Plaintiffs continue to battle for standing in data breach cases, and another federal court recently added to a growing body of decisions helpful to companies who find themselves on the receiving end of a lawsuit after falling victim to hackers.  The United States District Court for the Eastern District of New York decided last month in Whalen v. Michaels Stores, Inc. that craft supplies giant Michaels Stores, Inc. (“Michaels”) is not liable to a putative class of plaintiffs whose credit card information was stolen when the company’s computer system was hacked in early 2014.  Finding that the plaintiff alleged no unreimbursed fraudulent charges, and no impending injury, the court granted the company’s motion to dismiss for lack of standing.

Mary Jane Whalen sued Michaels on behalf of a class of individuals similarly situated, alleging that her credit card information was among the data hackers obtained from Michaels and its subsidiary, Aaron Brothers, in a security breach that reached approximately 2.6 million cards.  In an effort to establish Article III standing, the plaintiff alleged that she and the putative class members suffered five types of injury:

  1. actual damages including monetary losses arising from unauthorized bank account withdrawals, fraudulent card payments, and/or related bank fees charged to their accounts;
  2. loss of time and money associated with credit monitoring and obtaining replacement cards;
  3. overpayment for Michaels’ services;
  4. lost value of credit card information; and
  5. violation of New York General Business Law § 349.

The court rejected each of these theories.  As to actual damages, the court noted that the plaintiff had not alleged that she had lost any money.  Rather, she merely alleged that her credit card (which she cancelled) had been “physically presented for payment” to a gym and a concert venue in Ecuador.  She did not allege that the charges were approved or that she suffered any loss because of them.  Even if the charges had been approved, the court noted, the plaintiff “would not have suffered any liability ‘given the zero-fraud-liability policy of every major credit card issuer in the country, including Whalen’s card issuer.’”

The court made short work of the plaintiff’s second alleged injury, relying upon the Supreme Court’s admonition in Clapper v. Amnesty International, USA that plaintiffs “cannot manufacture standing” through credit monitoring.  Moreover, Michaels offered one year of free credit monitoring to those affected by the breach.

The plaintiff’s third theory of harm, overpayment for services, hinged on the idea that she would not have used her credit card at Michaels had she known that her information would not be reasonably safeguarded.  The court found that this argument rang hollow, noting that the plaintiff “failed to allege that Michaels charges a different price for credit card payments and cash payments or that Michaels uses any customer payment for its security services.”

The court seemed to find the plaintiff’s fourth alleged injury — diminished value of her credit card information — nonsensical, simply noting that “without allegations about how her cancelled credit card information lost value, Whalen does not have standing on this ground.”  And an alleged statutory violation is likewise insufficient to gain standing, the court held.

Having rejected each of the plaintiff’s attempts to show actual harm, the court then turned to her argument that she faced an increased risk of future harm sufficient to confer standing.  It is well-established that such harm must be “certainly impending,” or present a “substantial risk,” to constitute an injury-in-fact for Article III purposes.  Fatal to the plaintiff’s argument on this point was her own allegation that “fraudulent use of cards might not be apparent for years,” (emphasis added by the court) and the fact that in the nearly years between the breach and the filing of her complaint, the plaintiff had suffered no harm.

The decision reinforces the idea that a security breach should not expose a company to liability to those whose information was taken unless plaintiffs can show that they suffered some demonstrable loss or are very likely to suffer one in the foreseeable future.