Orrick’s cybersecurity and privacy litigation team today won complete dismissal in a federal appeals court of all class action claims against Supervalu in connection with 2014 cyberattacks. The U.S. Court of Appeals for the Eighth Circuit’s unanimous decision established important limitations on plaintiffs’ ability to bring these types of claims and will likely bolster data breach defendants’ efforts to obtain dismissal.
The published opinion backed the key arguments raised by the Orrick team, led by partner Doug Meal, head of the firm’s Cyber & Privacy litigation practice. The case stems from class action claims raised against Supervalu by sixteen consumer plaintiffs over the cyberattacks that were consolidated in the U.S. District Court for the District of Minnesota. Fifteen of the sixteen named plaintiffs were previously dismissed on Article III standing grounds, and their dismissal was affirmed on a prior appeal, because they failed to plead an actual or imminent injury from the attacks. These plaintiffs then sought to amend the complaint to bolster their injury allegations. Last year, the district court rejected the fifteen plaintiffs’ attempt to amend and also held that the sixteenth plaintiff failed to state a claim for which relief could be granted.
In today’s decision, the Eighth Circuit affirmed, holding that the fifteen plaintiffs’ attempt to amend was untimely, and that the remaining plaintiff failed to adequately plead his claims for negligence, violations of consumer protection statutes, implied contract, and unjust enrichment under Illinois law. The decision will likely set important precedent in data breach litigation, bolstering defendants’ efforts to dismiss these types of claims because it recognizes the important limits the law places on their viability.
For example, the court rejected plaintiff’s argument that a company like Supervalu has a duty to protect against the risk that the company itself would be victimized by a third-party criminal cyberattack. Specifically, in affirming the dismissal for failure to state a claim, the court refused to recognize a negligence-based duty on the part of companies to protect personal information under Illinois law. And in rejecting claims for implied contract and unjust enrichment, the court disagreed with the argument that Supervalu, merely by accepting payment cards in exchange for groceries, somehow impliedly promised consumers it would protect against cyberattacks or charged them for cybersecurity protection. The court also held that the fraudulent credit card charge that the plaintiff allegedly experienced was not an actual loss that can give rise to Illinois consumer protection claims.