870 F.3d 763 (8th Cir. 2017), 16-2378, In re SuperValu, Inc.

Docket Nº:16-2378, 16-2528
Citation:870 F.3d 763
Opinion Judge:KELLY, Circuit Judge.
Party Name:In re: SuperValu, Inc., Customer Data Security Breach Litigation. v. SuperValu, Inc.; AB Acquisition, LLC; New Albertsons, Inc., Defendants - Appellees. Melissa Alleruzzo; Heidi Bell; Rifet Bosnjak; John Gross; Kenneth Hanff; David Holmes; Steve McPeak; Gary Mertz; Katherin Murray; Christopher Nelson; Carol Puckett; Alyssa Rocke; Timothy Roldan...
Attorney:For Melissa Alleruzzo, Heidi Bell, Rifet Bosnjak, John Gross, Kenneth Hanff, David Holmes, Steve McPeak, Gary Mertz, Katherin Murray, Christopher Nelson, Carol Puckett, Alyssa Rocke, Timothy Roldan, Ivanka Soldan, Melissa Thompkins, Darla Young, Plaintiffs - Appellants (16-2378): Ben Barnow, BARN...
Judge Panel:Before SMITH, Chief Judge, COLLOTON and KELLY, Circuit Judges.
Case Date:August 30, 2017
Court:United States Courts of Appeals, Court of Appeals for the Eighth Circuit
 
FREE EXCERPT

Page 763

870 F.3d 763 (8th Cir. 2017)

In re: SuperValu, Inc., Customer Data Security Breach Litigation.

Melissa Alleruzzo; Heidi Bell; Rifet Bosnjak; John Gross; Kenneth Hanff; David Holmes; Steve McPeak; Gary Mertz; Katherin Murray; Christopher Nelson; Carol Puckett; Alyssa Rocke; Timothy Roldan; Ivanka Soldan; Melissa Thompkins; Darla Young, Plaintiffs - Appellants

v.

SuperValu, Inc.; AB Acquisition, LLC; New Albertsons, Inc., Defendants - Appellees.

Electronic Privacy Information Center, Amicus on Behalf of Appellant(s); In re: SuperValu, Inc., Customer Data Security Breach Litigation.

Melissa Alleruzzo; Heidi Bell; Rifet Bosnjak; John Gross; Kenneth Hanff; David Holmes; Steve McPeak; Gary Mertz; Katherin Murray; Christopher Nelson; Carol Puckett; Alyssa Rocke; Timothy Roldan; Ivanka Soldan; Melissa Thompkins; Darla Young, Plaintiffs - Appellees

v.

SuperValu, Inc.; AB Acquisition, LLC; New Albertsons, Inc., Defendants - Appellants

Nos. 16-2378, 16-2528

United States Court of Appeals, Eighth Circuit

August 30, 2017

Submitted May 10, 2017.

Page 764

Appeals from United States District Court for the District of Minnesota - Minneapolis.

In re SuperValu, Inc., (D. Minn., Jan. 7, 2016)

For Melissa Alleruzzo, Heidi Bell, Rifet Bosnjak, John Gross, Kenneth Hanff, David Holmes, Steve McPeak, Gary Mertz, Katherin Murray, Christopher Nelson, Carol Puckett, Alyssa Rocke, Timothy Roldan, Ivanka Soldan, Melissa Thompkins, Darla Young, Plaintiffs - Appellants (16-2378): Ben Barnow, BARNOW & ASSOCIATES, Chicago, IL; Richard L. Coffman, COFFMAN LAW FIRM, Beaumont, TX; John J. Driscoll, Christopher Joseph Quinn, THE DRISCOLL FIRM, Saint Louis, MO; Edwin J. Kilpela, Jr., CARLSON & LYNCH, Pittsburgh, PA; David Langevin, Rhett Anthony McSweeney, MCSWEENEY & FAY, Minneapolis, MN; Karen Riebel, LOCKRIDGE & GRINDAL, Minneapolis, MN; Aron Robinson, LAW OFFICES OF ARON D. ROBINSON, Chicago, IL; John S. Steward, STEWARD LAW FIRM, Saint Louis, MO.

For SuperValu, Inc., Defendant - Appellee (16-2378): Katherine Susan Barrett Wiik, Stephen Paul Safranski, ROBINS & KAPLAN, Minneapolis, MN; David Thomas Cohen, ROPES & GRAY, New York, NY; Kathryn Elizabeth Wilhelm, ROPES & GRAY, Boston, MA; Harvey J. Wolkoff, ROPES & GRAY, Boston, MA.

For AB Acquisition, LLC, New Albertsons, Inc., Defendants - Appellees (16-2378): Marc Andre Al, STOEL & RIVES, Minneapolis, MN; Christopher L. Ingram, John L. Landolfi, VORYS & SATER, Columbus, OH.

For Electronic Privacy Information Center (16-2378, 16-2528), Amicus on Behalf of Appellant(s): Alan Jay Butler, Senior Counsel, Marc Rotenberg, Aimee Thomson, ELECTRONIC PRIVACY INFORMATION CENTER, Washington, DC.

For Melissa Alleruzzo, Heidi Bell, Rifet Bosnjak, John Gross, Kenneth Hanff, David Holmes, Steve McPeak, Gary Mertz, Katherin Murray, Christopher Nelson, Carol Puckett, Alyssa Rocke, Timothy Roldan, Ivanka Soldan, Melissa Thompkins, Darla Young, Plaintiffs - Appellees (16-2528): Ben Barnow, BARNOW & ASSOCIATES, Chicago, IL; Richard L. Coffman, COFFMAN LAW FIRM, Beaumont, TX; John J. Driscoll, Christopher Joseph Quinn, THE DRISCOLL FIRM, Saint Louis, MO; Edwin J. Kilpela, Jr., CARLSON & LYNCH, Pittsburgh, PA; David Langevin, Rhett Anthony McSweeney, MCSWEENEY & FAY, Minneapolis, MN; Karen Riebel, LOCKRIDGE & GRINDAL, Minneapolis, MN; Aron Robinson, LAW OFFICES OF ARON D. ROBINSON, Chicago, IL; John S. Steward, STEWARD LAW FIRM, Saint Louis, MO.

For SuperValu, Inc., Defendant - Appellant (16-2528): Katherine Susan Barrett Wiik, Stephen Paul Safranski, ROBINS & KAPLAN, Minneapolis, MN; David Thomas Cohen, ROPES & GRAY, New York, NY; Kathryn Elizabeth Wilhelm, ROPES & GRAY, Boston, MA; Harvey J. Wolkoff, ROPES & GRAY, Boston, MA.

For AB Acquisition, LLC, New Albertsons, Inc., Defendants - Appellants (16-2528): Marc Andre Al, STOEL & RIVES, Minneapolis, MN; Christopher L. Ingram, John L. Landolfi, VORYS & SATER, Columbus, OH.

Before SMITH, Chief Judge, COLLOTON and KELLY, Circuit Judges.

OPINION

Page 765

KELLY, Circuit Judge.

In 2014, retail grocery stores owned and operated by defendants SuperValu, Inc., AB Acquisition, LLC, and New Albertsons, Inc. suffered two cyber attacks in which their customers' financial information was allegedly accessed and stolen. Following the data breaches, customers who shopped at the affected stores brought several putative class actions, which were subsequently centralized in the United States District Court for the District of Minnesota by the Judicial Panel on Multidistrict Litigation. The district court dismissed the plaintiffs' consolidated complaint under Federal Rule of Civil Procedure 12(b)(1), concluding that plaintiffs failed to allege facts establishing Article III standing. Plaintiffs appealed, and we affirm in part, reverse in part, and remand for further proceedings.

Page 766

I. Background

The following facts, which we accept as true, are drawn from the consolidated amended complaint and the appended exhibits. See Carlsen v. GameStop, Inc., 833 F.3d 903, 908 (8th Cir. 2016). Plaintiffs are sixteen customers who purchased goods from defendants' grocery stores in Missouri, Illinois, Maryland, Pennsylvania, Delaware, Idaho, and New Jersey using credit or debit cards during the period between June and September 2014. From June 22, 2014, to July 17, 2014, cyber criminals accessed the computer network that processes payment card transactions for 1,045 of defendants' stores. The hackers installed malicious software on defendants' network that allowed them to gain access to the payment card information of defendants' customers (hereinafter, Card Information), including their names, credit or debit card account numbers, expiration dates, card verification value (CVV) codes, and personal identification numbers (PINs). By harvesting the data on the network, the hackers stole customers' Card Information.

On August 14, 2014, defendants issued a press release notifying customers of the computer intrusion at their stores. The press release acknowledged that the attack " may have resulted in the theft" of Card Information, but it had not yet been determined that " any such cardholder data was in fact stolen," and, at that point, there was " no evidence of any misuse of any such data." Defendants also announced that they were conducting an on-going investigation into the incident, which might uncover additional " time frames, locations and/or at-risk data" exposed in the intrusion.

On September 29, 2014, defendants announced a second data breach that took place in late August or early September 2014. The press release stated that an intruder installed different malicious software onto the same network. Defendants acknowledged that the software may have captured Card Information from debit and credit cards used to purchase goods at their stores but, at the time of the press release, there had been no determination that such information " was in fact stolen." Once again, defendants affirmed that their investigation was ongoing, and that further information on the scope of the intrusion could be identified in the future. Although defendants' release states that the second intrusion was separate from the one announced on August 14, 2014, plaintiffs dispute this contention in their complaint, alleging that the two breaches were related and stemmed from the same security failures.

According to the complaint, hackers gained access to defendants' network because defendants failed to take adequate measures to protect customers' Card Information. Defendants used default or easily guessed passwords, failed to lock out users after several failed login attempts, and did not segregate access to different parts of the network or use firewalls to protect Card Information. By not implementing these measures, defendants ran afoul of best practices and industry standards for merchants who accept customer payments via credit or debit card. Moreover, defendants were on notice of the risk of consumer data theft because similar security flaws had been exploited in recent data breaches targeting other national retailers.

As a result of the breaches, plaintiffs' Card Information was allegedly stolen, subjecting plaintiffs " to an imminent and real possibility of identity theft." Specifically, plaintiffs contend that the hackers can use their Card Information to siphon money from their current accounts, make unauthorized credit or debit card charges,

Page 767

open new accounts, or sell the information to others who intend to commit fraud. Identity thieves can use the stolen Card Information to commit fraud for an " extended period of time after" the breach, and the information is often traded on the cyber black market " for a number of years after the initial theft." In support of these allegations, plaintiffs cite a June 2007 United States Government Accountability Office (GAO) report on data breaches. See U.S. Gov't...

To continue reading

FREE SIGN UP