What sort of damages must be pleaded to survive a motion to dismiss in a data breach class action?
Recently, the Court of Appeals for the Seventh Circuit in Dieffenbach v. Barnes & Noble answered that question. In short, the court held that at the pleadings stage, damages may be just a “trifle.”
The case arose when Barnes & Noble experienced a data breach that resulted from the compromise of its point of sale system in 63 of its company stores. The data thieves acquired customers’ names, credit card numbers, expiration dates, and PIN numbers. Two Barnes & Noble customers brought a data breach class action, alleging they suffered damages arising from the data breach, specifically: (1) paying for credit-monitoring services; (2) the lost time value of their money; and (3) their own time and inconvenience in resolving problems with their financial accounts resulting from the data breach.
The trial court first dismissed the Dieffenbach data breach class action by finding the plaintiffs lacked standing. After that dismissal, the Seventh Circuit ruled in a separate data breach case that consumers who experience data theft do in fact have standing—yet the trial court dismissed this case a second time, ruling that the Dieffenbach plaintiffs had failed to adequately plead damages. The Seventh Circuit again reversed, remarking that “[t]his seems to us a new label for an old error.”
The court explained that the federal rules only require that a plaintiff identify the remedy sought, and do not require details about the nature of an injury. Here, however, the trial court had effectively held the plaintiffs to a higher standard of specificity in alleging damages that might be required in state court, but is not required under the federal rules.
Whether the damages alleged were in fact “compensable” still required analyzing state law. In this case, one plaintiff alleged damages under the California Customer Records Act and the California Unfair Competition Law. The Seventh Circuit determined that the plaintiff’s allegations that she was unable to use her compromised bank account for three days, and that she had to spend time sorting things out with the police and her bank, all fell within the statutory term of “lost money or property.” Because California courts read that requirement to mean any economic injury, even an “identifiable trifle of economic injury,” was sufficient to allege damages.
A second plaintiff brought claims under the Illinois Consumer Fraud and Deceptive Business Practices Act, which allows recovery for anyone “who suffers actual damage as a result of a violation.” The court held that because paying $17 per month for credit monitoring services was real and measurable, it was clearly “actual damage” and no more needed to be alleged.
Practical Take Away: Still More to Prove
Though the court’s ruling may suggest that plaintiffs will have an easier time advancing beyond a motion to dismiss in a data breach class action, the court made a point of explaining certain hurdles for these plaintiffs in pursuing a data breach class action. The court noted that, “Barnes & Noble was itself a victim. . . . None of the state laws expressly makes merchants liable for failure to crime-proof their point-of-sale systems. Plaintiffs may have a difficult task showing an entitlement to collect damages from a fellow victim of the data thieves.”
And it concluded, “All we hold today is that the complaint cannot be dismissed on the ground that the plaintiffs do not adequately allege compensable damages.”