Lack of Injury Dooms Michaels Breach Class Suit

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

Dec. 28 — Because the plaintiffs failed to demonstrate actual injuries, arts and crafts retail chain Michaels Stores Inc. Dec. 28 dodged a federal court putative class action over a data breach that compromised approximately 2.6 million payment cards.

Dismissing the suit without prejudice, Judge Joanna Seybert of the U.S. District Court for the Eastern District of New York said that plaintiff Mary Jane Whalen failed to assert any injuries that are “certainly impending” or based on a “substantial risk that the harm will occur”—a standard for Article III standing established by the U.S. Supreme Court in Clapper v. Amnesty Int'l USA.

On Jan. 25, 2014, Michaels notified its customers of possible fraudulent activity on some U.S. payment cards, and three months later, it confirmed the security breach. Specifically, Michaels said that hackers retrieved payment card information from the company's systems. However, the company said that there was no evidence that the hackers obtained any personally identifiable information, including names, addresses or personal identification numbers.

According to the plaintiff, following the data breach, her credit card was “physically presented for payment” in Ecuador. However, the complaint didn't allege that the attempted charges were approved or that the plaintiff suffered financial losses. Nonetheless, the plaintiff alleged that she suffered damages arising out of “costs associated with identity theft” as well as the increased risk of identity theft. However, the plaintiff conceded that fraudulent use of her credit card may not be apparent “for years.”

In July 2014, a federal court in Illinois rejected a similar class claim, finding that an elevated risk of identity theft without evidence of specific monetary damages was insufficient to support statutory or common law claims.

Failure to Allege Injury

Moving to dismiss the complaint, Michaels argued that Whalen lacks Article III standing because she failed to allege any actual damages or any “certainly impending” future injuries. The court agreed.

In a class action, the court said, plaintiffs must show that they “personally have been injured, not that injury has been suffered by other, unidentified members of the class.” Further, in Clapper, the Supreme Court said that plaintiffs lacked if the alleged injury was “highly speculative” and based on “a highly attenuated chain of possibilities.”

Here, the plaintiff has alleged that her credit card was “physically presented for payment,” but didn't allege that she was required to pay the charges made in Ecuador. Even if the pending charges were accepted, the court said, the plaintiff wouldn't have suffered any injury due to the “zero-fraud-liability policy” of major credit card companies, including the plaintiff's card issuer.

As the plaintiff admitted, fraudulent use of the payment cards may not be apparent “for years,” the court said, concluding that the Whalen failed to allege an injury that is “certainly impending” or based on “substantial risk that the harm will occur.”

The court also distinguished the facts in this case from those in Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688 (7th Cir. 2015). In Remijas, 9,200 of the 350,000 customers affected by a hacker data breach experienced fraudulent charges following the breach, allowing for a finding of a likely threat of harm. By contrast, the court said, Whalen's complaint failed to allege any out-of-pocket losses.

Siprut PC; Glancy Binkow & Goldberg LLP; and Lite Depalma Greenberg LLC represented the plaintiffs. Sidley Austin LLP represented Michaels.

To contact the reporter on this story: Jimmy H. Koo in Washington at

To contact the editor responsible for this story: Donald G. Aplin at

Full text of the court's opinion is available at


Request Bloomberg Law: Privacy & Data Security