The Seventh Circuit recently held that a class of plaintiffs had standing to sue for the risk of injury caused by the exposure of 350,000 customers’ credit card information to malware by Neiman Marcus in Remijas v. Neiman Marcus Group, LLC. The court distinguished Clapper v. Amnesty Int’l USA, 133 S.Ct. 1138, 1147 (2013), which held that allegations of possible future injury are not sufficient to provide standing to challenge the Foreign Intelligence Surveillance Act (FISA) because the plaintiffs could not show the government actually intercepted their communications. The Seventh Circuit stated that the question is “whether these allegations satisfy Clapper’s requirement that injury either already have occurred or be ‘certainly impending,’ “ a question that leaves room for the substantial risk of harm caused by a data breach that has been improperly handled.

While this ruling is a big victory for the plaintiffs, they still have a long way to go before receiving compensation. The court offered a limited ruling that paved the way for standing by elaborating on the Supreme Court’s “certainly impending” requirement using the substantial risk doctrine. The action must still survive a 12(b)(6) motion to dismiss for failure to state a claim (an issue the circuit court declined to address on appeal), and the plaintiffs are likely to find it difficult to present enough evidence to show causation and negligence on a motion for summary judgment or at trial.

What if the plaintiffs do win, however? How would the threat of liability for stolen credit card information affect the way companies collect and store data?

Every major company is collecting consumer data. Information is the new gold; it’s a valuable commodity that can be generated cheaply, aggregated, analyzed, used, and/or sold for significant gains. Most retail companies collect their customers’ credit card numbers, along with a wealth of other information. These companies have highly sophisticated security systems to protect this valuable data, but the threat of malware and weaknesses in software is ever-present. The only totally secure system is one with no new inputs. The threat of liability for stolen data may drastically alter the costs of collecting customer data and force companies to rethink their current strategy of collecting and storing everything. Or they might simply pass on these costs to consumers.

It is hard to say whether raising the cost of data collection is a good thing or a bad thing. It seems like markets would perform more efficiently if information was cheaper and more readily available, but there is also the risk that a small group in the market will control much more data than other any other group and will take advantage of this disparity to inefficiently extract value from the rest of the market. It seems like information collection must be controlled somehow, but liability might not be the best tool for correcting the kind of information asymmetry that is at risk.

One of the most striking (although not really surprising or novel) parts of the opinion involved the court’s consideration of the allegation that the plaintiffs suffered an injury by being deprived of their private information. See pages 13-14 of the opinion here. The plaintiffs sought to show that an actionable injury had occurred when some right to personal information was violated, and they cited to several recent state statutes regulating the storage of personal information. The court rejected this argument, finding that the injury was too abstract and noting that the plaintiffs did not suggest that they could sell their personal information for value. This final statement seems curious in light of the fact that Neiman Marcus could certainly sell information about their customers for value, and although selling credit card numbers would probably violate some law, this seems to only bolster the claim that there is some sort of right to personal information.

This right has not been clearly articulated by state and federal legislatures, and it seems that the court was reluctant to find an injury. Still, legislative action might be a better solution to protecting consumers than liability, and the judiciary’s increased interest in protecting customers’ personal information indicates that it may be time for the legislatures to better clarify the nature of an individual’s right to personal information and others’ responsibility to preserve that right. Once an individual’s right to personal information is better defined, the courts will be able to better determine when that right has been violated or injured, and markets can adapt to more efficiently use consumer information and compensate right-holders for such use.

Edmund Semmes

 

Comments are closed.