Help

BI’s Article search uses Boolean search capabilities. If you are not familiar with these principles, here are some quick tips.

To search specifically for more than one word, put the search term in quotation marks. For example, “workers compensation”. This will limit your search to that combination of words.

To search for a combination of terms, use quotations and the & symbol. For example, “hurricane” & “loss”.

Login Register Subscribe

Breach victims' ruling causes uncertainty

Court backs lost time, money as damage

Reprints

Businesses face an uncertain legal environment when it comes to litigation filed by consumer data breach victims.

While some courts have ruled that plaintiffs have not suffered damages sufficient to give them standing to sue, the influential 7th U.S. Court of Appeals in Chicago held on July 20 in Hilary Remijas et al. v. Neiman Marcus Group L.L.C. that potential damages suffered by the victims do give them standing.

Some observers say the issue may eventually be decided by the U.S. Supreme Court.

Dallas-based Neiman Marcus learned in mid-December 2013 that fraudulent charges had shown up on the credit cards of some of its customers, according to the ruling. It discovered potential malware in its computer systems on Jan. 1, 2014, and sent notices nine days later to customers who had incurred fraudulent charges, according to the ruling.

Complaints seeking class action status were filed and consolidated in June 2014. In September 2014, the U.S. District Court in Chicago dismissed the case, ruling the plaintiffs did not have sufficient grounds to sue.

Plaintiffs pointed to several kinds of injury they allegedly suffered, including lost time and money resolving the fraudulent charges and protecting themselves against future identity theft.

To pursue the case, the plaintiffs' complaints must satisfy the requirements established in the U.S Supreme Court's 2013 ruling in James R. Clapper Jr. v. Amnesty International USA et al., in which the high court held that alleged injuries must be “concrete, particularized and actual or imminent,” according to the ruling.

“The question is whether (plaintiffs') allegations satisfy Clapper's requirement that injury either already have occurred or be "certainly impending,'” said the ruling.

A three-judge panel held plaintiffs have met this standard. “At this stage in the litigation, it is plausible to infer that the plaintiffs have shown a substantial risk of harm from the Neiman Marcus data breach. Why else would hackers break into a store's database and steal consumers' private information?” said last month's ruling.

The ruling also pointed to Neiman Marcus offering one year of credit monitoring and identity-theft protection to customers. “It is unlikely they did so because the risk is so ephemeral that it can safely be disregarded,” said the ruling, in remanding the case for further action.

In other cases, courts have held plaintiffs did not have standing to sue because they had not yet suffered injury, and defendants have sought dismissal on that basis.

For instance, in a case involving stolen laptops, a Lake County Circuit Court judge in Waukegan, Illinois, ruled in May 2014 in Veronica Vides et al. v. Advocate Health & Hospitals Corp. d/b/a Advocate Medical Group that plaintiffs must establish that an injury is “distinct and palpable” and “fairly traceable.”

“There's no question it's a highly significant decision,” said Roberta Anderson, a partner at K&L Gates L.L.P. in Pittsburgh.

The ruling is “a break from the line of most of the cases that have been filed in consumer data breach actions,” where “this sort of an injury wasn't viewed as sufficient to establish the standing requirement,” said Patrick X. Fowler, a partner with Snell & Wilmer L.L.P. in Phoenix.

“This is an important decision because right now the courts in the U.S. are in a bit of flux figuring out whether plaintiffs have standing in certain data breach cases,” said Jason M. Beach, counsel with Hunton & Williams L.L.P. in Atlanta.

The case may reach the U.S. Supreme Court, said Thomas B. Alleman, a partner with law firm Dykema Gossett P.L.L.C. in Dallas. “This would seem to me to be a candidate to go up on this very issue of how much prophylactic remedy constitutes an actual injury in fact,” he said.

However, Julia B. Strickland, a partner with law firm Stroock & Stroock & Lavan L.L.P. in Los Angeles questioned the ruling's significance. “It's very fact-specific because of the nature of the breach,” she said.

The ruling is confined to the issue of whether plaintiffs have standing to sue, said Karla Grossenbacher, a partner with Seyfarth Shaw L.L.P. in Washington. The “battle over whether the injuries are sufficient to state a valid cause of action is yet to be fought and is still wide open,” she said.