Hilary Remijas v. Neiman Marcus Group, LLC, 2015 U.S. App. LEXIS 12487

In 2013 hackers breached Neiman Marcus’s systems; the company announced in January 2014 that ~350,000 payment cards were potentially exposed and that 9,200 had known fraudulent charges.
Plaintiffs (four named customers) filed a consolidated class action alleging negligence, breach of implied contract, unjust enrichment, unfair/deceptive practices, invasion of privacy, and state data‑breach law violations, seeking more than $5,000,000 under CAFA.
Named plaintiffs allege various harms: fraudulent charges (some reimbursed), time and money resolving fraud, expenses for credit monitoring, and increased risk of future identity theft; defendants offered one year of credit monitoring to many customers.
The district court dismissed the complaint for lack of Article III standing; dismissal was without prejudice. Plaintiffs appealed.
The Seventh Circuit reviewed standing de novo and considered (1) injury‑in‑fact (actual and imminent), (2) causation (traceability), and (3) redressability.
The Seventh Circuit reversed, holding plaintiffs alleged sufficient concrete injuries (mitigation expenses and injuries associated with resolving fraud and risk of future harm) and that causation and redressability were plausibly pleaded.

Issue	Plaintiff's Argument	Defendant's Argument	Held
Article III injury‑in‑fact (future risk)	Data was stolen; there is a substantial, objectively reasonable risk of future fraud/identity theft	Risk is speculative; reimbursement by card issuers makes injuries improbable	Plaintiffs plausibly alleged substantial risk; future harm allegations survive pleading stage
Article III injury‑in‑fact (mitigation costs)	Time/money spent on credit monitoring and resolving fraud are concrete injuries	Such mitigation expenses cannot manufacture standing absent imminent harm	Mitigation expenses are concrete here (breach occurred and company offered monitoring); sufficient for standing
Causation/traceability	Neiman Marcus admitted cards were exposed and notified customers; injuries are fairly traceable to its breach	Other contemporaneous breaches could have caused harm, attenuating traceability	At pleading stage traceability is plausible; alternative sources are defenses for later stages
Redressability	Judicial relief can remedy mitigation costs and unreimbursed losses; future harms can be mitigated by relief	Reimbursement practices and statutory protections mean damages are speculative or already addressed	Remedies could redress mitigation costs and unreimbursed losses; redressability satisfied for alleged injuries

Steel Co. v. Citizens for a Better Env’t, 523 U.S. 83 (standing is threshold jurisdictional question)
Lujan v. Defenders of Wildlife, 504 U.S. 555 (Article III standing elements)
Clapper v. Amnesty Int’l USA, 133 S. Ct. 1138 (future injury requires imminent or substantial risk; substantial risk may suffice)
Bell Atl. Corp. v. Twombly, 550 U.S. 544 (pleading standard to raise right to relief above speculative level)
Anderson v. Hannaford Bros. Co., 659 F.3d 151 (mitigation expenses may support standing in data‑breach context)
Price Waterhouse v. Hopkins, 490 U.S. 228 (discussion of burden shifting where multiple possible tortfeasors exist)