Dieffenbach v. Barnes & Noble, Inc., No. 17-2408 (7th Cir. 2018)

Annotate this Case
Justia Opinion Summary

Barnes & Noble discovered that its PIN pads, used to verify payment information, had been compromised. The hackers acquired customers’ names, card numbers and expiration dates, and PINs. Some customers temporarily lost the use of their funds while waiting for banks to reverse unauthorized charges; some spent money on credit-monitoring services; some lost the value of their time devoted to acquiring new account numbers and notifying businesses of these changes. Many people use credit or debit cards to pay bills automatically; every time the account number changes, they must notify merchants. Plaintiffs sought damages from Barnes & Noble. Jurisdiction was based on the Class Action Fairness Act, 28 U.S.C. 1332(d), because the proposed class contains at least 100 members, the amount in controversy exceeds $5 million, and minimal diversity of citizenship exists. The district court dismissed the complaint, ruling that it did not adequately plead damages. The Seventh Circuit vacated. Federal Rule of Civil Procedure 54(c) provides that the prevailing party receives the relief to which it is entitled, whether or not the pleadings have mentioned that relief. While it is not clear that the company is liable, dismissal was inappropriate. Under the federal rules, all this complaint needed to do was allege generally that plaintiffs have been injured.

Download PDF
In the United States Court of Appeals For the Seventh Circuit ____________________ No. 17-2408 HEATHER DIEFFENBACH and SUSAN WINSTEAD, Plaintiffs-Appellants, v. BARNES & NOBLE, INC., Defendant-Appellee. ____________________ Appeal from the United States District Court for the Northern District of Illinois, Eastern Division. No. 12 C 8617 — Andrea R. Wood, Judge. ____________________ ARGUED DECEMBER 6, 2017 — DECIDED APRIL 11, 2018 ____________________ Before WOOD, Chief Judge, and EASTERBROOK and HAMILTON, Circuit Judges. EASTERBROOK, Circuit Judge. In 2012 Barnes & Noble discovered that scoundrels had compromised some of the machines, called PIN pads, that it used to verify payment information. They acquired details such as customers’ names, card numbers and expiration dates, and PINs. Some customers temporarily lost the use of their funds while waiting for banks to reverse unauthorized charges to their accounts. 2 No. 17-2408 Some spent money on credit-monitoring services to protect their nancial interests. Some lost the value of their time devoted to acquiring new account numbers and notifying businesses of these changes. Many people use credit or debit cards to pay bills automatically; every time the account number changes, these people must devote some of their time and mental energy to notifying merchants that the old numbers are invalid and new ones must be used. In this suit under state law, plainti s seek to collect damages not from the data thieves but from Barnes & Noble. Jurisdiction rests on the Class Action Fairness Act, 28 U.S.C. §1332(d), because the proposed class contains at least 100 members, the amount in controversy exceeds $5 million, and minimal diversity of citizenship exists. The district court initially held that the representative plainti s had su ered no loss at all—that they did not even have standing to sue. 2013 U.S. Dist. LEXIS 125730 (N.D. Ill. Sept. 3, 2013). After this court held in Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688 (7th Cir. 2015), and Lewert v. P.F. Chang’s China Bistro, Inc., 819 F.3d 963 (7th Cir. 2016), that consumers who experience a theft of their data indeed have standing, the district court (acting through a di erent judge) concluded that the complaint alleges injury. 2016 U.S. Dist. LEXIS 137078 at *8–11 (N.D. Ill. Oct. 3, 2016). But the judge nonetheless dismissed the complaint, ruling that it does not adequately plead damages. Id. at *13–25. See also 2017 U.S. Dist. LEXIS 97161 (N.D. Ill. June 13, 2017) (dismissing an amended complaint). This seems to us a new label for an old error. To say that the plainti s have standing is to say that they have alleged injury in fact, and if they have su ered an injury then dam- No. 17-2408 3 ages are available (if Barnes & Noble violated the statutes on which the claims rest). The plainti s have standing because the data theft may have led them to pay money for creditmonitoring services, because unauthorized withdrawals from their accounts cause a loss (the time value of money) even when banks later restore the principal, and because the value of one’s own time needed to set things straight is a loss from an opportunity-cost perspective. These injuries can justify money damages, just as they support standing. Pleading is governed by Fed. R. Civ. P. 8 and 9. Rule 8(a)(3) requires the plainti to identify the remedy sought, but it does not require detail about the nature of the plainti ’s injury. See Lujan v. Defenders of Wildlife, 504 U.S. 555, 561 (1992). What’s more, Rule 54(c) provides that the prevailing party receives the relief to which it is entitled, whether or not the pleadings have mentioned that relief. Rule 9(g), by contrast, does require details, but only with respect to “special damages.” Barnes & Noble does not contend, and the district judge did not nd, that any loss plainti s have identi ed is treated as “special damages.” As far as the federal rules are concerned, then, all this complaint needed to do was allege generally that plainti s have been injured. The district court did not apply these rules, instead demanding that the complaint contain all speci cs that would have been required had this suit been in state court. 2016 U.S. Dist. LEXIS 137078 at *13–19, 22–25. But in federal court it is the federal rules that determine what must be in a complaint. See, e.g., Walker v. Armco Steel Corp., 446 U.S. 740 (1980); Gasperini v. Center for Humanities, Inc., 518 U.S. 415 (1996); Shady Grove Orthopedic Associates, P.A. v. Allstate Insurance Co., 559 U.S. 393 (2010). The fact that the federal rules 4 No. 17-2408 do not require plainti s to identify items of loss (except for special damages) means that this complaint cannot be faulted as insu cient. Still, a district court could grant judgment on the pleadings, see Fed. R. Civ. P. 12(c), if none of the plainti s’ injuries is compensable, as a maoer of law, under the statutes on which they rely. We therefore turn to state law. Heather Die enbach dealt with Barnes & Noble in California and contends on appeal that she su ered four kinds of injury: (1) her bank took three days to restore funds someone else had used to make a fraudulent purchase; (2) she had to spend time sorting things out with the police and her bank; (3) she could not make purchases using her compromised account for three days; and (4) she did not receive the bene t of her bargain with Barnes & Noble. The fourth of these is not a loss; it is the failure to obtain a gain from the transaction. (Die enbach does not contend that any of the items she purchased was defective or that Barnes & Noble promised any particular level of security, for which she paid. See Remijas, 794 F.3d at 694–95.) But the rst three are losses, at least in economic terms. Die enbach invokes two statutes: California’s Customer Records Act and its Unfair Competition Law. The Records Act provides that a “customer injured by a violation of [this Act] may … recover damages.” Cal. Civ. Code §1798.84. The statute does not de ne injury, nor does any state decision we could nd. The district judge took this absence of a de nition as equivalent to conditioning recovery on satisfaction of the Unfair Competition Law, which provides that “lost money or property” supports recovery. Cal. Bus. & Prof. Code §17204. That’s a problematic move; the statutes are distinct, No. 17-2408 5 after all, as is their language. But this does not maoer, because the rst three losses that Die enbach identi es t within the phrase “lost money or property”. California’s judiciary understands “lost money or property” to mean an economic injury and tells us that “[t]here are innumerable ways in which economic injury … may be shown.” Kwikset Corp. v. Superior Court, 51 Cal. 4th 310, 323 (2011). An “identi able tri e of economic injury” su ces. Id. at 330 n.15 (internal quotation marks and citation omioed). We know from Marentes v. Impac Funding Corp., 2014 WL 2157539 (Cal. App. May 23, 2014), that the time value of money meets the statutory de nition. Although the loss of use in Marentes was longer (six months there, three days for Die enbach) the principle that the time value of money is “money or property” controls. Cf. Burlington Northern & Santa Fe Ry. v. White, 548 U.S. 53 (2006), which holds that a worker su ers a compensable injury even though the employer awards back pay to make up for salary lost during a 37-day suspension. Losing the use of money for three days may be a tri e to some people (though to others it may be a calamity), but a tri ing loss su ces under California law. And state courts have said that signi cant time and paperwork costs incurred to rectify violations also can qualify as economic losses. Compare Sarun v. Dignity Health, 232 Cal. App. 4th 1159, 1169 (2014) (“The tangible burden of [providing tax return information and other personal nancial data]” satis es the Law), with Lueras v. BAC Home Loans Servicing, LP, 221 Cal. App. 4th 49, 82 (2013) ( nding time spent “preparing and assembling materials” for a loan modi cation application de minimis and insu cient). 6 No. 17-2408 Now for Illinois. Susan Winstead, the second representative plainti , alleges that (1) her bank contacted her about a potentially fraudulent charge on her credit card statement and deactivated her card for several days; and (2) the security breach at Barnes & Noble “was a decisive factor” when she renewed a credit-monitoring service for $16.99 per month. Her claim rests on the Illinois Consumer Fraud and Deceptive Business Practices Act, 815 ILCS 505/2, and the proposed class relies on materially identical laws in other states. A person “who su ers actual damage as a result of a violation of this Act” may recover. 815 ILCS 505/10a(a). A monthly $17 out of pocket is a form of “actual damage”. It is real and measurable; Illinois does not require more. See Avery v. State Farm Mutual Automobile Insurance Co., 216 Ill. 2d 100, 195–99 (2005). And, if the plainti has su ered an economic loss, noneconomic injuries are compensable. See, e.g., Morris v. Harvey Cycle & Camper, Inc., 392 Ill. App. 3d 399, 402–03 (2009). An Illinois appellate court has held that a person who purchases credit-monitoring services after a merchant discloses personal information has not su ered actual damages. Cooney v. Chicago Public Schools, 407 Ill. App. 3d 358, 365–66 (2010). We think it unlikely that the Supreme Court of Illinois would agree with the “actual damages” portion of this decision, given the breadth of the statutory language. Money out of pocket is a standard understanding of actual damages in contract law, antitrust law (Reiter v. Sonotone Corp., 442 U.S. 330 (1979)), the law of fraud, and elsewhere. To get damages plainti s must show that a culpable data breach caused the monthly payments, but the complaint cannot be dismissed before giving the class an opportunity to do so. No. 17-2408 7 Everything we have said about California and Illinois law concerns injury. We have not considered whether Barnes & Noble violated any of these three state laws by failing to prevent villains from stealing plainti s’ names and account data. Barnes & Noble was itself a victim. Its reputation took a hit, it had to replace the compromised equipment plus other terminals that had been shown to be vulnerable, and it lost business. None of the state laws expressly makes merchants liable for failure to crime-proof their point-of-sale systems. Plainti s may have a di cult task showing an entitlement to collect damages from a fellow victim of the data thieves. It is also far from clear that this suit should be certi ed as a class action; both the state laws and the potential damages are disparate. These and other questions need consideration on remand. That the case has been pending for 5½ years without a decision by the district court whether the proposed class can be certi ed is problematic under Fed. R. Civ. P. 23(c)(1)(A), which requires the decision to be made “[a]t an early practicable time after a person sues … as a class representative”. All we hold today is that the complaint cannot be dismissed on the ground that the plainti s do not adequately allege compensable damages. The judgment is vacated, and the case is remanded for proceedings consistent with this opinion.

Primary Holding

Class action based on data breach need not specify damages.

Disclaimer: Justia Annotations is a forum for attorneys to summarize, comment on, and analyze case law published on our site. Justia makes no guarantees or warranties that the annotations are accurate or reflect the current state of law, and no annotation is intended to be, nor should it be construed as, legal advice. Contacting Justia or any attorney through this site, via web form, email, or otherwise, does not create an attorney-client relationship.