In re SuperValu, Inc., Customer Data Security Breach Litigation

United States District Court, D. Minnesota

March 7, 2018

IN RE SuperValu, Inc., Customer Data Security Breach Litigation This Document Relates to All Actions

          Ben Barnow, Esq., Barnow and Associates, P.C., Chicago, IL; Kate M. Baxter-Kauf, Esq., Lockridge Grindal Nauen P.L.L.P., Minneapolis, MN, on behalf of Plaintiffs.

          Harvey J. Wolkoff, Esq., and David T. Cohen, Esq., Ropes & Gray LLP, New York, NY and Boston, MA; Katherine S. Barrett Wiik, Esq., and Stephen P. Safranski, Esq., Robins Kaplan LLP, Minneapolis, MN, on behalf of Defendant SuperValu, Inc.

          John L. Landolfi, Esq., Vorys, Sater, Seymour and Pease LLP, Columbus, OH; and Marc A. Al, Esq., Stoel Rives LLP, Minneapolis, MN, on behalf of Defendants AB Acquisition, LLC and New Albertson's Inc.




         On December 14, 2017, the undersigned United States District Judge heard oral argument on Defendant SuperValu, Inc.'s (“SuperValu”) Renewed Motion to Dismiss Plaintiffs' Consolidated Amended Class Action Complaint [Docket No. 78], Defendants AB Acquisition, LLC and New Albertson's, Inc.'s (together, “Albertson's”) Renewed Motion to Dismiss Plaintiffs' Consolidated Amended Class Action Complaint [Docket No. 85], and Class Plaintiffs' Motion for Leave to Amend Their Amended Complaint Pursuant to Fed.R.Civ.P. 15(a)(2) [Docket No. 91]. For the reasons set forth below, SuperValu and Albertson's Motions are granted and Plaintiffs' Motion is denied.

         II. BACKGROUND

         A. Data Breach

         In this multi-district litigation case, sixteen named plaintiffs (“Plaintiffs”) alleged they were harmed after computer hackers breached the payment-processing network owned by SuperValu. See Consolidated Am. Class Action Compl. (“Amended Complaint”) [Docket No. 28] ¶¶ 16-45. Both SuperValu and Albertson's (collectively, “Defendants”) used the network to process payment card transactions at more than 1,000 of Defendants' retail grocery stores. Id. ¶¶ 3-5. The hackers gained access to and installed malicious software on the payment-processing network in June 2014 and again in late July or early September 2014. Id. ¶¶ 4-6. The malicious software released and disclosed the Personal Identifying Information (“PII”) of Plaintiffs and Class Members who used their payment cards at the affected stores. Id. ¶ 36. The PII included cardholder names, account numbers, expiration dates, card verification value (“CVV”) codes, and personal identification numbers (“PINs”). Id. ¶¶ 1, 40, 42. Plaintiffs alleged the malware allowed hackers to harvest customers' PII from cash registers and other payment processing terminals at the time customers swiped their cards. Id. ¶¶ 36, 40. Hackers were also able to access customers' PII that had been improperly stored on Defendants' network after customers made purchases at Defendants' stores. Id. ¶ 41.

         Of the sixteen named Plaintiffs whose data was allegedly stolen in the breach, only one Plaintiff, David Holmes (“Holmes”), alleged that his PII was misused. See id. ¶¶ 16-31. Holmes alleged that he:

shopped at the Shop ‘n Save location [owned and operated by SuperValu] in Belleville, Illinois, and swiped his card through Defendants' POS [point of sale] terminals. On information and belief Holmes' PII was compromised as a result of Defendants' security failures. When the Data Breach was announced, Plaintiff Holmes spent time determining if his card had been compromised, including but not limited to, reviewing information released about the Data Breach and impacted locations. Shortly thereafter, Holmes noticed a fraudulent charge on his credit card, which took two weeks to replace. As a result of such compromise, Holmes suffered losses and damages in an amount yet to be completely determined, as such losses and damages are ongoing and include, but are not limited to, time spent monitoring his account information to guard against potential fraud.

Id. ¶ 31. Holmes' factual allegations do not state the date he shopped at the store, the date the charge was made to his credit card, the amount of the charge, or whether he was required to pay the charge. See id.

         The other fifteen named Plaintiffs did not allege that their PII was misused. Rather, they alleged that the theft of their PII subjects them to an imminent risk that they will suffer identity theft in the future. Id. ¶ 60.

         B. Procedural History

         Following the breach, four putative class actions were filed in federal courts in Illinois, Minnesota, and Idaho. See, McPeak v. SuperValu, Inc., 14-cv-00899 (S.D. Ill., filed Aug. 18, 2014); Hanff v. SuperValu Inc., 14-cv-3252 (D. Minn., filed Aug. 25, 2014); Mertz v. SuperValu, Inc., 14-cv-04660 (D. Minn., filed Nov. 4, 2014); and Rocke v. SuperValu, Inc., 14-cv-00511 (D. Idaho, filed Nov. 26, 2014). In December 2014, the Judicial Panel on Multidistrict Litigation centralized the four complaints to this Court for coordinated pre-trial proceedings. See Transfer Order [Docket No. 1]. On June 26, 2015, pursuant to this Court's first Pretrial Order [Docket No. 14], Plaintiffs filed the Amended Complaint with sixteen named plaintiffs bringing claims on behalf of a putative class of persons affected by the data breach.

         1. Defendants' Initial Motion to Dismiss

         On August 10, 2015, Defendants moved to dismiss the Complaint under Federal Rules of Civil Procedure 12(b)(1) and 12(b)(6). See Defs.' Mot. Dism. [Docket No. 33]. On January 7, 2016, this Court granted the motion pursuant to Rule 12(b)(1), finding that none of the Plaintiffs had alleged facts sufficient to establish Article III standing. See generally Dismissal Order. The Court held that Plaintiffs had not plausibly alleged a cognizable injury because (1) they failed to allege misuse of their PII or other harm that was traceable to the data breach, and (2) they had not alleged facts that plausibly suggested a substantial risk of future harm. Id. at *4-7.

         In reaching this conclusion, the Court reasoned that because the Amended Complaint alleged only a single incident in which any Plaintiff's PII had been misused in the year and a half since the data breach affecting more than 1,000 stores had occurred, any future harm was speculative. Id. at *5. Future harm depended upon whether the hackers who accessed Defendants' network actually succeeded in capturing the information, whether the hackers would attempt to use the information, and whether their attempts would be successful. Id.

         The Court also rejected Plaintiffs' additional theories of standing that were based upon: opportunity and mitigation costs, diminished value of Plaintiffs' payment card PII, delayed or inadequate notification of the data breach, invasion of Plaintiffs' privacy and breach of their PII confidentiality, and Plaintiffs' lost expectation of a bargained-for benefit. Id. at *7-8.

         Finding that Plaintiffs lacked standing under Article III, the Court concluded that it was without subject matter jurisdiction to address Defendants' Rule 12(b)(6) argument that the Amended Complaint failed to state a claim for which relief can be granted. The Amended Complaint was dismissed without prejudice and final judgment was entered. Id. at *8; Judgment [Docket No. 53].

         2. Plaintiffs' Rule 59(e) Motion

         On February 4, 2016, Plaintiffs filed a post-judgment motion under Rule 59(e), seeking to vacate the judgment and dismissal of the Amended Complaint. See Pls.' Mot. Alter Amend J. [Docket No. 54]. Alternatively, Plaintiffs requested leave to amend the Amended Complaint but did not submit a proposed Second Amended Complaint. Id.

         In support of their motion, Plaintiffs offered, for the first time, declarations of three credit union officers who averred that some payment cards issued by their respective institutions incurred fraudulent charges following the data breach. Id. Ex. 3 (“Anderson Decl.”); Pls.' Index [Docket No. 61] Ex. 1 (“Malinowski Decl.”), Ex. 2 (“Williams Decl.”). Significantly, the declarations did not state that any of the compromised cards belonged to a named Plaintiff or that any cardholder incurred unreimbursed fraudulent charges or other bank charges. Id. Indeed, one declaration stated that the fraudulent charges on cards issued by that credit union were all “absorbed” by the institution. Anderson Decl. ¶ 6.

         The Court denied the Rule 59(e) motion, finding: (1) Plaintiffs had not shown that they exercised diligence in obtaining the newly discovered evidence prior to judgment; and (2) none of the tardily filed declarations established that any named Plaintiff or potential class member suffered actual harm or faced a substantial risk of imminent future harm from the potential misuse of their PII. Mem. Op. Order, Apr. 20, 2016 [Docket No. 66] (“Rule 59(e) Order”) at 5-7.

         The Court also denied Plaintiffs' request for leave to amend the Amended Complaint because Plaintiffs had not satisfied the more stringent standards governing post-judgment leave to amend, and because Plaintiffs failed to comply with the requirement under Local Rule 15.1(b) that a motion to amend a pleading must include “a copy of the proposed amended pleading” and “a version of the proposed amended pleading that shows . . . how the proposed amended pleading differs from the operative pleading.” Id. at 8 (quoting L.R. 15.1(b)).

         3. Appeal

         Plaintiffs then appealed the Court's Dismissal Order to the Eighth Circuit, but did not appeal the denial of the Rule 59(e) motion. See Eighth Cir. Op. at 767 n.2 (declining to consider arguments raised in Plaintiffs' Rule 59(e) motion or declarations attached to the motion because Plaintiffs did not appeal the denial of the Rule 59(e) motion).

         On appeal, Plaintiffs argued that the following three rulings in the Dismissal Order were erroneous: (1) that Plaintiffs had not adequately alleged the theft of their personal information, and that theft alone was not insufficient to confer Article III standing; (2) that Plaintiff Holmes did not have standing because the misuse of his PII was not fairly traceable to the Data Breach; and (3) that the breach of Plaintiffs' alleged implied contractual right to have their PII securely handled and reasonably protected was not sufficient to confer standing. See Appellant's Opening Br. (filed July 13, 2016 in Eighth Circuit Appeal No. 16-2378) at 2-3, 9. Defendants cross-appealed, arguing that the Amended Complaint was alternatively subject to dismissal under Rule 12(b)(6) for failure to state a claim upon which relief could be granted. Eighth Cir. Op. at 774 n.7.

         On August 30, 2017, the Eighth Circuit “reverse[d] the district court's dismissal of plaintiff Holmes for lack of Article III standing, affirm[ed] the dismissal as to the remaining plaintiffs, and remand[ed] for further proceedings consistent with this order.” Id. at 774.

         In upholding the dismissal of the fifteen Plaintiffs who did not allege that their PII had been misused, the Eighth Circuit found that the Amended Complaint alleged only a “mere possibility,” rather than a substantial risk, that Plaintiffs would suffer future identity theft or account fraud. Id. at 771.

         The Eighth Circuit explained that the only factual support for the otherwise bare assertion that data breaches facilitate identity theft was a 2007 report by the United States Government Accountability Office (“GAO Report”), and this report did not support Plaintiffs' contention that they face a substantial risk of future harm as a result of the data breach. Id. at 770-71. The GAO Report stated that credit card information alone is generally not enough for identity thieves to open unauthorized new accounts. The Eighth Circuit noted that the PII alleged to have been stolen here was limited to credit card information and did not include personally identifying information such as social security numbers, birth dates, or drivers' license numbers. Additionally, the GAO Report concluded that “most breaches have not resulted in detected incidents of identity theft.” Id. at 771 (quoting GAO Report at 21). The Eighth Circuit thus concluded that the GAO Report supported only a “mere possibility” of future injury. Id. Because the Amended Complaint did not plausibly demonstrate that the risk of future identity theft is substantial, Plaintiffs' allegations of future injury were not sufficient to confer standing. Id.

         The Eighth Circuit also rejected Plaintiffs' attempt to establish injury based on other theories, including the costs Plaintiffs incurred to mitigate against the risk of identity theft, and Defendants' alleged breach of an implied contract to take reasonable measures to protect Plaintiffs' PII. Regarding mitigation costs, the Eighth Circuit held that “[b]ecause plaintiffs have not alleged a substantial risk of future identity theft, the time they spent protecting themselves against this speculative threat cannot create an injury.” Id. As to the alleged breach of an implied contract, the Eighth Circuit held that “the complaint does not sufficiently allege that plaintiffs were party to such a contract. Therefore, the breach of implied contract claim does not supply plaintiffs with Article III standing.” Id. at 771 n.6.

         The Eighth Circuit declined to address other “independent forms of injury discussed by the district court, including the argument that the invasion of privacy suffered by the plaintiffs constitutes an injury in fact, because the plaintiffs did not press them on appeal.” Id. at 771 n.5.

         The Eighth Circuit held that Holmes, the Plaintiff who alleged that his stolen PII was misused in a single fraudulent charge, met the “relatively modest” burden of alleging a present injury that was fairly traceable to the data breaches. Id. at 772. Thus, Holmes was the only Plaintiff who satisfied the “threshold inquiry” of Article III standing. Id. at 773. However, the Eighth Circuit forecast that Defendants' attacks on the sufficiency of Holmes' allegations, including that he “failed to allege the date he shopped at the affected Illinois store, the amount of the charge, or that the charge was unreimbursed . . . could be fatal to the complaint under the ‘higher hurdles’ of Rules 8(a) and 12(b)(6).” Because the issue of whether Holmes' allegations were sufficient to state a claim under Rule 12(b)(6) raises a different question than Article III standing, the Eighth Circuit concluded that the challenges to the sufficiency of Holmes' allegations were “more properly directed at whether the complaint states a claim, not whether Holmes has alleged standing.” Id.

         The Eighth Circuit thus concluded that since one named Plaintiff, Holmes, has standing to bring suit, the case should not have been dismissed for lack of subject matter jurisdiction. Id. at 774. The Court of Appeals expressly declined to consider Defendants' Rule 12(b)(6) arguments on appeal and remanded them to this Court. Id. at 774 n.7.

         C. Present Motions

         Following the Eighth Circuit's remand for consideration of Defendants' Rule 12(b)(6) motion, SuperValu filed a renewed motion to dismiss under Rule 12(b)(6) for failure to state a claim. SuperValu argues that the claims by Holmes suffer from fatal defects, including the failure to allege that he shopped at SuperValu's stores during the relevant time period or that he suffered economic injury as a result of the data breach.

         Albertson's also filed a renewed motion to dismiss, arguing that Holmes' claims against Albertson's should be dismissed under 12(b)(1) for failure to allege Article III standing. Albertson's contends that Holmes has not alleged that he shopped at an Albertson's store, and thus has not alleged an injury that is causally related to Albertson's or that can be redressed by a ruling against Albertson's. Albertson's also incorporates and adopts the arguments in SuperValu's renewed motion to dismiss under Rule 12(b)(6).

         Approximately one week after Defendants filed their renewed motions to dismiss, Plaintiffs moved for leave to amend the Amended Complaint. Plaintiffs argue that the Proposed Second Amended Class Action Complaint (“Proposed Second Amended Complaint”) [Docket No. 91, Ex. 1] includes additional factual allegations that support Article III standing for the dismissed Plaintiffs by showing that those Plaintiffs face a substantial risk of future injury. Plaintiffs contend that they are entitled to amend the Amended Complaint as a matter of course and that they should be permitted to amend before Defendants' renewed motions to dismiss are decided.


         A. Plaintiffs' Motion for Leave to Amend the Amended Complaint

         Plaintiffs argue that leave to amend the Amended Complaint is warranted under the liberal standard of Federal Rule of Civil Procedure 15(a). Plaintiffs contend that the Proposed Second Amended Complaint “adds allegations related to the increased risk of harm for plaintiffs previously dismissed for lack of standing, in addition to including additional allegations related to liability for Defendants.” Mem. Supp. Class Pls.' Mot. Am. Compl. [Docket No. 93] at 4.

         1. Legal Standard

         The proper standard for granting leave to amend a complaint depends upon whether leave is sought before or after judgment has been entered. Pre-judgment leave to amend is governed by Federal Rule of Civil Procedure 15(a), which provides in relevant part:

(a) Amendments Before Trial.
(1) Amending as a Matter of Course. A party may amend its pleading once as a matter of course within:
(A) 21 days after serving it, or
(B) if the pleading is one to which a responsive pleading is required, 21 days after service of a responsive pleading or 21 days after service of a motion under Rule ...
