No need to wait: Court rules data breach victims do not need to wait for fraud before filing suit
Posted on 08/18/2015 at 07:16 AM by John Lande
On July 20, 2015, the United States Court of Appeals for the Seventh Circuit made it a little easier for victims of data breaches to file a lawsuit against the company that lost their data. A unanimous three-judge panel ruled that consumers who had their data stolen do not need to wait for fraud to occur before filing a lawsuit. The case Remijas v. Neiman Marcus Group, LLC started with a data breach in 2013. Hackers were able to gain access to department store Neiman Marcus's computer systems and obtain credit card information for approximately 350,000 consumers. After the breach was revealed in December 2013 several consumers whose data was compromised filed a lawsuit seeking to represent all affected consumers in a class action against Neiman Marcus. Approximately 9,200 of the consumers were victims of fraud by the time lawsuits were filed. However, many of those plaintiffs were reimbursed for any fraudulent charges.
Neiman Marcus challenged the ability of these plaintiffs to file suit because (1) they had already been reimbursed for their injury, and (2) any future fraud was too speculative to be the basis for a lawsuit now. The district court agreed with Neiman Marcus but the court of appeals disagreed. The court of appeals concluded that future harm could be a basis for filing a lawsuit. The court of appeals also noted that the possibility of future fraud was not too speculative. For example, the court of appeals noted that hackers would not have gone to the trouble of stealing the information if they did not intend to use it for fraud. More importantly, the fact that Neiman Marcus offered one year of credit monitoring for affected consumers suggested that the possibility of future harm to consumers is not too speculative. As with many of the data breach cases currently pending in court, there is still a long way to go before the plaintiffs are able to recover anything. The plaintiffs also face the challenge of articulating exactly how much money Neiman Marcus should pay when there has not been any fraud. However, the decision in Remijas removes one hurdle for future data breach cases.
The material in this blog is not intended, nor should it be construed or relied upon, as legal advice. Please consult with an attorney if specific legal information is needed.
Categories: Cybersecurity Law, John Lande, Banking Law
Questions, Contact us today.
The material, whether written or oral (including videos) that is posted on the various blogs of Dickinson Law is not intended, nor should it be construed or relied upon, as legal advice. The opinions expressed in the various blog posting are those of the individual author, they may not reflect the opinions of the firm. Your use of the Dickinson Law blog postings does NOT create an attorney-client relationship between you and Dickinson, Mackaman, Tyler & Hagen, P.C. or any of its attorneys. If specific legal information is needed, please retain and consult with an attorney of your own selection.