• Skip to primary navigation
  • Skip to main content
  • Skip to primary sidebar
  • Skip to secondary sidebar

Alston & Bird Privacy, Cyber & Data Strategy Blog

  • Home
  • Services
  • Events
  • Contacts

Illinois District Court Dismisses Data Breach Claims for Lack of Standing

September 13, 2013 By Privacy, Cyber & Data Strategy Team

In In re Barnes & Noble Pin Pad Litigation, No. 1:12-cv-08617 (N.D. Ill. Sept. 3, 2013), the United States District Court for the Northern District of Illinois dismissed a putative class action against defendant retailer Barnes & Noble because the named plaintiffs could not establish injury in fact stemming from the alleged security breach, and thus lacked standing to bring their claims.

In August of 2012, Barnes & Noble discovered that its customers’ personal identifying information (“PII”) may have been “skimmed” by intruders who had tampered with card readers in many of its stores. Six weeks later, Barnes & Noble publicly announced the breach, but did not provide any individual notice. Plaintiffs, who were Barnes & Noble customers at the time of the incident, filed a class action complaint, alleging claims for breach of an implied contract and a violation of the Illinois Consumer Fraud and Deceptive Business Practices Act. Plaintiffs alleged several forms of injury, including untimely and inadequate notification of the breach, improper disclosure of PII, loss of privacy, and incurring time and expenses to mitigate the increased risk of identity theft or fraud. Only one of the four named plaintiffs experienced a fraudulent charge made to her credit card after she had shopped at a Barnes & Noble store.

In dismissing all of those claims with prejudice, the Court relied heavily on the Supreme Court’s recent decision in Clapper v. Amnesty Int’l USA, 133 S. Ct. 1138 (2013), which was not a data breach case. Clapper clarified that while an injury that is “certainly impending” can establish injury in fact for the purposes of standing, “[a]llegations of possible future injury are not sufficient.” Id. at 1147. Applying the Clapper analysis, the Court stated that “merely alleging an increased risk of identity theft or fraud is insufficient to establish standing.” The Court further reasoned that, even assuming Barnes & Noble had violated certain notification statutes, breach of those statutes alone was insufficient to establish standing. Regarding the alleged improper disclosure of Plaintiffs’ PII, the Court found that, “[t]he inference that their data was stolen, based merely on the security breach, is too tenuous to support a reasonable inference that can be made in Plaintiffs’ favor.” Even as to the plaintiff with a fraudulent charge, the Court found those allegations insufficient because (1) the charge did not go unreimbursed; (2) the only purported harm was a time lag between learning of the charge and received a new card; and (3) there was no allegation that the fraudulent charge was related to the breach. Finally, as to the costs Plaintiffs incurred to mitigate an increased risk of identity theft, the Court reasoned that Plaintiffs could not manufacture standing by incurring costs in anticipation of merely potential harm.

This decision strengthens and adds additional support for the standing defense in data breach litigation. It further makes clear that Clapper, although not decided in the data breach context, can provide strong ammunition in defending breach-based claims.

Written by Kristy McAlister Brown, Partner, Technology & Telecommunications Litigation and Stephanie Driggers, Senior Associate, Litigation & Trial Practice | Alston & Bird LLP 

Filed Under: Data Breach, Security Breach Tagged With: Identity Theft, Litigation

Primary Sidebar

This blog is a service of Alston & Bird’s Privacy, Cyber & Data Strategy team and focuses on key data privacy and data security issues.


Receive email notifications when new posts are added.

Receive email notifications when new posts are added.


THE DIGITAL DOWNLOAD
Click here to see the editions

PRIVACY & CYBER EVENTS
Click here to see upcoming and past events

PRIVACY & CYBER MAILINGS
Click here to sign up

@ALSTONPRIVACY
Click here to follow us on Twitter

Secondary Sidebar

Categories

Recent Posts

  • Belgian Supervisory Authority Sanctions News Media Company for Violating Cookie Rules
  • DOJ Issues New Policy on CFAA Prosecutions
  • EDPB Issues Draft Guidelines on the Calculation of Administrative Fines
  • The California Privacy Protection Agency Solicits Public Input on Forthcoming Privacy Regulations
  • U.S. Department of Commerce Announces the Establishment of a Global CBPR Forum
Copyright © 2022 · Alston & Bird · All Rights Reserved. Privacy.