Data Protection Report - Norton Rose Fulbright

The U.S. District Court for the Northern District of Illinois dismissed a putative class action against Barnes & Noble last week based on an incident in 2012 in which criminals tampered with payment card PIN pad terminals to steal customer payment card information from retail stores in nine states. The court’s decision highlights an important difference between the legal concepts of an “injury-in-fact” (which is necessary to support a finding of Article III standing so as to be able to maintain a case in federal court) and “damages” (which must be alleged to maintain many causes of action, such as for breach of contract). Although a plaintiff may have sufficiently alleged an “injury-in-fact” to enable a federal court to consider the case, those same allegations may be insufficient to allow the plaintiff to withstand a motion to dismiss.

Factual Background

In the case In re Barnes & Noble PIN Pad Litigation, three plaintiffs allegedly made purchases at Barnes & Noble stores during a period when criminals had tampered with the retailer’s credit card readers to steal payment card information. One plaintiff claimed to have had a fraudulent charge on her credit card, and “at the time of the fraudulent charge,” the plaintiff was unaware of any other recent data breaches that would have affected her credit card. The plaintiffs alleged that Barnes & Noble did not announce the security breach until six weeks after discovering it. The plaintiffs then filed a putative class action against Barnes & Noble. After the trial court dismissed an earlier version of the complaint in 2013, the plaintiffs amended their complaint, and Barnes & Noble again moved to dismiss, claiming that the plaintiffs lacked standing and failed to state a cause of action.

Standing Premised Upon Taking Precautions to Protect Against a Risk of Substantial Harm

In assessing the plaintiffs’ amended complaint, the trial court found that the plaintiffs had sufficiently alleged an injury for purposes of standing. In analyzing the plaintiffs’ Article III standing, the court relied on Remijas v. Neiman Marcus Group, a data breach case from the Seventh Circuit where the court found standing based on allegations that hackers deliberately targeted a retailer and stole credit card numbers, several thousand of which were used fraudulently. In Remijas, the court concluded that because the hackers deliberately targeted the retailer to obtain credit card information, it was “plausible to infer that the plaintiffs have shown a substantial risk of harm.” In addition, the Remijas plaintiffs had established injury-in-fact through allegations that they lost time and money protecting themselves against future identity theft. Interpreting the Remijas decision, the trial court in the Barnes & Noble case explained that the Seventh Circuit’s finding of injury-in-fact was based on the plaintiffs taking precautions to protect themselves against a “substantial risk” of injury created by the data breach, and not because the plaintiffs had actually suffered fraudulent charges. (In Remijas over 9,000 affected individuals allegedly had fraud on their payment cards as a result of the breach.)

Applying Remijas, the trial court found that the plaintiffs had standing because they alleged that they had incurred injuries in the course of protecting themselves from a “substantial risk” of fraudulent charges. In particular, the trial court cited the following allegations as supporting standing:

  • Unauthorized individuals tampered with the retailer’s PIN pad devices for the purpose of stealing customers’ personal information.
  • Plaintiffs made purchases at several affected stores during the time period when the PIN pads were compromised.
  • Skimmers made unauthorized purchases using the stolen information.
  • Plaintiffs have devoted time and money to preventing improper use of their PII.

The trial court rejected the argument that Remijas did not apply. Although the plaintiffs in Remijas alleged that they had been the victim of identity theft, the trial court concluded that such an allegation was not needed to find standing. Rather, standing was based on the plaintiffs taking precautions to protect themselves against a “substantial risk” of injury created by a data breach – even in the absence of actual identity theft.

The Plaintiffs Failed to State a Claim Upon Which Relief Could Be Granted

Although the trial court found Article III standing – such that the plaintiffs’ claims could be considered in federal court – it ultimately dismissed the lawsuit. In dismissing the suit, the court cited the Seventh Circuit’s decision in Pisciotta v. Old National Bancorp, 499 F.3d 629 (7th Cir. 2007), which also found standing but concluded that dismissal was proper for failure to allege recoverable economic damages.

The trial court dismissed the claims for breach of contract, and alleged violations of the Illinois Consumer Fraud Act (ICFA), California Unfair Competition Law, and California Security Breach Notification Act, partly because the plaintiffs failed to allege that they faced any economic or out-of-pocket damages that were caused by the security breach. For example, the court considered the following theories of damages to be insufficient:

  • Overpayment for purchases – on the theory that the retailer builds the cost of safeguarding personal information into the purchase price of all products and services, and that the plaintiffs were denied the protections for which they had paid.
  • Loss of value of personal information.
  • Costs of identity protection monitoring services that were contracted before the data breach and which were renewed “in part” due to the security breach. The trial court explained that these damages were not plausibly alleged to be attributable to the breach.
  • Time spent to dispute an unauthorized charge and have a new card issued – without allegations of “actual injury or monetary loss due to the fraudulent charge.”
  • Plaintiffs’ anxiety.

The court also held that the ICFA claim failed because the plaintiffs had not alleged that they were deceived, and the claim for invasion of privacy (based on disclosure of private data) failed because the plaintiffs did not allege any public disclosure of private facts – allegations that are required under Illinois law. With respect to the California Security Breach Notification Act claims, the court added that the plaintiffs had not claimed that their alleged injuries were caused by any delay in notification of the security breach.

The trial court’s dismissal of the lawsuit was not with prejudice, so it is possible that the plaintiffs may seek to amend their complaint to cure the deficiencies that the trial court identified.

Our Take

The Barnes & Noble case highlights the differences between the allegations that are necessary to support a finding of Article III standing and those that are necessary to be able to survive a 12(b)(6) motion to dismiss based on a failure to allege cognizable damages. As we have previously noted, the Seventh Circuit may apply a lower standard than its sister circuits when finding standing in data breach cases. Although one plaintiff alleged a fraudulent charge was made on her credit card, the trial court made clear that under the Seventh Circuit’s precedent, standing may be premised upon plaintiffs taking precautions to protect themselves against a “substantial risk” of injury – which may be inferred because criminals deliberately targeted their information. (This holding is also consistent with the Sixth Circuit’s recent decision in Galaria v. Nationwide Mutual Insurance Co., which we have covered.)

However, despite the Seventh and Sixth Circuits’ willingness to find standing in data breach cases – such that the cases may be heard in federal court – the allegations of injury may not suffice to meet the pleading requirements for any cause of action. Companies defending against data breach litigation may wish to keep this distinction in mind, as a plaintiff winning the standing battle does not mean that the plaintiff will win the war of a Motion to Dismiss.
