Eighth Circuit Affirms Dismissal of Putative Class Action Litigation Against Charter Communications Alleging Unlawful Retention of Personally Identifiable Information 

Braitberg v. Charter Commc’ns, Inc., No. 14-737, 2016 WL 4698283 (8th Cir. Sept. 8, 2016)

The Eighth Circuit affirmed the dismissal of a putative class against cable television provider Charter Communications for allegedly retaining personally identifiable information (PII) of former subscribers, including addresses, telephone numbers and Social Security numbers, years after subscribers had canceled the service, in alleged violation of the Cable Television Consumer Protection and Competition Act, which governs cable operators’ retention of subscriber data. Lead plaintiff Braitberg alleged injury because retention of the PII was allegedly a “direct invasion of . . . federally protected privacy rights” and deprived him of the full value of the services purchased, on the theory that there was monetary value in controlling the retained PII. The district court dismissed the putative class action, holding that plaintiff lacked standing. The Eighth Circuit affirmed the dismissal, applying the Supreme Court’s analysis in Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016), which held that a “concrete injury must ‘actually exist,’ and it must be ‘real,’ not ‘abstract.’” The appellate court held that Braitberg had not alleged an “injury in fact” because his complaint asserted “a bare procedural violation, divorced from any concrete harm.” Braitberg failed to allege that Charter had (i) “violated a duty to destroy” PII, (ii) “disclosed the information to a third party,” or (iii) used the information in any way. Plaintiff also did not allege that “any outside party had accessed the data.” Without a more particularized harm, plaintiff could not establish standing, and dismissal was affirmed. View the decision.

Third Circuit Affirms Dismissal of Putative Class Action Following Data Breach and Misuse of Customer and Employee PII 

Longenecker-Wells v. Benecard Services, Inc., No. 15-3538, 2016 WL 4474701 (3d Cir. Aug. 25, 2016) 

The Third Circuit affirmed dismissal of a putative class action litigation against Benecard, a prescription benefit administration services company, arising from the misuse of employee and customer data after an illegal data breach of Benecard’s computer system. In early 2015, unknown third parties breached Benecard’s computer system and used the PII obtained to file fraudulent federal tax returns and redirect tax refunds. Plaintiffs asserted claims for negligence and breach of implied contract under Pennsylvania law. The district court dismissed the negligence claims as barred by Pennsylvania’s economic loss doctrine, as well as the breach claims for failure to state a claim. On appeal, the Third Circuit affirmed the dismissal, rejecting an argument that the economic loss doctrine did not apply because the negligence claim arose under “a common law duty grounded in public policy.” View the decision.

Georgia District Court Approves $13 Million Settlement of Claims Arising From Home Depot Data Breach 

In re Home Depot, Inc., Customer Data Sec. Breach Litig., Case No.: 1:14-md-2583-TWT (N.D. Ga. Aug. 23, 2016) 

A Georgia federal judge approved a total package settlement valued at approximately $27 million (including a $13 million cash fund) between consumers and Home Depot on claims arising from a data breach of Home Depot’s payment systems, announced in September 2014. Plaintiffs alleged, among other claims, violations of various state consumer laws and data breach statutes. The parties settled while a motion to dismiss was pending. The settlement allows for up to $10,000 for a settlement class member with documented claims. Home Depot agreed to “implement and maintain enhanced security measures designed to detect and prevent this type of harm from occurring again.” Home Depot also agreed to provide 18 months of identity monitoring services to members of the settlement class. The court held that an attorneys’ fees award of $7.5 million was fair and reasonable. View the decision.

Eighth Circuit Affirms Dismissal of Putative Class Action Litigation Against GameStop Alleging Unlawful Sharing of Customer Data With Facebook 

Carlsen v. GameStop, Inc., 833 F.3d 903 (8th Cir. 2016) 

The Eighth Circuit affirmed the dismissal of a putative class action against GameStop Inc. and Sunrise Publications Inc. for allegedly sharing PII with Facebook, in violation of GameStop’s privacy policy. The complaint alleged that plaintiff accessed the website www.gameinformer.com to manage subscriptions and access enhanced content and message boards with his Facebook account and used Facebook’s features, such as “Like” and “Share,” and that, in that process, GameStop disclosed his Facebook ID and browsing history, in violation of its privacy policy. The district court dismissed the claims for lack of standing, holding, in part, that plaintiff had failed to allege a cognizable injury in fact because he “had failed to allege that he paid any specific amount for the privacy policy or that he bargained for additional data privacy over that received by non-paying Game Informer visitors.” The Eighth Circuit, however, held that plaintiff had standing on his breach of contract, unjust retention of payment and Minnesota consumer fraud law claims, but affirmed the dismissal because the privacy policy “unambiguously” did not include a promise not to disclose PII such as Facebook ID or browser history. As a result, plaintiff failed to state a claim for breach of contract or for violations of state consumer fraud laws. View the decision.

Illinois Federal Court Dismisses Putative Class Action Against Barnes & Noble Following 2012 Data Breach 

In re Barnes & Noble Pin Pad Litig., No. 12-cv-08617, 2016 WL 5720370 (N.D. Ill. Oct. 3, 2016) 

For the second time, a Northern District of Illinois federal judge dismissed a putative class action against Barnes & Noble arising out of a 2012 data breach in which illegal “skimmers” secretly collected customer credit and debit card information at PIN pad terminals in 63 stores. The putative class action alleged breach of contract, violations of the Illinois Consumer Fraud and Deceptive Business Practices Act, and violations of similar California statutes, among other claims and damages arising from “unauthorized disclosure of their PII, loss of privacy, expenses incurred attempting to mitigate the increased risk of identity theft or fraud, time lost mitigating the increased risk of identity theft or fraud, an increased risk of identity theft, deprivation of the value of the Plaintiffs’ PII, and anxiety and emotional distress.” The court dismissed the complaint for lack of Article III standing and allowed plaintiffs to replead. The amended complaint included expanded allegations concerning the damages flowing from the breach, including incidents of identity theft. The court held that, as a result, plaintiffs had met their burden of establishing “injury in fact” for Article III standing, but dismissed the claims on the separate ground that plaintiffs failed “to plead any economic or out-of-pocket damages.” The court rejected arguments that devaluation of PII, overpayment for purchases constituted, or time spent mitigating and preventing improper use of PII were requisite damages. View the decision.

DC Federal Court Dismisses Putative Class Action Against CareFirst BlueCross BlueShield Following 2014 Data Breach 

Attias v. CareFirst, Inc., No. 15-cv-00882 (CRC), 2016 WL 4250232 (D.D.C. Aug. 10, 2016)

A putative class of insureds brought a suit against CareFirst alleging that the insurer had violated certain state laws by failing to safeguard their PII. The lawsuit followed a 2014 data breach of CareFirst’s computer systems, which compromised the PII of over a million policyholders. CareFirst moved to dismiss, arguing that because plaintiffs had not alleged actual misuse of their PII, they could not establish injury necessary for Article III standing. Plaintiffs countered that the breach had “increased [their] likelihood of identity theft” and that they had incurred costs to mitigate that occurrence. The district court rejected these arguments and granted the motion to dismiss, noting “[t]heft of electronic data has become commonplace in our digital economy, victimizing millions of Americans each year. But while the resulting harm to consumers can be catastrophic, not all data breaches result in legally actionable injuries.” The court held that “[a]bsent facts demonstrating a substantial risk that stolen data has been or will be misused in a harmful manner, merely having one’s personal information stolen in a data breach is insufficient to establish standing to sue the entity from whom the information was taken.” Although certain plaintiffs alleged that they had been the victims of tax fraud as a result of the breach, the court held that because Social Security numbers were not disclosed in the breach, those plaintiffs could not prove causation sufficient to establish standing. The court also rejected claims that the plaintiffs had lost an “intrinsic value” in the control of their PII, as well as claims arising under the D.C. Consumer Protection Procedures Act, because Spokeo did not confer Article III standing for mere statutory violations alone. The matter is currently on appeal. View the decision.

Heightened Risk of Future Identify Theft Insufficient to Establish Concrete Injury Under Spokeo 

Kamal v. J. Crew Grp., Inc., No. 2:15-cv-0190, 2016 WL 6133827 (D.N.J. Oct. 20, 2016) 

Citing Spokeo, a New Jersey district court dismissed a proposed class action alleging that retailer J. Crew printed too many digits of consumers’ credit card numbers on customer receipts, in violation of the credit card number truncation provision of the Fair and Accurate Credit Transactions Act. The court concluded that plaintiff’s claim that the retailer’s improper credit card truncation exposed him and the class of consumers to a heightened risk of fraud and identity theft in the future was not sufficient to meet the concreteness standard of Spokeo. “There is no evidence that anyone has accessed or attempted to access or will access plaintiff’s credit card information. Nothing has been disclosed to third parties. Nor does the record indicate that anyone will actually obtain one of plaintiff’s discarded J. Crew receipts, and – through means left entirely to the court’s imagination – identify the remaining six digits of the card number and then proceed undetected to ransack Plaintiff’s Discover account.” View the decision.

California District Court Approves $9 Million Settlement of Allegations That Mobile Manufacturers Illegally Collected User Data 

In re Carrier IQ, Inc. v. Consumer Privacy Litig., No. 12-MD-02330-EMC, 2016 WL 4474366 (N.D. Cal. Aug. 25, 2016) 

A California federal judge has approved a $9 million settlement between consumers and various manufacturers of mobile phones on claims that they illegally collected user data, in violation of the Federal Wiretap Act, state privacy and consumer protection laws, the Magnuson-Moss Warranty Act, and the implied warranty of merchantability. After the deduction of incentive awards for the named plaintiffs, litigation costs and attorneys’ fees (approved at $2.25 million), the settlement creates a fund of $5.9 million for approximately 30 million class members. View the decision.