Takeaway: In the wake of Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016), defendants in data breach class actions regularly move to dismiss on standing grounds, arguing the complaint’s allegations do not plausibly allege an injury-in-fact that is fairly traceable to the defendant’s conduct. Prevailing on the standing issue, however, means the district court does not have jurisdiction to resolve the merits of the dispute – it can only enter a procedural dismissal without prejudice. Moreover, where a standing challenge succeeds in federal court, the same claims could potentially be re-filed as non-removable claims in state court, because the defendant already succeeded in showing the absence of federal jurisdiction. We discussed these concerns in our February 13, 2019 post, Is standing overrated? Data breach defendants who lose standing battles end up winning dismissal on the merits. The Eighth Circuit recently affirmed the district court decision featured in that post, a decision entered in the long-running SuperValu data breach litigation. The Eighth Circuit’s decision demonstrates once again that attacking a data breach class action on the merits, instead of on standing grounds, might be the best route for some class defendants.
The district court in the SuperValu litigation originally dismissed the data breach class action on standing grounds. On appeal, the Eighth Circuit largely agreed with the district court, but it reversed and remanded based on an “isolated single instance of an unauthorized charge” suffered by a single class representative (David Holmes). In re Supervalu, Inc., 870 F.3d 763, 768, 772-774 (8th Cir. 2017).
In that opinion, the Eighth Circuit acknowledged a number of key omissions in Mr. Holmes’ allegations, including “that he failed to allege the date he shopped at the affected [SuperValue] store, the amount of the charge, or that the charge was unreimbursed.” Id. at 773. “While such omissions could be fatal to the complaint under the ‘higher hurdles’ of Rules 8(a) and 12(b)(6)—a contention that we do not opine on here—standing under Article III presents only a ‘threshold inquiry,’ requiring ‘general allegations’ of injury, causation, and redressability. We conclude that these attacks on the sufficiency of Holmes’ allegations are more properly directed at whether the complaint states a claim, not whether Holmes has alleged standing.” Id. (citations omitted).
Not surprisingly, SuperValu moved to dismiss on the merits on remand, and the district court dismissed all of Mr. Holmes’ remaining claims with prejudice. Among other rulings, the district court dismissed the negligence claim because Mr. Holmes did not allege an out-of-pocket loss (that is, he did not allege he paid the fraudulent charge or that any payment was not reimbursed). In re: SuperValu, Inc., Customer Data Security Breach Litigation, No. 14-MD-2586 ADM/TNL, 2018 WL 1189327, at *11-13 (D. Minn. Mar. 7, 2018). The district court also rejected the negligence claim based on the economic loss rule, finding the plaintiff did not allege personal injury or property damage. Id. at *13-14. And the court further noted that courts had consistently declined to impose a duty in tort under Illinois law to protect personal information. Id. at *14.
The plaintiff’s claim under the Illinois Consumer Fraud and Deceptive Practices Act failed because he failed to allege actual pecuniary loss. Id. at *15. And the unjust enrichment claim failed because the plaintiff conceded he had obtained goods of value from SuperValu. Id. at *16-17. The district court did not accept the argument that he paid “for a side order of data security and protection.” Id. at *16.
On May 31, 2019, the Eighth Circuit affirmed the district court’s ruling. In re SuperValu, Inc., --- F.3d ---, No. 18-1648, 2019 WL 2306267 (8th Cir. May 31, 201). Regarding Mr. Holmes’ negligence claim, the Eighth Circuit agreed with the Seventh Circuit that Illinois law “does not recognize a duty in tort to safeguard personal information,” as required to allege a viable negligence claim. 2018 WL 2306267, at *4 (citing Cmty. Bank of Trenton v. Schnuck Mkts., Inc., 887 F.3d 803, 816 (7th Cir. 2018)).
Regarding Mr. Holmes’ claim under the Illinois Consumer Fraud and Deceptive Practices Act, the Eighth Circuit affirmed the dismissal of that claim for failure to allege actionable damages or a likelihood of future harm. Id. at *4-*5. Rejecting damages for time spent protecting against future harm, the Eighth Circuit reaffirmed its prior ruling that the “risk of future identify theft was too speculative to create standing.” Id. at *5 (citing In re SuperValu, Inc., 870 F.3d 763, 771 (8th Cir. 2017)). “A purely speculative injury is by definition not ‘real and measurable’ and cannot constitute actual damages.” Id. (citation omitted).
Regarding Mr. Holmes’ implied contract claim, the Eighth Circuit re-affirmed its prior determination that the complaint “‘does not sufficiently allege that plaintiffs were party to [an implied] contract.’” Id. at *6 (quoting 870 F.3d at 771 n.6).
And regarding Mr. Holmes’ unjust enrichment claim, the Eighth Circuit ruled: “Because [plaintiff] does not allege that any specific portion of his payment went toward data protection, he has not alleged a benefit conferred in exchange for protection of his personal information nor has he shown how SuperValu’s retention of his payment would be inequitable.” Id. at *6 (citation omitted).
The Eighth Circuit’s decision shows that losing the standing battle may merely be a prelude to winning the merits war. At a minimum, the decision shows that every motion to dismiss on standing grounds should also be accompanied by a corresponding motion to dismiss on the merits. And in a data breach case where no class plaintiff alleges an actual monetary loss, class defendants should consider seeking a merits-based dismissal rather than a dismissal without prejudice for lack of standing.