A federal judge has dismissed an attempt by customers of Barnes & Noble to sue the bookseller over a 2012 data breach they say exposed them to an increased risk of identity theft.
In September 2012, PIN-pad terminals in 63 Barnes & Noble stores were tampered with, allowing individuals known as “skimmers” to collect customers’ data when they swiped their credit and debit cards. Barnes & Noble publicly announced the breach six weeks after it was discovered.
The four named plaintiffs in the case then filed a class action suit against the company. According to court documents, plaintiffs Ray Clutts, Heather Dieffenbach, Jonathan Honor and Susan Winstead were all customers who shopped at affected Barnes & Noble stores while the skimming devices were in place.
The plaintiffs’ original complaint, filed in 2013, was dismissed for lack of standing. On Oct. 3, Judge Andrea R. Wood dismissed all counts of the plaintiffs’ amended complaint, finding that, though the plaintiffs had established standing, they still failed to state a claim.
The lawsuit had charged Barnes & Noble with breach of implied contract, violation of the Illinois Consumer Fraud and Deceptive Business Practices Act, invasion of privacy, violation of the California Security Breach Notification Act and violation of California’s Unfair Competition Act.
The invasion of privacy claim was dismissed because the judge said it applies only to the public disclosure of highly offensive or embarrassing private information. Not only was the plaintiffs’ personal information not made public, the court wrote, such data as names, birth dates and credit card numbers could not be considered offensive or embarrassing.
The four remaining counts all shared the same fatal flaw, the judge wrote: failure to show that any of the plaintiffs suffered actual financial damages as a result of their claims.
On the breach of implied contract claim, the plaintiffs argued that Barnes & Noble was obligated to “reasonably safeguard” its customers’ personal identifying information. The judge sided with the bookseller in finding that regardless of whether such a contract existed, under state law, a breach of contract claim can only stand if the plaintiffs suffered actual damages. The plaintiffs tried to argue that the cost of protecting its customers’ data is built into the company’s prices, but the court was unconvinced.
“The court rejects Plaintiffs’ arguments that overpayment for goods at Barnes & Noble or the loss of the value of Plaintiffs’ PII represent damages for the purposes of the breach of contract count,” she wrote.
Winstead argued that she had suffered financial losses in the form of monthly payments to an identity protection monitoring service, but the amended complaint made it clear that she had subscribed to the service even before the data breach, according to court documents.
A claim for damages under the ICFA also requires the plaintiff to show some actual injury suffered as a result of a business’ deception. The court noted that the law specifically states an increased risk of future identity theft does not qualify for damages under the act.
The California Security Breach Notification Act requires only that a business operating in California notify residents of a data security breach that may have compromised their information. The court found that the six-week lag between the discovery of the data breach and the public announcement was too long under the law, but again, the one plaintiff who lives in California was unable to show that the lag caused her any injury.
That plaintiff’s claim under the Unfair Competition Act in her home state had the same problem. The Unfair Competition Act prohibits business practices that create unfair competition, but a claim under the act must show damages. Case law has established that an increased risk of identity theft does not qualify as damage under the act, the judge wrote.
Plaintiffs in the case were represented by attorneys with the firms of Barnow & Associates, of Chicago; Grant & Eisenhofer, of Chicago; and Siprut P.C., of Chicago.
Barnes & Noble was represented by the firms of Honigman Miller Schwartz and Cohn, of Chicago; and Arnold & Porter, of Washington, D.C.