[BreachExchange] District court tosses all 13 counts in rare data breach case against grocery store

Audrey McNeil audrey at riskbasedsecurity.com
Mon Oct 31 20:01:58 EDT 2016


http://legalnewsline.com/stories/511036323-district-court-tosses-all-13-counts-in-rare-data-breach-case-against-grocery-store

A District Court for the Southern District of Illinois has tossed all 13
counts in a data breach case against a grocery store, noting the plaintiffs
were too general in their allegations.

The Community Bank of Trenton, University of Illinois Employees Credit
Union, First Federal Savings Bank of Champaign-Urbana, and Southpointe
Credit Union filed a lawsuit Sept. 28 against Schnuck Markets, Inc.,
alleging violations of the civil provisions of the Racketeer Influenced and
Corrupt Organizations Act (RICO), contractual breaches, and other torts
when it fell victim to a data breach.

The breach, the plaintiffs argued, caused them to suffer financial losses.

The lawsuit, considered rare by the court because it was brought by
financial institutions rather than harmed consumers, was dismissed by Judge
Michael Reagan on Oct. 19 because the plaintiffs failed to particularize
their arguments to the facts of the case.

Between December 2012 and March 2013, Schnuck’s grocery became a victim of
a major data breach. Customers' personal information was put at risk as a
result of the breach. The plaintiffs were required to assist their
customers in resolving their personal financial risks and losses.

As such, the institutions sought financial relief from Schnuck's, alleging
that had it been more careful, the breach might not have occurred.

The court noted in its dismissal that, for plaintiffs to avoid dismissal
for failure to state a claim, the complaint must contain a short and plain
statement of the claim adequate to demonstrate that the plaintiffs are
entitled to relief. The court found the plaintiffs failed to satisfy this
requirement.

The ruling states, “The case before the court presents an impressive 13
different theories of relief for the plaintiffs to recover against
Schnuck's. Many of the theories have been tested in other data breach
litigation against major retailers across the country, such as Target,
Jimmy Johns, Barnes and Noble, Home Depot, and Neiman Marcus, to name a
few. However, there is a critical distinction between the present set of
claims, and those presented in the aforementioned cases—the claims in the
present case are being brought by the financial institutions as opposed to
by the merchant's customers…the allegations of harms sustained are general.”

Bethany Gayle Lukitsch, a partner with McGuire Woods, told Legal Newsline,
“Data breach litigation is a growing area of litigation and plaintiffs’
alleged injuries and pled theories of relief have yet to be established.
The court clearly wanted to see more of a direct connection pled between
the data breach and these financial institutions before expanding the scope
of potential litigants in a data breach situation.”

The court notes the complaint contained unsubstantiated statements too
broad to ascertain harm or entitlement to relief. It noted statements made
by the plaintiffs, including that Schnuck's was alerted to fraudulent
activity on “a handful of payment cards,” that the plaintiffs “may lose
profits if customers use payment cards less frequently,” that Schnuck's
made fraudulent misrepresentations about its data security practices
without defining how, and that “while Schnuck's threw consumers somewhat of
a bone in an effort to rebuild customer loyalty and improve its financial
outlook, it has not offered plaintiffs and class members any compensation
for the damages they have suffered, and will continue to suffer.”

The court summed up the arguments as highly general, writing, “The court
notes the generality made it difficult to assess the plausibility of the
potential claims. For this reason, the court dismissed many of the claims
without prejudice to allow the plaintiffs an opportunity to file more
substantive pleadings.”

Lukitsch said she was not surprised by the dismissal.

“As stated throughout the court’s opinion, plaintiffs’ complaint lacked the
specificity required to meet pleading standards under Twombly and Iqbal,
particularly for the fraud based claims,” she said.