BreachExchange mailing list archives
Data Breach Class Action Against Michael Stores Doesn’t Stick
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 22 Jan 2016 14:24:04 -0700
http://www.jdsupra.com/legalnews/data-breach-class-action-against-45762/ The arts and crafts retail chain Michael Stores Inc. (“Michaels”) received a late holiday gift in the form of a dismissal of a data breach class action lawsuit. On December 28, 2015, the U.S. District Court for the Eastern District of New York granted Michaels’ motion to dismiss. This is at least the second data breach class action lawsuit dismissed against Michaels.[1] On January 25, 2014, Michaels notified its customers of fraudulent activity on some credit cards from May 8, 2013 to January 27, 2014; 3 months later it confirmed a data breach from malware that accessed customers’ credit and debit card information estimated at affecting 2.6 million cards. The named plaintiff alleged actual harm including monetary losses arising from unauthorized bank account withdrawals, fraudulent card payments and/or related bank fees. The named plaintiff only experienced one attempted fraudulent charge before she cancelled her credit card, but did not allege she suffered any unreimbursed charges (there was no allegation the named plaintiff was required to pay the one fraudulent charge). The plaintiff also alleged potential future harm arising out of costs associated with identity theft and the increased risk of identity theft. The court dismissed (without prejudice) the lawsuit for plaintiff’s lack of Article III standing. Key to the court’s ruling is that the named plaintiff did not allege that she suffered any unreimbursed charges, i.e., actual harm. This is the same ruling for which similar data breach class actions have been dismissed against P.F. Chang’s, Zappos, among many others. The court also ruled that the plaintiff failed to allege an injury that is “certainly impending” or based on a “substantial risk that the harm will occur,” citing the Supreme Court’s 2013 ruling in Clapper v. Amnesty International USA (Allegations of future harm can establish Article III standing only “if the threatened injury is ‘certainly impending,’ or there is a ‘substantial risk’ that the harm will occur.”) This opinion follows a long list of opinions ruling that plaintiffs in data breach cases do not have standing to sue under Article III unless they can show actual harm or “certainly impending” harm or that “a substantial risk that harm will occur” from the data breach.
_______________________________________________ Dataloss Mailing List (dataloss () datalossdb org) Archived at http://seclists.org/dataloss/ Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss For inquiries regarding use or licensing of data, e-mail sales () riskbasedsecurity com Supporters: Risk Based Security (http://www.riskbasedsecurity.com/) Need access to data breach details or alerts when new breaches happen? Risk Based Security's Cyber Risk Analytics portal, fueled by the RBS breach research team, provides detailed information on how data breaches occur and which vendors to trust. Contact us today for a demo.
Current thread:
- Data Breach Class Action Against Michael Stores Doesn’t Stick Audrey McNeil (Jan 25)