A trial court in the Seventh Circuit recently dismissed a data breach class action case against Barnes & Noble (B&N) due to the plaintiffs’ failure to allege actual or imminent injuries.1 This is one of the first data breach cases following the U.S. Supreme Court’s recent decision about pleading actual damages in Clapper v. Amnesty Int’l USA.2 The trial court relied on Clapper to dismiss the case rather than follow Seventh Circuit precedent, which may have allowed the case to continue. Clapper appears to provide defendants with a strong defense in data breach cases.
Barnes & Noble Data Breach
According to the complaint, B&N was the victim of criminal actors hacking into the credit and debit card readers at several of its stores. The hackers collected credit and debit card data from B&N customers. Approximately six weeks after the breach discovery, B&N notified the media and posted notice on its website. The company allegedly did not provide direct notice to customers because it did not know which customers were affected.
The Plaintiffs’ Claims
The plaintiffs sued on behalf of all customers who made in-store credit and debit card purchases during the time period the hackers may have had unauthorized access to the card readers. The plaintiffs made the following claims:
- B&N allegedly breached implied contracts formed with its customers when it collected financial information from them. The plaintiffs allege that the contracts require B&N to reasonably safeguard this information.
- B&N allegedly violated federal and state consumer protection laws when it failed to properly implement adequate, commercially reasonable measures to protect financial information.
- B&N allegedly violated the state breach notification statute in Illinois when it failed to immediately notify affected customers of the breach.
The plaintiffs asserted a series of harms resulting from B&N’s alleged activities. They alleged that they made purchases at the B&N stores affected by the breach during the time the breach occurred and that therefore the court should infer that their financial information was stolen as part of the breach. The plaintiffs alleged that as a result they were subject to:
- increased risk of identity theft, fraud, and other misuse;
- out-of-pocket costs and the value of time for identity theft prevention and replacement of cards and PIN numbers;
- inherent injuries from a violation of a breach notification statute;
- deprivation of the value of their personal information;
- loss of access to the credit card of one plaintiff, whose card was cancelled following an unauthorized charge;
- inherent harm from invasion of privacy;
- inherent harm from improper disclosure of personal information; and
- overpayment for products, which incorporated the costs of data security.
Federal Court Jurisdiction
Federal courts have jurisdiction over cases only when the plaintiff has standing to sue. Therefore, courts will dismiss a case when the plaintiff does not meet the requirements for standing. For standing to exist, the plaintiffs’ injury must be “concrete, particularized, and actual or imminent; fairly traceable to the challenged action; and redressable by a favorable ruling.”3
Courts have not reached consensus on whether the frequently alleged injuries from data breaches meet standing requirements. Both the Seventh Circuit and the Ninth Circuit have concluded that an increased risk of identity theft caused by a data breach is sufficient to confer standing.4 Other courts have not found standing in data breach cases.5 The Supreme Court’s recent decision in Clapper calls into question the precedent in the Seventh and Ninth Circuits, as it clarified what an “actual or imminent” injury is.
In Clapper, the Supreme Court clarified that to find standing based on a threat of future harm, the “threatened injury must be certainly impending to constitute injury in fact.” Allegations of possible future injury are inadequate. The Supreme Court also stated that it has found standing based on the existence of a “substantial risk” of future injury that reasonably prompts a plaintiff to incur costs to avoid or mitigate that harm. However, plaintiffs “cannot manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending.” Plaintiffs frequently have been unable to successfully allege that harm is “certainly impending” following a data breach. The case against B&N was no different.
Federal Court Grants Barnes & Noble’s Motion to Dismiss
B&N filed a motion to dismiss, alleging that the plaintiffs did not have standing. The court agreed and dismissed the case, concluding that none of the alleged injuries claimed by the plaintiffs constituted actual or imminent injury sufficient to confer standing.
General Increased Risk of Identity Theft Is Not an Injury Sufficient for Standing. Relying on Clapper, the court concluded that an increased risk of identity theft or fraud was insufficient to establish standing, because the plaintiffs failed to plead that they suffered a “certainly impending” injury or a “substantial risk” of an injury. Seventh Circuit precedent indicated that increased risk of identity theft or fraud could be sufficient for standing purposes, but the court relied on the Supreme Court case to hold otherwise. Likewise, the court concluded that the cost and time spent to mitigate any increased risk of identity theft are insufficient injuries when harm is not imminent.
Notification Delays Are Not Injuries Sufficient for Standing Without Actual Injuries. The court held that delays in notifying affected customers, even when the delays may have violated the Illinois breach notification statute, are not enough to establish standing without actual resulting injuries. The Illinois breach notification statute explicitly requires “actual injury” before affected individuals have a claim, and a statutory violation alone is generally not enough to confer standing.
Deprivation of Value of Personal Information Is Not an Injury Sufficient for Standing Without Allegations that Personal Information Could Be Sold for Value. The court rejected the claims that the data breach deprived the plaintiffs of the value of their personal information. The court stated that the plaintiffs must allege that they sold or could sell their personal information for value.
General Anxiety from a Data Breach Is Not an Injury Sufficient for Standing. The court determined that anxiety and emotional distress are insufficient to establish standing, especially where, as in this case, there is no imminent threat the information will be used in a malicious way.
Lag Time in Receiving Replacement Credit Card Is Not an Injury Sufficient for Standing. The court concluded that a time lag in receiving a replacement credit card following a fraudulent charge is not an actual injury. Instead, the court stated that plaintiffs must have had an unreimbursed charge on the credit card to suffer an actual injury. Here, the plaintiff did not have any unreimbursed charges.
Plaintiffs Failed to Show Their Data Was Compromised. The court also denied the claims for improper disclosure of personal information and invasion of privacy. It refused to make the inference that the plaintiffs’ data was compromised as part of the breach. The court explained that making a purchase from a store that had a data breach is too tenuous to support a reasonable inference that the plaintiffs’ information was involved. Ultimately B&N benefited from its inability to accurately determine which customers were affected, because the plaintiffs were unable to plead that their data was in fact compromised.
Plaintiffs Failed to Show They Paid Higher Prices to Pay for B&N’s Data Security. The court concluded that the plaintiffs failed to allege that they paid higher prices at B&N when they paid with credit or debit cards to account for data security. Therefore, there was no proper allegation that the plaintiffs overpaid for B&N goods to pay for data security measures that did not prevent this breach.
The dismissal of the B&N case shows that the recent Supreme Court ruling in Clapper appears to be a strong defense for data breach defendants. In the B&N case, the trial court seemed to ignore Seventh Circuit precedent to dismiss the case. Time will tell whether the Seventh and Ninth Circuits will attempt to distinguish Clapper in data breach cases, and whether plaintiffs will be able to successfully plead that an injury is “certainly impending” following data breaches.
1 In re Barnes & Noble Pin Pad, No. 12-cv-8617, 2013 U.S. Dist. LEXIS 125730 (N.D. Ill. September 3, 2013).
2 Clapper v. Amnesty Int’l USA, 568 U.S. ____, 133 S. Ct. 1138 (2013). See the Eye on Privacy article discussing Clapper v. Amnesty Int’l USA at http://www.wsgr.com/publications/PDFSearch/eye-on-privacy/May2013/index.html#4.
3 Monsanto Co. v. Geertson Seed Farms, 561 U.S. ___, 130 S.Ct. 2743, 2752 (2010).
4 Krottner v. Starbucks Corp., Nos. 09-35823 and 35824 (9th Cir.; December 14, 2010); Pisciotta v. Old National Bancorp, 499 F.3d 629, 634 (7th Cir. 2007). See the WSGR Alert discussing the Krottner case in the Ninth Circuit at http://www.wsgr.com/wsgr/Display.aspx?SectionName=publications/pdfsearch/wsgralert_Krottner_v_Starbucks.htm
5 Reilly v. Ceridian Corp., 664 F.3d 38, 42 (3d Cir. 2011); Whitaker v. Health Net of California, Inc., No. CIV S-11-0910 KJMDAD, 2012 WL 174961, at *2 (E.D. Cal. January 20, 2012); Low v. LinkedIn Corp., No. 11-CV01468-LHK, 2011 WL 5509848, at *4 (N.D. Cal. November 11, 2011).