In re Supervalu, Inc.

IN RE: SuperValu, Inc., Customer Data Security Breach Litigation

This Document Relates to: All Actions

Court File No. 14-MD-2586 ADM/TNL

UNITED STATES DISTRICT COURT FOR THE DISTRICT OF MINNESOTA

March 7, 2018

MEMORANDUM OPINION AND ORDER

Ben Barnow, Esq., Barnow and Associates, P.C., Chicago, IL; Kate M. Baxter-Kauf, Esq., Lockridge Grindal Nauen P.L.L.P., Minneapolis, MN, on behalf of Plaintiffs.

Harvey J. Wolkoff, Esq., and David T. Cohen, Esq., Ropes & Gray LLP, New York, NY and Boston, MA; Katherine S. Barrett Wiik, Esq., and Stephen P. Safranski, Esq., Robins Kaplan LLP, Minneapolis, MN, on behalf of Defendant SuperValu, Inc.

John L. Landolfi, Esq., Vorys, Sater, Seymour and Pease LLP, Columbus, OH; and Marc A. Al, Esq., Stoel Rives LLP, Minneapolis, MN, on behalf of Defendants AB Acquisition, LLC and New Albertson's Inc.

I. INTRODUCTION

On December 14, 2017, the undersigned United States District Judge heard oral argument on Defendant SuperValu, Inc.'s ("SuperValu") Renewed Motion to Dismiss Plaintiffs' Consolidated Amended Class Action Complaint [Docket No. 78], Defendants AB Acquisition, LLC and New Albertson's, Inc.'s (together, "Albertson's") Renewed Motion to Dismiss Plaintiffs' Consolidated Amended Class Action Complaint [Docket No. 85], and Class Plaintiffs' Motion for Leave to Amend Their Amended Complaint Pursuant to Fed. R. Civ. P. 15(a)(2) [Docket No. 91]. For the reasons set forth below, SuperValu and Albertson's Motions are granted and Plaintiffs' Motion is denied.

II. BACKGROUND¹

A. Data Breach

In this multi-district litigation case, sixteen named plaintiffs ("Plaintiffs") alleged they were harmed after computer hackers breached the payment-processing network owned by SuperValu. See Consolidated Am. Class Action Compl. ("Amended Complaint") [Docket No. 28] ¶¶ 16-45. Both SuperValu and Albertson's (collectively, "Defendants") used the network to process payment card transactions at more than 1,000 of Defendants' retail grocery stores. Id. ¶¶ 3-5. The hackers gained access to and installed malicious software on the payment-processing network in June 2014 and again in late July or early September 2014. Id. ¶¶ 4-6. The malicious software released and disclosed the Personal Identifying Information ("PII") of Plaintiffs and Class Members who used their payment cards at the affected stores. Id. ¶ 36. The PII included cardholder names, account numbers, expiration dates, card verification value ("CVV") codes, and personal identification numbers ("PINs"). Id. ¶¶ 1, 40, 42. Plaintiffs alleged the malware allowed hackers to harvest customers' PII from cash registers and other payment processing terminals at the time customers swiped their cards. Id. ¶¶ 36, 40. Hackers were also able to access customers' PII that had been improperly stored on Defendants' network after customers made purchases at Defendants' stores. Id. ¶ 41.

Of the sixteen named Plaintiffs whose data was allegedly stolen in the breach, only onePlaintiff, David Holmes ("Holmes"), alleged that his PII was misused. See id. ¶¶ 16-31. Holmes alleged that he:

shopped at the Shop 'n Save location [owned and operated by SuperValu] in Belleville, Illinois, and swiped his card through Defendants' POS [point of sale] terminals. On information and belief Holmes' PII was compromised as a result of Defendants' security failures. When the Data Breach was announced, Plaintiff Holmes spent time determining if his card had been compromised, including but not limited to, reviewing information released about the Data Breach and impacted locations. Shortly thereafter, Holmes noticed a fraudulent charge on his credit card, which took two weeks to replace. As a result of such compromise, Holmes suffered losses and damages in an amount yet to be completely determined, as such losses and damages are ongoing and include, but are not limited to, time spent monitoring his account information to guard against potential fraud.

Id. ¶ 31. Holmes' factual allegations do not state the date he shopped at the store, the date the charge was made to his credit card, the amount of the charge, or whether he was required to pay the charge. See id.

The other fifteen named Plaintiffs did not allege that their PII was misused. Rather, they alleged that the theft of their PII subjects them to an imminent risk that they will suffer identity theft in the future. Id. ¶ 60.

B. Procedural History

Following the breach, four putative class actions were filed in federal courts in Illinois, Minnesota, and Idaho. See, McPeak v. SuperValu, Inc., 14-cv-00899 (S.D. Ill., filed Aug. 18, 2014); Hanff v. SuperValu Inc., 14-cv-3252 (D. Minn., filed Aug. 25, 2014); Mertz v. SuperValu, Inc., 14-cv-04660 (D. Minn., filed Nov. 4, 2014); and Rocke v. SuperValu, Inc., 14-cv-00511 (D. Idaho, filed Nov. 26, 2014). In December 2014, the Judicial Panel on Multidistrict Litigation centralized the four complaints to this Court for coordinated pre-trial proceedings.See Transfer Order [Docket No. 1]. On June 26, 2015, pursuant to this Court's first Pretrial Order [Docket No. 14], Plaintiffs filed the Amended Complaint with sixteen named plaintiffs bringing claims on behalf of a putative class of persons affected by the data breach.

1. Defendants' Initial Motion to Dismiss

On August 10, 2015, Defendants moved to dismiss the Complaint under Federal Rules of Civil Procedure 12(b)(1) and 12(b)(6). See Defs.' Mot. Dism. [Docket No. 33]. On January 7, 2016, this Court granted the motion pursuant to Rule 12(b)(1), finding that none of the Plaintiffs had alleged facts sufficient to establish Article III standing. See generally Dismissal Order. The Court held that Plaintiffs had not plausibly alleged a cognizable injury because (1) they failed to allege misuse of their PII or other harm that was traceable to the data breach, and (2) they had not alleged facts that plausibly suggested a substantial risk of future harm. Id. at *4-7.

In reaching this conclusion, the Court reasoned that because the Amended Complaint alleged only a single incident in which any Plaintiff's PII had been misused in the year and a half since the data breach affecting more than 1,000 stores had occurred, any future harm was speculative. Id. at *5. Future harm depended upon whether the hackers who accessed Defendants' network actually succeeded in capturing the information, whether the hackers would attempt to use the information, and whether their attempts would be successful. Id.

The Court also rejected Plaintiffs' additional theories of standing that were based upon: opportunity and mitigation costs, diminished value of Plaintiffs' payment card PII, delayed or inadequate notification of the data breach, invasion of Plaintiffs' privacy and breach of their PII confidentiality, and Plaintiffs' lost expectation of a bargained-for benefit. Id. at *7-8.

Finding that Plaintiffs lacked standing under Article III, the Court concluded that it waswithout subject matter jurisdiction to address Defendants' Rule 12(b)(6) argument that the Amended Complaint failed to state a claim for which relief can be granted. The Amended Complaint was dismissed without prejudice and final judgment was entered. Id. at *8; Judgment [Docket No. 53].

2. Plaintiffs' Rule 59(e) Motion

On February 4, 2016, Plaintiffs filed a post-judgment motion under Rule 59(e), seeking to vacate the judgment and dismissal of the Amended Complaint. See Pls.' Mot. Alter Amend J. [Docket No. 54]. Alternatively, Plaintiffs requested leave to amend the Amended Complaint but did not submit a proposed Second Amended Complaint. Id.

In support of their motion, Plaintiffs offered, for the first time, declarations of three credit union officers who averred that some payment cards issued by their respective institutions incurred fraudulent charges following the data breach. Id. Ex. 3 ("Anderson Decl."); Pls.' Index [Docket No. 61] Ex. 1 ("Malinowski Decl."), Ex. 2 ("Williams Decl."). Significantly, the declarations did not state that any of the compromised cards belonged to a named Plaintiff or that any cardholder incurred unreimbursed fraudulent charges or other bank charges. Id. Indeed, one declaration stated that the fraudulent charges on cards issued by that credit union were all "absorbed" by the institution. Anderson Decl. ¶ 6.

The Court denied the Rule 59(e) motion, finding: (1) Plaintiffs had not shown that they exercised diligence in obtaining the newly discovered evidence prior to judgment; and (2) none of the tardily filed declarations established that any named Plaintiff or potential class member suffered actual harm or faced a substantial risk of imminent future harm from the potential misuse of their PII. Mem. Op. Order, Apr. 20, 2016 [Docket No. 66] ("Rule 59(e) Order") at5-7.

The Court also denied Plaintiffs' request for leave to amend the Amended Complaint because Plaintiffs had not satisfied the more stringent standards governing post-judgment leave to amend, and because Plaintiffs failed to comply with the requirement under Local Rule 15.1(b) that a motion to amend a pleading must include "a copy of the proposed amended pleading" and "a version of the proposed amended pleading that shows . . . how the proposed amended pleading differs from the operative pleading." Id. at 8 (quoting L.R. 15.1(b)) .

3. Appeal

Plaintiffs then appealed the Court's Dismissal Order to the Eighth Circuit, but did not appeal the denial of the Rule 59(e) motion. See Eighth Cir. Op. at 767 n.2 (declining to consider arguments raised in Plaintiffs' Rule 59(e) motion or declarations attached to the motion because Plaintiffs did not appeal the denial of the Rule 59(e) motion).

On appeal, Plaintiffs argued that the following three rulings in the Dismissal Order were erroneous: (1) that Plaintiffs had not adequately alleged the theft of their personal information, and that theft alone was not insufficient to confer Article III standing; (2) that Plaintiff Holmes did not have standing because the misuse of his PII was not...