UNITED STATES DISTRICT COURT for the DISTRICT of MINNESOTA in RE: Supervalu, Inc., Customer Data Security Breach Litigation MEMO

UNITED STATES DISTRICT COURT for the DISTRICT of MINNESOTA in RE: Supervalu, Inc., Customer Data Security Breach Litigation MEMO

ECUG!1<25.ex.15771.CFO.VPN!!!Fqewogpv!46!!!Hkngf!12018027!!!Rcig!2!qh!28 UNITED STATES DISTRICT COURT FOR THE DISTRICT OF MINNESOTA IN RE: SuperValu, Inc., Customer Data Security Breach Litigation MEMORANDUM OPINION AND ORDER Court File No. 14-MD-2586 ADM/TNL This Document Relates to: All Actions _____________________________________________________________________________ Ben Barnow, Esq., Barnow and Associates, P.C., Chicago, IL; Edwin J. Kilpela, Jr., Esq., Carlson Lynch Sweet & Kilpela, LLP, Pittsburgh, PA; Rhett A. McSweeney, Esq., McSweeney/Langevin, LLC, Minneapolis, MN; Karen Hanson Riebel, Esq., and Richard A. Lockridge, Esq., Lockridge Grindal Nauen P.L.L.P., Minneapolis, MN, on behalf of Plaintiffs. Harvey J. Wolkoff, Esq., and Kathryn E. Wilhelm, Esq., Ropes & Gray LLP, Boston, MA; Katherine S. Barrett Wiik, Esq., and Stephen P. Safranski, Esq., Robins Kaplan LLP, Minneapolis, MN, on behalf of Defendant SuperValu, Inc. John L. Landolfi, Esq., Vorys, Sater, Seymour and Pease LLP, Columbus, OH; and Marc A. Al, Esq., Stoel Rives LLP, Minneapolis, MN, on behalf of Defendants AB Acquisition, LLC and New Albertson’s Inc. ____________________________________________________________________________ I. INTRODUCTION On November 3, 2015, the undersigned United States District Judge heard oral argument on Defendants SuperValu, Inc. (“SuperValu”), AB Acquisition, LLC (“AB Acquisition”), and New Albertson’s Inc.’s (“Albertson’s”) (collectively, “Defendants”) Motion to Dismiss Plaintiffs’ Consolidated Amended Class Action Complaint [Docket No. 33]. For the reasons set forth below, the Motion is granted. II. BACKGROUND In this multidistrict litigation case, sixteen named plaintiffs (“Plaintiffs”) allege they were harmed by hackers gaining access to and installing malicious software on the payment- processing network for payment card transactions at Defendants’ retail grocery stores. ECUG!1<25.ex.15771.CFO.VPN!!!Fqewogpv!46!!!Hkngf!12018027!!!Rcig!3!qh!28 Consolidated Am. Class Action Compl. (“Amended Complaint”) [Docket No. 28] ¶¶ 16–45. Plaintiffs allege the malicious software released and disclosed the Personal Identifying Information (“PII”) of Plaintiffs and Class Members who used their payment cards for purchases at the affected stores. Id. ¶ 36. The Amended Complaint states claims for negligence, negligence per se, breach of implied contract, unjust enrichment, and violations of various state consumer protection and data breach notification laws. Id. ¶¶ 13, 96–159. Plaintiffs assert their claims as class actions. Id. ¶¶ 83–95. A. Defendants Defendants own and operate retail grocery stores in the United States. Id. ¶¶ 2-3, 33-35. SuperValu controls the payment processing at its stores and also provides payment processing services for AB Acquisition and Albertson’s stores. Id. ¶ 3. B. Data Breach On August 14, 2014, Defendants announced in press releases that from June 22, 2014 to July 17, 2014, hackers had gained unauthorized access to and installed malicious software on the portion of SuperValu’s computer network that processes payment card transactions for Defendants’ retail stores. Id. ¶¶ 4–5, 36. The intrusion resulted in potential theft of information embedded in the magnetic strip of payment cards for sales transacted at 209 SuperValu stores and 836 AB Acquisition stores. Id. ¶ 36. The PII embedded in the magnetic strip included cardholder names, account numbers, expiration dates, and PINS. Id. ¶¶ 1, 42. The press releases stated Defendants’ offer of 12 months of complimentary consumer identity protection services to customers whose cards may have been affected by the data breach. Id. ¶ 45. On September 29, 2014, Defendants announced in press releases that a second data 2 ECUG!1<25.ex.15771.CFO.VPN!!!Fqewogpv!46!!!Hkngf!12018027!!!Rcig!4!qh!28 breach occurred in late August or early September 2014. Id. ¶ 6. In this second instance, hackers installed different malware onto the portion of SuperValu’s computer network that processes payment card transactions for some retail stores owned or operated by AB Acquisition and Albertson’s (collectively referred to with the stores affected in the first breach as the “Affected Stores”). Id. ¶¶ 6, 44. Plaintiffs allege the two incidents (collectively referred to as the “Data Breach”) are related and stem from Defendants’ same fundamental security failures. Id. ¶ 7. C. Named Plaintiffs Plaintiffs are consumers who shopped at Defendants’ stores that were affected by the Data Breach. Id. ¶¶ 16–31. Plaintiffs provided their PII to Defendants when they used their payment cards at Defendants’ Affected Stores. Id. ¶¶ 1, 16–31. D. Alleged Harm Although customer data at over 1,000 of Defendants’ stores was accessed, the only alleged misuse of any Plaintiff’s PII following the Data Breach is a single unauthorized charge on one Plaintiff’s credit card. Plaintiff David Holmes alleges he experienced a fraudulent charge on his payment card after shopping at one of Defendants’ Affected Stores and, upon noticing the fraudulent charge on his credit card statement, he immediately cancelled his credit card.1 Id. ¶ 31. Holmes does not specify the amount or date of the fraudulent charge, nor does he allege the charge was unreimbursed or that he incurred bank fees or other monetary losses related to the charge. See id. No other Plaintiff alleges any unauthorized charges on their account, and no 1 Holmes does not specify whether he shopped at an Affected Store during the time periods associated with the Data Breach. See id. ¶ 31. For the purposes of this Motion, the Court assumes he did. 3 ECUG!1<25.ex.15771.CFO.VPN!!!Fqewogpv!46!!!Hkngf!12018027!!!Rcig!5!qh!28 Plaintiff, including Holmes, has alleged experiencing identity theft or attempted identity theft after the Data Breach. See generally Am. Compl. All sixteen of the named Plaintiffs allege that after Defendants announced the Data Breach, Plaintiffs spent time determining whether their cards were compromised and monitoring their account information to guard against potential fraud. Id. ¶¶ 16–31. One Plaintiff, Kenneth Hanff, further alleges he closed his checking account and opened a new one to prevent fraudulent purchases. Id. ¶ 18. Based on these factual allegations, Plaintiffs allege that Defendants’ wrongful conduct, the resulting Data Breach, and the potential disclosure of Plaintiffs’ and other Class Members’ PII have caused them to suffer harm including: (i) diminished value of their PII; (ii) untimely and inadequate notification of the Data Breach; (iii) increased risk of future losses, economic damages, and other harm; (iv) opportunity cost and value of lost time spent monitoring financial accounts and payment card accounts; (v) invasion of privacy and breach of the confidentiality of their PII by Defendants’ unauthorized release and disclosure; and (vi) lost benefit of the bargain. Id. ¶¶ 32, 82. E. Procedural History A total of four putative class actions brought by a total of twelve Plaintiffs were filed against Defendants in federal courts in Illinois, Minnesota, and Idaho. See, McPeak v. SuperValu, Inc., 3:14-cv-00899 (S.D. Ill., filed Aug. 18, 2014); Hanff v. SuperValu Inc., 14-cv- 3252 (D. Minn., filed Aug. 25, 2014); Mertz v. SuperValu, Inc., 14-cv-04660 (D. Minn., filed Nov. 4, 2014); and Rocke v. SuperValu, Inc., 1:14-cv-00511 (D. Idaho, filed Nov. 26, 2014). In December 2014, the Judicial Panel on Multidistrict Litigation centralized the four complaints to 4 ECUG!1<25.ex.15771.CFO.VPN!!!Fqewogpv!46!!!Hkngf!12018027!!!Rcig!6!qh!28 this Court for coordinated pre-trial proceedings. See Transfer Order [Docket No. 1]. On June 26, 2015, Plaintiffs filed the Amended Complaint alleging six causes of action on behalf of sixteen named Plaintiffs. See generally Am. Compl. The sixteen named Plaintiffs consist of the twelve original Plaintiffs plus four new Plaintiffs. See id. ¶¶ 27–30. Defendants now move to dismiss the Amended Complaint for lack of subject matter jurisdiction under Rule 12(b)(1) and for failure to state a claim under Rule 12(b)(6). III. DISCUSSION A. Rule 12(b)(1): Lack of Subject Matter Jurisdiction Defendants argue the Amended Complaint must be dismissed under Rule 12(b)(1) for Plaintiffs’ failure to allege facts establishing Article III standing, which is a prerequisite to subject matter jurisdiction. See Lujan v. Defenders of Wildlife, 504 U.S. 555, 559–60 (1992). 1. Standard of Review Defendants’ Motion attacks the sufficiency of the pleadings and thus raises a facial, rather than factual, challenge to the Court’s subject matter jurisdiction. See Stalley v. Catholic Health Initiatives, 509 F.3d 517, 521 (8th Cir. 2007). In analyzing a facial challenge to jurisdiction, the Court applies the same standard of review as that in Rule 12 (b)(6) cases. Id. The Court “accepts as true all factual allegations in the complaint, giving no effect to conclusory allegations of law.” Id. Plaintiffs must affirmatively and plausibly assert facts that suggest they have the right to jurisdiction, rather than facts that are merely consistent with that right. See id. (citing Bell Atl. Corp. v. Twombly, 550 U.S. 544 (2007)). “Determining whether a claim is plausible is a ‘context-specific task that requires the reviewing court to draw on its judicial experience and common sense.’” Hamilton v. Palm, 621 F.3d 816, 818 (8th Cir. 2010) (quoting 5 ECUG!1<25.ex.15771.CFO.VPN!!!Fqewogpv!46!!!Hkngf!12018027!!!Rcig!7!qh!28 Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009)). 2. Article III Standing “Article III standing is a threshold question in every federal court case.” United States v. One Lincoln Navigator 1998, 328 F.3d 1011, 1013 (8th Cir. 2003). The party invoking federal jurisdiction has the burden of establishing standing. Lujan, 504 U.S. at 560. To meet this burden, a plaintiff must show: (1) an injury in fact; (2) a causal connection between the injury and the challenged conduct of the defendant; and (3) a likelihood that a favorable ruling will redress the alleged injury. Young Am. Corp. v. Affiliated Computer Servs. (ACS), Inc., 424 F.3d 840, 843 (8th Cir.

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    17 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us