Have the Flood Gates Been Opened for Cyber Breach Lawsuits?

Up until now, most lawsuits against retailers by customers whose personal information was stolen by hackers in a data breach, were dismissed by the courts in the early stages of litigation because the theft of personal information, such as credit card numbers, in and of itself was not considered a sufficient injury to confer “standing” on the customers to bring the lawsuit. This all changed on July 20, 2015 when the U.S. 7th Circuit Court of Appeals ruled in Remijas v. Neiman Marcus Group, LLC¹ , that resolving fraudulent charges and protecting oneself against future identify theft, even if the customer did not suffer a specific monetary loss, was sufficient injury to confer standing to bring a lawsuit.

This case arose from a breach of Neiman Marcus’ credit card database in 2013, in which 350,000 credit cards were potentially exposed, and 9,200 of the 350,000 cards were used fraudulently. As a result of this breach, a class action was filed. Neiman Marcus moved to dismiss the lawsuit for lack of standing, arguing that the plaintiffs could not prove they suffered a “concrete and particularized injury”, which is a necessary component of standing to sue. The U.S. District Court for the Northern District of Illinois initially dismissed the lawsuit, holding that the plaintiffs had not shown sufficient injury to support standing. The 7th Circuit reversed this ruling. The Circuit Court stated that when a breach occurs, the customers can incur identifiable costs associated with the process of “sorting things out.” Additionally, “the Neiman Marcus customers should not have to wait until hackers commit identity theft or credit-card fraud in order to give the class standing.” Resolving fraudulent charges, and protecting oneself against future identity theft were sufficient injuries to satisfy the injury component of standing.

Neiman Marcus also argued that since other retailers, such as Target, experienced data breaches during the same period of time, the plaintiffs could not show that any of their injuries were traceable to the data breach at Neiman Marcus. The court was not persuaded. It stated that the burden was on Neiman Marcus to show that their negligent actions were not the cause of the plaintiffs’ injury.

This ruling does not only affect the potential liability of retailers in data breach cases. It opens the door for liability for any business that has customer credit card information, or other personal information, such as dates of birth or social security numbers, stolen as a result of a breach. It also increases the risk for medical providers who lose patient health and personal information as a result of a data breach, or as a result of their own negligent disclosure.

The 7th Circuit has certainly raised the stakes for everyone.

¹ 2015 U.S. App. LEXIS 12487 (July 20, 2015)

Written by Richard Sheinis, Esq.