Two years ago, retailer Neiman Marcus suffered a data breach that resulted in some 350,000 customers having their credit card information compromised. About 9,200 of those customers ended up with fraudulent credit card charges.
That’s bad enough – but Neiman Marcus was then sued in a class action by customers who didn’t have any fraudulent charges on their cards. These customers said Neiman Marcus should nevertheless compensate them for the time and money they had spent on credit monitoring and other efforts to prevent fraud as a result of the hack.
Even though the actual harm to these people might be fairly small, the fact that there were hundreds of thousands of them meant that the size of the potential lawsuit was very significant.
Neiman Marcus argued that these customers hadn’t really suffered any harm, and couldn’t prove that any future harm was imminent. But a federal appeals court in Chicago disagreed, and let the case go forward.
“Why else would hackers break into a store’s database and steal consumers’ private information?” the court asked. “Presumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume those consumers’ identities.”
This case is yet another reason why it’s wise to review your data policies regularly, and make sure you’re complying with the law and have adequate insurance coverage.