Because the data breach class action plaintiffs were unable to show they sustained any actual harm, the Minnesota U.S. District Court granted SuperValu’s Motion to Dismiss their case, without prejudice, on January 7, 2016.
In its Memorandum Opinion, the Court distinguished the Target and Neiman Marcus cases because “[t]hose cases included factual allegations of substantial data misuse which plausibly suggested that the hackers had succeeded in stealing the data and were willing and able to use it for future theft or fraud.” (Mem. Op. 11-12). In the Target case, many of the 114 named plaintiffs actually incurred fraud, and in the Neiman Marcus case, “more than 9,200 customers experienced fraudulent charges on their payment cards within six months after a data breach that occurred at Neiman Marcus.” (Mem. Op. 12).
In this case, there was only one.
The Court’s rationale for its dismissal was, “only one unauthorized credit card charge (of an unspecified date and amount) is alleged to have occurred in the fifteen-month time period following the Data Breach that affected over 1,000 of Defendant’s stores. This singular incident from one named Plaintiff over the course of more than a year following the Data Breach is not sufficient to ‘nudge’ Plaintiff’s class claims of data misuse or imminent misuse ‘across the line from conceivable to plausible.’”