Pursuing negligence claims in the Eighth Circuit following a data breach just got harder. On May 31, 2019, the U.S. Court of Appeals for the Eighth Circuit again dismissed the data breach claims in In re SuperValu, Inc. Customer Data Security Breach Litigation, where the court had previously dismissed the claims of all but one of the 16 named plaintiffs for failing to allege actual injuries that would establish Article III standing. In addition to affirming the denial of the 15 plaintiffs’ motion for leave to amend, the Eighth Circuit held that the remaining plaintiff failed to state a claim in his complaint because he could not establish that SuperValu, Inc. had a duty to safeguard his personal data or that he had suffered actual damages or future likelihood of harm.
SuperValu, AB Acquisition and New Albertson (collectively, defendants) owned and operated a chain of retail grocery stores. In 2014, the defendants suffered two data breaches. The first breach occurred from June 22 through July 17, when hackers gained access to the payment information of defendants’ customers including their names, credit or debit card account numbers, card expiration dates, card verification value codes and personal identification numbers. The second breach took place in late August or early September and involved the same type of customer information. After each breach, defendants issued a press release notifying customers of the breach but indicating that there had been no determination that customer information had in fact been stolen or misused.
Customers from several states allegedly affected by the breaches filed putative class actions in different district courts, all of which were transferred to and consolidated in the U.S. District Court for the District of Minnesota. Sixteen named plaintiffs filed a consolidated amended complaint asserting claims for violations of state consumer protection and data breach notification statutes, negligence, breach of implied contract and unjust enrichment. Only one of the named plaintiffs, David Holmes, alleged that he had suffered a fraudulent charge on his credit card statement, resulting in the replacement of that card.
The district court evaluated the standing of the named plaintiffs collectively and dismissed the complaint without prejudice, finding that plaintiffs had not alleged an injury in fact and, therefore, lacked standing. The Eighth Circuit affirmed the district court’s dismissal of all of the named plaintiffs, other than David Holmes, for lack of standing. The court found that Holmes was the only plaintiff to have alleged a present injury in fact so it remanded Holmes’ case to the district court.
The 15 named plaintiffs, other than David Holmes, moved for leave to amend. The district court denied plaintiffs’ motion, holding that the futility of amendment and undue delay compelled denial of leave to amend. The district court also dismissed Holmes’ complaint, finding that his negligence, consumer protection, implied contract and unjust enrichment claims all failed as a matter of law.
The Eighth Circuit affirmed the district court’s dismissal of Holmes’ claims, holding that Holmes’ allegations fell short of stating a claim for relief under his negligence, consumer protection, implied contract and unjust enrichment theories. The court also affirmed the denial of the 15 plaintiffs’ motion for leave to amend.
For Holmes’ negligence claim, the Eighth Circuit held that Holmes had to establish that SuperValu, as a retailer, had a duty under Illinois law to safeguard his credit card information from cyberattacks and that under Illinois law there is no affirmative duty to protect another from that kind of criminal attack unless a “special relationship” exists between the parties. Citing the Seventh Circuit’s decision in Community Bank of Trenton v. Schnuck Markets Inc., where the Seventh Circuit predicted that Illinois would not find a “special relationship” between retailers and their customers existed such that retailers had a duty to protect their customer’s financial information from hackers, the Eighth Circuit held that “[t]he failure of Illinois law to impose this type of common-law duty on merchants mandates dismissal of Holmes’ negligence claim.”
The Eighth Circuit also rejected Holmes’ attempt to save his negligence claim by arguing that it was premised on the duties to protect consumer financial data against hackers imposed by the Federal Trade Commission Act. The court found that “Congress empowered the Commission – and the Commission alone – to enforce the FTCA” and that “[i]mplying a cause of action would be inconsistent with Congress’s anticipated enforcement scheme.” Therefore, the Eighth Circuit concluded that “Illinois is unlikely to recognize a legal duty enforceable through a negligence action arising from the FTCA.”
The Eighth Circuit further held that Holmes’ consumer protection claims brought under the Illinois Consumer Fraud and Deceptive Business Practices Act and the Illinois Uniform Deceptive Trade Practices Act failed because Holmes had not adequately pleaded damages or a likelihood of future harm. A claim under the ICFA requires actual damages as a result of defendant’s conduct. The Eighth Circuit held that “Holmes’ alleged injuries—the expenditure of time monitoring his account, the single fraudulent charge to his credit card and the effort expended replacing his card—do not constitute actual damage.” Nor does the “time Holmes spent protecting himself against the threat of future identity theft… amount to an out-of-pocket loss” as it was a “purely speculative injury.” Similarly, the Eighth Circuit held that Holmes’ claim under UDTPA, which only authorizes injunctive relief, required that Holmes show that he is “likely to be damaged” by SuperValu’s practices in the future, which he was unable to do. Holmes’ implied contract claim also failed because “‘the complaint does not sufficiently allege that plaintiffs were party to [an implied] contract’ with SuperValu.”
Finally, the Eighth Circuit affirmed the dismissal of Holmes unjust enrichment claim because it did not “allege that the defendant has unjustly retained a benefit to the plaintiff’s detriment.” Holmes alleged that SuperValu unjustly retained the money that Holmes paid it for his groceries. This was inadequate because “[b]ecause Holmes d[id] not allege that any specific portion of his payment went towards data protection, he has not alleged a benefit conferred in exchange for protection of his personal information nor has he shown how SuperValu’s retention of his payment would be inequitable.”
The implications of SuperValu are significant. The second SuperValu decision further limits the ability of plaintiffs to bring data breach actions premised on theories of negligence, consumer protection violations, implied contract and unjust enrichment (at least in the Eighth Circuit). By failing to recognize the existence of a special relationship between retailers and their customers and, therefore, a duty to protect customer data against cyberattacks, the Eighth Circuit has made it extremely difficult for data breach plaintiffs to bring negligence claims under Illinois law.
In addition, by finding that attempts to guard against identity theft constitute a speculative injury and not actual damages, the SuperValu decision makes it less likely that data breach plaintiffs will be able to allege viable Illinois consumer protection claims. Similarly, by affirming the dismissal of the implied contract claim, the SuperValu decision restricts plaintiffs to bringing contractual claims only in data breach cases where the terms of the agreement to safeguard data are express and definite.
Finally, by requiring that plaintiffs identify the specific portion of a payment to a defendant that is attributed to data protection, the Eighth Circuit has made it much more unlikely that these plaintiffs will succeed on unjust enrichment claims absent an express payment for data protection. Although Holmes’ claims were all brought under Illinois law, the SuperValu decision may prove persuasive to other courts addressing similar issues.