In a blow to retailers and other businesses subjected to data breaches, the Seventh Circuit has reinstated a class action brought by consumers against Barnes & Noble arising from a 2012 breach. Two class representatives sued under California and Illinois law for breach of their credit card data. The District Court dismissed their cases because they failed to plead actual damages. The Seventh Circuit reversed. Writing for the appellate panel, Judge Easterbrook concluded that California's Records Act (Cal. Civ. Code S 1798.84) and Unfair Competition Law (Cal. Bus. & Prof. Code S 17204) as well as Illinois' Consumer Fraud and Deceptive Practice Act (815 ILCS 505/2) allowed the Illinois and California plaintiffs to proceed with their case seeking alleged 'economic losses' including: monthly payments for credit monitoring, a three-day interruption in the use of consumers' credit cards while unauthorized charges were reversed, and the hassle of resolving issues arising from the breach.
This case continues the progression of consumer-friendly data breach class action opinions in the Seventh Circuit. The Seventh Circuit (in opinions discussed by the Barnes & Noble court) previously found that consumers who were the victims of data breaches and who claimed similar injuries had standing to bring their claims in federal court. [See Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688 (7th Cir. 2015); and Lewert v. P.F. Chang's China Bistro, Inc., 819 F.3d 963 (7th Cir. 2016).] In this latest opinion, Judge Easterbrook concluded that dismissing plaintiffs' claims for failing to plead damages was essentially no different than dismissing the case involving the same type of injuries for lack of standing—or, as he put it, dismissal based upon lack of actual damages was "a new label for an old error." If plaintiffs' claimed injuries could constitute an injury-in-fact for standing, then they also could be actual recoverable damages under both the California and Illinois consumer statutes.
Judge Easterbrook's discussion of the Illinois Consumer Fraud Act is notable. He recognized that Illinois law requires a plaintiff to plead they have suffered an actual economic loss to recover non-economic damages. He found that plaintiff’s claim she paid a monthly fee for credit monitoring services qualified as an actual economic loss. In reaching this conclusion, Judge Easterbrook rejected an Illinois appellate court decision holding an individual who purchased credit-monitoring services after a data breach did not suffer an actual economic loss. [See Cooney v. Chicago Public Schools, 407 Ill. App. 3d 358 (1st Dist. 2010).] Judge Easterbrook predicted the Illinois Supreme Court would disagree with the state appellate court decision when it ultimately considers this issue. Having found that the Illinois plaintiff had sufficiently pled actual economic loss, plaintiff could also seek damages for temporary lost use of her credit card.
All may not be lost for Barnes & Noble when it returns to the district court. Judge Easterbrook noted that neither California law nor Illinois law makes a retailer, who is also a victim of the criminal data breach, expressly liable for failing to "crime-proof their point of sale systems." And his opinion questioned whether the case should ever be certified as a class action, because of the different laws in the two states and the 5.5 years that have elapsed since the case was filed without a decision on a motion for class certification.
David Duffy is a partner in Thompson Coburn’s cybersecurity practice.