On September 3, 2013, the U.S. District Court for the Northern District of Illinois dismissed a class action complaint against Barnes & Noble seeking damages based on a data security incident, finding that the plaintiffs lacked standing to bring the claims. This decision reaffirms that retailers may be able to avoid damages for data breaches where the plaintiffs cannot allege or establish actual damages.
In October 2012, Barnes & Noble notified the public, through a press release and a notice on its website, that it had discovered hackers were stealing credit and debit card information from its PIN pad devices at 63 stores across the country. The hackers obtained the data by tampering with the PIN pad devices used to process transactions. Barnes & Noble made the announcement approximately six (6) weeks after it discovered the fraudulent activity. Barnes & Noble did not directly notify individual customers.
Plaintiffs filed multiple claims under Illinois and California state law alleging various injuries including: untimely and inadequate notification of the incident; improper disclosure of their personally identifiable information (PII); loss of privacy; expenses incurred in efforts to mitigate the increased risk of identity theft or fraud; an increased risk of identity theft; deprivation of the value of their PII; and anxiety and emotional distress.
Judge John W. Darrah ruled that these alleged injuries were insufficient to establish actual injury for purposes of standing. Following closely the recent Supreme Court decision in Clapper v. Amnesty Int’l USA, the court explained that although an injury that is “certainly impending” can establish injury sufficient to support standing, “[a]llegations of possible future injury are not sufficient.” Clapper v. Amnesty Int’l USA, 133 S. Ct. 1138, 1147 (2013). Though the Clapper decision involved a challenge to the constitutionality of the Foreign Intelligence Surveillance Act (FISA), its standing rationale is readily applicable to data breach lawsuits.
Applying Clapper, the court determined that plaintiffs’ allegations of untimely notification were insufficient because they asserted merely an increased risk of actual injury, such as identity theft, not an actual injury or “certainly impending” injury. The court further ruled that even if Barnes & Noble violated the state statutes at issue, that alone did not establish standing in lieu of actual damages. The court next held that plaintiffs did not state facts to support a claim that their information was in fact disclosed. “The inference that their data was stolen, based merely on the security breach, is too tenuous to support a reasonable inference that can be made in Plaintiff’s favor.” The court also rejected plaintiffs’ claims regarding the time and expenses incurred to mitigate the risks of identity theft, finding that plaintiffs “cannot manufacture standing by incurring costs in anticipation of non-imminent harm.”
Finally, the court addressed the claim of one named plaintiff who alleged a fraudulent charge had been made on her credit card following a purchase made at an affected Barnes & Noble store. The court found that the only injury suffered was “a time lag of an unknown length between learning of the fraudulent charge and receiving a new credit card” as the credit card company absorbed the cost of the alleged fraudulent transaction. In order to suffer actual injury, the court explained, there would need to be an unreimbursed charge on her credit card. The court also rejected standing for this plaintiff because “it is not directly apparent that the fraudulent charge was in any way related to the security breach at Barnes & Noble.”
This decision, like the previously reported LinkedIn User Privacy Litigation decision (March 15, 2013), further establishes lack of standing as a strong defense against class action lawsuits seeking millions of dollars in damages for security incidents where the putative class members cannot allege or prove actual injury.