TECHNOLOGY & CYBER RISK CLIENT ALERT: The Battle for Standing in Data-Breach Litigation Rages On


The battle over standing in cyber-security litigation continues. . . .

The latest example appears to be related to a data-breach involving the Hudson Bay Company. Founded in 1670, the Hudson Bay Company is one of the oldest companies in North America. On April 1, 2018 it joined the ever growing list of corporations that have been victimized by cyber-security breaches. Specifically, the Hudson Bay Company, which is the corporate parent of luxury department stores Saks Fifth Avenue, Saks Off 5th, and Lord & Taylor, posted a statement on its company web pages explaining that it had become aware of a data security issue involving customer payment data at certain North American stores. The statement goes on to inform customers that Hudson Bay Company is working with security investigators regarding the breach. On April 2nd, the statement was updated to reassure customers that there was no indication that social security numbers, drivers licenses numbers, and pins had been compromised, and that the company was conducting a diligent investigation to gain an understanding of the scope of the breach.

Cyber security firm Gemini Advisory, which has expertise in analyzing cyber security breaches, has made a range of comments concerning the data breach. Gemini Advisory disclosed that data may have been stolen with the use of software placed within cash registers at department stores, and has also stated that more than 5 million debit and credit cards may have been stolen.  Gemini Advisory has further disclosed that, in March, 2018, a group of hackers using the name “JokerStash" or "Fin7", were offering the stolen credit card numbers for immediate sale. Gemini Advisory also stated that the breach had started back in May, 2017, and that the breach compromised more than 80 Saks Fifth Avenue locations and nearly the entire Lord & Taylor network.

Naturally, lawsuits followed. On April 9, 2018, a putative class action was filed against Lord & Taylor in the U.S. District Court for the District of Delaware. In her complaint, Plaintiff Bernadette Beekman states typical claims for breach of implied contract, negligence, and unjust enrichment.  Two days later, on April 11, 2018, a second class action suit was filed in U.S. District Court in Tennessee. In that case, Plaintiffs Jeanne Sacklow and Ericka Targum state claims similar to those raised in the Beekman lawsuit.  Both lawsuits seek extensive damages. Moreover, according to industry experts, in addition to the monumental legal exposure, this data breach and the resulting lawsuits will almost certainly impact the corporate brand and customer good will.  

While this may sound like another run-of-the mill data breach case that permeates our news on, what seems like, a daily basis, recent developments in the Delaware litigation highlight a key issue at the heart of data breach litigation: standing. Of course, in all lawsuits – including data-breach litigation – a plaintiff’s case can only proceed if she has standing under Article III of the Constitution, which requires plaintiff to have sustained a sufficient injury to bring suit. The U.S. Supreme Court addressed standing in Spokeo, Inc. v. Robins, 136 S.Ct. 1540, 194 L. Ed. 2d 635 (2016). The Spokeo court explained that, to establish standing, plaintiff needed to plead and prove an “injury in fact” which was “concrete and particularized.” In data-breach litigation, courts evaluate whether the increased likelihood of a possible, future theft of plaintiff’s identity is a “sufficient injury” to support Article III standing. The language from Spokeo has sparked a fierce debate as to the type of damages that do and do not confer Article III standing. 

In light of this fierce debate, it comes as no surprise that Lord & Taylor recently sought a dismissal and transfer of the Beekman lawsuit from Delaware (Third Circuit) to the U.S. District Court for the Southern District of New York(Second Circuit). Notably, the Second Circuit is arguably a more defense-friendly jurisdiction when it comes to standing in these cases. For example, in In re Horizon Healthcare Services Inc. Data Breach Litigation, 846 F.3d 625 (3d Cir. 2017), the Third Circuit ruled that standing did exist based merely on alleged statutory violations.  Alternatively, in Whalen v. Michaels Stores, Inc., 689 Fed.Appx. 89 (2d Cir. 2017), the Second Circuit concluded that the plaintiff-customers in a data-breach matter did not have standing. The Second Circuit concluded that the plaintiff’s claimed injuries were neither concrete nor particularized. These decisions highlight the conflicting rules that have been issued by Circuit Courts across the country in the wake of Spokeo

In support of its attempt to transfer the Beekman case into New York, Lord & Taylor argues that the Southern District of New York is a more appropriate forum. Even though Lord & Taylor is a citizen of Delaware, its corporate headquarters and key witnesses are located in the Southern District of New York, which is therefore a more convenient forum.  Lord & Taylor further argues that, if transferred, the Beekman lawsuit will join five other actions with the same underlying facts and allegations as those that are at issue in Beekman. Additionally, one of the plaintiff’s in New York has already filed a motion with the Judicial Panel on Multidistrict Litigation for a transfer to a single Judge in the Southern District of New York. Consequently, a transfer would allow for greater efficiency in dealing with these actions.

Importantly, a transfer of the Beekman lawsuit to the Southern District of New York would strengthen an argument that the defense-friendly legal opinions on standing from the Second Circuit should apply. At this point, the Delaware District Court has not yet issued a ruling on this important matter . . . stay tuned.

Get Updates By Email

Blog Contributors