On January 7, the District Court for the District of Minnesota tossed a putative class action against SuperValu, Inc., finding that the plaintiffs’ claims of possible future harm were too speculative to satisfy Article III standing requirements.
In this multi-district litigation, sixteen named plaintiffs alleged they were harmed by two 2014 data breaches where hackers gained access to the grocery stores’ network for payment card transactions. Customer data at over 1,000 of SuperValu’s stores was accessed. However, the plaintiffs could only allege a single unauthorized charge on one the plaintiff’s credit cards. Additionally, the Court found that even this incident was not indicative of data misuse that was fairly traceable to the data breaches. Based on the lack of concrete harm, Judge Ann D. Montgomery held that the case must be dismissed for want of subject matter jurisdiction.
The plaintiffs attempted to avoid dismissal by arguing in part that they were forced to spend time monitoring their account information to guard against potential fraud and that they face a substantial risk of future harm. However, Judge Montgomery rejected each argument. “[T]he cost to mitigate the risk of future harm does not constitute an injury in fact unless the future harm being mitigated against is itself imminent,” wrote Judge Montgomery. “The passage of nearly a year and a half without the occurrence of harm traceable to the Data Breach makes it unlikely that such threatened harm is imminent.”
Plaintiffs additionally argued damages based on an alleged invasion of privacy and breach of confidentiality. Again, the Court held that the plaintiffs failed to show that the loss of privacy and confidentiality resulted in a concrete injury, and thus this theory of standing was also dismissed.
Finally, the plaintiffs claimed that they were harmed by the lost benefit of their bargain. In other words, plaintiffs claimed that the value of the goods they purchased was diminished as a result of the security breach. Plaintiffs failed to plead any facts showing that the breach diminished the value of the groceries purchased, and that the price they paid for the goods included an amount that both parties understood would be allocated toward protecting consumer data.
This case highlights a strong defense tactic for companies defending data breach litigation.