present in any store The settlement only paid compensation to customers in categories (1) and (2), but would release claims of customers in all three categories. The court concluded that there was no way that class representatives, who would be receiving settlement compensation as participants in categories (1) and (2), could adequately represent the interests of the class members in category (3) who received nothing. The conflict between the “haves” and “have nots” let the court to conclude that the class representatives could not satisfy the adequacy requirement of Fed. R. Civ. P. 23(a)(4), thus precluding certification of the settlement class. The court sent the parties back to the drawing board to attempt to devise a settlement structure that would address or eliminate that conflict.
The botched attempt to obtain a class settlement in the Neiman Marcus case raises the question of what the category (3) class members were doing in that case in the first place. The court’s opinion suggests, without elaboration, that the no-compensation settlement gave up potentially meritorious claims on behalf of that cohort, but it is hard to conceive of what they might be, where such class members were not even exposed to malware and, therefore, could not have suffered injury. The very purpose of the “case or controversy” standing requirement under Article III of the United States Constitution is to avoid asking the federal courts to decide legal issues involving parties who were not injured. By applying that requirement leniently at the outset of the Neiman Marcus case, the Seventh Circuit set the stage for precisely what occurred – a settlement could not be approved because of the overbroad class yielded a conflict of interest between injured and uninjured class members. As such, this may be a cautionary tale for courts that are inclined to overlook difficult standing issues at early stages of data breach case. As Neiman Marcus illustrates, standing is not merely a defendant’s procedural loophole, but is instead a substantive issue which, if not handled properly at the outset, can have material ramifications for class certification, settlement, and trial.