[BreachExchange] Litigation Alert: Second Circuit Limits Standing to Bring Data Breach Class Actions

Audrey McNeil audrey at riskbasedsecurity.com
Fri May 12 14:01:32 EDT 2017


This week, the U.S. Court of Appeals for the Second Circuit issued an
important decision in Whalen v. Michaels Stores, placing the court at the
center of the controversy around what allegations are sufficient to
establish Article III standing in data breach class actions. In Whalen, the
plaintiff alleged that payment card information stolen in a data breach was
used in unsuccessful, attempted fraudulent transactions. The payment card
owner further alleged that she faced an increased risk of future identity
fraud, forcing her to spend time and money resolving the attempted
fraudulent charges and monitoring her credit. The court ruled that these
allegations did not establish a concrete injury sufficient to confer
Article III standing.


Michaels Store, Inc. (“Michaels”) is an arts and craft retail chain. On
January 25, 2014, Michaels notified its customers in press release of
“possible fraudulent activity on some U.S. payment cards.” The company
announced that it was investigating the incident and advised customers to
monitor their credit accounts for unauthorized charges. On April 17, 2014,
Michaels confirmed the existence of a data breach in another press release.
The company reported that hackers had used a “highly sophisticated malware”
to retrieve payment card information from the computer systems of Michaels
and its subsidiary, Aaron Brothers.  However, Michaels also reported that
there was no evidence that the hackers had obtained any other customer
information, such as names, addresses, or PIN numbers. Michaels estimated
that approximately 2.6 million payment cards may have been affected for the
period between May 8, 2013 and January 27, 2014. As a result, the company
offered free identity protection and credit monitoring services for twelve
months to affected customers.

Mary Jane Whalen made purchases with her credit card at a Michaels store on
December 21, 2013. On January 14 and 15, 2014, Whalen’s credit card
information was used unsuccessfully in two attempted fraudulent
transactions in Ecuador. On January 15, 2014, Whalen cancelled her credit
card. No other fraudulent transactions were either incurred or attempted on
Whalen’s credit card.

On December 2, 2014, Whalen filed a putative class action against Michaels,
alleging claims for breach of implied contract and violation of New York
General Business Law § 349. On December 28, 2015, the district court
dismissed the complaint, finding that Whalen lacked standing because she
“neither alleged that she incurred any actual charges on her credit card,
nor, with any specificity, that she had spent time and money monitoring her
credit.” Whalen v. Michaels Stores, Inc., No. 16-260 (L); 16-335 (XAP),
Summary Order, at 3 (2d Cir. May 3, 2017).

Second Circuit Decision

The Second Circuit affirmed the district court’s dismissal, concluding that
Whalen “alleged no injury that would satisfy the constitutional standing
requirements of Article III.”  Whalen, at 4. Citing Clapper v. Amnesty
Int’l USA, 133 S. Ct. 1138, 1147-48, 1151 (2013), the Second Circuit
explained that a plaintiff must allege an injury that is “concrete,
particularized, and actual or imminent’ and that a “threatened injury must
be certainly impending,” rather than simply speculative. Id. at 3-4. The
Second Circuit further elaborated that, under Clapper, a “theory of
standing[] which relies on a highly attenuated chain of possibilities[]
does not satisfy the requirement threatened injury must be certainly
impending.” Id. at 5 (citation omitted).

Turning to Whalen’s factual allegations, the Second Circuit rejected the
three theories of injury that Whalen had raised. Whalen had alleged that
(1) her credit card information was stolen and used in two attempted
fraudulent transactions; (2) she faced a risk of future identity theft; and
(3) she had lost time and money resolving the attempted the fraudulent
charges and monitoring her credit. The Second Circuit found that “Whalen
does not allege a particularized and concrete injury suffered from the
attempted fraudulent purchases… she never was either asked to pay, nor did
pay, any fraudulent charge. And she does not allege how she can plausibly
face a threat of future fraud, because her stolen credit card was promptly
canceled after the breach and no other personally identifying
information—such as her birth date or Social Security number—is alleged to
have been stolen.” Id. at 4. The Second Circuit also found that “Whalen
pleaded no specifics about any time or effort that she herself ha[d] spent
monitoring her credit,” instead relying on the general allegation that the
putative class had suffered damages based on “the opportunity cost and
value of time” they had been forced to expend to monitor their financial
accounts. Id.


Whalen puts the Second Circuit in the middle of a Circuit split concerning
what allegations are sufficient to establish Article III standing in data
breach class actions. On one end of the spectrum, the Sixth Circuit in
Galaria and the Seventh Circuit in Neiman Marcus and P.F. Chang’s have held
that plaintiffs can plead a concrete injury that will satisfy Article III
by alleging that their personal information was stolen, they face an
increased risk of future harm and they have incurred mitigation costs in
response to that risk. The Sixth and Seventh Circuits have also held an
offer by a company to provide free identity fraud protection and credit
monitoring following a data breach can be inferred to establish that the
company recognizes that the risk of future harm from the breach is

On the opposite end of the spectrum, the Second Circuit in Whalen and the
Fourth Circuit in Beck have heightened pleading requirements for standing
in data breach cases. Plaintiffs in the Second and Fourth Circuits cannot
rely on general allegations of increased risk of identity theft from stolen
personal information coupled with mitigation costs to establish a concrete
injury. Nor can they rely on an offer of free credit monitoring by a
company to supplement those otherwise deficient factual allegations.
Instead, these plaintiffs must allege actual injuries, such as successful
fraud charges based on stolen personal information that creates liability
on the part of the payment card owner, to survive a motion to dismiss for
lack of standing. This Circuit split is not likely to be resolved if and
until the Supreme Court weighs in on the issue.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170512/69dd9dc9/attachment.html>

More information about the BreachExchange mailing list