Earlier this week, a federal Illinois court dismissed a class action against book retailer Barnes & Noble that alleged breach of contract, invasion of privacy, and violations of state consumer fraud and breach reporting laws. The case, dismissed for failing to establish economic harm, marks another data point in demarcating actionable data breaches and highlights perhaps the most challenging issue for plaintiffs in data breach class actions.
The complaint stemmed from a data breach that Barnes & Noble suffered in 2012 where hackers tampered with PIN pad terminals in 63 Barnes & Noble stores across nine states, compromising customers’ credit card and debit card information. The Court previously ruled that the plaintiffs had to allege economic or out-of-pocket damages caused by the data breach in order to state a claim.
The U.S. District Court for the Northern District of Illinois ruled that the plaintiffs’ alleged injuries to the value of their personally identifiable information, time spent with bank and police employees, and emotional distress were insufficient to state a claim. Similarly, although the plaintiffs alleged a temporary inability to use their bank accounts, they failed to demonstrate how this inconvenience caused any monetary injury. The plaintiffs’ lost cell phone minutes in speaking to bank employees and purchases of credit monitoring were also deemed insufficient to state a claim.