MINNEAPOLIS (Legal Newsline) - A Minnesota federal court recently dismissed a class action lawsuit alleging grocery store customers were harmed when hackers stole personal data, but the jury may still be out on how courts will handle similar data breach cases in the future.
That’s the bottom line for commercial litigation attorney Melody McAnally, who works for Butler Snow LLP in Memphis, Tenn. She followed the case of SuperValu Inc. customers who filed suit after the grocery store reported two breaches of personal data embedded in SuperValu payment cards.
SuperValu succeeded in having the class action case thrown out in January because the 16 plaintiffs failed to show evidence of identity theft or significant financial harm, and only one unauthorized charge occurred on a customer’s credit card.
“Overall, the Minnesota court decision is consistent with a majority of courts who have handled similar data breach cases,” McAnally told Legal Newsline.
She explained that most courts have lined up behind a 2013 U.S. Supreme Court decision, Clapper v. Amnesty International USA, which required that injuries to a party in a constitutional dispute must be “certainly impending” – that is, not hypothetical.
“Most courts are holding a position that if a plaintiff fails to allege monetary loss, the class action lawsuit can’t go forward,” she said.
Often, data breach class action lawsuits are filed within a week of the breach being made public, so not enough time has gone by to demonstrate actual financial harm, McAnally explained.
A case now before the U.S. Supreme Court, Spokeo vs. Robins, however, could potentially change the legal requirements for prevailing in such a data breach class action lawsuit.
The plaintiffs in the SuperValu case charged that they were harmed, in part, because the grocery chain’s notices to customers about the breaches were inadequate and didn’t comply with Minnesota’s state data breach laws.
This same issue about what constitutes “harm” to the plaintiff will be decided in the Spokeo case, McAnally explained, and a ruling against Spokeo could give the SuperValu plaintiffs a means to resuscitate their case.
Moreover, the Clapper case and the legal requirements it has placed on such data breach cases nationwide was a 5-4 decision, and the court now has only eight members since the death of Justice Antonin Scalia.
McAnally advises businesses to pursue a two-pronged path to minimize problems associated with data breaches.
“Prepare in advance for a data breach,” she said. “Assume that every business will suffer a data breach because it’s so rampant.”
She advises businesses to have a basic notification ready to go to customers and to have companies already lined up that can send notices to thousands of customers in a 24-hour period. And second, “notify customers immediately,” McAnally urged. “Don’t let them hear about it in the media first.”
If such actions don’t occur, she said, the business could suffer a loss of customer trust. In addition, she added, businesses should set up an 800 line immediately so that customers can call and get information about the breach of financial data.
“Most businesses offer customers free credit monitoring and credit counseling services” after a data breach, McAnally added. “And it works in most cases.”
Finding the actual hackers is problematic because they often operate from locations that do not have extradition treaties with the United States, she said.