credit card breach

Already reeling from the Equifax breach, U.S. consumers received yet another unwanted cyber surprise ahead of one of the biggest holiday shopping days of the year. According to Reuters, in mid-November, retailer Forever 21 announced that from at least March to October, an unknown number of consumer payment cards at an undisclosed number of its worldwide stores had been breached.

The cyber incident was the latest in a string of breaches that have put consumers at risk for financial and identity fraud, and that have spurred the growth and prominence of breach class action litigation.

But while far from an uncommon event, the Forever 21 breach may be unique in its aftereffects—or lack thereof. It is unclear, after all, whether those affected by the Forever 21 breach will be able to take the company to court over the disclosure of sensitive financial information. Ultimately, whether a class action will be possible or prove successful will depend on a variety of factors, including what financial information was stolen, how it was used, and how any fraud was discovered.

The legal landscape regarding breach lawsuits has changed considerably since the 2016 U.S. Supreme Court case Spokeo v. Robins, where the high court ruled that consumers seeking damages against breached companies must allege injury that is “particularized” and “concrete”—and not just a procedural violation of a statute—to have standing in court.

Though Spokeo involved the Fair Credit Reporting Act (FCRA), its precedent has ultimately been used in other financial breach cases outside of credit reporting, and it will likely influence any class actions brought against Forever 21.

Marcus Christian, a partner at Mayer Brown and a former executive assistant U.S. attorney at the U.S. Attorney's Office for the Southern District of Florida, noted that after Spokeo, “it may be a little more difficult to bring a case after a data breach, given that plaintiffs have to show specific harm.”

As an example, he noted that if any financial fraud emanating from the Forever 21 breach was caught early on, this may preclude any specific harm. And this is a distinct possibility, he said, given the financial institutions' fraud detection capabilities.

“In my experience, credit card companies and banks tend to be very good at noticing patterns,” and can skillfully catch and flag abnormal behavior on their customers' accounts, he explained.

Still, should financial institutions find fraud, their ability to quickly remedy the situation will often depend on the type of payment card breached. While financial institutions can easily roll back charges on a credit card, it's “a whole other game” if a debit card was compromised, said Adam Levin, chairman and founder of identity and data protection company IDT911.

“Depending on the information that cybercriminals were able to retrieve, they could have accessed your bank account and taken money out,” Levin said.

Yet even if that were the case, consumers wouldn't necessarily suffer irrevocable financial theft. “Pretty much every bank has taken the policy that they will return the money to your account if it has been determined” there was criminal activity, he added.

Returning such money, however, can often be a slow process, which in and of itself may cause consumers harm. “Depending on the financial institution, the time frame in which they return the funds could be up to, I believe, 10 days, and that could be a problem for consumers,” Levin said.

For consumers with automated payments or overdue bills, he said, such a delay could cause an overdraft and could affect their credit scores.

Of course, whether such situations amount to injury will often depend on a court's interpretation. Moreover, such a situation assumes that financial institutions will detect the fraud in the first place—which, while likely, is far from a sure bet.

Cybercriminals, after all, often look for ways to evade fraud detection as best they can. Levin noted that many criminals, for instance, sell stolen payment card information on the dark web marketplace. He likened such marketplaces to “bazaars” where stolen cards “can be sold by the amount of available credit, by the institution, by the type of card it is, and by ZIP code.”

“So let's say you used the payment card in a particular ZIP code,” Levin said. “Hackers would buy that card and charge it in the same ZIP code in order for nobody to pick it up.”

Financial institutions' protections, therefore, are far from foolproof. “It's probably not the best practice for an individual to assume that a credit card company will catch this,” Christian said.

Indeed, if they don't, and fraud goes unnoticed for an extended amount of time, the financial losses a consumer suffers may then be permanent. “Most financial institutions tend to cover you, but it relates to how quickly you notify them” of any anomalous or fraudlike activities, Levin said. “If you don't notify them for 60 days, for example, you could be liable for whatever disappeared out of your bank account.”
