What Does the Neiman Marcus Ruling Mean for Data Security Law?

Posted by Mark Greisiger

A Q&A with Ben Barnow of Barnow Associates PC
The decision in the recent Neiman Marcus case was a game changer for the swiftly evolving legal climate around data breach events. By establishing the theory of “likely future fraud or injury,” the court recognized that plaintiffs no longer have to prove the “impending certainty” of potential injury (as was previously established by the 2013 decision in Clapper v. Amnesty International). To find out more about its impact, we talked to Ben Barnow of Barnow Associates PC.

In a nutshell, what happened in this case?
As is common in the law, the previous case theories were subject to review. In many of the cases I was involved with in the early years, the courts basically either granted a summary judgment or a motion to dismiss, but not always. Then along came the Clapper decision in 2013, which was aggressively—and skillfully—utilized by the defense bar. With Neiman Marcus you have the Seventh Circuit essentially recognizing that it is not so remote to accept that people will suffer from a data breach. You have people risking jail time to hack into a system and steal information and I think that makes it clear what they are intending to do with it. My view is the Court recognized that the threat is real and not a mere remote possibility.

What is the cultural impact of this case?
I think this case is good for people and companies dealing with the private and personal information of others and it’s good for plaintiffs. For those who could or would be defendants, it is a siren to sharpen their security. Sirens tell us to get out of harm’s way. So, on the industry side, people need to make sure that they are accessing the most advanced and credible facilities to prevent data breaches and their consequences. For the plaintiffs, this means that they have better access to recover damages if they have been harmed as a result of data loss.

How do you think this decision might affect similar cases going forward?
I think there might be a greater interest in embracing settlement. The decision is a tremendous review of other cases and developments and a path that leads everybody to a better way to handle these cases. To me, this is clearly a win in the plaintiff column. But we should not expect the defense lawyers to just lay down, either.

In Summary
2015 has brought an onslaught of new data breach class action lawsuits against the Office of Personnel Management, Medical Informatics Engineering, Inc., CareFirst, UCLA Health Systems and Anthem, just to name a few. Both the Seventh Circuit, in Remijas v. Neiman Marcus, and the Ninth Circuit, in Adobe Systems Inc. Privacy Litigation, have begun to take a closer look at the impact a breach can have on victims, especially in the long term. Both courts concluded that victims do have standing to file a lawsuit over the long-term consequences of a breach. Courts and regulatory bodies will be as busy as ever this year as they try to fit cybersecurity breaches into aging bodies of law. In the meantime, companies should continually review their practices and be prepared to defend themselves in the event of a cybersecurity incident.

—###—

NetDiligence® is a cyber risk assessment and data breach services company. Since 2001, NetDiligence has conducted thousands of enterprise-level cyber risk assessments for organizations. NetDiligence services are used by leading cyber liability insurers in the U.S. and U.K. to support loss-control and education objectives. NetDiligence hosts a semiannual Cyber Liability Conference attended by risk managers, privacy attorneys and cyber liability insurance leaders from around the world. NetDiligence is also an acknowledged leader in data and privacy breach prevention and recovery. Its eRiskHub® portal (www.eriskhub.com) is licensed by cyber liability insurers to provide education and breach recovery services to their policyholders.