In Re Barnes & Noble Pin Pad Litigation -...
Transcript of In Re Barnes & Noble Pin Pad Litigation -...
IN THE UNITED STATES DISTRICT COURTFOR THE NORTHERN DISTRICT OF ILLINOIS
EASTERN DIVISION
In re Barnes & Noble Pin PadLitigation
))))))))
Case No. 12-cv-8617
Hon. John W. Darrah
Magistrate Judge Schenkier
PLAINTIFFS’OPPOSITION TO BARNES & NOBLE’SMOTION TO DISMISS THE CONSOLIDATED CLASS ACTION COMPLAINT
Case: 1:12-cv-08617 Document #: 45-1 Filed: 05/21/13 Page 1 of 36 PageID #:274
i
TABLE OF CONTENTS
Factual Background...............................................................................................................................1
Argument ..............................................................................................................................................2
I. Plaintiffs have Article III Standing. ...................................................................................................3
A. Clapper Does Not Refute Standing Here, But Rather, Supports It ...........................................4
B. Plaintiffs’Injuries are Fairly Traceable to B&N’s Conduct ......................................................5
1. Plaintiff Dieffenbach’s emotional distress .....................................................................7
2. Plaintiff Winstead’s unauthorized credit card charge ....................................................9
C. Plaintiffs Plead Injury in Fact...................................................................................................10
1. Plaintiffs’increased risk of identity theft confers Article III standing.........................10
2. Plaintiffs were injured by the deprivation of the value of their PII..............................10
3. Plaintiff were injured by the diminished value ofproducts and services purchased from B&N. ..............................................................12
4. The loss of time and the expenses to mitigate the increased risk of identitytheft constitutes injury..................................................................................................14
II. B&N’s Motion to Dismiss Pursuant to 12(b)(6) Should be Denied. .............................................15
A. Plaintiffs State a Valid Claim for Breach of Implied Contract ..............................................16
B. Plaintiffs allege Actionable Illinois Consumer Fraud Act (“ICFA”) Claims ........................17
C. Plaintiffs Plead a Valid Claim for Invasion of Privacy ..........................................................21
1. Plaintiffs’private and confidential information was published...................................21
2. Plaintiffs’credit and debit card information is private. ...............................................21
3. The publication of Plaintiffs’private and confidential information is
highly offensive............................................................................................................22
D. California Database Breach Act… .. .......................................................................................22
1. B&N’s security failures… .......................................................................................22
2. B&N’s failure to provide immediate notification of the SecurityBreach.. ....................................................................................................................23
E. Dieffenbach May Pursue her California UCL Claim… .........................................................25
Case: 1:12-cv-08617 Document #: 45-1 Filed: 05/21/13 Page 2 of 36 PageID #:275
ii
Conclusion ....................................................................................................................................… ..27
Case: 1:12-cv-08617 Document #: 45-1 Filed: 05/21/13 Page 3 of 36 PageID #:276
iii
TABLE OF AUTHORITIES
Cases
Ainsworth v. Century Supply Co.,295 Ill. App. 3d 644, 693 N.E.2d 510 (Ill. App. Ct. 1998)......................................................... 3
Amburgy v. Express Scripts, Inc.,671 F. Supp. 2d 1046 (E.D. Mo. 2009)....................................................................................... 6
Ashcroft v. Iqbal,129 S. Ct. 1937 (2009)................................................................................................................ 3
Bell Atl. Corp. v. Twombly,550 U.S. 544 (2007)................................................................................................................ 2, 3
Boorstein v. Men's Journal, LLC,No. CV-12-771 DSF, 2012 WL 2152815 (C.D. Cal. June 14, 2012)....................................... 24
Camacho v. Automobile Club of Southern California,142 Cal. App. 4th 1394 (2006) ................................................................................................. 26
Caudle v. Towers, Perrin, Forster & Crosby, Inc.,580 F. Supp. 2d 273 (S.D.N.Y. 2008)....................................................................................... 10
Cel-Tech Communications, Inc. v. Los Angeles Cellular Telephone Co.,20 Cal. 4th 163 (1999) .............................................................................................................. 25
Clapper v. Amnesty Int'l USA,133 S. Ct. 1138 (2013)................................................................................................ 4, 5, 10, 15
Claridge v. RockYou, Inc.,785 F. Supp. 2d 855 (N.D. Cal. 2011) ...................................................................................... 12
Connick v. Suzuki Motor Co.,Inc., 174 Ill. 2d 482, 675 N.E.2d 584 (1996)............................................................................ 18
Davis v. Ford Motor Credit Co., LLC,179 Cal. App. 4th 581 (2d Dist. 2009)...................................................................................... 25
Doe 1 v. AOL, LLC,719 F. Supp. 2d 1102 (N.D. Cal. 2010) .................................................................................... 13
Edwards v. First Am. Corp.,610 F.3d 514 (9th Cir. 2010) .................................................................................................... 24
Erickson v. Pardus,551 U.S. 89 (2007)...................................................................................................................... 2
Fed. Trade Comm'n v. Sperry & Hutchinson Co.,405 U.S. 233 (1972).................................................................................................................. 20
Case: 1:12-cv-08617 Document #: 45-1 Filed: 05/21/13 Page 4 of 36 PageID #:277
iv
Giammanco v. Giammanco,253 Ill. App. 3d 750, 625 N.E.2d 990 (Ill. App. Ct. 1993)....................................................... 19
Gibson v. Chicago,910 F.2d 1510 (7th Cir. 1990) .................................................................................................... 2
Graczyk v. West Publ'g Co.,660 F.3d 275 (7th Cir. 2011) .................................................................................................... 24
Gregory v. Albertson's Inc.,104 Cal. App. 4th 845 (2002) ................................................................................................... 26
Hammond v. The Bank of New York Mellon Corp.,No. 08 Civ. 6060 RMB RLE, 2010 WL 2643307 (S.D.N.Y. June 25, 2010) ............................ 9
Havens Realty Corp. v. Coleman,455 U.S. 363 (1982)................................................................................................................ 3, 4
Hay v. Ind. State Bd. of Tax Commis.,312 F.3d 876 (7th Cir. 2002) ...................................................................................................... 2
Holmes v. Countrywide Fin. Corp.,No. 5:08-CV-00205-R, 2012 WL 2873892 (W.D. Ky. July 12, 2012) ............................ 5, 6, 10
In re Facebook Privacy Litig.,791 F. Supp. 2d 705 (N.D. Cal. 2011) ...................................................................................... 12
In re Global Indus. Tech., Inc.,No. 08-3650, 2011 WL 1662792 (3d Cir. May 4, 2011) ............................................................ 3
In Re LinkedIn User Privacy Litig.,No. 5:12-CV03088 EJD, 2013 WL 844291 (N.D. Cal. Mar. 6, 2013)..................................... 13
In re TJX Cos. Retail Sec. Breach Litig.,564 F.3d 489 (1st Cir. 2009)............................................................................................... 20, 23
In Re: Michaels Stores Pin Pad Litig.,830 F. Supp. 2d 518 (N.D. Ill. 2011) ............................................................................ 17, 18, 20
In re: Sony Gaming Networks and Customer Data Sec. Breach Litig.,MDL No. 11-md-2258, 2012 WL 4849054 (S.D. Cal. Oct. 11, 2012)............................... 13, 24
Johnson v. Kmart Corp.,311 Ill. App. 3d 573, 723 N.E.2d 1192 (1st Dist. 2000)........................................................... 21
Kirkpatrick v. Strosberg,385 Ill. App. 3d 119, 894 N.E.2d 781 (2008) ........................................................................... 19
Krottner v. Starbucks Corp.,628 F.3d 1139 (9th Cir. 2010) ................................................................................................. 10
Krottner v. Starbucks Corp.,No. C09-0216RAJ, 2009 WL 7382290 (W.D. Wash. Aug. 14, 2009) ..................................... 10
Case: 1:12-cv-08617 Document #: 45-1 Filed: 05/21/13 Page 5 of 36 PageID #:278
v
Libertarian Party of Los Angeles Cnty. v. Bowen,709 F.3d 867 (9th Cir. 2013) .............................................................................................. 15, 16
Low v. LinkedIn Corp.,No. 11-cv-01468-LHK, 2011 WL 5509848 (N.D. Cal. Nov. 11, 2011)..................................... 8
Lozano v AT&T Wireless Servs, Inc,504 F.3d 718 (9th Cir. 2007) .................................................................................................... 25
Lujan v. Defenders of Wildlife,504 U.S. 555 (1992).................................................................................................................... 4
Marin v. Leading Edge Recovery Solutions, LLC,No. 11 C 5886, 2012 WL 3292838 (N.D. Ill. Aug. 10, 2012).................................................... 4
Massachusetts v. E.P.A.,549 U.S. 497 (2007).................................................................................................................... 3
McLoughlin v. People's United Bank, Inc.,No. 08-CV-00944, 2009 WL 2843269 (D. Conn. Aug. 31, 2009) ........................................... 10
Miller v. Motorola, Inc.,202 Ill. App. 3d 976, 560 N.E.2d 900 (1st Dist. 1990)............................................................. 21
Monsanto Co. v. Geertson Seed Farms,130 S. Ct. 2743 (2010)................................................................................................................ 5
O'Brien v. Landers,2011 WL 221865 (N.D. Ill. Jan. 24, 2011) ............................................................................... 20
People ex rel. Daley v. Datacom Systems Corp.,146 Ill. 2d 1, 585 N.E.2d 51 (1991) .......................................................................................... 18
Perez v. Citicorp Mortgage, Inc.,301 Ill. App. 3d 413 (1998) ...................................................................................................... 19
Pisciotta v. Old Nat'l Bancorp,499 F.3d 629 (7th Cir. 2007) .......................................................................................... 9, 10, 11
Preminger v. Peake,552 F.3d 757 (9th Cir. 2008) ...................................................................................................... 3
Ramirez v. Smart Corp.,371 Ill. App. 3d 797, 863 N.E.2d 800 (3d Dist. 2007) ............................................................. 18
Reilly v. Ceridian Corp.,664 F.3d 38 (3d Cir. 2011)...................................................................................................... 7, 8
Resnick v. AvMed Inc.,693 F.3d 1317 (11th Cir. 2012) ............................................................................................ 5, 13
Revelis v. Napolitano,844 F. Supp. 2d 915 (N.D. Ill. 2012) ................................................................................ 2, 7, 17
Case: 1:12-cv-08617 Document #: 45-1 Filed: 05/21/13 Page 6 of 36 PageID #:279
vi
Robinson v. Toyota Motor Credit Corporation,201 Ill. 2d 403, 775 N.E.2d 951 (2002) .................................................................................... 20
Ruiz v. Gap, Inc.,380 Fed. Appx. 689 (9th Cir. 2010).......................................................................................... 10
Ruiz v. Gap, Inc.,622 F. Supp. 2d 908 (N.D. Cal. 2009) ...................................................................................... 10
Satkar Hospitality Inc. v. Cook County Bd. of Review,819 F. Supp. 2d 727 (N.D. Ill. 2011) ........................................................................................ 18
Saunders v. Michigan Ave. Nat'l Bank,278 Ill. App. 3d 307, 662 N.E.2d 602 (1996) ........................................................................... 19
Smith v. State Farm Mutual Automobile Ins. Co.,93 Cal. App. 4th 700 (2001) ..................................................................................................... 25
State v. Mayze,622 S.E.2d 836 (Ga. 2005)........................................................................................................ 12
Sterk v. Best Buy Stores LP,No. 11-c-1894, 2012 WL 5197901 (N.D. Ill. 2012) ........................................................... 11, 14
Transit Exp., Inc. v. Ettinger,246 F.3d 1018 (7th Cir. 2001) .................................................................................................... 2
Valley Forge Ins. Co. v. Swiderski Elecs., Inc.,223 Ill. 2d 352, 860 N.E.2d 307 (2006) .................................................................................... 22
Warth v. Seldin,422 U.S. 490 (1975).................................................................................................................... 3
Whitmore v. Arkansas,495 U.S. 149 (1990)................................................................................................................ 4, 5
Windy City Metal Fabricators & Supply, Inc. v. CIT Tech. Fin. Servs.,536 F.3d 663 (7th Cir. 2008) .................................................................................................... 20
Statutes
815 ILCS § 505/1, et seq................................................................................................................. 2
815 ILCS § 530/1, et seq........................................................................................................... 4, 18
815 ILCS § 505/10a ...................................................................................................................... 19
Cal. Civ. Code § 1798.80, et seq............................................................................................... 2, 23
Cal. Civ. Code § 1798.81.5........................................................................................................... 22
Cal. Civ. Code § 1798.82.................................................................................................... 4, 23, 24
Case: 1:12-cv-08617 Document #: 45-1 Filed: 05/21/13 Page 7 of 36 PageID #:280
vii
Cal. Civ. Code § 1798.84.............................................................................................................. 24
Rules
Fed. R. Civ. P. 12(b)(1)................................................................................................................... 2
Fed. R. Civ. P. 12(b)(6)................................................................................................................... 2
Other Authorities
Restatement (Second) Torts § 911................................................................................................ 12
BALLENTINE’S LAW DICTIONARY (3d ed. 1969) ........................................................................... 19
BLACK’S LAW DICTIONARY (5th ed. 1979) ................................................................................... 19
T. Soma, et al., Corporate Privacy Trend: The “Value”of PersonallyIdentifiable Information (“PII”) Equals the “Value”of Financial Assets,15 RICH. J.L. & TECH. 11 (2009) .............................................................................................. 12
Case: 1:12-cv-08617 Document #: 45-1 Filed: 05/21/13 Page 8 of 36 PageID #:281
1
FACTUAL BACKGROUND
Plaintiffs bring this class action against Barnes & Noble, Inc. (“B&N”) for its failure to
secure and safeguard its customers’personal financial data— including, but not limited to,
names, credit and debit card information, and personal identification numbers (“PIN”)
(collectively, “Personal Identifying Information” or “PII”)— and failure to provide clear,
conspicuous, and timely notice to Plaintiffs and Class members that their information had been
stolen. Consolidated Class Action Complaint ¶1 (D.E. #49) (“Complaint”or “Compl.”).
On October 24, 2012, nearly six weeks after B&N allegedly discovered what it has
described as a “sophisticated criminal effort to steal credit card information, debit card
information, and debit card PIN numbers from customers who swiped their cards through PIN
pads when they made purchases,” B&N began disclosing to the public that these alleged
criminals (referred to herein as “skimmers”) infiltrated B&N’s flawed payment security system
by tampering with PIN pad devices at 63 separate B&N stores and stole B&N’s customers’PII
(the “Security Breach”). Id. ¶2. B&N’s security failures enabled the skimmers to steal Plaintiffs’
and Class members’PII from within B&N’s stores and make unauthorized purchases on
customers’credit and debit cards, and otherwise put Plaintiffs’and Class members’financial
information at serious and ongoing risk. Id. ¶3. As a result of B&N’s inadequate security, the
skimmers continue to use the information they obtained to injure Plaintiffs and Class members.
Id.
The Security Breach occurred as a result of B&N’s knowing violation of its contractual
obligations to abide by best practices and industry standards concerning the security of PIN pad
terminals. Id. ¶4. B&N cut corners on security measures that could have prevented or mitigated
the Security Breach. Id. B&N failed to disclose the extent of the Security Breach, failed to
Case: 1:12-cv-08617 Document #: 45-1 Filed: 05/21/13 Page 9 of 36 PageID #:282
2
individually notify each of its affected customers of the Security Breach in a timely manner, and
failed to take other reasonable steps to clearly and conspicuously inform Plaintiffs and Class
members of the nature and extent of the Security Breach. Id. ¶5. By failing to provide adequate
notice, B&N prevented Plaintiffs and Class members from protecting themselves from the
Security Breach. Id. Plaintiffs assert claims for breach of implied contract, violation of the
Illinois Consumer Fraud and Deceptive Business Practices Act, 815 ILCS § 505/1, et seq.,
invasion of privacy, violation of Calif. Civil Code § 1798.80, et seq., and violation of the Unfair
Competition Act, Business & Professions Code § 17200, et seq., and seek injunctive relief,
declaratory relief, monetary damages, statutory damages, and all other relief as authorized in
equity or by law. Id. ¶6.
ARGUMENT
Fed. R. Civ. P. 12(b)(1) allows a party to move to dismiss “for lack of subject-matter
jurisdiction.”While a plaintiff has the burden of establishing jurisdiction, a court accepts a
plaintiff’s well-pleaded factual allegations as true and draws reasonable inferences in their favor.
Revelis v. Napolitano, 844 F. Supp. 2d 915, 919 (N.D. Ill. 2012) (citing Transit Exp., Inc. v.
Ettinger, 246 F.3d 1018, 1023 (7th Cir. 2001)). “However, the Court may look beyond the
pleadings if necessary to determine whether subject-matter jurisdiction exists.”Id. (citing Hay v.
Ind. State Bd. of Tax Commis., 312 F.3d 876, 879 (7th Cir. 2002)).
The purpose of a Rule 12(b)(6) motion is to decide “the adequacy of the complaint, not to
determine the merits of the case.”Gibson v. Chicago, 910 F.2d 1510, 1520 (7th Cir. 1990).
“Specific facts are not necessary; the statement need only ‘give the defendant fair notice of what
the . . . claim is and the grounds upon which it rests.’”Erickson v. Pardus, 551 U.S. 89, 93
(2007) (quoting Bell Atl. Corp. v. Twombly, 550 U.S. 544, 555 (2007)). A court must accept a
Case: 1:12-cv-08617 Document #: 45-1 Filed: 05/21/13 Page 10 of 36 PageID #:283
3
complaint’s well-pleaded allegations as true and draw all favorable inferences for the plaintiff.
Ashcroft v. Iqbal, 129 S. Ct. 1937, 1949–50 (2009). All that is required is “enough facts to state a
claim to relief that is plausible on its face.”Twombly, 550 U.S. at 570. To survive a motion to
dismiss, “[a] claim has facial plausibility when the plaintiff pleads factual content that allows the
court to draw the reasonable inference that the defendant is liable for the misconduct alleged.”
Iqbal, 129 S. Ct. at 1949. As set forth below, Plaintiffs meet applicable pleading standards.
I. Plaintiffs Have Article III Standing.
To establish Article III standing, the party invoking a court’s jurisdiction must
“demonstrate that it has suffered a concrete and particularized injury that is either actual or
imminent, that the injury is fairly traceable to the defendant, and that it is likely that a favorable
decision will redress that injury.”Massachusetts v. E.P.A., 549 U.S. 497, 517 (2007). Even
though “[t]he contours of the injury-in-fact requirement [are] not precisely defined, [they] are
very generous,”and the “standard is met as long as the party alleges a specific, ‘identifiable
trifle’of injury.”In re Global Indus. Tech., Inc., No. 08-3650, 2011 WL 1662792, at *5 (3d Cir.
May 4, 2011) (internal quotation omitted); Preminger v. Peake, 552 F.3d 757, 763 (9th Cir.
2008) (“[t]he injury may be minimal”). There is a presumption of nominal damages for invasion
of privacy claims involving the right to control the use of one’s identity. Ainsworth v. Century
Supply Co., 295 Ill. App. 3d 644, 650, 693 N.E.2d 510, 514 (Ill. App. Ct. 1998). And “[i]njury in
fact . . . may exist solely by virtue of ‘statutes creating legal rights, the invasion of which creates
standing.’”Havens Realty Corp. v. Coleman, 455 U.S. 363, 373 (1982) (quoting Warth v. Seldin,
422 U.S. 490, 500 (1975)).
Here, Plaintiffs allege B&N failed to secure and safeguard customers’PII and failed to
immediately notify customers of the nature and extent of the Security Breach in violation of the
Case: 1:12-cv-08617 Document #: 45-1 Filed: 05/21/13 Page 11 of 36 PageID #:284
4
Illinois Personal Information Protection Act, 815 ILCS §530/1, et seq., and California’s Database
Breach Act, Cal. Civ. Code § 1798.82. Compl. ¶¶5, 46, 78 (d)-(e), (g), (m)-(n), 107, 118-32. This
alone confers the requisite injury-in-fact for standing. See, e.g., Lujan v. Defenders of Wildlife,
504 U.S. 555, 562–63 (1992); Havens Realty Corp., 455 U.S. at 374 (plaintiff had standing to
bring Fair Housing Act claim where she “alleged injury to her statutorily created right to truthful
housing information”); Marin v. Leading Edge Recovery Solutions, LLC, No. 11 C 5886, 2012
WL 3292838 (N.D. Ill. Aug. 10, 2012) (allegations of unwanted calls established violation of the
privacy and property interests protected by TCPA). Additionally, Plaintiffs allege invasion of
privacy for which there is a presumption of at least nominal damages.
A. Clapper Does Not Refute Standing Here, But Rather, Supports It.
B&N cites Clapper v. Amnesty Int’l USA, 133 S. Ct. 1138, 1147 (2013), to support its
position that Plaintiffs lack standing. MTD at 2.1 In Clapper, plaintiffs challenged the
constitutionality of the Foreign Intelligence Surveillance Act of 1978 (“FISA”), as amended, and
the Foreign Intelligence Surveillance Courts. Id. at 1144. The plaintiffs alleged “there [was] an
objectively reasonable likelihood that their communications [would] be acquired under [FISA].”
Id. at 1146. Because the constitutionality of two Government branches’actions were at issue, the
Court applied an “especially rigorous”standing inquiry. Id. at 1147. Before addressing plaintiffs’
claims, the Court noted it had “repeatedly reiterated that ‘threatened injury must be certainly
impending to constitute injury in fact’and that ‘[a]llegations of possible future injury’are not
sufficient,”signifying the Court was not making new law. Id. (citing Whitmore v. Arkansas, 495
U.S. 149, 158 (1990) (emphasis added to original by the Clapper Court)). The Court further held
its “cases do not uniformly require plaintiffs to demonstrate it is literally certain that the harms
1 Barnes & Noble, Inc.’s Memorandum of Law in Support of its Motion to Dismiss the ConsolidatedAmended Complaint [D.E. #44] is sometimes referred to herein as “MTD”.
Case: 1:12-cv-08617 Document #: 45-1 Filed: 05/21/13 Page 12 of 36 PageID #:285
5
they identify will come about. In some instances, we have found standing based on a ‘substantial
risk’that the harm will occur, which may prompt plaintiffs to reasonably incur costs to mitigate
or avoid that harm.”Id. at n.5 (collecting cases).
In concluding plaintiffs lacked Article III standing, Clapper noted it was “speculative”
whether the Government would actually acquire the plaintiffs’communications under FISA, and
found, among other things, that the plaintiffs failed to set forth facts that their communications
would be targeted by the Government. Id. at 1148–49. “In sum, [plaintiffs’] speculative chain of
possibilities does not establish that injury based on potential future surveillance is certainly
impending . . . .”Id. at 1150. Here, Plaintiffs alleged that they made purchases at the affected
stores during the relevant time period, Plaintiffs’PII has been stolen, and there is an increased
risk their PII will be subjected to further misuse, as evidenced by the unauthorized charge on
Plaintiff Winstead’s credit card account. Compl. ¶¶ 2-3, 13-14. The injury here is not self-
inflicted or conjectural; it is concrete, particularized, and supported by the facts. Cf. Clapper, 133
S. Ct. at 1153-54 (discussing Monsanto Co. v. Geertson Seed Farms, 130 S. Ct. 2743, 2754–55
(2010)) with Compl. ¶¶41-45, 67-71. Clapper supports standing.
B. Plaintiffs’Injuries are Fairly Traceable to B&N’s Conduct.
Injury-in-fact that is even indirectly caused by a defendant’s actions satisfies the fairly
traceable requirement. See, e.g., Resnick v. AvMed Inc., 693 F.3d 1317, 1324 (11th Cir. 2012);
Holmes v. Countrywide Fin. Corp., No. 5:08-CV-00205-R, 2012 WL 2873892, at *5 (W.D. Ky.
July 12, 2012). B&N accepts customer payments for purchases through credit and debit cards
issued by members of the payment card industry (“PCI”), such as Visa USA (“Visa”),
MasterCard, Discover, and American Express. Compl. ¶22. On information and belief, at the
time of the Security Breach, B&N was not in compliance with Visa’s Global Mandate, PCI PIN
Case: 1:12-cv-08617 Document #: 45-1 Filed: 05/21/13 Page 13 of 36 PageID #:286
6
Security Requirements, or the standards set by the PCI Security Standards Council. Id. ¶49.
These industry standards required, inter alia, the use of tamper-resistant PIN pads in all of its
stores, the implementation of procedures to ensure that counterfeit devices have not been
substituted for legitimate devices, and documented procedures are in place and followed to
ensure the security and integrity of PIN-processing equipment. Id. ¶¶25, 28, 36-39. As a result of
B&N’s failure to properly secure and safeguard Plaintiffs’PII, Plaintiffs’PII was stolen, their
privacy was invaded, and their rights violated. B&N’s wrongful conduct has caused Plaintiffs’
injuries in concrete and particularized ways and placed Plaintiffs at an imminent, immediate, and
continuing increased risk of identity theft and identity fraud. Id. ¶¶67-71.
Despite B&N’s press release admitting that tampered PIN pads were discovered at certain
of its stores,2 and Plaintiffs’allegations that they made purchases at these stores prior to the
discovery of the tampered PIN pads, B&N incredulously argues that Plaintiffs offer “no facts”to
support their allegation that their personal information has been “exposed.”MTD at 3. Further,
Plaintiff Winstead was a victim of a fraudulent charge on her credit card near the end of
September 2012, after her last purchase at the affected B&N store in Deerfield, Illinois. Compl.
¶14. Winstead had her credit card company deactivate her credit card and she was without use of
her credit card until a replacement card arrived. Id. Thus, there is substantial evidence that
Plaintiffs’injuries are fairly traceable to B&N’s conduct.
B&N’s reliance on Amburgy v. Express Scripts, Inc., is misplaced because Amburgy
found the plaintiff did not allege “his information has in fact been stolen, published or used in
such a way so as to cause him damage either presently or in the future.”Amburgy v. Express
Scripts, Inc., 671 F. Supp. 2d 1046, 1050 (E.D. Mo. 2009). Here, the Complaint against B&N
2 See http://www.barnesandnobleinc.com/press_releases/10_23_12_Important_Customer_Notice.html(last visited May 16, 2013).
Case: 1:12-cv-08617 Document #: 45-1 Filed: 05/21/13 Page 14 of 36 PageID #:287
7
includes these allegations. While Plaintiffs Clutts, Honor, and Dieffenbach have not alleged that
they have been victims of identity theft or had unauthorized charges on their accounts (at least as
of now), it is undisputed that “sophisticated” criminals stole B&N customers’PII, and that
Plaintiffs used B&N PIN pads to make purchases at affected stores prior to the discovery of the
criminal tampering. Significantly, Plaintiff Winstead did have a fraudulent charge on her credit
card that occurred after she made purchases at an affected B&N during the relevant time period.
The reasonable inference from these facts (and certainly a permissible inference at the pleadings
stage) is that the skimmers stole Plaintiffs’information to use it to commit further criminal acts.
Revelis, 844 F. Supp. 2d at 919 (N.D. Ill. 2012) (on a motion to dismiss, a court accepts a
plaintiff’s well-pleaded factual allegations as true and draws reasonable inferences in their
favor). Further, Plaintiffs alleged they were injured in several additional, concrete ways, which
are set forth in the Complaint and discussed below. Compl. ¶¶67-71.
1. Plaintiff Dieffenbach’s emotional distress
B&N argues that plaintiff Dieffenbach does not “allege any facts demonstrating that her
anxiety is fairly traceable to any conduct of B&N.” MTD at 3. The Complaint alleges
“Diffenbach has suffered emotional distress from the Security Breach, including, among other
things, anxiety.”Compl. ¶11. This allegation, combined with the allegations listed above, is
sufficient to demonstrate that her anxiety is caused by B&N’s conduct that led to the Security
Breach and put her at a real risk of identity theft.
The cases relied upon by B&N are distinguishable. In Reilly v Ceridian Corp., there was
no evidence to suggest that the data was misused or ever would be misused, because there was
“no evidence that the intrusion was intentional or malicious,”as “no identifiable taking occurred;
all that [was] known [was] that a firewall was penetrated.”Reilly v. Ceridian Corp., 664 F.3d 38,
Case: 1:12-cv-08617 Document #: 45-1 Filed: 05/21/13 Page 15 of 36 PageID #:288
8
43-44 (3d Cir. 2011). The court found that the plaintiffs relied upon “speculation that the hacker:
(1) read, copied, and understood their personal information; (2) intends to commit future
criminal acts by misusing the information; and (3) is able to use such information to the
detriment of [plaintiffs] by making unauthorized transactions in [plaintiffs’] names.”Id. at 42.
Here, the situation is much different because there is evidence that the Security Breach was
accomplished by sophisticated criminals, and Plaintiff Winstead has alleged a fraudulent charge
on her credit card that is fairly traceable to the Security Breach.
Further, B&N has not presented any evidence –nor could it, at the pleadings stage –that
Plaintiffs were not among those whose information was stolen in the Security Breach.3
B&N’s reliance on Low v. LinkedIn Corp. is also misplaced. Low v. LinkedIn Corp., No.
11-cv-01468-LHK, 2011 WL 5509848 (N.D. Cal. Nov. 11, 2011). In LinkedIn, the plaintiff
“alleged that LinkedIn allow[ed] transmission of users’personally identifiable browsing history
and other personal information to third parties, . . . , in violation of federal and state laws and in
violation of LinkedIn’s privacy policy.”Id. at *1. The plaintiff alleged he suffered emotional
harm because he was “embarrassed and humiliated by the disclosure of his personally
identifiable browsing history”. Id. at *3. The court found that the plaintiff failed to allege facts
sufficient to establish Article III standing because he “ha[d] not alleged that his browsing history,
with embarrassing details of his personal browsing patterns, was actually linked to his identity by
LinkedIn and actually transmitted to any third parties [and had not alleged] how third party
advertisers would be able to infer Low’s personal identity from LinkedIn’s anonymous user ID
combined with his browsing history.” Id. Plaintiff Dieffenbach does not allege she was
3 See http://www. barnesandnobleinc.com/press_releases/10_23_12_Important_Customer_Notice.html(last visited May 16, 2013) (“[B&N] is working with banks, payment card brands and issuers to identifyaccounts that may have been compromised, so banks and issuers can employ enhanced fraud securitymeasures on potentially impacted accounts.”).
Case: 1:12-cv-08617 Document #: 45-1 Filed: 05/21/13 Page 16 of 36 PageID #:289
9
“embarrassed and humiliated”; she alleges a different type of emotional harm— anxiety— which
she has suffered from as a result of the Security Breach.
2. Plaintiff Winstead’s unauthorized credit card charge
B&N argues Plaintiff Winstead does not allege any injury from the unauthorized charge
on her credit card because her credit card company deactivated her card and sent her a
replacement. MTD at 4. To the contrary, Plaintiff Winstead’s allegation supports that Plaintiffs
are at an increased risk of future harm from identity theft, which is sufficient for purposes of
alleging injury for standing. Pisciotta v. Old Nat’l Bancorp, 499 F.3d 629, 634 (7th Cir. 2007)
(“the injury-in-fact requirement can be satisfied by a threat of future harm or by an act which
harms the plaintiff only by increasing the risk of future harm that the plaintiff would have
otherwise faced, absent the defendant’s actions”). Whether Plaintiff Winstead suffered an
unreimbursed loss is irrelevant, as the fact of an unauthorized charge shows that she is at
increased risk of future harm from identity theft.
B&N argues that a “‘mere coincidence in timing’does not establish a causal connection
sufficient to confer standing.”MTD at 4 (citing Hammond v. The Bank of New York Mellon
Corp., No. 08 Civ. 6060 RMB RLE, 2010 WL 2643307, at *5 (S.D.N.Y. June 25, 2010)).
B&N’s reliance on Hammond is misplaced because the plaintiff there “admit[ted] that a
coincidence in timing is her sole basis for alleging that [the] unauthorized [credit card account]
in her name was related to the [February 2008] tape loss.” Id. at Unlike Hammond, where
computer back-up tapes were lost (not stolen), there is more than just a coincidence in timing
here. There was PIN pad tampering at 63 separate B&N locations in 9 states, including a B&N
store where Plaintiff Winstead made purchases during the relevant time period, which is
evidence of a large scale criminal operation to steal the PII of B&N customers. Compl. ¶2.
Case: 1:12-cv-08617 Document #: 45-1 Filed: 05/21/13 Page 17 of 36 PageID #:290
10
C. Plaintiffs Plead Injury in Fact.
1. Plaintiffs’increased rick of identity confers Article III standing.
The law does not always keep pace with technology. The courts in early data breach
cases struggled to match centuries old legal principles to current technology. Since Pisciotta v.
Old Nat. Bancorp, 499 F.3d 629, 633–34 (7th Cir. 2007), however, with limited exceptions due
to pleading deficiencies that do not exist here, the recent trend is that courts have recognized that
when dealing with data breaches, a quantified increased risk of identity theft supports a finding
of injury-in-fact and Article III standing. See, e.g., Ruiz v. Gap, Inc., 380 Fed. Appx. 689, 690–
91 (9th Cir. 2010) (Gap III); Krottner v. Starbucks Corp., 628 F.3d 1139, 1142–43 (9th Cir.
2010) (Krottner II).4 B&N relies heavily upon Clapper v. Amnesty International USA, 133 S. Ct.
1138 (Feb. 26, 2013), in support of its argument that Plaintiffs do not have standing based on an
increased risk of identity theft. MTD at 7. But Clapper is unavailing. See supra. Further, because
Clapper does not change Article III standing law, Pisciotta, 499 F.3d 629, remains in force in
this Circuit, despite B&N’s suggestion to the contrary.
2. Plaintiffs were injured by the deprivation of the value of their PII.
Plaintiffs allege they were injured by the deprivation of the value of their PII, for which
there is a well-established market, and they are entitled to compensation. Compl. ¶¶59-66.
Consumers place a high value not only on their PII, but also on the privacy of their PII. Research
has confirmed the considerable value consumers place on their data privacy: “[a]mong U.S.
subjects, protection against errors, improper access, and secondary use of personal information is
4 See also In re Sony Gaming Networks & Customer Data Sec. Breach Litig., No. 11-MD-2258, 2012WL 4849054, at *11–15 (S.D. Cal. Oct. 11, 2012); Holmes v. Countrywide Fin. Corp., No. 08-CV-00205,2012 WL 2873892, at *5–11(W.D. Ky. July 12, 2012); McLoughlin v. People’s United Bank, Inc., No.08-CV-00944, 2009 WL 2843269, at *3–4 (D. Conn. Aug. 31, 2009); Doe 1 v. AOL, 719 F. Supp. 2d1102, 1109–11 (N.D. Cal. 2010); Ruiz v. Gap, Inc., 622 F. Supp. 2d 908, 912 (N.D. Cal. 2009); Caudle v.Towers, Perrin, Forster & Crosby, Inc., 580 F. Supp. 2d 273, 280 (S.D.N.Y. 2008); Krottner v. StarbucksCorp., No. C09-0216RAJ, 2009 WL 7382290, at *4 (W.D. Wash. Aug. 14, 2009).
Case: 1:12-cv-08617 Document #: 45-1 Filed: 05/21/13 Page 18 of 36 PageID #:291
11
worth US$30.49–44.62.”5 Id. ¶63. The value of Plaintiffs’and Class members’PII on the black
market is substantial— credit card numbers range in cost from $1.50 to $90 per card number.6 Id.
¶65. By way of the Security Breach, B&N has deprived Plaintiffs and Class members of the
substantial value of their PII. Id. ¶65.
B&N argues that because Plaintiffs have not alleged that they intended to sell, or that
they are now foreclosed from selling, their credit or debit card information, and do not allege that
B&N sold such information, that Plaintiffs’“lost value”theory should be rejected. MTD at 5.
B&N relies upon this Court’s decision in Sterk v. Best Buy Stores LP, No. 11-c-1894, 2012 WL
5197901 (N.D. Ill. 2012). Unlike the data thefts and security lapses here, Sterk involved the issue
of whether a retailer violated the Video Privacy Protection Act (“VPPA”) by keeping and
transferring the plaintiffs’video rental history between parent/subsidiary companies. Id. at *1.
While relying substantially on the conclusion that the “internal” transfers of data did not
constitute disclosure under the VPPA (id. at *2-3) and the lack of a private cause of action for
data retention (id. at *3-4), the Court also noted that Sterk’s claim of “lost value”was not
recognizable injury because the plaintiff had not alleged that defendants sold his information or
that plaintiff had not been able to sell his own information for as much value. Id. at *6.
Here, however, Plaintiffs’argument is that any company that transacts business with a
consumer and then compromises the privacy of the consumer’s PII has deprived that consumer
of the full monetary value of their PII. In short, Plaintiffs have the right to control their PII—
5 Il-Horn Hann et al., The Value of Online Information Privacy: An Empirical Investigation (Oct. 2002)available at http://www.comp.nus.edu.sg/~ipng/research/privacy.pdf (emphasis added) (last visited May13, 2013).
6 The Cyber Black Market: What’s Your Bank Login Worth, available athttp://www.ribbit.net/frogtalk/id/50/the-cyber-black-market-whats-your-bank-login-worth (last visitedMar. 25, 2013); Office of the National Counterintelligence Executive, How Much Do You Cost on theBlack Market, available at http://www.ncix.gov/issues/cyber/identity_theft.php (last visited Mar. 252013).
Case: 1:12-cv-08617 Document #: 45-1 Filed: 05/21/13 Page 19 of 36 PageID #:292
12
including the right to sell or not sell and to disseminate or not disseminate their PII. This right is
a property right, and when and how they exercise this right has value. RESTATEMENT (SECOND)
TORTS §911, cmt. b, e; see also Claridge v. RockYou, Inc., 785 F. Supp. 2d 855, 865 (N.D. Cal.
2011) (“the breach of his PII has caused him to lose some ascertainable but unidentified ‘value’
and/or property right inherent in the PII”); T. Soma, et al., Corporate Privacy Trend: The
“Value”of Personally Identifiable Information (“PII”) Equals the “Value”of Financial Assets,
15 RICH. J.L. & TECH. 11 (2009) (data in electronic form has value not only to a company that
collects and stores it, but also to consumer who owns it); accord State v. Mayze, 622 S.E.2d 836,
841 (Ga. 2005) (“identity fraud is an offense against the victim’s possessory interest in his or her
personal information,” and PII is an intangible commodity). This property right is no less
valuable should Plaintiffs elect not to sell or otherwise disseminate their PII. B&N’s failure to
safeguard and protect Plaintiffs’PII, thereby allowing this right to be taken from Plaintiffs
without their authorization, constitutes injury-in-fact and Article III standing.
3. Plaintiffs were injured by the diminished value of products andservices purchased from B&N.
Plaintiffs allege that part of the benefit of the bargain was B&N’s compliance with
industry standards for collecting and safeguarding PII, which was included as part of the
purchase price paid by Plaintiffs. Compl. ¶¶22-39, 67. It is readily apparent that the PIN pads
and compliance with industry standards cost B&N money both in terms of the costs of the PIN
pads and the employee time to implement and maintain the industry standards and safeguards.
B&N cannot challenge these allegations on a motion to dismiss, as courts accept a plaintiff’s
well-pleaded factual allegations as true.
Courts have found standing where a defendant charges money for a good or service but
fails to honor its own policies in connection with providing the good or service. In re Facebook
Case: 1:12-cv-08617 Document #: 45-1 Filed: 05/21/13 Page 20 of 36 PageID #:293
13
Privacy Litig., 791 F. Supp. 2d 705, 715 (N.D. Cal. 2011) (“[A] plaintiff who is a consumer of
certain services (i.e., who ‘paid fees’for those services) may state [a claim requiring monetary
loss] when a company, in violation of its own policies, discloses personal information about its
customers to the public.”); see also Doe 1 v. AOL, LLC, 719 F. Supp. 2d 1102, 1111 (N.D. Cal.
2010). In In re: Sony Gaming Networks and Customer Data Sec. Breach Litig., MDL No. 11-
md-2258, 2012 WL 4849054, at *15 (S.D. Cal. Oct. 11, 2012), the court noted that economic
injury can occur both when a plaintiff gives more or acquires less in a transaction than he or she
otherwise would have. See also Resnick v. AvMed, Inc., 693 F.3d 1317, 1328 (11th Cir. 2012)
(economic injury stemming from the failure to implement security policies, for which plaintiffs
allegedly paid as a part of their monthly premiums).
B&N cites two decisions that are factually distinguishable. In Re LinkedIn User Privacy
Litig., No. 5:12-CV03088 EJD, 2013 WL 844291 (N.D. Cal. Mar. 6, 2013), involved claims that
the online social networking web service failed to protect members’User Id’s, passwords, and e-
mail addresses. Members had options for both free and premium memberships, and the data
security and sign-up provisions were the same for both, i.e., signing up for the premium
membership did not involve any additional security for the data stolen and, unlike here, there
were no allegations that “premium”(paid) members’credit card information was compromised.
The court dismissed the initial complaint (an amended complaint is pending before the court),
finding that the premium members did not pay anything for data security because exactly the
same services were provided to non-premium users for free.7 In contrast, the Complaint here
alleges that B&N included its costs for security in its prices and, as noted above, the security is a
value determinable part of each transaction regardless of the payment method. Compl. ¶67.
7 Notably, LinkedIn and other social media web sites obtain the bulk of their revenue from advertising ontheir websites and not by operating brick-and-mortar retail stores or selling tangible goods.
Case: 1:12-cv-08617 Document #: 45-1 Filed: 05/21/13 Page 21 of 36 PageID #:294
14
B&N again relies on the Sterk decision, which, as explained above, is factually
distinguishable. The Court found that the plaintiff did not have valid claims under the VPPA
because there was no disclosure of data and no private cause of action for data retention. The
Court noted that Sterk’s claim that he “overpaid”was not a legally cognizable injury. Sterk, 2012
WL 5197901, at *7 (reconsideration pending). The Court noted that the items cost the same
whether the customer paid for the rental video with cash or a credit card and, thus, no claim for
lost value could exist. However, unlike Sterk, Plaintiffs’ information here has been
compromised. In fact, Plaintiff Winstead incurred actual fraudulent charges on her credit card.
Moreover, Plaintiffs expressly allege that B&N included the costs of the security in its prices and
that Plaintiffs were overcharged. Compl. ¶67.
When a merchant sets its prices for goods, it does so based upon its costs, expected
profits, and other factors. It sets a price for each item to allow for these factors. Moreover,
because it is likely that the majority of customers today use some form of electronic payment,
any allocation to cash customers for the security measures is likely inconsequential. It also may
be offset by concomitant costs for man hours to stock and balance cash drawers, safes, and other
cash handling costs so that the cash payor has similar overhead to account for. This argument
does not defeat the allegations that the price charged includes the cost and value of the data
security. Compliance with the promised and expected security has both a demonstrable cost and
value to merchants and credit customers alike. That value here was not delivered and, thus,
Plaintiffs overpaid B&N.
4. The loss of time and the expenses to mitigate the increased risk ofidentity theft constitutes injury.
B&N is instructing customers who swiped their cards at any of the B&N stores with
affected PIN pads to take certain steps: (i) credit card users should review their accounts and
Case: 1:12-cv-08617 Document #: 45-1 Filed: 05/21/13 Page 22 of 36 PageID #:295
15
notify their banks if they discover unauthorized purchases or cash advances; and (ii) debit card
users should do the same and change their PIN numbers, which will take time. Compl. ¶¶70-71.
Plaintiffs and Class members suffered damages based on the opportunity cost and value of time
that Plaintiffs and Class members have been forced to expend to monitor their financial and bank
accounts as a result of the Security Breach. Id. ¶69. Such damages also include the cost of
obtaining replacement credit and debit cards. Id.
Despite instructing its affected customers to take these steps, B&N now argues that the
out-of-pocket costs and value of time spent taking these steps do not constitute injury. MTD at 8.
B&N relies on Clapper but again its reliance is misplaced. In Clapper, the court found that the
plaintiffs’“speculative chain of possibilities does not establish that injury based on potential
future surveillance is certainly impending . . . .”Id. at 1150. Here, in contrast, Plaintiffs face a
well-founded risk of identity theft as a result of the Security Breach. See Libertarian Party of Los
Angeles Cnty. v. Bowen, 709 F.3d 867, 870 (9th Cir. 2013) (“Unlike in Clapper, Plaintiffs’fear
of enforcement here is actual and well-founded and does not involve a ‘highly attenuated chain
of possibilities.’”).
II. B&N’s Motion to Dismiss Pursuant to 12(b)(6) Should be Denied.
B&N also seek to dismiss Plaintiffs’Complaint for failure to state any claims. B&N’s
motion to dismiss should be denied because Plaintiffs plead valid claims. B&N’s arguments
regarding lack of actual damages should be rejected because Plaintiffs alleged several cognizable
forms of damages resulting from the Security Breach. See generally Section I, supra; Compl.
¶¶67-71
Plaintiffs and Class members incurred actual monetary damages in that they overpaid for
the products purchased from B&N. Compl. ¶67. Plaintiffs and the other members of the Class
Case: 1:12-cv-08617 Document #: 45-1 Filed: 05/21/13 Page 23 of 36 PageID #:296
16
have suffered additional injury and damages, including, but not limited to: (i) the untimely
and/or inadequate notification of the Security Breach, which has placed Plaintiffs and Class
members at an increased risk of identity theft and/or identity fraud; (ii) improper disclosure of
their PII; (iii) loss of and invasion of privacy, and all damages relating thereto that are
recoverable at law; (iv) out-of-pocket expenses incurred to mitigate the increased risk of identity
theft and/or identity fraud pressed upon them by the Security Breach; (v) the value of their time
spent mitigating identity theft and/or identity fraud and/or the increased risk of identity theft
and/or identity fraud; (vi) the increased risk of identity theft; (vii) anxiety and emotional distress;
and (viii) deprivation of the value of their PII, for which there is a well-established national and
international market— for which they are entitled to compensation. Compl. ¶68.
Plaintiffs and Class members suffered additional damages based on the opportunity cost
and value of time that Plaintiffs and Class members have been forced to expend to monitor their
financial and bank accounts as a result of the Security Breach. Id. ¶69. Such damages also
include the cost of obtaining replacement credit and debit cards and taking the time to change
their PIN numbers on their debit cards. Id. ¶¶69-71.
A. Plaintiffs State a Valid Claim for Breach of Implied Contract.
B&N does not argue that an implied contract does not exist. MTD at 9-10. Rather, B&N
argues Plaintiffs have not alleged “actual damages sufficient to state a claim for breach of
implied contract.”Id. at 9. As set forth above and in the Complaint, Plaintiffs allege that they
incurred several forms of injury and damages. B&N argues that there must be actual misuse of
Plaintiffs’ information resulting in monetary loss, such as lost money from unauthorized
withdrawals or bank fees. MTD at 9-10. B&N’s reliance on In Re: Michaels Stores Pin Pad
Litig., for this proposition is misplaced because that opinion does not impose a requirement of
Case: 1:12-cv-08617 Document #: 45-1 Filed: 05/21/13 Page 24 of 36 PageID #:297
17
actual misuse of PII for a breach of implied contract claim; rather, the court found that there must
be actual injury. In Re: Michaels Stores Pin Pad Litigation, 830 F. Supp. 2d 518, 531-32 n.6
(N.D. Ill. 2011) (denying motion to dismiss a breach of implied contract claim).
Moreover, B&N ignores several of Plaintiffs’allegations regarding the injuries and
damages they suffered. For example, Plaintiffs overpaid for purchases, they lost the value of
their PII, they suffered opportunity costs and lost the value of their time to mitigate the risks of
identity theft/identity fraud, Plaintiff Winstead took time to dispute an unauthorized charge and
have a new card issued, and Plaintiff Dieffenbach suffered emotional distress in the form of
anxiety as a result of the Security Breach. At the very least, Plaintiffs are entitled to nominal
damages for the injury from the breach of implied contract. Id. ¶91.
B&N also argues that Plaintiffs have not alleged that their data was in fact skimmed.
MTD at 10. Plaintiffs have alleged that they made purchases at affected B&N stores during the
relevant time period and that Plaintiff Winstead incurred a fraudulent charge on her credit card
after she made purchases at an affected B&N during the relevant time period. The reasonable
inference from these facts is that the skimmers stole Plaintiffs’information to use it to commit
criminal acts. Revelis, 844 F. Supp. 2d at 919. B&N has not presented any evidence that
Plaintiffs were not among those whose information was stolen in the Security Breach. See n. 3,
supra.
B. Plaintiffs Allege Actionable Illinois Consumer Fraud Act (“ICFA”) Claims8
B&N’s arguments seeking dismissal of the ICFA claims are of no avail.9 As noted above,
Plaintiffs have alleged actual damages. Further, given the purpose of the ICFA to stop all forms
8 Plaintiff Dieffenbach’s claims under the California statutes are analyzed below.
9 B&N comments that a 9-state consumer fraud class is somehow unsubstantiated. That analysis isinappropriate at the motion to dismiss stage. Presently, the claims of Plaintiffs are at issue.
Case: 1:12-cv-08617 Document #: 45-1 Filed: 05/21/13 Page 25 of 36 PageID #:298
18
of prohibited conduct, B&N’s argument that Plaintiffs’claims do not satisfy the unfairness
analysis of the ICFA is misplaced.
The ICFA— and claims brought under it — should be broadly and liberally construed to
effect the Act’s remedial purpose of eradicating all forms of deceptive and unfair business
practices and to grant appropriate remedies to defrauded consumers. Connick v. Suzuki Motor
Co., Inc., 174 Ill. 2d 482, 503, 675 N.E.2d 584, 594 (1996), Ramirez v. Smart Corp., 371 Ill.
App. 3d 797, 805, 863 N.E.2d 800, 811-12 (3d Dist. 2007). The language of the ICFA is
intended to extend the reach of the statute broadly. People ex rel. Daley v. Datacom Systems
Corp., 146 Ill. 2d 1, 30, 585 N.E.2d 51, 64 (1991).
In In Re: Michaels Stores Pin Pad Litigation, 830 F. Supp. 2d 518 (N.D. Ill. 2011), the
court denied motions to dismiss the plaintiff’s ICFA claims, rejecting arguments repeated by
B&N here. Similarly, In Re Michaels involved thefts of customer PII when their credit/debit
cards were swiped in Michaels stores. Id. at 521-22. The court held that while the plaintiffs did
not adequately allege a deceptive practice claim, they had sufficiently alleged an ICFA claim
under an “unfairness”analysis and for violations of the Illinois Personal Information Protection
Act (“PIPA”), 815 ILCS 530/1, et seq. Id. at 525-28.
B&N does not challenge Plaintiffs’claims here arising from its failure to timely notify
Plaintiffs of the Security Breach; nor does B&N dispute that a violation of the PIPA constitutes a
per se violation of the ICFA. In fact, B&N does not address these points at all. MTD at 10-11.
Such a failure constitutes waiver of the argument. Satkar Hospitality Inc. v. Cook County Bd. of
Review, 819 F. Supp. 2d 727, 739 (N.D. Ill. 2011) (arguments not raised in motion to dismiss
deemed waived). Regardless, In re Michaels establishes that a violation of the PIPA is actionable
under the ICFA. 830 F. Supp. 2d at 527-28.
Case: 1:12-cv-08617 Document #: 45-1 Filed: 05/21/13 Page 26 of 36 PageID #:299
19
Given that Plaintiffs demonstrated that B&N violated the ICFA both by its actions and
inactions, including its violation of the IPPA, the issue becomes the calculation of damages, not
their existence. Under Section 10a(a) of ICFA: “Any person who suffers actual damage as a
result of a violation of this Act committed by any other person may bring an action against such
person. The court in its discretion may award actual economic damages or any other relief which
the court deems proper.”815 ILCS 505/10a(a) (West 1996). “Actual damage”is the “loss, hurt,
or harm” that results from “the illegal invasion of a legal right,” while “damages” is the
“recompense or compensation awarded for the damage suffered.”Giammanco v. Giammanco,
253 Ill. App. 3d 750, 758, 625 N.E.2d 990, 997 (Ill. App. Ct. 1993) (citing BALLENTINE’S LAW
DICTIONARY 303 (3d ed. 1969); BLACK’S LAW DICTIONARY 351 (5th ed. 1979) (“The word
[‘damage’] is to be distinguished from its plural, ‘damages’, which means a compensation in
money for a loss or damage”)). Plaintiffs have shown that they and Class members have suffered
injury and harm as the result of B&N’s ICFA violations. Where the amount of damages is
difficult or impossible to prove, the ICFA allows awards of nominal damages. Kirkpatrick v.
Strosberg, 385 Ill. App. 3d 119, 126-133, 894 N.E.2d 781, 793-94 (2008) (2d Dist. 2008)
(awarding $100 in nominal damages). Additionally, punitive damages are available. Id. at 794-
95; 815 ILCS 505/10a(a).
Whether a defendant’s conduct is unfair under the ICFA is determined on a case-by-case
basis. Saunders v. Michigan Ave. Nat’l Bank, 278 Ill. App. 3d 307, 313, 662 N.E.2d 602, 608
(1996). “[C]ourts consider whether the practice offends public policy, whether it is oppressive,
and whether it causes consumers substantial injury.” Id. at 608 (citing Perez v. Citicorp
Mortgage, Inc., 301 Ill. App. 3d 413 (1998)). Further, “all three criteria do not need to be
satisfied to support a finding of unfairness. A practice may be unfair because of the degree to
Case: 1:12-cv-08617 Document #: 45-1 Filed: 05/21/13 Page 27 of 36 PageID #:300
20
which it meets one of the criteria or because to a lesser extent it meets all three.”Robinson v.
Toyota Motor Credit Corporation, 201 Ill. 2d 403, 775 N.E.2d 951, 961 (2002). Public policy is
manifested in existing statutes, common law, or some “other established concept of unfairness.”
Fed. Trade Comm’n v. Sperry & Hutchinson Co., 405 U.S. 233, 244–45 n.5 (1972). The
heightened-pleading requirement of Rule 9(b) does not apply to ICFA claims based on unfair
practices. O’Brien v. Landers, 2011 WL 221865, at *6 (N.D. Ill. Jan. 24, 2011) (citing Windy
City Metal Fabricators & Supply, Inc. v. CIT Tech. Fin. Servs., 536 F.3d 663, 669–70 (7th Cir.
2008)).
B&N’s argument on unfairness is that Plaintiffs do not allege injury. MTD at 11. As
noted above though, the injury requirement has been satisfied. See generally, Section I, supra;
Compl. ¶¶ 10-14, 67-71, 107-09.
B&N also ignores the In Re Michaels decision upholding the ICFA claim on virtually
identical arguments and allegations. 830 F. Supp. 2d at 525-26. Relying in part on In re TJX Cos.
Retail Sec. Breach Litig., 564 F.3d 489, 495-96 (1st Cir. 2009), the In Re Michaels Court
concluded:
Here, Plaintiffs allege that Michaels failed to comply with Visa’s GlobalMandate, requiring the use of tamper-resistant PIN pads, and with the PCI PinSecurity Requirements. Plaintiffs further allege that Michaels failed to promptlynotify consumers of the security breach. As determined by the First Circuit inTJX, such conduct could constitute an unfair practice because it causes substantialinjury to consumers.
830 F. Supp. 2d at 526. Plaintiffs’similar allegations here (Compl. ¶¶22-39) cannot be ignored.
Finally, B&N argues that there can be no ICFA liability without Plaintiffs having
received a communication or advertising by B&N. MTD at 11. This is an overstatement and, as
noted above, at best goes to Plaintiffs’deception claims, not their unfairness claims. As B&N
would have it, it and any other merchant could accept a consumer’s credit card intending to post
Case: 1:12-cv-08617 Document #: 45-1 Filed: 05/21/13 Page 28 of 36 PageID #:301
21
the full credit card number, security code, and customer’s name on a bulletin board or even on
the internet and have done nothing violative of the ICFA. Such an outcome would eviscerate the
spirit of the ICFA. In any event, there were communications by B&N to Plaintiffs and Class
members. Implicit in having its customers swipe their cards through the PIN pads is the
communication that B&N was in compliance with the credit industry’s safety and security
practices. This is a communication of the compliance that Plaintiffs complain was lacking.
C. Plaintiffs Plead a Valid Claim for Invasion of Privacy.
A successful claim for public disclosure of private facts requires that: (1) publicity was
given to the disclosure of private facts; (2) the facts were private and not public facts; and (3) the
matter made public would be highly offensive to a reasonable person. Johnson v. Kmart Corp.,
311 Ill. App. 3d 573, 596, 723 N.E.2d 1192, 1197 (1st Dist. 2000) (citation omitted). The facts of
this case support that, because of B&N’s conduct, publicity was given to Plaintiffs’private facts,
and B&N’s conduct would be highly offensive to a reasonable person.
1. Plaintiffs’private and confidential information was published.
To permit recovery for egregious conduct, courts recognize the need for flexibility in the
application of the publication requirement. Miller v. Motorola, Inc., 202 Ill. App. 3d 976, 978,
560 N.E.2d 900, 903 (1st Dist. 1990) Because of B&N’s failure to secure and protect Plaintiffs’
PII, Plaintiffs’private and confidential information was published, on information and belief, to
a large number of unauthorized persons via the Security Breach. Compl. ¶46. Thus, the publicity
requirement is satisfied.
2. Plaintiffs’credit and debit card information is private.
B&N argues that Plaintiffs “have not demonstrated how credit and debit card information
can constitute ‘private facts’when such information is routinely and voluntarily disclosed in the
course of everyday transactions.”MTD at 12. This argument is misguided. There can be no
Case: 1:12-cv-08617 Document #: 45-1 Filed: 05/21/13 Page 29 of 36 PageID #:302
22
reasonable dispute that credit and debit card information should not be disclosed to the public at
large; the “everyday transactions”are made with the implicit agreement that the credit and debit
card information is not to be published but, rather, used solely for the particular transaction.
B&N’s argument should be given short-shrift.
3. The publication of Plaintiffs’private and confidentialinformation was highly offensive.
Very little is as sacred as one’s private and confidential information. See Valley Forge
Ins. Co. v. Swiderski Elecs., Inc., 223 Ill. 2d 352, 860 N.E.2d 307, 317 (2006) (a “right of
privacy” connotes an interest in the secrecy of personal information). Dissemination of
Plaintiffs’PII is not of legitimate public concern. Because of B&N’s failure to secure and protect
customers’PII, criminals were able to obtain it. It is difficult, if not impossible, to conceive that
B&N’s dissemination of Plaintiffs’and Class Members’PII would not be considered highly
offensive to a reasonable person.
D. California Database Breach Act
Plaintiff Dieffenbach is a citizen of California. Compl. ¶11. B&N failed to ensure that
personal information about its Californian customers was protected and failed to give proper
notice of the Security Breach. Compl. ¶¶118-32.
1. B&N’s security failures
Plaintiffs alleged that B&N failed to comply with its statutory obligations to implement
and maintain reasonable security procedures and practices under Cal. Civ. Code § 1798.81.5(c).
Compl. ¶¶122-26. B&N failed to comply with security standards and allowed its customers’PII
to be compromised by cutting corners on security measures that could have prevented or
mitigated the Security Breach. Id. ¶4. Plaintiffs allege in detail the security precautions and
industry standards that B&N did not implement or maintain. Id. ¶¶22-40.
Case: 1:12-cv-08617 Document #: 45-1 Filed: 05/21/13 Page 30 of 36 PageID #:303
23
2. B&N’s failure to provide immediate notification of the Security Breach
B&N failed to provide proper and immediate notification of the Security Breach pursuant
to Cal. Civ. Code § 1798.82. Compl. ¶¶121-27, 130. B&N failed to disclose the extent of the
Security Breach, failed to individually notify each of its affected customers of the Security
Breach in a timely manner, and failed to take other reasonable steps to clearly and conspicuously
inform Plaintiffs and Class members of the nature and extent of the Security Breach. Id. ¶5. By
failing to provide adequate notice, B&N prevented Plaintiffs and Class members from protecting
themselves from the Security Breach. Id. B&N has not argued that it provided proper notification
to Plaintiffs and Class members, but argues that Plaintiff Dieffenbach fails to allege any
substantive violation of the statute and argues that she does not allege any injuries attributable to
the delay in notification. MTD at 12-13.
Section 1798.82 provides that the “owner or licensee”of the information is to be notified
of the breach. B&N relies on Section 1798.81.5(a) for its argument that an “owner or licensee”
of PII is a business (not an individual consumer) and, therefore, the statute’s notification
provisions do not require notification to the individual consumer, but to some business entity that
Plaintiff Dieffenbach fails to identify. MTD at 13. B&N’s tortured interpretation of the statute is
wrong and contrary to the stated purpose of the statute. Section 1798.80 provides definitions for
various terms and does not define “owner or licensee.”Where a term is undefined, it is to be
given its plain meaning. In this case, Plaintiff Dieffenbach is the “owner,”as she is the person
who owns her personal information and timely notice was to be to her given by B&N. This is in
line with the stated “intent of the Legislature to ensure that personal information about
Californian residents is protected.”Cal. Civ. Code §1798.81.5(a).
B&N’s claim that Plaintiff Dieffenbach has not alleged a cognizable injury under the Act
Case: 1:12-cv-08617 Document #: 45-1 Filed: 05/21/13 Page 31 of 36 PageID #:304
24
is also unavailing. B&N relies on a case solely addressing §1798.83 and the sale of personal
information to marketers. Nothing in Boorstein v. Men’s Journal, LLC, No. CV-12-771 DSF,
2012 WL 2152815 (C.D. Cal. June 14, 2012), involves violations of §1798.82. Section 1798.84
provides that any customer injured by a violation of this title may institute a civil action to
recover damages and any business that violates this title may be enjoined. Cal. Civ. Code §
1798.84. Here, the injury suffered by Plaintiff Dieffenbach derives from the violation of
§1798.82 itself. The “injury required by Article III can exist solely by virtue of statutes creating
legal rights, the invasion of which creates standing.”Edwards v. First Am. Corp., 610 F.3d 514,
517 (9th Cir. 2010). Courts have applied this principle— that the Legislature can define a “legal
right, the invasion of which establishes standing,”— to find standing when a consumer alleges a
violation of a consumer privacy statute with a private right of action. See, e.g., Graczyk v. West
Publ’g Co., 660 F.3d 275, 277 (7th Cir. 2011) (the court held violations of the Driver’s Privacy
Protection Act, which prohibits certain uses and disclosures of private information provided to
DMVs, was sufficient to establish injury without anything further). The same holds true here. In
re Sony Gaming Networks & Customer Data Sec. Breach Litig., 903 F. Supp. 2d 942 (S.D. Cal.
2012) (where the plaintiffs’allegations of injury were sufficient for Article III standing, their
allegations of injury were sufficient for their California Database Breach Act claim). By creating
a specific civil enforcement mechanism for violations of Civil Code §1798.82, the California
Legislature conferred standing on people affected by a violation. Moreover, Plaintiff
Dieffenbach has alleged actual damages (see generally, Section I, supra), including emotional
distress, that are fairly attributable to the delay in notifying the public of the Security Breach.
B&N’s motion to dismiss Count IV should be denied.
Case: 1:12-cv-08617 Document #: 45-1 Filed: 05/21/13 Page 32 of 36 PageID #:305
25
E. Dieffenbach May Pursue her California UCL Claim.
B&N makes similar arguments seeking dismissal of Count V (California UCL, “UCL”)
that it unsuccessfully made above regarding the ICFA claim. See Section II.B, supra. There is no
reason to construe the unfairness analysis under the UCL differently. Similarly, because
Plaintiffs properly alleged damages for the ICFA and the other counts, Dieffenbach’s claims
should be treated no differently. Also, because Plaintiff Dieffenbach states a claim for violation
of the California Database Breach Act, she necessarily states a claim under the UCL.
B&N glosses over the scope of California’s interpretation of unfairness. B&N cites
Lozano v AT&T Wireless Servs, Inc, 504 F.3d 718, 735-36 (9th Cir. 2007), regarding a view that
claims of unfairness must be tethered to some legislatively-declared policy. This concept derives
from the California Supreme Court decision in Cel-Tech Communications, Inc. v. Los Angeles
Cellular Telephone Co., 20 Cal. 4th 163 (1999). That decision did discuss the tethering concept,
but stated “Nothing we say relates to actions by consumers or by competitors alleging other
kinds of violations of the unfair competition law such as ‘fraudulent’or ‘unlawful’business
practices or ‘unfair, deceptive, untrue or misleading advertising.’”Id. at 186-87 n. 12.
Three different methods have arisen where California courts determine unfairness after
Cel-Tech. Dieffenbach’s claims satisfy each methodology. See, Davis v. Ford Motor Credit Co.
LLC, 179 Cal. App. 4th 581, 593-98 (2d Dist. 2009).
Smith v. State Farm Mutual Automobile Ins. Co., 93 Cal. App. 4th 700, 718 (2001),
applied a balancing test of the practice’s “impact on its alleged victim . . . against the reasons,
justifications and motives of the alleged wrongdoer.”“[A]n ‘unfair’business practice occurs
when that practice ‘offends an established public policy or when the practice is immoral,
unethical, oppressive, unscrupulous or substantially injurious to consumers.’”Smith, 93 Cal.
Case: 1:12-cv-08617 Document #: 45-1 Filed: 05/21/13 Page 33 of 36 PageID #:306
26
App. 4th at 719. These are the same standards as under the ICFA. As noted above, this test is
satisfied here. See Section II.B, supra.
A second line of cases, like Gregory v. Albertson’s Inc., 104 Cal. App. 4th 845, 854
(2002), focus on public policy: “the public policy which is a predicate to the action must be
‘tethered’ to specific constitutional, statutory or regulatory provisions.” This “tethering”
requirement is satisfied here because Plaintiff Dieffenbach has alleged violations of California’s
Database Breach Act. Thus, similar to the relationship between the ICFA and the PIPA, there is a
California statute regulating data breach disclosures and requirements. This relationship creates a
nexus to the UCL regardless of whether an independent claim exists under the Database Breach
Act. Therefore, Dieffenbach satisfies this unfairness analysis.
Finally, some California courts look to FTC interpretations to define unfairness.
Camacho v. Automobile Club of Southern California, 142 Cal. App. 4th 1394 (2006). The factors
that define unfairness under Section 5 of the Federal Trade Commission Act are: (1) the
consumer injury must be substantial; (2) the injury must not be outweighed by any
countervailing benefits to consumers or competition; and (3) it must be an injury that consumers
themselves could not reasonably have avoided. Id. at 1403. Here, as noted above and in In Re
Michaels and TJX, there is a substantial consumer injury imposed by the theft of PII. This injury
is not offset by a corresponding benefit to consumers. B&N provides no argument, or discussion
at all, of an offsetting benefit to consumers. Further, consumers cannot reasonably avoid this
injury. The PIN pads are in B&N stores and B&N has control over them. Finally, B&N failed to
meet the credit industry’s safety requirements on this very subject. Thus, Plaintiff Diefffenbach
satisfies this analysis as well.
Case: 1:12-cv-08617 Document #: 45-1 Filed: 05/21/13 Page 34 of 36 PageID #:307
27
B&N also claims that Plaintiffs’UCL claim must fail because there are no allegations of
monetary or property damage. MTD at 13-14. As explained above, this is contradicted by the
allegations of the Complaint and, therefore, B&N’s citations are inapposite. Compl. at ¶¶ 11, 67-
71, 142.
CONCLUSION
For the above reasons, Plaintiffs respectfully request that the Court enter an order
denying Barnes & Noble’s Motion to Dismiss, and granting such other relief the Court deems
just.
Date: May 21, 2013 Respectfully submitted,
Ray Clutts, Heather Dieffenbach,Jonathan Honor, and Susan Winstead,individually and on behalf of all otherssimilarly situated,
/s/ Sharon HarrisBen BarnowSharon HarrisBARNOW AND ASSOCIATES, P.C.One North LaSalle Street, Suite 4600Chicago, IL 60602Tel: (312) 621-2000Fax: (312) [email protected]@barnowlaw.com
/s/ Joseph J. SiprutJoseph J. SiprutSIPRUT PC
17 North State Street, Suite 1600Chicago, IL 60602Tel: (312) 236-0000Fax: (312) [email protected]
Case: 1:12-cv-08617 Document #: 45-1 Filed: 05/21/13 Page 35 of 36 PageID #:308
28
Aron D. RobinsonLAW OFFICE OF ARON D. ROBINSON
180 W. Washington Suite 700Chicago, Illinois 60602Tel: (312) 857-9050Fax: (312) [email protected]
Adam J. LevittGRANT & EISENHOFER P.A.30 North LaSalle Street, Suite 1200Chicago, IL 60602Tel: (312) 214-0000Fax: (312) [email protected]
Julie D. MillerCOMPLEX LITIGATION GROUP LLC513 Central Avenue, Suite 300Highland Park, Illinois 60035Tel: (847) 433-4500Fax: (847) [email protected]
William A. BairdMARKUN ZUSMAN & COMPTON LLPSunset Blvd., Suite A380Pacific Palisades, California 90272Tel: (310) 454-5900Fax: (310) [email protected]
Attorneys for Plaintiffs
Case: 1:12-cv-08617 Document #: 45-1 Filed: 05/21/13 Page 36 of 36 PageID #:309