An appellate court’s ruling on a data breach lawsuit could impact small businesses.
Last week, the 7th U.S. Circuit Court of Appeals in Chicago reversed the decision of a lower court that had previously dismissed the class action suit against Neiman Marcus for its data breach (January 2014). The breach resulted in information on 350,000 credit card accounts being stolen, and at the time of the original court case, 9,200 accounts had been fraudulently used.
The case reversal centers on the requirement that the “plaintiffs must allege that the data breach inflicted concrete, particularized injury on them”. Several previous data breach lawsuits were dismissed on the judgment that future potential injury, such as future potential fraudulent use, did not meet this requirement.
The ruling last week includes the statement: “At this stage in the litigation, it is plausible to infer that the plaintiffs have shown a substantial risk of harm from the Neiman Marcus data breach. Why else would hackers break into a store’s database and steal consumers’ private information?”
Potential Impact to Small Businesses
Several attorneys believe this case will create the opportunity for more class action suits against businesses. If the courts agree that data stolen, but not yet fraudulently used, can be considered concrete injury, it may be easier for class action efforts to substantiate their claims.
A blog in the Wall Street Journal stated: “The reversal highlights the complicated legal issues companies confront when customer data is breached, including questions concerning the degree to which customers can hold companies, and their executives, liable.”
If cases proceed in the court system beyond a dismissal, businesses have the option to settle or continue their defense. Some companies are concerned that if they continue their defense, their security efforts, and potentially their inaction on security recommendations, may be discoverable. As with any lawsuit, the various outcomes and impacts need to be seriously weighed.
What Small Businesses Can Do
Businesses should be in frequent conversation with their legal team about the businesses’ cyber risks and potential exposure. Knowing possible courses of action before a breach may make the breach recovery smoother.
As with any risk the business faces, company executives should be fully aware of potential cyber risks and ensure they have a strong rationale for how they mitigate each risk or acknowledge the risk level they will accept. Even if a business doesn’t have consumer credit card information, a data breach can be devastating if client information is stolen.
Justia (2015). Remijas v. Neiman Marcus Group, LLC, No. 14-3122 (7th Cir. 2015).
Nash, K. The Wall Street Journal, CIO Journal (July 23, 2015). Appeals Court Revives Neiman Marcus Data Breach Suit. http://blogs.wsj.com/cio/2015/07/23/appeals-court-revives-neiman-marcus-data-breach-suit/