On April 11, 2018, the Seventh Circuit reversed and remanded a district court decision dismissing, for lack of standing, a class action brought against Barnes & Noble related to a 2012 “skimming” attack suffered by the bookseller.
In a decision penned by Judge Easterbrook, the court described how in 2012 Barnes & Noble learned that “scoundrels” compromised PIN pads used to verify purchases. Personally Identifiable Information (PII) was exfiltrated by said scoundrels, including customer names, credit card numbers (and expiration dates) and customer PINs. In the aftermath, some plaintiffs were prevented from accessing their funds until banks resolved unauthorized charges. Others expended funds on credit-monitoring services to protect their interests or spent time and effort to acquire new account numbers and notify businesses of the changes.
Describing the district court’s decision as “a new label for an old error,” the Seventh Circuit recalled its precedent in this area, where it has, on multiple occasions, granted standing to plaintiffs who experience a loss of their data caused by a data breach. The court held that this case falls squarely within its line of cases on this matter because members of the class (1) may have spent money for credit-monitoring services; (2) suffered unauthorized withdrawals from their accounts (regardless of subsequent restoration of funds by banks); and (3) spent time undertaking corrective measures, like obtaining new account numbers.
However, the per curiam decision expressed doubts about the merits of the case going forward—questioning the commonality of the numerous plaintiffs to justify a class action, and whether the state law allegations would hold liable retailers who fail to “crime-proof” their payment systems. The court wrote: “[p]laintiffs may have a difficult task showing an entitlement to collect damages from a fellow victim of the data thieves. It is also far from clear that this suit should be certified as a class action; both the state laws and the potential damages are disparate.”
In the absence of federal legislation, many victims of data breaches are exposed to the dreaded motion to dismiss because the state contract and tort claims upon which their claims rest are often not directed toward the unique circumstance that a data breach presents, where both sides of the case are victims to a third party’s action. With decisions such as this, however, courts like the Seventh Circuit have offered plaintiffs another leg to stand on.
For more information about Seventh Circuit jurisprudence on data breaches, see this case and other notable ones:
Dieffenbach v. Barnes & Noble, 2018 U.S. App. LEXIS 9051, No. 17-2408 (7th Cir. Apr. 11, 2018)
Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688 (7th Cir. 2015)
Lewert v. P.F. Chang’s China Bistro, Inc., 819 F.3d 963 (7th Cir. 2016)