In Re Supervalu, Inc.: an Analysis of Article Iii Standing and the Circuit Split in Data Breach Cases

• Publication year: 2022

52 Creighton L. Rev. 97. IN RE SUPERVALU, INC.: AN ANALYSIS OF ARTICLE III STANDING AND THE CIRCUIT SPLIT IN DATA BREACH CASES

IN RE SUPERVALU, INC.: AN ANALYSIS OF ARTICLE III STANDING AND THE CIRCUIT SPLIT IN DATA BREACH CASES

JENNIFER A. NOVOTNY-'20

I. INTRODUCTION

In 2017, the number of data breaches affecting the United States reached an all-time high with 1,579 breaches exposing roughly 179 million records. ^[1] The prevalence of data breaches has resulted in more litigation and larger verdicts, making it important for both companies and consumers to consider their risks and rights in mitigating the disastrous effects of data breaches. ^[2] When a data breach occurs, the threat of future fraudulent activity or identity theft resulting from the breach must be considered to determine if a party can bring an action for recovery. ^[3]

Article III of the United States Constitution gives federal courts the authority to hear cases and controversies. ^[4] The United States Supreme Court established the Article III standing doctrine, which enabled courts to determine if complaints present cases or controversies. ^[5] The standing doctrine requires that the plaintiff meet three requirements: (1) the plaintiff suffered an injury in fact, (2) there is a causal connection linking the injury suffered and the conduct complained of, and (3) the injury is redressable by the court. ^[6] The injury required by the standing doctrine must be concrete and particularized and actual or imminent. ^[7] The injury requirement can be complicated in cases involving the threat of future injuries or current injuries that are selfimposed to mitigate the effects of future harms. ^[8]

Circumstances involving future injuries often arise in data breach cases. ^[9] Courts are currently split on whether a plaintiff can bring an action for a data breach that has not yet resulted in identity theft or fraudulent charges, but has the potential to cause such harms in the future. ^[10] The United States Courts of Appeals for the Ninth, Sixth, and Seventh Circuits have found the threat of future harm following a data breach sufficient for standing, but the Eighth and Fourth Circuits have determined that the threats of future harm are too speculative or attenuated to establish standing. ^[11]

The United States Court of Appeals for the Eighth Circuit addressed the standing issue for data breaches in In re SuperValu, Inc. ^[12] and affirmed in part and reversed in part the United States District Court for the District of Minnesota's dismissal of a putative class action for lack of standing. ^[13] Sixteen plaintiffs brought a class action against the owners of several grocery stores that suffered data breaches in which hackers were able to access the companies' computer networks using malicious software. ^[14] The District of Minnesota dismissed the claim because the plaintiffs lacked standing. ^[15] On appeal, the Eighth Circuit agreed that the threat of future injury from fraudulent activity or identity theft was too speculative to be considered an imminent injury sufficient for Article III standing. ^[16]

This Note will discuss the Eighth Circuit's incorrect conclusion in In re SuperValu, Inc. in light of the decisions of other circuit courts that found data breaches can present sufficiently imminent injuries to satisfy the Article III standing requirements. ^[17] First, this Note will describe the facts and holding of SuperValu. ^[18] Next, this Note will detail the background and origins of the standing doctrine. ^[19] This Note will then discuss Clapper v. Amnesty International, ^[20] which is relied on by a majority of the circuit courts to determine if a plaintiff has the proper injury to establish standing. ^[21] Additionally, this Note will discuss the circuit split concerning whether the threat of a future harm, arising from a data breach, constitutes an injury in fact. ^[22] Finally, this Note will argue that the Eighth Circuit erred in determining that the plaintiffs in SuperValu did not have a proper injury to establish standing. ^[23]

II. FACTS AND HOLDING

In In re SuperValu, Inc., ^[24] the United States Court of Appeals for the Eighth Circuit reversed in part and affirmed in part the United States District Court for the District of Minnesota's dismissal of a putative class action suit for lack of standing. ^[25] The defendants, SuperValu, Inc., AB Acquisition, LLC, and New Albertsons, Inc., owned and operated several grocery stores in Missouri, Illinois, Maryland, Pennsylvania, Delaware, Idaho, and New Jersey. ^[26] In 2014, from late June to mid-July, cyber criminals compromised defendants' computer network system, which controlled transactions for 1,045 of their stores, by installing malicious software. ^[27] The malicious software allowed the cyber criminals to gain access to valuable customer information including account numbers, names, CVV codes, ^[28] and personal identification numbers. ^[29] The defendants acknowledged the security breach and notified their customers through a press release, however, it was unclear whether customers' personal information was stolen or misused. ^[30] Shortly thereafter, another security breach occurred when cyber criminals used malicious software again to access the defendants' computer network. ^[31] On September 29, 2014, the defendants notified customers about the second security breach. ^[32]

Twelve customers who believed they were affected by the security breach originally brought four separate putative class actions against the defendants in various district courts. ^[33] The Judicial Panel on Multidistrict Litigation joined the cases for combined pretrail proceedings in the United States District Court for the District of Minnesota. ^[34] Eventually, sixteen named plaintiffs filed an amended complaint on June 26, 2015. ^[35] The plaintiffs alleged six causes of action and violations of both state consumer protection and data breach notification laws. ^[36] Only one of the plaintiffs, David Holmes, received a fraudulent charge on his credit card, which he alleged was a result of the defendants' security breach. ^[37] The defendants moved to dismiss for lack of subject matter jurisdiction and for failure to state a claim. ^[38]

The district court reasoned that speculation and fear of future identity theft or fraud resulting from the data breach was not an actual or imminent injury. ^[39] Therefore, the plaintiffs' alleged injuries did not meet the requirements for standing, so the district court granted the defendants' motion to dismiss the class action. ^[40]

The plaintiffs filed a motion to alter or amend the judgment, claiming that the district court erred in drawing inferences from the data breach, and did not adequately consider the benefit of the bargain theory of standing. ^[41] The plaintiffs also claimed there was new evidence that would establish standing. ^[42] The district court determined that it did not err in drawing inferences in favor of the nonmoving party because drawing inferences in favor of the plaintiffs would require the court to accept the plaintiffs' conclusory allegations and speculate about the actions of third parties. ^[43] The district court rejected the plaintiffs' argument that their benefit of the bargain theory was overlooked, by restating its original conclusion and refusing to allow the plaintiffs a second chance to reargue the theory. ^[44] Finally, the court reasoned that the plaintiffs' argument regarding the new evidence was not persuasive because the evidence could have been discovered earlier with proper due diligence and it was not likely to produce a different result. ^[45] Because it did not find merit in any of the plaintiffs' arguments, the district court denied the plaintiffs' motion to alter or amend the judgment. ^[46]

The plaintiffs appealed and the defendants cross-appealed to the United States Court of Appeals for the Eighth Circuit. ^[47] The Eighth Circuit agreed with the district court that the alleged future injury of fraudulent use of the stolen information was too speculative to be a concrete injury. ^[48] Furthermore, the Eighth Circuit found that because the stolen information did not contain social security numbers, driver's license information, or other personal identification matters, there was little risk that new fraudulent accounts would be opened up in the plaintiffs' names. ^[49] The plaintiffs relied on a report published by the United States Government Accountability Office, asserting that identity theft includes many activities such as fraudulent charges, creating new accounts, and utilizing stolen credit card information; however, the court determined that the data in the report showed that there was only a small possibility that the data breach would result in account fraud. ^[50] Because the Eighth Circuit determined that there was not a strong likelihood that any future injury would result from the data breaches, it found that the plaintiffs did not have standing. ^[51] However, one plaintiff, Holmes, whose account had a fraudulent charge following the data breach, did have standing because he suffered an actual injury. ^[52] Therefore, the United States Court of Appeals for the Eighth Circuit reversed the district court's dismissal of Holmes' claim and affirmed the dismissal of the claims brought by the remaining plaintiffs for lack of standing. ^[53]

III. BACKGROUND

A...