US Seventh Circuit Court of Appeals Validates Class Action Suit Over Data Breach

By Peter Bernstein July 27, 2015

Since what follows is about legal matters, let me start with the disclosure that I am not a lawyer, have no legal training and this is not an attempt to play an attorney on the Internet. That said, a very important decision was recently handed down here in the U.S. by the Seventh Circuit Court of Appeals that, to say the least, should command everyone’s attention.

The case of interest is REMIJAS v. NEIMAN MARCUS GROUP, LLC. It involves the assertion by customers of the luxury department store Neiman Marcus that the company did not take the proper precautions to protect their private customer information, which was compromised when a data breach occurred in 2013. As a result, customers had to take measures to protect their identities, and they argued that Neiman Marcus should ultimately be held liable for failing to protect their private personal information. The Seventh Circuit Court of Appeals overruled a lower court, which had said the plaintiffs did not have standing to proceed, and said plaintiffs in this matter do in fact constitute a class under Article III of the U.S. Constitution and thus are qualified to seek redress for the damages they believe they have suffered.

While this is the first step in what could be a long process, the reason this case is so important is that just as victims are a class, by extension Neiman Marcus could be viewed as a stand-in for all organizations that capture, store, process and share private personal data.

As those of us who live in the U.S. know, ours is a litigious society and the legal profession in recent years has looked to class action suits as a nice revenue source. Businesses for their part have argued that such suits, which aggregate the complaints of numerous parties that have alleged grievances, are frivolous and should be tossed. In fact, many have been. However, without going into the details of this case what the Court essentially said is that those who have had their personal information compromised have established that Neiman Marcus did not take good care by following known best practices, and hence they can proceed to explore their legal remedies as a group.


The decision, admittedly, is only about whether plaintiffs are a class and, once recognized as one, can sue. Nevertheless, in the context of the daily barrage of news about data breaches, both of commercial entities and government agencies, this one has to be scored as consequential and a win for all consumers, and obviously not just those who were impacted by the Neiman Marcus data breach.

Why is this possibly so consequential? The answer is easy to contemplate. Suppose that in the future a court decides in favor of plaintiffs, who have argued they had no control over the security of their data once captured by the department store chain and were left with the time and costs of protecting their identities everywhere. The cost of damages paid out by entities who do not take good care to protect private personal information could be enormous. For example, damages for breaches such as the recent one at Target, where tens of millions of records were stolen by bad actors, even if nominal per individual, could quickly add up to hundreds of millions of dollars if not billions of dollars.

How all of this turns out is problematic. In fact, it may end up being something that the U.S. Supreme Court may have on its docket in the future. What should be noted here, and those with legal training are invited to send along their comments, is that there is legal precedent going back many decades that entities who willingly choose not to employ known and readily available best practices for safeguarding the person and property (which our identities likely would be considered) can be held liable when bad things happen.

In this regard, whether or not giving individuals a year of monitoring services is deemed to be fair compensation for damages suffered—the most common remedy offered by those who have been breached—could now be up to a court to decide. Let’s just say this is a class action to watch. Certainly any entity that captures, stores, processes, shares and otherwise provides access to personal customer information, by internal and not just external individuals and organizations, will be watching.  And, you can bet data protection firms will be too. 




Edited by Dominick Sorrentino