Illinois Court 2015 Ruling Puts Businesses Susceptible to Cyberattacks on Notice

A recent Illinois federal court ruling that makes it easier for victims of corporate hackings to file lawsuits comes at a time when the hacking of companies is not only rising, but it’s also getting easier for hackers to steal credit card information and personal data.

In a precedent, a three-member panel of the 7th Circuit Court of Appeals ordered a lawsuit filed by plaintiffs to be reinstated against Neiman-Marcus following a massive data breach during the Christmas shopping season in 2013.

While the ruling is a victory for consumers whose data was stolen by cyberthieves via corporate breaches, it also serves notice to business owners that they could be liable for damages in the event of a successful cyber attack on their company.

Customer cards compromised

The ruling, issued July 20, the 7th Circuit judges overturned a lower court ruling that barred plaintiffs from seeking damages against Neiman-Marcus. Company officials learned in mid-December 2013, that between July 16 and Oct. 30 of that year approximately 350,000 cards had been exposed to hackers’ malware, resulting in fraudulent charges on 9,200 of the cards, according to court documents.

Neiman-Marcus discovered malware from hackers on its computer systems on Jan. 1, 2014, and announced publicly details of the cyberattack on Jan. 10, 2014, according to court documents.

A number of lawsuits filed by victims of the breach were consolidated into one class-action case on June 2, 2014. The plaintiffs claimed they suffered lost time and money resolving the fraudulent charges and to protect themselves against future identity theft, as well as the financial loss of buying items at Neiman-Marcus that they wouldn’t have purchased had they known of the store’s careless approach to cybersecurity and lost control over the value of their personal information, according to court documents.

Courts rule differently

The plaintiffs’ claims were initially rejected by a lower-court judge and the lawsuit was tossed on the grounds of a Supreme Court Case called Clapper. That case set a standard that plaintiffs had to show they were facing imminent and concrete injury.

By overturning the lower court ruling and reinstating the plaintiffs’ claims, the 7th Circuit judges ruled that the fear of hackers taking a future action isn’t too speculative. “Why else,” wrote Chief Judge Diane Wood, “would hackers break into a store’s database and steal consumers’ private information?”

Ultimately, the ruling puts businesses on notice that they are susceptible to these types of lawsuits that could run into the millions of dollars. More importantly, it should serve as an enticement for businesses to beef up cybersecurity.

As if there needs to be additional incentive for businesses, an Australian government report noted recently that cybercrime activities are likely to increase as criminals have easier access to malware through the online marketplace.

How businesses should act

No business or company is immune to the threat of cybercriminals. The threat is growing as cybercriminals are finding breaches are easier to execute, and given the recent court ruling, the penalties for businesses may have just gotten steeper.

If you own a business, can you really afford not to be proactive about cybersecurity?

At Sera-Brynn, we advise companies to take a holistic and all-inclusive approach to cybersecurity through compliance, insurance and incident response.

As Sera-Brynn CEO Rob Hegedus wrote recently here, “the good news is meeting current cyber threats doesn’t have to be confusing or expensive. The best strategy is not some yet undiscovered tool or process. The best strategy lies in using an already established infrastructure.”

Read Rob’s complete article on how he learned to love cybersecurity here.