On April 11, 2018, the U.S. Court of Appeals for the Seventh Circuit vacated a judgment entered in Barnes & Noble’s favor in a class action case accusing the bookseller of data privacy violations. The lawsuit (Dieffenbach v. Barnes & Noble, Inc.) stemmed from Barnes & Noble’s 2012 data breach, in which fraudsters compromised PIN pads at 63 bookstores in nine U.S. states. The “scoundrels” (as the Seventh Circuit aptly labeled them) used “skimmers” to acquire details such as customers’ names, credit card numbers and expiration dates, and PINs. The case now heads back to the District Court for the Northern District of Illinois, which had dismissed the complaint three times for lack of standing and/or failure to state a claim.
In the most recent iteration, the lower court entered a judgment on the pleadings in Barnes & Noble’s favor after finding that the plaintiffs did not adequately allege compensable damages and therefore lacked standing. In reversing, the Seventh Circuit noted that the plaintiffs alleged a variety of compensable damages including:
- Temporary loss of funds while waiting for banks to reverse unauthorized charges to their accounts.
- Monies spent on credit-monitoring services to protect the plaintiffs’ financial interests.
- The value of lost time devoted to acquiring new account numbers and notifying businesses of these changes.
The Seventh Circuit stated that although “[l]osing the use of money for three days may be a trifle to some people (though to others it may be a calamity) . . . a trifling loss suffices[.]” It further pointed out that state courts have said that significant time and paperwork costs incurred to rectify violations also can qualify as economic losses. These injuries, the court explained, can justify money damages, just as they support standing. With respect to the out-of-pocket expenses related to credit monitoring services, the court found that plaintiffs must show that a culpable data breach caused the monthly payments, but that the complaint could not be dismissed before giving the class an opportunity to make that showing.
Although the Seventh Circuit reversed the judgment and remanded the matter, it highlighted a variety of issues plaintiffs face.
- It noted that Barnes & Noble was itself a victim and that no state laws expressly make merchants liable for failure to “crime-proof their point-of-sales systems.” In fact, the court stated that plaintiffs may have a difficult task showing an entitlement to collect damages from a fellow victim of the data thieves.
- The court indicated that it was “far from clear” that the suit should be certified as a class action.
- In concluding its opinion, the court made clear that it did not consider the merits of the lawsuit: “All we hold today is that the complaint cannot be dismissed on the ground that the plaintiffs do not adequately allege compensable damages.”
Implications for how you should prepare for a data breach - or possible class action litigation
As we have noted in the past, courts across the country have reached different conclusions about whether data breach litigation is sufficiently pled, especially with respect to damages. While some courts have been hesitant to allow litigation to proceed when information has been accessed by a hacker but not used, in this case at least some of the plaintiffs had fraudulent credit card charges. These fraudulent charges likely are sufficient to confer Article III standing in most, if not all, courts.
The atmosphere surrounding data breach litigation is ever-changing, and recent shifts in case law have significant implications for how companies should prepare for a data breach and possible class action litigation. For questions or information on data privacy and cybersecurity litigation, please contact one of the attorneys below.