Data Breach Class Action Against Michaels Stores Doesn’t Stick

The arts and crafts retail chain Michaels Stores Inc. (“Michaels”) received a late holiday gift in the form of a dismissal of a data breach class action lawsuit. On December 28, 2015, the U.S. District Court for the Eastern District of New York granted Michaels’ motion to dismiss. This is at least the second data breach class action lawsuit against Michaels to be dismissed.[1]

On January 25, 2014, Michaels notified its customers of fraudulent activity on some credit cards from May 8, 2013 to January 27, 2014; three months later it confirmed a data breach caused by malware that accessed customers’ credit and debit card information, affecting an estimated 2.6 million cards.

The named plaintiff alleged actual harm including monetary losses arising from unauthorized bank account withdrawals, fraudulent card payments and/or related bank fees. The named plaintiff only experienced one attempted fraudulent charge before she cancelled her credit card, but did not allege she suffered any unreimbursed charges (there was no allegation the named plaintiff was required to pay the one fraudulent charge).

The plaintiff also alleged potential future harm arising out of costs associated with identity theft and the increased risk of identity theft.

The court dismissed the lawsuit (without prejudice) for the plaintiff’s lack of Article III standing. Key to the court’s ruling is that the named plaintiff did not allege that she suffered any unreimbursed charges, i.e., actual harm. Similar data breach class actions against P.F. Chang’s and Zappos, among many others, have been dismissed on the same ground.

The court also ruled that the plaintiff failed to allege an injury that is “certainly impending” or based on a “substantial risk that the harm will occur,” citing the Supreme Court’s 2013 ruling in Clapper v. Amnesty International USA (allegations of future harm can establish Article III standing only “if the threatened injury is ‘certainly impending,’ or there is a ‘substantial risk’ that the harm will occur”).

This opinion follows a long list of opinions ruling that plaintiffs in data breach cases do not have standing to sue under Article III unless they can show actual harm, “certainly impending” harm, or “a substantial risk that harm will occur” from the data breach.

[1] On July 14, 2014, the U.S. District Court for the Northern District of Illinois dismissed a substantially similar data breach class action lawsuit, ruling that the plaintiffs failed to plead the required element of actual monetary damages. Moyer v. Michaels Stores, Inc., No. 14C561, slip op. (N.D. Ill. July 14, 2014).