Court revives one case related to SuperValu data breachReprints
A federal appeals court has upheld dismissal of most of the plaintiffs who sued the SuperValu Inc. grocery distributor in connection with 2014 data breaches, but reinstated the case of one plaintiff who provided evidence his credit card was misused.
Supermarket wholesaler and retailer SuperValu, based in Eden Prairie, Minnesota, reported two separate data breaches in 2014, according to Wednesday’s ruling by the 8th U.S. Circuit Court of Appeals in St. Louis in In re: SuperValu Inc., Customer Data Security Breach Litigation.
Customers allegedly affected by the breaches filed putative class actions in several U.S. District Courts that were eventually consolidated and transferred to the U.S. District Court in Minneapolis, according to the ruling, with a total of 16 named plaintiffs.
The litigation charges violations of state consumer protection statutes and state breach notification statutes, among other charges.
The plaintiffs included David Holmes, who alleged he used his credit card at a store in Belleville, Illinois, that was affected by the data breaches and that he subsequently noticed a fraudulent charge on his card.
The District Court evaluated the standing of all the named plaintffs collectively and dismissed the case. The ruling said because the complaint alleged only an “isolated single instance of an unauthorized charge” suffered by Mr. Holmes, there was insufficient evidence of misuse of the plaintffs’ card information to “plausibly suggest that the hackers had succeeded in stealing the data and were willing to and able to use it for future theft and fraud.”
On appeal, a three-judge appeals court panel reinstated Mr. Holmes’ case but upheld dismissal of the remaining plaintiffs. On the remaining plaintiffs, the decision says, “Plaintiffs argue that they have sufficiently alleged an injury in fact because the theft of their card information due to the data breaches at defendants’ stores creates the risk they will suffer identity theft in the future.”
However, except for Mr. Holmes, “the named plaintiffs have not alleged that they have suffered fraudulent charges on their credit or debit cards or that fraudulent accounts have been used in their names,” said the ruling. “Not only are these allegations speculative, they also fail to allege any injury to the plaintiffs.”
“Although others have ruled that a complaint could plausibly plead that the theft of a plaintiff’s personal or financial information creates a substantial risk that they will suffer identity theft sufficient to constitute a threated injury in fact … we conclude that plaintiffs have not done so here,” the ruling said.
In the case of Mr. Holmes, the ruling states that “Holmes’ allegations of misuse of his card information were sufficient to demonstrate that he has standing; that is all that is required for the court to have subject matter jurisdiction over this action.” The case was remanded for further proceedings.”
In May, a federal district court for the second time dismissed litigation filed by financial institutions against St. Louis-based supermarket chain Schnuck Markets Inc. in connection with a data breach it suffered in 2012 and 2013, citing the prevalence of data breaches during that period.