United States District Court, N.D. Illinois, Eastern Division
MEMORANDUM OPINION AND ORDER
R Wood United States District Judge
Ray Clutts, Heather Dieffenbach, Jonathan Honor, and Susan
Winstead filed this putative class action against Defendant
Barnes & Noble, Inc. in the wake of a data breach during
which hackers obtained personal identifying information
(“PII”) belonging to Barnes & Noble customers.
Plaintiffs purchased products with their credit or debit
cards at affected stores during the time period in which this
data breach occurred. This Court previously dismissed
Plaintiffs' Consolidated Class Action Complaint
(“Original Complaint”) for lack of Article III
standing. Plaintiffs subsequently filed their First Amended
Consolidated Class Action Complaint (“Amended
Complaint”), which Barnes & Noble has moved to dismiss
pursuant to Federal Rules of Civil Procedure 12(b)(1) and
12(b)(6) (“Motion”). (Dkt. No. 59.) For the
reasons stated below, the Court finds that Plaintiffs have
established standing but nonetheless have failed to state a
claim and thus dismisses all counts of the Amended Complaint.
September 2012, unsolicited individuals, known as
“skimmers, ” tampered with PIN pad terminals in
63 Barnes & Noble stores located in nine states. (Am. Compl.
¶¶ 2, 50, Dkt. No. 58.) Barnes & Noble uses these
PIN pad terminals to process its customers' credit and
debit card payments in its retail stores. (Id.
¶ 20.) Six weeks after discovering this potential
security breach, Barnes & Noble announced to the public that
these skimmers had potentially stolen customer credit and
debit information from the affected locations. (Id.
¶ 50.) Plaintiffs were customers of Barnes & Noble at
retail stores affected by the data breach during the time
period when this data breach occurred. (Id.
filed the Original Complaint on March 25, 2013. (Dkt. No.
39.) The Original Complaint pleaded five causes of action:
(1) breach of contract; (2) violation of the Illinois
Consumer Fraud and Deceptive Business Practices Act
(“ICFA”), 815 ILCS § 505/1 et seq.;
(3) invasion of privacy; (4) violation of the California
Security Breach Notification Act, Cal. Civ. Code §
1798.80 et seq.; and (5) violation of
California's Unfair Competition Act (“UCL”),
Cal. Bus. & Prof. Code § 17200 et seq.
Plaintiffs sought damages for, among other things:
unauthorized disclosure of their PII, loss of privacy,
expenses incurred attempting to mitigate the increased risk
of identity theft or fraud, time lost mitigating the
increased risk of identity theft or fraud, an increased risk
of identity theft, deprivation of the value of
Plaintiffs' PII, and anxiety and emotional distress.
April 30, 2013, Barnes & Noble filed a motion pursuant to
Federal Rules of Civil Procedure 12(b)(1) and 12(b)(6) to
dismiss the Original Complaint. (Dkt. No. 43.) The Court
granted the motion to dismiss the Original Complaint on
September 3, 2013 (“Order of Dismissal”), finding
that the Plaintiffs had failed to establish Article III
standing. (Order of Dismissal at 10, Dkt. No. 57.) The Court
granted Plaintiffs 21 days to re-plead the Complaint.
filed their Amended Complaint on September 24, 2013. (Dkt.
No. 58.) The Amended Complaint charges the same five causes
of action as the Original Complaint and also pleads virtually
identical facts. In fact, of the 143 paragraphs included in
the Amended Complaint, only six of them include factual
allegations that were not included in the Original
Complaint. These new allegations include the
. On information and belief, Barnes & Noble
has complete and full access to the list of credit and debit
card information that was skimmed from the affected PIN pad
devices. (Am. Compl. ¶ 3, Dkt. No. 58.)
. On information and
belief, Plaintiffs' and class
members' PII was stolen and disclosed by the skimmers
when Plaintiffs and class members swiped their credit and
debit cards at the affected Barnes & Noble stores during the
relevant time period. (Id. ¶ 4.)
. The skimmers were able to steal
Plaintiffs' and class members' PII, which caused
costs and expenses to Plaintiffs and class members
attributable to responding, identifying, and correcting
damages that were reasonably foreseeable as a result of
Barnes & Noble's willful and negligent conduct.
(Id. ¶ 5.)
. Winstead became aware of the Barnes &
Noble data breach in October 2012, shortly after a fraudulent
charge was incurred on her credit card in September 2012. At
the time of the fraudulent charge, Winstead was unaware of
any other recent data breaches that would have affected her
credit card. (Id. ¶ 17.)
. Prior to the security breach, Winstead
subscribed to identity protection monitoring, for which she
paid $16.99 per month. After finding out about the security
breach, Winstead continued to subscribe to identity
protection monitoring services, in part because of the
security breach. (Id. ¶ 18.)
. The cost to Barnes & Noble of collecting
and safeguarding PII is built into the purchase price of all
of its products sold at its stores, regardless of the method
of payment used by a purchaser. Plaintiffs and class members
suffered monetary damages in the form of overpaying for the
products they purchased, as they were denied the privacy
protections that they paid for. (Id. ¶ 71.)
& Noble's Motion seeks to dismiss the Amended Complaint
on two separate bases. First, Barnes & Noble moves to dismiss
the Amended Complaint under Federal Rule of Civil Procedure
12(b)(1), arguing that the Court lacks jurisdiction over
these claims because Plaintiffs have failed to allege injury
in fact adequately for purposes of Article III standing.
Second, Defendants move to dismiss all of Plaintiffs'
claims under Federal Rule of Civil Procedure 12(b)(6) for
failure to state a claim. The Court addresses each of these
arguments in turn.
Motion to Dismiss ...