On June 21, 2017, the U.S. District Court for the Northern District of Illinois entered an order granting preliminary approval of a $1.6 million class action settlement between Neiman Marcus and a class of its customers whose payment card information was exposed in a 2013 data breach.   See Remijas v. Neiman Marcus Group, LLC, No. 1:14-cv-01735, Doc. 154 (N.D. Ill., June 21, 2017). The case involves claims against Neiman Marcus arising out of a cybersecurity intrusion that exposed the payment card data of approximately 370,385 individuals who used a payment card at a Neiman Marcus store while malware was installed in the retailer’s computer system.

In January 2014, Neiman Marcus announced a data breach potentially compromising the payment card information of certain Neiman Marcus customers.  Shortly thereafter, Hilary Remijas filed suit in federal district court on behalf of a purported class of Neiman Marcus customers, asserting claims against Neiman Marcus for negligence, breach of implied contract, unjust enrichment, invasion of privacy, and violations of state consumer laws and state data breach statutes. 

In September 2014, the district court dismissed the case based on the plaintiff’s lack of Article III standing, but the U.S. Court of Appeals for the Seventh Circuit reversed the dismissal and revived the case in July 2015, holding that the risk that the plaintiff’s personal data would be misused by the hackers was a sufficiently concrete injury to provide the plaintiff’s standing.  On remand from the Seventh Circuit, the district court denied Neiman Marcus’s renewed motion to dismiss on January 13, 2016.  The settlement was announced in March and preliminarily approved by the district court last week.

In exchange for a release of all claims stemming from the data breach, Neiman Marcus has agreed to create a $1.6 million settlement fund to pay class members who used a debit or credit card at a Neiman Marcus store on a date that malware was operating in that store.  Each class member is eligible to receive up to $100 from the settlement fund.  To be eligible to receive settlement funds, class members are only required to submit information sufficient to demonstrate that their payment card data was exposed, not that they incurred any fraudulent charges.  The settlement agreement also includes the parties’ agreement to an award of attorneys’ fees and expenses no greater than $530,000.  The final approval hearing is scheduled to occur on October 26, 2017.