The Seventh Circuit recently reversed the dismissal of a lawsuit brought against Neiman Marcus after it suffered a data breach, finding that the risk of harm to the 350,000 people whose credit card numbers were exposed was “very real and immediate.” In support of its conclusion, the court noted that 9,200 cards had already been used to make fraudulent charges.
The Seventh Circuit distinguished data breach cases from the Supreme Court decision in Clapper v. Amnesty Int’l USA, which held that the risk that government agencies were spying on the plaintiffs was speculative. Instead, Judge Wood—writing for the unanimous panel—found that the only reason a hacker would have attacked the retailer’s system was to engage in fraud. Moreover, there was no reason to make the consumers wait for an actual fraud to be perpetrated before taking action.
The court rejected Neiman Marcus’ argument that the plaintiffs could not prove that it was the Neiman Marcus breach that led to the fraudulent transactions (Neiman Marcus noted that there were several other major data breaches at the same time). Rather, the Seventh Circuit stated that in order to survive a motion to dismiss, the plaintiffs need only show that the defendant’s breach might have caused the plaintiffs’ injury. The court also rejected Neiman Marcus’ argument that the plaintiffs’ claims were moot because the credit card companies would reimburse the plaintiffs for any fraudulent activity. The court reasoned that the credit card companies’ actions were not required by law, but were rather a business practice that could change.
The decision has received much attention, and Neiman Marcus has already asked the Seventh Circuit to reconsider its decision in a Petition for Rehearing En Banc. The petition raises several key issues, including the conflict this decision creates with existing case law in the Third Circuit and many district courts.
TIP: While this case differs from many others (where courts have dismissed breach cases for lack of harm), the law remains unsettled. Companies that have suffered data incidents should keep in mind potential future allegations of harm when investigating the incidents and designing their notice strategies.