
An Alabama resident filed a class-action complaint against Macy’s in July after the retailer announced hackers broke into its secure database and stole personally identifiable information (PII) from its customers.

Source: (https://www.classaction.org/media/carroll-v-macys-inc-et-al.pdf)

Plaintiff Anna Carroll filed her Macy’s PII lawsuit in federal court, demanding that the company pay damages for invasion of privacy and for injuries sustained from breach of fiduciary duty and negligence in not protecting confidential consumer information.

Lead attorneys have announced they will move the court to certify Carroll’s lawsuit as a class action; doing so will allow other consumers harmed by Macy’s data breach to join as class plaintiffs, sharing compensation awards if Carroll settles or wins her case.

Hackers Steal Confidential Information from Macy’s Customers

After nearly a month of data hacking, Macy’s notified the public and its customers on June 7th that the company was the victim of a cyberattack by a third party.

The retail giant confirmed that from April 26 to June 6, unnamed hackers stole its customers’ email addresses, credit and debit card numbers, birthdays, addresses and other personal data.

Cyber attackers first gained access to thousands of Macy’s customer usernames and passwords from an outside source and later applied the information to collect unprotected PII data from servers.

Hackers did not, however, gain access to Social Security numbers, according to Macy’s IT reps, nor did the data breach expose three-digit CVC information (numbers that appear on the backs of credit cards). The thieves did, however, acquire credit and debit card expiration dates.

Macy’s Negligence Provoked PII Data Breach

Carroll’s lawsuit asserts Macy’s security measures set up to prevent PII breaches were “lackadaisical, cavalier, reckless, and negligent.” The plaintiff also contends the company didn’t inform customers about the cyberattack in good time, as prudent businesses would have done under similar circumstances.

Lead attorney in this class action, Oscar M. Price IV, argues customers consent to Macy’s storing their PII data in consideration for the company promising to protect the information from hackers, which assigns certain fiduciary duties and obligations to the defendant that were breached in this case.

Large retailers also recognize or should recognize that most data servers do not have autonomous encryption to protect PII from cyberattacks, placing this information in strong demand for hackers and vulnerable to identity theft; Macy’s therefore held legal obligations to implement the best PII security measures available, according to Price.

Carroll is prepared to offer economic evidence that shows the retailer sustained large profits from using the PII of millions of consumers in its marketing strategies and promotions, but the defendant recklessly chose to spend those profits to protect customer payment information only, disregarding PII security to save on data encryption expenses.

The plaintiff further asserts Macy’s waited too long to tell customers a data breach took place. PII cyberattacks started in April; yet, Macy’s IT department found the hacks only on June 11, giving the thieves over two weeks to collect PII info.

A prompt notice would have enabled consumers to take affirmative action and mitigate damages by changing passwords and canceling credit cards, according to Carroll.

Data Breach Litigation Surges in America

The law defines PII as information that distinguishes or depicts a person’s identity and that, when used alone or when combined with other PII, can place an individual’s confidential information into an unprotected environment.

According to the FTC, data breach litigation is on the rise in America and emerges in individual lawsuits and class action filings in federal and state courts.

(Source: https://www.ftc.gov/system/files/documents/public_comments/2015/10/00027-97671.pdf)

Most data breach victims file PII lawsuits to pursue remedies to cover damages from unjust enrichment, breach of fiduciary duty, negligence, res ipsa loquitur, and breach of contract; equitable remedies (injunctive relief or specific performance) are likewise available to data breach victims when they establish legal damages cannot remedy the defendant’s wrongdoing.

Money damages arising from PII jury verdicts and data breach settlement awards often reimburse specific harm produced by the cyberattack:

    • Fraudulent charges
    • Cost to monitor credit scores
    • Cost to recover credit cards
    • Unjust enrichment indemnification

The courts further award PII victims general damages to cover the natural harm that occurs after a data breach takes place:

    • Credit score damage
    • Personal time to examine and to correct credit disputes
    • Emotional distress
    • Future credit harm

Customers Claim Damages in Macy’s PII Lawsuit

Carroll allegedly used her PII to conduct multiple internet purchases at Macys.com between April and June and discontinued shopping at the online megastore only after the company notified her on June 7th that hackers stole her personal information.

Macy’s PII class action lawsuit alleges the cyberattack harmed over nine thousand Macy’s customers, some of whom discovered hackers were trying to make fraudulent online purchases using their identities and stolen payment information.

Class members in this lawsuit will subsequently face “years of constant surveillance of their financial and personal records, monitoring, and loss of rights,” according to Price.

Carroll is seeking at least $5 million in restitution on behalf of all class members.

Legal damages will reimburse individuals for their personal time used to restore their PII security and for time spent to dispute negative credit charges appearing on their credit reports emanating from hackers successfully exploiting their identities to engage in fraudulent business transactions.

The courts may further award punitive damages if Price can prove Macy’s deliberately chose to not secure its customer PII data and that the defendant’s intentional act actually injured the plaintiffs.

Retailer Responds to Macy’s Class Action

Before this lawsuit, Macy’s touted its promise to secure customer PII and payment information during online purchases.

(Source: https://www.customerservice-macys.com/app/answers/detail/a_id/360/~/security-policy)

The retailer went as far as disclosing on its website that safeguarding consumer data is a business priority, and that Macy’s takes steps “to protect the security of our customer’s account information.”

Macy’s issued an overt statement on July 8, publicly acknowledging the PII cyberattack and claiming that the theft only involved “a small number of our customers at macys.com and bloomingdales.com.”

(Source: https://www.experian.com/blogs/ask-experian/macys-bloomingdales-data-breach-what-you-need-to-know)

Executives further claimed that the company’s IT staff investigated the PII theft and have since implemented “additional security measures” only as a precaution.

As for Carroll and the thousands of potential class members who will join this Macy’s class action lawsuit, the defendant’s commitment to protect PII conclusively comes a little too late because their identities are already in the hands of thieves.