Skip to Content
Cyber security firm Gemini Advisory, which has expertise in analyzing cyber security breaches, has made a range of comments concerning the data breach. Gemini Advisory disclosed that data may have been stolen with the use of software placed within cash registers at department stores, and has also stated that more than 5 million debit and credit cards may have been stolen. Gemini Advisory has further disclosed that, in March, 2018, a group of hackers using the name “JokerStash" or "Fin7", were offering the stolen credit card numbers for immediate sale. Gemini Advisory also stated that the breach had started back in May, 2017, and that the breach compromised more than 80 Saks Fifth Avenue locations and nearly the entire Lord & Taylor network.
Naturally, lawsuits followed. On April 9, 2018, a putative class action was filed against Lord & Taylor in the U.S. District Court for the District of Delaware. In her complaint, Plaintiff Bernadette Beekman states typical claims for breach of implied contract, negligence, and unjust enrichment. Two days later, on April 11, 2018, a second class action suit was filed in U.S. District Court in Tennessee. In that case, Plaintiffs Jeanne Sacklow and Ericka Targum state claims similar to those raised in the Beekman lawsuit. Both lawsuits seek extensive damages. Moreover, according to industry experts, in addition to the monumental legal exposure, this data breach and the resulting lawsuits will almost certainly impact the corporate brand and customer good will.
While this may sound like another run-of-the mill data breach case that permeates our news on, what seems like, a daily basis, recent developments in the Delaware litigation highlight a key issue at the heart of data breach litigation: standing. Of course, in all lawsuits – including data-breach litigation – a plaintiff’s case can only proceed if she has standing under Article III of the Constitution, which requires plaintiff to have sustained a sufficient injury to bring suit. The U.S. Supreme Court addressed standing in Spokeo, Inc. v. Robins, 136 S.Ct. 1540, 194 L. Ed. 2d 635 (2016). The Spokeo court explained that, to establish standing, plaintiff needed to plead and prove an “injury in fact” which was “concrete and particularized.” In data-breach litigation, courts evaluate whether the increased likelihood of a possible, future theft of plaintiff’s identity is a “sufficient injury” to support Article III standing. The language from Spokeo has sparked a fierce debate as to the type of damages that do and do not confer Article III standing.
In light of this fierce debate, it comes as no surprise that Lord & Taylor recently sought a dismissal and transfer of the Beekman lawsuit from Delaware (Third Circuit) to the U.S. District Court for the Southern District of New York(Second Circuit). Notably, the Second Circuit is arguably a more defense-friendly jurisdiction when it comes to standing in these cases. For example, in In re Horizon Healthcare Services Inc. Data Breach Litigation, 846 F.3d 625 (3d Cir. 2017), the Third Circuit ruled that standing did exist based merely on alleged statutory violations. Alternatively, in Whalen v. Michaels Stores, Inc., 689 Fed.Appx. 89 (2d Cir. 2017), the Second Circuit concluded that the plaintiff-customers in a data-breach matter did not have standing. The Second Circuit concluded that the plaintiff’s claimed injuries were neither concrete nor particularized. These decisions highlight the conflicting rules that have been issued by Circuit Courts across the country in the wake of Spokeo.
In support of its attempt to transfer the Beekman case into New York, Lord & Taylor argues that the Southern District of New York is a more appropriate forum. Even though Lord & Taylor is a citizen of Delaware, its corporate headquarters and key witnesses are located in the Southern District of New York, which is therefore a more convenient forum. Lord & Taylor further argues that, if transferred, the Beekman lawsuit will join five other actions with the same underlying facts and allegations as those that are at issue in Beekman. Additionally, one of the plaintiff’s in New York has already filed a motion with the Judicial Panel on Multidistrict Litigation for a transfer to a single Judge in the Southern District of New York. Consequently, a transfer would allow for greater efficiency in dealing with these actions.
Importantly, a transfer of the Beekman lawsuit to the Southern District of New York would strengthen an argument that the defense-friendly legal opinions on standing from the Second Circuit should apply. At this point, the Delaware District Court has not yet issued a ruling on this important matter . . . stay tuned.