"Sometime in 2013, hackers attacked Neiman Marcus, a luxury department store, and stole the credit card numbers of its customers. In December 2013, the company learned that some of its customers had found fraudulent charges on their cards. On January 10, 2014, it announced to the public that the cyberattack had occurred and that between July 16, 2013, and October 30, 2013, approximately 350,000 cards had been exposed to the hackers' malware. In the wake of those disclosures, several customers..."filed a class action lawsuit.
In order to have standing, a plaintiff must be harmed. But how speculative can the harms be?
What about the class members who contend that unreimbursed fraudulent charges and identity theft may happen in the future, and that these injuries are likely enough that immediate preventive measures are necessary?
Neiman Marcus contends that this is too speculative to serve as injury-in-fact. It argues that all of the plaintiffs would be reimbursed for fraudulent charges because (it asserts) that is the common practice of major credit card companies. In other words, sorry that your identity got stolen, and that you "must spend time and money replacing cards and monitoring their credit score." And sorry "that full reimbursement is not guaranteed." According to Neiman Marcus, this harm is too speculative and thus plaintiffs lack standing.
A substantial risk of future injuries is sufficient to establish harm for purposes of standing, according to the 7th Circuit. "The risk that Plaintiffs' personal data will be misused by the hackers who breached [defendant's] network is immediate and very real." "Neiman Marcus customers should not have to wait until hackers commit identity theft or credit-card fraud in order to give the class standing, because there is an 'objectively reasonable likelihood' that such an injury will occur."
The 7th Circuit affirmed the standing of the plaintiffs, and the class action can proceed. REMIJAS v. NEIMAN MARCUS GROUP, LLC, Court of Appeals, 7th Circuit 2015
Win one for the victims. We have seen the story play out over and over in the media: a corporation or government plays fast and loose with its security, personal data gets stolen, and the victims, who had no control over the security in the first place, bear the blame and the cost. The liability for data breaches needs to be placed on the party that can prevent those data breaches, the one who collected and held the data in the first place.