May 31, 2018
Seventh Circuit Reinstates Data Breach Lawsuit Against Barnes & Noble
Michael A. Goodman and Kavitha J. Subramanian
The U.S. Court of Appeals for the Seventh Circuit has revived a class action lawsuit against the retailer Barnes & Noble, allowing consumers to continue to pursue claims arising from a data breach in 2012. Judge Frank Easterbrook delivered the unanimous opinion of the three-judge panel, holding that the trial court improperly dismissed the plaintiffs' claims based on a failure to prove damages.
While the appellate court granted a win for the Barnes & Noble customers seeking to sue for losses sustained by the retailer's data breach, Judge Easterbrook cautioned observers against the merits of the plaintiffs' claims. The judge noted that Barnes & Noble was also a victim of a crime, and casted doubt on the plaintiffs' ability to recover from the company.
In 2012, Barnes & Noble discovered that malware on its payment machines allowed hackers to obtain personal identifying information from consumers who used debit or credit cards at its stores. A putative class of consumers, led by Heather Dieffenbach of California and Susan Winstead of Illinois, sued the retailer in the U.S. District Court for the Northern District of Illinois, alleging breach of contract, invasion of privacy, and other California and Illinois state law claims. The consumers alleged damages, including an increased risk of future identity theft, inability to use their money for several days while waiting for a new card, and expenses incurred for credit monitoring services.
The trial court initially dismissed the plaintiffs' claims, finding that the plaintiffs did not plead sufficient facts to demonstrate that they had suffered an injury in fact, in part because a mere increased risk of identity theft was insufficient to establish standing. After the plaintiffs filed an amended complaint, the trial court found that the plaintiffs had suffered injuries resulting from the time they spent speaking with bank employees to get a new card and the money spent on credit monitoring services. Nonetheless, the trial court dismissed the claims, holding that the damages resulting from the alleged injuries were de minimis and too attenuated to Barnes & Noble's conduct to qualify as a redressable injury.
The Seventh Circuit reversed, holding that plaintiffs who have sufficiently alleged an injury in the pleadings may be entitled to damages as provided under the law in federal court. The appellate court explained that, under the Federal Rules of Civil Procedure, so long as the plaintiff is not alleging special damages, the plaintiff is not required to allege the details of the damages incurred by the defendant's conduct if alleged violations are compensable under the law. Accordingly, the appellate court considered whether California and Illinois law allow damages for the claims in the pleadings.
The plaintiffs alleged violations of California's Unfair Competition Law and the Illinois Consumer Fraud and Deceptive Business Practices Act. The appellate court found that the California UCL allows recovery for "lost money or property;" as such, the plaintiff's allegation that she lost the use of her money for three days while waiting to obtain a new debit card supported a claim for damages under the law. Additionally, the Illinois CFDBPA provides recovery for plaintiffs that suffer "actual damages" from a violation of the Act. The appellate court found that paying money for credit monitoring services is an actual and measurable cost that supports recovery under Illinois law.
Although the appellate court remanded the case back to trial court, Judge Easterbrook noted that the court's determination was based on the liberal pleading standards under the FRCP. He indicated that he does not believe the plaintiffs would be successful in proving that Barnes & Noble expressly violated any state law, emphasizing that state law does not make merchants liable for "failure to crime-proof their point-of-sale systems."
Judge Easterbrook concluded that he anticipates that consumers will have a difficult task proving that they are entitled to damages from "a fellow victim of the data thieves." Additionally, he noted that it was far from clear that customers' claims were similar enough to certify a class action.