Neiman Marcus disagrees with Seventh Circuit over harm in breach case

The Seventh Circuit recently reversed the dismissal of a lawsuit brought against Neiman Marcus after it suffered a data breach, finding that the risk of harm to the 350,000 people whose credit card numbers were exposed was “very real and immediate.” In support of its conclusion, the court noted that 9,200 cards had already been used to make fraudulent charges.

The Seventh Circuit distinguished data breach cases from the Supreme Court decision in Clapper v. Amnesty Int’l USA, which held that the risk that government agencies were spying on the plaintiffs was speculative. Instead, Judge Wood—writing for the unanimous panel—found that the only reason a hacker would have attacked the retailer’s system was to engage in fraud. Moreover, there was no reason to make the consumers wait for an actual fraud to be perpetrated before taking action.

The court rejected Neiman Marcus’ argument that the plaintiffs could not prove it was their breach that led to fraudulent transactions (Neiman Marcus noted that there were several other major data breaches at the same time). Rather, the Seventh Circuit stated that in order to survive a motion to dismiss, the plaintiffs need only show that the defendant’s breach might have caused the plaintiffs’ injury. The court also rejected Neiman Marcus’ argument that the plaintiffs’ claims were moot because the credit card companies would reimburse the plaintiffs for any fraudulent activity since the actions of the credit card companies were not required by law, but rather a business practice that could change.

The decision has received much attention, and Neiman Marcus has already asked the Seventh Circuit to reconsider its decision in a Petition for Rehearing En Banc. The petition raises several key issues, including the conflict this decision creates with existing case law in the Third Circuit and many district courts.

TIP: While this case differs from many others (where courts have dismissed breach cases for lack of harm), the law remains unsettled. Companies that have suffered data incidents should keep in mind potential future allegations of harm when investigating the incidents and designing their notice strategies.

Register now for your free, tailored, daily legal newsfeed service.

Neiman Marcus disagrees with Seventh Circuit over harm in breach case
Blog Privacy & Data Security Law Blog

Filed under

Courts

Popular articles from this firm

Amazon laws: an overview of state laws and proposed federal legislation *

NAD Recommends Philips Discontinue Sonicare Electric Toothbrush Claims *

SEC renews focus on insider trading in private company stock *

Confidentiality and the Hart-Scott-Rodino Act *

IRS Releases Clarifying FAQs on CARES Act Retirement Plan Relief *

More from Privacy & Data Security Law Blog

2020 Privacy Law Year in Review

Husband Joins Wife in Pleading Guilty to Stealing Trade Secrets from Children’s Hospital

New Judicial Interpretation in China Strengthens Protection of Trade Secrets

Court Battle Between India’s SaaS Industry Leaders Being Fought in California

First Circuit Decision Underscores the Importance of Meeting the Definition of a Trade Secret as it Relates to Compilations

Related practical resources PRO

Related research hubs