Barnes & Noble Turns Page After Class Data Breach Dismissal

By Daniel R. Stoller

Oct. 4 — Compromised payment card PIN pads at Barnes & Noble Inc. stores don't present a harmful enough threat to allow consumers to recover damages (In re Barnes & Noble Pin Pad Litig., N.D. Ill., No. 12-cv-08617, dismissal, 10/3/16).

Although the class plaintiffs stated sufficient risk of harm in their amended complaint to establish the basic step for a suit, they failed to establish sufficient injury tied directly to the data breach, Judge Andrea R. Wood of the U.S. District Court for the Northern District of Illinois said Oct. 3 in dismissing the case.

The case stems from a fall 2012 data breach that revealed tampering with the personal identification number pads used to process payment card transactions at 63 Barnes & Noble stores nationwide, nearly 9 percent of the stores in the chain. The hackers tampered with the PIN pads so that they could skim customers' credit and debit card information.

The plaintiffs brought claims under common law breach of contract, Illinois and California consumer fraud and deceptive business practices laws and California's breach notice statute. The plaintiffs sought monetary damages for the loss of their personal sensitive data, loss of privacy and expenses incurred to limit the risk of identity theft.

The court dismissed the original class complaint Sept. 3, 2013, because the plaintiffs failed to establish standing to sue in federal court. The plaintiffs then refiled their first amended complaint Sept. 24, 2013, with similar claims against Barnes & Noble. The amended class complaint added only six new allegations, which included costs associated with identity theft monitoring and Barnes & Noble's negligence in not discovering and reporting the breach sooner.

However, the plaintiffs' claims still didn't plead enough injury to sue in federal court. Judge Wood tossed the plaintiffs' claims because they didn't plead “any economic or out-of-pocket damages that were caused by the Barnes & Noble data breach.”

Because the plaintiffs didn't “allege actual damages to state a claim for relief,” the claims must be tossed, the court said.

The case highlights the potential longevity of a data breach class action and the high litigation costs that may accompany a drawn-out case. A company may face lower litigation and reputational costs if it can settle out of court early after a data breach.

New York-based Barnes & Noble is the tenth largest public e-commerce discretionary company in the U.S. with an $813.45 million market capitalization, Bloomberg data show.

Illinois, California Claims

The court also dismissed plaintiffs' Illinois state consumer law allegations that Barnes & Noble didn't “implement adequate, commercially reasonable security measures to protect” the sensitive personal information and “by failing to inform” the putative class of the breach.

The court noted that the “plaintiffs' failure to plead any economic damages” is “fatal to this cause of action.” Because the plaintiffs didn't allege claims that show that they “suffered actual monetary losses,” the Illinois claims were thrown out.

The court also dismissed the plaintiffs' California data breach notification law claims.

California enacted the first-in-the-nation data breach notification statute in 2002. It requires companies possessing or controlling personally identifiable information to notify individuals of a security breach if the personal information was or was presumed to be accessed by an unauthorized person. Now, 47 states and the District of Columbia have breach notice laws.

Although the court found that “Barnes & Noble was insufficiently prompt in notifying” the plaintiffs of the data breach, the putative class failed to adequately claim that they were injured by the delay in breach notification. The court was unable to find a “causal connection” between plaintiffs' harm and the “six-week delay in reporting the breach.”

The putative class has until Oct. 31 to file a second amended complaint to “cure the deficiencies” as outlined in the opinion.

Barnes & Noble didn't respond to Bloomberg BNA's e-mail request for comments.

Honigman Miller Schwartz and Cohn LLP and Arnold & Porter LLP represent Barnes & Noble. Grant & Eisenhofer PA, Siprut PC and Barnow and Associates PC represented the putative class.

To contact the reporter on this story: Daniel R. Stoller in Washington at dstoller@bna.com

To contact the editor responsible for this story: Donald G. Aplin at daplin@bna.com

Copyright © 2016 The Bureau of National Affairs, Inc. All Rights Reserved.