Sunday, November 5, 2017

In re SuperValu, Inc.

15.4 million Americans were victims of identity theft in 2016.[1]  Data breaches are becoming more common, and some consumers want to sue the company that suffered the data breach.  There is a circuit split regarding whether the consumers whose information was stolen satisfy the injury element of standing.[2]  The Eighth Circuit contributed to that split in In re SuperValu by holding that the consumers did not satisfy the injury requirement because they had not yet suffered, and may never suffer, identity theft.[3]

I.        Facts and Holding
On August 14, 2017, SuperValu, a grocery store chain, issued a press release stating a data breach had occurred and the attack “may have resulted in the theft” of some of its consumers’ credit and debit card information.[4]  The data breach affected consumers who purchased goods with a credit or debit card from SuperValu stores in Missouri, Illinois, Maryland, Pennsylvania, Delaware, Idaho, and New Jersey.[5]  The hackers accessed the consumers’ names, credit or debit card numbers, expiration dates, card verification value (“CVV”) codes, and personal identification numbers (“PINs”) (hereinafter “Card Information”).[6]  In September of 2014, SuperValu announced a second data breach.[7]  The hackers again accessed consumers’ Card Information.[8]
Sixteen consumers who purchased goods at SuperValu stores with a credit or debit card filed a class action.[9]  The plaintiffs alleged SuperValu was on notice there was a risk of consumer data breaches because other national retailers suffered similar attacks, and the store was negligent in failing to follow industry standards for protecting consumer Card Information.[10]  The plaintiffs sued SuperValu for negligence, breach of implied contract, and other claims.[11]  Only one plaintiff, David Holmes, suffered a fraudulent charge on his credit card after the data breach.[12]  The Eighth Circuit reversed the trial court’s dismissal of the action as to Holmes, holding he did suffer an injury in fact and therefore had standing because he suffered credit card fraud.[13]  But the court affirmed the district court’s dismissal of the remaining plaintiffs for lack of standing because there was not a substantial risk they would suffer identity theft in the future.[14]

II.     Legal Background
The United States Constitution limits judicial power to deciding “cases” and “controversies.”[15]  Courts have interpreted this to mean that a plaintiff must have standing to sue in federal court.[16]  Standing has three elements: 1) the plaintiff must suffer an injury in fact; 2) the injury must be “fairly traceable to defendant’s conduct;” and 3) the relief the plaintiff seeks must be likely to redress her injury.[17]  The plaintiff’s injury must be “concrete and particularized” and “actual or imminent.”[18]  It is possible to satisfy the injury requirement with a future injury if “the threatened injury is certainly impending, or there is a substantial risk that the harm will occur.”[19]
Some federal courts have held that the threat of future identity theft satisfies the injury in fact element of standing in data breach cases.  The Seventh Circuit held the plaintiffs had standing because there was an “objectively reasonable likelihood” they would suffer identity theft, and some of the cards had already experienced fraudulent charges.[20]  The court asked “[w]hy else would hackers break into a store’s database and steal consumers’ private information?”[21] The Sixth Circuit found that the plaintiffs had standing because they had an increased risk of identity theft.[22]  It was reasonable to infer that the hackers would use the plaintiffs’ data for fraudulent purposes.[23]  Further, the plaintiffs were damaged when they expended resources mitigating that risk.[24]  The Ninth Circuit also held that the plaintiffs had standing because they alleged a “credible threat of real and immediate harm” even though no identity theft had occurred.[25]
Other federal courts hold that the risk of future identity theft or credit card fraud is insufficient to satisfy the standing requirement.[26]  The Third Circuit found the alleged injury too attenuated because the injury “is dependent on entirely speculative, future actions of an unknown third-party.”[27]  In that case, it was unclear if the hacker read and copied the information, if the hacker would attempt to use the information, and if he would use it successfully.[28]  The Fourth Circuit also held that the future risk was not sufficient to constitute an injury; rather, the plaintiffs needed to show that there was a substantial risk that the information would be misused.[29]  The Eighth Circuit’s analysis more closely followed the Third and Fourth Circuits’ reasoning.[30]

III.  Instant Decision
The Eighth Circuit held in In re SuperValu that “the complaint ha[d] not sufficiently alleged a substantial risk of identity theft, and plaintiffs' allegations of future injury do not support standing in this case.”[31]
The plaintiffs claimed that they were damaged in two ways.[32]  First, the plaintiffs spent time determining if their cards were compromised after they learned about the data breaches.[33]  The court reasoned that the time the plaintiffs spent did not satisfy the injury requirement because they were protecting themselves from a speculative threat.[34] 
Second, the plaintiffs alleged the data breach created a substantial risk of future identity theft.[35]  The court reasoned that while other courts “have ruled that a complaint could plausibly plead that the theft of a plaintiff’s personal or financial information creates a substantial risk that they will suffer identity theft sufficient to constitute a threatened injury in fact … we conclude that plaintiffs have not done so here.”[36]  The court found that a report from the U.S. Government Accountability Office (“the Report”), stating that there are some cases where identity theft occurred as a result of a data breach, was insufficient to support plaintiffs’ claim.[37]
The court agreed with the Report, which states it is difficult to open an unauthorized account with only credit or debit card information; rather, fraudsters usually need social security numbers, birth dates, or driver’s license numbers.[38]  As for credit or debit card fraud, the court again relied on the Report in finding that “data breaches are unlikely to result in account fraud.”[39]  The court left open the possibility that, in the future, plaintiffs will be able to satisfy the injury requirement if there is more statistical support showing that fraud is likely to occur after a data breach.[40]  Because there was a mere possibility that the plaintiffs would suffer identity theft, the court held that the plaintiffs did not allege an injury in fact and therefore did not have standing.[41]

IV.  Comment
The Eighth Circuit underestimated the frequency of identity theft in holding that the risk of future identity theft was not sufficient to satisfy the injury requirement.  From 2015 to 2016, identity theft increased sixteen percent, resulting in the theft of $16 billion.[42]  Identity theft where the criminal uses credit and debit card numbers to buy items online, rather than stealing the physical card, increased forty percent in the last year.[43]  Additionally, identity theft completed by opening new accounts in a victim’s name nearly doubled.[44] 
There is limited information about how often data breaches are the cause of identity theft because it is difficult to determine how the thieves obtained the Card Information.[45]  However, this should not prevent the court from finding that the plaintiffs have standing.  First, the risk of identity theft is real because, as the Seventh Circuit asked, “[w]hy else would hackers break into a store’s database and steal consumers’ private information?”[46]
Plaintiffs are also injured because they have to spend time and money preventing identity theft.[47]   Many experts advise freezing your credit and choosing a credit monitoring service if your information was exposed during a data breach.[48]  It generally costs between $3 and $30 to freeze your credit cards and around $150 per year to monitor your credit.[49] While these costs do not seem significant, they add up in a class action.  These are just a few of the steps a vigilant consumer should take.  The court should have found that the plaintiffs had standing by recognizing both the substantial risk that the plaintiffs’ identities would be stolen and the costs that plaintiffs incur to reduce that risk.
- Ariel Kiefer



[1] Herb Weisbaum, Identity Fraud Hits Record Number of Americans in 2016, NBC News (Feb. 2, 2017), https://www.nbcnews.com/business/consumer/identity-fraud-hits-record-number-americans-2016-n715756.
[2] See infra Section II.
[3] In re SuperValu, Inc., 870 F.3d 763, 771–72 (8th Cir. 2017).
[4] Id. at 766.
[5] Id.
[6] Id.
[7] Id.
[8] Id.
[9] Id.
[10] Id.
[11] Id. at 767.  The plaintiffs also sued for violations of the state data breach notification statutes, negligence per se, violation of consumer protection statutes, and unjust enrichment.  Id.
[12] Id.
[13] Id. at 774.
[14] Id.
[15] U.S. Const. art. III, §2, cl. 1; Spokeo, Inc., v. Robins, 136 S. Ct. 1540, 1547 (2016).
[16] Spokeo, 136 S. Ct. at 1547.
[17] Id.
[18] Lujan v. Defs. of Wildlife, 504 U.S. 555, 560 (1992).
[19] Susan B. Anthony List v. Driehaus, 134 S. Ct. 2334, 2341 (2014) (internal quotation marks omitted) (quoting Clapper v. Amnesty Int’l USA, 568 U.S. 398, 414 n.5 (2013)).
[20] Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688, 693–94 (7th Cir. 2015) (quoting Clapper, 568 U.S. at 410).  9200 of the 350,000 cards had already experienced fraudulent charges. Id. at 964.
[21] Id.
[22] Galaria v. Nationwide Mut. Ins. Co., 663 Fed. App’x. 384, 388 (6th Cir. 2016) (unpublished).
[23] Id.
[24] Id.
[25] Krottner v. Starbucks Corp., 628 F.3d 1139, 1143 (9th Cir. 2010).
[26] See, e.g., In re Zappos.com, Inc., 108 F. Supp. 3d 949, 955 (D. Nev. 2015) (listing many federal district courts that have dismissed data breach cases for lack of standing).
[27] Reilly v. Ceridian Corp., 664 F.3d 38, 42, 40 (3d Cir. 2011) (The information subject to the data breach included names, addresses, social security numbers, birthdays, and bank account information.).  However, the Third Circuit has also held that if personal information is disclosed in violation of the Fair Credit Reporting Act, that violation is enough to satisfy the injury requirement even if the plaintiffs did not suffer identity theft or show that there was a substantial risk of identity theft.  In re Horizon Healthcare Servs. Inc. Data Breach Litig., 846 F.3d 625, 640 (3d Cir. 2017).
[28] Reilly, 664 F.3d at 44.
[29] Beck v. McDonald, 848 F.3d 262, 275 (4th Cir. 2017) (Plaintiff’s allegation that thirty-three percent of health-related data breaches resulted in identity theft was not enough to constitute a “substantial risk.”).
[30] See In re SuperValu, Inc., 870 F.3d 763 (8th Cir. 2017).
[31] Id. at 771–72.  However, the court also held that Holmes had standing because he suffered the injury of credit card fraud, and the court remanded his action for further proceedings. Id. at 774.
[32] Id.
[33] Id. at 767.
[34] Id. at 771.
[35] Id. at 770.  Identity theft can include fraud on existing accounts or fraudulently creating new accounts. Id.; U.S. Gov't Accountability Office, Personal Information: Data Breaches are Frequent, but Evidence of Resulting Identity Theft Is Limited; However, the Full Extent Is Unknown 2 (2007), http://www.gao.gov/assets/270/262899.pdf.
[36] Id. at 770.
[37] Id.
[38] Id.
[39] Id. at 779.  The Report found that credit and debit card fraud did occur in some data breach cases, however, “most breaches have not resulted in detected incidents of identity theft.” Id. (quoting U.S. Gov't Accountability Office, supra note 35, at 21).
[40] Id.
[41] Id. at 771–72.
[42] Weisbaum, supra note 1.
[43] Id.
[44] Id.
[45] U.S. Gov't Accountability Office, supra note 35, at 5.
[46] Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688, 694 (7th Cir. 2015).
[47] See Galaria v. Nationwide Mut. Ins. Co., 663 Fed. App’x. 384, 388 (6th Cir. 2016) (unpublished); Krottner v. Starbucks Corp., 628 F.3d 1139, 1143 (9th Cir. 2010).  After a data breach, those affected should check their credit report, consider placing a freeze on their credit which costs a fee, monitor all of their credit and bank accounts, and place a fraud alert on their files.  Seena Gressin, The Equifax Data Breach: What to Do, Fed. Trade Commission (Sept. 8, 2017), https://www.consumer.ftc.gov/blog/2017/09/equifax-data-breach-what-do.
[48] Here's What It Costs to Freeze Your Credit After Equifax Breach, CNBC (Sept. 15, 2017), https://www.cnbc.com/2017/09/15/heres-what-it-costs-to-freeze-your-credit-after-equifax-breach.html.
[49] Id.; Should I Pay for Credit Monitoring?, TIME, http://time.com/money/collection-post/2791979/should-i-pay-for-credit-monitoring/ (last visited Oct. 10, 2017).