The Seventh Circuit ruled that the risk of future harm in a data breach is sufficient to take major companies to court. Plaintiffs, such as the Neiman Marcus Group LLC customers, now have standing to hold companies liable for a data breach, regardless of whether the actual harm of identity theft ever occurs.
The U.S. Court of Appeals reinstated the 2013 cyber attack case that had been dismissed by the district court, holding the likelihood of personal data exposure following a system breach is “immediate and very real.” Neiman Marcus never even investigated the nearly 60,000 software alerts its software system received during the data breach.
As the first federal appellate decision on the issue of standing to assert data breach claims for years, the Neiman Marcus decision will be cited frequently in creating the legal framework for data breach class actions. As one of the first federal appellate decisions on the issue of standing to assert data breach claims, Neiman Marcus will likely cast implications upon other currently pending data breach cases, such as Lewert v. P.F. Chang’s China Bistro, Inc., No. 14-cv-4787 (N.D. Ill. Dec. 10, 2014), a case also before the Seventh Circuit.
The precedent-setting ruling means that companies will likely have to contend with more lawsuits after security breaches that have affected millions of consumers in recent years. The opinion noted that the Neiman Marcus plaintiffs’ allegations go far beyond those at issue in Spokeo v. Robins, a case expected to have wide-ranging federal consumer protections implications.
Plaintiffs’ counsel, Robert Ahdoot, told Law360 the decision means "data breach victims, who carry the burden of protecting themselves against the imminent risk of identify theft and fraud, can now have their day in court against companies who fail to secure consumers' personal information against hackers.” The plaintiffs are seeking a minimum of $5 million in damages.
The court granted the standing to the plaintiffs, based on the uncontested fact that the data breach exposed 350,000 consumers’ personal data. Neiman Marcus admitted in 2014 that of the 350,000 people whose information was stolen, 9,200 individuals’ credit card data had since been used fraudulently, but the number of potential or actual thefts is now irrelevant. The Seventh Circuit determined the Neiman Marcus victims “should not have to wait until hackers commit identity theft or credit-card fraud in order to give the class standing, because there is an ‘objectively reasonable likelihood’ that such an injury will occur.”
According to Bloomberg, the company’s centralized computer system flagged the anomalous behavior of a malicious software program while the data breach occurred. However, the 59,746 alerts set off by the malware were never investigated. Using a different strategy and set of tools than the Target hackers, the Neiman Marcus hackers used custom hacking software and sent the data out through a virtual private network (VPN).
The Neiman Marcus hack was made easy by the point-of-sales system arrangement among the stores’ payment registers. Store registries are connected to the central computer that processes transactions, so the hackers were able to upload their software on multiple registers quickly, after carefully deleting the software at the end of each day.
In finding the plaintiffs suffered a substantial risk of harm, the Court asked rhetorically, “Why else would hackers break into a store’s database and steal consumers’ private information?”
The case is Remijas et al. v. The Neiman Marcus Group LLC, case number 14-3122, in the U.S. Court of Appeals for the Seventh Circuit.
