A federal judge in Illinois dismissed the class action lawsuit filed against Barnes & Noble stemming from a data breach in 2013. The breach occurred when credit and debit card PIN pads were compromised at 63 Barnes & Noble stores.
The Judge found that the consumers did not plead sufficient harm in order to state a claim against Barnes & Noble and were unable to provide facts in support of all five claims in the suit. The case was dismissed pursuant to Federal Rule of Civil Procedure 12(b)(6).
Although one of the named plaintiffs was able to show that there was a fraudulent charge made on her credit card, she was unable to show that she suffered any out of pocket damages. She further held that “plaintiffs’ claim that they face an increased risk of future identity theft and must spend money to mitigate that risk is also insufficient to state a claim under ICFA” (the Illinois Consumer Fraud and Deceptive Business Practices Act).
The Judge further found no merit in the plaintiffs’ claims that they overpaid for the goods as they didn’t receive the security protections that they expected, the loss of the value of their data, anxiety, and time spent decreasing the risk of identity theft.
Finally, the Judge rejected the plaintiffs’ invasion of privacy claim as the plaintiffs were unable to show that “highly offensive” private facts were publicly disclosed. According to the Judge “The amended complaint contains no allegation that the exposed PII was widely published; in fact, … the only people who would have had access to the stolen PII would be the skimmers, and potentially whatever third parties to which they sold the PII” and therefore, “The court cannot find that plaintiffs adequately alleged public disclosure give the limited number of people that would have seen the PII as pleaded…”
The case was dismissed without prejudice, and the plaintiffs have until October 31 to restate their claims.
This article originally appeared in Robinson+Cole’s Data Privacy + Security Insider.