I just read a thought-provoking post by Amy Dunn Taylor and Amelia Coates on Cybersaurus Lex discussing the Seventh Circuit’s decision in Remijas v. Neiman Marcus Group, LLC. The plaintiffs’ claims against Neiman Marcus were based on the theft of personal and credit card data of more than 350,000 Neiman Marcus shoppers. Neiman’s argued that some of the plaintiffs had yet to experience actual identity theft or credit-card fraud, so they were not injured and couldn’t sue. But the court reasoned there was an objectively reasonable likelihood of injury because of the “immediate and very real” threat that the hackers would misuse the stolen consumer data. Thus, it found that the plaintiffs were injured and could proceed with their suit against Dallas’ most famous fashion retailer.
This decision highlights the critical importance of adequate steps to protect consumer data in an increasingly cyber-based world. If actual misuse of stolen data is not required before a consumer can sue a retailer based on a security breach, then retailers simply cannot afford to ignore or skimp on security measures and risk the consequences of a data hack.
The business of fashion is driven largely by retailers, many of which offer their wares online, and the consumer market. And, fast fashion relies heavily on e-commerce and the convenience of one-click shopping, the heart of which is consumer financial data. Data hacks and breaches may be inevitable. But fashion retailers and e-commerce sites can be mindful of how easily a hack can lead to a lawsuit, so that they wisely choose and implement appropriate data security systems and develop safe and sound protocols for collecting and storing consumer data.