Up until this ruling, a plaintiff asserting damages from a data breach had to demonstrate an injury that is “concrete, particularized, and actual or imminent; fairly traceable to the challenged action; and redressable by a favorable ruling.”
In reaching their decision, the Seventh Circuit cited the Neiman Marcus lawsuit, stating: “… it is plausible to infer that the plaintiffs have shown a substantial risk of harm from the Neiman Marcus data breach. Why else would hackers break into a store’s database and steal consumers’ private information? Presumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume those consumers’ identities. The plaintiffs are also careful to say that only 9,200 cards have experienced fraudulent charges so far; the complaint asserts that fraudulent charges and identity theft can occur long after a data breach.”
READ MORE DATA BREACH LEGAL NEWSIn July 2013 Neiman Marcus publicly disclosed that it had experienced a data breach which allegedly exposed some 350,000 customers’ credit card data. Of those potentially affected credit cards, 9,200 were allegedly used fraudulently. Several federal class action lawsuits were filed, which were consolidated. While all of the plaintiffs alleged they had shopped at a Neiman Marcus, only some alleged that they had been victimized by fraudulent charges or had been exposed to scams. The district court hearing the case wrote, “… the overwhelming majority of the plaintiffs allege only that their data may have been stolen.” Consequently, the lawsuit was dismissed.
This new ruling by the Seventh Circuit will now make it easier to acquire standing by allowing risk for injury as criteria.