After a data breach, companies and other organizations have many worries—what happened to their data? How will their employees and clients be affected? How to remedy the situation? Will we face a lawsuit and, if so, is the lawsuit likely to be successful?
Although lawsuits do occur after data breaches, plaintiffs often have difficulty proving an actual injury. For example, the breached information may never be used. Without any known, improper use, courts often hold that plaintiffs lack standing and cannot bring a lawsuit.
Seventh Circuit Case Changes the Game. A July decision from the Seventh Circuit, however, makes it easier for plaintiffs to get around this obstacle. In Remijas v. Neiman Marcus Group, LLC, the plaintiffs brought a lawsuit against Neiman Marcus after they were among 350,000 customers whose payment cards were breached. Only about 9,200 customers were reimbursed for actual fraudulent charges. Nevertheless, the entire class alleged that they had standing because of: (1) an increased risk of future fraudulent charges; and (2) greater susceptibility to identity theft.
The Seventh Circuit agreed with the plaintiffs. The Court noted that “there are identifiable costs associated with the process of sorting things out.” These include the cost of credit-monitoring services. Although Neiman Marcus offered one year of free credit-monitoring and identity-theft services, this did not allow Neiman Marcus to escape the lawsuit (perhaps because the risk of identity theft could last longer than one year).
Monitor Developments. The Seventh Circuit adopted an analysis similar to one used by a district court in northern California last year (In re Adobe Sys., Inc. Privacy Litig., No. 13-CV-05226-LHK). Few other court have—so far—adopted that analysis. And, in early August Neiman Marcus requested that the entire Seventh Circuit review the decision. So the situation may change. Companies and other organizations should monitor this litigation for further developments. If plaintiffs are able to successfully bring these types of claims, it will raise the overall cost of breaches. This may cause companies to spend more resources upfront, in an effort to prevent breaches in the first place.