The U.S. District Court for the Southern District of Illinois recently denied the retail grocery chain Schnuck Markets’ motion to dismiss various claims arising from a December 2012 data breach in which hackers gained access to Schnucks’ credit/debit card processing systems. 

The U.S. District Court for the Southern District of Illinois recently denied the retail grocery chain Schnuck Markets’ motion to dismiss various claims arising from a December 2012 data breach in which hackers gained access to Schnucks’ credit/debit card processing systems. By mid-March 2013, both customers’ banks and Schnucks’ own payment processor had notified Schnucks that the breach had resulted in fraudulent charges to customer cards. 

All 200 plaintiffs named in the case adopted a single paragraph outlining the same losses and damages, including both economic and non-economic harm such as direct financial losses caused by fraudulent charges; embarrassment and reputational damage caused by declined cards; damage to personal credit; money and value of time lost mitigating the increased risk of identity theft and fraud, replacing compromised cards, and reconfiguring automatic payment; diminished value of their personal information and financial information; increased risk of future damages; and emotional harm.

Schnucks argued that the plaintiffs’ complaint should be dismissed for failure to state a claim, specifically because the plaintiffs did not sufficiently plead actual injury. The court disagreed and denied Schnucks’ motion, finding that the plaintiffs alleged with sufficient specificity that they had already suffered non-economic and economic harm. Although the court found the content of the complaint sufficient, it did note that whether the evidence supports the allegations is a different issue that could be weighed on summary judgment.

TIP: While this decision indicates a slight trend towards more plaintiff-friendly decisions, it is not yet clear that the plaintiffs will be able to establish harm in this case. Regardless, this decision – and others – highlight that those impacted by data breaches are continuing to pursue the organizations who suffered the breaches.