Since what follows is about legal matters, let me start with the disclosure that I am not a lawyer, have no legal training and this is not an attempt to play an attorney on the Internet. That said, a very important decision was recently handed down here in the U.S. by the Seventh Circuit Court of Appeals that, to say the least, should command everyone’s attention.
The case of interest is REMIJAS v. NEIMAN MARCUS GROUP, LLC. It involves the assertion by customers of the luxury department store Neiman Marcus that the company did not take the proper precautions in protecting their private customer information, which was compromised when a data breach occurred in 2013. As a result, customers had to take measures to protect their identities, and they argued that Neiman Marcus should ultimately be held liable for failing to protect their private personal information. The Seventh Circuit Court of Appeals overruled a lower court which had said the plaintiffs did not have standing to proceed, and held that the plaintiffs in this matter do in fact constitute a class under Article III of the U.S. Constitution and thus are qualified to seek redress for the damages they believe they have suffered.
While this is the first in what could be a long process, the reason this case is so important is that just as victims are a class, by extension Neiman Marcus could be viewed as a stand-in for all organizations that capture, store, process and share private personal data.
As those of us who live in the U.S. know, ours is a litigious society, and the legal profession in recent years has looked to class action suits as a nice revenue source. Businesses, for their part, have argued that such suits, which aggregate the complaints of numerous parties with alleged grievances, are frivolous and should be tossed. In fact, many have been. However, without going into the details of this case, what the Court essentially said is that those who have had their personal information compromised have sufficiently alleged that Neiman Marcus did not take good care, in that it did not follow known best practices, and hence they can proceed to explore their legal remedies as a group.
The decision, admittedly, is only about whether the plaintiffs are a class and, once recognized as one, can sue. Nevertheless, in the context of the daily barrage of news about data breaches, both of commercial entities and of government agencies, this one has to be scored as consequential and a win for all consumers, and obviously not just those who were impacted by the Neiman Marcus data breach.
Why is this possibly so consequential? The answer is easy to contemplate. Suppose that in the future a court decides in favor of plaintiffs who have argued that they had no control over the security of their data once it was captured by the department store chain, and that they were left with the time and costs of protecting their identities everywhere. The cost of damages paid out by entities that do not take good care to protect private personal information could be enormous. For example, damages for breaches such as the recent one at Target, where tens of millions of records were stolen by bad actors, even if nominal per individual, could quickly add up to hundreds of millions of dollars, if not billions.
How all of this turns out is uncertain. In fact, it may end up being something that the U.S. Supreme Court has on its docket in the future. What should be noted here, and those with legal training are invited to send along their comments, is that there is legal precedent going back many decades that entities who willingly choose not to employ known and readily available best practices for safeguarding persons and property (which our identities likely would be considered) can be held liable when bad things happen.
In this regard, whether or not giving individuals a year of monitoring services, the most common remedy offered by those who have been breached, is deemed to be fair compensation for damages suffered could now be up to a court to decide. Let’s just say this is a class action to watch. Certainly any entity that captures, stores, processes, shares and otherwise provides access to personal customer information, whether to internal or external individuals and organizations, will be watching. And you can bet data protection firms will be too.