It was about time for data breach defendants to get a win. The District Court for the Northern District of Illinois delivered one to Barnes & Noble in its long-running class action that stems from a breach suffered in 2012. Plaintiffs’ case was dismissed in its entirety on a motion to dismiss under Rule 12(b)(6). This development—just days after the Sixth Circuit in Nationwide had aligned itself with the Seventh Circuit’s Neiman Marcus and P.F. Chang’s decisions that found standing to sue for breach plaintiffs—shows that the legal battle over “harm” may start with standing, but goes nowhere absent alleged damages that tightly match the substantive elements of each claim.
The Sixth Circuit joined the growing trend of appellate courts holding that plaintiffs had demonstrated standing for data breach class actions in Galaria et al. v. Nationwide Mutual Insurance Company. In a recent order, the Sixth Circuit highlighted yet another fact that supports standing, that clients should consider in their post-breach response efforts: a recommendation that consumers set up fraud alerts and place security freezes on credit reports, without an accompanying offer to pay for the security freeze itself.
Last week, the Seventh Circuit revived a data breach class action against P.F. Chang’s restaurant in an important opinion that continues a plaintiff-friendly trend that began with the court’s opinion in the Neiman Marcus case that we previously reported on here. The court used statements that P.F. Chang’s made in response to the breach and protective remediation measures it implemented to draw inferences that customers were at a risk of identity theft and harm, and then used those inferences to find that plaintiffs had standing to proceed with their litigation. The case raises new issues that organizations should consider in crafting post-breach communications, and important takeaway lessons that may help increase the likelihood of obtaining dismissal of data breach class actions at the pleadings stage.