Data breach litigation continues to fill the courts in all stages, with a new class action filed against Tempur Sealy International and the dismissal of a suit against Barnes & Noble.
In the new action, New York resident Michelle Provost claims that Tempur Sealy (and Aptos Inc., the company’s website host) failed to appropriately safeguard customers’ personal information. The defendants’ poor data security practices and decision not to abide by best practices and industry standards resulted in a February 2016 breach that compromised sensitive consumer data, including names, addresses, email addresses, telephone numbers, and payment card account numbers and expiration dates, the plaintiff alleged.
“Defendants allowed widespread and systematic theft of their customers’ personal information,” according to the complaint. “Defendants’ actions did not come close to meeting the standards of commercially reasonable steps that should be taken to protect customers’ personal information.”
The defendants also waited too long to disclose the extent of the breach and notify affected consumers in a timely manner, Provost claimed. She used her debit card to make two purchases from the Tempur Sealy website in 2016, but when she reviewed her bank statements after being notified of the breach, she found at least one fraudulent charge that was incurred after the hack occurred.
Aptos became aware of the breach in November 2016 but held off informing Tempur Sealy until February 2017 (upon the instructions of law enforcement). Tempur Sealy didn’t give its customers a heads-up until April 2017, and neither defendant has yet to disclose the full extent of the breach, Provost added.
Asserting claims against the defendants for violations of state consumer protection statutes, state data breach statutes, negligence, breach of implied contract and unjust enrichment, the action seeks to recover actual and statutory damages as well as injunctive relief to prevent another breach, including an order requiring the defendants to implement and maintain adequate security measures.
In a separate action, Barnes & Noble was able to dodge consolidated litigation based on similar claims after hackers stole customer credit and debit information from PIN pad terminals in 63 stores in nine states in September 2012. The court dismissed the first two complaints for lack of standing and failure to plead a viable claim, respectively.
The plaintiffs’ third effort was not the charm, despite the fact that they dropped some claims and added factual allegations about their injuries, namely that one had her bank account put on hold, had to spend time with police and bank employees sorting out her financial affairs, lost the value of her personally identifiable information (PII), and suffered emotional distress because she had to renew her credit monitoring service to protect against future fraud.
But U.S. District Court Judge Andrea R. Wood was not persuaded that the updated complaint alleged economic or out-of-pocket damages caused by the data breach, as required by the breach of contract, Illinois Consumer Fraud and Deceptive Business Practices Act, and California Unfair Competition Act claims.
“Plaintiffs’ alleged injuries as to the value of their PII, their time spent with bank and police employees, and any emotional distress they might have suffered are not injuries sufficient to state a claim,” the court said. “In a similar vein, Plaintiffs’ temporary inability to use their bank accounts is also insufficient to state a claim—the temporary inability to use a bank account is not a monetary injury in itself, and Plaintiffs have not set forth any allegations about how they suffered monetary injury due to the inconvenience of not being able to access their accounts.”
Cellphone minutes lost speaking to bank employees were a de minimis cost and too attenuated from Barnes & Noble’s conduct to qualify as a redressable injury, the court added. As for the plaintiff’s renewal of her credit monitoring service, she failed to plausibly allege that the purchase was attributable to the breach, the court said. The plaintiff alleged that the data breach only played a part in her decision to renew the service, “and thus this alleged injury is still insufficient to state a claim.”
Granting the defendant’s motion to dismiss, Judge Wood said further opportunities for amendments to the complaint “would be futile,” dismissing the suit with prejudice.
To read the complaint in Provost v. Aptos, Inc., click here.
To read the order in In re Barnes & Noble Pin Pad Litigation, click here.
Why it matters: The cases demonstrate the challenges facing data breach cases—the difficulties of establishing standing as well as stating a viable claim, as found in the Barnes & Noble litigation. Despite these uphill battles, plaintiffs (like those in the suit against Tempur Sealy) continue to file class actions.