Last month, a Minnesota federal judge tossed out extensive multidistrict legislation concerning a proposed class action of SuperValu shoppers. Shoppers from Illinois, Minnesota, and Idaho had alleged that the supermarket chain caused them harm when hackers penetrated SuperValu’s systems and installed malicious software on its payment card systems. The complaint listed dozens of state and federal privacy violations.
The problem with their case, according to Judge Ann D. Montgomery of the U.S. District Court for the District of Minnesota, was that between the sixteen named shoppers in the proposed class, the only evidence of harm was a single unauthorized charge. In In re: SuperValu, Inc., Customer Security Breach Litigation, No. 14-MD-2586 ADM/TNL, Judge Montgomery held that this single charge could not reliably be traced back to SuperValu’s hack, given the frequency of credit card fraud. Without any other instances of harm, the judge said it was complete speculation as to whether the hackers were actually successful in using the data they obtained.
In 2014, SuperValu reported two separate breaches. The first occurred in August against the company’s Cub Foods, Farm Fresh, Hornbacher’s, Shop ‘n Save, and Shoppers Food & Pharmacy systems and the second occurred one month later at its Albertson’s stores.
The debate over standing in data breach litigation has been raging as of late and we have reported on several of the more notable opinions (see here, here, and here for a few examples). In one of those cases, the U.S. District Court for the Eastern District of Pennsylvania found a plaintiff who had suffered identifiable identity attacks after a breach did have standing and the court allowed the plaintiff’s claims for breach of contract and restitution to move forward. See Enslin v. The Coca-Cola Co., No. 2:14-CV-06476 (E.D. Pa. Sept. 29, 2015).
Comparing the case to the Target data breach, Judge Montgomery noted that previous cases included detailed allegations of extensive misuse of customer data information. “Here, the singular incident from one named plaintiff over the course of more than a year following the data breach is not sufficient to ‘nudge’ plaintiffs’ class claims of data misuse or imminent misuse ‘across the line from conceivable to plausible.’” This increased risk of future harm was not enough to demonstrate standing.
Although members of the proposed class argued that they had suffered harm based on the time and money spent monitoring their accounts, Judge Montgomery ruled that this fear of future harm was not enough to establish standing under Article III.
The full text of Judge Montgomery’s opinion is available here. As the plaintiffs’ case in SuperValu was dismissed without prejudice, it remains to be seen whether they will bring an amended complaint.
Matt has counseled clients on the evaluation of data privacy risks, responses and solutions, and he serves as a breach coach, providing analysis and advice to address data breach events, including forensics, notification pursuant to federal and state laws, credit monitoring, and public relations issues. In addition to breach response, Matt has counseled insurers on the underwriting of cyber/tech policies.
