US Seventh Circuit Court of Appeals Validates Class Action Suit Over Data Breach

By Peter Bernstein July 27, 2015

Since what follows is about legal matters, let me start with the disclosure that I am not a lawyer, have no legal training and this is not an attempt to play an attorney on the Internet. That said, a very important decision was recently handed down here in the U.S. by the Seventh Circuit Court of Appeals that, to say the least, should command everyone’s attention.

The case of interest is REMIJAS v. NEIMAN MARCUS GROUP, LLC. It involves the assertion by customers of the luxury department store Nieman Marcus that the company did not take the proper precautions in protecting their private customer information which was compromised when a data breach occurred in 2013. As a result customers had to take measures to protect their identities and argued that Neiman Marcus should ultimately be held liable for their lack of protecting their private personal information. The Seventh Circuit Court of Appeals over-ruled a lower court which said the plaintiffs did not have standing to proceed and said plaintiffs in this matter do in fact constitute a class under Article III of the U.S. Constitution and thus are qualified to seek redress for the damages they believe they have suffered.

While this is the first in what could be a long process, the reason this case is so important is that just as victims are a class, by extension Neiman Marcus could be viewed as a stand-in for all organizations that capture, store, process and share private personal data. 

As those of us who live in the U.S. know, ours is a litigious society and the legal profession in recent years has looked to class action suits as a nice revenue source. Businesses for their part have argued that such suits, which aggregate the complaints of numerous parties that have alleged grievances, are frivolous and should be tossed. In fact, many have been. However, without going into the details of this case what the Court essentially said is that those who have had their personal information compromised have established that Neiman Marcus did not take good care by following known best practices, and hence they can proceed to explore their legal remedies as a group.

Image via Shutterstock 

The decision, albeit, is only about whether plaintiffs are a class and once recognized as one can sue. Nevertheless in the context of the daily barrage of news about data breaches, both of commercial entities and government agencies, this one has to be scored as consequential and a win for all consumers, and obviously not just those who were impacted by the Neiman Marcus data breach.  

Why is this possibly so consequential? The answer is easy to contemplate. In the future a court decides in favor of plaintiffs—who have argued they had no control over the security of their data once captured by the department store chain and were left with the time and costs of protecting their identities “E”verywhere.  The cost of damages paid out by entities who do not take good care to protect private personal information could be enormous. For example, damages for breaches such as the recent one at Target, where tens of millions of records were stolen by bad actors, even if nominal per individual could quickly add up to hundreds of millions of dollars if not billions of dollars. 

How all of this turns out is problematic. In fact, it may end up being something that the U.S. Supreme Court may have on its docket in the future. What should be noted here, and those with legal training are invited to send along their comments, is that there is legal precedent going back many decades that entities who willingly choose not to employ known and readily available best practices for safeguarding the person and property (which our identities likely would be considered) can be held liable when bad things happen.

In this regard, whether or not giving individuals a year of monitoring services is deemed to be fair compensation for damages suffered—the most common remedy offered by those who have been breached—could now be up to a court to decide. Let’s just say this is a class action to watch. Certainly any entity that captures, stores, processes, shares and otherwise provides access to personal customer information, by internal and not just external individuals and organizations, will be watching.  And, you can bet data protection firms will be too. 




Edited by Dominick Sorrentino
SHARE THIS ARTICLE
Related Articles

Pai Makes His Case for Title II Repeal

By: Paula Bernier    11/21/2017

FCC Chairman Ajit Pai today made clear his plans to repeal Title II net neutrality rules. The commission is expected to pass his proposal at its Dec. …

Read More

Mist Applies AI to Improve Wi-Fi

By: Paula Bernier    11/9/2017

Mist has created an AI-driven wireless platform that puts the user and his or mobile device at the heart of the wireless network. Combining machine le…

Read More

International Tech Innovation Growing, Says Consumer Technology Association

By: Doug Mohney    11/8/2017

The Consumer Technology Association (CTA) is best known for the world's largest trade event, but the organization's reach is growing far beyond the CE…

Read More

Broadcom Makes Unsolicited $130B Bid for Qualcomm

By: Paula Bernier    11/6/2017

In what could result in the biggest tech deal in history, semiconductor company Broadcom has made an offer to buy Qualcomm for a whopping $130 billion…

Read More

How Google's 'Moonshot' Could Benefit Industrial Markets

By: Kayla Matthews    10/30/2017

The term "moonshot" encapsulates the spirit of technological achievement: an accomplishment so ambitious, so improbable, that it's equivalent to sendi…

Read More