Customer Data Sec. Breach Litig. Melissa Alleruzzo v. Supervalu, Inc. (In re Supervalu, Inc.)

• Decision Date: 30 August 2017
• Docket Number: Nos. 16-2378, 16-2528.,s. 16-2378, 16-2528.
• Citation: 870 F.3d 763
• Parties: IN RE: SUPERVALU, INC., Customer Data Security Breach Litigation Melissa Alleruzzo; Heidi Bell; Rifet Bosnjak; John Gross; Kenneth Hanff; David Holmes; Steve McPeak; Gary Mertz; Katherin Murray; Christopher Nelson; Carol Puckett; Alyssa Rocke; Timothy Roldan; Ivanka Soldan ; Melissa Thompkins; Darla Young, Plaintiffs-Appellants, v. SuperValu, Inc.; AB Acquisition, LLC; New Albertsons, Inc., Defendants-Appellees. Electronic Privacy Information Center Amicus on Behalf of Appellant(s) In re: SuperValu, Inc., Customer Data Security Breach Litigation Melissa Alleruzzo; Heidi Bell; Rifet Bosnjak; John Gross; Kenneth Hanff; David Holmes; Steve McPeak; Gary Mertz; Katherin Murray; Christopher Nelson; Carol Puckett; Alyssa Rocke; Timothy Roldan; Ivanka Soldan ; Melissa Thompkins; Darla Young, Plaintiffs-Appellees, v. SuperValu, Inc.; AB Acquisition, LLC; New Albertsons, Inc., Defendants-Appellants.
• Court: U.S. Court of Appeals — Eighth Circuit

870 F.3d 763

IN RE: SUPERVALU, INC., Customer Data Security Breach Litigation

Melissa Alleruzzo; Heidi Bell; Rifet Bosnjak; John Gross; Kenneth Hanff; David Holmes; Steve McPeak; Gary Mertz; Katherin Murray; Christopher Nelson; Carol Puckett; Alyssa Rocke; Timothy Roldan; Ivanka Soldan ; Melissa Thompkins; Darla Young, Plaintiffs-Appellants,

v.SuperValu, Inc.; AB Acquisition, LLC; New Albertsons, Inc., Defendants-Appellees.

Electronic Privacy Information Center Amicus on Behalf of Appellant(s)

In re: SuperValu, Inc., Customer Data Security Breach Litigation

Melissa Alleruzzo; Heidi Bell; Rifet Bosnjak; John Gross; Kenneth Hanff; David Holmes; Steve McPeak; Gary Mertz; Katherin Murray; Christopher Nelson; Carol Puckett; Alyssa Rocke; Timothy Roldan; Ivanka Soldan ; Melissa Thompkins; Darla Young, Plaintiffs-Appellees,

v.SuperValu, Inc.; AB Acquisition, LLC; New Albertsons, Inc., Defendants-Appellants.

Nos. 16-2378, 16-2528.

United States Court of Appeals, Eighth Circuit.

Submitted: May 10, 2017

Filed: August 30, 2017

Ben Barnow, Barnow & Associates, Aron Robinson, Law Offices of Aron D. Robinson, Chicago, IL, Richard L. Coffman, Coffman Law Firm, Beaumont, TX, John J. Driscoll, Christopher Joseph Quinn, The Driscoll Firm, John S. Steward, Steward Law Firm, Saint Louis, MO, Edwin J. Kilpela, Jr., Carlson & Lynch, Pittsburgh, PA, David Langevin, Mcsweeney & Fay, Karen Riebel, Lockridge & Grindal, Minneapolis, MN for Plaintiffs-Appellees.

Katherine Susan Barrett Wiik, Stephen Paul Safranski, ROBINS & KAPLAN, Minneapolis, MN, David Thomas Cohen, Ropes & Gray, New York, NY, Kathryn Elizabeth Wilhelm, Harvey J. Wolkoff, Ropes & Gray, Boston, MA for Defendant-Appellant SuperValu, Inc.

Marc Andre Al, Stoel & Rives, Minneapolis, MN, Christopher L. Ingram, John L. Landolfi, Vorys & Sater, Columbus, OH for Defendants-Appellants AB Acquisition, LLC, New Albertsons, Inc.

Alan Jay Butler, Senior Counsel, Marc Rotenberg, Aimee Thomson, Electronic Privacy Information Center, Washington, DC for Amicus on Behalf of Appellant(s).

Before SMITH, Chief Judge, COLLOTON and KELLY, Circuit Judges.

KELLY, Circuit Judge.

In 2014, retail grocery stores owned and operated by defendants SuperValu, Inc., AB Acquisition, LLC, and New Albertsons, Inc. suffered two cyber attacks in which their customers' financial information was allegedly accessed and stolen. Following the data breaches, customers who shopped at the affected stores brought several putative class actions, which were subsequently centralized in the United States District Court for the District of Minnesota by the Judicial Panel on Multidistrict Litigation. The district court dismissed the plaintiffs' consolidated complaint under Federal Rule of Civil Procedure 12(b)(1), concluding that plaintiffs failed to allege facts establishing Article III standing. Plaintiffs appealed, and we affirm in part, reverse in part, and remand for further proceedings.

I. Background

The following facts, which we accept as true, are drawn from the consolidated amended complaint and the appended exhibits. See Carlsen v. GameStop, Inc., 833 F.3d 903, 908 (8th Cir. 2016). Plaintiffs are sixteen customers who purchased goods from defendants' grocery stores in Missouri, Illinois, Maryland, Pennsylvania, Delaware, Idaho, and New Jersey using credit or debit cards during the period between June and September 2014. From June 22, 2014, to July 17, 2014, cyber criminals accessed the computer network that processes payment card transactions for 1,045 of defendants' stores. The hackers installed malicious software on defendants' network that allowed them to gain access to the payment card information of defendants' customers (hereinafter, Card Information), including their names, credit or debit card account numbers, expiration dates, card verification value (CVV) codes, and personal identification numbers (PINs). By harvesting the data on the network, the hackers stole customers' Card Information.

On August 14, 2014, defendants issued a press release notifying customers of the computer intrusion at their stores. The press release acknowledged that the attack "may have resulted in the theft" of Card Information, but it had not yet been determined that "any such cardholder data was in fact stolen," and, at that point, there was "no evidence of any misuse of any such data." Defendants also announced that they were conducting an on-going investigation into the incident, which might uncover additional "time frames, locations and/or at-risk data" exposed in the intrusion.

On September 29, 2014, defendants announced a second data breach that took place in late August or early September 2014. The press release stated that an intruder installed different malicious software onto the same network. Defendants acknowledged that the software may have captured Card Information from debit and credit cards used to purchase goods at their stores but, at the time of the press release, there had been no determination that such information "was in fact stolen." Once again, defendants affirmed that their investigation was ongoing, and that further information on the scope of the intrusion could be identified in the future. Although defendants' release states that the second intrusion was separate from the one announced on August 14, 2014, plaintiffs dispute this contention in their complaint, alleging that the two breaches were related and stemmed from the same security failures.

According to the complaint, hackers gained access to defendants' network because defendants failed to take adequate measures to protect customers' Card Information. Defendants used default or easily guessed passwords, failed to lock out users after several failed login attempts, and did not segregate access to different parts of the network or use firewalls to protect Card Information. By not implementing these measures, defendants ran afoul of best practices and industry standards for merchants who accept customer payments via credit or debit card. Moreover, defendants were on notice of the risk of consumer data theft because similar security flaws had been exploited in recent data breaches targeting other national retailers.

As a result of the breaches, plaintiffs' Card Information was allegedly stolen, subjecting plaintiffs "to an imminent and real possibility of identity theft." Specifically, plaintiffs contend that the hackers can use their Card Information to siphon money from their current accounts, make unauthorized credit or debit card charges, open new accounts, or sell the information to others who intend to commit fraud. Identity thieves can use the stolen Card Information to commit fraud for an "extended period of time after" the breach, and the information is often traded on the cyber black market "for a number of years after the initial theft." In support of these allegations, plaintiffs cite a June 2007 United States Government Accountability Office (GAO) report on data breaches. See U.S. Gov't Accountability Off., GAO-07-737, Personal Information: Data Breaches are Frequent, but Evidence of Resulting Identity Theft is Limited; However, the Full Extent is Unknown (2007), http://www.gao.gov/assets/270/262899.pdf.

Customers allegedly affected by the breaches filed putative class actions in several district courts. The Judicial Panel on Multidistrict Litigation transferred the related actions to the United States District Court for the District of Minnesota for coordinated or consolidated pretrial proceedings. Pursuant to the district court's order, plaintiffs filed a consolidated amended complaint on June 26, 2015, with sixteen named plaintiffs bringing claims on behalf of a putative class of persons affected by defendants' data breaches.

Each of the sixteen plaintiffs shopped at defendants' affected stores using a credit or debit card, and their Card Information was allegedly compromised in the data breaches. After the data breaches were announced, each plaintiff "spent time determining if [his or her] card was compromised" by reviewing information released about the breaches and the impacted locations and monitoring account information to guard against potential fraud. Crucial to the outcome in this appeal, one plaintiff, David Holmes, used his credit card at a store in Belleville, Illinois¹ that was affected by the data breaches, and alleges his Card Information was compromised as a result of defendants' security failures. Shortly after the data breach was announced, "Holmes noticed a fraudulent charge on his credit card statement and immediately cancelled his credit card, which took two weeks to replace."

The complaint states six claims for relief for: (1) violations of state consumer protection statutes, (2) violations of state data breach notification statutes, (3) negligence, (4) breach of implied contract, (5) negligence per se, and (6) unjust enrichment. Defendants moved to dismiss the complaint under Federal Rules of Civil Procedure 12(b)(1) and 12(b)(6). The district court granted the Rule 12(b)(1) motion and dismissed the complaint without prejudice, finding that none of the plaintiffs had alleged an injury-in-fact and thus they did not have standing. The court did not address defendants' arguments for dismissal under Rule 12(b)(6).² Plaintiffs appeal the district court's dismissal, and defendants cross-appeal, arguing that the complaint was alternatively subject to dismissal with prejudice under Rule 12(b)(6).

II. Discussion

Article III of the Constitution limits the jurisdiction of the federal courts to cases or controversies.

Spokeo, Inc. v. Robins, ––– U.S. ––––, 136 S.Ct. 1540, 1547, 194 L.Ed.2d 635 (2016). A plaintiff invoking the jurisdiction of the court must demonstrate standing to sue by showing that she has suffered an injury in fact that is fairly traceable to the defendant's conduct and that is likely to be redressed by the relief she seeks. Id. This case primarily concerns the injury in fact and fairly traceable elements. To establish...