The Seventh Circuit once again reversed a dismissal at the pleading stage in a data breach action. Building on its prior rulings allowing data breach cases to jump over standing hurdles, on April 11, 2018, in Dieffenbach v. Barnes & Noble, Inc., No. 17-2408 (7th Cir. 2018), the court also allowed a data breach case to hop over the damages hurdle at the pleading stage.
In Barnes & Noble, the plaintiffs alleged that in 2012, hackers breached PIN pads that Barnes & Noble used to verify customers’ payment information. This breach allegedly allowed the hackers to steal customers’ names, card numbers, expiration dates, and PINs. Barnes & Noble then announced to affected customers that it had been a victim of a data breach. In response to this announcement, some customers allegedly spent money on credit-monitoring services, while others allegedly spent only their personal time sorting out issues related to the breach with their credit card companies and/or the police.
Two lead plaintiffs brought this litigation: Heather Dieffenbach and Susan Winstead. Ms. Dieffenbach alleged four distinct injuries under California’s Customer Records Act and the Unfair Competition Law, three of which the Court found sufficient to allege injury: (1) her bank took three days to restore funds someone else had used to make a fraudulent purchase; (2) she had to spend time sorting things out with police and her bank; and (3) she could not make purchases using her compromised account for three days. And Ms. Winstead alleged two theories of injury under Illinois’ Consumer Fraud and Deceptive Business Practices Act: (1) her bank contacted her about a potentially fraudulent charge on her credit card statement and deactivated her card for several days; and (2) the security breach at Barnes & Noble “was a decisive factor” in her renewing a credit-monitoring service.
Consistent with its recent rulings in data breach actions, the Seventh Circuit noted that the alleged money spent for credit-monitoring services and the loss of the time value of money and one’s own time satisfied Article III standing. See Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688 (7th Cir. 2015) (data breach plaintiffs may have standing based strictly on an alleged impending harm), and Lewert v. P.F. Chang’s China Bistro, Inc., No. 14-3700 (7th Cir. 2016) (the increased risk of fraudulent charges and identity theft that consumers faced because their data had been stolen was sufficient to confer standing).
But the Seventh Circuit this time went further and held that the “time value of money” (the loss of access to plaintiff’s account for three days) and “significant time and paperwork costs incurred to rectify violations” can qualify as economic losses under the California statutory causes of action. The Court also held that the Illinois plaintiff sufficiently pled injury under the Illinois consumer protection statute based on her allegation that the security breach “was a decisive factor” when she paid to renew her credit-monitoring service.
While the Dieffenbach court seems to open the court doors to those who spend time “set[ting] things straight” after a data breach, the court expressly limited its decision to the pleadings stage. The court stated, “All we hold today is that the complaint cannot be dismissed on the ground that the plaintiffs do not adequately allege compensation damages.” The court also acknowledged the reality that, because Barnes & Noble was a victim of the data breach too, “[p]laintiffs may face a difficult task showing an entitlement to collect damages from a fellow victim of the data thieves” and that “it is far from clear that this suit should be certified as a class action.” This is not the last word; plaintiffs continue to face an uphill battle in proving that a class should be certified and that defendant is liable for any damages.