Law360
August 3, 2015
One of the most rapidly developing areas of jurisprudence is online data privacy class actions. The issues being raised in these lawsuits mirror the overarching societal debate of the meaning of privacy, the definition of “privacy rights,” and what constitutes highly sensitive personal and business information, in the context of electronic data and communications. The courts are grappling with these metaphysical questions through the lens of legal precedent developed in the nonvirtual world. The case law can be, from a business perspective, frustrating to read because the courts often appear to be unfamiliar with technology, "big data" and cybersecurity, and seem to ignore the practical ramifications. The purpose of this article is to discuss the salient facts that the Seventh Circuit Court of Appeals found relevant in deciding Remijas v. Neiman Marcus Group, as potential guidance for companies developing their privacy policies and cybersecurity protocols.

Currently, the major battle of data privacy class actions in federal court is over the threshold question of Article III standing. Article III standing requires a plaintiff to demonstrate: (1) a concrete injury in fact, (2) that is fairly traceable to the defendant’s conduct, and (3) that can be redressed by a favorable decision. The data privacy class actions can be broken down into two categories. First, there are the lawsuits in which an individual alleges a breach of a privacy policy or violation of a statute, but with no injury suffered. The U.S. Supreme Court is currently considering the Ninth Circuit’s ruling in Spokeo Inc. v. Robins, which held a statutory violation associated with publishing incorrect personal online information was sufficient to establish standing despite the fact that the plaintiff did not suffer actual injury.

The second category is cases dealing with the liability of a company for cybersecurity breaches and theft by a third party. Remijas is the first appellate decision to wrestle with Article III standing — specifically, what constitutes “concrete and particularized injury” that is “certainly impending” — with respect to future, potential injury from a cyberattack. The case comprises four consolidated consumer class actions that complain of hackers who accessed 350,000 customers’ financial and personal information from Neiman Marcus over the course of 2013. The store confirmed that 9,500 customers’ credit and debit cards were subjected to fraudulent charges. Plaintiffs assert a host of common law claims and violations of multiple state data breach and privacy laws, premised on the following factual allegations:

1. Consumers “place value in data privacy and security,” and expect greater security at high-end retailers like Neiman Marcus. The data is also highly valuable to the store and other companies for marketing, and a target of hackers for identity theft.

2. The store’s privacy policy describes the multiple ways that the store collects a “massive amount” of personal information, both inside the store and online.

3. The store delayed notification of the breach for a month, waiting until after the Christmas holiday shopping season and after it was leaked to the press.

4. The store disabled part of the cybersecurity software that alerted the store to “suspicious behavior.” It also failed to segregate the servers that housed personal information (name, address, date of birth, etc.) from financial information (credit and debit card info), which meant the hackers may have accessed all of a customer’s personal information.

5. The store did not provide “adequate notice” of the breach because it did not sufficiently describe the system’s weaknesses or all the types of data that were accessed or protected.

6. The debit cards of three of the four named plaintiffs were stolen and charged. Two plaintiffs were also subjected to “phishing” for identity theft. The plaintiffs all alleged that their data was likely stolen and they feared the threat of identity theft.

7. The Seventh Circuit delineated the types of injuries alleged by plaintiffs between imminent and actual. The actual injuries alleged are: “(1) lost time and money resolving the fraudulent charges, (2) lost time and money protecting themselves against future identity theft, (3) the financial loss of buying items at Neiman Marcus that they would not have purchased had they known of the store’s careless approach to cybersecurity, and (4) lost control over the value of their personal information.” The imminent injuries are: (1) an increased risk of future fraudulent charges, and (2) greater susceptibility to identity theft.

The district court granted Neiman Marcus’ motion to dismiss for lack of standing. It concluded that with respect to the 9,500 customers’ data that was stolen, because all of the charges were reimbursed, the injury had been cured. As for the remaining customers — whose data may have been stolen — the court held that though harm was “certainly impending,” the fear of identity theft was too abstract and the mitigation costs for preventing the risk of future fraud appeared to be de minimis.

The Seventh Circuit reversed. It concluded that the two types of “imminent injury” satisfied the standing requirement. The “mitigation of risk” injuries — of suffering “the aggravation and loss of value of the time needed to set things straight, to reset payment associations after credit card numbers are changed, and to pursue relief for unauthorized charges” — were “identifiable costs.” It treated Neiman Marcus’ offer of free credit monitoring and identity-theft protection as an admission that the risk of injury was concrete, not “ephemeral.” The court also turned the store’s own argument, that there was no causation between the fraudulent charges and the breach, against it. If plaintiffs waited, the court posited, then certain class members might be denied reimbursement for fraudulent charges or the offer of free identity theft detection measures, based upon this same “lack of causation” rationale. Finally, the court found that there was a “material factual dispute on the class members’ experiences and both the content of, and the universality of, bank reimbursement policies.”

The tension with the ruling is that the analysis would likely be different based upon the type of defendant, rather than the type of future harm. If the defendant had been the data thief itself, it is doubtful that any court would have entertained the standing argument; and yet, the same issues of speculative injury and future harm would apply. By contrast, the company from which the data was stolen is also a victim, but it is being potentially exposed to a substantial claim for someone else’s crime.

Indeed, the entire data infrastructure realm, both private and public, is vulnerable and constantly under attack. A few weeks before the decision was issued, news broke that the government’s Office of Personnel Management was hacked by Chinese government-affiliated cyber warriors, who accessed millions of federal employees’ data. In the absence of a federal statute or regulation that defines the level of protection that firms must have, it is difficult to reconcile a decision that saddles a single company with potential liability for someone else’s crime based upon potential injuries in the future.

Regardless, the case underscores factors that a company may want to consider with respect to developing and revamping its privacy policy, cybersecurity protocol and response plan. For example, is the amount and type of data collected really worth it? Does the economic and business value for a particular process of collecting or storing customer data outweigh the costs of data security and litigation risk? Is the malware protection software appropriate, and are all its functionalities being utilized?

A company may also want to consider supplementing its privacy policy to disclose the technological limitations of cybersecurity software and hacker threats. Finally, a company may want its cybersecurity protocol to incorporate the requirements of the Payment Card Industry Data Security Standard as well as the recommendations (e.g., financial and personal data should be segregated on separate servers). The court was most concerned with the delay in providing notice of the breach and the content of that disclosure, while being dismissive of the proactive efforts taken to redress the potential injury.

-Published by Law360