Since 2012, Barnes & Noble has been fighting claims arising from a data breach that affected its credit card pin pad machines. Now, the Barnes & Noble “Pin Pad” litigation is finally over. Following dismissals of the plaintiffs’ first and amended complaints, the court in In Re Barnes & Noble Pin Pad Litigation, No. 12-cv-08617, 2017 WL 2633398 (N.D. Ill. Jun. 13, 2017), recently granted defendants’ motion to dismiss the second amended complaint. The court held that any attempts by plaintiffs to further amend their complaint would be “futile,” and dismissed the case with prejudice. Not only does the dismissal put an end to the litigation, it provides insight into what allegations are required in order to plead a viable cause of action following a data breach and highlights the distinction between the allegations of harm necessary to confer standing in a data breach lawsuit and those necessary to survive a Rule 12(b)(6) motion to dismiss.
The Pin Pad litigation arose in 2012 after Barnes & Noble had announced a security breach in PIN Pad devices in sixty-three stores across nine states. Individuals known as “Skimmers” tampered with and hacked the PIN pad devices that stored customer credit and debit card information. Six weeks after Barnes & Noble became aware of the breach, it announced to the public that customers’ financial information may have been stolen and advised customers to take precautions against identity theft. In Re Barnes & Noble Pin Pad Litigation, 12-cv-08617, 2013 WL 4759588, at *1 (N.D. Ill. Sep. 3, 2013).
Following Barnes & Noble’s announcement of the breach, four plaintiffs – Ray Clutts, Jonathan Honor, Heather Dieffenbach, and Susan Winstead – brought a class action suit against Barnes & Noble. They alleged five causes of action: (i) breach of contract; (ii) violation of the Illinois Consumer Fraud and Deceptive Business Practices Act; (iii) invasion of privacy; (iv) violation of California Security Breach Notification Act; and (v) violation of California’s Unfair Competition Act. Plaintiffs sought damages for unauthorized disclosure of their personal identifying information, loss of privacy, expenses incurred attempting to mitigate the increased risk of identity theft or fraud, time lost mitigating the increased risk of identity theft or fraud, an increased risk of identity theft, deprivation of the value of plaintiffs’ personally identifiable information (PII), and anxiety and emotional distress. The claims were based on the allegation that Barnes & Noble had failed to provide timely notice of the breach.
Barnes & Noble moved to dismiss under Rules 12(b)(1) and 12(b)(6) of the Federal Rules of Civil Procedure. Barnes & Noble argued that, under Rule 12(b)(1), the court lacked jurisdiction because none of the alleged “injuries” were sufficient to create standing, as none of the plaintiffs were actually injured. In Re Barnes & Noble Pin Pad Litigation, 2013 WL 4759588, at *6 (N.D. Ill. Sep. 3, 2013).
The court agreed. The law of “standing” at the time required “(1) that [the plaintiff have] suffered an injury in fact; (2) that is fairly traceable to the action of the defendant and; (3) that will likely be redressed with a favorable decision.” In Re Barnes & Noble Pin Pad Litigation, 2013 WL 4759588, at *6 (N.D. Ill. Sep. 3, 2013) (internal citations omitted). The court held that all of the plaintiffs’ claims rested on allegations of future harm, which were insufficient to satisfy standing. As a result, the court dismissed the original complaint based on Rule 12(b)(1) and did not reach Barnes & Noble’s Rule 12(b)(6) arguments.
Following the dismissal, plaintiffs amended their complaint, and Barnes & Noble once again moved to dismiss under Rules 12(b)(1) and 12(b)(6). Although the amended complaint included “virtually identical facts” as the original complaint, the court denied Barnes & Noble’s motion to dismiss the amended complaint based on a lack of standing. In Re Barnes & Noble Pin Pad Litigation, 2016 WL 5720370, at *9 (N.D. Ill. Oct. 3, 2016).
The court’s decision regarding standing rested on a critical shift in the law of standing in the Seventh Circuit. In Remijas v. Neiman Marcus Group, 794 F.3d 688 (7th Cir. 2015), the Seventh Circuit Court of Appeals held that in the case of a data breach, standing may be satisfied with a showing that there is a substantial risk that future harm will occur or that the plaintiff has incurred expenses to mitigate such a risk. In Re Barnes & Noble Pin Pad Litigation, 2016 WL 5720370, at *4 (N.D. Ill. Oct. 3, 2016). Although the court found that the Pin Pad plaintiffs had satisfied the Remijas standard, it nevertheless dismissed the amended complaint based on Rule 12(b)(6) because plaintiffs had failed to allege injuries sufficient to state a claim.
Under Rule 12(b)(6), a complaint should survive a motion to dismiss only when it contains “sufficient factual matter, accepted as true, to ‘state a claim to relief that is plausible on its face.’” Id. (quoting Bell Atl. Corp. v. Twombly, 550 U.S. 544, 555 (2007)). This standard requires a plaintiff to do more than provide “labels and conclusions” or “a formulaic recitation of the elements of a cause of action.” Twombly, 550 U.S. at 555. And although the court should assume the truthfulness of a plaintiff's well-pleaded factual allegations, it need not accept that all of the plaintiff's legal conclusions are true. Ashcroft v. Iqbal, 556 U.S. 662, 677–79 (2009). “Threadbare recitals of the elements of a cause of action, supported by mere conclusory statements, do not suffice.” Id. at 678. Under the court’s analysis, each of plaintiffs’ claims required allegations that they had suffered injuries as a result of Barnes & Noble’s conduct, but the court found that the plaintiffs’ amended allegations of harm were insufficient to satisfy Rule 12(b)(6)’s pleading standards.
Following the dismissal of their amended complaint, and in a last-ditch effort to satisfy Rule 12(b)(6), plaintiffs Winstead and Dieffenbach filed the second amended complaint (SAC). The SAC alleged four causes of action: (i) breach of contract; (ii) violation of the Illinois Consumer Fraud and Deceptive Business Practices Act (ICF); (iii) violation of the California Security Breach Notification Act; and (iv) violation of California’s Unfair Competition Act (UCA). Unlike the previous claims, which were based on untimely notice, the SAC claimed that Barnes & Noble had failed to maintain adequate security measures. The SAC also added factual allegations to bolster the plaintiffs’ alleged injuries – that plaintiff Dieffenbach’s bank account was put on hold; she could not use her debit card until a new one was delivered; she had to spend time with police and bank employees; she had to use minutes from her cell phone plan to speak with bank employees; she lost the value of her PII; and she suffered emotional distress. The SAC further alleged that Winstead lost the value of her PII; she could not use her credit card until a new one was delivered; and she had to renew her credit monitoring service to protect against any further fraud. In Re Barnes & Noble Pin Pad Litigation, 2017 WL 2633398, at *2.
As with the first two complaints, Barnes & Noble moved to dismiss the SAC under Rule 12(b)(6). In its motion, Barnes & Noble argued that plaintiffs had failed to allege any “redressable injuries” and, therefore, had once again failed to satisfy the 12(b)(6) standard. The court agreed, explaining that in order to survive a motion to dismiss under 12(b)(6), the plaintiffs must “allege economic or out-of-pocket damages caused by the data breach.” Id. at *3.
In analyzing the plaintiffs’ alleged injuries, the court explained that the plaintiffs’ alleged loss of value to their PII, time spent talking to the bank and police, and emotional distress were insufficient allegations of harm to survive a motion to dismiss. None of these allegations demonstrated “economic or out-of-pocket damages.” Furthermore, the “inability to use a bank account [and credit card] is not a monetary injury in itself.” Id. at *3.
The court also rejected Winstead’s claim that she was forced to waste cell phone minutes and renew her credit monitoring service, as both were de minimis, as well as too attenuated to Barnes & Noble’s alleged wrongful conduct. Citing previous cases, the court noted that time and money spent on mitigating the risk of identity theft was not enough of an injury to support the claims. Id. at *3-4 (citing In re Sony Gaming Networks & Customer Data Sec. Breach Litig., 903 F. Supp. 2d 942, 966 (S.D. Cal. 2012); Cooney v. Chicago Pub. Sch., 943 N.E.2d 23, 31 (Ill. App. Ct. 2010)). Similarly, the court rejected the claimed injury for renewing credit monitoring services, as it was merely money spent on mitigating the risk of identity theft. The court also pointed out that the breach was merely a factor, albeit a decisive one, in her decision to renew the services.
In denying the plaintiffs’ claims against Barnes & Noble, the court sent a clear message regarding the allegations of harm that are necessary to survive a Rule 12(b)(6) motion to dismiss causes of action arising out of a data breach. The injury must be an actual out-of-pocket monetary loss that is more than de minimis. Further, the injury must be directly caused by the breach. Under the court’s analysis, additional costs incurred by the plaintiff that are merely associated with the breach do not suffice as an injury to support a plaintiff’s claims.
The decision also highlights the distinction between the allegations of harm necessary to demonstrate standing and those necessary to demonstrate injury for a motion to dismiss. Under Remijas, plaintiffs may satisfy the injury allegations required to demonstrate standing by alleging a “substantial risk of future harm” arising out of a data breach. Remijas, 794 F.3d at 696.
Furthermore, the Seventh Circuit held that the Remijas plaintiffs had established injury-in-fact for standing purposes in response to a motion to dismiss under Rule 12(b)(1) through allegations that they had lost time and money protecting themselves against future identity theft and fraudulent charges. Id. In contrast, the Barnes & Noble court’s decision makes clear that allegations of an increased risk of future harm or incurred mitigation expenses do not qualify as allegations of injuries sufficient to survive a motion to dismiss under Rule 12(b)(6). Instead, economic or direct, out-of-pocket damages are required. Thus, while Remijas may allow data breach plaintiffs to survive a motion to dismiss based on a lack of standing under Rule 12(b)(1), the district court’s most recent – and final – decision in the Pin Pad litigation makes it clear that surviving a Rule 12(b)(6) motion to dismiss requires greater allegations of actual monetary loss.