Elawyers Elawyers
Washington| Change

IN RE BARNES & NOBLE PIN PAD LITIGATION, 12-cv-8617. (2013)

Court: District Court, N.D. Illinois Number: infdco20130905b09 Visitors: 3
Filed: Sep. 03, 2013
Latest Update: Sep. 03, 2013
Summary: MEMORANDUM OPINION AND ORDER JOHN W. DARRAH, District Judge. Plaintiffs Ray Clutts, Heather Dieffenbach, Jonathan Honor, and Susan Winstead have filed a Consolidated Class Action Complaint against Defendant Barnes & Noble, Inc., alleging five causes of action: (1) breach of contract; (2) violation of the Illinois Consumer Fraud and Deceptive Business Practices Act ("ICFA"), 815 ILCS 505/1 et seq.; (3) invasion of privacy; (4) violation of California Security Breach Notification Act, Cal.
More

MEMORANDUM OPINION AND ORDER

JOHN W. DARRAH, District Judge.

Plaintiffs Ray Clutts, Heather Dieffenbach, Jonathan Honor, and Susan Winstead have filed a Consolidated Class Action Complaint against Defendant Barnes & Noble, Inc., alleging five causes of action: (1) breach of contract; (2) violation of the Illinois Consumer Fraud and Deceptive Business Practices Act ("ICFA"), 815 ILCS § 505/1 et seq.; (3) invasion of privacy; (4) violation of California Security Breach Notification Act, Cal. Civ. Code § 1798.80 et seq.; and (5) violation of California's Unfair Competition Act ("UCA"), Cal. Bus. & Prof. Code § 17200 et seq. Barnes & Noble moves to dismiss the Complaint pursuant to Fed. R. Civ. P. 12(b)(1) and 12(b)(6).

BACKGROUND

Barnes & Noble is a Delaware corporation with its principal place of business in New York. (Compl. ¶ 15.) Barnes & Noble is the largest book retailer in the United States, with nearly 700 retail book stores throughout the country. (Id.) Barnes & Noble uses PIN pad terminals to process its customers' credit and debit card payments in its retail stores. (Id. ¶ 16.) To make a purchase using a PIN pad terminal, a customer swipes her card and, if it is a debit card, enters her PIN. (Id. ¶ 17.) The PIN pad will temporarily store the cardholder's card information and PIN, transmitting the information to a bank for verification to complete the purchase. (Id.)

"Skimming" is a form of electronic hacking that enables the unauthorized collection of credit and debit card data. (Id. ¶ 18.) On October 24, 2012, Barnes & Noble announced to the public it had experienced a security breach, whereby unsolicited individuals, known as "skimmers," potentially stole customer credit and debit information from sixty-three locations. (Compl. ¶ 2.) These sixty-three stores were located in nine states: California, Connecticut, Florida, Illinois, Massachusetts, New Jersey, New York, Pennsylvania, and Rhode Island. (Id. ¶ 46.) The security breach occurred when the skimmers tampered with PIN pad devices in the Barnes & Noble stores in order to steal information from customers who used the devices to process transactions. (Id. ¶¶ 2, 18, 46.) There was a nearly six-week delay between the time Barnes & Noble became aware of the security breach and when it publically announced it. (Id. ¶ 46.) Barnes & Noble announced the security breach to the press and published a notice on its website, which instructed customers to take precautions against identity theft and fraud. (Id. ¶¶ 52-53, 55.) Barnes & Noble did not directly notify its customers that a security breach occurred. (Id. ¶ 58.)

Plaintiffs in this action were customers of Barnes & Noble during the time period when the skimming occurred. (Id. ¶¶ 10-13.) Clutts and Honor are Illinois citizens who made purchases with their debit cards at breached Barnes & Noble stores in Deer Park, Illinois, and Chicago, Illinois, respectively. (Id. ¶¶ 10, 12.) Dieffenbach is a California citizen who made a purchase with her debit card at a Barnes & Noble store that was breached in Calabasas, California. (Id. ¶ 11.) Winstead is an Illinois citizen who made a purchase with her credit card at a breached Barnes & Noble store in Deerfield, Illinois. (Id. ¶ 13.)

Plaintiffs claim they suffered many different types of damages due to the security breach, including: untimely and inadequate notification of the security breach, improper disclosure of their personal identifying information or "PII", loss of privacy, expenses incurred in efforts to mitigate the increased risk of identity theft or fraud, time lost mitigating the increased risk of identity theft or fraud, an increased risk of identity theft, deprivation of the value of Plaintiffs' PII, and anxiety and emotional distress. (Id. ¶¶ 67-69.) Only Winstead suffered from actual fraudulent activity, when a fraudulent charge was made to her credit card. (Id. ¶ 14.) This fraudulent charge occurred after she shopped at the breached Barnes & Noble store. (Id.) Winstead was contacted by her credit card company about a potentially fraudulent charge, she confirmed it was fraudulent; her card was cancelled; and Winstead was unable to use her credit card until a replacement card arrived. (Id.)

An individual's PII has value, both to the individual and on the black market. (Id. ¶¶ 59-62.) The value on the black market has been estimated to be between $1.50 and $90.00 per card number. (Id. ¶ 65.) There is also value in keeping this information private. (Id. ¶ 63.) At the time of the security breach, Barnes & Noble did not adhere to security protocols and regulations mandated by its credit partners, such as Visa and other members of the payment card industry ("PCI"). (Id. ¶¶ 25-30, 32-34.)

LEGAL STANDARD

Fed. R. Civ. P. 12(b)(1) permits a defendant to move for the dismissal of a claim due to lack of standing. See Retired Chicago Police Ass'n. v. City of Chicago, 76 F.3d 856, 862 (7th Cir. 1996). The plaintiff bears the burden of showing the jurisdictional requirements, including standing, have been met. Kathrein v. City of Evanston, 636 F.3d 906, 914 (7th Cir. 2011) (citing Apex Digital, Inc. v. Sears, Roebuck & Co., 572 F.3d 440, 443 (7th Cir. 2009)). All material allegations of the complaint are construed as true, and all reasonable inference are drawn in favor of the plaintiff when determining these motions. Apex Digital, 572 F.3d at 444. "[T]he question of standing is whether the litigant is entitled to have the court decide the merits of the dispute or particular issues." Id. (citations and quotations omitted).

ANALYSIS

Barnes & Noble's Motion to Dismiss Pursuant to Fed. R. Civ. P. 12(b)(1)

Barnes & Noble moves to dismiss the Complaint under Fed. R. Civ. P. 12(b)(1). Barnes & Noble asserts Plaintiffs lack standing to bring the claims alleged in the Complaint. For the following reasons, the motion to dismiss for lack of standing is granted. Hence, the issues raised by Barnes & Noble regarding Plaintiffs' failure to state a claim upon which relief may be granted need not be addressed.

Lack of Standing

To establish standing, a plaintiff must demonstrate: "(1) that [plaintiff] suffered an injury in fact (2) that is fairly traceable to the action of the defendant and (3) that will likely be redressed with a favorable decision." Kathrein, 636 F.3d at 914 (quoting Books v. City of Elkhart, 235 F.3d 292, 299 (7th Cir. 2000)). The plaintiff bears the burden of alleging facts sufficient to establish standing; there is no burden on the defendant to show standing does not exist. Lujan v. Defenders of Wildlife, 504 U.S. 555, 561 (1992). The United States Supreme Court has explained an injury that is "certainly impending" can establish injury in fact for the purposes of standing, though "[a]llegations of possible future injury are not sufficient." Clapper v. Amnesty Int'l USA, 133 S.Ct. 1138, 1147 (2013) (citation and internal quotation marks omitted).

The Complaint alleges many forms of injury: untimely and inadequate notification of the security breach, improper disclosure of Plaintiffs' PII, invasion of privacy, expenses incurred in efforts to mitigate the increased risk of identity theft or fraud caused by the security breach, time lost mitigating the increased risk of identity theft or fraud caused by the security breach, an increased risk of identity theft, deprivation of the value of Plaintiffs' PII, anxiety and emotional distress, and diminished value of products and services. (Compl. ¶¶ 67-68.)

Untimely and/or Inadequate Notification of the Security Breach

The Plaintiffs' claim that they were injured by Barnes & Noble's failure to promptly notify them of the security breach is insufficient to establish standing. This claim of injury asserts that the delay or inadequacy of the notification has increased the risk to Plaintiffs of suffering some actual injury due to the security breach. Merely alleging an increased risk of identity theft or fraud is insufficient to establish standing. As the Supreme Court held in Clapper, "threatened injury must be certainly impending to constitute injury in fact, and . . . [a]llegations of possible future injury are not sufficient." Clapper, 133 S. Ct. at 1147 (citation and internal quotation marks omitted). Plaintiffs note Clapper contains a footnote allowing "substantial risk" to establish standing, but the footnote further states that "plaintiffs bear the burden of pleading and proving concrete facts showing that the defendant's actual action has caused the substantial risk of harm." Clapper, 133 S. Ct. at 1150 n.5. Nothing in the Complaint indicates Plaintiffs have suffered either a "certainly impending" injury or a "substantial risk" of an injury, and therefore, the increased risk is insufficient to establish standing.

An additional possibility for actual injury arising from delayed or inadequate notice is that such notice violated the statutes cited by Plaintiffs, the ICFA and the Database Breach Act, and the violation of one or more of these statutes constitutes actual injury sufficient to convey standing. However, this argument is misplaced. Even assuming the statutes have been violated by the delay or inadequacy of Barnes & Noble's notification, breach of these statutes is insufficient to establish standing without any actual damages due to the breach. Plaintiffs must plead an injury beyond a statutory violation to meet the standing requirement of Article III. See Kyles v. J.K. Guardian Sec. Services, Inc., 222 F.3d 289, 295 (7th Cir. 2000). Also, both statutes stipulate there must be injury beyond the mere violation of the statute. 815 ILCS 505/10a (relief is granted to "[a]ny person who suffers actual damage as a result of a violation."); Cal. Civ. Code § 1798.84(b) (relief is granted to "[a]ny customer injured by a violation."). Accordingly the purported untimely or inadequate notification of the security breach by Barnes & Noble is insufficient to establish Plaintiffs suffered actual injury for purposes of Article III standing.

Improper Disclosure of Plaintiffs' PII

The Plaintiffs' claim of injury in the form of the improper disclosure of their PII is insufficient to establish standing. Here, there is no actual injury pled because there are no facts to support the allegations that the information was disclosed. While all reasonable inferences are construed in favor of the Plaintiffs, there is no factual statement here that allows such an inference. Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009). Plaintiffs seek to establish that their information was stolen simply because Plaintiffs made credit and debit card purchases at Barnes & Noble stores affected by the security breach. The inference that their data was stolen, based merely on the security breach, is too tenuous to support a reasonable inference that can be made in Plaintiffs' favor. Defendants cite a case from Missouri with facts similar to the case at bar, with the exception that in the Missouri case the plaintiff admitted he did not know whether his personal information had been stolen. Amburgy v. Express Scripts, Inc., 671 F.Supp.2d 1046, 1052 (E.D. Mo. 2009). That court held a possible disclosure of information did not qualify as an actual injury. Id. Here, Plaintiffs also have not pled any facts to support the conclusion that their information was disclosed. Therefore, Plaintiffs have not alleged an actual injury with respect to the potential disclosure of their personal information.

Loss of Privacy

The Plaintiffs' claim of actual injury in the form of loss of privacy is insufficient to establish standing. The claimed loss of privacy relies on the same tenuous reasoning as the previous claim of improper disclosure of the PII of the Plaintiffs, as there are no facts alleged to support the conclusion Plaintiffs' information was disclosed, which is necessary for there to cause a loss of privacy. For this reason, the loss of privacy is insufficient to convey standing.

Time and Expenses Incurred to Mitigate Risks of Identity Theft

The Plaintiffs' claim of injury in the form of expenses incurred to mitigate an increased risk of identity theft or fraud is also insufficient to establish standing. The Complaint alleges Plaintiffs incurred expenses in order to mitigate an increased risk of identity theft or fraud, but it does not allege what those expenses are with any specificity. Even if specific expenses had been alleged, such expenses would not qualify as actual injuries under Clapper. Clapper, 133 S. Ct. at 1152-53 ("costs that they have incurred to avoid [injury]" are insufficient, even if the fear is "subjective"). Plaintiffs "cannot manufacture standing by incurring costs in anticipation of non-imminent harm." Id. at 1155. Plaintiffs have not pled the harm they potentially face is imminent, and, as previously discussed, they cannot do so because they have not sufficiently alleged the information they are trying to protect was actually stolen. Because of this, the costs they incurred in attempting to minimize their risks due to the security breach do not qualify as actual harm and thereby do not confer standing. Similarly, Plaintiffs' allegations, as pled, of actual injury in the form of time spent mitigating an increased risk of identity theft or fraud is insufficient to establish standing.

Increased Risk of Identity Theft

The Plaintiffs' claim of actual injury in the form of increased risk of identity theft is insufficient to establish standing. As discussed above, speculation of future harm does not constitute actual injury. Clapper, 133 S. Ct. at 1148. Because of this, the increased risk of identity theft is insufficient to convey standing upon Plaintiffs.

Deprivation of the Value of Plaintiffs' PII

The Plaintiffs' claim of injury in the form of deprivation of the value of their PII is insufficient to establish standing. Actual injury of this sort is not established unless a plaintiff has the ability to sell his own information and a defendant sold the information. See Yunker v. Pandora Media, Inc., 11-CV-03113 JSW, 2013 WL 1282980, at *4 (N.D. Cal. Mar. 26, 2013); LaCourt v. Specific Media, Inc., No. SACV 10-1256-GW(JCGx), 2011 WL 1661532, at *4-*5 (C.D. Cal. Apr. 28, 2011). Plaintiffs do not allege their personal information was sold, nor do they allege the information could be sold by Plaintiffs for value. Therefore, there is no actual injury, and therefore, no standing based on deprivation of the value of the Plaintiffs' PII.

Anxiety and Emotional Distress

The Plaintiffs' claim of injury in the form of anxiety and emotional distress is insufficient to establish standing. This issue is, essentially, whether anyone who has made a purchase at a store with a security breach can claim any emotional distress or anxiety as actual damages for the purposes of establishing standing. Again, taking the facts pled in a light most favorable to the Plaintiffs, Plaintiffs are unable to demonstrate emotional distress or anxiety sufficient to establish standing in this case. Emotional distress in the wake of a security breach is insufficient to establish standing, particularly in a case that does not involve an imminent threat to the information. See Reilly v. Ceridian Corp., 664 F.3d 38, 42-43 (3d Cir. 2011) (rejecting standing for an emotional distress claim in a data security breach case and noting "The hacker did not change or injure Appellants' bodies; any harm that may occur—if all of Appellants' stated fears are actually realized—may be redressed in due time through money damages after the harm occurs with no fear that litigants will be dead or disabled from the onset of the injury."). Dieffenbach's anxiety following the security breach is insufficient to establish standing, as there is no indication there is an imminent threat of her information being used in a malicious way, as has been previously discussed.

Diminished Value of Products and Services

The Plaintiffs' claim of actual injury in the form of diminished value of products and services is insufficient to establish standing. Plaintiffs assert they overpaid for the products and services purchased from Barnes & Noble, because they were paying for the security measures Barnes & Noble was supposed to employ to protect credit and debit transactions. Barnes & Noble's failure to employ those security measures diminished the value of Plaintiffs' purchased products and services. Plaintiffs' argument is not persuasive, particularly as Plaintiffs have not pled that Barnes & Noble charged a higher price for goods whether a customer pays with credit, and therefore, that additional value is expected in the use of a credit card. Thus, this theory of damages is insufficient to establish standing.

Plaintiff Winstead's Fraudulent Charge

The only cognizable potential injury alleged in the Complaint is the fraudulent charge on Winstead's credit card, which followed a purchase she made at a breached Barnes & Noble store in Deerfield, Illinois. Even assuming the fraudulent charge is due to the actions or inactions of Barnes & Noble, Winstead has not pled that actual injury resulted and that she suffered any monetary loss due to the fraudulent charge. She alleges she was without the use of her credit card for the period of time it took to replace her card, but there is no indication of how long this was, or any other facts regarding this period of time. In order to have suffered an actual injury, she must have had an unreimbursed charge on her credit card; the most that is alleged is a time lag of an unknown length between learning of the fraudulent charge and receiving a new credit card. In re Michaels Stores Pin Pad Litig., 830 F.Supp.2d 518, 527 (N.D. Ill. 2011) ("[Defendant] is correct that Plaintiffs suffered no actual injury . . . if Plaintiffs were reimbursed for all unauthorized withdrawals and bank fees and, thus, suffered no out-of-pocket losses.") (citing Clark v. Experian Information Solutions, Inc., 2006 WL 2224049, at *3 (N.D. Ill. Aug. 2, 2006)). Moreover, it is not directly apparent that the fraudulent charge was in any way related to the security breach at Barnes & Noble. For these reasons, there is no actual injury and therefore, no standing.

Standing is "an indispensable part of the plaintiff's case . . . ." Lujan, 504 U.S. at 561. Accordingly, because subject matter jurisdiction does not exist here, the case is dismissed, and it is unnecessary to consider Defendant's arguments under Fed. R. Civ. P. 12(b)(6).

CONCLUSION

For the reasons provided above, Barnes & Noble's Motion to Dismiss for lack of standing pursuant to Rule 12(b)(1) is granted.

Source:  Leagle

Can't find what you're looking for?

Post a free question on our public forum.
Ask a Question
Search for lawyers by practice areas.
Find a Lawyer