Saying a “trifling loss” is still a loss under state consumer protection laws, a federal appeals panel has reopened the book on a potential class action lawsuit against Barnes & Noble over a 2012 data breach that cost customers some time and money in protecting themselves from potential identity theft, and which the appellate judges took care to note also victimized the chain of big box bookstores.
On April 11, a three-judge panel of the U.S. Seventh Circuit Court of Appeals said a Chicago federal judge had wrongly dismissed the lawsuit.
“This seems to us a new label for an old error,” Seventh Circuit Judge Frank Easterbrook wrote in the unanimous opinion.
He was joined in the opinion by Seventh Circuit Chief Judge Diane Wood and Circuit Judge David Hamilton.
The lawsuit dates back to 2012, when plaintiffs Heather Dieffenbach and Susan Winstead brought the action in Chicago federal court, asserting Barnes & Noble violated Illinois consumer fraud law and California laws governing businesses’ notification duties following data breaches, in the aftermath of a data security breach that allegedly compromised personal and financial information for customers of the retail chain.
According to court documents and other published sources, “scoundrels,” as Easterbrook described them, used devices known as “skimmers” to tamper with PIN-pad terminals in 63 Barnes & Noble stores in September 2012, swiping customer data when customers swiped their credit and debit cards while making purchases at the stores.
Barnes & Noble, however, allegedly waited six weeks after learning of the breach to inform the public, the lawsuit asserted, violating the state laws.
In 2013, the plaintiffs’ original complaint was dismissed for lack of standing. The plaintiffs then filed an amended complaint, and, in October 2017, U.S. District Judge Andrea Wood again moved to shelve the lawsuit, saying that, while the plaintiffs had now demonstrated standing, they could not demonstrate they had suffered any actual losses.
The judge rejected plaintiffs’ attempts to argue they had suffered losses in time and money dealing with the aftermath of the data breach, including waiting days for banks to restore “funds someone else had used to make a fraudulent purchase” and paying monthly fees for credit monitoring to ensure no other data thieves used their pilfered information for nefarious ends.
“Plaintiffs’ alleged injuries to the value of their PII (personal identifying information), their time spent with bank and police employees, and any emotional distress they might have suffered are not injuries sufficient to state a claim,” Judge Andrea Wood wrote in her 2017 decision. “In a similar vein, Plaintiffs’ temporary inability to use their bank accounts is also insufficient to state a claim - the temporary inability to use a bank account is not a monetary injury in itself, and Plaintiffs have not set forth any allegations about how they suffered monetary injury due to the inconvenience of not being able to access their accounts.”
On appeal, the Seventh Circuit judges noted an Illinois state appeals court had similarly found “that a person who purchases credit-monitoring services after a merchant discloses personal information has not suffered actual damages.”
But in the opinion, Easterbrook said these determinations defy “the breadth of the statutory language,” which indicates even small amounts of money lost can still support even a sweeping legal action.
“Money out of pocket is a standard understanding of actual damages in contract law, antitrust law, the law of fraud and elsewhere,” Easterbrook wrote. “To get damages plaintiffs must show that culpable data breach caused the monthly payments, but the complaint cannot be dismissed before giving the class an opportunity to do so.”
In this specific case, Easterbrook noted Judge Andrea Wood’s findings ran counter to the language of two California laws and an Illinois law. In the California Customer Records Act and its Unfair Competition Law, Easterbrook noted the plaintiffs need only demonstrate they had suffered “lost money or property.” And in this case, he said, plaintiffs had done so.
“Losing the use of money for three days may be a trifle to some people (though to others it may be a calamity), but a trifling loss suffices under California law,” Easterbrook wrote. “And state courts have said that significant time and paperwork costs incurred to rectify violations also can qualify as economic losses.”
And in Illinois, the appeals judges said a $17-a-month cost for credit monitoring can suffice as “actual damage” under the state’s consumer fraud law and nearly identical laws in other states across the country.
“It is real and measurable,” Easterbrook wrote. “Illinois does not require more.”
The judges also took time in their opinion to note the data breach also victimized Barnes & Noble, as the retail chain’s “reputation took a hit,” and the company had to pay to replace breached customer terminals, among other steps and costs following the breach.
And the judges said they harbored doubt as to whether the lawsuit could succeed, particularly as a class action.
They nonetheless reversed Judge Andrea Wood’s decision, and returned the matter to federal district court for further proceedings.
Barnes & Noble is represented by attorneys Peter V. Baugher, of Baugher Dispute Resolution LLC, of Chicago; and Kenneth Lee Chernof, of Arnold & Porter LLP, of Washington, D.C.
Plaintiffs are represented in the action by attorneys Joseph J. Siprut, of Siprut P.C., of Chicago; Adam J. Levitt, of Dicello Levitt & Casey LLC, of Chicago; Edmund S. Aronowitz, of Aronowitz Law Firm PLLC, of Troy, Mich.; William A. Baird, of Marlin & Saltzman LLP, of Agoura Hills, Calif.; and Ben Barnow, of Barnow and Associates P.C., of Chicago.