Articles

Challenging Whether Plaintiffs Pled Viable State Law Claims May be an Effective Strategy in Defending Consumer Data Breach Class Action Litigation Even Where Plaintiffs Can Meet Federal Article III Standing Requirements

Last year, and earlier this year, a hot topic in data breach consumer class action litigation in federal court was whether plaintiffs could demonstrate Article III standing. Some courts have applied a more liberal rule that has allowed plaintiffs to survive an Article III challenge. (See, for example, Remijas v. Neiman Marcus Group, 794 F.3d 688 (7th Cir. 2015) (“Remijas”) and Lewert v. P.F. Chang’s China Bistro, Inc. (7th Cir. 2016) (“Lewert”)). Defendants are now having more success with a separate challenge as to whether a data breach consumer class action fails to plead viable claims under state law. For example, on October 3, 2016 Judge Andrea R. Wood granted the defendant’s Federal Rule of Civil Procedure 12(b)(6) motion to dismiss in In Re Barnes & Noble Pin Pad Litigation pending in the Northern District of Illinois (the same Circuit that ruled in favor of plaintiffs in Remijas and Lewert). See, 2016 U.S. Dist. LEXIS 137078 (N.D. Ill. Oct. 3, 2016), district court case no. 12-cv-08617.

The facts alleged in the In Re Barnes & Noble Pin Pad Litigation are that in September 2012, “skimmers” tampered with PIN pad terminals in 63 Barnes & Noble stores. The PIN pad terminals were used to process credit and debit card payments. Six weeks after discovering the potential breach, Barnes & Noble announced that skimmers had potentially stolen customer credit and debit card information from affected locations. Plaintiffs filed suit alleging five causes of action for (1) breach of contract; (2) violation of the Illinois Consumer Fraud and Deceptive Business Practices Act (“ICFA”); (3) invasion of privacy; (4) violation of California’s Security Breach Notification Act, Cal. Civil Code 1798.80 et seq.; and (5) violation of California’s Unfair Competition Act (“UCL”), Cal. Bus. & Prof. Code 17200 et seq.

Plaintiffs sought damages for unauthorized disclosure of their personal identifying information (“PII”), loss of privacy, expenses incurred attempting to mitigate the increased risk of identity theft or fraud, lost time mitigating the increased risk of identity theft or fraud, an increased risk of identity theft, deprivation of the value of plaintiffs’ PII, anxiety and emotional distress.

Judge Darrah had originally granted a motion to dismiss finding that plaintiffs had failed to establish Article III standing but granted plaintiffs leave to amend. The amended complaint pled the same five causes of action as the original complaint with a few new facts, including that plaintiff Winstead had a fraudulent charge on her credit card and was unaware of any other recent data braches that would have affected her credit card, and prior to the breach, Winstead subscribed to identity theft protection monitoring. After learning of the Barnes & Noble breach, Winstead “continued to subscribe to identity theft protection monitoring services, in part because of the security breach.”

Barnes & Noble moved to dismiss the amended complaint under both Federal Rule of Civil Procedure 12(b)(1) (challenging whether plaintiffs had Article III standing under federal law) and 12(b)(6) (asserting that plaintiffs failed to plead facts sufficient to support their state law claims). Based on Remijas, Judge Wood ruled that plaintiffs allegations were sufficient to establish Article III standing and denied the motion to dismiss to the extent it challenged Article III standing. But the court ruled that plaintiffs failed to plead facts to establish any of the state law claims they alleged and dismissed the complaint on that ground.

As to the breach of implied contract claim, the court noted that Barnes & Noble did not contest the issue of whether there was an implied contract between it and plaintiffs but claimed the count must be dismissed because plaintiffs failed to allege any cognizable damages. The court agreed. The court ruled that in order to plead a cause of action for breach of implied contract under both Illinois and California law, a plaintiff must allege that he or she suffered damages. The court ruled: “The Amended Complaint is deficient in just this manner – as it fails to plead any economic or out-of-pocket damages that were caused by the Barnes & Noble data breach.” The court rejected plaintiffs’ argument that overpayment for goods at Barnes & Noble or the loss of the value of plaintiffs’ PII represents damages for the purposes of the breach of contract claim.

Plaintiff Winstead alleged that she subscribed to an identity protection monitoring service, but she conceded she subscribed to that service even before the Barnes & Noble data breach. Her allegation that she renewed the service “in part” due to the Barnes & Noble breach was not sufficient. Similarly, her claim that she suffered damage in the form of “[taking] time to dispute an unauthorized charge and have a new card issued” was not sufficient as “Plaintiffs have not pled that Winsted suffered any actual injury or monetary loss due to the fraudulent charge.”

The court distinguished In re Michaels Stores Pin Pad Litigation, 830 F.Supp. 2d 518 (N.D. Ill. 2011), where the court allowed an alleged breach of implied contract theory to proceed because there plaintiffs alleged actual misuse of their financial information that “caused Plaintiffs to lose money from unauthorized withdrawals and/or related bank fees,” but plaintiffs in the suit against Barnes & Noble were not able to allege that they actually lost money from unauthorized withdrawals or bank fees.

Similarly, the court ruled that the claim alleging violation of ICFA was deficient because “[o]nly a person who suffers actual damage may bring an action under the ICFA,” and “[a]lthough Plaintiffs allege that a fraudulent charge was made on Winstead’s credit card, there is no allegation that she suffered out-of-pocket losses due to that charge.” The court ruled that it was also not sufficient that plaintiffs alleged an increased risk of future identity theft or because plaintiff purchased credit monitoring services.

As to the claim for invasion of privacy, the Court ruled that “Under Illinois law, a claim for invasion of privacy based on public disclosure of private facts requires Plaintiffs to plead three elements: (1) the disclosure must be public; (2) the facts must be private facts; and (3) the matter made public would be highly offensive to a reasonable person.” (Citations omitted.) California law imposed the same requirements. Plaintiffs failed to plead a claim “because they fail to allege that there was a public disclosure within the meaning of the common law cause of action. To state a claim that there was a public disclosure of private data, a plaintiff must plead that the disclosure "'communicate[d] the matter to the public at large or to so many persons that the matter must be regarded as one of general knowledge.'" But based on the facts alleged, the only people who would have had access to the stolen PII would be the skimmers, and potentially whatever third parties to which they sold the PII. The invasion of privacy claim also failed because even had the PII been sufficiently widely disseminated to count as a public disclosure, the PII cannot be considered private information that would be highly offensive to a reasonable person.

As to the claim attempting to allege a violation of California’s Security Breach Notification Act, the Court ruled that “a plaintiff must allege that her injuries were caused by the delay between the time she was notified of the breach and the time she contends she should have been notified.” The amended complaint failed to plead facts to demonstrate a connection between the alleged delay and the claimed injury.

To allege a violation of California’s UCL, a plaintiff must allege a loss of money or property as a result of the allegedly wrongful conduct. Because the amended complaint failed to meet that test, the claim was dismissed.

This demonstrates that even where plaintiffs can allege facts sufficient to demonstrate Article III standing under federal law, defendants may be able to successfully challenge whether plaintiffs have adequately pled damages, or failed to otherwise satisfy requirements for the tort under applicable state law.


[About the Author: Jon Kardassakis is a Co-Chair of the firm’s Class Action & Mass Tort Practice. He regularly defends data breach and other privacy class actions. He is also an owner of two spirited German Shorthair Pointers who enthusiastically encourage Jon to take them out running.]

Related Practices


Related Attorneys

Find an Attorney

Each of the firm's offices include partners, associates and a professional staff dedicated to meeting the challenge of providing the firm's clients with extraordinary service.