On May 31, 2019, the United States Court of Appeals for the Eighth Circuit affirmed the dismissal of a putative class action filed against grocery store chains SuperValu, Inc., AB Acquisition, LLC, and New Albertsons, Inc. The plaintiffs alleged that they made credit or debit card purchases at the defendants’ locations in seven states in 2014, and that hackers installed malicious software on the defendants’ servers, and stole the plaintiffs’ payment card information in at least two separate incidents between June and September 2014. The case was the last remaining putative class action after the Court’s 2017 affirmance of the dismissal of several other putative class actions arising from the breach on standing grounds. In the 2017 decision, In re: SuperValue, Inc., Customer Data Security Breach Litigation, 870 F.3d 763, 768-72 (8th Cir. 2017), the Court held that the risk of future identity theft was too speculative to create standing and dismissed the claims of all named plaintiffs, except David Holmes and remanded his putative class action for further proceeding on a motion to dismiss.
On remand, the District Court again dismissed Mr. Holmes’ claims, which dismissal was affirmed by the Eighth Circuit. Unlike the other named plaintiffs, Mr. Holmes alleged that a fraudulent purchase was made with the hacked information. The Court found this allegation insufficient to state a claim for relief against the grocery store chains under each of his four theories of liability: negligence, consumer protection, implied contract, and unjust enrichment. As to the negligence claim, the Court found the grocery store chain owes a consumer no duty “to protect another from a criminal attack” in these circumstances. In re SuperValu , Inc., Customer Data Sec. Breach Litig., No. 18-1648, slip op. at 7 (8th Cir. May 31, 2019). The Court rejected Mr. Holmes’ s argument that the Federal Trade Commission Act imposed a duty to safeguard consumer information because the FTCA creates no private right of action by affected consumers. The Court also dismissed the consumer protection claim because plaintiff failed to allege actual damages. Here, the Court held that “alleged injuries — the expenditure of time monitoring his account, the single fraudulent charge to his credit card, and the effort expended replacing his card — do not constitute actual damage,” and that the time the plaintiff spent protecting himself against the threat of future identity theft “does not amount to an out-of-pocket loss.” Id. at 10. With respect to the allegedly fraudulent charge, the Court noted that Mr. Holmes did not allege that he suffered any “pecuniary loss” as it is customary in the payment card industry for the financial institution to reimburse the account holder for fraudulent charges and plaintiff did not allege that the charges were unreimbursed.