SuperValu Data Breach Claim Nixed, Court Sees No Consumer Harm

From Bloomberg Law: Privacy & Data Security

March 8, 2018

By Daniel R. Stoller

Grocery store chains SuperValu Inc. and New Albertson’s Inc. again dodged class claims over a 2014 data breach that impacted over 1,000 stores, after a federal court said hacked payment card data didn’t inflict enough direct harm to sustain a lawsuit.

Judge Ann D. Montgomery of the U.S. District Court for the District of Minnesota granted the shopping chains’ motion to dismiss March 7. The case was on remand from the U.S. Court of Appeals for the Eighth Circuit.

In general, consumers have struggled to succeed in data breach class actions, and the stumbling block has been an inability to show that they suffered imminent and direct harm. Many of the lawsuits are dismissed in the early stages of trial because consumers allege future harms, such as an increased risk of identity theft, instead of actual harms, including monetary losses directly attributed to hackers’ activities.

The dismissal on remand shows that even plaintiffs who allege harm tied to a data breach could run into issues keeping their claims in court if they are unable to show they suffered more than theoretical harm.

The case arose after hackers accessed and installed malicious code on SuperValu’s and Albertson’s payment card processing network in the summer of 2014. The code extracted personal identifying information, such as payment card numbers, expiration dates, personal identification numbers, and cardholder names. According to the consumer class, hackers also accessed sensitive personal data that had been improperly stored by SuperValu and Albertson’s.

“The court’s exhaustive efforts to review plaintiff’s efforts, but ultimate conclusion that they are wanting, sends another strong signal that mere theoretical possibility of injury isn’t necessarily ‘traceable’ injury” to achieve federal court legal standing to sue under Article III, Gerard Stegmaier, senior research fellow at the Antonin Scalia Law School at George Mason University, told Bloomberg Law.

Plaintiffs: Risk Is ‘Imminent’

According to the opinion, plaintiffs alleged the theft of their data “subjects them to an imminent risk that they will suffer identity theft in the future.” The District of Minnesota didn’t deviate from Eighth Circuit precedent that mere allegations of a future risk of harm aren’t enough to keep a claim going in federal court.

The court’s finding that plaintiffs’ claims “did not satisfy the requirements for Article III standing follows the 8th Circuit’s skepticism of general allegations regarding future risk of harm,” Adam Cooke, senior associate for privacy and data security litigation at Hogan Lovells LLP in Washington, told Bloomberg Law.

The court also dismissed claims from one plaintiff who alleged harm purportedly connected to the data breach, finding the plaintiff didn’t plead out-of-pocket expenses related to fraudulent charges or lack of reimbursement.

The court’s decision to dismiss the claims of the plaintiff who didn’t plead out-of-pocket expenses shows that such motions at early stages of the trial “have bite even if a plaintiff is found to have alleged enough for standing,” Cooke said.

The case is In re SuperValu, Inc. Customer Data Sec. Breach Litig., 2018 BL 78558, D. Minn., No. 14-MD-2586, 3/7/18.

With assistance from George Lynch in Washington

To contact the reporter on this story: Daniel R. Stoller in Washington at

To contact the editor responsible for this story: Barbara Yuill at

Copyright © 2018 The Bureau of National Affairs, Inc. All Rights Reserved.