Federal Court's data breach decision shows new tilt toward victims, class-action lawsuits

Federal courts beginning to recognize possibility of on-going harm to those who lose financial, personal data in a breach

Federal courts historically have been quick to dismiss plaintiff claims of on-going harm when their data is snatched in a breach, but a crack is appearing in that logic that could change how liability is gauged for hacked corporations and fuel class-action lawsuits against those companies.

Last week, the U.S. Court of Appeals for the Seventh Circuit began to question the depth of on-going harm to victims by overturning a district court that had tossed a class-action lawsuit against Neiman Marcus over a 2014 data breach. The Court said victims had "standing," a right to file a lawsuit in federal court, over concerns of on-going problems.

"The court likened the case to a recent data breach involving Adobe, wherein the U.S. District Court for the Northern District of California declared that 'the risk that Plaintiffs' personal data will be misused by the hackers who breached Adobe's network is immediate and very real,' " lawyers from Ballard Spahr, a national law firm based in Philadelphia, wrote in a review of the ruling.

"Standing continues to be a central issue in data breach class-action litigation. Companies with consumer-facing operations should monitor developments in this area, because the law on standing in the data breach context is far from settled," law firm Haynes and Boone, wrote in its review of the ruling.

Liability is the piece of the breach puzzle that gets lost in the ranting against weak passwords and the standard corporate cleanup with its perfunctory one-year free credit monitoring services. Use of stolen passwords to hack the victim's accounts on other sites has been going on for years.

The number of breaches that have been occurring show that most companies are near defenseless against data breaches either via their own shoddy security, weakness in partner networks, or the all-too-familiar "sophisticated attack" excuse corporate PR machines use when announcing a breach.

Companies have been walking away from liability after the initial breach mess is cleaned up. And federal courts have historically backed that process, saying the risk of identity theft in the future does not qualify as "certainly impending" harm.

Now, federal appeals courts are starting to examine liability issues and how much real, as well as, potential harm exists for the victims of data breaches.

Both the Seventh Circuit and the Ninth Circuit have begun to take a second look at the legal impact a breach has on victims - specifically in the long term. Both courts have recently concluded that victims do have a legal right to file a lawsuit (standing) over the long-term consequences of a breach.

The crack has appeared around a lawsuit in the Neiman Marcus hack where payment card information was compromised for up to 350,000 customers.

The Seventh Circuit overturned a District Court ruling that concluded victims of that breach who suffered fraudulent charges had experienced actual injury and been reimbursed, but that potential future injury was not enough to warrant a lawsuit.

Among other issues, the plaintiffs said Neiman Marcus was negligent in securing customer payment card information.

The Seventh Circuit ruled that even beyond reimbursement for fraudulent charges, that plaintiffs incurred other costs to rebuild their financial lives. In addition, the court said even those in the class-action lawsuit who did not experience fraudulent charges have a likelihood of fraud in their future.

The Court said, "Neiman Marcus customers should not have to wait until hackers commit identity theft or credit-card fraud in order to give the class standing."

In an interesting twist, the Court said the fact Neiman Marcus offered free credit monitoring services was evidence that there was harm to these victims. The ruling turned on its head the way courts historically view such services as compensation for harm while negating a victim's right to file a lawsuit (re: standing).

"It is unlikely that [Neiman Marcus] did so [offer monitoring] because the risk is so ephemeral that it can safely be disregarded," the Court wrote.

"Companies should expect plaintiffs' attorneys to rely heavily on the Neiman Marcus opinion going forward,' Haynes and Boone wrote in its review of the case.

The firm noted that customers are seeking to revive a data breach class-action lawsuit against Barnes & Noble that was dismissed for lack of "standing" in 2013.

Ballard Spahr lawyers said in their review, that the Seventh Circuit's opinion "...is likely to lead to an increase in data breach class actions in cases involving hacking. Armed with this case, plaintiffs' lawyers are likely to argue that the act of hacking itself makes it substantially likely that victims will suffer fraud and/or identity theft."