Damages from a Data Breach: Appeals Court Makes it Easier for Consumers to Sue
By CHHS Research Assistant Jules Szanton
Imagine this scenario: You read in the paper that a chain department store where you frequently shop has suffered a data breach. Hackers implanted malware into the company’s payment system, stealing credit card information from millions of the company’s customers. Since you shop at the department store frequently and have a store credit card, you suspect that your card is among the roughly 1.1 million cards that were compromised.
You check your credit card statement online. Sure enough, you find several large charges that you did not make. After several hours of calling customer service lines and confirming different information about yourself, you are able to get a new credit card and to cancel the fraudulent charges on your account. Yet the hackers still have at least some of your personal information. You worry that they’ll take out a new card in your name, or do something else to steal your identity. So you purchase a credit monitoring service, at a cost of $19.99 a month.
Many people in this situation would feel that they had suffered an injury. And after over a year of litigation, a major federal appeals court agrees.
The case in question is a class-action lawsuit by Neiman Marcus customers, whose credit card information was stolen by a 17-year-old Russian hacker. The customers alleged that Neiman Marcus had failed to secure their data. As a result of the data breach, the customers alleged that they had suffered damages, including the time it took to cancel their credit cards and the cost of preventing future identity theft. For its part, Neiman Marcus claimed that the customers hadn’t actually suffered any real injury (yet, at least), and therefore were ineligible to sue in federal court. Neiman Marcus pointed out that the consumers had been reimbursed for the fraudulent charges, and couldn’t be sure that they would be targeted further.
In July, the United States Court of Appeals for the Seventh Circuit held that consumers who face the risk of future identity theft and future fraudulent charges do have standing to sue. Chief Judge Diane Wood, who wrote the court’s opinion, stated that “[t]he [customers] have shown a substantial risk of harm from the Neiman Marcus data breach. Why else would hackers break into a store’s database and steal consumers’ private information? Presumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume those consumers’ identities.” Moreover, in response to Neiman Marcus’ argument that plaintiffs lacked standing because the fraudulent charges had already been reimbursed, the court reasoned that plaintiffs may have been reimbursed for those charges, but that reimbursement policies vary, and plaintiffs have not been reimbursed for mitigation expenses or future injuries.
The Seventh Circuit’s decision was a major victory for the customers, especially because they had lost in a lower court. Judge James B. Zagel of the U.S. District Court for the Northern District of Illinois had previously held that the customers hadn’t suffered any concrete injury, and therefore couldn’t sue. The lower court had relied on the Supreme Court’s decision in Clapper v. Amnesty International, which noted that the Constitution only lets federal courts hear cases from plaintiffs who have suffered “concrete injur[ies].” In Clapper, the Supreme Court said that a plaintiff cannot bring a case in federal court if the plaintiff has not yet suffered an injury, and only worries about a “hypothetical future harm” that is not “certainly impending.”
The Seventh Circuit’s decision is especially important because many other companies are facing lawsuits from consumers whose personal information was stolen. In many of these cases, the companies have tried to use the Supreme Court’s decision in Clapper to claim that the customers lack standing if they haven’t yet received fraudulent charges or had their identities stolen. Other courts will likely be influenced by the Seventh Circuit’s holding that a customer whose personal information was stolen has suffered enough of an injury to be able to sue in federal court.
By making it easier for consumers to sue a company that fails to secure their personal information, the Seventh Circuit decision helps consumers recover the costs they incur when their personal information is stolen. The decision also increases companies’ incentive to invest in cybersecurity, since a data breach can now result in more costly litigation. While other courts will likely weigh in, this decision adds momentum to efforts to hold companies liable for the harm their customers suffer in the event of a data breach.