More Data Breach Lawsuits Fail In Court–Michaels Stores and SuperValu
Courts recently dismissed more data breach lawsuits for failure to allege harm.
Michaels Stores: Michaels confirmed that consumer account information had been compromised and acknowledged that approximately 2.6 million cards could have been affected between 2013 and 2014. It offered free credit monitoring services for 12 months. A putative class action lawsuit was filed against it nonetheless.
The court focuses on the standing requirement and says there is no existing harm. The named plaintiff only alleged that her card information had been used once in Ecuador, but failed to allege that she bore the risk of loss from the unauthorized charge. To the contrary, the court notes that it would be extremely unlikely that she would have borne the loss given the zero-fraud-liability policy of “every major card issuer in the country.”
Plaintiff also argued that she had to deal with the hassle of getting new cards and accounts and in general dealing with the situation, but the court says crediting these as harms for standing purposes would allow a plaintiff to “manufacture” standing. Her argument that she would not have shopped at Michaels but for its assurances of reasonable security gets no traction with the court. The same is true of “loss of value” to her card information. Finally, she tries to rely on statutory standing but the court says that the Third Circuit still requires actual injury, regardless of a statutory violation.
Plaintiff also tried to argue that, regardless of present harm, she faced a risk of future harm and that this is sufficient to create standing. The court cites Clapper and says that, as in that case, the future harm here is speculative.
SuperValu: The decision in the SuperValu case is virtually the same as in Michaels Stores. Hackers gained access to the network in 2014 and obtained information embedded in the magnetic stripe of payment cards (across some 1,000 stores). Defendants offered 12 months of free credit monitoring. As in the Michaels Stores case, plaintiffs came forward with a sole instance of unauthorized charges. Plaintiffs failed to allege that this charge was unreimbursed. Beyond this, one plaintiff alleged that he closed his checking account and opened a new one.
The court focused on the risk of future harm and, as in the Michaels Stores case, concluded that it is too speculative (also citing Clapper). In particular, the court focuses on the sole instance of misuse of data and says this is not indicative of data misuse that is “fairly traceable” to the data breach:
Based on the absence of any other allegations that Plaintiffs’ PII has been misused, the court is left to speculate about whether the hackers who gained access to Defendants’ payment processing network were able to capture or steal Plaintiffs’ PII; whether the hackers or other criminals will attempt to use the PII; and whether those attempts will be successful.
The court also looks at plaintiffs’ remaining arguments: (1) mitigation or opportunity costs, and (2) diminished value in PII. As in Michaels Stores, these are also insufficient. Plaintiffs also asserted a claim based on delayed notification, but the court says this is likewise insufficient, given that the underlying harm (mitigation efforts) is not sufficient to establish standing.
These two cases can be contrasted with the Neiman Marcus case decided by the Seventh Circuit (discussed in both cases above). (Blog post on the Neiman Marcus ruling here: “Seventh Circuit: Data Breach Victims Have Standing Based on Future Harm”.) There, the court reversed the district court’s dismissal of a data breach lawsuit on standing grounds. The court agreed that plaintiffs’ theories that they overpaid and that they had some sort of property right in their personal data were insufficient. However, the court did find that the approximately 9,200 people who had unauthorized charges adequately alleged standing despite being reimbursed. The court said that there are “identifiable costs associated with the process of sorting this out” and treated this as clearly sufficient.
The Neiman Marcus court also concluded that even those whose cards were not used for fraudulent charges could proceed on a theory of increased risk:
[a]t this stage in the litigation, it is plausible to infer that the plaintiffs have shown a substantial risk of harm from the . . . data breach. Why else would hackers break into a store’s database and steal consumers’ private information? Presumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume those consumers’ identities.
Finally, the Neiman Marcus court also credits plaintiffs’ mitigation expenses. Mitigation expenses are not sufficient where the harm is not “imminent,” but the court found that was not the case there.
The big question is what accounts for the different results between the Neiman Marcus case and the two district court cases. You could say that the number of alleged unauthorized charges makes the allegations regarding future harm more credible in Neiman Marcus, and that those allegations were not present in SuperValu and Michaels Stores, but that’s not necessarily a principled distinction. I would probably chalk it up to slightly different views of the standing rules. (Krottner v. Starbucks, decided by the Ninth Circuit, takes a similar approach to the Neiman Marcus case.)
Neiman Marcus is an outlier, and despite an aberrational ruling that allows a data breach case to proceed, the overwhelming majority of cases (at least at the district court level) have rejected claims asserted by plaintiffs. (See also the Unity and Cahen rulings, which dismissed claims based on security deficiencies in the lock and car contexts.) In addition to Clapper, both rulings cite the Zappos ruling.
Whalen v. Michaels Stores, Inc., 2015 WL 9462108 (E.D.N.Y. Dec. 28, 2015)
In re SuperValu, Inc. Customer Data Security Breach Litigation, 2016 WL 81792 (D. Minn. Jan. 7, 2016)