Barnes & Noble Data Breach Class Action Dismissed

King & Spalding

On Monday, October 3, 2016, the U.S. District Court for the Northern District of Illinois dismissed a putative class action lawsuit concerning a 2012 data breach at Barnes & Noble, Inc. (“B&N”) during which hackers obtained personal identifying information (“PII”) belonging to B&N customers. Although the court found that the plaintiffs had established standing to sue, it also concluded that the lack of monetary losses or public dissemination of the PII doomed their claims.

The alleged consumer harm stemmed from a security breach that compromised debit and credit cards swiped at PIN pad terminals at 63 B&N stores in nine states. An earlier ruling by U.S. District Judge John W. Darrah of the same court in 2013 dismissed the dispute without prejudice for standing deficiencies, which his colleague Judge Andrea R. Wood determined last week had been rectified. Nonetheless, Judge Wood again dismissed without prejudice the B&N customers’ claims of breach of contract, invasion of privacy, and violations of Illinois and California consumer fraud statutes for failure to adequately state a claim. 

Specifically, Judge Wood noted that even where customer plaintiffs had identified fraudulent charges made with their stolen credit card information, they failed to demonstrate any out-of-pocket losses associated with those charges. The court distinguished these circumstances from a 2011 data breach suit against Michaels Stores Inc., in which the Michaels plaintiffs had shown unauthorized withdrawals from their accounts and related bank fees, both of which amounted to “actual monetary losses.” Further, Judge Wood found that none of the B&N plaintiffs’ allegations concerning future risk of identity theft and the cost of mitigating such risk amounted to sufficient economic harm to state a claim under the consumer fraud statutes.

The court also found that the exposed PII was not widely disseminated, and that the only people who would have had access to such information were the hackers themselves and potentially third parties to which they sold the PII. Even if the information had been shared publicly, the court added that credit card data would not rise to the level of “private facts” that would be “revealing, compromising, or embarrassing,” as required to sustain an invasion of privacy claim.

Under the court’s order, the B&N consumers have until October 31, 2016, to re-plead their claims.
