The data breach class action lawsuit filed against grocery store retail chain SuperValu Inc. (“SuperValu”) was put on the shelf by the U.S. District Court for the District of Minnesota on January 7, 2016.[1] The plaintiffs alleged they were harmed by hackers gaining access to and installing malware on the payment-processing network for payment card transactions at SuperValu’s grocery stores. SuperValu notified its customers of two different breaches of information embedded in the magnetic strip of payment cards (“PII”) – first in August 2014 and again in September 2014, affecting more than 1,000 stores.
The only alleged misuse of any of the plaintiffs’ PII was a single unauthorized charge on one plaintiff’s credit card; however, the one plaintiff did not allege the charge was unreimbursed or that he incurred bank fees or other monetary losses related to the charge. And no plaintiff alleged identity theft or attempted identity theft.
Relying on the U.S. Supreme Court’s Clapper ruling, the court granted SuperValu’s motion to dismiss for lack of Article III standing. The court found that the plaintiffs failed to allege sufficient facts to show that future harm is “certainly impending” or that there is a “substantial risk” the harm will occur – noting that the isolated single instance of an unauthorized charge was not indicative of data misuse that is fairly traceable to the data breach.
The court also ruled that the plaintiffs’ costs to mitigate the risk of future harm is not a sufficient injury in fact to confer Article III standing – quoting the Clapper ruling that plaintiffs “cannot manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending.” Additionally, the plaintiffs alleged no facts explaining how their PII became less valuable as a result of the data breach or showing that the loss of privacy and confidentiality resulted in a concrete injury.
Key to the court’s dismissal is the Clapper directive that standing is less likely to exist where a threatened injury hinges on speculation about the actions of third parties, which is particularly relevant in data breach litigation arising from hacker attacks.
Potentially problematic for SuperValu, however, is the court’s ruling that the plaintiffs must plead an injury beyond a statutory violation to meet the standing requirement of Article III. The plaintiffs alleged that they were harmed by SuperValu’s untimely and inadequate notice of the data breach, a claim under state data breach notification laws.[2] This same standing issue is currently pending before the Supreme Court of the United States in Spokeo v. Robins. In Spokeo, the plaintiff sued alleging a violation of the Fair Credit Reporting Act, which lets consumers claim damages from $100 to $1000 if a company publishes a false report about them. Spokeo says the plaintiff should have to show some sort of injury, while the plaintiff says it’s enough to show the company broke the statutory law. A ruling against Spokeo could change the court’s ruling in the Supervalu opinion – and potentially in other data breach class action lawsuits dismissed for lack of Article III standing.
[1] A copy of the opinion can be found here.
[2] Forty-seven states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted legislation requiring private entities to notify individuals of security breaches of information involving personally identifiable information.
— Melody McAnally