Victims of Data Breaches, Corporate Hacking Have Standing to Sue

Customers who have seen their personal information stolen due to corporate data breaches have suffered recognizable injuries and have standing to sue, the Seventh Circuit ruled in late July. The court's holding revived a consumer class action against Neiman Marcus. Customers had sued after a data breach exposed their personal information and credit card numbers.

The ruling could be a boon for consumer advocates and class action lawyers, helping to reduce a major roadblock to litigation. For corporations who are victims to hacking, it could greatly increase their potential liabilities.

Who's Injured by a Data Breach?

Neiman Marcus discovered that its computers had been infected by malware in 2014. That malware had been collecting credit card data for at least a year. The data breach exposed the financial information of at least 300,000 customers, with over 9,000 cards subsequently used fraudulently. Consumers sued, arguing that Neiman Marcus was liable under a host of theories, from negligence to invasion of privacy to breach of contract.

A district court tossed the suit, however, finding that Neiman's customers had suffered no real injury. In doing so, the court relied on Clapper v. Amnesty International, a case that has long been a roadblock, if not absolute bar, in data breach and invasion of privacy consumer actions. Clapper holds that, for Article III standing, "allegations of possible future injury" are insufficient. If your identity hadn't yet been stolen, you were essentially out of luck.

Reviving Privacy, Data Breach Claims

The Seventh rejected a strict interpretation of Clapper's requirements. The case does not, the Seventh emphasized, "foreclose any use whatsoever of future injuries" in showing standing. So long as there is a substantial risk of harm, plaintiffs may sue. They need not wait for hackers to actually make use of their stolen information, so long as it is substantially likely that they will be harmed in the future.

The ruling could be a boon to Internet privacy and hacking litigation. Such suits had faded from the headlines over the past years, as plaintiffs struggled to show identifiable harms. Plaintiff's firms have largely moved away from such suits, pursing more profitable litigation. The Seventh's ruling may draw them back again. That could be good for lawyers and good for hacking victims -- but it certainly won't be appreciated by Neiman Marcus or other corporations who've lost sensitive consumer data. Neiman Marcus is currently seeking en banc review.

Related Resources:

• Neiman Marcus Ruling Aids Plaintiffs in Data Breach Class Actions (Insurance Journal)
• What Ever Happened to Internet Privacy Litigation? (FindLaw's Technologist)
• Sorry Senator, No Injury Here: Johnson's ACA Suit Tossed (FindLaw's U.S. Seventh Circuit Blog)
• 7th Circuit Can't Decide If Jail 'Booking Fee' Is Constitutional (FindLaw's U.S. Seventh Circuit Blog)