Macy’s Faces Class Action Lawsuit After October Data Breach


A data breach case against Macy’s, originally filed in Massachusetts state court, has been removed to federal court.  The complaint claims a data security breach took place between October 7 and October 15, 2019, during which hackers stole personal consumer information from Macy’s website. Macy’s is represented in the case by Goodwin Procter and the plaintiff, Robert Hartigan, is representing himself.

The complaint says Macy’s issued a public statement after the breach on November 14, 2019 saying they were aware of the incident. Hartigan also claimed they informed customers of possible identity theft or financial crimes advising them to be vigilant and offered identity monitoring and surveillance services within 12 months from the date on the notification letter. The complaint claims they did not follow through with this offer.

Hartigan purchased items from the Macy’s website on October 10, 2019, during the alleged breach period, giving the website his name, credit card information, phone number, and home address. Others in the class he describes would have given similar information. The plaintiff claims Macy’s entered into a contract at that point to protect the information from third parties. The complaint quotes Macy’s Privacy Policy: “we at Macy’s understand that you entrust your data to us. We value that trust. Our collection and use of customer data is guided by our corporate principle of Customers First and subject to our Macy’s Responsible Information Management program.”

The plaintiff claims he and the rest of the class suffered emotional distress, a breach in privacy, public disclosure of private facts, and loss of time because of the negligence and breach of contract by Macy’s. Macy’s is close to settlement in a similar lawsuit in the Alabama Northern District Court from a data breach in 2018.