Neiman Marcus customers can sue over data breach

The hassle of straightening out unauthorized charges and the cost of protecting oneself against identity theft give consumers whose personal information is swiped in a data breach standing to sue a company that controlled the information, a federal appeals court in Chicago ruled Monday.

Customers who shopped at Neiman Marcus over roughly three months in 2013 during which hackers used malware to steal payment card information from the retailer’s terminals suffered injuries concrete enough to support their claims, according to the U.S. Court of Appeals for the 7th Circuit.

The customers, who include people who discovered fraudulent charges on their credit or debit cards after using the cards at Neiman Marcus stores in New York and California two years ago, filed a class-action lawsuit in March 2014 charging the luxury chain with failing to maintain security sufficient to protect their personal information and with waiting six months from the start of the breach to notify customers that their information had been compromised.

The plaintiffs alleged that the breach exposed 350,000 cards, of which 9,200 were known to have been used fraudulently. In all, the breach may have exposed as many as 1.1 million payment cards.

The trial court tossed the lawsuit, finding that the plaintiffs’ claims of financial harm they might experience were insufficient to support standing. Judge Diane Wood, writing for a three-judge panel of the appeals court, disagreed:

“At this stage in the litigation, it is plausible to infer that the plaintiffs have shown a substantial risk of harm from the Neiman Marcus data breach. Why else would hackers break into a store’s database and steal customers’ private information? Presumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume those consumers’ identities.”

The court distinguished the data breach case before it from a 2013 Supreme Court ruling that found human rights organizations lacked standing to challenge the Foreign Intelligence Surveillance Act because they could not show that the government had actually intercepted their communications with suspected terrorists.

“This is a really consequential decision,” notes Alison Frankel of Reuters. “It’s the first time a federal appeals court has looked at a data breach class action that was dismissed because the trial judge said it fell short of [the Supreme Court’s] standing requirements.”

The customers of Neiman Marcus “should not have to wait until hackers commit identity theft or credit-card fraud in order to give the class standing, because there is an ‘objectively reasonable likelihood’ that such an injury will occur,” wrote Wood, citing the Court’s ruling from two years ago.

According to Wood, an offer by Neiman Marcus to cover a credit-monitoring service that costs $4.95 for the first month and $19.95 a month thereafter reflects the type of injury the plaintiffs suffered. She added:

“It is telling in this connection that Neiman Marcus offered one year of credit monitoring and identity-theft protection to all customers for whom it had contact information and who shopped at their stores between January 2013 and January 2014. It is unlikely that it did so because the risk is so ephemeral that it can safely be disregarded.”

That some lenders will not hold customers responsible for unauthorized charges neither eliminates injury to the cardholders nor shows that their injury cannot be redressed by a decision in their favor, the court found.

According to the court, the fact that the plaintiffs’ injuries might be traced to a data breach at Target or another of the retailers whose systems hackers infiltrated around the same time also does not rule out a lawsuit against Neiman Marcus.

If it happens that more than one company may be responsible for exposing the plaintiffs’ personal information to hackers, the companies themselves will have an opportunity to prove that they were not the cause of the injury, the court said.