By Thomas G. Wolfe, J.D.
Although a consumer brought a proposed class action against Michael Stores Inc. (Michaels) in connection with a data breach at the arts-and-crafts retail chain affecting approximately 2.6 million credit and debit cards, the U.S. District Court for the Eastern District of New York recently dismissed the action. In rejecting the consumer’s lawsuit, which asserted state claims for breach of implied contract and for violations of the New York General Business Law provision governing deceptive acts and practices, the court determined that the consumer lacked standing to bring the suit because she failed to sufficiently allege the requisite level of harm and damages resulting from the data breach.
Providing some context for the court’s Dec. 28, 2015, decision in Whalen v. Michael Stores Inc., in April 2014, Michaels reported that hackers had used a “highly sophisticated malware” to obtain credit and debit card information from its computer systems. While the retailer indicated that there was no evidence that the hackers were able to retrieve customer “names, addresses, or PIN numbers,” Michaels offered free credit monitoring to its customers that may have been affected by the data breach that occurred between May 2013 and January 2014.
The consumer contended that, as a result of “unauthorized fraudulent charges” on her credit card, she experienced five different types of injuries. However, the court ultimately rejected the consumer’s contention and ruled that she lacked standing under Article III of the U.S. Constitution to bring her class-action lawsuit against Michaels. The court’s reasoning is instructive for this type of data-breach litigation because the court asserted that the consumer not only failed to sufficiently allege any concrete injury or damages arising out of the data breach, she also failed to explain how she faced any significant future threat of “certainly impending injuries.”
For instance, in reaching its decision, the court emphasized that: (1) the consumer did not allege that she suffered any unreimbursed charges, but only alleged that her credit card was “physically presented” for payment; (2) even if the pending credit card charges had been accepted by the consumer’s bank, she still would not have incurred any liability—given the zero-fraud-liability policy of her card issuer and “of every major card issuer in the country”; (3) the consumer’s contention about lost time and money associated with Michaels’ credit-monitoring offer did not pass muster because the U.S. Supreme Court has previously questioned this argument and because the consumer cancelled her credit card, thereby diminishing a need for identity-theft protection; (4) the consumer failed to allege that Michaels charged a different price for credit card payments and cash payments or that Michaels used any customer payments for its security services; (5) the consumer did not adequately explain how the value of her personal information was diminished by the data breach; (6) the consumer’s threadbare claim that Michaels violated the New York General Business Law was not supported by any “actual injury”; and (7) allegations of some possible future injury or harm were not enough; the consumer failed to allege a threatened injury that was “certainly impending” or a substantial risk that harm would occur.
For more information about data-breach litigation impacting the financial services industry, subscribe to the Banking and Finance Law Daily.