[BreachExchange] Second Circuit Affirms Dismissal of Data Breach Class Action for Failure to Allege Actual Injury

Audrey McNeil audrey at riskbasedsecurity.com
Mon Jun 5 19:03:27 EDT 2017


http://www.jdsupra.com/legalnews/second-circuit-affirms-dismissal-of-36297/

Takeaway: With new stories of data breaches popping up almost daily, a
recent Second Circuit decision illustrates the difficulties named
plaintiffs face establishing actual injury and surviving a motion to
dismiss based on Article III standing. To establish standing, the plaintiff
must allege more than a refunded fraudulent charge or the fear of future
identity theft. A recent ruling by the Second Circuit demonstrates that,
especially in cases involving only exposure of payment card information
(and not personal information), standing limitations can be a potent weapon
in the class action defendant’s arsenal.

In Whalen v. Michaels Stores, Inc., No. 16-260 (L), 2017 WL 1556116, at *1
(2d Cir. May 2, 2017), the Second Circuit upheld the district court’s
dismissal of a putative class action alleging claims arising out of a data
breach at Michaels stores, agreeing with the Eastern District of New York
that the plaintiff failed to show either actual injury or impending future
injury.

Whalen involved a data breach affecting around 2.6 million credit cards
used at Michaels stores between May 8, 2013 and January 27, 2014. Whalen v.
Michael Stores Inc., 153 F. Supp. 3d 577, 578 (E.D.N.Y. 2015), aff’d sub
nom. Whalen v. Michaels Stores, Inc., No. 16-260 (L), 2017 WL 1556116 (2d
Cir. May 2, 2017). Whalen alleged that she made a purchase with her credit
card during the relevant period and brought claims against Michaels for
breach of implied contract and violations of the New York GBL § 349.
Critically, the breach only involved the release of payment card
information. There was no allegation that any customer personal information
(such as social security numbers or addresses) had been released. Michaels
persuaded the district court to dismiss for lack of standing. 2017 WL
1556116 at *1.

The Second Circuit’s analysis focused on the specific harm suffered by
Whalen as a result of the data breach. Whalen alleged that (1) her credit
card information had been used twice in attempted fraudulent purchases in
Ecuador; (2) she faced a future risk of identity fraud; and (3) she lost
time and money attempting to resolve the charges and monitoring her credit.
The Court of Appeals rejected all three contentions.

First, the Second Circuit ruled that, because Whalen did not pay and was
never asked to pay the fraudulent charges, the unauthorized use of her
credit card did not constitute actual injury. Whalen, 2017 WL 1556116, at
*2. On this point, the district court observed below that every major
credit card issuer, including Whalen’s, has a zero-fraud-liability policy
and distinguished Whalen’s alleged injury from other data breach cases
where the individual plaintiffs alleged that they incurred actual charges
as a result of the fraud, including unreimbursed charges, blocked access to
bank accounts resulting in an inability to pay bills, or related bank fees.
Whalen, 153 F. Supp. 3d at 581 (citing In re Target Corp. Data Sec. Breach
Litig., 66 F. Supp. 3d 1154, 1159 (D. Minn. 2014); In re Michaels Stores Pin
Pad Litig., 830 F. Supp. 2d 518, 527 (N.D. Ill. 2011)). The Whalen court’s
ruling suggests that the mere fraudulent use of a credit card, absent
allegations of monetary loss, does not suffice to establish standing.

Second, the Second Circuit found that Whalen could “not allege[ ] how she
can plausibly face a threat of future fraud.” Whalen, 2017 WL 1556116, at
*2. In Clapper v. Amnesty International USA, 568 U.S. 398 (2013), the
Supreme Court held that threatened injury must be “certainly impending to
constitute injury in fact,” and that “[a]llegations of possible future
injury” are not sufficient. Here, Whalen cancelled her stolen credit card
after the breach and there was no allegation that any other personal
information, such as her social security number, had been exposed in the
breach. The Second Circuit concluded that these allegations at best
demonstrated possible future injury.

Finally, the Second Circuit held that Whalen “pleaded no specifics about
any time or effort that she herself has spent monitoring her credit.”
Whalen, 2017 WL 1556116, at *2. The district court noted that Michaels had
provided data breach victims with 12 months of free credit monitoring, and
that no monitoring was necessary given that she had cancelled her credit
card and no personal information was exposed. Whalen, 153 F. Supp. 3d at
581.

The Whalen decision illustrates that, in many data breach cases,
class-action defendants can use standing to obtain dismissal long before
class certification. But Whalen involves a relatively benign set of facts
and may be distinguishable from cases involving a more widespread data
breach or where the named plaintiff can allege some cognizable monetary
loss.