Within nearly a week of each other, two federal courts in New York and Minnesota have dismissed potentially significant class action data breach cases in December 2015 and January 2016. Given the similar reasoning, the two cases provide legal guidance on how to dismantle data breach claims at the motion-to-dismiss stage.
In Whalen v. Michael Stores, Inc., the data breach initially appeared to be significant for consumers: 2.6 million debit and credit card numbers were stolen over an eight month period. Likewise, in In Re SuperVALU, Inc. Customer Data Security Breach Litigation, two data breaches allegedly resulted in the disclosure of payment card numbers, names, and PINs for customers of over 1,000 grocery stores. But, between the two cases, there were only two alleged claims of actual damages. In such instances, Plaintiffs must resort to stretched arguments to claim “damages” – a required element to proceed with the case. Here are four purported damages claims from the Michaels and SuperVALU cases and why they often fail in data breach cases.
1. Future risk of harm
Plaintiffs typically claim that their payment card or personal information was stolen and it is only a matter of time until they suffer a loss. This argument failed in these two cases (and typically fails elsewhere) because it pre-supposes that hackers read, copied, and understood the data and that hackers intend to use that information to the detriment of the Plaintiff in the future. Standing alone, such arguments are frequently deemed “too speculative” since they rely upon the actions of unknown third parties (and other variables). Moreover, courts are typically ruling on these matters a year or more after the hack occurred and conclude that the absence of harm to date signifies an absence of imminent harm.
2. Lost time and expense
At first blush, it may sound appealing that a Plaintiff was damaged because, as a result of the breach, he or she had to cancel cards, purchase credit monitoring, and be more vigilant with their credit information. However, three years ago, the U.S. Supreme Court concluded that Plaintiffs could not be permitted to “manufacture standing by inflicting harm on themselves…” and, without more, this argument fails.
3. Diminished value of payment or personal information
This argument is premised upon the notion that a Plaintiff’s payment card number and personal information lost value through disclosure alone. In some respects, this argument follows the “future risk of harm” claim. The Michaels court pointed out that no personal information was disclosed – only credit card numbers were obtained. In that case, the Plaintiffs obtained new cards and no harm occurred. To date, no court has found value in credit card numbers and, without more, the mere disclosure of someone’s name, address, and PIN does not confer standing to proceed with a suit.
4. I wouldn’t have shopped here
Here, the Plaintiff claims that the retailer charges more to its customers but fails to use that money towards better security and the Plaintiffs were mislead into thinking that they were paying for additional safeguards. In Michaels, the Plaintiffs did not even allege that Michaels actually uses any customer payments for its security services. There is some room to argue that this claim of “damages” may exist where retailers charge more for credit cards. However, barring additional grounds, courts have been unconvinced by this argument.Not all data breach cases have the potential significance of the Neiman Marcus or Target suits. In fact, it appears that, more frequently than not, consumers are insulated from damage by existing credit laws, replacement cards, and offers of free credit monitoring.