McPeak v. Supervalu Inc., No. 3:14-cv-00899 (S.D. Ill., filed Aug 18, 2014)

Hanff v. Supervalu Inc., No. 14-cv-3252 (D. Minn., filed Aug. 25, 2014)

Supervalu, an operator of grocery and liquor stores, announced on August 14 that hackers had installed malware on its point-of-sale network, compromising the credit and debit card data of shoppers between June 22 and July 17 at more than 200 of its stores. Within two weeks of the announcement, consumers filed two putative class actions. Both lawsuits allege that Supervalu’s failure to secure consumers’ data gives rise to claims for negligence, breach of implied contract, and violations of state consumer protection acts. The McPeak suit also alleges violation of the Stored Communications Act and various state data protection statutes, while the Hanff suit includes a claim for invasion of privacy. In alleging damages, the McPeak plaintiffs focus on unspecified unauthorized charges, the time and cost spent replacing cards and monitoring credit, and the increased risk of identity theft. The Hanff plaintiffs additionally allege that they suffered emotional distress and the diminution in value of their personal information. This allegation about the value of the plaintiffs’ personal information amounts to an argument that the data breach deprived consumers of the value they could receive by selling their own credit card information on the black market.