Customer Data SEC. Breach Litig. Melissa Alleruzzo v. Supervalu, Inc. (In Re Supervalu, Inc.)

925 F.3d 955

• Court: Court of Appeals for the Eighth Circuit
• Decided: May 31, 2019
• Docket: 18-1648
• Status: Published

Opinion

KELLY, Circuit Judge.

In 2014, hackers accessed customer financial information from hundreds of retail grocery stores operated by SuperValu, Inc., AB Acquisition, LLC, and New Albertsons, Inc. A group of customers sued the stores. We previously affirmed dismissal of all but one of the suit's named plaintiffs for lack of standing. See In re SuperValu, Inc. , 870 F.3d 763 (8th Cir. 2017). On remand, the district court 1 dismissed the remaining plaintiff for failure to state a claim under Federal Rule of Civil Procedure 12(b)(6) and denied plaintiffs'

*960 motion for leave to amend their complaint. We affirm both rulings.

I

Our prior opinion summarizes the facts alleged in the consolidated amended complaint, which we accept as true. See id. at 766-67 . We repeat here only the facts relevant to the instant appeal. In 2014, defendants' grocery stores suffered two cyberattacks that allowed hackers to steal customers' card information, including their names, credit or debit card account numbers, expiration dates, personal identification numbers, and card verification value codes. The stolen card information is distinct from the type of personally identifying information generally necessary to open a new fraudulent account, "such as social security numbers, birth dates, or driver's license numbers." Id. at 770 . Defendants notified customers of the first attack, which occurred in late June and early July 2014, via a press release on August 14, 2014. On September 29, 2014, they announced a second attack, which took place in late August or early September 2014. Plaintiffs allege that the two data breaches were connected and resulted from the stores' failure to properly safeguard their customers' personal information.

Plaintiffs filed multiple putative class actions against the stores, which were consolidated. Defendants moved to dismiss, asserting that the court lacked subject-matter jurisdiction because plaintiffs lacked standing, see Fed. R. Civ. P. 12(b)(1), and that plaintiffs failed to state a claim upon which relief could be granted, see Fed. R. Civ. P. 12(b)(6). The district court granted defendants' motion under Rule 12(b)(1) and dismissed the complaint without prejudice. It concluded that none of the plaintiffs had alleged an injury in fact because the complaint's allegations were insufficient to plausibly suggest that plaintiffs were likely to suffer future identity theft. The court did not address defendants' alternative motion under Rule 12(b)(6).

Plaintiffs then filed a motion to alter or amend the judgment under Rule 59(e). Plaintiffs attached three declarations from officers of financial institutions who averred that some payment cards issued by their respective institutions incurred fraudulent charges following the data breaches. Plaintiffs' motion included a request for leave to file an amended complaint but did not attach a proposed amended pleading. The district court denied plaintiffs' Rule 59(e) motion for failing to meet the standard for newly discovered evidence. It also denied the motion for leave to amend because plaintiffs had not submitted a proposed amended complaint, as required by the court's local rules. Plaintiffs appealed the district court's dismissal for lack of subject-matter jurisdiction but did not appeal the denial of their Rule 59(e) motion.

On appeal, we affirmed the district court's dismissal of all of the named plaintiffs for lack of standing, except for David Holmes. We concluded that no plaintiff had alleged a prospective injury in fact because, as pleaded, the likelihood of future identity theft was purely speculative. In re SuperValu , 870 F.3d at 768-72 . But we found that Holmes, the only plaintiff who alleged that he experienced an unauthorized charge to his account, had alleged a present injury in fact. Id. at 772 . According to the complaint, Holmes used his credit card at a Shop 'n Save store operated by SuperValu in Belleville, Illinois, on an unspecified date. "On information and belief," Holmes's card information was compromised as a result of the cyberattacks. Shortly after the data breaches were announced, Holmes noticed a fraudulent *961 charge on his credit card statement and immediately cancelled his credit card, which took two weeks to replace. This was sufficient for standing purposes, but we nonetheless acknowledged that Holmes's failure to allege certain details-such as "the date he shopped at the affected Illinois store, the amount of the charge, or that the charge was unreimbursed"-"could be fatal to the complaint under the 'higher hurdles' of Rules 8(a) and 12(b)(6)." Id. at 773 . We remanded to allow the district court to consider defendants' Rule 12(b)(6) motion as to Holmes in the first instance.

On remand, defendants renewed their motion to dismiss. A week later, plaintiffs filed a second motion for leave to amend. This time, plaintiffs included a proposed amended complaint that added general allegations about the likelihood of identity theft following a data breach. Many of these allegations were based on the same three affidavits plaintiffs had attached to their earlier Rule 59(e) motion. The district court denied plaintiffs' motion, reasoning that futility and undue delay compelled denial of leave to amend under Rule 15(a)(2). The court then dismissed all claims against AB Acquisition and New Albertsons because Holmes did not shop at an Albertsons store. It also found that Holmes's negligence, consumer protection, implied contract, and unjust enrichment claims all failed as a matter of law and therefore granted SuperValu's motion to dismiss in full.

II

We first address the district court's denial of plaintiffs' second motion for leave to amend. As an initial matter, the parties dispute which rules govern this motion. Defendants argue that, because the district court initially dismissed the complaint and entered judgment on January 7, 2016, plaintiffs cannot seek leave to amend their complaint unless that judgment is first set aside or vacated under Rule 59(e) or Rule 60(b). Plaintiffs contend that they need not satisfy the requirements of those rules because the court's initial dismissal was without prejudice. The district court declined to opine on whether the motion was properly construed as a postjudgment motion because, even under the more lenient standards applicable to prejudgment motions, futility and undue delay counseled against granting leave to amend under Rule 15(a)(2).

We have repeatedly explained that "[a] motion for leave to amend after dismissal is subject to different considerations than a motion prior to dismissal." Mountain Home Flight Serv., Inc. v. Baxter Cty. , 758 F.3d 1038 , 1045 (8th Cir. 2014). Leave to amend should be granted liberally under Rule 15 prior to dismissal. After judgment has been entered, district courts may not ignore the considerations of Rule 15, but leave to amend a pleading will be granted only "if it is consistent with the stringent standards governing the grant of Rule 59(e) and Rule 60(b) relief." United States v. Mask of Ka-Nefer-Nefer , 752 F.3d 737 , 743 (8th Cir. 2014). Even if a dismissal is without prejudice, if the court intended the decision to be a final, appealable order, it constitutes dismissal of the entire action, and the more stringent postjudgment standards apply. Mountain Home , 758 F.3d at 1045-46 .

The district court's original dismissal constituted a final, appealable order dismissing the entire action. Plaintiffs acknowledged as much by styling their initial motion to amend as a motion under Rule 59(e) and by appealing the district court's judgment of dismissal to this court. We reversed that judgment with regard to Holmes, but we affirmed it as to every other named plaintiff. To revive those *962 plaintiffs' claims, the original judgment must be set aside under Rule 59 or 60 before amendment can be permitted under Rule 15(a)(2). See generally 6 Charles Alan Wright, Arthur R. Miller & Mary Kay Kane, Federal Practice and Procedure § 1489, at 814-24 (3d ed. 2010). Plaintiffs' proposed amendments relate only to the claims of the previously-dismissed plaintiffs; they do not contain any new allegations specific to Holmes. Thus, the motion must be treated as a postjudgment motion. We review its denial for an abuse of discretion. Middleton v. McDonald , 388 F.3d 614 , 616 (8th Cir. 2004).

The district court did not abuse its discretion because plaintiffs' postjudgment motion is untimely. Plaintiffs filed their motion on November 7, 2017, a year and ten months after the district court's original judgment. This puts the motion well outside the 28-day limitation in Rule 59(e). See Fed. R. Civ. P. 59(e). The motion is also untimely if it is construed as a motion for relief from judgment under Rule 60(b), which must be filed within a "reasonable time" and generally within a year of the original judgment. See Fed. R. Civ. P. 60(c)(1). Accordingly, we affirm the denial of plaintiffs' motion for leave to amend.

III

We review a district court's dismissal for failure to state a claim under Rule 12(b)(6) de novo. United States ex rel. Ambrosecchia v. Paddock Labs., LLC , 855 F.3d 949 , 954 (8th Cir. 2017). "To survive a motion to dismiss, a complaint must contain sufficient factual matter, accepted as true, to 'state a claim to relief that is plausible on its face.' " Ashcroft v. Iqbal , 556 U.S. 662 , 678, 129 S.Ct. 1937 , 173 L.Ed.2d 868 (2009) (quoting Bell Atl. Corp. v. Twombly , 550 U.S. 544 , 570, 127 S.Ct. 1955 , 167 L.Ed.2d 929 (2007) ). A plaintiff satisfies the plausibility requirement when he "pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged." Id. This standard requires the plaintiff to allege "more than a sheer possibility that a defendant has acted unlawfully." Id. "Determining whether a claim is plausible is a 'context-specific task that requires the reviewing court to draw on its judicial experience and common sense.' " Hamilton v. Palm , 621 F.3d 816 , 818 (8th Cir. 2010) (quoting Iqbal , 556 U.S. at 679 , 129 S.Ct. 1937 ).

A complaint's factual allegations do not need to be "detailed," but they must be "more than labels and conclusions" or "a formulaic recitation of the elements of a cause of action." Twombly , 550 U.S. at 555 , 127 S.Ct. 1955 . The plaintiff is obligated to provide within his complaint sufficient facts to establish "the grounds of his entitlement to relief." Id. (cleaned up). We do not assume the truth of allegations that are merely conclusory in nature, Iqbal , 556 U.S. at 681 , 129 S.Ct. 1937 , and we reject "catch-all assertions of law and unwarranted inferences," Rand-Heart of N.Y., Inc. v. Dolan , 812 F.3d 1172 , 1176 (8th Cir. 2016) (quoting In re K-tel Int'l, Inc. Sec. Litig. , 300 F.3d 881 , 889 (8th Cir. 2002) ).

Determining whether Holmes's well-pleaded allegations are sufficient to state a plausible claim for relief requires examination of the specific causes of action that he has asserted. Holmes brings four types of claims under Illinois law: negligence, consumer protection, implied contract, and unjust enrichment. We conclude that Holmes's allegations fall short of stating a claim for relief under each of these four theories.

A

To state a claim for negligence under Illinois law, a complaint must allege *963 "facts that establish the existence of a duty of care owed by the defendant to the plaintiff, a breach of that duty, and an injury proximately caused by that breach." Marshall v. Burger King Corp. , 222 Ill.2d 422 , 305 Ill.Dec. 897 , 856 N.E.2d 1048 , 1053 (2006). Holmes's claim is primarily premised on the view that SuperValu, as a retailer, had a duty to safeguard his credit-card information from cyberattacks. Whether a defendant owes a legal duty to the plaintiff is a question of state law. See Iseberg v. Gross , 227 Ill.2d 78 , 316 Ill.Dec. 211 , 879 N.E.2d 278 , 284 (2007). In Illinois, generally there is no affirmative duty to protect another from a criminal attack unless one of four historically recognized "special relationships" exists between the parties. See id. , 316 Ill.Dec. 211 , 879 N.E.2d at 284-85 .

The parties agree that the Illinois Supreme Court has not yet addressed whether a retailer has a qualifying special relationship with its customers such that it is obligated to protect their financial information from hackers. In these circumstances, our role is to predict how that court would rule if faced with the issue. Blankenship v. USA Truck, Inc. , 601 F.3d 852 , 856 (8th Cir. 2010). The Seventh Circuit recently addressed the same question and predicted that Illinois would not impose such a duty on retailers like SuperValu. See Cmty. Bank of Trenton v. Schnuck Mkts., Inc ., 887 F.3d 803 , 816 (7th Cir. 2018). The Seventh Circuit based its ruling on Cooney v. Chicago Public Schools , an Illinois Appellate Court decision that appears to hold that the state does not recognize a duty in tort to safeguard sensitive personal information. See 407 Ill.App.3d 358 , 347 Ill.Dec. 733 , 943 N.E.2d 23 , 28-29 (2010). Holmes has not drawn our attention to any Illinois authority contrary to Cooney . We agree with the Seventh Circuit's reading of Cooney and accordingly adopt its conclusion. The failure of Illinois law to impose this type of common-law duty on merchants mandates dismissal of Holmes's negligence claim.

In the alternative, Holmes argues that his negligence claim is premised on a duty imposed by federal statute, specifically the Federal Trade Commission Act (FTCA). The FTCA gives the Federal Trade Commission the authority to, among other things, enforce against "unfair or deceptive acts or practices in or affecting commerce." 15 U.S.C. § 45 (a). The Commission has used this authority to bring a number of enforcement actions against companies that have purportedly failed to protect consumer financial data against hackers. See FTC v. Wyndham Worldwide Corp. , 799 F.3d 236 , 240 (3d Cir. 2015). The FTCA creates no private right of action. FTC v. Johnson , 800 F.3d 448 , 452 (8th Cir. 2015).

Illinois courts have held that statutes "designed to protect human life or property" can establish the "standard of conduct required of a reasonable person" and therefore "fix the measure of legal duty" in a negligence action. Noyola v. Bd. of Educ. , 179 Ill.2d 121 , 227 Ill.Dec. 744 , 688 N.E.2d 81 , 84-85 (Ill. 1997). If a defendant violates such a statute, a right of action may be implied in tort if four conditions are met: (1) the plaintiff is a member of the class for whose benefit the statute was enacted, (2) the right of action is consistent with the underlying purpose of the statute, (3) the plaintiff's injury is one the statute was designed to prevent, and (4) the right of action is necessary to provide an adequate remedy for violations of the statute. Id. , 227 Ill.Dec. 744 , 688 N.E.2d at 85 .

Several of these conditions are absent here. Congress empowered the Commission-and the Commission alone-to *964 enforce the FTCA. Implying a cause of action would be inconsistent with Congress's anticipated enforcement scheme. Holmes points to nothing suggesting that the Commission's enforcement efforts have been inadequate to redress violations of the statute in this area. At least one court has expressly rejected the proposition that § 45(a) creates a duty enforceable through an Illinois negligence action. See Cmty. Bank of Trenton v. Schnuck Mkts., Inc. , 210 F. Supp. 3d 1022 , 1041 (S.D. Ill. 2016). Holmes cites no authority to the contrary. We conclude that Illinois is unlikely to recognize a legal duty enforceable through a negligence action arising from the FTCA. The district court's dismissal of this claim was proper.

B

The district court also dismissed Holmes's consumer-protection claims brought under the Illinois Consumer Fraud and Deceptive Business Practices Act (ICFA), the Illinois Personal Information Protection Act (PIPA), and the Illinois Uniform Deceptive Trade Practices Act (UDTPA). The only way to pursue a claim under PIPA is by satisfying ICFA's requirements because PIPA does not create a separate cause of action. See 815 Ill. Comp. Stat. 530/20 ; Best v. Malec , No. 09 C 7749 , 2010 WL 2364412 , at *7 (N.D. Ill. June 11, 2010). The district court concluded that Holmes failed to adequately plead damages under ICFA and that his UDTPA claim failed because he had not alleged a likelihood of future harm. We agree.

A claim under ICFA requires the plaintiff to have suffered "actual damage" as a result of the defendant's conduct. 815 Ill. Comp. Stat. 505/10a(a) ; see Avery v. State Farm Mut. Auto. Ins. Co. , 216 Ill.2d 100 , 296 Ill.Dec. 448 , 835 N.E.2d 801 , 856 (2005) (summarizing elements of ICFA claim). "The actual damage element of a private ICFA action requires that the plaintiff suffer 'actual pecuniary loss.' " Kim v. Carter's Inc. , 598 F.3d 362 , 365 (7th Cir. 2010) (quoting Mulligan v. QVC, Inc. , 382 Ill.App.3d 620 , 321 Ill.Dec. 257 , 888 N.E.2d 1190 , 1197 (2008) ). This requirement is not onerous; a complaint may survive dismissal if it alleges a "real and measurable" out-of-pocket loss. Dieffenbach v. Barnes & Noble, Inc. , 887 F.3d 826 , 830 (7th Cir. 2018).

Holmes's alleged injuries-the expenditure of time monitoring his account, the single fraudulent charge to his credit card, and the effort expended replacing his card-do not constitute actual damage. The time Holmes spent protecting himself against the threat of future identity theft does not amount to an out-of-pocket loss. We previously held that the risk of future identity theft was too speculative to create standing in this case. In re SuperValu , 870 F.3d at 771 . A purely speculative injury is by definition not "real and measurable" and cannot constitute actual damage. See N. Ill. Emergency Physicians v. Landau, Omahana & Kopka, Ltd. , 216 Ill.2d 294 , 297 Ill.Dec. 319 , 837 N.E.2d 99 , 107 (2005) ("Where the mere possibility of harm exists or damages are otherwise speculative, actual damages are absent ....").

Holmes does not directly allege that the fraudulent charge to his credit card resulted in any pecuniary loss. Instead, he asserts that we must presume that he was required to pay the fraudulent charge even though he has not directly alleged that fact. As the nonmovant, Holmes is entitled to the benefit of all reasonable inferences that may be drawn from the complaint's allegations. Martin v. Iowa , 752 F.3d 725 , 727 (8th Cir. 2014). But the inference Holmes seeks is not a reasonable one. The complaint alleges that *965 Holmes "immediately" reported the suspicious charge and was issued a new credit card. In such a situation, federal law and card-issuer contracts ordinarily absolve the consumer from any obligation to pay the fraudulent charge. See Schnuck Mkts. , 887 F.3d at 807 . Holmes asks us to draw from his conspicuous omission an inference that runs counter to established law and common experience. We decline to do so. Holmes is in the best position to know whether he was ever obligated to pay this unauthorized charge. He is the master of his own complaint, and we are not required to draw unreasonable inferences in his favor. See Brown v. Medtronic, Inc. , 628 F.3d 451 , 461 (8th Cir. 2010).

We also reject Holmes's argument that the collateral source doctrine saves his ICFA claim's failure to allege pecuniary loss. "Under the collateral source rule, benefits received by the injured party from a source wholly independent of, and collateral to, the tortfeasor will not diminish damages otherwise recoverable from the tortfeasor." Wills v. Foster , 229 Ill.2d 393 , 323 Ill.Dec. 26 , 892 N.E.2d 1018 , 1022 (2008) (quoting Arthur v. Catour , 216 Ill.2d 72 , 295 Ill.Dec. 641 , 833 N.E.2d 847 , 851 (2005) ). The rule is ordinarily applied in negligence actions where the injured party obtains benefits from an external source, such as an insurance policy. The justification for the rule is that "the wrongdoer should not benefit from the expenditures made by the injured party or take advantage of contracts or other relations that may exist between the injured party and third persons." Id. , 323 Ill.Dec. 26 , 892 N.E.2d at 1030 (emphasis removed) (quoting Arthur , 295 Ill.Dec. 641 , 833 N.E.2d at 852 ).

Holmes cites no case applying the doctrine to an ICFA claim and we are skeptical that the Illinois Supreme Court would find it applicable to these circumstances. If Holmes was indemnified from any liability arising from the suspicious charge, it was through operation of federal law and his contract with the financial institution that issued his card. That contract is connected to SuperValu through a network of other agreements. See generally Schnuck Mkts. , 887 F.3d at 807-09 . Under those agreements, card-issuing banks generally bear the initial cost of "indemnifying their customers for unauthorized transactions and issuing new cards," but may seek to recoup losses from retailers through a cost recovery process. Id. at 809 . Holmes's indemnity was not "wholly independent" from the alleged tortfeasor; it was an integral component of the card payment system that allowed him to shop at the affected store in the first place. Because his indemnity came from "a source related to [SuperValu] through contract," the collateral source doctrine does not apply. Segovia v. Romero , 380 Ill.Dec. 411 , 8 N.E.3d 581 , 587 (Ill. App. Ct. 2014) ; see also Am. State Bank v. Union Planters Bank, N.A. , 332 F.3d 533 , 538 (8th Cir. 2003) (applying Arkansas's collateral source doctrine).

We conclude that Holmes's UDTPA claim also fails. The only remedy available for a UDTPA claim is injunctive relief. See Glazewski v. Coronet Ins. Co. , 108 Ill.2d 243 , 91 Ill.Dec. 628 , 483 N.E.2d 1263 , 1267 (1985). To obtain an injunction, Holmes must show that he is "likely to be damaged" by SuperValu's practices in the future. 815 Ill. Comp. Stat. 510/3. The complaint fails to allege such a likelihood, see In re SuperValu , 870 F.3d at 771-72 , so this claim was properly dismissed.

C

The district court properly dismissed Holmes's claim for breach of an implied contract. We previously held that "the *966 complaint does not sufficiently allege that plaintiffs were party to [an implied] contract" with SuperValu, id. at 771 n.6, ; therefore it does not state a plausible implied-contract claim.

D

Holmes's remaining claim is for unjust enrichment. To state a claim of unjust enrichment in Illinois, "a plaintiff must allege that the defendant has unjustly retained a benefit to the plaintiff's detriment, and that defendant's retention of the benefit violates the fundamental principles of justice, equity, and good conscience." HPI Health Care Servs., Inc. v. Mt. Vernon Hosp., Inc. , 131 Ill.2d 145 , 137 Ill.Dec. 19 , 545 N.E.2d 672 , 679 (1989). According to the complaint, the benefit that SuperValu unjustly retained is the money that Holmes expended on his groceries. Holmes alleges that SuperValu's inadequate security practices resulted in an unreasonable delay between the time that the data breaches occurred and the time that the public was notified of the attacks. Had SuperValu informed its customers immediately, Holmes alleges that he never would have shopped at the store.

Common sense counsels against the viability of Holmes's theory of unjust enrichment. Holmes paid for groceries, the price of which would have been the same whether he paid with cash or a credit card. He did not pay a premium "for a side order of data security and protection." Irwin v. Jimmy John's Franchise, LLC , 175 F. Supp. 3d 1064 , 1072 (C.D. Ill. 2016) (applying Arizona law). Because Holmes does not allege that any specific portion of his payment went toward data protection, he has not alleged a benefit conferred in exchange for protection of his personal information nor has he shown how SuperValu's retention of his payment would be inequitable. Carlsen v. GameStop, Inc. , 833 F.3d 903 , 912 (8th Cir. 2016) (applying Minnesota law). We therefore conclude that Holmes has failed to state a plausible claim of unjust enrichment.

IV

The district court properly denied plaintiffs' motion for leave to amend their complaint and properly dismissed Holmes's claims under Rule 12(b)(6). The judgment of the district court is affirmed.

1 The Honorable Ann D. Montgomery, United States District Judge for the District of Minnesota.