Barnes & Noble Customers Lack Standing To Bring Data Breach Litigation, Court Rules

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

Customers of Barnes & Noble Inc. have not suffered injuries sufficient to grant them standing in a putative class action against the book retailer following a data breach, the U.S. District Court for the Northern District of Illinois ruled Sept. 3, dismissing the case (In re Barnes & Noble Pin Pad Litig., N.D. Ill., No. 1:12-cv-08617, dismissed 9/3/13).

In October 2012, Barnes & Noble revealed that it had discovered tampering with the personal identification number pads used to process payment card transactions at 63 of its stores (11 PVLR 1584, 10/29/12). The hackers used a technique known as “skimming” to collect customers' credit and debit card information, the court said.

The plaintiffs filed a consolidated class action complaint against Barnes & Noble, alleging the following five causes of action: breach of contract; violation of the Illinois Fraud and Deceptive Business Practices Act, 815 Ill. Comp. Stat. §§ 505/2; invasion of privacy; violation of the California Security Breach Notification Act, Cal. Civ. Code §§ 1798.80-1798.82 and § 1798.84; and violation of California's Unfair Competition Act, Cal. Bus. & Prof. Code §§ 17200-17210.

According to the plaintiffs, there was a six-week delay between the time Barnes & Noble learned of the breach and when it publicly announced the breach. They also alleged that the company failed to directly notify its customers. In addition, they claimed that the company failed to follow security protocols and regulations maintained by the payment card industry.

Barnes & Noble moved to dismiss the complaint pursuant to Federal Rules of Civil Procedure 12(b)(1) and 12(b)(6). The court, however, found it unnecessary to analyze the book retailer's 12(b)(6) arguments.

Delayed Notification, Statutory Violations

The court granted the company's motion to dismiss for lack of standing after finding all of the alleged injuries insufficient to support standing.

It rejected the plaintiffs' argument that the delay or inadequacy of the breach notification increased the risk that they would suffer injuries and therefore supported standing. “Merely alleging an increased risk of identity theft or fraud is insufficient to establish standing,” the court said.

“Nothing in the Complaint indicates Plaintiffs have suffered either a 'certainly impending' injury or a 'substantial risk' of an injury, and therefore, the increased risk is insufficient to establish standing,” the district court said, quoting the U.S. Supreme Court's holding in Clapper v. Amnesty Int'l USA, 33 S. Ct. 1138 (2013) (12 PVLR 350, 3/4/13).

Allegations that statutes were breached, without any allegation of actual damages resulting from the breach, were inadequate to establish standing, the court said.

The alleged improper disclosure of the plaintiffs' personally identifiable information (PII) was insufficient to establish standing because the plaintiffs failed to allege that the information was disclosed, the court said. For the same reason, their alleged loss of privacy did not convey standing.

Mitigation Expenses, Fraudulent Charge

Nor did the plaintiffs' alleged time and expenses incurred to mitigate the risks of identity theft confer standing, the court concluded. They failed to allege expenses with specificity, and Clapper held that such expenses are not actual injuries in the absence of imminent harm, the court said.

An increased risk of identity theft is also inadequate to support standing, the court determined, noting that Clapper held that speculation of future harm is not an actual injury.

The plaintiffs did not allege an actual injury based on the deprivation of the value of their PII, the court said. “Plaintiffs do not allege their personal information was sold, nor do they allege the information could be sold by Plaintiffs for value,” it said.

In addition, anxiety and emotional distress following a breach are insufficient to confer standing, the court concluded, again noting the lack of an imminent threat to their PII.

The court found unpersuasive the plaintiffs' argument that the diminished value of their products and services supported standing because they “have not pled that Barnes & Noble charged a higher price for goods whether a customer pays with credit, and therefore, that additional value is expected in the use of a credit card.”

Finally, a fraudulent charge on one plaintiff's credit card was insufficient to confer standing because that plaintiff failed to plead that she suffered a monetary loss resulting from the charge and failed to connect that charge to the breach, the court said.

Edmund S. Aronowitz and Adam J. Levitt, of Grant & Eisenhofer PA, in Chicago; Joseph J. Siprut, of Siprut PC, in Chicago; Aleksandra M. S. Vold, of Synergy Law Group, in Chicago; and Ben Barnow, of Barnow and Associates PC, in Chicago, represented the plaintiffs. Peter V. Baugher and Kristen E. Hudson, of Schopf & Weiss LLP, in Chicago; and Kenneth L. Chernof and Hadrian R. Katz, of Arnold & Porter, in Washington, represented Barnes & Noble.

Full text of the court's opinion is available at

Full text of the consolidated class action complaint is available at

Request Bloomberg Law: Privacy & Data Security