In In re Barnes & Noble Pin Pad Litigation, No. 1:12-cv-08617 (N.D. Ill. Sept. 3, 2013), the United States District Court for the Northern District of Illinois dismissed a putative class action against defendant retailer Barnes & Noble because the named plaintiffs could not establish injury in fact stemming from the alleged security breach, and thus lacked standing to bring their claims.
In August of 2012, Barnes & Noble discovered that its customers’ personal identifying information (“PII”) may have been “skimmed” by intruders who had tampered with card readers in many of its stores. Six weeks later, Barnes & Noble publicly announced the breach, but did not provide any individual notice. Plaintiffs, who were Barnes & Noble customers at the time of the incident, filed a class action complaint, alleging claims for breach of an implied contract and a violation of the Illinois Consumer Fraud and Deceptive Business Practices Act. Plaintiffs alleged several forms of injury, including untimely and inadequate notification of the breach, improper disclosure of PII, loss of privacy, and incurring time and expenses to mitigate the increased risk of identity theft or fraud. Only one of the four named plaintiffs experienced a fraudulent charge made to her credit card after she had shopped at a Barnes & Noble store.
In dismissing all of those claims with prejudice, the Court relied heavily on the Supreme Court’s recent decision in Clapper v. Amnesty Int’l USA, 133 S. Ct. 1138 (2013), which was not a data breach case. Clapper clarified that while an injury that is “certainly impending” can establish injury in fact for the purposes of standing, “[a]llegations of possible future injury are not sufficient.” Id. at 1147. Applying the Clapper analysis, the Court stated that “merely alleging an increased risk of identity theft or fraud is insufficient to establish standing.” The Court further reasoned that, even assuming Barnes & Noble had violated certain notification statutes, breach of those statutes alone was insufficient to establish standing. Regarding the alleged improper disclosure of Plaintiffs’ PII, the Court found that, “[t]he inference that their data was stolen, based merely on the security breach, is too tenuous to support a reasonable inference that can be made in Plaintiffs’ favor.” Even as to the plaintiff with a fraudulent charge, the Court found those allegations insufficient because (1) the charge did not go unreimbursed; (2) the only purported harm was a time lag between learning of the charge and received a new card; and (3) there was no allegation that the fraudulent charge was related to the breach. Finally, as to the costs Plaintiffs incurred to mitigate an increased risk of identity theft, the Court reasoned that Plaintiffs could not manufacture standing by incurring costs in anticipation of merely potential harm.
This decision strengthens and adds additional support for the standing defense in data breach litigation. It further makes clear that Clapper, although not decided in the data breach context, can provide strong ammunition in defending breach-based claims.