Melissa Alleruzzo v. SuperValu, Inc.
870 F.3d 763
| 8th Cir. | 2017Background
- In 2014 defendants SuperValu, AB Acquisition, and New Albertsons suffered two malware intrusions that accessed payment-card processing systems at over 1,000 stores; press releases acknowledged possible theft of card data and ongoing investigations.
- Sixteen named plaintiffs (customers who used cards at affected stores) filed a consolidated putative class action alleging defendants failed to secure Card Information (e.g., used weak/default passwords, lacked network segmentation and lockouts).
- Plaintiffs asserted claims including state consumer-protection statutes, negligence, breach of implied contract, negligence per se, and unjust enrichment.
- The district court dismissed under Fed. R. Civ. P. 12(b)(1) for lack of Article III standing, finding the complaint failed to allege an injury-in-fact; plaintiffs appealed.
- On appeal the Eighth Circuit held that only one named plaintiff (Holmes) alleged a present, concrete injury (an actual fraudulent charge) sufficient for Article III standing; the remaining plaintiffs’ allegations of increased risk of future identity theft were insufficiently supported.
- Court reversed dismissal as to Holmes, affirmed dismissal as to the other named plaintiffs, and remanded for further proceedings (leaving Rule 12(b)(6) issues for the district court).
Issues
| Issue | Plaintiff's Argument | Defendant's Argument | Held |
|---|---|---|---|
| Whether plaintiffs have Article III standing based on increased risk of future identity theft after card-data breach | Theft of card data creates a substantial risk of future identity theft sufficient for injury-in-fact | Allegations show only access, not proven theft or misuse; risk is speculative and insufficient for standing | Future-risk allegations insufficient; plaintiffs failed to show a substantial risk of identity theft |
| Whether a named plaintiff alleging actual misuse (fraudulent charge) has standing | Holmes’s alleged fraudulent charge is a concrete injury fairly traceable to the breach | Holmes’ allegation is conclusory, lacks detail, and may be unrelated to defendants’ breach | Holmes has standing: his alleged fraudulent charge is a present injury fairly traceable to the breach |
| Whether mitigation expenditures (time/effort monitoring accounts) can create standing absent substantial future-risk | Time spent mitigating risk is a concrete injury | Self-inflicted mitigation based on speculative future harm cannot create standing | Mitigation costs do not confer standing where future harm is speculative |
| Whether standing must be shown collectively for all named plaintiffs or can be based on one representative | Class action can proceed if at least one named plaintiff has standing | Defendants urged dismissal because only Holmes alleged misuse | Standing is assessed individually; one named plaintiff with standing suffices to confer jurisdiction for the class action to proceed |
Key Cases Cited
- Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (Sup. Ct. 2016) (standing requires concrete and particularized injury)
- Lujan v. Defenders of Wildlife, 504 U.S. 555 (Sup. Ct. 1992) (injury must be concrete, particularized, and actual or imminent)
- Clapper v. Amnesty Int’l USA, 568 U.S. 398 (Sup. Ct. 2013) (future injury requires certainly impending or substantial risk)
- Susan B. Anthony List v. Driehaus, 134 S. Ct. 2334 (Sup. Ct. 2014) (describing substantial-risk standard for future injury)
- Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688 (7th Cir. 2015) (data-breach standing analysis; actual misuse can support standing)
- Resnick v. AvMed, Inc., 693 F.3d 1317 (11th Cir. 2012) (actual identity fraud after data loss is fairly traceable to defendant’s failure to secure data)
- Beck v. McDonald, 848 F.3d 262 (4th Cir. 2017) (insufficient evidence of substantial future risk based on breach allegations)
- Lewert v. P.F. Chang’s China Bistro, Inc., 819 F.3d 963 (7th Cir. 2016) (present fraudulent charges and mitigation efforts can support standing for named plaintiff)
- Carlsen v. GameStop, Inc., 833 F.3d 903 (8th Cir. 2016) (pleading-stage standards; accept factual allegations as true)
- Bennett v. Spear, 520 U.S. 154 (Sup. Ct. 1997) (causal-connection discussion relevant to traceability)
- Lexmark Int’l, Inc. v. Static Control Components, Inc., 134 S. Ct. 1377 (Sup. Ct. 2014) (Article III standing not dependent on merits' proximate-cause analysis)