In re: SuperValu, Inc., Customer Data Security Breach Litigation
SuperValu, Inc.; AB Acquisition, LLC; New Albertsons, Inc. Defendants-Appellees
Melissa Alleruzzo; Heidi Bell; Rifet Bosnjak; John Gross; Kenneth Hanff; David Holmes; Steve McPeak; Gary Mertz; Katherin Murray; Christopher Nelson; Carol Puckett; Alyssa Rocke; Timothy Roldan; Ivanka Soldan; Melissa Thompkins; Darla Young Plaintiffs-Appellants
Electronic Privacy Information Center Amicus on Behalf of Appellant(s)

In re: SuperValu, Inc., Customer Data Security Breach Litigation
Melissa Alleruzzo; Heidi Bell; Rifet Bosnjak; John Gross; Kenneth Hanff; David Holmes; Steve McPeak; Gary Mertz; Katherin Murray; Christopher Nelson; Carol Puckett; Alyssa Rocke; Timothy Roldan; Ivanka Soldan; Melissa Thompkins; Darla Young Plaintiffs-Appellees
SuperValu, Inc.; AB Acquisition, LLC; New Albertsons, Inc. Defendants-Appellants
Submitted: May 10, 2017
from United States District Court for the District of
Minnesota - Minneapolis
SMITH, Chief Judge, COLLOTON and KELLY, Circuit Judges.

In 2014, retail grocery stores owned and operated by defendants
SuperValu, Inc., AB Acquisition, LLC, and New Albertsons,
Inc. suffered two cyber attacks in which their customers'
financial information was allegedly accessed and stolen.
Following the data breaches, customers who shopped at the
affected stores brought several putative class actions, which
were subsequently centralized in the United States District
Court for the District of Minnesota by the Judicial Panel on
Multidistrict Litigation. The district court dismissed the
plaintiffs' consolidated complaint under Federal Rule of
Civil Procedure 12(b)(1), concluding that plaintiffs failed
to allege facts establishing Article III standing. Plaintiffs
appealed, and we affirm in part, reverse in part, and remand
for further proceedings.

The following facts, which we accept as true, are drawn from the
consolidated amended complaint and the appended exhibits.
See Carlsen v. GameStop, Inc., 833 F.3d 903, 908
(8th Cir. 2016). Plaintiffs are sixteen customers who
purchased goods from defendants' grocery stores in
Missouri, Illinois, Maryland, Pennsylvania, Delaware, Idaho,
and New Jersey using credit or debit cards during the period
between June and September 2014. From June 22, 2014, to July
17, 2014, cyber criminals accessed the computer network that
processes payment card transactions for 1,045 of
defendants' stores. The hackers installed malicious
software on defendants' network that allowed them to gain
access to the payment card information of defendants'
customers (hereinafter, Card Information), including their
names, credit or debit card account numbers, expiration
dates, card verification value (CVV) codes, and personal
identification numbers (PINs). By harvesting the data on the
network, the hackers stole customers' Card Information.

On August 14, 2014, defendants issued a press release notifying
customers of the computer intrusion at their stores. The
press release acknowledged that the attack "may have
resulted in the theft" of Card Information, but it had
not yet been determined that "any such cardholder data
was in fact stolen," and, at that point, there was
"no evidence of any misuse of any such data."
Defendants also announced that they were conducting an
on-going investigation into the incident, which might uncover
additional "time frames, locations and/or at-risk
data" exposed in the intrusion.

On September 29, 2014, defendants announced a second data breach
that took place in late August or early September 2014. The
press release stated that an intruder installed different
malicious software onto the same network. Defendants
acknowledged that the software may have captured Card
Information from debit and credit cards used to purchase
goods at their stores but, at the time of the press release,
there had been no determination that such information
"was in fact stolen." Once again, defendants
affirmed that their investigation was ongoing, and that
further information on the scope of the intrusion could be
identified in the future. Although defendants' release
states that the second intrusion was separate from the one
announced on August 14, 2014, plaintiffs dispute this
contention in their complaint, alleging that the two breaches
were related and stemmed from the same security failures.

According to the complaint, hackers gained access to defendants'
network because defendants failed to take adequate measures
to protect customers' Card Information. Defendants used
default or easily guessed passwords, failed to lock out users
after several failed login attempts, and did not segregate
access to different parts of the network or use firewalls to
protect Card Information. By not implementing these measures,
defendants ran afoul of best practices and industry standards
for merchants who accept customer payments via credit or
debit card. Moreover, defendants were on notice of the risk
of consumer data theft because similar security flaws had
been exploited in recent data breaches targeting other

As a result of the breaches, plaintiffs' Card Information was
allegedly stolen, subjecting plaintiffs "to an imminent
and real possibility of identity theft." Specifically,
plaintiffs contend that the hackers can use their Card
Information to siphon money from their current accounts, make
unauthorized credit or debit card charges, open new accounts,
or sell the information to others who intend to commit fraud.
Identity thieves can use the stolen Card Information to
commit fraud for an "extended period of time after"
the breach, and the information is often traded on the cyber
black market "for a number of years after the initial
theft." In support of these allegations, plaintiffs cite
a June 2007 United States Government Accountability Office
(GAO) report on data breaches. See U.S. Gov't
Accountability Off., GAO-07-737, Personal Information: Data
Breaches are Frequent, but Evidence of Resulting Identity
Theft is Limited; However, the Full Extent is Unknown (2007),
allegedly affected by the breaches filed putative class
actions in several district courts. The Judicial Panel on
Multidistrict Litigation transferred the related actions to
the United States District Court for the District of
Minnesota for coordinated or consolidated pretrial
proceedings. Pursuant to the district court's order,
plaintiffs filed a consolidated amended complaint on June 26,
2015, with sixteen named plaintiffs bringing claims on behalf
of a putative class of persons affected by defendants'
the sixteen plaintiffs shopped at defendants' affected
stores using a credit or debit card, and their Card
Information was allegedly compromised in the data breaches.
After the data breaches were announced, each plaintiff
"spent time determining if [his or her] card was
compromised" by reviewing information released about the
breaches and the impacted locations and monitoring account
information to guard against potential fraud. Crucial to the
outcome in this appeal, one plaintiff, David Holmes, used his
credit card at a store in Belleville, Illinois that was affected
by the data breaches, and alleges his Card Information was
compromised as a result of defendants' security failures.
Shortly after the data breach was announced, "Holmes
noticed a fraudulent charge on his credit card statement and
immediately cancelled his credit card, which took two weeks

The complaint states six claims for relief for: (1) violations of
state consumer protection statutes, (2) violations of state
data breach notification statutes, (3) negligence, (4) breach
of implied contract, (5) negligence per se, and (6) unjust
enrichment. Defendants moved to dismiss the complaint under
Federal Rules of Civil Procedure 12(b)(1) and 12(b)(6). The
district court granted the Rule 12(b)(1) motion and dismissed
the complaint without prejudice, finding that none of the
plaintiffs had alleged an injury-in-fact and thus they did
not have standing. The court did not address defendants'
arguments for dismissal under Rule 12(b)(6). Plaintiffs appeal
the district court's dismissal, and defendants
cross-appeal, arguing that the complaint was alternatively
subject to dismissal with prejudice under Rule 12(b)(6).