Hardly a week goes by without word of a new corporate data breach. Until now, most affected businesses have dodged potential class liability, successfully arguing that customers suffered no compensable harm. Last month, a federal appellate court in Chicago rejected those arguments. That decision, Remijas v. Neiman Marcus Group, threatens data-intensive industries, like real estate, with massive losses.
Remijas involved the 2013 data breach at Neiman Marcus, the luxury retailer. Hackers supposedly stole credit card information for 350,000 Neiman Marcus customers, at least 9,200 of whom fell victim to fraudulent charges. Like day follows night, several class actions were filed by shoppers claiming they lost time and money dealing with bogus transactions and the increased risk of identity theft.
The U.S. Constitution requires that would-be plaintiffs have standing—that is, that they have suffered a concrete harm, caused by the defendant, that is capable of redress. The lower court in Remijas found that the shoppers’ alleged injuries were too speculative and abstract to meet standing requirements. On appeal, the reviewing court disagreed. Even if Neiman Marcus customers have not yet suffered money damages, the appellate court ruled, those individuals now face a substantial risk of injury at the hands of cyber criminals. That risk does satisfy standing, the court held.
Remijas bodes ill for the real estate industry, which has eagerly adopted nearly every form of electronic innovation and is on the verge of e-closings. Each real estate closing involves loads of sensitive personal information, from Social Security numbers to financial data to birth dates to bank routing numbers. That represents a goldmine to hackers, especially considering that most real estate companies lack sophisticated security systems and therefore are soft targets.