Customer Data SEC. Breach Litig. Melissa Alleruzzo v. Supervalu, Inc. (In Re Supervalu, Inc.)
925 F.3d 955
| 8th Cir. | 2019Background
- In 2014, hackers stole customers’ payment-card data from stores operated by SuperValu, AB Acquisition, and New Albertsons; plaintiffs alleged the stores failed to safeguard that data and delayed public notice.
- Multiple putative class actions were consolidated; the district court dismissed for lack of standing (no plausible future identity-theft injury), and plaintiffs appealed.
- This court affirmed dismissal of all named plaintiffs except David Holmes, who alleged a present injury (an unauthorized charge), and remanded for consideration of Rule 12(b)(6) as to Holmes.
- On remand, Holmes’s amended complaint and a later-posted proposed amendment were denied (motion to amend treated as postjudgment and untimely), and the district court dismissed Holmes’s negligence, consumer-protection (ICFA/PIPA/UDTPA), implied-contract, and unjust-enrichment claims for failure to state a claim.
- The Eighth Circuit reviewed denial of leave to amend for abuse of discretion (found untimely under Rules 59/60) and reviewed dismissal de novo under Twombly/Iqbal plausibility standards, affirming dismissal on all claims.
Issues
| Issue | Plaintiff's Argument | Defendant's Argument | Held |
|---|---|---|---|
| Whether postjudgment motion for leave to amend was timely | Plaintiffs contended dismissal was without prejudice and Rule 15 standards apply | Defendants argued judgment was final and postjudgment standards (Rules 59/60) govern | Motion treated as postjudgment and untimely under Rules 59/60; denial affirmed |
| Whether Holmes adequately pleaded negligence under Illinois law | Holmes argued retailers owe a duty to protect card data (or FTCA-based duty) | SuperValu argued Illinois law does not impose such a duty and FTCA creates no private right | Illinois law unlikely to recognize such duty; negligence claim dismissed |
| Whether Holmes pleaded actionable consumer-protection claims (ICFA/PIPA/UDTPA) | Holmes relied on monitoring time, a single fraudulent charge, and card-replacement efforts as damages/likelihood | Defendants argued alleged harms were speculative or non-pecuniary and ICFA requires actual pecuniary loss; UDTPA requires likelihood of future harm | ICFA/PIPA/UDTPA claims fail: no pleaded actual pecuniary loss and no likely future harm; claims dismissed |
| Whether Holmes stated implied-contract or unjust-enrichment claims | Holmes alleged an implied promise to protect data and that his grocery payments unjustly enriched SuperValu due to lack of timely notice | Defendants argued no contract or benefit tied to data-security, and payments were for goods, not security | Implied-contract implausible; unjust enrichment fails because payment was for groceries, not data protection; both claims dismissed |
Key Cases Cited
- In re SuperValu, 870 F.3d 763 (8th Cir. 2017) (prior standing decision in this litigation)
- Ashcroft v. Iqbal, 556 U.S. 662 (2009) (pleading must be plausible, not mere conclusions)
- Bell Atl. Corp. v. Twombly, 550 U.S. 544 (2007) (plausibility standard for dismissal)
- Cmty. Bank of Trenton v. Schnuck Mkts., Inc., 887 F.3d 803 (7th Cir. 2018) (retailer duty to protect customer data disallowed under Illinois law)
- Wyndham Worldwide Corp., 799 F.3d 236 (3d Cir. 2015) (FTC enforcement actions addressing data-security practices)
- Cooney v. Chicago Pub. Schs., 943 N.E.2d 23 (Ill. App. Ct.) (Illinois appellate decision suggesting no tort duty to safeguard sensitive personal information)
- HPI Health Care Servs., Inc. v. Mt. Vernon Hosp., 545 N.E.2d 672 (Ill. 1989) (elements for unjust-enrichment in Illinois)