US Seventh Circuit Court of Appeals Validates Class Action Suit Over Data Breach

By Peter Bernstein July 27, 2015

Since what follows is about legal matters, let me start with the disclosure that I am not a lawyer, have no legal training and this is not an attempt to play an attorney on the Internet. That said, a very important decision was recently handed down here in the U.S. by the Seventh Circuit Court of Appeals that, to say the least, should command everyone’s attention.

The case of interest is REMIJAS v. NEIMAN MARCUS GROUP, LLC. It involves the assertion by customers of the luxury department store Neiman Marcus that the company did not take the proper precautions in protecting their private customer information, which was compromised when a data breach occurred in 2013. As a result, customers had to take measures to protect their identities and argued that Neiman Marcus should ultimately be held liable for failing to protect their private personal information. The Seventh Circuit Court of Appeals overruled a lower court, which had said the plaintiffs did not have standing to proceed, and said plaintiffs in this matter do in fact constitute a class under Article III of the U.S. Constitution and thus are qualified to seek redress for the damages they believe they have suffered.

While this is the first step in what could be a long process, the reason this case is so important is that just as victims are a class, by extension Neiman Marcus could be viewed as a stand-in for all organizations that capture, store, process and share private personal data.

As those of us who live in the U.S. know, ours is a litigious society and the legal profession in recent years has looked to class action suits as a nice revenue source. Businesses for their part have argued that such suits, which aggregate the complaints of numerous parties that have alleged grievances, are frivolous and should be tossed. In fact, many have been. However, without going into the details of this case, what the Court essentially said is that those who have had their personal information compromised have established that Neiman Marcus did not take good care by following known best practices, and hence they can proceed to explore their legal remedies as a group.


The decision, admittedly, is only about whether plaintiffs are a class and, once recognized as one, can sue. Nevertheless, in the context of the daily barrage of news about data breaches, both of commercial entities and government agencies, this one has to be scored as consequential and a win for all consumers, and obviously not just those who were impacted by the Neiman Marcus data breach.

Why is this possibly so consequential? The answer is easy to contemplate. Suppose that in the future a court decides in favor of plaintiffs, who have argued they had no control over the security of their data once captured by the department store chain and were left with the time and costs of protecting their identities everywhere. The cost of damages paid out by entities who do not take good care to protect private personal information could be enormous. For example, damages for breaches such as the recent one at Target, where tens of millions of records were stolen by bad actors, even if nominal per individual, could quickly add up to hundreds of millions of dollars if not billions of dollars.

How all of this turns out is problematic. In fact, it may end up being something that the U.S. Supreme Court may have on its docket in the future. What should be noted here, and those with legal training are invited to send along their comments, is that there is legal precedent going back many decades that entities who willingly choose not to employ known and readily available best practices for safeguarding the person and property (which our identities likely would be considered) can be held liable when bad things happen.

In this regard, whether or not giving individuals a year of monitoring services is deemed to be fair compensation for damages suffered—the most common remedy offered by those who have been breached—could now be up to a court to decide. Let’s just say this is a class action to watch. Certainly any entity that captures, stores, processes, shares and otherwise provides access to personal customer information, by internal and not just external individuals and organizations, will be watching.  And, you can bet data protection firms will be too. 




Edited by Dominick Sorrentino