One Fraudulent Charge Enough for Data Breach Class Standing: 8th Cir.

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Jimmy H. Koo

A single unauthorized payment card transaction following data breaches at SuperValu Inc. stores created sufficient injury for a class complaint to proceed, a federal appeals court held Aug. 30 ( In re SuperValu, Inc. Customer Data Sec. Breach Litig. , 8th Cir., No. 16-2378, 8/30/17 ).

Reversing a lower court’s dismissal of the complaint, the U.S. Court of Appeals for the Eighth Circuit held that named plaintiff David Holmes’ assertion of actual injury gives him standing to sue for himself and on behalf of similarly situated potential class members.

The appeals court rejected SuperValu’s argument that Holmes had to allege that the fraudulent charge occurred as a result of the data breaches. “At a later stage of the litigation, defendants are free to litigate whether the data breach caused Holmes’ fraudulent charge, but ‘this debate has no bearing on standing to sue,’” the appeals court held, citing the U.S. Court of Appeals for the Seventh Circuit’s opinion in Remijas v. Neiman Marcus.

Gerard M. Stegmaier, Washington-based partner in the intellectual property, tech, and data group at Reed Smith LLP, told Bloomberg BNA Aug. 30 that under the court’s reasoning, “anytime anyone suffers any fraud,” they have standing to sue, regardless of the fraudulent charge’s direct connection with the data breach.

Stegmaier compared the situation to securities fraud class complaints “about 20 years ago” that alleged fraud in response to any drop in stock prices. In response to the volume of securities fraud cases under that theory, Congress passed the Private Securities Litigation Reform Act which, among other things, requires plaintiffs to show that the events the fraud and drop in the stock price are linked, he said.

Two Data Breaches

Defendant SuperValu faced a pair of data breaches in 2014. Several federal court complaints were filed against the retail chain alleging negligence, breach of contract, and violations of state consumer protection and data breach statutes.

The cases were consolidated in the U.S. District Court for the District of Minnesota, which found the allegations of damages suffered by the plaintiffs were too speculative to support standing.

Reversing, the appeals court cited the U.S. Supreme Court’s opinion in Spokeo Inc. v. Robins, which held that “named plaintiffs who represent a class must allege and show that they personally have been injured, not that injury has been suffered by other, unidentified members of the class to which they belong.”

The trial court mistakenly dismissed the suit because one plaintiff—Holmes—has standing to bring suit, the Eighth Circuit said.

Judge Jane Kelly wrote the opinion, which was joined by Judges Lavenski R. Smith and Steven M. Colloton.

Barnow & Associates; Coffman Law Firm; The Driscoll Firm; Carlson & Lynch; McSweeney & Fay; Lockridge & Grindal; Law Offices of Aron D. Robinson; and Steward Law Firm represented the plaintiffs. Ropes & Gray LLP and Robins Kaplan represented SuperValu.

To contact the reporter on this story: Jimmy H. Koo in Washington at

To contact the editor responsible for this story: Donald Aplin at

For More Information

Full text of the opinion is available at

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law: Privacy & Data Security