Neiman Marcus Group LLC must face a proposed class action in which the high-end retailer is accused of failing to protect customers from computer hackers who stole credit and debit card information, an appeals court ruled, saying a judge decided too soon that the victims didn’t have a case.
The decision reverses a September ruling by a Chicago federal judge who found the customers didn’t show they suffered concrete harm. The consumers sued Neiman Marcus for negligence, breach of contract and deceptive business practices.
The data breach, disclosed last year, is one of multiple such attacks on credit information at U.S. retailers including Target Corp. and Home Depot Inc.
Malicious software “was clandestinely installed on our system,” and attempted to collect data from July 16, 2013, to Oct. 30, 2013, Neiman Marcus told customers in a statement last year.
Visa, MasterCard and Discover notified Neiman Marcus that about 9,200 of 350,000 affected cards were subsequently used fraudulently.
U.S. District Judge James B. Zagel, in rejecting the lawsuit last year, said customers weren’t claiming they hadn’t been reimbursed for fraudulent billings. He said he wasn’t convinced that there were concrete injuries if the card-owners weren’t responsible for the bills.
Unreimbursed payments weren’t the only possible harm, the appeals court found, citing the cost of credit monitoring and the hackers’ ability to use the fraudulent data for years.
“Presumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume those consumers’ identities,” the panel said.
Ginger Reeder, a Neiman Marcus spokeswoman, declined to comment on Monday’s decision. Joseph Siprut, a consumer attorney, didn’t immediately respond to an e-mail seeking comment.
The lawsuit, filed as a proposed class action on behalf of all affected Neiman Marcus credit customers, is seeking damages and payments for credit monitoring.
The lawsuit is Remijas v. Neiman Marcus Group LLC, U.S. Court of Appeals for the 7th Circuit (Chicago).
(An earlier version of this story was corrected to say the breach was disclosed in 2014.)
With assistance from Janan Hanna in Chicago.