In data breach class actions, standing is often the major obstacle, and has taken on renewed focus following the U.S. Supreme Court’s ruling in Spokeo v. Robins, 136 S. Ct. 1540 (May 24, 2016). See, e.g., Federal Court Finds Intangible Harm Caused by Robocalls Sufficient for Post-Spokeo Standing in TCPA Claim Alleging Privacy Invasion, Technology Law Dispatch (July 6, 2016); Wisconsin Federal Court Finds Spokeo Spells the End for Consumer Privacy Class Action, Technology Law Dispatch (June 21, 2016). However, as a recent decision from the U.S. District Court for the Northern District of Illinois indicates, prevailing on standing is just one battle, but is far from winning the war. Earlier this week, Barnes & Noble escaped a data breach class action after the court found plaintiffs cleared the standing hurdle but could not survive the retailer’s motion to dismiss because of a lack of out-of-pocket damages.
Plaintiffs’ claims arose from a late-2012 incident in which a group of so-called skimmers tampered with PIN pads in 63 Barnes & Noble locations in California, Connecticut, Florida, Illinois, Massachusetts, New Jersey, New York, Pennsylvania, and Rhode Island. Six weeks after Barnes & Noble discovered the problem, the retailer publicly announced that the tampering may have resulted in the theft of customers’ debit and credit information. In March 2013, plaintiffs filed a complaint alleging breach of contract; violation of Illinois’ Consumer Fraud and Deceptive Business Practices Act (“ICFA”); invasion of privacy; violation of the California Security Breach Notification Act; and violation of the California Unfair Competition Act (“UCL”). In April 2013, the Northern District of Illinois granted Barnes & Noble’s motion to dismiss, finding plaintiffs failed to meet Article III’s standing requirements.
Plaintiffs then filed an amended complaint, alleging the same counts but providing additional factual matter. Again, Barnes & Noble moved to dismiss. However, the Northern District found this time plaintiffs had established standing. Analyzing the claims in light of Remijas v. Neiman Marcus Group, 794 F.3d 688 (7th Cir. 2015), the Court found injury-in-fact was established because plaintiffs alleged they incurred injuries while protecting themselves from a “substantial risk” of fraudulent charges. The Court found that because plaintiffs made purchases at several of the affected locations during the relevant time period; that because the skimmers made unauthorized purchases using the stolen data; and because plaintiffs spent time and money preventing unauthorized use of their personal data, they established a substantial risk of harm that prompted plaintiffs to reasonably incur costs to mitigate or avoid the harm.
However, those arguments were ultimately insufficient to win the day. On each and every count of the amended complaint, the Northern District of Illinois found plaintiffs’ claims fell short on the issue of damages. For example, regarding the breach of contract claim, plaintiffs alleged that by providing financial information to Barnes & Noble, they entered into an implied contract whereby the retailer “became obligated to safeguard Plaintiffs’…PII [personal identifying information].” However, the Court found that claims of overpayment for purchase and loss of value of their PII were insufficient, citing Remijas. The Court also rejected plaintiffs’ claim that suffering anxiety as a result of the breach was sufficient to establish damages. And while one plaintiff alleged to have renewed identity protection monitoring services at a set monthly cost, that could not constitute sufficient damages because that plaintiff already subscribed to the services before the breach and only renewed them “in part” because of the breach.
Notably, the Court rejected the invasion of privacy claim by finding two elements were unsatisfied. Under Illinois and California law, plaintiffs had to establish that there was (1) a “public” disclosure (2) of private facts, and (3) the matter made public would be “highly offensive to a reasonable person.” First, plaintiffs failed to allege that the breached information was shared beyond merely the skimmers and any third parties to whom that information was sold. Next, the Court found that PII such as credit card information, names, and PINs were not the type of “private facts” for which disclosure would be “highly offensive to a reasonable person.” Likewise, the Court found damages deficient with respect to the California Security Breach Notification Act, because even though Barnes & Noble delayed revealing its discovery of the breach for six weeks, plaintiffs did not allege that any injuries were caused by the delay.
The Barnes & Noble decision is instructive for a few reasons. First, and perhaps most significant, is that simply establishing injury for purposes of Article III standing does not guarantee a satisfaction of the damages element required for substantive claims. Additionally, the same pleading deficiency – here, failing to establish sufficient damages – can sink numerous claims, whether based in statutes or the common law. For data breach and class action defendants, this means that even if plaintiffs make a strong showing under post-Spokeo standards for standing, there is no need to give up the ship quite yet. Even at the motion to dismiss stage, overly attenuated or speculative claims of damages may be insufficient to permit a case to go forward.