Is Neiman Marcus Case a Game-Changer?
Experts: Lawsuit Could Spell Trouble for Breached Entities
Neiman Marcus has asked a federal appeals court to reconsider its decision to allow a consumer class-action suit filed against the luxury retailer to move forward.
In July, a panel of three judges on the U.S. Court of Appeals for the Seventh Circuit reversed a lower court's September 2014 decision to dismiss the case, which seeks damages for consumers whose payment card data was exposed as a result of the retailer's 2013 data breach.
If the appellate court does not change the panel's ruling and allows the case to proceed to trial, Neiman Marcus will likely ask the Supreme Court to review the decision. And if that happens, it could lead to a change in case law surrounding consumer class-action suits filed against breached retailers.
Consumer Class Actions Involving Breaches
Consumer class-action suits filed against breached retailers typically are dismissed. The appellate court's decision in the Neiman Marcus case is uncharacteristic, and has left Neiman Marcus and legal experts scratching their heads (see Why So Many Data Breach Lawsuits Fail).
Cybersecurity attorney Chris Pierson, who serves as chief security officer at payments provider Viewpost, says simply: "If the case is allowed to proceed, it could spell trouble for companies suffering from a data breach."
That is because breached entities could wind up being ordered to compensate consumers whose payment data or personally identifiable information was exposed in a breach. In a breach affecting thousands or even millions of consumers, the cost could be catastrophic for the breached entity.
Neiman Marcus Likely to Prevail?
But proving consumer harm in payments breaches is challenging. Consumers rarely suffer any monetary losses because of a card breach. Card issuers almost always reimburse consumers for fraudulent transactions that may result from such an incident.
"When it comes to credit card breaches, we are a little off the mark with the rational harm that exists for the consumer," Pierson says.
And this is why experts say the panel's ruling is likely to be changed at the appellate level or overruled by the Supreme Court. In the end, they believe Neiman Marcus will prevail by getting the class-action suit dismissed.
In its petition, Neiman Marcus reiterates that only payment card data was exposed in its breach - not Social Security numbers or other personally identifiable information.
If only payment card data was exposed, Pierson says, there is no chance consumers could be victimized by identity theft - even though Neiman Marcus, as a precaution, provided affected customers a year of free credit monitoring and ID-theft protection.
Privacy Protections for Consumers
It has become customary for breached companies to provide free credit monitoring and ID theft protection for consumers who may have been impacted. If the Neiman Marcus class-action suit is allowed to proceed, however, breached retailers may rethink that offering.
Here's why: The panel, in its decision to let the case move forward, found that Neiman Marcus' decision to provide potentially affected customers a year of free credit monitoring and ID-theft protection amounted to acknowledgement of significant risk.
The panel also found that consumers impacted by the breach "should not have to wait until hackers commit identity theft or credit card fraud in order to give the class standing." And the panel said that there is reasonable likelihood that consumers exposed in the breach will suffer injury in the future.
Al Pascual, director of fraud and security at Javelin Strategy & Research, says the panel's logic there could create a dangerous precedent for future consumer protections provided by breached businesses.
"It would essentially make identity protection a Catch 22 for breached companies," he says. "Should the court find for the class, it would greatly discourage companies from offering identity protection post-breach."
But Pierson says it's not likely the panel's reasoning will stand up when reviewed more thoroughly, either again by the appellate court or the Supreme Court, should it go that far.
"Alleging that the provision of access to credit-watch services equates to an admission of the actual harm of identity theft being present and visible is unlikely to succeed," he says.
And the case law on consumer class-action suits against breached businesses is fairly clear. Granting standing on the basis of the "potential" of future injury, as the panel did, conflicts with the Supreme Court's 2013 ruling in Clapper v. Amnesty International USA.
Foreshadowing Future Class Actions
So why did the panel veer so far from case law when reviewing the Neiman Marcus suit?
Financial fraud expert Shirley Inscoe, an analyst with consultancy Aite, has an interesting take.
Even though Social Security numbers and other PII were not exposed in the Neiman Marcus breach, Inscoe says that kind of information is often exposed in other breaches, and the appellate panel may just be trying to send a message.
"It will be most interesting to see what happens with this appeal," Inscoe says. "I suspect the case will be dismissed, which is a shame. Class-action suits in the past have failed because consumers do not suffer monetary losses after a data breach; they are made whole by the card issuer."
But when PII is exposed, consumers are at risk of fraud and ID theft for years (see Breached PII: Growing Fraud Worry).
"You cannot change your Social Security number or date of birth; and moving just to change your address is ridiculous," Inscoe says. "Criminals compile all this data and retain it or sell it in the underground market."
While the class-action suit against Neiman Marcus was probably a poor one for the appellate court to try to make an example of, Inscoe says, the panel's ruling could be a sign that courts are changing how they evaluate consumer class-action suits related to breaches.
"This ruling certainly is an interesting departure from prior attempts to hold retailers responsible for the damage caused to consumers stemming from data breaches," she says. "You have to wonder: Was this ruling a case of laziness - not researching prior rulings - or frustration, realizing that retailers are never going to get serious about security until they are held accountable?"