Malware attacks are in the news a lot these days. In some cases, hackers hold victims’ computers hostage in exchange for ransom. In other cases, they quietly install malware on a computer and then use it to siphon away a victim’s private information.
It’s only gotten worse now that the hackers have learned that the big prizes are tucked away inside corporate networks, not individual PCs. One corporate hack can compromise the personally identifiable information (PII) of thousands of employees and customers—information like online passwords, credit card and bank account numbers, and even social security numbers. Hackers can use this information to rack up fraudulent charges, apply for government benefits, and even file phony tax returns in order to collect bogus refunds.
Companies that store PII must take reasonable steps to do so securely. If they fail to live up to this responsibility, victims whose data is exposed can hold them accountable under a host of federal and state laws as well as common-law doctrines like negligence or breach of contract. Additionally, California and other states require companies to quickly inform customers when a data breach has been discovered, and companies may be held liable if they delay.
Neiman Marcus settles data breach claims
In some data breach cases, a company may discover its network has been compromised before thieves have had a chance to actually use some or all of the stolen PII. Companies defending lawsuits in such situations have tried to get the cases dismissed, arguing that customers whose PII hasn’t been used lack “standing” required to sue because they haven’t suffered compensable harm.
Thankfully for consumers, courts across the country are increasingly denying companies this easy out. For instance, an Illinois federal judge recently gave preliminary approval to a $1.6 million settlement in a case against luxury retailer Neiman Marcus. In 2013, hackers allegedly installed malware on the luxury retailer’s computer networks and “scraped” payment information from several stores.
It took three months for Neiman Marcus to discover and remove the malware. A total of around 370,385 credit cards were exposed. The hackers ultimately used around 9,200 card numbers to rack up fraudulent charges.
Earlier in the case, Neiman Marcus had argued that the plaintiffs had no standing to sue if they hadn’t suffered any fraud. But last year an appellate court ruled that customers who had incurred expenses for fraud prevention resulting from the malware attack had secured the needed standing.
That ruling presumably helped spur the $1.6 million settlement announced this June. The four class representatives will each receive $2,500, while customers who can show their credit cards were used at an affected store can receive up to $100 each. Neiman Marcus has also taken voluntary measures to improve its data security, including installing chip readers, bringing on a chief information security officer, and educating its workforce.
California courts increasingly following suit
While the matter is not settled law in the Ninth Circuit (which includes California and other West Coast states), in Walters v. Kimpton Hotel & Restaurant Group the court denied Kimpton’s motion to dismiss on grounds similar to those relied on by the appellate court in the Neiman Marcus case. In Walters, the plaintiff alleged that in 2016 he visited a Kimpton hotel and paid with his credit card during a five-month period in which “hackers used malware to access Kimpton computer systems and steal copies of customer data.”
The court found it “plausible” that Walters’s credit card information had been stolen by the hackers. Nevertheless, Kimpton argued the mere theft of credit card data, “coupled with evidence of a single or just a few unauthorized charges, was insufficient” to give Walters standing to sue. Disagreeing with previous rulings in other district courts, Judge Vince Chhabria didn’t buy that argument:
The Court respectfully disagrees that a plaintiff must actually suffer the misuse of his data or an authorized charge before he has an injury for standing purposes. . . . The theft of Walters’s payment card data and the time and effort he has expended to monitor his credit are sufficient to demonstrate injury for standing purposes.
Rulings protect data breach victims
Quoting a similar decision from the Sixth Circuit, Judge Chhabria wrote that “[t]here is no need for speculation where Plaintiffs allege that their data has already been stolen and is now in the hands of ill-intentioned criminals.” His Kimpton decision, while not binding on other courts, reflects a common-sense understanding of the costs—in money, inconvenience, ruined credit, and stress—that come with being victimized by a data breach.