The revival of a class action lawsuit against Neiman Marcus over the retailer’s late 2013 data breach raises a series of issues, including one that promises to become more of a concern for insurers as evidenced by industry chatter.
The issue is causation of injury for the purposes of showing standing to sue over data breaches, and it has already prompted insurers and businesses to question whether they should really be paying for credit monitoring and identity theft services for a wide range of consumers who may have actually fallen victim to fraud due to a separate breach. The acceptance rate for credit monitoring is already fairly low; consumers don’t seem to need their credit monitored once, let alone twice.
The class action against Neiman Marcus had been dismissed in the fall of 2014, with a district court judge determining that of 350,000 people, only 9,200 had experienced fraudulent transactions on their stolen payment cards, and all had been reimbursed by their card issuers. This latest decision reverses the lower court’s ruling and allows plaintiffs to have another go at the luxury retailer.
However, Neiman Marcus pointed out that right around the same time as its breach the broader and more widely-publicized Target breach occurred, likely leaving some confusion for some shoppers who might have visited both retailers around the same busy holiday gift-buying season.
“Eh. That doesn’t matter,” responded the Court. (I’m paraphrasing.)
Seventh Circuit Court of Appeals Chief Judge Diane Wood officially noted in her decision, “The fact that Target or some other store might have caused the plaintiffs’ private information to be exposed does nothing to negate the plaintiffs’ standing to sue. It is certainly plausible for pleading purposes that their injuries are ‘fairly traceable’ to the data breach at Neiman Marcus.”
Judge Wood also commented that the plaintiffs shouldn’t be prevented from suing even if they haven’t actually seen any fraudulent charges – because the threat still exists for some level of activity or identity theft as “future injuries.” While courts have definitely varied on finding standing for data breach plaintiffs, this suggests something of a stretch, since only payment card data was shown to be affected via the Neiman breach, rather than Social Security numbers. It seems unlikely, though I’m not a hacker or identity thief, that a card that has been replaced by its issuing bank can continue to be used or that an identity can be stolen absent the rather singular identifying federally-issued number.
At some point, data breach lawsuits – and the businesses facing them – will need to take into account this problem of causation. If a consumer has shopped at Sally Beauty, CVS Photo, and also happens to be a federal employee, who can pinpoint the exact reason for the fraud? Except it’s probably not CVS Photo, because no one develops film anymore, so that had to be a fairly minimal-impact breach.
It may be something that could be better resolved by more cyber-threat information-sharing between banks, law enforcement officials, and the business community, to better determine the actual source of fraud. Insurers are already discussing the logic behind continuing to pay for credit monitoring services in multiple data breaches that might have consumers in common, and as cyber insurance increases in popularity and the litigation landscape heats up, there will be more emphasis on the true cause of fraud following data breaches. The Neiman Marcus decision does little to clarify that point, leaving it to be a “legal theory” for the defendant retailer to raise.