On June 12, 2017, a putative class action was filed in the U.S. District Court for the Northern District of Georgia against Tempur Sealy International, Inc. and Aptos, Inc. Tempur Sealy is a mattress, bedding and pillow retailer based in Lexington, Kentucky. Aptos is headquartered in Atlanta, Georgia, and formerly hosted and maintained Tempur Sealy’s website and online payment system. The plaintiff alleges that a data breach was discovered in November of 2016 and involved the exposure of payment card data and other PII of an undisclosed number of Tempur Sealy customers.

The complaint advances claims for violations of 49 jurisdictions’ consumer protection laws and 39 jurisdictions’ breach notification laws, as well as causes of action for negligence, breach of implied contract and unjust enrichment. The plaintiff seeks to certify statewide consumer protection and data breach notification classes for New York residents, as well as a nationwide class (or alternative statewide classes) for the negligence, breach of implied contract and unjust enrichment claims. The plaintiff alleges that the defendants failed to follow best practices and industry security standards, including PCI DSS. The plaintiff also complains about violations of Tempur Sealy’s own posted privacy policy. The complaint additionally requests injunctive relief and various forms of monetary damages.

The named plaintiff alleges at least one payment card charge which, “upon information and belief,” she believes was fraudulent. The allegations do not specifically identify whether the charge was related to the exposed payment card information. However, the plaintiff does allege that the identified charge was not reimbursed. The plaintiff’s other alleged injuries are related to benefit-of-the-bargain/overpayment theories and loss of PII value (both of which are generally unpopular arguments with courts), time spent monitoring accounts, card replacement costs and an increased risk of future harm.