In re SuperValu Customer Data Security Breach Litigation
This case concerns a proposed class action against SuperValu after the grocery store chain was hacked, placing at risk the personal data of SuperValu customers. At issue is whether plaintiffs must demonstrate actual damages to satisfy the “injury-in-fact” requirement of Article III standing. The trial court dismissed the complaint, finding the plaintiffs failed to demonstrate they suffered an “injury-in-fact” because the risk of future damages was not imminent. But the trial court confused injury-in-fact, which is a legal injury, with actual damages, which are the consequential harm. This confusion has been widespread among federal courts since the Supreme Court’s recent decision in Spokeo v. Robins.
On August 1, 2017, the U.S. Court of Appeals for the Eighth Circuit affirmed in part and reversed in part the district court’s decision. Though the court held that consumers need to allege actual identity fraud in order to establish an "injury in fact" for data breach claims, the court also concluded that one of the named plaintiffs met that test. The court therefore allowed the suit to move forward.
- Federal Student Aid Office Not Protecting Student Privacy, GAO Audit Finds: The Federal Student Aid office (FSA) at the Department of Education is not doing enough to protect student privacy, according to an audit by the Government Accountability Office. The GAO found that FSA has failed to hold schools accountable for their lax data security practices that have resulted in numerous data breaches, and has not assessed the privacy risks for its own electronic records system. FSA collects personal information on students and their families to evaluate schools that receive federal student aid. The FSA claims that the FTC can manage privacy protection. EPIC has done extensive work to protect student privacy including a 2014 complaint to the FTC about a massive data breach that impacted students in Maricopa County. The FTC failed to act even though Maricopa County violated the FTC Safeguards Rule by failing to protect students' financial information. EPIC also urged Congress to strengthen student privacy protections following a FAFSA data breach. In 2012 EPIC sued the Department of Education for weakening student privacy protections. EPIC has proposed a Student Privacy Bill of Rights. (Dec. 6, 2017)
- EPIC Amicus - Ninth Circuit Holds Violation of Video Privacy Law Establishes 'Standing': The Ninth Circuit issued an opinion today that addressed standing (the right to bring a lawsuit) under the Video Privacy Protection Act. The court found that the law protects a "substantive right to privacy that suffers any time a video service provider discloses otherwise private information." The court stated that a "plaintiff need not allege any further harm to have standing." EPIC filed an amicus letter brief in response to the court's request for parties to discuss standing following the Supreme Court decision in Spokeo v. Robins. EPIC urged the court to recognize that "Congress intended to protect consumers' concrete interests in the confidentiality of their video viewing records." Contrasting with the Spokeo decision concerning the Fair Credit Reporting Act, the federal appeals court agreed that the video privacy law protects a "substantive interest." However, the court found that "personally identifiable information" was not disclosed by ESPN. EPIC has filed amicus briefs defending consumers in several cases after the Spokeo decision, including in Attias v. Carefirst, Gubala v. Time Warner Cable, and In re SuperValu Customer Data Security Breach Litigation. (Nov. 29, 2017)
Must a plaintiff suffer a concrete harm (i.e., damages) in order to satisfy the injury-in-fact requirement of Article III standing?
SuperValu “owns and operates retail grocery stores in the United States. SuperValu controls the payment processing at its stores and also provides payment processing services to AB Acquisition and Albertson’s stores.” Processing payments involves collecting and storing consumers’ personally identifiable information that is embedded in the magnetic strips of their debit and credit cards. The PII collected includes “cardholder names, account numbers, expiration dates, and PINS.”
According to an August 14, 2014 press release, hackers installed malware on SuperValu’s network which processed card transactions. The intrusion “resulted in potential theft of information embedded in the magnetic strip of payment cards for sales transacted at 209 SuperValu stores and 836 AB Acquisition stores” between June 22, 2014 and July 17, 2014.
On September 29, 2014, SuperValu indicated a second data breach occurred in “late August or early September,” in which hackers installed a different malware onto the network processing card transactions for some AB Acquisition and some Albertson’s stores. Following these press releases, four putative class actions were filed on behalf of twelve named plaintiffs. These cases were consolidated by the Judicial Panel on Multidistrict Litigation in December 2014.
Procedural Background and Lower Court Opinion
The consolidated action alleges six claims against the defendants (SuperValu, AB Acquisition, and Albertson’s): violation of eight state consumer protection statutes and six state breach notification statutes, negligence, negligence per se, unjust enrichment, and breach of implied contract. The trial court dismissed without prejudice, finding the plaintiffs lacked standing to invoke federal subject matter jurisdiction.
The lower court determined that the alleged risk of future harms (i.e., damages) is not imminent. Relying on Reilly v. Ceridian Corp., 664 F.3d 38, 43 (3d Cir. 2011), the court found that the threatened harms (i.e., damages) are speculative in both whether and when the harms will come to pass. Specifically, the allegations rely on whether the hacker: “(1) read, copied, and understood Plaintiffs’ personal information; (2) intends to commit future criminal acts by misusing the information; and (3) is able to use such information to the detriment of Plaintiffs by making unauthorized transactions in Plaintiffs’ names.” According to the court, the single alleged instance of an unauthorized charge that occurred a year after the data breach is not fairly traceable to the defendant.
To dismiss statutory claims, the court relied on In re Barnes & Noble Pin Pad Litig., No. 12-CV-8617, 2013 WL 4759588 (N.D. Ill. Sept. 3, 2013), which stated “plaintiffs must plead an injury beyond a statutory violation to meet the standing requirement of Article III.”
Additionally, the court reiterated that mitigation costs cannot establish standing according to Clapper v. Amnesty Int’l USA, 133 S.Ct. 1138 (2013). Finally, the court said the facts failed to support allegations of diminished value of the plaintiffs’ PII, lost benefit of the bargain, or a concrete injury from loss of privacy and confidentiality.
Article III of the U.S. Constitution grants the federal courts judicial power over “cases” and “controversies.” In order to show standing, plaintiffs must establish that they have (1) suffered an injury-in-fact, (2) that is fairly traceable to the challenged conduct of the defendant, and (3) is likely to be redressed by a favorable judicial decision. Injury-in-fact itself requires the plaintiff suffer an invasion of a legally protected interest that is (1) concrete, (2) particularized, and (3) actual or imminent, not conjectural or hypothetical.
EPIC has a long history of advocating for consumers against the risks of identity theft and financial fraud.
In April 2016, EPIC filed an amicus brief in the Third Circuit case Storm v. Paytime, Inc., which involved a question very similar to the one in In re SuperValu. EPIC argued that consumers are facing an unprecedented threat from data breaches and subsequent misuse of their personal data. Accordingly, now is not the time to be limiting consumers’ options for recourse. EPIC also argued that consequential, downstream harms such as identity theft and financial fraud are irrelevant to whether data breach victims have standing to sue breached companies.
In January 2016, EPIC launched Data Protection 2016, a nonpartisan campaign to make data protection an issue in the 2016 election. The campaign advocates for reduced identity theft and financial fraud and for investigations of the misuse of personal data.
In September 2015, EPIC filed an amicus brief in the Supreme Court case Spokeo v. Robins, which concerns whether courts have jurisdiction to review cases brought based on violations of federal statutory rights. Plaintiff Robins sued Spokeo for violating the Fair Credit Reporting Act by disclosing inaccurate information about him. EPIC filed an amicus brief, advising the Court that now is not the time “to limit the ability of individuals to seek redress for violations of privacy rights set out by Congress.” EPIC highlighted the need for robust privacy and consumer protection laws by demonstrating that “American consumers today face an epidemic of privacy harms, including data breaches, identity theft, and financial fraud.” In 2015 alone, data breaches have “exposed more than one hundred and forty million records of personally identifiable information.” And according to the most recent Department of Justice report, “identity theft cost American consumers more than twenty-four billion dollars” in 2012. In May 2016, the Supreme Court concluded that the U.S. Court of Appeals for the Ninth Circuit had failed to analyze whether Robins's allegations were "concrete," and remanded the case to the lower court.
In April 2014, EPIC submitted comments to the White House Office of Science and Technology Policy’s review of Big Data and the Future of Privacy. In its comments, EPIC warned the OSTP about the risks Americans face from the current big data environment, urged the swift enactment of the Consumer Privacy Bill of Rights, and highlighted the need for stronger privacy safeguards.
EPIC has also repeatedly advised legislators about the need to provide strong protections for consumer data. In October 2015, EPIC testified before the Senate Committee on Aging about protecting senior citizens from identity theft. EPIC warned about the growing risk of SSN-related identity theft, a risk magnified by the inclusion of SSNs on Medicare cards. EPIC had previously warned Congress and state legislators about the risks of using SSNs on identity documents. In June 2011, EPIC testified before the House Committee on Energy and Commerce about the SAFE Data Act, a bill intended to protect consumers’ personal information. EPIC emphasized the growing problem of data breaches and the likelihood that problems would get worse as more user data moves to cloud-based services. EPIC criticized the bill for preempting stronger state laws and for not adequately protecting personal information. The bill was not enacted. And in May 2009, EPIC testified before the House Committee on Energy and Commerce about H.R. 2221, the Data Accountability and Trust Act, and H.R. 1319, the Informed P2P User Act. EPIC opposed the preemption of state laws, recommended the use of text messages for breach notices, and suggested that personally identifiable information be broadly defined to include any information that identifies or could identify a particular person. Both bills died in committee.
U.S. Court of Appeals for the Eighth Circuit, Nos. 16-2378 and 16-2528
- Appellants Opening Brief (July 13, 2016)
- EPIC Amicus Brief in Support of Appellants (July 19, 2016)
- Appellee Response and Opening Brief (Aug. 15, 2016)
- Appellants Response and Reply (Sep. 15, 2016)
- Appellees Reply (Oct. 4, 2016)
- Oral Argument (May 10, 2017)
- Opinion (Aug. 30, 2017)
U.S. District Court for the District of Minnesota, No. 14-MD-2586
- Cara Salvatore, SuperValu Tells 8th Circ. Not To Revive Shopper-Privacy MDL, Law360 (Aug. 16, 2016)
- Brandon Lowrey, SuperValu Says Data Breach Evidence Came Too Late, Law360 (Apr. 6, 2016)
- Melody McAnally, Data Breach Class Action Against SuperValu Doesn’t Check Out, Butler Snow (Feb. 16, 2016)
- Venkat Balasubramani, More Data Breach Lawsuits Fail In Court-Michaels Stores and SuperValu, Technology & Marketing Law Blog (Jan. 18, 2016)
- Kathryn Rattigan, Data breach class action dismissed against SuperValu for lack of standing, Data Privacy + Security Insider (Jan. 13, 2016)