DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Does the Seventh Circuit opinion in Neiman Marcus litigation impact FTC v. Wyndham?

Posted on August 3, 2015 by Dissent

Since the Seventh Circuit revived the class action lawsuit, Remijas v. Neiman Marcus, there has been a lot of buzz about how the opinion will make it easier for consumers going forward.  The opinion (appended to this file), addresses Article III standing, which has been a major stumbling block in the majority of lawsuits.

But skip on over to the Third Circuit for a minute, where it appears that the FTC submitted a filing on July 24th that tries to use the Neiman Marcus opinion to support its case against Wyndham. The FTC argues, in part:

… In Remijas v. Neiman Marcus Group, LLC, No. 14-3122 (July 20, 2015) (attached), the Seventh Circuit found that the victims of a breach of credit card data had alleged an injury-in-fact that gave them standing to sue the retailer from whose computers the data were stolen. The decision reverses a district court decision relied on by Wyndham in its opening and reply briefs (Br. at 48; Reply at 34) and supports the FTC’s argument in this case that the FTC’s complaint adequately alleged consumer harm. FTC Br. 52-61.

Wyndham has claimed that the FTC failed to plead facts showing consumer injury because credit card companies typically reimburse the victims of fraudulent charges. In response, the FTC has observed, inter alia, that even if Wyndham’s victims had been reimbursed, the complaint stated a valid cause of action by alleging that consumers spent “time and money resolving fraudulent charges and mitigating subsequent harm.” FTC Br. 58. Remijas supports that argument. The court there held that even though the victims were reimbursed for fraudulent charges, plaintiffs had alleged “identifiable costs associated with the process of sorting things out,” including “the aggravation and loss of value of the time needed to set things straight, to reset payment associations after credit card numbers are changed, and to pursue relief for unauthorized charges.” Slip Op. 7. Those alleged harms were sufficient to give plaintiffs standing.

Wyndham’s lawyers fired back that the FTC’s contention is incorrect:

As an initial matter, Remijas is inconsistent with other databreach cases, including this Court’s decision in Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011). More importantly, Remijas did not address the consumer-injury requirements of Section 5—only the less rigorous standing requirements of Article III.

While the test for constitutional standing is exceedingly low, see, e.g., Blunt v. Lower Marion Sch. Dist., 767 F.3d 247, 278 (3d Cir. 2014) (requiring only “some specific, identifiable trifle of injury”), the FTC Act contains two additional requirements: the injury must be (1) “substantial,” which, to have any meaning, must be something more than the injury required by Article III; and, (2) not “reasonably avoidable by consumers themselves.” 15 U.S.C. § 45(n). Those requirements mean that time and money spent resolving fraudulent charges cannot satisfy Section 5(n), even if they might confer standing under Article III.

As the Ninth Circuit explained in Davis v. HSBC Bank Nevada, an “injury” is not actionable under Section 5(n) “if consumers are aware of, and are reasonably capable of pursuing, potential avenues toward mitigating the injury after the fact.” 691 F.3d 1152, 1168-69 (9th Cir. 2012). Davis rejected the notion that avoiding injury is itself sufficient, framing the issue as “not whether subsequent mitigation was convenient or costless, but whether it was reasonably possible.” Id.; see also Reply Br. 31-35. The FTC’s claim here is classic bootstrapping that would eviscerate the “reasonably avoidable” requirement.

Finally, the FTC’s argument that Wyndham consumers suffered unreimbursed fraud loss is implausible because—after investigating the cyberattacks against Wyndham for nearly five years and contacting hundreds of consumers—the FTC admitted that it has not identified a single individual consumer who suffered unreimbursed fraud loss (let alone “substantial” loss that was “not reasonably avoidable”).

So will Remijas have any impact on FTC v. Wyndham? I guess we’ll have to see when we finally get an opinion from the Third Circuit.

Related posts:

  • FTC Files Complaint Against Wyndham Hotels For Failure to Protect Consumers’ Personal Information
  • Transcript of Oral Argument in FTC v. Wyndham
  • Wyndham caves, settles charges with FTC (updated)
  • FTC claims victory in Wyndham case; Appellate court upholds authority to enforce data security
Category: Business SectorCommentaries and AnalysesHackU.S.

Post navigation

← IL: Batavia Container sues former employee for trade secrets theft
Donald Trumps website breached by @TelecomixCanada →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Ex-student charged with wave of cyber attacks on Sydney uni
  • Detaining Hackers Before the Crime? Tamil Nadu’s Supreme Court Approves Preventive Custody for Cyber Offenders
  • Potential Cyberattack Scrambles Columbia University Computer Systems
  • 222,000 customer records allegedly from Manhattan Parking Group leaked
  • Breaches have consequences (sometimes) (1)
  • Kansas City Man Pleads Guilty for Hacking a Non-Profit
  • British national “IntelBroker” charged with causing $25 million in damages; U.S. seeks his extradition from France
  • France issues press statement about arrest of ShinyHunters members
  • Patients Allege Home Delivery Pharmacy Failed to Timely Notify Them of Data Breach
  • Hackers breach Norwegian dam, open valve at full capacity

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Microsoft’s Departing Privacy Chief Calls for Regulator Outreach
  • Nestle USA Settles Suit Over Job-Application Medical Questions
  • NY Attorney General James Affirms Hospitals Must Provide Access to Emergency Abortion Care
  • How Internet of Things devices affect your privacy – even when they’re not yours
  • Sky Views Personal Data as a Potential Weapon in IPTV Piracy War
  • Florida Used a Nationwide Surveillance Camera Network 250 Times To Aid in Immigration Arrests
  • Federal Court Strikes Down HIPAA Reproductive Health Care Privacy Rule

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.