S.M. Oliva

Eighth Circuit Dismisses Final Plaintiff from SuperValu Data Breach Lawsuit

June 10, 2019

During June and July of 2014, unknown attackers managed to access the computer network used to process credit and debit card payments for SuperValu, Inc., a Minnesota-based grocery store chain. The attackers installed malware on the network, enabling them to access the names and payment card information of SuperValu customers. SuperValu publicly disclosed the data breach in August 2014. Approximately six weeks later, SuperValu disclosed a second data breach involving “different malicious software” installed to the same network.

In re: SuperValu, Inc., Customer Data Security Breach Litigation

In June 2015, a group of 16 plaintiffs–all SuperValu customers who paid with cards during the period of the breach–sued the company in Minnesota federal court. The trial judge dismissed all of the plaintiffs’ allegations, citing a lack of Article III standing. In August 2017, the U.S. Eighth Circuit Court of Appeals upheld the dismissal of all but one of the plaintiffs from the case. Unlike his co-plaintiffs, this final plaintiff alleged a “present injury in fact,” specifically an unauthorized charge to his credit card following the data breach. This was enough, in the appeals court’s judgment, to establish the lone remaining plaintiff’s standing.

But after the case returned to the trial court in Minnesota, the judge again dismissed the remaining plaintiff’s complaint after finding it “failed to state a claim” justifying any relief. Again, the plaintiff appealed the dismissal to the Eighth Circuit. This time, however, the appeals court agreed with the trial judge and upheld the dismissal in a May 31, 2019 opinion.

Retailers Have No Duty Under Illinois Law to Safeguard Customer Data from Attackers

U.S. Circuit Judge Jane L. Kelly, writing for the appeals court, explained the plaintiff’s allegations were governed by Illinois law, which does not usually impose an “affirmative duty” on retailers to protect a customer from “criminal attack” unless there is a “special relationship” between the parties. Indeed, Judge Kelly said the Illinois Supreme Court has yet to decide whether a retailer is ever obligated to protect customer data “from hackers.” In an April 2018 decision, Community Bank of Trenton v. Schnuck Markets, Inc., the U.S. Seventh Circuit Court of Appeals assumed, based on precedent from an Illinois intermediate appellate court, that state law “does not recognize a duty in tort to safeguard sensitive personal information.” Judge Kelly said the Eighth Circuit would follow its sister court’s position, given the lack of any Illinois Supreme Court ruling to the contrary.

This meant the plaintiff could not proceed with a claim for negligence against SuperValu. But the plaintiff raised several other claims, which the Eighth Circuit also rejected: