In 2013, the Target data breach left everyone, from consumers and businesses to financial institutions and those who sit somewhere in between, trying to navigate the aftermath of a catastrophic data theft. Consumers frustrated by the retailer’s data security standards attempted to bring Target to justice through class action lawsuits. However, a recent court ruling has made it much easier for organizations that suffer a data breach to be sued by affected customers. Up until late July, breached companies were able to use a legal rule to shield themselves from potential damages related to class action lawsuits.
In January of last year, sources in the financial industry heard whispers that an increasing number of credit and debit cards that transacted at Neiman Marcus locations had been used to make fraudulent transactions. Shortly after, news broke that unauthorized access into Neiman Marcus’ systems had occurred and that malicious software had been installed. This strain of malicious software collected the payment card data of roughly 350,000 Neiman Marcus customers from July 16, 2013 to October 30, 2013.
Nearly a year later, a group of affected Neiman Marcus customers brought a case to the 7th Circuit Court of Appeals, attempting to sue the breached retailer. Before the case could reach an end, the court dismissed it, finding that the affected individuals did not have “concrete, particularized and actual or imminent” injuries. This requirement of “imminent” and “concrete” injuries stems from a 2013 Supreme Court ruling in Clapper v. Amnesty International USA. This case has often been used as grounds to dismiss consumer class action suits against companies regarding data security.
Protecting the interests of consumers took a hit after this case dismissal, despite evidence that shows the financial impact that a compromised card can have. Since the dismissal, consumers have been limited in their ability to seek some form of compensation for having their personal or payment information exposed in a data breach.
If you’re a frequent visitor to various legal blogs, this news won’t come as a surprise to you. On July 20, 2015, a three-judge panel of the 7th U.S. Circuit Court of Appeals reinstated the class action lawsuit against Neiman Marcus, stating that the theft of their customers’ payment information was a prerequisite to future identity theft or credit card fraud.
The class was given standing on the grounds that there is an ‘objectively reasonable likelihood’ that such an injury will occur. This was seen as an unprecedented move by some, as this was the first time a federal appeals court would re-evaluate a class action lawsuit involving a breached company.
The Seventh Circuit’s ruling regarding the Neiman Marcus data breach should be viewed as a victory for consumers when looking at the macro level, but consumers should not expect to see positive changes on an individual basis. The 7th Circuit is one of the more influential courts in our country and has been known to rule in favor of businesses more often than not. From a legal standpoint, it is worth noting that the court’s decision is binding only for cases within the Seventh Circuit, but will likely influence future decisions for other circuit courts.
For the 350,000 cardholders that had their personal information exposed in the Neiman Marcus breach, the legal teams that fought on the plaintiffs’ behalf can move forward with their suit against the retailer. Generally, consumers are unlikely to see financial compensation from class action suits. It’s often the legal teams that see the most financial gain from these suits. Moving forward, businesses that suffer a data breach will now be at greater risk of litigation, as one of the more reliable means of getting a lawsuit surrounding data dismissed has been removed. In order to reduce this risk, businesses will look to improve their data security standards and security portfolios. And in the opinion of this writer, that’s a win-win situation for all parties involved.
As retailers and other businesses look to ramp up their security portfolios, companies are taking an innovative approach to protect their sensitive data and that of their customers. We take a look at traditional data breach prevention software and how detection may be a more effective alternative for mitigating the impact of a data breach.