Eighth Circuit Finds No Duty For Retailers To Safeguard Personal Data Of Customers

Author:Mr Hanley Chew and Tyler G. Newby
Profession:Fenwick & West LLP

Consumer Protection Violation Requires Actual Damages

Pursuing negligence claims in the Eighth Circuit following a data breach just got harder. On May 31, 2019, the U.S. Court of Appeals for the Eighth Circuit again dismissed the data breach claims in In re SuperValu, Inc. Customer Data Security Breach Litigation, where the court had previously dismissed the claims of all but one of the 16 named plaintiffs for failing to allege actual injuries that would establish Article III standing. In addition to affirming the denial of the 15 plaintiffs' motion for leave to amend, the Eighth Circuit held that the remaining plaintiff failed to state a claim in his complaint because he could not establish that SuperValu, Inc. had a duty to safeguard his personal data or that he had suffered actual damages or future likelihood of harm.


SuperValu, AB Acquisition and New Albertson (collectively, defendants) owned and operated a chain of retail grocery stores. In 2014, the defendants suffered two data breaches. The first breach occurred from June 22 through July 17, when hackers gained access to the payment information of defendants' customers including their names, credit or debit card account numbers, card expiration dates, card verification value codes and personal identification numbers. The second breach took place in late August or early September and involved the same type of customer information. After each breach, defendants issued a press release notifying customers of the breach but indicating that there had been no determination that customer information had in fact been stolen or misused.

Customers from several states allegedly affected by the breaches filed putative class actions in different district courts, all of which were transferred to and consolidated in the U.S. District Court for the District of Minnesota. Sixteen named plaintiffs filed a consolidated amended complaint asserting claims for violations of state consumer protection and data breach notification statutes, negligence, breach of implied contract and unjust enrichment. Only one of the named plaintiffs, David Holmes, alleged that he had suffered a fraudulent charge on his credit card statement, resulting in the replacement of that card.

The district court evaluated the standing of the named plaintiffs collectively and dismissed the complaint without prejudice, finding that plaintiffs had not alleged an injury in fact and, therefore, lacked standing. The Eighth...

To continue reading