A panel of judges in the 7th U.S District Court of Appeals have reinstated a class action suit against the retailer Neiman Marcus in connection with a data breach that occurred back in 2013.
Between July 16, 2013 and October 30, 2013, malware secretly installed on its systems collected the payment card information of Neiman Marcus customers. This led to as many as 320,000 cards being used for fraudulent purposes, as Visa, MasterCard, and Discover later informed the retailer.
In January of 2014, it was revealed that a total of 1.1 million cards may have been visible to the malware.
Several months later, U.S. District Judge James B. Zagel rejected a class action lawsuit filed in connection with the breach on the grounds that it was impossible to determine if customers had suffered concrete harm, for most of the plaintiffs involved were not claiming they were not reimbursed for fraudulent billings.
Judges with the 7th Circuit have since overturned this decision on the grounds that sooner or later, fraudulent billing is expected to occur in most hacking cases.
“The Neiman Marcus customers should not have to wait until hackers commit identity theft or creditcard fraud in order to give the class standing, because there is an ‘objectively reasonable likelihood’ that such an injury will occur,” wrote Chief Judge Diane Wood for a panel that also included Judges Michael Kanne and John Tinder.
According to the judges, the plaintiffs have additional standing because some of them paid for credit monitoring services that were offered by Neiman Marcus. This demonstrates that in the case of the data breach, the retailer itself acknowledged that harm in this situation was not speculative and was a real and immediate threat.
“This decision is a monumental win for all current and future data breach victims, who have no choice but to entrust their sensitive personal information to large corporations for safekeeping in order to function in our society,” Tina Wolfson, founding partner at Ahdoot & Wolfson, PC, who represents the victims in this case, told Benzinga.
News of this suit follows the announcement of a separate legal action against Experian, which offered its ProtectMyID service to customers following the Neiman Marcus breach, for its failure to detect that a customer of its data broker subsidiary was a scammer who sold resold customers’ identities to thieves for nearly 10 months.