
8th Cir. Rejects Alleged Data Breach Victim’s UDAP, UDTPA, Common Law, and Other Claims

The U.S. Court of Appeals for the Eighth Circuit recently upheld the dismissal of an alleged data breach victim’s allegations under the Illinois Consumer Fraud and Deceptive Business Practices Act, the Illinois Personal Information Protection Act, and the Illinois Uniform Deceptive Trade Practices Act, as well as various common law claims.

A copy of the opinion in Melissa Alleruzzo v. SuperValu, Inc. is available at:  Link to Opinion.

In June and July 2014, hundreds of retail grocery stores operated by three different entities (“grocers”) were hacked, resulting in the theft of customers’ card information, including their names, credit or debit card account numbers, expiration dates, personal identification numbers, and card verification value codes.  After the grocers notified customers of the cyberattack via a press release in August 2014, a second cyberattack took place around August or September 2014.

Affected customers filed multiple putative class actions against the stores, alleging that the attacks were related and resulted from the stores’ failure to properly safeguard their customers’ personal information.

After the cases were consolidated, the grocers moved to dismiss, asserting that plaintiffs lacked standing, and failed to state a claim upon which relief could be granted.  The grocers’ motion to dismiss was granted without prejudice for lack of standing pursuant to Rule 12(b)(1), as the trial court concluded that none of the plaintiffs had alleged an injury in fact because the complaint’s allegations were insufficient to plausibly suggest that the plaintiffs were likely to suffer future identity theft. The trial court did not address the defendants’ alternative motion under Rule 12(b)(6) for failure to state a claim.

The customers’ subsequent motions to alter or amend the trial court’s judgment pursuant to Rule 59(e), or alternatively, for leave to amend the complaint were denied. Thereafter, the customers appealed the trial court’s dismissal for lack of subject-matter jurisdiction, but did not appeal the denial of their Rule 59(e) motion.

On appeal, the Eighth Circuit affirmed the trial court’s ruling that the complaint did not sufficiently allege a substantial risk of identity theft, and the customers’ allegations of future injury did not support standing.  See In re SuperValu, Inc., 870 F.3d 763 (8th Cir. 2017).

However, because one of the customers (“Customer 1”) alleged a present injury in fact — that he suffered a fraudulent charge on the credit card he previously used to make a purchase at one of the stores affected by the data breaches — the appellate court concluded that he had standing to bring suit, and remanded to allow the trial court to consider the grocers’ motion to dismiss pursuant to Rule 12(b)(6) as to Customer 1 in the first instance.

On remand, the grocers renewed their motion to dismiss.  A week later, the customers filed a second motion for leave to amend, with a proposed amended complaint that added general allegations about the likelihood of identity theft following a data breach — many of which were based on the same affidavits attached to their previously-denied motion to alter or amend judgment pursuant to Rule 59(e).  The trial court denied the customers’ motion for leave to amend, holding that futility and undue delay compelled denial under Rule 15(a)(2).  The trial court also granted dismissal as to all claims asserted by Customer 1 because: (i) he did not shop at a grocery store owned by two of the three defendant grocers; and (ii) his claims against the third defendant grocer where he did shop (“Grocer 1”) for negligence, consumer protection, implied contract and unjust enrichment failed as a matter of law.

The instant, second appeal followed.

After addressing various procedural arguments not relevant here, the Eighth Circuit reviewed the dismissal of each of Customer 1’s four claims for failure to state a claim under Rule 12(b)(6).

First examining Customer 1’s negligence claims, the Court turned to applicable Illinois state law which requires that a complaint must allege “facts that establish the existence of a duty of care owed by the defendant to the plaintiff, a breach of that duty, and an injury proximately caused by that breach” to state a claim for negligence.  Marshall v. Burger King Corp., 856 N.E.2d 1048, 1053 (Ill. 2006).

As the Illinois Supreme Court had not yet addressed whether a retailer has a qualifying special relationship with its customers to trigger obligations to protect its financial information, the Eighth Circuit looked to a recent ruling from the Seventh Circuit which addressed the same question, and predicted that Illinois would not impose such a duty on retailers.  See Cmty. Bank of Trenton v. Schnuck Mkts., Inc., 887 F.3d 803, 816 (7th Cir. 2018), citing Cooney v. Chicago Public Schools, 943 N.E.2d 23, 28–29 (Ill. App. Ct. 2010).

The Eighth Circuit further rejected Customer 1’s alternative argument that Section 45(a) of the Federal Trade Commission Act creates a duty enforceable through an Illinois negligence action, as having previously been rejected in Illinois federal court.  See Cmty. Bank of Trenton v. Schnuck Mkts., Inc., 210 F. Supp. 3d 1022, 1041 (S.D. Ill. 2016).  Accordingly, the Eighth Circuit held that dismissal of Customer 1’s negligence claims was proper.

The Court next analyzed Customer 1’s claims raised under various Illinois consumer protection statutes: the Illinois Consumer Fraud and Deceptive Business Practices Act (ICFA), the Illinois Personal Information Protection Act (PIPA), and the Illinois Uniform Deceptive Trade Practices Act (UDTPA).  Primarily, the Court noted that the PIPA does not create a separate cause of action and may be pursued only by satisfying ICFA’s requirements.  See 815 Ill. Comp. Stat. 530/20; Best v. Malec, No. 09 C 7749, 2010 WL 2364412, at *7 (N.D. Ill. June 11, 2010).

The Eighth Circuit held that Customer 1’s alleged injuries of time spent monitoring his account, the single fraudulent charge (for which he did not specifically allege he was required to pay), and effort to replace his compromised card did not constitute actual damage and an ‘actual pecuniary loss’ as required under ICFA.  815 Ill. Comp. Stat. 505/10a(a); Kim v. Carter’s Inc., 598 F.3d 362, 365 (7th Cir. 2010).  The Court further rejected Customer 1’s argument that the collateral source doctrine, in which “benefits received by an injured party from a source wholly independent of, and collateral to, the tortfeasor will not diminish damages otherwise recoverable from the tortfeasor” applies to an ICFA claim.   Wills v. Foster, 892 N.E.2d 1018, 1022 (Ill. 2008).

As to his cause of action under Illinois’ UDTPA, Customer 1’s claims fail because the only available remedy under the statute is injunctive relief, and the complaint fails to show that he is “likely to be damaged” by Grocer 1 in the future, as required.  See Glazewski v. Coronet Ins. Co., 483 N.E.2d 1263, 1267 (Ill. 1985).  For these reasons, all of Customer 1’s claims under Illinois consumer protection statutes (ICFA, PIPA, UDTPA) were appropriately dismissed for failing to state a claim.

Without further analysis, the Eighth Circuit concluded that Customer 1’s claim for breach of an implied contract also failed because it did not sufficiently allege that the customers were party to an implied contract.

As to his remaining claim for unjust enrichment, Customer 1 alleged that Grocer 1’s delay in informing customers of the data breach resulted in an unjust benefit to Grocer 1, because he would not have shopped and expended money on groceries at its store if it had immediately informed its customers of the breach.

To state a claim of unjust enrichment in Illinois, “a plaintiff must allege that the defendant has unjustly retained a benefit to the plaintiff’s detriment, and that defendant’s retention of the benefit violates the fundamental principles of justice, equity, and good conscience.” HPI Health Care Servs., Inc. v. Mt. Vernon Hosp., Inc., 545 N.E.2d 672, 679 (Ill. 1989).

Here, the Eighth Circuit opined that common sense rejects Customer 1’s theory because he did not pay, or allege that he paid, a premium “for a side order of data security and protection”—the amounts he paid for groceries would have been the same whether he paid by cash or credit card.  Irwin v. Jimmy John’s Franchise, LLC, 175 F. Supp. 3d 1064, 1072 (C.D. Ill. 2016) (applying Arizona law).   As such, he does not adequately allege a benefit conferred in exchange for protection of his personal information, nor does he show how Grocer 1’s retention of his payment would be inequitable. Carlsen v. GameStop, Inc., 833 F.3d 903, 912 (8th Cir. 2016).   The Eighth Circuit therefore concluded that Customer 1 failed to state a plausible claim of unjust enrichment.

For these reasons, dismissal of Customer 1’s complaint under Rule 12(b)(6) for failure to state a claim was affirmed.
