From Casetext: Smarter Legal Research

Remijas v. Neiman Marcus Grp., LLC

UNITED STATES DISTRICT COURT FOR THE NORTHERN DISTRICT OF ILLINOIS EASTERN DIVISION
Sep 17, 2018
341 F. Supp. 3d 823 (N.D. Ill. 2018)

Opinion

Case No. 14-cv-1735

09-17-2018

Hilary REMIJAS, Melissa Frank, Debbie Farnoush, and Joanne Kao, Individually and on Behalf of All Others Similarly Situated, Plaintiffs, v. The NEIMAN MARCUS GROUP, LLC, a Delaware Limited Liability Company, Defendant.

Joseph J. Siprut, Melanie K. Nelson, Siprut PC, Chicago, IL, John A. Yanchunis, Morgan & Morgan, Complex Litigation Group, Tampa, FL, Theodore Walter Maya, Pro Hac Vice, Tina Wolfson, Pro Hac Vice, Ahdoot & Wolfson, PC, Los Angeles, CA, for Plaintiffs. David Henry Hoffman, Geetanjli Malhotra, Daniel Cochran Craig, Sidley Austin LLP, Chicago, IL, James D. Arden, Pro Hac Vice, Steven Michael Bierman, Pro Hac Vice, Sidley Austin LLP, New York, NY, for Defendant.


Joseph J. Siprut, Melanie K. Nelson, Siprut PC, Chicago, IL, John A. Yanchunis, Morgan & Morgan, Complex Litigation Group, Tampa, FL, Theodore Walter Maya, Pro Hac Vice, Tina Wolfson, Pro Hac Vice, Ahdoot & Wolfson, PC, Los Angeles, CA, for Plaintiffs.

David Henry Hoffman, Geetanjli Malhotra, Daniel Cochran Craig, Sidley Austin LLP, Chicago, IL, James D. Arden, Pro Hac Vice, Steven Michael Bierman, Pro Hac Vice, Sidley Austin LLP, New York, NY, for Defendant.

MEMORANDUM OPINION AND ORDER

SHARON JOHNSON COLEMAN, United States District Court Judge

In 2013, Neiman Marcus suffered a major data breach that exposed consumers' credit card numbers and gave rise to this litigation. In June of 2017, Judge Der-Yeghiayan provisionally certified the settlement class and preliminarily approved the settlement in this class action. The parties now move this Court to approve the settlement and award attorney's fees, costs, and service awards. Multiple objectors have appeared to challenge the proposed settlement on numerous grounds. For the reasons set forth herein, this Court denies the motion for final approval [158] and the motion for attorney's fees [159] without prejudice and decertifies the proposed settlement class.

Background

In December 2013, Neiman Marcus began to receive reports of fraudulent charges on its customers' credit cards. Neiman Marcus investigated these reports and ultimately discovered malware in its computer systems. On January 10, 2014, Neiman Marcus disclosed the data breach to the public and individually notified the customers who had incurred fraudulent charges. At the time, Neiman Marcus disclosed that the malware had compromised customer's credit card numbers but not their birth dates or social security numbers. Neiman Marcus subsequently revealed that the malware had been active at various locations between July 16, 2013, and October 30, 2013, potentially exposing 350,000 customers' credit card information, and that 9,200 of those cards had since been used fraudulently. Neiman Marcus attempted to contact all of the customers who had shopped at a Neiman Marcus store within the past year (for whom it had contact information) to offer them one year of credit-monitoring and identity-theft protection. Neiman Marcus subsequently learned, during the pendency of this litigation, that the malware at issue was not installed at all Neiman Marcus locations, and that it was only operational on various dates and times between July 16, 2013, and October 30, 2013, at each location where it was installed.

The term "malware" generally describes computer programs written with the intent of being disruptive or damaging to a computer or computer user, and encompasses computer viruses, worms, and spyware.

News of Neiman Marcus' data breach yielded multiple class-action complaints, which were consolidated in this action brought by plaintiffs Hilary Remijas, Melissa Frank, Debbie Farnoush, and Joanne Kao. Remijas alleges that she made purchases using a credit card at the Neiman Marcus store in Oak Brook, Illinois in August and December 2013. Frank alleged that she and her husband used a joint debit card to make purchases at Neiman Marcus' Long Island store in December 2013, and that fraudulent charges subsequently appeared on their account on January 9, 2014. Farnoush alleges that she visited an unidentified Neiman Marcus store in 2013, and subsequently had fraudulent charges placed on her card. Finally, Kao alleges that she made purchases at a Neiman Marcus in San Francisco between February and December 2013, and that her bank subsequently replaced her debit card because it had been compromised.

This case was filed in March of 2014, and was initially assigned to Judge James Zagel. The defendant filed a motion to dismiss, which Judge Zagel granted in September 2014. In pertinent part, Judge Zagel held that the plaintiffs could not establish standing because they could only establish that their data might have been stolen and might subsequently result in fraudulent charges, injuries which he contended were not sufficiently concrete. That decision was subsequently appealed to the Seventh Circuit, which, in July 2015, reversed Judge Zagel's ruling with respect to standing and remanded the case for further proceedings. On remand, Neiman Marcus filed a renewed motion to dismiss, which was denied. Neiman Marcus then filed twelve consecutive motions to extend the responsive pleading deadline, pushing that deadline from February 12, 2016, to February 10, 2017. During that time, this case was transferred to Judge Der-Yeghiayan, who, on February 9, 2017, dismissed it based on the parties' failure to proceed with the litigation. The plaintiff promptly moved to reinstated the action and filed a motion for class certification and preliminary approval, which was granted. Following the requisite notice period, the plaintiffs filed their motions for final approval of the class action settlement [158] and for attorney's fees, costs, and service awards [159]. Parvinder Chohan, Gretchen Carey, and Donald L. Plunkett, Jr., all potential class members, subsequently filed detailed objections to the class settlement. Those objections were fully briefed and Judge Der-Yeghiayan heard arguments regarding them. Judge Der-Yeghiayan subsequently retired, and the case was transferred to this Court with those motions pending.

Discussion

As the Seventh Circuit has recognized, federal courts "naturally favor" the settlement of class action litigation. Isby v. Bayh , 75 F.3d 1191, 1196 (7th Cir. 1996). Settlements promote the interests of litigants by saving them the expense and uncertainty of trial and promote the interests of the judicial system by preserving public resources. Hispanics United of DuPage Cnty. v. Vill. of Addison, Ill. , 988 F.Supp. 1130, 1149 (N.D. Ill. 1997). Thus, although class action settlements must be approved by the court, the inquiry is limited to consideration of whether the proposed settlement is lawful, fair, reasonable, and adequate. E.E.O.C. v. Hiram Walker & Sons, Inc. , 768 F.2d 884, 888–89 (7th Cir. 1985), cert. denied, 478 U.S. 1004, 106 S.Ct. 3293, 92 L.Ed.2d 709 (1986).

Motions to decertify a class, however, are reviewed using the same standards as motions to certify a class. Motions to decertify a class are not subject to the heightened standards of review applied to motions for reconsideration, even if the class was previously certified by a different judge. See Ellis v. Elgin Riverboat Resort , 217 F.R.D. 415, 420 (N.D. Ill. 2003) (Ashman, Mag. J.); see also Phillips v. Sheriff of Cook County , 828 F.3d 541, 549 (7th Cir. 2016) (applying the class certification analysis to an order decertifying a class). Indeed, the Seventh Circuit has instructed district court judges reviewing class action settlements to act as "a fiduciary of the class" and to exercise a high duty of care in ensuring the propriety of class certification and the proposed class action settlement. Reynolds v. Beneficial Nat. Bank , 288 F.3d 277, 279–80 (7th Cir. 2002). In order for a class to be certified, (1) the class must be so numerous that joinder of all members is impracticable; (2) there must be questions of law or fact common to the class; (3) the claims of defenses of the class representatives must be typical of the class; and (4) the class representatives must adequately protect the interests of the class. Fed. R Civ. P. 23(a). Here, the parties propose that the class be certified under Fed. R. Civ. P. 23(b)(3), which additionally requires that common questions of law or fact predominate over any questions affecting only individual members and that the class action mechanism be superior to the available alternatives for fairly and efficiently adjudicating the controversy.

There is no doubt that there is a question of law or fact common to the class: whether Neiman Marcus put reasonable information technology security measures in place before the incident and otherwise complied with its legal duties. This question is common with respect to all Neiman Marcus customers who made purchases within the proposed class period. Numerosity also cannot be reasonably disputed, given that the proposed class contains over two million individuals.

The objectors, however, contend that the settlement class contains impermissible intra-class conflicts, an argument which challenges the adequacy of the named plaintiffs' representation of the "different, separate, and distinct interest[s] of the class members." Retired Chicago Police Ass'n v. City of Chicago , 7 F.3d 584, 598 (7th Cir. 1993) (quoting Secretary of Labor v. Fitzsimmons , 805 F.2d 682, 697 (7th Cir. 1986) (en banc) ). A single class cannot be fairly or adequately represented by the named plaintiffs and class counsel if members of the class have antagonistic or conflicting claims. Id.

For the purpose of analysis, it makes sense to divide the proposed class into three groups based on factual differences in their claims: (1) those who made purchases during the time range within which the malware was operating ("the malware period") but whose purchases were not affected by the malware; (2) those who made purchases during the malware period and while the malware was active at the location of their purchase; and (3) those who made purchases outside the malware period.

The Court turns its attention first to those class-members who made purchases within the malware period. Of those who made their purchases during the malware period, some made their purchases at times and locations when the malware was active, and the remainder did not. Under the terms of the proposed settlement those who made their purchases while the malware was active stood to receive financial compensation, while others who made their purchases during the malware period but at a time or place that the malware was not active did not. The objectors contend that because of this disparity the interests of those malware-period purchasers whose credit card information was accessed are at odds with those malware-period purchasers whose credit card numbers were not compromised and who therefore stand to make a de minimis recovery.

The parties, seemingly in anticipation of this potential argument, attempted to deliberately blind the class representatives. They structured their settlement such that individual class members could not learn whether their card number had been compromised until after they had opted into the settlement. The parties therefore assert that the named plaintiffs were able to adequately represent the interests of all class members who made purchases during the malware period because the named representatives had a personal stake in both groups within the scope of the malware period until after the settlement had already been agreed upon.

The Court finds this mechanism to be highly suspect. Although it may simplify matters of class action settlement, delaying the notification of individual victims no doubt caused potential class members continued uncertainty and caused them to continue to make unnecessary efforts to mitigate the perceived release of their credit card information. The refusal to inform class members of how they were situated until after they opted into the settlement also creates an appearance of manipulation or dishonesty, undermining the integrity of the class action mechanism.

The settling parties' position on this issue is strongly supported by Uhl v. Thoroughbred Technology and Telecommunications, Inc. , 309 F.3d 978 (7th Cir. 2002). In Uhl , the defendant announced its intention to install fiber optic conduits along a railroad right-of-way. The named plaintiff brought a class action on behalf of those who owned real estate on either side of the right-of-way. At the time of the class action settlement, the defendant had not yet surveyed or determined which side of the tracks the conduit would be installed on (and could not do so without trespassing on the land-owners land, absent the settlement at issue). The settlement thus divided the class into two categories: those on the side of the tracks that the conduit would be installed on, and those on the side of the tracks that the conduit would not be installed on. Because the location of the installation of the conduit was not yet known, the Seventh Circuit concluded that the class representative, who lived on one side of the tracks, could adequately represent both categories of class-members. See Id. at 986 ("[T]he named representative had an equal incentive to represent both sides as long as he did not know where his property would end up."). The named representatives here were similarly cloaked in a veil of ignorance with respect to whether or not the malware was active at the time that they made their purchase within the malware period. Thus, at the time that the settlement was negotiated the class representatives and class counsel had equal incentive to represent the interests of all class members who made a purchase within the malware period. Accordingly, the Court sees no adequacy problem as between the recovering and non-recovering class members who made their purchases within the malware period.

The same is not true, however, with respect to customers who made their purchases outside the malware period (the non-malware period subclass). At the time settlement in this case was reached, the parties already knew that the malware was only active between July 16, 2013, and October 30, 2013. Indeed, it appears that this date range was disclosed well before the settlement negotiations even began. Nevertheless, the settlement class encompasses those who made purchases between July 16, 2013, and January 10, 2014. The settlement class in this case thus includes individuals who the parties (and class representatives) knew from the outset could not have made their purchases at a time when the malware was active.

Interestingly, the plaintiffs' original complaint in this action defined the class as being comprised of individuals who made a purchase from Neiman Marcus between July 16, 2013, and October 30, 2013. Although the amended complaint expanded that definition to include "all persons whose personal and/or financial information was disclosed in the data incursion affecting Neiman Marcus in 2013," it did not expressly expand that definition to encompass those who made their purchases outside of the malware period. Although the plaintiffs at one point argued that the data breach continued through January 10, 2014, they abandoned that argument at settlement. It is therefore unclear to this court why the parties subsequently sought to expand the class beyond the malware period.

More important, at the time of the settlement the class representatives knew whether or not they had made their purchases within the malware period. Accordingly, the reasoning of Uhl cannot be applied to that subclass because the class representatives had no incentive to represent that group or its interests. The interests of the non-malware period subclass, moreover, plainly conflict with those of the remaining class-members. Unlike those within the malware period, the non-malware period subclass has no chance of monetary recovery under the current settlement terms because there appears to be no chance that their credit card numbers were actually compromised by the malware now at issue. Those who purchased during the malware period, by contrast, had heightened incentive to agree to the lackluster non-monetary relief offered to those whose credit card numbers weren't compromised because, if their credit card number was compromised, they stood to receive actual damages to offset that more pressing harm. The non-Malware-Period subclass, by contrast, has no chance of monetary recovery under the proposed settlement agreement, and thus has strong incentive to pursue additional legal that the plaintiffs have declined to pursue in favor of settling. Accordingly, the settlement class as it is currently composed has a fundamental conflict that undermines the adequacy of the representation of the class. See Rosario v. Livaditis , 963 F.2d 1013, 1018 (7th Cir. 1992) ("A class is not fairly and adequately represented if class members have antagonistic or conflicting claims."); see also In re Payment Card Interchange Fee and Merchant Discount Antitrust Litigation, 827 F.3d 223, 233 (2nd Cir. 2016) (recognizing that intense and protracted mediation with respected and capable mediators does not compensate for the absence of independent representation because there could be no assurance that anyone advanced the strongest arguments in favor of the disfavored claims).

The Court notes that it appears from the allegations of the complaint that Frank made a purchase at Neiman Marcus outside the malware period and was subsequently the victim of unauthorized fraudulent charges. Frank thus may be a member of the non-malware period subclass. The Court, however, has no evidence before it establishing that this is the case or that Frank engaged in any effort to represent the interests of that sub-class against the interests of the broader class.

The Court's concerns about the representation of the interests of all members of the proposed settlement class is only amplified by the illusory nature of the relief being afforded to those whose credit card information was not compromised, including those who made their purchases outside the malware period. The settling parties' assert that these individuals are receiving valuable non-monetary relief. Once the data breach that gave rise to this case was publicized, Neiman Marcus agreed to provide everyone who shopped in its stores between July 2013 and January 2014 with a year of free credit monitoring and identity theft insurance. Neiman Marcus also took actions to enhance its cybersecurity business practices. The settling parties attempt to argue that these are non-monetary benefits flowing from the settlement. These non-monetary benefits, however, were issued prior to the class action settlement and thus cannot be fairly attributed to that settlement. Neiman Marcus' changed business practices, moreover, cannot be characterized as relief given their non-binding nature. In the settlement agreement, the business practice changes that Neiman Marcus implemented are listed "for informational purposes only" with an explicit disclaimer stating that their identification did not create "any rights or obligations" and that Neiman Marcus was free to alter (or abandon) the practices at any time. See in re Subway Footlong Sandwich Marketing and Sales Practices Litig. , 869 F.3d 551, 557 (7th Cir. 2017) (recognizing that injunctive relief that did not correct the complained-of business practices was "worthless" to the class). Although the Court does not hold that these actions conferred no value on the non-malware period subclass, the Court questions whether they constitute the relief that an adequately represented non-malware period subclass would seek to recover. See Grok Lines, Inc. v. Paschall Truck Lines, Inc. , No. 14 C 8033, 2015 WL 5544504, at *2 (N.D. Ill. Sept. 18, 2015) (Chang, J.) (recognizing the Court's duty to vigilantly guard against settlements that enrich class counsel with scant reward to the class itself) (quoting Thorogood v. Sears, Roebuck & Co. , 627 F.3d 289, 293 (7th Cir. 2010) and Reynolds , 288 F.3d at 279–280 ).

Considering the inevitable conflict between the interests of those who made purchases during the malware period and those who made purchases outside the malware period, the Court has no alternative but to decertify the class in this case. The Court declines to instruct the parties on how best to resolve the current flaws in the representation of the proposed class, but does caution that if the named plaintiffs have learned whether their credit card information was compromised, they will no longer be able to act from within the veil of ignorance described by Uhl should it be necessary to substantively modify the conditions of the settlement agreement.

The Court acknowledges the lengthy history of this case, which has been heard by three district court judges as well as the Seventh Circuit. The Court concedes that it is loathe to issue a ruling that prolongs this case and further delays class members' recoveries. Nevertheless, the age and history of this case are not considerations which this Court may consider when assessing the validity of class certification or the fairness of the proposed settlement.

In light of its determination that the class here must be decertified, this Court need not evaluate the merits of the objectors' arguments challenging the fairness of the proposed settlement at this time. The Court does, however, address one area of procedural concern. In their motion for preliminary approval of the settlement, the settling parties represented that the proposed notice program would include "direct Notice to all proposed Settlement Class Members." That representation was false, as was reflected by both the contemporaneously filed Settlement Agreement and the materials filed in support of the parties' motion for final approval of the settlement. The plaintiffs represent that this misstatement resulted from a typographical error, and the Court has no reason to doubt that. Whatever the cause of the error, it concerned a key substantive provision of the parties' motion and this Court therefore cannot presume that it was harmless in effect. Instead of providing direct notice to all class members, direct notice was only provided to less than 773,292 potential class members out of a proposed class of over two million. Further, indirect notice was provided through a single print advertisement and a four-week internet banner advertisement campaign which purportedly was seen by 71.48% of class members an average of 2.95 times each. The result of these efforts, however, was paltry; three months before the claim deadline only 16,447 claim forms had been submitted. That figure represents three-quarters of a percent of the settling class in this case. Because of the erroneous representation at issue and the poor response rate demonstrated, the Court encourages the parties to consider whether further attempts at notice are warranted in this case.

The Chief Innovation Officer of the firm responsible for providing notice to the class provided these numbers in a signed declaration, but offered no underlying data or methodology justifying this calculation. The Court also takes note of the objectors' assertion that the funds available for providing notice to the class were not fully utilized.
--------

Conclusion

For the foregoing reasons, the Court decertifies the settlement class. The pending motions for final approval of the class action settlement [158] and for attorney fees, costs, and class representative service awards [159] are therefore denied without prejudice.

IT IS SO ORDERED.


Summaries of

Remijas v. Neiman Marcus Grp., LLC

UNITED STATES DISTRICT COURT FOR THE NORTHERN DISTRICT OF ILLINOIS EASTERN DIVISION
Sep 17, 2018
341 F. Supp. 3d 823 (N.D. Ill. 2018)
Case details for

Remijas v. Neiman Marcus Grp., LLC

Case Details

Full title:HILARY REMIJAS, MELISSA FRANK, DEBBIE FARNOUSH, and JOANNE KAO…

Court:UNITED STATES DISTRICT COURT FOR THE NORTHERN DISTRICT OF ILLINOIS EASTERN DIVISION

Date published: Sep 17, 2018

Citations

341 F. Supp. 3d 823 (N.D. Ill. 2018)

Citing Cases

In re Sonic Corp. Customer Data Sec. Breach Litig.

Castillejos Decl. ¶ 12, Doc. 162-2 ("According to KCC's media team, using advertising-industry standard reach…