Hackers are breaking into major companies and making off with hoards of customer data, including credit cards, at an alarming rate. But one minor consolation for the companies, so far, has been a legal rule that shields them from damages. Until now.
In a ruling causing a stir on legal blogs, the influential 7th Circuit Court of Appeals last week reinstated a lawsuit against Neiman Marcus over a 2013 data breach in which hackers stole credit card information from as many as 350,000 customers.
The unanimous 3-judge ruling, issued in Chicago, is a big deal because it lowers the bar for consumers who want to sue over such breaches. Until now, companies have been able to deflect many such lawsuits by invoking a Supreme Court case called Clapper that basically kept people out of court because they couldn’t show an injury.
The Clapper case, which was about phone records and national security, required would-be plaintiffs to show a risk of “imminent” and “concrete” injury. It has been frequently invoked to bar consumer class action suits involving data.
In the Neiman Marcus case, this line of thinking led a lower-court judge to throw out a class action complaint after concluding that customers who feared future fraud or ID theft didn’t have standing to bring a lawsuit. He even threw out claims from those who had paid for credit monitoring in the wake of the breach, reasoning they could have simply relied on their credit cards’ fraud protection program instead.
The 7th Circuit, however, reinstated both types of claims – those who had incurred expenses tied to the Neiman Marcus hack, and those who feared identity theft in the future. The game-changing part of the ruling comes from Chief Judge Diane Wood, who said that fear of hackers in the future is not too “speculative” for a day in court.
“Why else [other than to cause harm] would hackers break into a store’s database and steal consumers’ private information?” wrote Wood.
The ruling is particularly significant because it comes from the 7th Circuit, which is among the country’s most influential appeals courts, and also has a business-friendly reputation. All this is bad news for Neiman Marcus and for other companies facing class action lawsuits over hacking, including Sony and Target, since it will now be much harder to fend off multi-million dollar payouts.
Consumers, however, are unlikely to cash in since lawyers are typically the only ones who make money in a class action case. But the ruling will help consumers by giving companies yet another incentive to tune up their data security.
To learn more about the Neiman Marcus ruling and what it means, you can find detailed write-ups by Reuters’ Alison Frankel, and at National Law Review and the Technology & Marketing Law Blog.