Earlier this month, the United States District Court for the Northern District of Illinois entered an order dismissing with prejudice a putative class action concerning a security breach affecting PIN pad devices at numerous Barnes & Noble locations. The lawsuit, In re Barnes & Noble Pin Pad Litigation, No. 12-cv-8617 (N.D. Ill.), was brought by consumers who had used credit and debit cards at Barnes & Noble during the time period of the breach.
The operative complaint pleaded several causes of action against Barnes & Noble, including breach of implied contract and the violation of several state statutes: the Illinois Consumer Fraud and Deceptive Business Practices Act, the California Customer Records Act, and the California Unfair Competition Act. The consumers alleged that they suffered various cognizable injuries, including holds placed on bank accounts, inability to use compromised cards until they were replaced, a decrease in value of plaintiffs’ personally identifiable information, credit monitoring costs, emotional distress, and credit monitoring costs.
The court held that these alleged damages were insufficient to give rise to an entitlement to relief, reasoning that “to state a claim based upon breach of contract” or the state consumer protection statutes, the plaintiffs were required “to allege economic or out-of-pocket damages caused by the data breach.” Setting aside the credit monitoring costs, none of the other asserted damages were economic in nature, and therefore did not constitute a legally cognizable injury. The credit monitoring costs were also insufficient to allow the lawsuit to proceed, as they did not constitute an “actual injury” that was redressable under the relevant consumer protection statutes and the operative complaint alleged only that the data breach was “a decisive factor” in one of the plaintiff’s decisions to sign up for the service.
Though this most recent Barnes & Noble decision was not decided on Article III standing grounds, it reflects a growing trend among courts to carefully scrutinize consumers’ claims for injury when they sue in the wake of a third-party criminal data breach. See, e.g., Whalen v. Michael Stores Inc., No. 14-cv-7006, 2015 WL 9462108 (E.D.N.Y. Dec. 28, 2015), aff’d, 2017 WL 1556116 (2d Cir. May 2, 2017); In re Zappos.com, Inc., 108 F. Supp. 3d 949 (D. Nev. 2015) (both dismissing consumer data breach cases for lack of standing). If this trend continues, companies that are the victims of data breaches will have increasingly strong arguments that consumers whose payment cards were compromised but who suffered no out-of-pocket losses have no redressable injury in court.