Data Breach Class Action Against Michael Stores Doesn’t Stick

[Audrey McNeil <audrey () riskbasedsecurity com>]

http://www.jdsupra.com/legalnews/data-breach-class-action-against-45762/

The arts and crafts retail chain Michael Stores Inc. (“Michaels”) received
a late holiday gift in the form of a dismissal of a data breach class
action lawsuit. On December 28, 2015, the U.S. District Court for the
Eastern District of New York granted Michaels’ motion to dismiss. This is
at least the second data breach class action lawsuit dismissed against
Michaels.[1]

On January 25, 2014, Michaels notified its customers of fraudulent activity
on some credit cards from May 8, 2013 to January 27, 2014; 3 months later
it confirmed a data breach from malware that accessed customers’ credit and
debit card information estimated at affecting 2.6 million cards.

The named plaintiff alleged actual harm including monetary losses arising
from unauthorized bank account withdrawals, fraudulent card payments and/or
related bank fees. The named plaintiff only experienced one attempted
fraudulent charge before she cancelled her credit card, but did not allege
she suffered any unreimbursed charges (there was no allegation the named
plaintiff was required to pay the one fraudulent charge).

The plaintiff also alleged potential future harm arising out of costs
associated with identity theft and the increased risk of identity theft.

The court dismissed (without prejudice) the lawsuit for plaintiff’s lack of
Article III standing. Key to the court’s ruling is that the named plaintiff
did not allege that she suffered any unreimbursed charges, i.e., actual
harm. This is the same ruling for which similar data breach class actions
have been dismissed against P.F. Chang’s, Zappos, among many others.

The court also ruled that the plaintiff failed to allege an injury that is
“certainly impending” or based on a “substantial risk that the harm will
occur,” citing the Supreme Court’s 2013 ruling in Clapper v. Amnesty
International USA (Allegations of future harm can establish Article III
standing only “if the threatened injury is ‘certainly impending,’ or there
is a ‘substantial risk’ that the harm will occur.”)

This opinion follows a long list of opinions ruling that plaintiffs in data
breach cases do not have standing to sue under Article III unless they can
show actual harm or “certainly impending” harm or that “a substantial risk
that harm will occur” from the data breach.

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
Need access to data breach details or alerts when new breaches happen? Risk Based Security's Cyber Risk Analytics 
portal, fueled by the RBS breach research team, provides detailed information on how data breaches occur and which 
vendors to trust. Contact us today for a demo.