
Not so fast on data breach liability


Would-be experts are portraying a federal appeals court ruling in the Neiman Marcus data breach case as a tipping point toward victims of cyber fraud, one that may lead to a wave of successful class-action lawsuits filed against retail chains.

This interpretation is premature.

It is an overreach rooted in a lack of appreciation for the overall procedural context in which the court reviewed the case, without accounting for the most important part of any class action lawsuit – class certification.

For background, the 2013 data breach exposed the credit card data of 350,000 Neiman Marcus customers. Without any doubt, this led to fraudulent charges occurring in 9,200 of those customer accounts. In short order, a class-action lawsuit followed in which customers sought $5 million in damages.

While a district court dismissed the case—in part because customers had been reimbursed for the false charges in question—the U.S. appeals court reversed that dismissal in late July.

Alarmist reactions came swiftly. One cyber-security firm, for instance, sent out an email newsletter with a story titled “Breaking News: Surging Legal Risks of a Data Breach.” The headline almost begs for an exclamation point.

But I say, “Not so fast.”

Pundits need to understand that, in the Neiman case, complex and subtle legal issues, poorly understood by non-litigators, are in play. The issue at the forefront of the Neiman case, at this point, was only “standing” – that is, whether the plaintiffs had alleged that the entire class has suffered “concrete harm.”

Without standing, plaintiffs cannot pursue a case in court. In order to achieve standing, plaintiffs in Neiman needed to meet certain thresholds related to harm and risk.

The district court dismissed the case because it felt these thresholds had not been crossed. With the reinstatement, all the appeals court did was declare that further proceedings were in order. This appellate court is far from the first court to find standing in a data breach case, but that doesn’t mean that this class action will result in Neiman ultimately paying $5 million.

As noted, standing is a threshold issue, but in a class action, there is another, even more important procedural hurdle to cross – class certification. That means a number of additional questions would have to be hashed out in court.

But over the past 10 years, even though plaintiffs’ lawyers across the country have been working overtime to try to turn data breaches into the next asbestos-like legal windfall, no court has ever certified a class in a data breach case. Should retailers and their counsel closely monitor what happens in Neiman? Absolutely. But rest assured, plaintiffs’ attorneys still must overcome significant hurdles before their long-sought windfall becomes a reality.

Atlanta-based attorney John Hutchins is leader of national law firm LeClairRyan’s Privacy & Data Security practice team. For more on the specific legal issues involved here, Hutchins wrote a detailed analysis at LeClairRyan’s Information Counts blog:
