The U.S. Court of Appeals for the Second Circuit found that the plaintiff failed to establish standing and affirmed the dismissal of a consumer class action filed based on data breach at Michaels Stores, Inc.
Mary Jane Whalen made purchases with her credit card at a Michaels store on December 13, 2013. About two weeks later, her credit card was presented for payment to a gym in Ecuador for a charge of $398.16; the next day, it was presented for payment to a concert ticket company in Ecuador for a charge of $1,320.
Whalen canceled her card on January 15 and was not liable for either of the Ecuador purchases. On January 25, Michaels issued a press release acknowledging that the retail chain may have suffered a data breach of its system involving the theft of customers’ credit and debit card data. In a subsequent press release, the company noted that there was no evidence that other information was at risk and offered 12 months of identity protection and credit monitoring services to affected customers.
In response, Whalen filed a putative class action in New York federal court asserting claims for breach of an implied contract and violation of the state’s General Business Law Section 349. A district court judge granted Michaels’ motion to dismiss the suit for lack of standing.
Whalen appealed, asserting three theories of injury to establish Article III standing to pursue her claims: her credit card information was stolen and used twice in attempted fraudulent purchases, she faces a risk of future identity fraud, and she has lost time and money resolving the attempted fraudulent charges and monitoring her credit.
None of her arguments persuaded the court, which unanimously affirmed dismissal in a summary order.
“Whalen does not allege a particularized and concrete injury suffered from the attempted fraudulent purchases … she never was either asked to pay, nor did pay, any fraudulent charge,” the Second Circuit wrote. “And she does not allege how she can plausibly face a threat of future fraud, because her stolen credit card was promptly canceled after the breach and no other personally identifying information—such as her birth date or Social Security number—is alleged to have been stolen.”
As for time and money spent resolving the fraudulent charges and monitoring her credit, “Whalen pleaded no specifics about any time or effort that she herself has spent,” the court said, alleging only that “consumers must expend considerable time” on credit monitoring and that she “and the Class suffered additional damages based on the opportunity cost and value of time that [she] and the Class have been forced to expend to monitor their financial and bank accounts.”
Since Whalen did not seek leave to amend her complaint to add anything more substantial, the panel dismissed the lawsuit.
To read the summary order in Whalen v. Michaels Stores, Inc., click here.
Why it matters: The panel distinguished the “shortcomings” in Whalen’s complaint from other cases that involve vendor data breaches, including class actions against Neiman Marcus and P.F. Chang’s. In both cases, the Seventh Circuit found that in reversing summary judgment in favor of the defendants, the plaintiff’s fear of future harm stemming from the breach was sufficient to establish standing.