A federal judge has dismissed an attempt by customers of
Barnes & Noble to sue the bookseller over a 2012 data breach they say
exposed them to an increased risk of identity theft.
In September 2012, PIN-pad terminals in 63 Barnes &
Noble stores were tampered with, allowing individuals known as “skimmers” to
collect customers’ data when they swiped their credit and debit cards. Barnes
& Noble publicly announced the breach six weeks after it was discovered.
The four named plaintiffs in the case then filed a class action
suit against the company. According to court documents, plaintiffs Ray Clutts,
Heather Dieffenbach, Jonathan Honor and Susan Winstead were all customers who
shopped at affected Barnes & Noble stores while the skimming devices were
The plaintiffs’ original complaint, filed in 2013, was
dismissed for lack of standing. On Oct. 3, Judge Andrea R. Wood dismissed all
counts of the plaintiff’s amended complaint, finding that, though the
plaintiffs had established standing, they still failed to state a claim.
The lawsuit had charged
Barnes & Noble with breach of implied contract, violation of the Illinois
Consumer Fraud and Deceptive Business Practices Act, invasion of privacy,
violation of the California Security Breach Notification Act and violation of
California’s Unfair Competition Act.
The invasion of privacy claim was dismissed because the
judge said it applies only to the public disclosure of highly offensive or
embarrassing private information. Not only was the plaintiffs’ personal
information not made public, the court wrote, such data as names, birth dates
and credit card numbers could not be considered offensive or embarrassing.
The four remaining counts all shared the same fatal flaw,
the judge wrote: Failure to show that any of the plaintiffs suffered actual
financial damages as a result of their claims.
On the breach of implied contract claim, the plaintiffs
argued that Barnes & Noble was obligated to “reasonably safeguard” its customers’
personal identifying information. The judge sided with the bookseller in
finding that regardless of whether such a contract existed, under state law, a
breach of contract claim can only stand if the plaintiffs suffered actual
damages. The plaintiffs tried to argue that the cost of protecting its
customers’ data is built into the company’s prices, but the court was
“The court rejects Plaintiffs’ arguments that overpayment
for goods at Barnes & Noble or the loss of the value of Plaintiffs’ PII
represent damages for the purposes of the breach of contract count,” she wrote.
Winstead argued that she had suffered financial losses in
the form of monthly payments to an identity protection monitoring service, but
the amended complaint made it clear that she had subscribed to the service even
before the data breach, according to court documents.
A claim for damages under the ICFA also requires the
plaintiff to show some actual injury suffered as a result of a business’ deception.
The court noted that the law specifically states an increased risk of future
identity theft does not qualify for damages under the act.
The California Security Breach Notification Act only
requires a business that conducts business in California to notify residents
whose information may have been compromised of a data security breach. The
court found that the six-week lag between the discovery of the data breach and
the public announcement was too long under the law, but again, the one
plaintiff who lives in California was unable to show that the lag caused her
That plaintiff’s claim under the Unfair Competition Act in
her home state had the same problem. The Unfair Competition Act prohibits
business practices that create unfair competition, but a claim under the act
must show damages. Case law has established that an increased risk of identity
theft does not qualify as damage under the act, the judge wrote.
Plaintiffs in the case were represented by attorneys with
the firms of Barnow & Associates, of Chicago; Grant & Eisenhofer, of
Chicago; and Siprut P.C., of Chicago.
Barnes & Noble was represented by the firms of Honigman
Miller Schwartz and Cohn, of Chicago; and Arnold & Porter, of Washington,