A federal judge in Illinois dismissed the class action lawsuit filed against Barnes & Noble stemming from a data breach in 2013. The breach occurred when credit and debit card PIN pads were compromised at 63 Barnes & Noble stores.

The Judge found that the consumers did not plead sufficient harm in order to state a claim against Barnes & Noble and were unable to provide facts in support of all five claims in the suit. The case was dismissed pursuant to Federal Rule of Civil Procedure 12(b)(6).

Although one of the named plaintiffs was able to show that there was a fraudulent charge made on her credit card, she was unable to show that she suffered any out-of-pocket damages. The Judge further held that “plaintiffs’ claim that they face an increased risk of future identity theft and must spend money to mitigate that risk is also insufficient to state a claim under ICFA” (the Illinois Consumer Fraud and Deceptive Business Practices Act).

The Judge further found no merit in the plaintiffs’ claims that they overpaid for the goods because they didn’t receive the security protections that they expected, or in their claims based on the loss of the value of their data, anxiety, and time spent decreasing the risk of identity theft.

Finally, the Judge rejected the plaintiffs’ invasion of privacy claim as the plaintiffs were unable to show that “highly offensive” private facts were publicly disclosed. According to the Judge, “The amended complaint contains no allegation that the exposed PII was widely published; in fact, … the only people who would have had access to the stolen PII would be the skimmers, and potentially whatever third parties to which they sold the PII” and therefore, “The court cannot find that plaintiffs adequately alleged public disclosure given the limited number of people that would have seen the PII as pleaded…”

The case was dismissed without prejudice, and the plaintiffs have until October 31 to restate their claims.

This article originally appeared in Robinson+Cole’s Data Privacy + Security Insider.

Linn Freedman


Linn Freedman practices in data privacy and security law, and complex litigation. She is a member of the Business Litigation Group and chairs the firm’s Data Privacy and Security Team. She currently serves as general counsel to the Rhode Island Quality Institute. Linn focuses her practice on compliance with all state and federal privacy and security laws and regulations, as well as emergency data breach response and mitigation. She counsels clients on state and federal data privacy and security investigations and data breaches. Prior to joining the firm, Linn was a partner at Nixon Peabody, where she served as leader of the firm’s Privacy & Data Protection Group. She also served as assistant attorney general and deputy chief of the Civil Division of the Attorney General’s Office for the State of Rhode Island. She earned her J.D. from Loyola University School of Law and her B.A., with honors, in American Studies from Newcomb College of Tulane University. She is admitted to practice law in Massachusetts and Rhode Island.

