United States District Court, N.D. Illinois, Eastern Division
July 14, 2014
CHRISTINA MOYER, MICHAEL GOUWENS, JESSICA GOUWENS, NANCY MAIZE, JESSICA GORDON, and DANIEL RIPES, individually and on behalf of all others similarly situated, Plaintiffs,
MICHAELS STORES, INC., Defendant.
MEMORANDUM OPINION AND ORDER
ELAINE E. BUCKLO, District Judge.
Six Illinois residents have sued Michaels Stores, Inc. ("Michaels" or "Defendant"), an arts and crafts retailer, for failing to secure their credit and debit card information during in-store transactions made between May 8, 2013 and January 27, 2014. The complaint asserts claims for breach of implied contract (Count I) and violations of state consumer fraud statutes (Counts II-IV). See Dkt. No. 47 ("Compl."). Michaels argues that Plaintiffs lack standing and have failed to state a claim upon which relief may be granted. See Fed.R.Civ.P. 12(b)(1), 12(b)(6). I grant Defendant's motion to dismiss for the reasons stated below.
In presenting the facts, I accept as true all well-pled allegations in the complaint and draw all reasonable inferences in Plaintiffs' favor. Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009). However, "[I am] not bound to accept as true a legal conclusion couched as a factual allegation."
On January 25, 2014, Michaels posted the following announcement on its website:
As you may have read in the news, data security attacks against retailers have become a major topic of concern. We recently learned of possible fraudulent activity on some U.S. payment cards that had been used at Michaels, suggesting we have experienced a data security attack.
We are working closely with federal law enforcement and are conducting an investigation with the help of third-party data security experts to establish the facts. Although the investigation is ongoing, based on the information we have received and in light of the widely-reported criminal efforts to penetrate the data systems of U.S. retailers, we believe it appropriate to notify our customer that a potential issue have may have occurred.
... If we find as part of our investigation that any of our customers were affected, we will offer identity protection and credit monitoring services to them at no cost.
Compl. at ¶ 2 (referencing and providing link to press release that Michaels posted on Jan. 25, 2014); see also Adams v. City of Indianapolis, 742 F.3d 720, 729 (7th Cir. 2014) (documents referenced in the complaint and central to the claims asserted may be considered at the motion to dismiss stage without converting underlying motion to one for summary judgment).
Several Michaels customers filed suit in this district shortly after the company disclosed "possible fraudulent activity" on credit and debit cards used to make in-store purchases. See Moyer v. Michaels Stores, Inc., No. 14 C 561 (N.D. Ill.) (filed on Jan. 27, 2014); Gouwens et al. v. Michaels Stores, Inc., No. 14 C 648 (N.D. Ill.) (filed on January 29, 2014); Maize et al. v. Michaels Stores, Inc., No. 14 C 1299 (N.D. Ill.) (filed on Feb. 21, 2014); Ripes v. Michaels Stores, Inc., 14 C 1827 (N.D. Ill.) (filed on Mar. 14, 2014).
On April 16, 2014, I granted various motions to reassign and consolidate the four cases referenced above. See Dkt. No. 43. One day later, Michaels issued a second press release confirming that the company had, in fact, experienced a data security breach at "a varying number of stores between May 8, 2013 and January 27, 2014." Compl. at ¶ 3 (referencing and providing link to press release that Michaels posted on Apr. 17, 2014). Michaels reported that malicious software or "malware" had attacked point-of-sale systems containing customers' payment card numbers and expiration dates. The company's investigation revealed that the data breach impacted approximately 2.6 million credit or debit cards.
At the time it issued the April 17, 2014 press release, Michaels claimed that it had received a "limited number of reports from the payment card brands and banks of fraudulent use of payment cards potentially connected to Michaels or Aaron Brothers." Def.'s Ex. B. In light of these reports, Michaels offered twelve months of identity protection, credit monitoring, and fraud assistance services to affected customers at no cost.
Plaintiffs in this consolidated class action are six customers who made a credit or debit card purchase at a Michaels store in Illinois during the data breach period. They believe that their credit or debit card information was exposed and could be misused. Christina Moyer ("Moyer") is the only plaintiff who purchased credit monitoring or other protection to guard against the risk of identity theft. See Compl. at ¶ 12. Notably, Plaintiffs have not incurred fraudulent charges on the credit or debit cards they swiped at a Michaels store during the data breach period.
The consolidated complaint asserts nationwide class claims for breach of implied contract (Count I) and violation of state consumer fraud statutes (Count II). Alternatively, Plaintiffs assert consumer fraud claims on behalf of sub-classes comprised of Illinois (Count III) and New York (Count IV) consumers.
Michaels has moved to dismiss the consolidated complaint on two grounds: (1) Plaintiffs lack standing because their asserted injuries are too speculative and (2) Plaintiffs have failed to state a plausible claim upon which relief may be granted. These arguments raise distinct concerns about jurisdiction and the legal sufficiency of the complaint. See Payton v. County of Carroll, 473 F.3d 845, 851 (7th Cir. 2007) (cautioning against the conflation of standing analysis and analysis on the merits).
I start with a preliminary issue that neither party has address: whether the injuries allegedly sustained by a New York resident and putative class member, Mary Jane Whalen ("Whalen"), can provide standing for the six Illinois consumers with live claims against Michaels.
Whalen was the named plaintiff in the only data breach case filed against Michaels outside of Illinois. See Whalen v. Michaels Stores, Inc., No. 14 C 1756 (E.D.N.Y.). According to Whalen's complaint, she made a purchase from a Michaels store in Manhasset, New York using her credit card on December 31, 2013. See id., Dkt. No. 1 ("Whalen Compl.") at ¶ 12. Approximately two weeks after making this purchase, Whalen received notice that the credit card she swiped at Michaels had been charged by a gym and a concert ticket company in Ecuador. Id. at ¶¶ 29, 31. Whalen had never been to Ecuador or voluntarily given her credit card information to anyone traveling there. Id. at ¶ 30. Based on these facts, Whalen surmised that someone had obtained her credit card information from the point-of-sale system at Michaels and created a counterfeit card. Id. at ¶ 33. She promptly called American Express, which cancelled her card and issued a replacement. Id. at ¶ 32.
On March 18, 2014, Whalen filed a four-count class action complaint against Michaels. She voluntarily dismissed this case on April 11, 2014, less than one month after filing the complaint. This dismissal mooted Defendant's motion for a multi-district litigation proceeding encompassing all data breach cases. See In re Michaels Stores, Inc. Customer Data Security Litigation, MDL No. 2547, Dkt. No. 15 (terminating Def.'s motion as moot on Apr. 29, 2014).
Whalen has not re-filed her case against Michaels in another judicial district. Nor has she moved to intervene in any of the cases consolidated before me. Although Whalen may be a putative class member (assuming she has not released her claims against Michaels in exchange for voluntarily dismissing her individual case), she is not a party to this action. Therefore, I must dismiss Count IV, which alleges a violation of New York's consumer fraud statute. See Goshen v. Mutual Life Ins. Co. of New York, 774 N.E.2d 1190, 1195 (N.Y. 2002) (holding that New York's consumer fraud statute extends only to deception of consumers occurring in New York). Despite Whalen's status as only a putative class member, the consolidated complaint describes her as a "Plaintiff" and lifts allegations from the complaint that she voluntarily dismissed. See Compl. at ¶ 15. The signature line of the complaint also lists Whalen's name, but does not specify which attorney(s) or law firm(s) purports to represent her. Curiously, Michaels also refers to Whalen as a plaintiff and argues that she does not have standing.
It is well-established that Plaintiffs cannot establish standing based solely on injuries sustained by members of the putative class they seek to represent:
That a suit may be a class action... adds nothing to the question of standing, for even named plaintiffs who represent a class "must allege and show that they personally have been injured, not that injury has been suffered by other, unidentified members of the class to which they belong and which they purport to represent."
Simon v. Eastern Ky. Welfare Rights Org., 426 U.S. 26, 40 n.20 (1976) (quoting Warth v. Seldin, 422 U.S. 490, 502 (1975)); see also O'Shea v. Littleton, 414 U.S. 488, 494 (1974) ("[I]f none of the named plaintiffs purporting to represent a class establishes the requisite of a case or controversy with the defendants, none may seek relief on behalf of himself or any other member of the class."); Payton v. County of Kane, 308 F.3d 673, 682 (7th Cir. 2002) ("Standing cannot be acquired through the back door of a class action." (internal quotation omitted)).
"[F]or any of the individual plaintiffs to continue to litigate on behalf of the class in the present case, he or she must establish standing in his or her own right." Hope, Inc. v. DuPage County, Ill., 738 F.2d 797, 805 (7th Cir. 1984) (en banc). However, as explained infra in Section III.B, Whalen's allegations inform my analysis of whether the risk of identity theft facing Plaintiffs is sufficiently imminent to give them Article III standing.
"To establish Article III standing, a plaintiff must show (1) an injury in fact (2) a sufficient causal connection between the injury and the conduct complained of, and (3) a likelihood that the injury will be redressed by a favorable decision." Susan B. Anthony List v. Driehaus, ___ S.Ct. ___ (2014), 2014 WL 2675871, at *5 (internal quotations omitted). "An injury sufficient to satisfy Article III must be concrete and particularized and actual or imminent, not conjectural or hypothetical." Id. (internal quotations omitted).
There is a subtle but important distinction between (1) whether an injury gives a litigant standing and (2) whether the same injury gives rise to a legal claim upon which relief may be granted. "[W]hile a litigant need not definitively establish that a right of his has been infringed, ' he must have a colorable claim to such a right' to satisfy Article III." Bond v. Utreras, 585 F.3d 1061, 1073 (7th Cir. 2009) (quoting Aurora Loan Servs., Inc. v. Craddieth, 442 F.3d 1018, 1024 (7th Cir. 2006)). An Article III injury "must be to the sort of interest that the law protects when it is wrongfully invaded." Aurora Loan Servs., 442 F.3d at 1018 (emphasis in original). This is "quite different from requiring [Plaintiffs] to establish a meritorious legal claim" as an precondition for standing. Id. (emphasis in original).
Defendant first argues that three Plaintiffs-Michael and Jessica Gouwens (the "Gouwens") and Daniel Ripes ("Ripes")- suffered no cognizable injury because they did not shop at an affected Michaels store during the data breach exposure period. I cannot accept Defendant's assertions about the scope of the data breach as true at the motion to dismiss stage. The consolidated complaint cites a press release that Michaels issued on April 17, 2014, which refers to a separate list of impacted stores and exposure dates. See Compl. at ¶ 3. Although the complaint links to the April 17 press release, it does not link or otherwise refer to the separate list detailing when and where the data breach allegedly occurred. See Def.'s Ex. C ("Affected U.S. Michaels Stores and Dates of Exposure, " available at www.michaels.com/mik-list). Absent a citation to this specific list, I decline to find that the Gouwens and Ripes have pled themselves out of court by adopting the company's statements about the scope of the data security breach.
Turning to the asserted bases for Article III standing in this case, Plaintiffs argue that they suffered the following injuries: (1) an elevated risk of identity theft and costs associated with protecting themselves against this risk; (2) overpayment for goods that Michaels allegedly priced to reflect the added cost of securing credit and debit card information; (3) a lost property interest in their personal identifying information and its alleged commercial value; and (4) "additional... monetary losses arising from unauthorized bank account withdrawals, fraudulent card payments, and/or related bank fees charged to their accounts, " Compl. at ¶ 41. The only concrete monetary loss incurred by any of the six Plaintiffs is Moyer's purchase of credit monitoring protection to mitigate the risk of identity theft. Id. at ¶ 11. The other alleged monetary losses alleged are intangible or conclusory. See infra at Section IV.
I start (and ultimately end) with the first type of asserted injury: the elevated risk of identity theft arising from the data security breach. Michaels argues that this injury is too speculative to establish Article III standing.
The Supreme Court has repeatedly held that "imminent" as opposed to "actual" injuries are sufficient to satisfy the constitutional injury-in-fact requirement: "An allegation of future injury may suffice if the threatened injury is certainly impending, ' or there is a substantial risk' that the harm will occur." Susan B. Anthony List, 2014 WL 2675871, at *5 (quoting Clapper v. Amnesty Int'l USA, 133 S.Ct. 1138, 1147, 1150 n.5 (2013)).
The Seventh Circuit has held that a consumer who faces an elevated risk of identity theft stemming from a data security breach satisfies the injury-in-fact requirement even if he or she has not suffered a direct financial loss. See Pisciotta v. Old National Bancorp., 499 F.3d 629, 634 (7th Cir. 2007) (noting that "the injury-in-fact requirement can be satisfied by a threat of future harm or by an act which harms the plaintiff only by increasing the risk of future harm that the plaintiff would have otherwise faced, absent the defendant's actions"); see also Katz v. Pershing, LLC, 672 F.3d 64, 80 (1st Cir. 2012) (identifying circuit split over whether increased risk of harm stemming from a data security breach constitutes an Article III injury).
Michaels argues that the Supreme Court's recent decision in Clapper effectively abrogates Pisciotta by imposing a tighter imminence requirement for plaintiffs seeking to establish standing based on a future risk of harm. Two courts in this district have agreed with Michaels on this point. See Strautins v. Trustware Holdings, Inc., No. 12 C 9115, 2014 WL 960816, at *4 (N.D. Ill. Mar. 12, 2014) (Tharp, J.) (" Clapper compels rejection of Strautins' claim that an increased risk of identity theft is sufficient to satisfy the injury-in-fact requirement for standing."); In re Barnes & Noble Pin Pad Litig., No. 12 C 8617, 2013 WL 4759588, at *3 (N.D. Ill. Sept. 3, 2013) (Darrah, J.) (citing Clapper in support of the proposition that "[m]erely alleging an increased risk of identity theft or fraud is insufficient to establish standing").
I respectfully disagree with my colleagues that Clapper should be read to overrule Pisciotta 's holding that an elevated risk of identity theft is a cognizable injury-in-fact. See In re Sony Gaming Networks and Customer Data Security Breach Litig., MDL No. 11-md-2258, 2014 WL 223677, at *8-9 (S.D. Cal. Jan. 21, 2014) (rejecting argument that Clapper overruled Ninth Circuit precedent, Krottner v. Starbucks, 628 F.3d 1139, 1142-43 (9th Cir. 2010), that adopts Pisciotta 's reasoning).
First, Clapper applied the imminence requirement in an "especially rigorous" fashion given that the merits of the case would have required the Court to decide whether the FISA Amendments Act of 2008, 122 Stat. 2426, was unconstitutional. See 133 S.Ct. at 1147. The extent to which Clapper 's admittedly rigorous standing analysis should apply in a case that presents neither national security nor constitutional issues is an open question. See Strautins, 2014 WL 960816, at *5 n.11 ("[T]he question of whether the risk of identity theft confers standing on [a consumer], and the import of Clapper for standing analysis in the Seventh Circuit, is a question on which reasonable minds may differ.").
Second, the Supreme Court's most recent decision on the injury-in-fact requirement, Susan B. Anthony List, catalogues the myriad circumstances in which a risk of future harm-such as enforcement of an allegedly unconstitutional law-has been deemed sufficiently imminent to establish Article III standing. See 2014 WL 2675871, at *6-7 (citing Steffel v. Thompson, 415 U.S. 452, 459 (1979) (finding sufficiently imminent injury where risk of enforcement was not "chimerical"); Babbitt v. Farm Workers, 442 U.S. 289, 302 (1979) (finding sufficiently imminent injury where fear of prosecution was not "imaginary or wholly speculative"); Virginia v. American Booksellers Ass'n Inc., 484 U.S. 383, 393 (1988) (finding sufficiently imminent injury where fear of prosecution was "well-founded"); Holder v. Humanitarian Law Project, 561 U.S. 1, 15 (2010) (finding sufficiently imminent injury where fear of prosecution was "credible"). The labels used to describe the imminence requirement in these cases-i.e., injury risks that are not "chimerical, " "imaginary, " or "wholly speculative" or, conversely, ones that are "credible" and "well-founded"-sound less demanding than Clapper 's rigorous application of the "certainly impending" standard. 133 S.Ct. at 1147.
Here, as in Susan B. Anthony List and the cases cited therein, Plaintiffs have presented evidence that they face a credible, non-speculative risk of future harm. Although Plaintiffs cannot establish standing based solely on Whalen's injuries, the fraudulent charges she incurred within two weeks of shopping at Michaels informs my analysis of whether the risk of identity theft facing these Plaintiffs is substantial and well-founded. See Susan B. Anthony List, 2014 WL 2675871 at *9-10 (citing past enforcement of challenged law as evidence that threat of future enforcement was substantial); Humanitarian Law Project, 561 U.S. at 16 (same); Steffel, 415 U.S. at 459 (same); cf. Clapper, 133 S.Ct. at 1148 (noting absence of evidence that asserted risk of injury had ever materialized in the past). The allegation that Whalen incurred fraudulent credit card charges makes this case analogous to cases where the Court found a sufficiently imminent risk of injury based on evidence that the relevant risk had materialized in similar circumstances.
Third, the chain of causation connecting a data security breach and identity theft is not so attenuated that is makes the latter risk speculative or hypothetical. The Supreme Court found a sufficiently imminent risk of future harm in Monsanto v. Geertson Seed Farms, 561 U.S. 139 (2010), based on a causal chain that was less direct than the link between a malware attack on credit and debit card systems and identity theft.
In Monsanto, conventional alfalfa farmers had standing to seek injunctive relief because the agency's decision to deregulate a variety of genetically engineered alfalfa gave rise to a "significant risk of gene flow to non-genetically-engineered varieties of alfalfa." The standing analysis in that case hinged on evidence that genetically engineered alfalfa "seed fields were currently being planted in all the major alfalfa seed production areas"; the bees that pollinate alfalfa "have a range of at least two to ten miles"; and the alfalfa seed farms were concentrated in an area well within the bees' pollination range.
Clapper, 133 S.Ct. at 1153-54 (quoting Monsanto, 561 U.S. at 155 and n.3). If a bee's anticipated pollination patterns create a sufficiently imminent risk of injury to alfalfa farmers who fear gene flow from genetically engineered plants in nearby fields, I fail to see how the transfer of information from a data hacker to an identity thief (assuming they are not one and the same) could be deemed an overly attenuated risk of harm.
In sum, I conclude that the elevated risk of identity theft stemming from the data breach at Michaels is sufficiently imminent to give Plaintiffs standing. This conclusion follows from Pisciotta and is consistent with a host of Supreme Court decisions finding standing based on an imminent risk of future injury. Clapper is distinguishable based on its admittedly rigorous application of the "certainly impending" standard in a case that involved (1) national security and constitutional issues and (2) no evidence that the relevant risk of harm had ever materialized in similar circumstances.
Having found standing based on one of Plaintiffs' asserted injuries, I need not address their other standing theories. See Bd. of Educ. of Ottawa Township High Sch. Dist. 140 v. Spellings, 517 F.3d 922, 925 (7th Cir. 2008) (declining to address alternative standing theories where one asserted injury satisfied Article III requirements).
Defendant's alternative argument for dismissal is that Plaintiffs have failed to state any claims upon which relief may be granted. See Gould v. Schneider, 448 Fed.Appx. 615, 618 (7th Cir. 2011) ("Having standing... does not mean that [Plaintiffs have] stated a claim."). In order to survive a motion to dismiss under Rule 12(b)(6), Plaintiffs must plead enough facts to "state a claim to relief that is plausible on its face." Bell Atlantic Corp. v. Twombly, 550 U.S. 544, 570 (2007).
Plaintiffs' state law claims for breach of implied contract (Count I) and violation of the Illinois Consumer Fraud and Deceptive Business Practices Act ("Consumer Fraud Act") (Counts II and III), 815 ILCS § 505/1 et seq., contain the same flaw that led to dismissal of similar claims in Pisciotta. The banking customers in Pisciotta whose personal information was stolen in a data security breach brought claims under Indiana law for negligence and breach of implied contract. See 499 F.3d at 632. The plaintiffs were not identity theft victims and had not incurred any direct financial losses to their bank accounts. Id. Nevertheless, they sought "compensation for past and future credit monitoring services that they have obtained in response to the compromise of their personal data." Id. at 631. After holding that the plaintiffs had suffered a cognizable injury-in-fact because they faced an elevated risk of identity theft, the Seventh Circuit affirmed judgment for the bank in Pisciotta because actual monetary damage (beyond the cost of credit monitoring services) was a required element of their state law claims. Id. at 635.
Here, as in Pisciotta, Plaintiffs' claims must be dismissed because they have failed to plead a required element of their Illinois law claims for breach of contract and consumer fraud: actual monetary damages. "Damages are an essential element of a breach of contract action and a claimant's failure to [plead or] prove damages entitles the defendant to judgment as a matter of law." In re Illinois Bell Tele. Link-Up II, 994 N.E.2d 553, 558 (Ill.App.Ct. 2013) (noting that "proper measure of damages for a breach of contract is the amount of money necessary to place the plaintiff in a position as if the contract had been performed"). Actual damages are also a required element of Consumer Fraud Act claims. See Cooney v. Chicago Public Schools, 943 N.E.2d 23, 30-31 (Ill.App.Ct. 2010) ("[P]laintiffs must allege actual damages to bring a Consumer Fraud Act action." (citing 815 ILCS § 505/10(a)); see also Morris v. Harvey Cycle & Camper, Inc., 911 N.E.2d 1049, 1053 (Ill.App.. Ct. 2009) (affirming dismissal of Consumer Fraud Act claim that failed to allege specific economic injuries).
All of Plaintiffs' alleged injuries do not constitute actual economic damage under Illinois law. Illinois courts have rejected the argument that an elevated risk of identity theft constitutes actual damage for purposes of stating common law or statutory claims. See Williams v. Manchester, 888 N.E.2d 1, 13 (Ill. 2008) ("[A]s a matter of law, an increased risk of future harm is an element of damages that can be recovered for a present injury-it is not the injury itself." (emphasis in original)); see also Cooney, 943 N.E.2d at 31 (citing Williams in support of holding that increased risk of identity theft is not a form of "actual damages" under the Consumer Fraud Act).
Moyer's purchase of credit monitoring protection also falls short of constituting an economic injury under Illinois law. Id. (collecting N.D.Ill. cases holding that purchase of credit monitoring services, without more, is not an economic injury under Illinois law); see also Worix v. MedAssets, Inc., 857 F.Supp.2d 699, 704-5 (N.D. Ill. 2012) (collecting cases dismissing negligence claims where the only damage alleged was the cost of guarding against risk of identity theft).
The other monetary losses alleged in the complaint are conclusory. For instance, Plaintiffs allegedly suffered "monetary losses arising from unauthorized bank account withdrawals, fraudulent card payments, and/or related bank fees charged to their accounts." Compl. at ¶ 41. This allegation is entirely conclusory, particularly compared to In re Michaels Store Pin Pad Litigation, 830 F.Supp.2d 518, 527, 531-32 (N.D. Ill. 2011), where the court denied a motion to dismiss breach of contract and consumer fraud claims because plaintiffs alleged specific unauthorized withdrawals from their bank accounts. See Def.'s Ex. E at ¶¶ 16-19 (identifying specific unauthorized withdrawals allegedly resulting from data security breach).
As for the allegation that Plaintiffs overpaid for goods that Michaels supposedly priced to reflect the added cost of protecting credit and debit card information, Plaintiffs have not pled enough facts to support an inference that Michaels charged customers a premium for data security protection. See In re Barnes & Noble Pin Pad Litig., 2013 WL 4759588 at *5 ("Plaintiffs have not pled that [retailer] charged a higher price for goods [where] a customer pays with credit, and therefore, that additional value is expected in the use of a credit card.").
In sum, although Plaintiffs have standing, they have not pled the type of actual economic damage necessary to state Illinois law claims for breach of implied contract (Count I) or violation of the Consumer Fraud Act (Counts II and III). These claims are therefore dismissed.
Defendant's motion to dismiss is GRANTED for the reasons stated above.