On Wednesday, Neiman Marcus – one of several major retailers that recently announced having customer payment cards, among other information, stolen in a malware attack against its point-of-sale systems – filed a motion to dismiss a class-action complaint filed in January by an impacted customer.
The January complaint – filed in the Eastern District of New York – seeks equitable relief for all impacted individuals, but Melissa Frank is named as lead plaintiff because she alleges that fraudulent charges made on her debit card are the result of the Neiman Marcus breach.
Neiman Marcus does not see it that way.
“The complaint nowhere alleges either that the data incursion at Neiman Marcus caused the fraudulent charges on her debit card or that those charges resulted in any financial or other concrete injury to her,” according to the motion for dismissal.
And that is not all.
“Because the complaint describes no specific harm she has suffered, monetary or otherwise, there is no way that a judgment in her favor would make her whole,” according to the motion, which adds Frank's payment card has zero fraud liability and she will not be held accountable for fraudulent charges. “Rather, she is whole already.”
The motion also rejects any claims that Frank may suffer future consequences, such as identity theft. Neiman Marcus previously announced, and brings up again in the motion, that information necessary for identity theft, such as Social Security numbers and dates of birth, as well as PIN numbers, was not compromised.
“In sum, plaintiff fails to allege what damage, what concrete and compensable harm she is suffering in the here and now,” according to the motion. “She alleges no unpaid bill to pay, no demand from her bank that it be reimbursed for charges incurred on her account, and no other presently realized (or certainly impending) harm.”
The Frank complaint states that Neiman Marcus failed to implement and maintain reasonable security procedures and practices appropriate to the scope of the breach, and adds that the retailer only revealed a breach had transpired after technology journalist Brian Krebs broke the story on Jan. 10.