Big data breaches are all over the news lately, but when is a merchant liable to individuals whose information is breached? Two cases have recently addressed questions relating to the nature of damages needed to sustain a civil claim against a merchant for data breaches.

In Whalen v. Michael Stores, Inc., 2015 U.S. Dist. LEXIS 172152 (E.D.N.Y. December 28, 2015), the District Court for the Eastern District of New York found that a consumer suffered no actual damages from a merchant’s data breach where no fraudulent charges were made on her credit card and she failed to provide sufficient allegations on future harm.

Mary Jane Whalen used a credit card at a Michaels Stores location between May 8, 2013 and January 27, 2014. During that same time period, hackers used malware to retrieve over 2.6 million credit or debit card numbers. Whalen, along with a class of others, sued Michaels for breach of an implied contract and violation of New York law. establish subject-matter jurisdiction because she did not suffer any actual damages.

Whalen alleged that she: (1) experienced unauthorized fraudulent charges on her credit card; (2) lost time and money associated with credit monitoring and obtaining replacement cards; (3) overpaid for Michaels’ goods and services because she would not have shopped there had she known that Michaels did not properly safeguard her personal information; and (4) lost value of her credit card information. The court did not find that any of the alleged harms amounted to actual damages because, although there was an attempted use of Whalen’s credit card in Ecuador, the card was not used, Whalen suffered no financial loss, and Whalen could not establish potential future harm. Because Whalen’s claims were not sufficient to establish subject-matter jurisdiction, the court granted Michaels’ motion to dismiss on those grounds.

Similarly, in the case of In re SuperValu, Inc., 2016 U.S. Dist. LEXIS 2592 (D. Minn. January 7, 2016), the District Court for the District of Minnesota found that the speculation of future harm was insufficient for consumers to bring suit against a merchant after a data breach.

Consumers shopped at SuperValu, Inc. and related stores and provided their personal identifying information to the stores when they used a payment card. Two data breaches occurred, resulting in the potential theft of information stored in the magnetic strip of the payment cards, which included cardholder names, account numbers, expiration dates, and PINs. The consumers sued SuperValu in the U.S. District Court for the District of Minnesota, alleging, among other things, diminished value of their personal identifying information, increased risk of future losses, economic damages, and invasion of privacy. SuperValu moved to dismiss the consumers’ claims for lack of subject-matter jurisdiction, and the court granted the motion without prejudice.

In dismissing the consumers’ case, the court found that the consumers did not meet their burden of demonstrating an injury in fact, a causal connection between the injury and Supervalu’s conduct, and a likelihood that a favorable ruling would redress the consumers’ alleged injuries. Specifically, the court concluded that the consumers’ injuries were speculative and not specific to demonstrate standing because, even with over 1,000 stores impacted, only one consumer alleged that he experienced the fraudulent use of his payment card information. That consumer promptly cancelled his payment card and did not allege that the fraudulent charge was unreimbursed or that he suffered any other monetary loss related to the fraudulent use of his payment card. Thus, the consumers’ claims were based on speculation about damages that may be suffered in the future, and, as the court pointed out, after over a year and a half since the data breaches, no specific facts demonstrated that any consumers suffered harm. Without more specific evidence of injury to the consumers, the consumers lacked standing to bring their claims. 

Thus, these federal courts have found that merchants are liable to consumers who suffer actual and not speculative damage from data breaches. This does not, however, absolve merchants from their duties to protect against data breaches and comply with data breach notification laws, for
which the penalties for noncompliance may be staggering.