PITTSBURGH – Plaintiffs in a data breach class action lawsuit against Barnes & Nobles fixed their standing problem but still couldn't adequately allege damages, a Pittsburgh attorney says.
"Upon analyzing the facts, this was not a particularly surprising ruling," Brian Willett, an associate with Reed Smith, said.
"However, it was significant in the data privacy space given that standing has been a common stumbling block in similar suits and while Plaintiffs here cleared that hurdle, their claim ultimately failed because Plaintiffs did not establish sufficient damages."
Plaintiffs in the case, R. Clutts et al v. Barnes & Noble, claimed the book seller had breached implied contract, violated the Illinois Consumer Fraud and Deceptive Business Practices Act, invaded their privacy, and violated the California Security Breach Notification Act and California’s Unfair Competition Act.
The plaintiffs' case fell apart when a judge with the U.S. District Court for Illinois' Northern District dismissed the amended complaint in a ruling handed down Oct. 3. The plaintiffs, the judge said, had suffered no injury.
"The court found that, despite Plaintiffs overcoming the standing hurdle which doomed their original complaint, Plaintiffs could not establish damages resulting from the tampered PIN pads," Willett said.
"In other words, while the court acknowledged Plaintiffs’ factual allegations, their claims that, for example, Plaintiffs suffered anxiety as a result of the PIN-pad issue was insufficient to establish a legally-cognizable harm."
The plaintiffs’ original complaint, filed in 2013, had been dismissed for lack of standing.
The district court came to its conclusion after careful analysis, Willett said.
"The court took the time to analyze the additional factual matter Plaintiffs presented in the amended complaint above and beyond the original complaint and concluded that damages were lacking here," he said.
The case emerged from a 2012 incident in which criminals tampered with Barnes & Nobles payment card PIN pad terminals in an attempt to steal customer payment card information. Retail stores in nine states were targeted.
Barnes & Noble pulled its pin pads, but four customers - Ray Clutts, Heather Dieffenbach, Jonathan Honor and Susan Winstead - filed their case the following year.
The case involved some of the legal concepts that surround the injury-in-fact and damages concepts under Article III of the U.S. Constitution. Those concepts must be alleged to support many causes of action, including breaches of contract.
In the Barnes & Noble case, plaintiffs seem to have alleged at least some injury and damage, Willett said.
"Plaintiffs did allege monetary harm such as costs associated with renewing identity protection monitoring services," he said. "But the court found that those claims, in addition to suffering anxiety based on the PIN pad tampering, were insufficient to support the suit."
It's not easy for courts to assess monetary damages for invasion of privacy claims, Willett said.
"As this decision demonstrates, putting a monetary amount on these kind of claims can be difficult, and the substance of such claims is very fact-intensive," he said. "State laws and available theories vary widely, and this is an evolving area of law, so it will be interesting to see how courts rule in differing factual scenarios."
In the 17-page ruling that dismissed the case without prejudice, the judge concluded that plaintiffs had cleared some injury and damages hurdles, but they failed to support claims of economic damages or public dissemination of personal data. That was necessary to sustain any of the five claims in their lawsuit, the court ruled.
"As much as plaintiffs' lawyers were excited about the Seventh Circuit's Neiman Marcus ruling, this decision indicates that that may have been a Pyrrhic victory," Sheppard Mullin Richter & Hampton LLP attorney Mark Eisen said. "Plaintiffs lawyers won the Article III battle, but this case seems to symbolize just how empty the Article III victory in data breach cases will end up becoming."