Michaels Breach Plaintiffs Have Standing, But Not Money Damages to Avoid Dismissal

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Katie W. Johnson    

July 17 --In a now familiar data breach damages analysis, a federal court in Illinois held July 14 that an elevated risk of identity theft from a Michaels Stores Inc. breach provides standing, but without evidence of specific monetary damages that risk is insufficient to support statutory or common law claims.

Judge Elaine E. Bucklo of the U.S. District Court for the Northern District of Illinois dismissed the case against the arts and crafts retailer, finding that the plaintiffs failed to plead monetary damages.

“The Michaels decision is consistent with virtually all holdings on stating a claim in data breach cases, but the courts continue to leave slight openings that will continue to encourage class action counsel to bring cases in this area,” Kirk Nahra, a partner at Wiley Rein LLP in Washington, told Bloomberg BNA July 17.

“The wall requiring real damage is strong, but may only take one strong wind to knock it down,” Nahra, who is also a Privacy & Security Law Report advisory board member, added.

The Michaels ruling here didn't generate that wind.

2.6 Million Cards Affected

In April, Michaels confirmed that its systems were affected by a data breach possibly affecting 2.6 million customer payment cards used at its stores between May 8, 2013, and Jan. 27 .

Six Illinois residents sued Michaels, alleging that the company failed to secure their credit and debit card information.

Michaels moved to dismiss their consolidated complaint. It argued that they lack standing on the basis of speculative injuries and that they failed to state a plausible claim upon which relief may be granted. The court found the plaintiffs had standing but failed to state a claim.

Clapper Is Distinguishable

The court concluded that “the elevated risk of identity theft stemming from the data breach at Michaels is sufficiently imminent to give Plaintiffs standing.”

It said this conclusion is consistent with the U.S. Court of Appeals for the Seventh Circuit's ruling in Pisciotta v. Old Natl. Bancorp, 499 F.3d 629 ( 7th Cir. 2007), which held that a consumer who is faced with an increased risk of identity theft following a data breach satisfies the injury in fact standing requirement even where he or she hasn't suffered a monetary loss .

Michaels argued that Clapper v. Amnesty Int'l USA, 133 S. Ct. 1138 ( 2013), abrogated Pisciotta and imposed a more stringent imminence requirement for standing based on future harm. In Clapper, the U.S. Supreme Court held that a group of human rights activists, journalists and lawyers lacked standing to challenge a wiretapping program because their claims of injury weren't “certainly impending” .

But the district court disagreed. “Clapper is distinguishable based on its admittedly rigorous application of the 'certainly impending' standard in a case that involved (1) national security and constitutional issues and (2) no evidence that the relevant risk of harm had ever materialized in similar circumstances,” the court said.

Here, the plaintiffs alleged that one of the putative class members incurred fraudulent credit card charges, the district court said.

Monetary Damages Not Alleged

But, similar to Pisciotta, the plaintiffs' claims must be dismissed because they didn't plead a necessary element of their Illinois breach of contract and consumer fraud claims, monetary damages, the court said.

Illinois courts have concluded that an elevated risk of identity theft doesn't constitute actual damage, the court said. Nor does a plaintiff's purchase of credit card monitoring protection meet the economic damage threshold, the court added.

The plaintiffs' other alleged monetary losses, such as general allegations about unauthorized bank account withdrawals, are too conclusory, the court said. In addition, the plaintiffs failed to plead enough facts to support their argument that Michaels charged customers for data security protection.

The court also dismissed a claim alleging a violation of New York's consumer fraud statute. The New York resident named in the Illinois complaint isn't a party to the lawsuit, the court said.

Siprut PC and Edelman, Combs, Latturner & Goodwin LLC served as co-lead interim class counsel. Sidley Austin LLP represented Michaels.

To contact the reporter on this story: Katie W. Johnson in Washington at kjohnson@bna.com

To contact the editor responsible for this story: Donald G. Aplin at daplin@bna.com

Full text of the court's opinion is available at http://www.bloomberglaw.com/public/document/Moyer_v_Michaels_Stores_Inc_Docket_No_114cv00561_ND_Ill_Jan_27_20.

Request Bloomberg Law Privacy and Data Security