In re Michaels Stores Pin Pad Litigation
830 F. Supp. 2d 518
| N.D. Ill. | 2011Background
- Michaels Stores, Inc. faced a consolidated class action over a 2011 data breach at its stores involving PIN pad tampering and skimming.
- Between February 8 and May 6, 2011, approximately ninety tampered PIN pads were placed in eighty Michaels stores across twenty states.
- Visa’s Global Mandate required Triple Data Encryption Standard by 2010 and PCI PIN Security Requirements to protect cardholder data.
- In 2006, Visa and others formed the PCI Security Standards Council; merchants were urged to implement best practices to prevent skimming and PIN pad swapping.
- Plaintiffs allege violations of the Stored Communications Act, Illinois Consumer Fraud Act (ICFA), negligence, negligence per se, and breach of implied contract.
- The court granted in part and denied in part Michaels’ Rule 12(b)(6) motion, dismissing SCA and negligence claims while allowing the implied contract claim to proceed.
Issues
| Issue | Plaintiff's Argument | Defendant's Argument | Held |
|---|---|---|---|
| Does SCA apply via electronic/remote computing services? | Plaintiffs allege Michaels provides electronic communications services through PIN pads. | Michaels is not in the business of providing electronic communications or remote computing services. | SCA does not apply; SCA claim dismissed. |
| Did Michaels engage in deceptive practices under ICFA? | Michaels’ failure to disclose security weaknesses constitutes deception. | No deceptive communication by Michaels is identified. | Deceptive-practice ICFA claim dismissed. |
| Were Michaels’ acts an unfair practice under ICFA? | Failure to comply with Visa/PCI security and delayed notice constitutes unfair conduct causing injury. | Plaintiffs failed to demonstrate unfairness beyond general security concerns. | Unfair-practice ICFA claim survives to the extent supported by violation of security standards and notice issues. |
| Have Plaintiffs alleged actual damages under ICFA? | Increased risk and credit-monitoring costs are recoverable damages. | Increased risk/credit monitoring alone is not an injury; actual losses required. | Plaintiffs sufficiently alleged actual injuries from unauthorized withdrawals and related bank fees. |
| Do negligence and negligence-per-se claims survive under Moorman/economic loss rules? | Michaels’ security failures caused economic damages independent of contract. | Economic loss rule bars purely economic tort claims in this context. | Negligence and negligence-per-se claims are dismissed as barred by the economic loss rule; no applicable exception. |
Key Cases Cited
- Moorman Mfg. Co. v. Nat'l Tank Co., 91 Ill.2d 69 (Ill. 1982) (economic loss rule governs tort recovery for purely economic losses)
- Congregation of the Passion, Holy Cross Province v. Touche Ross & Co., 159 Ill.2d 137 (Ill. 1994) (professional malpractice exception to economic loss rule; service-intangible analysis)
- Fireman’s Fund Ins. Co. v. SEC Donohue, Inc., 176 Ill.2d 160 (Ill. 1997) (economic loss doctrine applied to engineering context; tangible result doctrine)
- Anderson Elec. v. Ledbetter Erection Corp., 115 Ill.2d 146 (Ill. 1986) (economic loss rule discussed in professional service context)
- De Bouse v. Boyer, 235 Ill.2d 544 (Ill. 2009) (ICFA deception requires communicatd misrepresentation or omission)
- In re TJX Cos. Retail Sec. Breach Litig., 564 F.3d 489 (1st Cir. 2009) (unfairness under FTC framework recognized in data breach context)
- Robinson v. Toyota Motor Credit Corp., 201 Ill.2d 403 (Ill. 2002) (ICFA injury/consumer protection framework guidance)