Known for its leadership in law-and-economics analysis, with Chicago School giants Richard Posner and Frank Easterbrook among its sitting judges, the U.S. Court of Appeals for the Seventh Circuit is hardly known as sympathetic to class-action plaintiffs seeking compensation from business. That’s why Monday’s decision by a three-judge panel headed by Chief Judge Diane Wood should reverberate loudly, and potentially for years to come. Overturning a decision by a federal district court, the Seventh Circuit held that a class-action lawsuit against Neiman Marcus may proceed based not only on demonstrated harm but also on potential future harms arising from the luxury department store’s 2013 data breach (Jason Hirsh saw this coming, in Privacy Tracker).
That sound you hear is the collective sigh of contentment of a thousand plaintiff’s lawyers.
Sometime in 2013, hackers attacked Neiman Marcus and stole the credit card numbers of around 350,000 shoppers. By December, the company knew that some of its shoppers had found fraudulent charges on their cards. On January 10, 2014, the company publicly disclosed the data breach and alerted affected shoppers. On February 4, 2014, a senior Neiman Marcus officer testified before the Senate Judiciary Committee, stating that payment card account information was potentially exposed to the hackers’ malware.
These disclosures prompted the filing of a number of class-action complaints, which were consolidated into a lawsuit on behalf of all of the shoppers whose data may have been hacked. As has been the case in similar previous lawsuits, a federal district court dismissed the class action for lack of standing. Under the federal rules of procedure, plaintiffs must clear an apparently low bar to proceed to trial. At this stage, a court accepts as true all material allegations of the plaintiffs’ complaint, drawing all reasonable inferences in the plaintiffs’ favor. To have standing, a plaintiff must “prove that he has suffered a concrete and particularized injury that is fairly traceable to the challenged conduct, and is likely to be redressed by a favorable judicial decision.” Alas, in similar past actions, courts struggled to accept the potential losses incurred as a result of a breach as “concrete and particularized injury.”
Simply stated, courts have told plaintiffs, “okay, your data was lost, but what’s the harm?”
Well, there is harm, held the Seventh Circuit in Neiman Marcus; and it’s not just in the form of fraudulent charges (already) incurred by a small subset of shoppers. For starters, shoppers must protect themselves against the likelihood of future misconduct or identity theft. This includes spending time and money replacing cards and monitoring their credit score. And, as the court recognizes, “It would not be enough to review one’s credit card statements carefully every month, because the thieves might—and often do—acquire new credit cards unbeknownst to the victim.”
Importantly, citing with approval the decision of Judge Lucy Koh, a district court judge within the Ninth Circuit, in connection with the Adobe breach, and distinguishing the U.S. Supreme Court’s decision in Clapper v. Amnesty, the Seventh Circuit Court of Appeals held that Neiman Marcus customers do not have to wait until hackers commit identity theft or credit card fraud in order to gain class-action standing, because there is an objectively reasonable likelihood that such an injury will occur. After all, the court asserts, “Why else would hackers break into a store’s database and steal consumers’ private information? Presumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume those consumers’ identities.”
Behold, class-action defendants: In this case, common sense prevails over "lawcraft."
In fact, as the decision unfolds, Neiman Marcus is repeatedly caught tripping over the legal web it has woven. The retailer argues that plaintiffs fail to demonstrate causation, as their data could already have been stolen in a series of unrelated cyber incidents: think Target, JP Morgan Chase, Home Depot and more. Plaintiffs cannot prove, Neiman Marcus says, that they were harmed by this specific cyber incident. Why then, asks the court, did Neiman Marcus choose to notify 350,000 customers of the breach? “Those admissions and actions by the store adequately raise the plaintiffs’ right to relief above the speculative level,” holds the court.
Interestingly, the plaintiffs claimed Neiman Marcus kept news of the breach confidential for a few weeks in December 2013 so as not to disrupt the lucrative holiday shopping season, providing notification only on January 10, 2014. The court will no doubt scrutinize this time period closely if the lawsuit is not settled and proceeds to trial.
Moreover, citing Adobe, the court explains that requiring the plaintiffs to wait for the threatened harm to materialize in order to sue would further attenuate causation, since “the more time that passes between a data breach and an instance of identity theft, the more latitude a defendant has to argue that the identity theft is not ‘fairly traceable’ to the defendant’s data breach.” In other words, Neiman Marcus cannot have it both ways, claiming on the one hand that potential future harm is too uncertain to support standing, and on the other hand that once that harm materializes, the line of causation is disrupted by additional interfering events.
For privacy advocates and pundits watching the action, two of the issues the court decided not to decide are worth following.
First is the plaintiffs’ product liability claim, which essentially argues that Neiman Marcus sells faulty products because of its allegedly deficient data security practices, which are, plaintiffs claim, part and parcel of what shoppers buy at the stores. Plaintiffs allege that they would have shunned Neiman Marcus had they known that it did not take the necessary precautions to secure their personal and financial data. In other words, plaintiffs contend that in a digital economy, sound privacy and data security must be embedded in the design of every product, service and business model, emphasizing the essential role of data governance in organizations.
Second, plaintiffs raise a property-based argument, claiming they suffered a concrete injury in the loss of their private information, which they characterize as an intangible commodity. The personal-information-as-property theory has existed for decades in American privacy policy thinking, and while it could underlie an interesting cost-benefit analysis by a Chicago School-oriented Seventh Circuit court, the Neiman Marcus court chose to leave it for another day.
Neiman Marcus elevates the complexity of challenges facing businesses in privacy and cybersecurity. It potentially portends a new era where the floodgates of litigation based on rampant data breaches are opened. It proves to any remaining skeptics that decisions concerning the preparation for and reaction to data breaches will inevitably impact the bottom line, senior management and the board.