MINNEAPOLIS (Legal Newsline) - A federal judge has dismissed a consolidated class action filed against grocery chain SuperValu following two 2014 data breaches, finding that the claims against the company were too speculative.
Judge Ann Montgomery for the U.S. District Court for the District of Minnesota, in her Jan. 7 ruling, agreed with other federal court rulings in similar data breach class actions.
“In data security breach cases where plaintiffs’ data has not been misused following the breach, the vast majority of courts have held that the risk of future identity theft or fraud is too speculative to constitute an injury in fact for purposes of Article III standing,” Montgomery wrote last month.
“In addition to the speculation of whether future harm from a data security breach will materialize, it cannot be known when such harm will occur. As more time lapses without the threatened injury actually occurring, the notion that the harm is imminent becomes less likely.”
SuperValu, which owns and operates retail grocery stores across the U.S., controls the payment processing at its stores and also provides payment processing services for AB Acquisition and Albertsons stores.
In August 2014, the company announced that from June 22, 2014 to July 17, 2014 hackers had gained unauthorized access to and installed malicious software on the portion of SuperValu’s computer network that processes payment card transactions for its retail stores.
The intrusion resulted in potential theft of information embedded in the magnetic strip of payment cards for sales transacted at 209 SuperValu stores and 836 AB Acquisition stores. The Personal Identifying Information, or PII, embedded in the magnetic strip included cardholder names, account numbers, expiration dates and PINS.
The company offered 12 months of complimentary consumer identity protection services to customers whose cards were possibly affected by the data breach.
A month later, SuperValu announced that a second data breach occurred in late August and early September.
In this instance, hackers installed different malware onto the portion of SuperValu’s computer network that processes payment card transactions for some retail stores owned or operated by AB Acquisition and Albertsons.
“SuperValu has installed enhanced protective technology in its retail food stores that it believes significantly limited the ability of this malware to capture data from payment cards used at stores where the malware was installed, except for some checkout lanes at four Cub Foods locations,” the company said in a statement at the time.
The plaintiffs -- consumers who shopped at SuperValu or SuperValu-owned stores and who were affected by the breach -- alleged the two incidents are related and stem from the company’s same fundamental security failures.
A total of four putative class actions brought by 12 plaintiffs were filed against SuperValu in federal courts in Illinois, Minnesota and Idaho.
In December 2014, the U.S. Judicial Panel on Multidistrict Litigation centralized the four complaints to the District of Minnesota for coordinated pre-trial proceedings.
In June 2015, the plaintiffs filed an amended complaint, alleging six causes of action on behalf of 16 named plaintiffs. The 16 named plaintiffs include the 12 original plaintiffs plus four new ones.
SuperValu moved to dismiss the amended complaint for lack of subject matter jurisdiction and failure to state a claim.
“Here, the Data Breach of Defendants’ computer network affected more than 1,000 retail grocery stores and occurred nearly one and a half years ago,” Montgomery wrote in the 17-page opinion. “Despite the large number of Affected Stores and the significant amount of time that has elapsed, the only facts asserted that any of Plaintiffs’ PII has been misused is the single incident alleged by Plaintiff [David] Holmes.”
Holmes, the judge explained, noticed a single unauthorized charge -- of an unspecified amount on an unspecified date -- on his credit card statement after learning of the breach.
“Given the unfortunate frequency of credit card fraud, it is common sense to expect that in any group similar in size to the 16 Plaintiffs and multitudes of potential class members who used their payment cards at one of the 1,000-plus Affected Stores would likely experience at least one instance of a fraudulent charge,” Montgomery noted. “Thus, the isolated single instance of an unauthorized charge is not indicative of data misuse that is fairly traceable to the Data Breach.”
Due to the absence of any other allegations that the plaintiffs’ PII has been misused, Montgomery said the court is “left to speculate” about whether the hackers were able to capture or steal the plaintiffs’ information, whether they will attempt to use the information and whether those attempts will be successful.
“This speculation prevents the Court from finding an increased risk of fraud and identity theft is ‘certainly impending’ or that there is a ‘substantial risk’ the harm will occur,” the judge wrote. “Moreover, the passage of nearly a year and a half without the occurrence of harm traceable to the Data Breach makes it unlikely that such threatened harm is imminent.”
As to the plaintiffs’ allegations that the value of their PII was lost or diminished as a result of the breach, Montgomery said they have not alleged an injury-in-fact -- a requirement that helps to ensure the plaintiff has a “personal stake” in the outcome.
“Assuming without deciding that Plaintiffs’ PII had monetary value, Plaintiffs have failed to allege any facts explaining how their PII became less valuable as a result of the Data Breach,” she wrote. “Plaintiffs have not alleged that they tried to sell their PII but were not able to do so or were forced to accept a lower price.”
The plaintiffs also argued they were harmed by the “untimely and inadequate” notification of the breach, alleging the delayed notification forced them to spend more time and money to contact banks and locate and evaluate credit card statements.
However, these assertions were not alleged in the amended complaint, Montgomery pointed out. Even if they were, the allegations would not have established standing because the cost to mitigate the risk of future harm does not constitute an injury-in-fact unless the risk is imminent, she said.
The judge dismissed the amended complaint without prejudice, which means it’s possible the class could be allowed to file another amended complaint.
In December, a New York federal judge came to a similar conclusion in a data breach class action filed against arts and crafts retailer Michaels.
SuperValu, headquartered in Eden Prairie, Minnesota, is the fifth-largest food retailing company in the U.S., after Kroger and Albertsons.
From Legal Newsline: Reach Jessica Karmasek by email at jessica@legalnewsline.com.