In Dieffenbach v. Barnes & Noble, Inc. [1], the Seventh Circuit allowed a data breach class action to survive the pleadings stage, including a challenge to the plaintiffs’ standing. At the same time, the Court indicated that the plaintiffs may have a tough time proving their claims on the merits or establishing that class certification is warranted. That warning may put the brakes on this action as well as others brought on a similar theory of liability.

The Dieffenbach case arose out of an alleged 2012 breach of the defendant’s point of sale system. Hackers acquired customers’ names, credit and debit card numbers and expiration dates, and PINs [2]. In 2013, the district court dismissed the case for lack of standing [4]. Subsequently, the Seventh Circuit issued a pair of decisions in two other data breach class action cases, which held that “consumers who experience a theft of their data indeed have standing.” In light of these decisions, the district court reversed course on the standing question but nonetheless dismissed the plaintiffs’ claims for failure to adequately plead damages [5].

Although it expressed skepticism as to whether the plaintiffs could prove their case on the merits, the Seventh Circuit vacated the dismissal and held that when a plaintiff has adequately alleged standing, they have also adequately alleged damages if that is an element of their underlying claim [6]. The Court ruled that the plaintiffs had adequately alleged standing on three bases: “[1] because the data theft may have led them to pay money for credit-monitoring services, [2] because unauthorized withdrawals from their accounts cause a loss (the time value of money) even when banks later restore the principal, and [3] because the value of one’s own time needed to set things straight is a loss from an opportunity-cost perspective.” [7] The Seventh Circuit went on to hold that, as a general matter, “[t]hese injuries can justify money damages, just as they support standing” as “all th[e] complaint needed to do was allege generally that plaintiffs have been injured.” [8]

Turning to damages, the Court first examined whether one of the named plaintiffs had adequately alleged “lost money or property” sufficient to sustain her claim under California’s Unfair Competition Law (UCL) [9], based upon her allegations that “(1) her bank took three days to restore funds someone else had used to make a fraudulent purchase [and she could not use her account during that time]; (2) she had to spend time sorting things out with the police and her bank; … and [3] she did not receive the benefit of her bargain.” [10] Alleging “lost money or property” under the California law is not an insignificant hurdle, yet the Seventh Circuit held that the plaintiff’s first and second alleged injuries were sufficient, because being without her account for three days caused her to lose the “time value of [her] money” even if she eventually got it all back, and because “significant time and paper-work costs incurred … can qualify as economic losses.” [11] The Court’s holding under the California UCL, however, is arguably at odds with established California law that monetary damages are not recoverable under the UCL. Rather, the UCL limits plaintiffs’ remedies to restitution and injunctive relief [12].

As to the damages allegations under the Illinois Consumer Fraud and Deceptive Business Practices Act [13], the Court focused on the second plaintiff’s allegation that “the security breach … ‘was a decisive factor’ when she renewed a credit-monitoring service for $16.99 per month.” [14] The Court stated, in rather summary fashion, that “a monthly $17 out of pocket is a form of ‘actual damage’ [because] [i]t is real and measurable; Illinois does not require more.” [15]

Despite holding the door open to the plaintiffs at the pleadings stage, the Seventh Circuit made clear that its decision was narrow in scope. Specifically, the Court noted that its decision only “concerns injury,” and that it “ha[d] not considered whether [defendant] violated any of these [] state’s laws by failing to prevent villains from stealing plaintiffs’ names and account data.” [16] Further, the plaintiffs’ ability to prove their claims was likely to be difficult as “[n]one of the state laws expressly makes merchants liable for failure to crime-proof their point of sale systems,” and “plaintiffs must show that a culpable data breach caused the monthly payments.” [17] Indeed, the Seventh Circuit noted that the defendant here “was itself a victim,” and “[p]laintiffs may have a difficult task showing an entitlement to collect damages from a fellow victim of the data thieves.” [18] The Court also expressed doubt that the case could be certified because the “state laws and the potential damages are disparate.” [19]

At the end of the day, the Dieffenbach decision may prove to be less of a boon and more of a bust for plaintiffs in data breach class actions. Although it may provide a means to get into court and survive a motion to dismiss, the decision makes clear that obtaining a favorable outcome may be a “difficult task.” [20] We will continue to monitor and report on developments regarding data breach litigation in the Seventh Circuit and elsewhere [21].