BreachExchange mailing list archives

Is Neiman Marcus Case a Game-Changer?


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 10 Aug 2015 18:35:40 -0600

http://www.databreachtoday.com/neiman-marcus-suit-game-changer-a-8462

Neiman Marcus has asked a federal appeals court to reconsider its decision
to allow a consumer class-action suit filed against the luxury retailer to
move forward.

In July, a panel of three judges on the U.S. Court of Appeals for the
Seventh Circuit reversed a lower court's September 2014 decision to dismiss
the case, which seeks damages for consumers who had payment card data
exposed as a result of the retailer's 2013 data breach.

If the appellate court does not change the panel's ruling and allows the
case to proceed to trial, Neiman Marcus will likely ask the Supreme Court
to review the decision. And if that happens, it could lead to a change in
case law surrounding consumer class-action suits filed against breached
retailers.

Consumer Class Actions Involving Breaches

Consumer class-action suits filed against breached retailers typically are
dismissed. The appellate court's decision in the Neiman Marcus case is
uncharacteristic, and has left Neiman Marcus and legal experts scratching
their heads (see Why So Many Data Breach Lawsuits Fail).

Cybersecurity attorney Chris Pierson, who serves as chief security officer
at payments provider Viewpost, says simply: "If the case is allowed to
proceed, it could spell trouble for companies suffering from a data breach."

That is because the breached entities could wind up being asked to
compensate consumers who had their payment data or personally identifiable
information exposed in a breach. In a breach where thousands or even
millions of consumers are compromised, the costs could be catastrophic for
a breached entity.

Neiman Marcus Likely to Prevail?

But proving consumer harm in payments breaches is challenging. Consumers
rarely suffer any monetary losses because of a card breach. Card issuers
almost always reimburse consumers for fraudulent transactions that may
result from such an incident.

"When it comes to credit card breaches, we are a little off the mark with
the rational harm that exists for the consumer," Pierson says.

And this is why the appellate court's ruling is likely to be overruled by
the Supreme Court if it is not changed at the appellate level, experts say.
In the end, they believe Neiman Marcus will prevail by ensuring the
class-action suit is dismissed.

In its petition, Neiman Marcus reiterates that only payment card data was
exposed in its breach, not Social Security numbers or other personally
identifiable information.

If only payment card data was exposed, Pierson says, there is no chance
consumers could be victimized by identity theft - even though Neiman
Marcus, as a precaution, provided affected customers a year of free credit
monitoring and ID-theft protection.

Privacy Protections for Consumers

It has become customary for breached companies to provide free credit
monitoring and ID theft protection for consumers who may have been
impacted. If the Neiman Marcus class-action suit is allowed to proceed,
however, breached retailers may rethink that offering.

Here's why: The panel, in its decision to let the case move forward, found
that Neiman Marcus' decision to provide potentially affected customers a
year of free credit monitoring and ID-theft protection amounted to
acknowledgement of significant risk.

The panel also found that consumers impacted by the breach "should not have
to wait until hackers commit identity theft or credit card fraud in order
to give the class standing." And the panel said that there is reasonable
likelihood that consumers exposed in the breach will suffer injury in the
future.

Al Pascual, director of fraud and security at Javelin Strategy & Research,
says the panel's logic there could create a dangerous precedent for future
consumer protections provided by breached businesses.

"It would essentially make identity protection a Catch 22 for breached
companies," he says. "Should the court find for the class, it would greatly
discourage companies from offering identity protection post-breach."

But Pierson says it's not likely the panel's reasoning will stand up when
reviewed more thoroughly, either again by the appellate court or the
Supreme Court, should it go that far.

"Alleging that the provision of access to credit-watch services equates to
an admission of the actual harm of identity theft being present and visible
is unlikely to succeed," he says.

And the case law on consumer class-action suits against breached businesses
is pretty clear. The standard for determining whether a class-action suit
is valid, based on the "potential" of future injury, conflicts with the
Supreme Court's 2013 ruling in the Clapper v. Amnesty International USA.

Foreshadowing Future Class Actions

So why did the panel veer so far from case law when reviewing the Neiman
Marcus suit?

Financial fraud expert Shirley Inscoe, an analyst with consultancy Aite,
has an interesting take.

Even though Social Security numbers and other PII were not exposed in the
Neiman Marcus breach, Inscoe says that kind of information is often exposed
in other breaches, and the appellate panel may just be trying to send a
message.

"It will be most interesting to see what happens with this appeal," Inscoe
says. "I suspect the case will be dismissed, which is a shame. Class-action
suits in the past have failed because consumers do not suffer monetary
losses after a data breach; they are made whole by the card issuer."

But when PII is exposed, consumers are at risk of fraud and ID theft for
years (see Breached PII: Growing Fraud Worry).

"You cannot change your Social Security number or date of birth; and moving
just to change your address is ridiculous," Inscoe says. "Criminals compile
all this data and retain it or sell it in the underground market."

While the class-action suit against Neiman Marcus was probably a poor one
for the appellate court to try to make an example of, Inscoe says, the
panel's ruling could be a sign that courts are changing how they evaluate
consumer class-action suits related to breaches.

"This ruling certainly is an interesting departure from prior attempts to
hold retailers responsible for the damage caused to consumers stemming from
data breaches," she says. "You have to wonder: Was this ruling a case of
laziness - not researching prior rulings - or frustration, realizing that
retailers are never going to get serious about security until they are held
accountable?"
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
