The U.S. Court of Appeals for the Seventh Circuit (the “7th Circuit”) recently issued an opinion in Heather Dieffenbach, et al. v. Barnes & Noble, Inc. that is potentially concerning for current and potential defendants in class action claims related to data breaches. The case relates to a 2012 incident where Barnes & Noble discovered that attackers had compromised some of the PIN pads they used to verify customer payment information. The attackers then used these devices to acquire customer data including names, payment card information and PINs.
Because of this incident, some Barnes & Noble customers temporarily lost use of their funds while waiting for their banks to reverse unauthorized charges, spent money on credit monitoring services, and lost time dealing with impacts of this data breach. Suing under Illinois and California state law, plaintiffs seek to collect damages from Barnes & Noble, as well as the data thieves.
Barnes & Noble moved to dismiss the complaint. The district court granted Barnes & Noble’s motion in 2013, holding that the representative plaintiffs suffered no loss and therefore lacked Article III standing to bring their claims. But subsequent 7th Circuit case law undercut that ruling, as the Circuit court held in Remijas (2015) and Lewert (2016) that customers who experience a loss of data have standing. The district court, bound by those decisions, held that the plaintiffs had standing, but nevertheless dismissed plaintiffs’ complaint, finding that it did not adequately plead damages for any of the alleged claims.
The 7th Circuit reversed the trial court’s decision, in an expansive ruling that appeared determined to find standing and permit the case to advance. With respect to the California plaintiff, the court permitted the plaintiff’s claims to survive based on the “damages” allegations that she did not have access to certain funds for three days and was inconvenienced by having to take time “sorting things out” as a result of the breach. In so doing, the court was dismissive of California law holding that time spent filling out paperwork is insufficient to allege damages, and relied on factually distinguishable and unpublished California authority (which is not precedential, and may not even be cited under California procedure) to find that loss of use of money was a cognizable form of damages. And for the Illinois plaintiff, who alleged she had purchased credit monitoring as a result of the breach, the Seventh Circuit flatly disregarded published Illinois appellate authority rejecting the plaintiff’s alleged damages theory, on the basis that the court believed—without citation to any Illinois state authority—that the Illinois Supreme Court would not agree with the state appellate court.
While the court somewhat tempered its decision by declaring that the question of whether Barnes & Noble violated any state laws by failing to prevent the thieves from stealing customer information remained open on remand, and questioned whether a class could be certified, this decision should nevertheless be concerning to companies in the Seventh Circuit who, like Barnes & Noble, find themselves victims of data thieves, even where years have passed and it is clear that the impacts to consumers are de minimis.