United States District Court, N.D. Illinois, Eastern Division
CHRISTINA MOYER, MICHAEL GOUWENS, JESSICA GOUWENS, NANCY MAIZE, JESSICA GORDON, and DANIEL RIPES, individually and on behalf of all others similarly situated, Plaintiffs,
MICHAELS STORES, INC., Defendant.
MEMORANDUM OPINION AND ORDER
ELAINE E. BUCKLO, District Judge.
Six Illinois residents have sued Michaels Stores, Inc. ("Michaels" or "Defendant"), an arts and crafts retailer, for failing to secure their credit and debit card information during in-store transactions made between May 8, 2013 and January 27, 2014. The complaint asserts claims for breach of implied contract (Count I) and violations of state consumer fraud statutes (Counts II-IV). See Dkt. No. 47 ("Compl."). Michaels argues that Plaintiffs lack standing and have failed to state a claim upon which relief may be granted. See Fed.R.Civ.P. 12(b)(1), 12(b)(6). I grant Defendant's motion to dismiss for the reasons stated below.
In presenting the facts, I accept as true all well-pled allegations in the complaint and draw all reasonable inferences in Plaintiffs' favor. Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009). However, "[I am] not bound to accept as true a legal conclusion couched as a factual allegation."
On January 25, 2014, Michaels posted the following announcement on its website:
As you may have read in the news, data security attacks against retailers have become a major topic of concern. We recently learned of possible fraudulent activity on some U.S. payment cards that had been used at Michaels, suggesting we have experienced a data security attack.
We are working closely with federal law enforcement and are conducting an investigation with the help of third-party data security experts to establish the facts. Although the investigation is ongoing, based on the information we have received and in light of the widely-reported criminal efforts to penetrate the data systems of U.S. retailers, we believe it appropriate to notify our customer that a potential issue have may have occurred.
... If we find as part of our investigation that any of our customers were affected, we will offer identity protection and credit monitoring services to them at no cost.
Compl. at ¶ 2 (referencing and providing link to press release that Michaels posted on Jan. 25, 2014); see also Adams v. City of Indianapolis, 742 F.3d 720, 729 (7th Cir. 2014) (documents referenced in the complaint and central to the claims asserted may be considered at the motion to dismiss stage without converting underlying motion to one for summary judgment).
Several Michaels customers filed suit in this district shortly after the company disclosed "possible fraudulent activity" on credit and debit cards used to make in-store purchases. See Moyer v. Michaels Stores, Inc., No. 14 C 561 (N.D. Ill.) (filed on Jan. 27, 2014); Gouwens et al. v. Michaels Stores, Inc., No. 14 C 648 (N.D. Ill.) (filed on January 29, 2014); Maize et al. v. Michaels Stores, Inc., No. 14 C 1299 (N.D. Ill.) (filed on Feb. 21, 2014); Ripes v. Michaels Stores, Inc., 14 C 1827 (N.D. Ill.) (filed on Mar. 14, 2014).
On April 16, 2014, I granted various motions to reassign and consolidate the four cases referenced above. See Dkt. No. 43. One day later, Michaels issued a second press release confirming that the company had, in fact, experienced a data security breach at "a varying number of stores between May 8, 2013 and January 27, 2014." Compl. at ¶ 3 (referencing and providing link to press release that Michaels posted on Apr. 17, 2014). Michaels reported that malicious software or "malware" had attacked point-of-sale systems containing customers' payment card numbers and expiration dates. The company's investigation revealed that the data breach impacted approximately 2.6 million credit or debit cards.
At the time it issued the April 17, 2014 press release, Michaels claimed that it had received a "limited number of reports from the payment card brands and banks of fraudulent use of payment cards potentially connected to Michaels or Aaron Brothers." Def.'s Ex. B. In light of these reports, Michaels offered twelve months of identity protection, credit monitoring, and fraud assistance services to affected customers at no cost.
Plaintiffs in this consolidated class action are six customers who made a credit or debit card purchase at a Michaels store in Illinois during the data breach period. They believe that their credit or debit card information was exposed and could be misused. Christina Moyer ("Moyer") is the only plaintiff who purchased credit monitoring or other protection to guard against the risk of identity theft. See Compl. at ¶ 12. Notably, Plaintiffs have not incurred fraudulent charges on the credit or debit cards they swiped at a Michaels store during the data breach period.
The consolidated complaint asserts nationwide class claims for breach of implied contract (Count I) and violation of state consumer fraud statutes (Count II). Alternatively, Plaintiffs assert consumer fraud claims on behalf of sub-classes comprised of Illinois (Count III) and New York (Count IV) consumers.
Michaels has moved to dismiss the consolidated complaint on two grounds: (1) Plaintiffs lack standing because their asserted injuries are too speculative and (2) Plaintiffs have failed to state a plausible claim upon which relief may be granted. These arguments raise distinct concerns about jurisdiction and the legal sufficiency of the complaint. See Payton v. County of Carroll, 473 F.3d 845, ...