Last Friday we blogged on the Saks data breach class action, and in the process mentioned a trend among federal courts to reject fear of future identity theft claims in retail breach cases. As we explained, because retail breaches rarely involve theft of social security numbers, date of birth, healthcare information or other data that can be used to commit identity theft, courts have typically found that plaintiffs in such cases lack standing to pursue their claims in federal court.
Dismissal in one of those cases we mentioned, SuperValu, was affirmed on Friday by the 8th Circuit. The Court’s opinion doesn’t address the standing argument we blogged about, but instead rests on a different ground that highlights another hurdle that data breach plaintiffs continue to face: even if they can plausibly allege an injury in fact for standing purposes, that injury may be insufficient to meet damages standards under applicable state law.
The procedural history of the SuperValu case spans five years and multiple dismissals and appeals, but here’s the skinny: after the district court initially dismissed the action for lack of standing, plaintiffs’ counsel located a consumer who had suffered fraudulent charges on his credit card stemming from the SuperValu breach in 2014. This fact distinguished the consumer from other plaintiffs who relied unsuccessfully on a fear of future identity theft to support their standing claim. After significant motion practice over whether the post-judgment process plaintiffs used to amend the complaint was proper, the new consumer was substituted in as a plaintiff/class representative and the case reinstated. The district court then granted SuperValu’s 12(b)(6) motion, finding that the plaintiff had failed to plead cognizable negligence, consumer fraud, unjust enrichment, and implied contract claims.
The 8th Circuit affirmed the district court decision. The most important rulings relate to the viability of the plaintiff’s negligence and consumer fraud claims. The 8th Circuit found that Illinois state law did not recognize a common law duty of merchants to protect consumers against criminal activity, including data breaches. In the Court’s view, consumers and merchants do not have a special relationship sufficient to establish such a duty, and the FTCA does not establish a private right of action to pursue such a claim.
The Court also affirmed dismissal of the consumer fraud claim, finding that the Illinois statute required plaintiffs establish “actual damage”, defined to mean “pecuniary harm.” Although the plaintiffs did not state so in the amended complaint, the Court concluded that plaintiff had been reimbursed for the fraudulent credit card charge — because federal law and credit card contracts require such reimbursement — and therefore hadn’t suffered any pecuniary harm. The Court also held that the time the Plaintiff had spent monitoring his credit and obtaining a new credit card did not constitute actual damage under the Illinois Consumer Fraud Act.
The SuperValu opinion is a reminder that legal injury and damages are not the same thing. Even where plaintiffs are successful in establishing an injury sufficient for Article III standing, the injury may not be sufficient to meet damages requirements under state causes of action, which often require out of pocket losses. Moreover, not every state has recognized a common law duty for businesses to protect sensitive customer data from unauthorized access. Data breach plaintiffs will continue to face an uphill climb in those jurisdictions, even if they can clear the standing hurdle.