Jessica Karmasek Jan. 25, 2016, 12:23pm


BROOKLYN, N.Y. (Legal Newsline) - A New York federal judge earlier this month officially closed a case filed against arts and crafts retailer Michaels over a 2014 data breach.

Judge Joanna Seybert, for the U.S. District Court for the Eastern District of New York, filed an order Dec. 28 granting Michaels’ motion to dismiss the class action lawsuit. She deemed the case closed Jan. 8.

The judge said in her 16-page order last month that plaintiff Mary Jane Whalen’s allegations were “insufficient to confer standing.”

Michaels notified its customers of “possible fraudulent activity” in January 2014. According to a company press release, hackers used a “highly sophisticated malware” to retrieve credit and debit card information from the store’s system and that of its subsidiary, Aaron Brothers.

Michaels estimated that about 2.6 million cards may have been affected between May 8, 2013 and Jan. 27, 2014. As a result, the company offered free credit monitoring services for a year.

Whalen allegedly made purchases with her credit card at a Michaels store in Manhasset, New York, on Dec. 31, 2013.

In her complaint, filed in December 2014, Whalen alleged she suffered actual damages, including monetary losses, loss of time and money, and lost value of her credit card information. She also alleged she faces an increased risk of future harm because of the breach.

The court noted, however, that Whalen did not allege she suffered any unreimbursed charges.

“To the contrary, she asserts only that her credit card was ‘physically presented for payment in Ecuador,’” Seybert wrote. “There are no allegations that Whalen was required to pay the charges made in Ecuador.”

The judge concluded that Whalen’s allegations of lost time and money associated with credit monitoring and other mitigation expenses do not constitute standing.

Seybert pointed to the U.S. Supreme Court, which has dismissed similar arguments, explaining that plaintiffs “cannot manufacture” standing through credit monitoring.

“‘If the law were otherwise, an enterprising plaintiff would be able to secure a lower standard for Article III standing simply by making an expenditure based on a non-paranoid fear,’” the judge wrote, quoting the nation’s high court. “That conclusion rings especially true here where Whalen cancelled her affected credit card.”

As to her arguments of future harm, Seybert said the allegations were “too remote” to establish an injury-in-fact -- a requirement that helps to ensure the plaintiff has a “personal stake” in the outcome.

Allegations of future harm can establish standing only if the threatened injury is “certainly impending,” or there is a “substantial risk” that the harm will occur, the judge noted.

“Although Whalen argues that she faces an increased risk of identity theft, she admits that ‘fraudulent use of cards might not be apparent for years,’” Seybert wrote. “In fact, it has been nearly two years since the Security Breach, and Whalen has experienced no fraudulent charges after cancelling her credit card.”

The judge explained that a ruling last year by the U.S. Court of Appeals for the Seventh Circuit -- which Whalen cited in support of her argument -- does not apply.

The Seventh Circuit, in its July ruling, found that the risk of harm to the 300,000-plus people whose credit card numbers were exposed as a result of a 2014 data breach suffered by Neiman Marcus was “very real and immediate.”

“There, hackers stole the credit card information of roughly 350,000 Neiman Marcus customers,” Seybert wrote. “But one critical distinction in that case is that 9,200 of those customers experienced fraudulent charges following the breach.

“By contrast, Whalen’s complaint only indicates that she was affected, and even she did not suffer any out-of-pocket losses.”

The federal court’s ruling is the same for which similar data breach class actions have been dismissed against P.F. Chang’s, Zappos and others.

It also is at least the second data breach class action dismissed against Michaels.

In July 2014, the U.S. District Court for the Northern District of Illinois dismissed a very similar lawsuit, ruling that the plaintiffs in Moyer v. Michaels Stores Inc. failed to plead the required element of actual monetary damages.

Linn Freedman, chairwoman of the Data, Privacy and Security Team at Providence law firm Robinson & Cole LLP, argues that plaintiffs attorneys are looking for ways to get around such rulings.

“We are seeing plaintiffs attorneys starting to use state law causes of action more and more in an attempt to find other causes of action that may be recoverable when most data breach cases are getting dismissed for lack of standing due to the inability to show injury or harm,” Freedman recently told Legal Newsline.

She expects data breach litigation to increase in 2016 as a result.

From Legal Newsline: Reach Jessica Karmasek by email at jessica@legalnewsline.com.

Organizations in this Story

Robinson+Cole
One Financial Plaza, Providence, RI, United States
Providence, RI 02903

Get notified the next time we write about Robinson+Cole!

More News