The year 2012 was a long, long time ago in data breach cases.
So when a lawsuit over old data breaches at 63 bookstores comes around, it’s not about the size of the dog in the fight, it’s about the size of the fight in the dog. In other words, how long will the plaintiffs keep fighting?
Barnes & Noble
Two Barnes & Noble customers complained about a data breach that occurred in 2012, alleging the bookseller failed to protect their PIN-pad information. A trial judge threw out the proposed class action, saying the plaintiffs failed to allege any “economic or out of pocket damages.”
Now a federal appeals court has reversed that decision. Judge Frank Easterbrook, writing for a unanimous panel, said the plaintiffs alleged enough for standing to sue.
It doesn’t mean they have an easy case going forward, however. The appellate panel said it was “far from clear” that the customer claims are similar enough for a class action.
The case will go back to the trial court, but a lot has changed in the past six years. “Skimming” is old school, and the law has evolved.
The Seventh Circuit said that “Barnes & Noble was itself a victim,” and that the plaintiffs may have a “difficult task showing an entitlement to collect damages from a fellow victim of the data thieves.”
The appeals court also noted that none of the states where the breaches occurred make “merchants liable for failure to crime-proof their point-of-sale systems.”
The PIN-pad scams occurred in California, Connecticut, Florida, Illinois, Massachusetts, New Jersey, New York, Pennsylvania, and Rhode Island.