Court ruling says merchants can be held liable for hacks
A new court ruling may mean business will have to pay if they suffer a data breach.
Recently, a federal appeals court in Chicago dismissed the claims of a major retailer, in essence shifting liability in these cases to the company in question and making it easier for those affected to sue.
Neiman Marcus was sued in a class action lawsuit by a group of customers who claimed that the company was negligent and conducted deceptive business practices surrounding a data breach in January of 2014. The suit was dismissed by a U.S. district court on the grounds that the company had disclosed the breach to customers as soon as possible.
Then, late last month, Insurance Journal reports that the three judge panel in the appeals court ruled that the suit was valid, overturning the previous dismissal, saying that Neiman Marcus must face the class action lawsuit.
The key to this case, according to The Wall Street Journal (WSJ), was that there was proof of financial hardship. The dismissal was made based on the 2013 case Clapper v. Amnesty International U.S.A., a case concerning surveillance which was dismissed because the action did not cause or result in harm for those under surveillance and that the fear of future harm was not enough to substantiate a case.
However, this time around it was different. In the breach, 350,000 credit cards were compromised, which resulted in at least 9,200 of them being used fraudulently.
"For years, virtually all courts have said the mere risk of identity theft is not enough. You have to have an actual unreimbursed theft," Donna Wilson, a lawyer who specializes in privacy and data security, told WSJ. She continued, saying that the appeals ruling will likely mean more lawsuits for companies who have been breached in the future.
Companies that have not started to implement their own cyber security or disaster recovery strategies may want to consider reaching out to business continuity consultants who are experts in these subject areas.