On April 11, 2018, the Seventh Circuit reversed a district court’s dismissal, for failure to state a claim, of plaintiffs’ proposed class action arising out of a 2012 data breach affecting Barnes & Noble.[1] In so holding, the court reaffirmed its view that allegations of data theft with a substantial risk of future harm are sufficient to assert an “injury” under Article III, even in the absence of allegations that the risk actually materialized.[2] The Seventh Circuit further found that such injury may also satisfy the requisite damages allegations under federal pleading requirements.
The instant decision arose out of a 2012 incident, in which Barnes & Noble discovered a data breach affecting PIN pads used to verify customer payment information. The breach allowed hackers to acquire information including customer names, credit card numbers, expiration dates, and PIN numbers. Customers asserted losses in the form of: (i) temporary inability to use their funds while waiting for their banks to reverse unauthorized charges to their accounts; (ii) money spent on credit-monitoring services; and (iii) time devoted to acquiring new account numbers and notifying businesses of these changes.
Barnes & Noble moved to dismiss the complaint, and the district court granted its motion, finding that although the complaint alleged a sufficient Article III injury—under the Circuit’s prior holding that customers who experience data theft have standing to sue[3]—plaintiffs nonetheless failed to adequately plead damages.[4] On appeal, the Seventh Circuit referred to the district court’s decision as “a new label for an old error,” and found that the alleged injuries “can justify money damages, just as they support standing.” After finding that plaintiffs’ alleged injuries would be compensable under the applicable state laws, the court remanded to the district court to consider in the first instance whether plaintiffs’ claims otherwise pass muster under those laws, as well as the issue of class certification.
While there has been much discussion about the circuit split regarding standing to sue in data breach cases, this case serves as a reminder that even where standing is met through alleged risk of future harm alone, plaintiffs still have to satisfy the element of damages. In light of the Seventh Circuit’s decision, however, it remains to be seen whether courts will impose a vigorous pleading standard for damages allegations in data breach cases, particularly in circuits where there are more relaxed standing requirements, which—though an independent doctrine—overlap with damages requirements in the data breach context.
[1] See Dieffenbach v. Barnes & Noble, Inc., No. 17-2408, 2018 WL 1737128 (7th Cir. Apr. 11, 2018).
[2] As described in our most recent blog post, there is a circuit split regarding the issue of Article III standing in data breach cases, with the D.C., Third, Sixth, Seventh, Ninth, and Eleventh Circuits, on one side, finding allegations of data theft with the attendant risk of future harm sufficient to confer Article III standing and, on the other side, the Second, Fourth, and Eighth Circuits finding that allegations based solely on the risk of future harm are insufficient to satisfy Article III’s injury requirements.
[3] See Remijas v. Neiman Marcus Grp., 794 F.3d 688, 693 (7th Cir. 2015).
[4] See In re Barnes & Noble Pin Pad Litig., No. 12-cv-08617, 2017 WL 2633398 (N.D. Ill. June 13, 2017), vacated sub nom. Dieffenbach v. Barnes & Noble, Inc., No. 17-2408, 2018 WL 1737128 (7th Cir. Apr. 11, 2018) .