A malware attack in 2013 resulted in the theft of as many as 1.1 million customers’ payment cards from retailer Neiman Marcus. That data breach naturally led to fraudulent purchases, and tremendous fear about stolen identities and the potential theft of money. A lawsuit was filed on behalf of about 350,000 people whose data was stolen by the hacking attack. However, earlier this month, a federal court dismissed the claims, citing a failure to demonstrate injury.
Data stolen? “You’ll have to wait till you’re actually injured”
The main argument for dismissing the case, according to the court, is that there is no evidence that there is “certainly impending” risk of future injury. Typically, there is a well-established principle that harm doesn’t have to have already occured in order to constitute injury-in-fact. It can be clear that harm will occur, and that’s sufficient. Basically, the judge said that it’s not clear that harm will occur, even though 9200 cards had already been used to make fraudulent purchases.
Here’s how the judge puts it:
Here, the overwhelming majority of the plaintiffs allege only that their data may have been stolen… Plaintiffs also allege (and Defendant acknowledges) that 9,200, or approximately 2.5% of these customers have actually had fraudulent charges appear on their credit cards. In other words, these customers’ data were actually stolen and were actually misused. This allegation permits several inferences of varying strength with respect to Plaintiffs’ claims to standing.
First, it certainly permits the inference that these 9,200 customers did indeed have their data stolen as a result of the cyber-attack on Defendant. That is an injury in fact… Second, it permits a weaker, though in my view still plausible, inference that others among the 350,000 customers are at a “certainly impending” risk of seeing similar fraudulent charges appear on their credit cards as a result of the cyber-attack on Defendant… I do not believe, however, that this allegation permits a plausible inference that any of the 350,000 customers are at a “certainly impending” risk of the other future injury claimed by Plaintiffs — identity theft.
It is not clear to me that the “fraudulent charge” injury alleged to have been incurred by the 9,200 customers, or, a fortiori, the risk that the same injury may befall others among the 350,000 customers at issue, is an injury sufficient to confer standing. To satisfy their burden to establish standing, plaintiffs must show that their injury is concrete, particularized, and, if not actual, at least imminent.
Summing it up: the judge says that all the numbers show is that of the 350,000 people whose card information was stolen, we know that 2.5% (those 9,200) suffered real damages, and that there are probably others among the 350,000 who will likely be harmed, but – and this is his key point – there’s no reason to assume that every one of them will suffer harm. In other words, the fact that they’re considered as a group instead of individuals is counting against them in this case.
Can you talk to a lawyer if your data or identity is stolen?
With this unfortunate judgement, you’re probably wondering if you should even talk to an attorney if your data is stolen. The answer is that you should always call and discuss your situation with an attorney. You’ll need somebody who understands the law to help you discover if you have legal rights you’re unaware of. If there have already been fraudulent charges against your card due to a data breach at a retailer, you should absolutely speak with an attorney as soon as possible.
In the mean time, if your personal data is ever at risk from a data breach, be sure to do everything you can to minimize your risk. Contact your bank for advice on changing your credit card information. Don’t hesitate to monitor your credit reports and credit score. Check your transaction history frequently for unexpected charges.
Resources for Data Breaches and Identity Theft
http://www.consumer.ftc.gov/articles/pdf-0009-taking-charge.pdf – what to do after your identity is stolen
https://www.annualcreditreport.com/ – your free annual credit report.