United States District Court, D. Minnesota
IN RE SuperValu, Inc., Customer Data Security Breach Litigation This Document Relates to All Actions
Barnow, Esq., Barnow and Associates, P.C., Chicago, IL; Kate
M. Baxter-Kauf, Esq., Lockridge Grindal Nauen P.L.L.P.,
Minneapolis, MN, on behalf of Plaintiffs.
J. Wolkoff, Esq., and David T. Cohen, Esq., Ropes & Gray
LLP, New York, NY and Boston, MA; Katherine S. Barrett Wiik,
Esq., and Stephen P. Safranski, Esq., Robins Kaplan LLP,
Minneapolis, MN, on behalf of Defendant SuperValu, Inc.
L. Landolfi, Esq., Vorys, Sater, Seymour and Pease LLP,
Columbus, OH; and Marc A. Al, Esq., Stoel Rives LLP,
Minneapolis, MN, on behalf of Defendants AB Acquisition, LLC
and New Albertson's Inc.
MEMORANDUM OPINION AND ORDER
MONTGOMERY U.S. DISTRICT JUDGE
December 14, 2017, the undersigned United States District
Judge heard oral argument on Defendant SuperValu, Inc.'s
(“SuperValu”) Renewed Motion to Dismiss
Plaintiffs' Consolidated Amended Class Action Complaint
[Docket No. 78], Defendants AB Acquisition, LLC and New
Albertson's, Inc.'s (together,
“Albertson's”) Renewed Motion to Dismiss
Plaintiffs' Consolidated Amended Class Action Complaint
[Docket No. 85], and Class Plaintiffs' Motion for Leave
to Amend Their Amended Complaint Pursuant to Fed.R.Civ.P.
15(a)(2) [Docket No. 91]. For the reasons set forth below,
SuperValu and Albertson's Motions are granted and
Plaintiffs' Motion is denied.
multi-district litigation case, sixteen named plaintiffs
(“Plaintiffs”) alleged they were harmed after
computer hackers breached the payment-processing network
owned by SuperValu. See Consolidated Am. Class
Action Compl. (“Amended Complaint”) [Docket No.
28] ¶¶ 16-45. Both SuperValu and Albertson's
(collectively, “Defendants”) used the network to
process payment card transactions at more than 1, 000 of
Defendants' retail grocery stores. Id.
¶¶ 3-5. The hackers gained access to and installed
malicious software on the payment-processing network in June
2014 and again in late July or early September 2014.
Id. ¶¶ 4-6. The malicious software
released and disclosed the Personal Identifying Information
(“PII”) of Plaintiffs and Class Members who used
their payment cards at the affected stores. Id.
¶ 36. The PII included cardholder names, account
numbers, expiration dates, card verification value
(“CVV”) codes, and personal identification
numbers (“PINs”). Id. ¶¶ 1,
40, 42. Plaintiffs alleged the malware allowed hackers to
harvest customers' PII from cash registers and other
payment processing terminals at the time customers swiped
their cards. Id. ¶¶ 36, 40. Hackers were
also able to access customers' PII that had been
improperly stored on Defendants' network after customers
made purchases at Defendants' stores. Id. ¶
sixteen named Plaintiffs whose data was allegedly stolen in
the breach, only one Plaintiff, David Holmes
(“Holmes”), alleged that his PII was misused.
See id. ¶¶ 16-31. Holmes alleged that he:
shopped at the Shop ‘n Save location [owned and
operated by SuperValu] in Belleville, Illinois, and swiped
his card through Defendants' POS [point of sale]
terminals. On information and belief Holmes' PII was
compromised as a result of Defendants' security failures.
When the Data Breach was announced, Plaintiff Holmes spent
time determining if his card had been compromised, including
but not limited to, reviewing information released about the
Data Breach and impacted locations. Shortly thereafter,
Holmes noticed a fraudulent charge on his credit card, which
took two weeks to replace. As a result of such compromise,
Holmes suffered losses and damages in an amount yet to be
completely determined, as such losses and damages are ongoing
and include, but are not limited to, time spent monitoring
his account information to guard against potential fraud.
Id. ¶ 31. Holmes' factual allegations do
not state the date he shopped at the store, the date the
charge was made to his credit card, the amount of the charge,
or whether he was required to pay the charge. See
other fifteen named Plaintiffs did not allege that their PII
was misused. Rather, they alleged that the theft of their PII
subjects them to an imminent risk that they will suffer
identity theft in the future. Id. ¶ 60.
the breach, four putative class actions were filed in federal
courts in Illinois, Minnesota, and Idaho. See,
McPeak v. SuperValu, Inc., 14-cv-00899 (S.D. Ill.,
filed Aug. 18, 2014); Hanff v. SuperValu Inc.,
14-cv-3252 (D. Minn., filed Aug. 25, 2014); Mertz v.
SuperValu, Inc., 14-cv-04660 (D. Minn., filed Nov. 4,
2014); and Rocke v. SuperValu, Inc., 14-cv-00511 (D.
Idaho, filed Nov. 26, 2014). In December 2014, the Judicial
Panel on Multidistrict Litigation centralized the four
complaints to this Court for coordinated pre-trial
proceedings. See Transfer Order [Docket No. 1]. On
June 26, 2015, pursuant to this Court's first Pretrial
Order [Docket No. 14], Plaintiffs filed the Amended Complaint
with sixteen named plaintiffs bringing claims on behalf of a
putative class of persons affected by the data breach.
Defendants' Initial Motion to Dismiss
August 10, 2015, Defendants moved to dismiss the Complaint
under Federal Rules of Civil Procedure 12(b)(1) and 12(b)(6).
See Defs.' Mot. Dism. [Docket No. 33]. On
January 7, 2016, this Court granted the motion pursuant to
Rule 12(b)(1), finding that none of the Plaintiffs had
alleged facts sufficient to establish Article III standing.
See generally Dismissal Order. The Court held that
Plaintiffs had not plausibly alleged a cognizable injury
because (1) they failed to allege misuse of their PII or
other harm that was traceable to the data breach, and (2)
they had not alleged facts that plausibly suggested a
substantial risk of future harm. Id. at *4-7.
reaching this conclusion, the Court reasoned that because the
Amended Complaint alleged only a single incident in which any
Plaintiff's PII had been misused in the year and a half
since the data breach affecting more than 1, 000 stores had
occurred, any future harm was speculative. Id. at
*5. Future harm depended upon whether the hackers who
accessed Defendants' network actually succeeded in
capturing the information, whether the hackers would attempt
to use the information, and whether their attempts would be
Court also rejected Plaintiffs' additional theories of
standing that were based upon: opportunity and mitigation
costs, diminished value of Plaintiffs' payment card PII,
delayed or inadequate notification of the data breach,
invasion of Plaintiffs' privacy and breach of their PII
confidentiality, and Plaintiffs' lost expectation of a
bargained-for benefit. Id. at *7-8.
that Plaintiffs lacked standing under Article III, the Court
concluded that it was without subject matter jurisdiction to
address Defendants' Rule 12(b)(6) argument that the
Amended Complaint failed to state a claim for which relief
can be granted. The Amended Complaint was dismissed without
prejudice and final judgment was entered. Id. at *8;
Judgment [Docket No. 53].
Plaintiffs' Rule 59(e) Motion
February 4, 2016, Plaintiffs filed a post-judgment motion
under Rule 59(e), seeking to vacate the judgment and
dismissal of the Amended Complaint. See Pls.'
Mot. Alter Amend J. [Docket No. 54]. Alternatively,
Plaintiffs requested leave to amend the Amended Complaint but
did not submit a proposed Second Amended Complaint.
support of their motion, Plaintiffs offered, for the first
time, declarations of three credit union officers who averred
that some payment cards issued by their respective
institutions incurred fraudulent charges following the data
breach. Id. Ex. 3 (“Anderson Decl.”);
Pls.' Index [Docket No. 61] Ex. 1 (“Malinowski
Decl.”), Ex. 2 (“Williams Decl.”).
Significantly, the declarations did not state that any of the
compromised cards belonged to a named Plaintiff or that any
cardholder incurred unreimbursed fraudulent charges or other
bank charges. Id. Indeed, one declaration stated
that the fraudulent charges on cards issued by that credit
union were all “absorbed” by the institution.
Anderson Decl. ¶ 6.
Court denied the Rule 59(e) motion, finding: (1) Plaintiffs
had not shown that they exercised diligence in obtaining the
newly discovered evidence prior to judgment; and (2) none of
the tardily filed declarations established that any named
Plaintiff or potential class member suffered actual harm or
faced a substantial risk of imminent future harm from the
potential misuse of their PII. Mem. Op. Order, Apr. 20, 2016
[Docket No. 66] (“Rule 59(e) Order”) at 5-7.
Court also denied Plaintiffs' request for leave to amend
the Amended Complaint because Plaintiffs had not satisfied
the more stringent standards governing post-judgment leave to
amend, and because Plaintiffs failed to comply with the
requirement under Local Rule 15.1(b) that a motion to amend a
pleading must include “a copy of the proposed amended
pleading” and “a version of the proposed amended
pleading that shows . . . how the proposed amended pleading
differs from the operative pleading.” Id. at 8
(quoting L.R. 15.1(b)) .
then appealed the Court's Dismissal Order to the Eighth
Circuit, but did not appeal the denial of the Rule 59(e)
motion. See Eighth Cir. Op. at 767 n.2 (declining to
consider arguments raised in Plaintiffs' Rule 59(e)
motion or declarations attached to the motion because
Plaintiffs did not appeal the denial of the Rule 59(e)
appeal, Plaintiffs argued that the following three rulings in
the Dismissal Order were erroneous: (1) that Plaintiffs had
not adequately alleged the theft of their personal
information, and that theft alone was not insufficient to
confer Article III standing; (2) that Plaintiff Holmes did
not have standing because the misuse of his PII was not
fairly traceable to the Data Breach; and (3) that the breach
of Plaintiffs' alleged implied contractual right to have
their PII securely handled and reasonably protected was not
sufficient to confer standing. See Appellant's
Opening Br. (filed July 13, 2016 in Eighth Circuit Appeal No.
16-2378) at 2-3, 9. Defendants cross-appealed, arguing that
the Amended Complaint was alternatively subject to dismissal
under Rule 12(b)(6) for failure to state a claim upon which
relief could be granted. Eighth Cir. Op. at 774 n.7.
August 30, 2017, the Eighth Circuit “reverse[d] the
district court's dismissal of plaintiff Holmes for lack
of Article III standing, affirm[ed] the dismissal as to the
remaining plaintiffs, and remand[ed] for further proceedings
consistent with this order.” Id. at 774.
upholding the dismissal of the fifteen Plaintiffs who did not
allege that their PII had been misused, the Eighth Circuit
found that the Amended Complaint alleged only a “mere
possibility, ” rather than a substantial risk, that
Plaintiffs would suffer future identity theft or account
fraud. Id. at 771.
Eighth Circuit explained that the only factual support for
the otherwise bare assertion that data breaches facilitate
identity theft was a 2007 report by the United States
Government Accountability Office (“GAO Report”),
and this report did not support Plaintiffs' contention
that they face a substantial risk of future harm as a result
of the data breach. Id. at 770-71. The GAO Report
stated that credit card information alone is generally not
enough for identity thieves to open unauthorized new
accounts. The Eighth Circuit noted that the PII alleged to
have been stolen here was limited to credit card information
and did not include personally identifying information such
as social security numbers, birth dates, or drivers'
license numbers. Additionally, the GAO Report concluded that
“most breaches have not resulted in detected incidents
of identity theft.” Id. at 771 (quoting GAO
Report at 21). The Eighth Circuit thus concluded that the GAO
Report supported only a “mere possibility” of
future injury. Id. Because the Amended Complaint did
not plausibly demonstrate that the risk of future identity
theft is substantial, Plaintiffs' allegations of future
injury were not sufficient to confer standing. Id.
Eighth Circuit also rejected Plaintiffs' attempt to
establish injury based on other theories, including the costs
Plaintiffs incurred to mitigate against the risk of identity
theft, and Defendants' alleged breach of an implied
contract to take reasonable measures to protect
Plaintiffs' PII. Regarding mitigation costs, the Eighth
Circuit held that “[b]ecause plaintiffs have not
alleged a substantial risk of future identity theft, the time
they spent protecting themselves against this speculative
threat cannot create an injury.” Id. As to the
alleged breach of an implied contract, the Eighth Circuit
held that “the complaint does not sufficiently allege
that plaintiffs were party to such a contract. Therefore, the
breach of implied contract claim does not supply plaintiffs
with Article III standing.” Id. at 771 n.6.
Eighth Circuit declined to address other “independent
forms of injury discussed by the district court, including
the argument that the invasion of privacy suffered by the
plaintiffs constitutes an injury in fact, because the
plaintiffs did not press them on appeal.” Id.
at 771 n.5.
Eighth Circuit held that Holmes, the Plaintiff who alleged
that his stolen PII was misused in a single fraudulent
charge, met the “relatively modest” burden of
alleging a present injury that was fairly traceable to the
data breaches. Id. at 772. Thus, Holmes was the only
Plaintiff who satisfied the “threshold inquiry”
of Article III standing. Id. at 773. However, the
Eighth Circuit forecast that Defendants' attacks on the
sufficiency of Holmes' allegations, including that he
“failed to allege the date he shopped at the affected
Illinois store, the amount of the charge, or that the charge
was unreimbursed . . . could be fatal to the complaint under
the ‘higher hurdles' of Rules 8(a) and
12(b)(6).” Because the issue of whether Holmes'
allegations were sufficient to state a claim under Rule
12(b)(6) raises a different question than Article III
standing, the Eighth Circuit concluded that the challenges to
the sufficiency of Holmes' allegations were “more
properly directed at whether the complaint states a claim,
not whether Holmes has alleged standing.” Id.
Eighth Circuit thus concluded that since one named Plaintiff,
Holmes, has standing to bring suit, the case should not have
been dismissed for lack of subject matter jurisdiction.
Id. at 774. The Court of Appeals expressly declined
to consider Defendants' Rule 12(b)(6) arguments on appeal
and remanded them to this Court. Id. at 774 n.7.
the Eighth Circuit's remand for consideration of
Defendants' Rule 12(b)(6) motion, SuperValu filed a
renewed motion to dismiss under Rule 12(b)(6) for failure to
state a claim. SuperValu argues that the claims by Holmes
suffer from fatal defects, including the failure to allege
that he shopped at SuperValu's stores during the relevant
time period or that he suffered economic injury as a result
of the data breach.
also filed a renewed motion to dismiss, arguing that
Holmes' claims against Albertson's should be
dismissed under 12(b)(1) for failure to allege Article III
standing. Albertson's contends that Holmes has not
alleged that he shopped at an Albertson's store, and thus
has not alleged an injury that is causally related to
Albertson's or that can be redressed by a ruling against
Albertson's. Albertson's also incorporates and adopts
the arguments in SuperValu's renewed motion to dismiss
under Rule 12(b)(6).
one week after Defendants filed their renewed motions to
dismiss, Plaintiffs moved for leave to amend the Amended
Complaint. Plaintiffs argue that the Proposed Second Amended
Class Action Complaint (“Proposed Second Amended
Complaint”) [Docket No. 91, Ex. 1] includes additional
factual allegations that support Article III standing for the
dismissed Plaintiffs by showing that those Plaintiffs face a
substantial risk of future injury. Plaintiffs contend that
they are entitled to amend the Amended Complaint as a matter
of course and that they should be permitted to amend before
Defendants' renewed motions to dismiss are decided.
Plaintiffs' Motion for Leave to Amend the Amended
argue that leave to amend the Amended Complaint is warranted
under the liberal standard of Federal Rule of Civil Procedure
15(a). Plaintiffs contend that the Proposed Second Amended
Complaint “adds allegations related to the increased
risk of harm for plaintiffs previously dismissed for lack of
standing, in addition to including additional allegations
related to liability for Defendants.” Mem. Supp. Class
Pls.' Mot. Am. Compl. [Docket No. 93] at 4.
proper standard for granting leave to amend a complaint
depends upon whether leave is sought before or after judgment
has been entered. Pre-judgment leave to amend is governed by
Federal Rule of Civil Procedure 15(a), which provides in
(a) Amendments Before Trial.
(1) Amending as a Matter of Course. A party may amend its
pleading once as a matter of course within:
(A) 21 days after serving it, or
(B) if the pleading is one to which a responsive pleading is
required, 21 days after service of a responsive pleading or
21 days after service of a motion under Rule ...