[BreachExchange] Data Breach Class Action Against SuperValu Doesn’t Check Out

Audrey McNeil audrey at riskbasedsecurity.com
Wed Feb 24 19:02:26 EST 2016


http://www.jdsupra.com/legalnews/data-breach-class-action-against-68485/

The data breach class action lawsuit filed against grocery store retail
chain SuperValu Inc. (“SuperValu”) was put on the shelf by the U.S.
District Court for the District of Minnesota on January 7, 2016.[1] The
plaintiffs alleged they were harmed by hackers gaining access to and
installing malware on the payment-processing network for payment card
transactions at SuperValu’s grocery stores. SuperValu notified its
customers of two different breaches of information embedded in the magnetic
stripe of payment cards (“PII”) – first in August 2014 and again in
September 2014, affecting more than 1,000 stores.

The only alleged misuse of any of the plaintiffs’ PII was a single
unauthorized charge on one plaintiff’s credit card; however, the one
plaintiff did not allege the charge was unreimbursed or that he incurred
bank fees or other monetary losses related to the charge. And no plaintiff
alleged identity theft or attempted identity theft.

Relying on the U.S. Supreme Court’s Clapper ruling, the court granted
SuperValu’s motion to dismiss for lack of Article III standing. The court
found that the plaintiffs failed to allege sufficient facts to show that
future harm is “certainly impending” or that there is a “substantial risk”
the harm will occur – noting that the isolated single instance of an
unauthorized charge was not indicative of data misuse that is fairly
traceable to the data breach.

The court also ruled that the plaintiffs’ costs to mitigate the risk of
future harm are not a sufficient injury in fact to confer Article III
standing – quoting the Clapper ruling that plaintiffs “cannot manufacture
standing merely by inflicting harm on themselves based on their fears of
hypothetical future harm that is not certainly impending.” Additionally,
the plaintiffs alleged no facts explaining how their PII became less
valuable as a result of the data breach or showing that the loss of privacy
and confidentiality resulted in a concrete injury.

Key to the court’s dismissal is the Clapper directive that standing is less
likely to exist where a threatened injury hinges on speculation about the
actions of third parties, which is particularly relevant in data breach
litigation arising from hacker attacks.

Potentially problematic for SuperValu, however, is the court’s ruling that
the plaintiffs must plead an injury beyond a statutory violation to meet
the standing requirement of Article III. The plaintiffs alleged that they
were harmed by SuperValu’s untimely and inadequate notice of the data
breach, a claim under state data breach notification laws.[2] This same
standing issue is currently pending before the Supreme Court of the United
States in Spokeo v. Robins. In Spokeo, the plaintiff sued alleging a
violation of the Fair Credit Reporting Act, which lets consumers claim
damages from $100 to $1000 if a company publishes a false report about
them. Spokeo says the plaintiff should have to show some sort of injury,
while the plaintiff says it’s enough to show the company broke the
statutory law. A ruling against Spokeo could change the court’s ruling in
the SuperValu opinion – and potentially in other data breach class action
lawsuits dismissed for lack of Article III standing.