Data breaches already cost companies millions of dollars. The cost could rise to a punishing amount due to a federal appeals court ruling.
The 7th U.S. Circuit Court of Appeals in Chicago sided against Neiman Marcus in a class action lawsuit over a 2013 data breach that compromised some 350,000 credit cards. (Hilary Remijas et al. v. Neiman Marcus Group L.L.C.)
A lower court had dismissed the action on the basis that the plaintiffs didn’t have the grounds to sue.
The ruling by the three-judge panel read, in part, “At this stage in the litigation, it is plausible to infer that the plaintiffs have shown a substantial risk of harm from the Neiman Marcus data breach. Why else would hackers break into a store's database and steal consumers' private information?”
The U.S. Supreme Court has previously settled the issue of data breaches, in Clapper v. Amnesty International. The 2013 ruling stated that plaintiffs must prove that future harm is “certainly impending” in order to proceed.
The National Law Review called the decision by the Appeals Court “a precedential ruling” that should impact the way companies do business and keep records. “With this decision, the Seventh Circuit has made it much easier for victims of data breaches to have their day in Court,” the Review noted. “It is more imperative than ever that companies understand that the exposure from a cyber-breach extends beyond a failure of their respective systems. Post-breach public statements and post-breach disclosures concerning the company’s systems and security should be carefully drafted.”
For companies, this ruling could pave the way for expensive litigation. For consumers, a pathway for recovering damages from companies.