This post examines a recent opinion from a U.S. District Court Judge who sits in the U.S. District Court for the District of Minnesota: In Re: SuperValu, Inc., Customer Data Security Breach Litigation, 2016
WL 81792 (2016) (“In re SuperValu, supra”). She began by explaining that on
November 3, 2015, the undersigned
United States District Judge heard oral argument on Defendants SuperValu, Inc.
(`SuperValu’), AB Acquisition, LLC (`AB Acquisition’), and New Albertson's
Inc.'s (`Albertson's’) (collectively, `Defendants’) Motion to Dismiss
Plaintiffs' Consolidated Amended Class Action Complaint [Docket No. 33]. For
the reasons set forth below, the Motion is granted.
In re SuperValu, supra.
The judge explained how, and why, the litigation
arose:
In this multidistrict litigation case,
sixteen named plaintiffs (`Plaintiffs’) allege they were harmed by hackers
gaining access to and installing malicious software on the payment-processing
network for payment card transactions at Defendants' retail grocery stores.
Consolidated Am. Class Action Compl. (`Amended Complaint’) [Docket No. 28] ¶¶
16–45. Plaintiffs allege the malicious software released and disclosed the Personal
Identifying Information (`PII’) of Plaintiffs and Class Members who used their
payment cards for purchases at the affected stores. Id. ¶ 36.
The Amended Complaint states claims for negligence, negligence per se, breach of implied contract, unjust enrichment, and violations of various state
consumer protection and data breach notification laws. Id. ¶¶
13, 96–159. Plaintiffs assert their claims as class actions. Id. ¶¶
83–95.
A. Defendants
Defendants own and operate retail
grocery stores in the United States. Id. ¶¶ 2-3, 33-35.
SuperValu controls the payment processing at its stores and also provides
payment processing services for AB Acquisition and Albertson's stores. Id. ¶
3.
B. Data Breach
On August 14, 2014, Defendants
announced in press releases that from June 22, 2014 to July 17, 2014, hackers
had gained unauthorized access to and installed malicious software on the
portion of SuperValu's computer network that processes payment card
transactions for Defendants' retail stores. Id. ¶¶ 4–5, 36.
The intrusion resulted in potential theft of information embedded in the
magnetic strip of payment cards for sales transacted at 209 SuperValu stores
and 836 AB Acquisition stores. Id. ¶ 36. The PII embedded in
the magnetic strip included cardholder names, account numbers, expiration
dates, and PINs. Id. ¶¶ 1, 42. The press releases stated Defendants'
offer of 12 months of complimentary consumer identity protection services to
customers whose cards may have been affected by the data breach. Id. ¶
45.
On September 29, 2014, Defendants
announced in press releases that a second data breach occurred in late August
or early September 2014. Id. ¶ 6. In this second instance,
hackers installed different malware onto the portion of SuperValu's computer
network that processes payment card transactions for some retail stores owned
or operated by AB Acquisition and Albertson's (collectively referred to with
the stores affected in the first breach as the `Affected Stores’). Id. ¶¶
6, 44. Plaintiffs allege the two incidents (collectively referred to as the
`Data Breach’) are related and stem from Defendants' same fundamental security
failures. Id. ¶ 7.
C. Named Plaintiffs
Plaintiffs are consumers who shopped at
Defendants' stores that were affected by the Data Breach. Id. ¶¶
16–31. Plaintiffs provided their PII to Defendants when they used their payment
cards at Defendants' Affected Stores. Id. ¶¶ 1, 16–31.
In re SuperValu, supra.
Next, the judge outlines the “alleged harm” inflicted upon
the plaintiffs:
Although customer data at over 1,000 of
Defendants' stores was accessed, the only alleged misuse of any Plaintiff's PII
following the Data Breach is a single unauthorized charge on one Plaintiff's
credit card. Plaintiff David Holmes alleges he experienced a fraudulent charge
on his payment card after shopping at one of Defendants' Affected Stores and,
upon noticing the fraudulent charge on his credit card statement, he
immediately cancelled his credit card. Id. ¶ 31. Holmes does not specify the
amount or date of the fraudulent charge, nor does he allege the charge was
unreimbursed or that he incurred bank fees or other monetary losses related to
the charge. See id. No other Plaintiff alleges any unauthorized
charges on their account, and no Plaintiff, including Holmes, has alleged
experiencing identity theft or attempted identity theft after the Data
Breach. See generally Am. Compl.
All sixteen of the named Plaintiffs
allege that after Defendants announced the Data Breach, Plaintiffs spent time
determining whether their cards were compromised and monitoring their account
information to guard against potential fraud. Id. ¶¶ 16–31.
One Plaintiff, Kenneth Hanff, further alleges he closed his checking account
and opened a new one to prevent fraudulent purchases. Id. ¶
18.
Based on these factual allegations,
Plaintiffs allege that Defendants' wrongful conduct, the resulting Data Breach,
and the potential disclosure of Plaintiffs' and other Class Members' PII have
caused them to suffer harm including: (i) diminished value of their PII; (ii)
untimely and inadequate notification of the Data Breach; (iii) increased risk
of future losses, economic damages, and other harm; (iv) opportunity cost and
value of lost time spent monitoring financial accounts and payment card
accounts; (v) invasion of privacy and breach of the confidentiality of their
PII by Defendants' unauthorized release and disclosure; and (vi) lost benefit
of the bargain. Id. ¶¶ 32, 82.
In re SuperValu, supra.
The judge then went on to outline what had happened in the
case to this point:
A total of four putative class actions
brought by a total of twelve Plaintiffs were filed against Defendants in
federal courts in Illinois, Minnesota, and Idaho. See, McPeak v. SuperValu, Inc., 3:14-cv-00899
(S.D. Ill., filed Aug. 18, 2014); Hanff
v. SuperValu Inc., 14-cv-3252 (D. Minn., filed Aug. 25, 2014); Mertz v. SuperValu, Inc., 14-cv-04660
(D. Minn., filed Nov. 4, 2014); and Rocke
v. SuperValu, Inc., 1:14-cv-00511 (D. Idaho, filed Nov. 26, 2014). In
December 2014, the Judicial Panel on Multidistrict Litigation centralized the
four complaints to this Court for coordinated pre-trial proceedings. See Transfer
Order [Docket No. 1].
On June 26, 2015, Plaintiffs filed the
Amended Complaint alleging six causes of action on behalf of sixteen named
Plaintiffs. See generally Am. Compl. The sixteen named Plaintiffs
consist of the twelve original Plaintiffs plus four new Plaintiffs. See
id. ¶¶ 27–30. Defendants now move to dismiss the Amended
Complaint for
lack of subject matter jurisdiction under Rule 12(b)(1). . . .
In re SuperValu, supra.
The opinion then explains that the Defendants argued that
the Amended Complaint
must be dismissed under Rule 12(b)(1)
for Plaintiffs' failure to allege facts establishing Article III standing,
which is a prerequisite to subject matter jurisdiction. See Lujan v. Defenders of Wildlife, 504 U.S. 555 (1992).
Defendants' Motion attacks the
sufficiency of the pleadings and thus raises a facial, rather than factual,
challenge to the Court's subject matter jurisdiction. See Stalley v. Catholic Health Initiatives, 509 F.3d 517 (U.S. Court of Appeals for the 8th Circuit 2007). In analyzing a facial challenge to
jurisdiction, the Court applies the same standard of review as that in Rule
12(b)(6) cases. Id. The
Court `accepts as true all factual allegations in the complaint, giving no
effect to conclusory allegations of law.’ Id. Plaintiffs must
affirmatively and plausibly assert facts that suggest they have the right to
jurisdiction, rather than facts that are merely consistent with that right. See id. . . . Determining whether
a claim is plausible is a `”context-specific task that requires the reviewing
court to draw on its judicial experience and common sense.”’ Hamilton v. Palm, 621 F.3d 816 (U.S.
Court of Appeals for the 8th Circuit 2010) (quoting Ashcroft v. Iqbal, 556 U.S. 662 (2009)).
In re SuperValu, supra.
The judge then took up the very important issue of
“standing,” noting, initially, that
`Article III standing is a threshold
question in every federal court case.’ United States v. One Lincoln Navigator
1998, 328 F.3d 1011 (U.S. Court of Appeals for the 8th Circuit 2003).
The party invoking federal jurisdiction has the burden of establishing
standing. Lujan v. Defenders of
Wildlife, supra. To meet this
burden, a plaintiff must show: (1) an injury in fact; (2) a causal connection
between the injury and the challenged conduct of the defendant; and (3) a
likelihood that a favorable ruling will redress the alleged injury. Young
Am. Corp. v. Affiliated Computer Servs. (ACS), Inc., 424 F.3d 840 (U.S. Court
of Appeals for the 8th Circuit 2005) (citing Lujan v. Defenders of Wildlife, supra). Each element `must be supported
in the same way as any other matter on which the plaintiff bears the burden of
proof, i.e., with the manner and degree of evidence required at the successive
stages of the litigation.’ Lujan v.
Defenders of Wildlife, supra.
To satisfy the injury in fact element of
standing, an injury must be `concrete, particularized, and actual or imminent.’
Clapper v. Amnesty Int'l USA, 133
S.Ct. 1138 (2013). When a party's alleged injury is based on future harm,
standing exists if the threatened injury is `”certainly impending,”’ or there
is a `substantial risk’ that the harm will occur. Susan B. Anthony List v. Driehaus, 134 S.Ct. 2334 (2014) (quoting Clapper v. Amnesty Int'l USA, supra). `[A]llegations
of possible future injury are not sufficient.’ Clapper v. Amnesty Int'l USA, supra. . . .
The requirement that a future injury be
imminent `ensure[s] that the alleged injury is not too speculative for Article
III purposes.’ Lujan v. Defenders of
Wildlife, supra. Although
imminence is a `somewhat elastic concept,’ it requires `that the injury proceed
with a high degree of immediacy, so as to reduce the possibility of deciding a
case in which no injury would have occurred at all.’ Lujan v. Defenders of Wildlife, supra.
Additionally, where a threatened injury hinges on speculation about the actions
of third parties, standing is less likely to exist. See Clapper v. Amnesty Int'l USA, supra (expressing
`reluctance to endorse standing theories that rest on speculation about the decisions
of independent actors’); Clapper v.
Amnesty Int'l USA, supra (`Plaintiffs cannot rely on speculation about the
unfettered choices made by independent actors not before the court’) (internal
quotations omitted).
In re SuperValu, supra.
The District Court Judge went on to point out that in a
class action lawsuit,
`named plaintiffs who represent a class
must allege and show that they personally have been injured, not that injury
has been suffered by other, unidentified members of the class to which they
belong and which they purport to represent.’ `[I]f none of the named
plaintiffs purporting to represent a class establishes the requisite of a case
or controversy with the defendants, none may seek relief on behalf of himself
or any other member of the class.’ O'Shea v. Littleton, 414 U.S. 488 (1974). . . .
The Amended Complaint alleges several
forms of injury: (a) increased risk of future losses, economic damages and
other harm; (b) opportunity cost and value of lost time spent monitoring
financial accounts and payment card accounts; (c) diminished value of
Plaintiffs' PII; (d) untimely and inadequate notification of the Data Breach;
(e) invasion of privacy and breach of the confidentiality of Plaintiffs' PII
due to Defendants' unauthorized release and disclosure; and (f) lost benefit of
the bargain. See Am. Compl. ¶¶ 32, 82. Defendants argue Plaintiffs
have failed to plausibly allege injury that is `concrete, particularized, and
actual or imminent.’ Clapper v. Amnesty
Int'l USA, supra.
In re SuperValu, supra.
She then parsed the “several forms of injury”, to determine
the extent to which the Complaint in this case adequately alleged that the
plaintiffs sustained injury sufficient to support their class action. In re
SuperValu, supra. She began with the
“increased risk of future harm”:
Plaintiffs allege they face a
substantial risk of future harm because Defendants' failure to properly secure
their computer network has allowed hackers to steal their PII for fraudulent
use. See Am. Compl. ¶ 8 (`Defendants' security failures
enabled the hackers to steal Consumer Plaintiffs' and the other Class members'
PII . . . and put Consumer Plaintiffs' and the other Class members' financial
information at serious, immediate, and ongoing risk.’); id. ¶ 9 (`On
information and belief, illicit websites are selling the stolen payment card
PII ‘dumps' to international card counterfeiters and fraudsters. . . .’).
Defendants argue that Plaintiffs' allegations of future harm are actually only
speculative claims of possible future injury, which are not sufficient to
satisfy Article III standing.
In data security breach cases where
plaintiffs' data has not been misused following the breach, the vast majority
of courts have held that the risk of future identity theft or fraud is too
speculative to constitute an injury in fact for purposes of Article III
standing. See, e.g., Reilly v. Ceridian Corp., 664 F.3d 38
(U.S. Court of Appeals for the 3d Circuit 2011) (`Most courts have held such
plaintiffs lack standing because the harm is too speculative. We agree with the
holdings in those cases’); In re
Zappos.com, Inc. Customer Data Sec. Breach Litig., 2015 WL 3466943 (U.S. District Court for the District of Nevada 2015) (`The majority of courts
dealing with data-breach cases post-Clapper
v. Amnesty Int'l USA, supra, have held that absent allegations of
actual identity theft or other fraud, the increased risk of such harm alone is
insufficient to satisfy Article III standing’). . . .
In re SuperValu, supra.
The judge went on to explain that the “speculative nature”
of the threatened injury
stems from the numerous variables upon
which the future harm depends, including whether the hacker: (1) read, copied,
and understood [Plaintiffs'] personal information; (2) intends to commit future
criminal acts by misusing the information; and (3) is able to use such
information to the detriment of [Plaintiffs] by making unauthorized
transactions in [Plaintiffs'] names.” Reilly
v. Ceridian Corp., supra. . . . In
addition to the speculation of whether future harm from a data
security breach will materialize, it cannot be known when such
harm will occur. As more time lapses without the threatened injury actually
occurring, the notion that the harm is imminent becomes less likely. In re Zappos.com, 2015 WL 3466943, at *7.
Here, the Data Breach of Defendants' computer
network affected more than 1,000 retail grocery stores and occurred nearly one
and a half years ago. Despite the large number of Affected Stores and the
significant amount of time that has elapsed, the only facts asserted that any
of Plaintiffs' PII has been misused is the single incident alleged by Plaintiff
Holmes. Holmes noticed a single unauthorized charge (of an unspecified amount
on an unspecified date) on his credit card statement after learning of the Data
Breach. See Am. Compl. ¶ 31. Given the unfortunate frequency
of credit card fraud, it is common sense to expect that in any group similar in
size to the sixteen Plaintiffs and multitudes of potential class members who
used their payment cards at one of the 1,000-plus Affected Stores would likely
experience at least one instance of a fraudulent charge. Thus, the isolated
single instance of an unauthorized charge is not indicative of data misuse that
is fairly traceable to the Data Breach. See, e.g., In re Barnes & Noble, 2013 WL 4759588 (U.S. District Court for the Northern District of Illinois 2013) (`[I]t is not
directly apparent that the fraudulent charge was in any way related to the security
breach at Barnes & Noble’).
In re SuperValu, supra.
The judge therefore found that,
[b]ased on the absence of any other
allegations that Plaintiffs' PII has been misused, the Court is left to
speculate about whether the hackers who gained access to Defendants' payment
processing network were able to capture or steal Plaintiffs' PII; whether
the hackers or other criminals will attempt to use the PII; and whether those
attempts will be successful. See Reilly
v. Ceridian Corp., supra. . . . This speculation prevents the Court from
finding an increased risk of fraud and identity theft is `certainly impending’
or that there is a “substantial risk” the harm will occur. Clapper v. Amnesty International USA, 133 S.Ct. 1138 (2013). . . .
The recent cases relied on by
Plaintiffs do not compel a different result. Those cases included factual
allegations of substantial data misuse which plausibly suggested that the
hackers had succeeded in stealing the data and were willing and able to use it
for future theft or fraud. See Remijas
v. Neiman Marcus Grp., LLC, 794 F.3d 688 (U.S. Court of Appeals for the 7th Circuit 2015); In re Adobe Sys., Inc.
Privacy Litig., 66 F. Supp. 3d 1197 (U.S. District Court for the Northern District of California 2014). . . .
These cases alleging widespread data
misuse contrast sharply with the allegations made in the instant case. Here,
only one unauthorized credit card charge (of an unspecified date and amount) is
alleged to have occurred in the fifteen-month time period following the Data
Breach that affected over 1,000 of Defendants' stores. This singular incident
from one named Plaintiff over the course of more than a year following the Data
Breach is not sufficient to `nudge[ ]’ Plaintiffs' class claims of data misuse
or imminent misuse `across the line from conceivable to plausible.’ Bell Atlantic Corp. v. Twombly, 550 U.S. 544 (2007). Thus, Plaintiffs have failed to allege sufficient facts to show
that future harm from the Data Breach is `certainly impending’ or that there is
a `substantial risk that the harm will occur.’ Clapper v. Amnesty Int'l USA, supra.
In re SuperValu, supra.
Next, she took up the issue of “opportunity and mitigation
costs”, explaining that the
Plaintiffs allege they have suffered
harm based on mitigation costs, including time spent monitoring their account
information to guard against potential fraud and, in the case of Plaintiff
Hanff, costs and expenses associated with opening a new checking account. As
the Supreme Court has recently explained, plaintiffs `cannot manufacture
standing merely by inflicting harm on themselves based on their fears of
hypothetical future harm that is not certainly impending.’ Clapper v. Amnesty Int'l USA, supra. `If the law were otherwise, an
enterprising plaintiff would be able to secure a lower standard for Article III
standing simply by making an expenditure based on a nonparanoid fear.’ Id. In data breach cases, courts
consistently hold that the cost to mitigate the risk of future harm does not
constitute an injury in fact unless the future harm being mitigated against is
itself imminent. See, e.g., In
re Adobe, 66 F. Supp. 3d at 1217; In
re Sci. Applications Int'l Corp. (SAIC) Backup Tape Data Theft Litig.,
45 F. Supp. 3d 14 (U.S. District Court for the District of Columbia 2014); In re Zappos.com, 2015 WL
3466943, at *10; Lewert, 2014 WL 7005097, at *3. Here, the risk of future
harm being mitigated against is not imminent. Thus, the cost to mitigate the
risk is not a sufficient injury in fact to confer Article III standing.
In re SuperValu, supra.
She then analyzed the next-to-last issue involved in this analysis,
noting that the
Plaintiffs also allege that the value
of their PII was lost or diminished as a result of the Data Breach. Assuming
without deciding that Plaintiffs' PII had monetary value, Plaintiffs have
failed to allege any facts explaining how their PII became less valuable as a
result of the Data Breach. Plaintiffs have not alleged that they tried to sell
their PII but were not able to do so or were forced to accept a lower price.
Therefore, Plaintiffs have not alleged an injury in fact under this
theory. See In re Zappos.com,
2015 WL 3466943, at *3 (finding no injury in fact where plaintiffs had not
alleged that the data breach had prevented them from selling their personal
information at the price it was worth); In re SAIC, 45 F. Supp. 3d at 30 (same); Green, 2015 WL 2066531, at *5 n.59 (`Even if the Court were to find
that personal information has an inherent value and the deprivation of such
value is an injury sufficient to confer standing, Plaintiff has failed to
allege facts indicating how the value of his personal information has decreased
as a result of the Data Breach’).
In re SuperValu, supra.
Having resolved that issue, the judge then took up the
plaintiffs’ claim that they were
harmed by Defendants' `untimely and
inadequate notification of the Data Breach.’ Am. Compl. ¶ 82. Plaintiffs argue
the delayed notification forced them to spend more time and money to: (1)
refresh their recollections, contact their banks, and locate their credit card
statements to determine whether they had been exposed to the risk of fraud
created by the Data Breach; and (2) take additional steps to mitigate the risk
of fraud. Plaintiffs thus contend they have standing to assert claims under
state data breach notification laws that grant a private right of action. These
assertions of increased mitigation costs due to delayed notification are not
alleged in the Amended Complaint.
Even if they had been, the allegations
would not have established Article III standing because as discussed above, the
cost to mitigate the risk of future harm does not constitute an injury in fact
unless the risk of future harm is imminent. `Plaintiffs must plead an injury
beyond a statutory violation to meet the standing requirement of Article III.’ In re Barnes & Noble, 2013 WL
4759588, at *3. Therefore, `[e]ven assuming the statutes have been violated by
the delay or inadequacy of [Defendants'] notification, breach of these statutes
is insufficient to establish standing without any actual damages due to the
breach.’ Id.
In re SuperValu, supra.
She then ruled on the plaintiffs’ final two arguments,
beginning with their claim that they
suffered an invasion of privacy and
breach of confidentiality of their PII as a result of the Data Breach. However,
Plaintiffs have not alleged facts showing that the loss of privacy and
confidentiality resulted in a concrete injury. Therefore, this theory of
standing also fails. See In re Zappos.com,
2015 WL 3466943, at *11 n.5 (finding no Article III standing under a loss of
privacy theory because plaintiffs `failed to show how that loss amounts to a
concrete and particularized injury’).
In re SuperValu, supra.
And, finally, she ruled on their argument that they were
injured by the
lost benefit of their bargain. Am.
Compl. ¶ 32. This theory is consistently rejected in data breach cases where
plaintiffs have not alleged that the value of the goods or services they
purchased was diminished as a result of the data breach. See, e.g., In re Zappos.com, 2015
WL 3466943, at *11 n.5 (rejecting benefit-of-bargain theory where
plaintiffs had not explained how the data breach impacted the value of the
goods they purchased, and further had not alleged facts showing that the price
plaintiffs paid for such goods incorporated a sum that both parties understood
would be allocated towards the protection of customer data); Fernandez v. Leidos, Inc., 2015 WL
5095893, at *9 (U.S. District Court for the Eastern District of California 2015) (finding
no standing where plaintiff failed to allege facts from which a plausible
inference could be drawn that the value of plaintiff's health care and
insurance coverage had been diminished as a result of the data breach); Remijas v. Neiman Marcus Grp., LLC,
supra (noting in dicta that the benefit-of-the-bargain theory was `problematic’
and `dubious’ where plaintiffs had not alleged any defect in any product they
had purchased).
Here, Plaintiffs do not allege that the
Data Breach diminished the value of the groceries or other goods they purchased
from Defendants. Nor do Plaintiffs allege facts showing that the price they
paid for the goods included an amount that both parties understood would be
allocated toward protecting customer data. Thus, Plaintiffs have not
alleged a cognizable injury based on the lost benefit of their bargain.
In re SuperValu, supra.
The Judge therefore held that
[b]ecause the Court concludes that
Plaintiffs lack standing under Article III, the Court is without subject matter
jurisdiction to determine whether the Amended Complaint states a claim for
relief under Rule 12(b)(6). . . .
Based upon the foregoing, and all the
files, records, and proceedings herein, IT IS HEREBY ORDERED that
Defendants' Motion to Dismiss Plaintiffs' Consolidated Amended Class Action
Complaint . . . is GRANTED. The Consolidated Amended Class Action
Complaint is dismissed without prejudice.
In re SuperValu, supra.