In re Barnes & Noble Pin Pad Litig.

Full title: IN RE BARNES & NOBLE PIN PAD LITIGATION

Court: UNITED STATES DISTRICT COURT FOR THE NORTHERN DISTRICT OF ILLINOIS EASTERN DIVISION

Date published: Oct 3, 2016

No. 12-cv-08617 (N.D. Ill. Oct. 3, 2016)

Opinion

No. 12-cv-08617

10-03-2016

IN RE BARNES & NOBLE PIN PAD LITIGATION

Judge Andrea R. Wood

MEMORANDUM OPINION AND ORDER

Plaintiffs Ray Clutts, Heather Dieffenbach, Jonathan Honor, and Susan Winstead filed this putative class action against Defendant Barnes & Noble, Inc. in the wake of a data breach during which hackers obtained personal identifying information ("PII") belonging to Barnes & Noble customers. Plaintiffs purchased products with their credit or debit cards at affected stores during the time period in which this data breach occurred. This Court previously dismissed Plaintiffs' Consolidated Class Action Complaint ("Original Complaint") for lack of Article III standing. Plaintiffs subsequently filed their First Amended Consolidated Class Action Complaint ("Amended Complaint"), which Barnes & Noble has moved to dismiss pursuant to Federal Rules of Civil Procedure 12(b)(1) and 12(b)(6) ("Motion"). (Dkt. No. 59.) For the reasons stated below, the Court finds that Plaintiffs have established standing but nonetheless have failed to state a claim and thus dismisses all counts of the Amended Complaint.

BACKGROUND

In September 2012, unsolicited individuals, known as "skimmers," tampered with PIN pad terminals in 63 Barnes & Noble stores located in nine states. (Am. Compl. ¶¶ 2, 50, Dkt. No. 58.) Barnes & Noble uses these PIN pad terminals to process its customers' credit and debit card payments in its retail stores. (Id. ¶ 20.) Six weeks after discovering this potential security breach, Barnes & Noble announced to the public that these skimmers had potentially stolen customer credit and debit information from the affected locations. (Id. ¶ 50.) Plaintiffs were customers of Barnes & Noble at retail stores affected by the data breach during the time period when this data breach occurred.¹ (Id. ¶¶ 12-15.)

1 The Court presented a more detailed version of the facts concerning Plaintiffs' claims in its previous decision. See Barnes & Noble, 2013 WL 4759588 (N.D. Ill. Sept. 3, 2013). The Court presumes the reader's familiarity with those background facts.

Plaintiffs filed the Original Complaint on March 25, 2013. (Dkt. No. 39.) The Original Complaint pleaded five causes of action: (1) breach of contract; (2) violation of the Illinois Consumer Fraud and Deceptive Business Practices Act ("ICFA"), 815 ILCS § 505/1 et seq.; (3) invasion of privacy; (4) violation of the California Security Breach Notification Act, Cal. Civ. Code § 1798.80 et seq.; and (5) violation of California's Unfair Competition Act ("UCL"), Cal. Bus. & Prof. Code § 17200 et seq. Plaintiffs sought damages for, among other things: unauthorized disclosure of their PII, loss of privacy, expenses incurred attempting to mitigate the increased risk of identity theft or fraud, time lost mitigating the increased risk of identity theft or fraud, an increased risk of identity theft, deprivation of the value of Plaintiffs' PII, and anxiety and emotional distress.

On April 30, 2013, Barnes & Noble filed a motion pursuant to Federal Rules of Civil Procedure 12(b)(1) and 12(b)(6) to dismiss the Original Complaint. (Dkt. No. 43.) The Court granted the motion to dismiss the Original Complaint on September 3, 2013 ("Order of Dismissal"), finding that the Plaintiffs had failed to establish Article III standing. (Order of Dismissal at 10, Dkt. No. 57.) The Court granted Plaintiffs 21 days to re-plead the Complaint. (Id.)

Plaintiffs filed their Amended Complaint on September 24, 2013. (Dkt. No. 58.) The Amended Complaint charges the same five causes of action as the Original Complaint and also pleads virtually identical facts. In fact, of the 143 paragraphs included in the Amended Complaint, only six of them include factual allegations that were not included in the Original Complaint.² These new allegations include the following:

2 Paragraphs 3, 4, 17, and 18 consist of entirely new allegations. Plaintiffs added factual material to paragraphs 5 and 71.

• On information and belief, Barnes & Noble has complete and full access to the list of credit and debit card information that was skimmed from the affected PIN pad devices. (Am. Compl. ¶ 3, Dkt. No. 58.)

• On information and belief, Plaintiffs' and class members' PII was stolen and disclosed by the skimmers when Plaintiffs and class members swiped their credit and debit cards at the affected Barnes & Noble stores during the relevant time period. (Id. ¶ 4.)

• The skimmers were able to steal Plaintiffs' and class members' PII, which caused costs and expenses to Plaintiffs and class members attributable to responding, identifying, and correcting damages that were reasonably foreseeable as a result of Barnes & Noble's willful and negligent conduct. (Id. ¶ 5.)

• Winstead became aware of the Barnes & Noble data breach in October 2012, shortly after a fraudulent charge was incurred on her credit card in September 2012. At the time of the fraudulent charge, Winstead was unaware of any other recent data breaches that would have affected her credit card. (Id. ¶ 17.)

• Prior to the security breach, Winstead subscribed to identity protection monitoring, for which she paid $16.99 per month. After finding out about the security breach, Winstead continued to subscribe to identity protection monitoring services, in part because of the security breach. (Id. ¶ 18.)

• The cost to Barnes & Noble of collecting and safeguarding PII is built into the purchase price of all of its products sold at its stores, regardless of the method of payment used by a purchaser. Plaintiffs and class members suffered monetary damages in the form of overpaying for the products they purchased, as they were denied the privacy protections that they paid for. (Id. ¶ 71.)

DISCUSSION

Barnes & Noble's Motion seeks to dismiss the Amended Complaint on two separate bases. First, Barnes & Noble moves to dismiss the Amended Complaint under Federal Rule of Civil Procedure 12(b)(1), arguing that the Court lacks jurisdiction over these claims because Plaintiffs have failed to allege injury in fact adequately for purposes of Article III standing. Second, Defendants move to dismiss all of Plaintiffs' claims under Federal Rule of Civil Procedure 12(b)(6) for failure to state a claim.³ The Court addresses each of these arguments in turn.

3 Because the Court dismissed the Original Complaint pursuant to Rule 12(b)(1), its Order of Dismissal did not reach the merits of Barnes & Noble's arguments pursuant to Rule 12(b)(6). Accordingly, the parties incorporated by reference their 12(b)(6) arguments from the briefing on the motion to dismiss the Original Complaint into the briefing on the current Motion. (See Mot. at 1, Dkt. No. 59; Pls.' Resp. in Opp. at 4, Dkt. No. 63.)

I. Motion to Dismiss Pursuant to Rule 12(b)(1)

Rule 12(b)(1) provides that a party may move to dismiss an action when the Court lacks subject matter jurisdiction. Fed. R. Civ. P. 12(b)(1). "Federal courts are courts of limited jurisdiction and may only exercise jurisdiction where it is specifically authorized by federal statute." Evers v. Astrue, 536 F.3d 651, 657 (7th Cir. 2008) (internal quotation omitted). In considering a motion to dismiss for lack of subject matter jurisdiction under Rule 12(b)(1), the Court must accept the complaint's well-pleaded factual allegations as true and draw all reasonable inferences from those allegations in the plaintiff's favor. Transit Express, Inc. v. Ettinger, 246 F.3d 1018, 1023 (7th Cir. 2001).

Barnes & Noble argues that the Amended Complaint should be dismissed because Plaintiffs lack standing to sue. "[T]he question of standing is whether the litigant is entitled to have the court decide the merits of the dispute or of particular issues." Warth v. Seldin, 422 U.S. 490, 498 (1975). To establish standing, a plaintiff must demonstrate: "'(1) that [plaintiff] suffered an injury in fact (2) that is fairly traceable to the action of the defendant and (3) that will likely be redressed with a favorable decision.'" Kathrein v. City of Evanston, Ill., 636 F.3d 906, 914 (7th Cir. 2011) (quoting Books v. City of Elkhart, 235 F.3d 292, 299 (7th Cir. 2000)). The plaintiff bears the burden of alleging facts sufficient to establish standing; there is no burden on the defendant to show standing does not exist. Lujan v. Defenders of Wildlife, 504 U.S. 555, 561 (1992). The United States Supreme Court has explained an injury that is "certainly impending" can establish injury in fact for the purposes of standing, but "[a]llegations of possible future injury are not sufficient." Clapper v. Amnesty Int'l USA, 133 S. Ct. 1138, 1147 (2013) (emphasis in original; citation and internal quotation marks omitted). However, plaintiffs need not "demonstrate that it is literally certain that the harms they identify will come about;" standing can be established where there is "a 'substantial risk' that the harm will occur, which may prompt plaintiffs to reasonably incur costs to mitigate or avoid that harm." Id. at 1150 n.5 (citation omitted).

The Court finds that Plaintiffs have met their burden in pleading injury in fact under the recent Seventh Circuit case Remijas v. Neiman Marcus Group, 794 F.3d 688 (7th Cir. 2015). In that case, several plaintiffs filed suit as part of a putative class action against the retailer Neiman Marcus after hackers attacked that company and stole the credit card numbers of its customers. Id. at 689-90. During this attack, 350,000 cards were potentially exposed, and 9,200 of those cards were known to have been used fraudulently. Id. at 690. The Remijas plaintiffs alleged that they had made purchases using credit or debit cards during the time period in which the hackers stole the credit card information. Id. at 691. According to the complaint in that case, several of the Remijas plaintiffs had been the target of fraudulent charges, while others merely received notifications that their debit cards had been compromised. Id. at 690. The Remijas plaintiffs sought to represent themselves and the approximately 350,000 other customers whose data may have been breached. Id.

After the district court granted Neiman Marcus's motion to dismiss the complaint for lack of standing, the Remijas plaintiffs appealed and the Seventh Circuit reversed the district court's decision, finding that allegations that unreimbursed fraudulent charges and identity theft may occur in the future were sufficient to establish injury in fact. Id. Because the Remijas plaintiffs alleged that the hackers deliberately targeted Neiman Marcus in order to obtain their credit card information, the Seventh Circuit found that it was "plausible to infer that the plaintiffs have shown a substantial risk of harm from the Neiman Marcus data breach."⁴ Id. at 693. Furthermore, the Seventh Circuit found that the Remijas plaintiffs established injury in fact through their allegations that they lost time and money protecting themselves against future identity theft and fraudulent charges. Id. Although acknowledging that "[m]itigation expenses do not qualify as actual injuries where the harm is not imminent," the court indicated that those allegations were sufficient to establish standing in light of the "substantial risk of harm" posed by the data breach. Id. at 694. Thus, the Seventh Circuit found that "[t]he injuries associated with resolving fraudulent charges and protecting oneself against future identity theft . . . are sufficient to satisfy" the injury in fact requirement of Article III standing. Id. at 696.

4 In Remijas, the Seventh Circuit also stated that standing was supported because the plaintiffs there had shown an "'objectively reasonable likelihood' that such an injury will occur." Remijas, 794 F.3d at 693 (quoting Clapper, 133 S. Ct. at 1147). In fact, Clapper explicitly rejected the "objectively reasonable" standard that had previously been used by the Second Circuit. 133 S. Ct. at 1147. However, this Court does not consider the use of this discredited standard as material to the Seventh Circuit's ruling in Remijas; rather, the Seventh Circuit's decision can be justified on its citation of Clapper's "substantial risk" test. Remijas, 794 F.3d at 693 (citing Clapper, 133 S.Ct. at 1150 n.5.)

The Amended Complaint here, like the complaint considered by the Seventh Circuit in Remijas, sufficiently pleads injury in fact. The Amended Complaint alleges that skimmers tampered with Barnes & Nobles's PIN pad devices for the purpose of stealing customers' PII. (Am. Compl. ¶ 2, 4-5, 22-23, 50, 52, Dkt. No. 58.) Plaintiffs allege that they made purchases at several of the affected Barnes & Noble stores during the time period when skimmers were collecting PII from the compromised PIN pad devices. (Id. ¶¶ 12-15.) Plaintiffs further allege that skimmers made unauthorized purchases using the stolen PII.⁵ (Id. ¶ 52.) Furthermore, Plaintiffs have alleged they have devoted time and money to preventing improper use of their PII. (Id. ¶ 72(iv)-(v)). Under the Seventh Circuit's opinion in Remijas, these allegations are sufficient to establish Article III standing, as Plaintiffs allege that they incurred injuries in the course of protecting themselves from a "substantial risk" of fraudulent charges.

5 Barnes & Noble protests that because none of the Plaintiffs here have alleged that they have been the victim of identity theft, the allegations in the Amended Complaint are distinguishable from the facts alleged in Remijas. (Def.'s Resp. to Ntc. of Supp. Authority at 1, Dkt. No. 110.) However, Barnes & Noble misreads Remijas. There, the Seventh Circuit found injury in fact on the basis that the plaintiffs in that case, like Plaintiffs here, took precautions to protect themselves against a "substantial risk" of injury created by a data breach at issue there; not because the plaintiffs there had actually suffered fraudulent charges. Remijas, 794 F.3d at 696 (injury in fact established by "[t]he injuries associated with resolving fraudulent charges and protecting oneself against future identity theft . . . .").

Accordingly, the Court denies the Motion to the extent it asks the Court to dismiss on the basis of lack of Article III standing. Because there is standing, the Court has subject matter jurisdiction over this action under the Class Action Fairness Act ("CAFA"), 28 U.S.C. § 1332(d)(2), which "provides the federal district courts with 'original jurisdiction' to hear a 'class action' if the class has more than 100 members, the parties are minimally diverse, and the 'matter in controversy exceeds the sum or value of $5,000,000.'" Standard Fire Ins. Co. v. Knowles, 133 S. Ct. 1345, 1348 (2013) (quoting 28 U.S.C. § 1332(d)(2), (d)(5)(B)).

II. Motion to Dismiss Pursuant to Rule 12(b)(6)

When ruling on a Rule 12(b)(6) motion to dismiss, the Court must determine whether the plaintiff's complaint states a plausible claim for relief. Olson v. Champaign Cnty., Ill., 784 F.3d 1093, 1099 (7th Cir. 2015); see also Fed. R. Civ. P. 8(a)(2). To survive a motion to dismiss, a plaintiff must do more than provide "labels and conclusions" or "a formulaic recitation of the elements of a cause of action." Bell Atl. Corp. v. Twombly, 550 U.S. 544, 555 (2007). Although the Court should assume the truthfulness of a plaintiff's well-pleaded factual allegations, the Court need not accept that all of the plaintiff's legal conclusions are true. Ashcroft v. Iqbal, 556 U.S. 662, 677-79 (2009). "Threadbare recitals of the elements of a cause of action, supported by mere conclusory statements, do not suffice." Id. at 678. Instead, a complaint survives a motion to dismiss only when it contains "sufficient factual matter, accepted as true, to 'state a claim to relief that is plausible on its face.'" Id. (quoting Twombly, 550 U.S. at 570).

This case alleges causes of action under California and Illinois law. Thus, under CAFA, the Court considers whether a claim has been stated under the substantive laws of those states. Pisciotta v. Old Nat. Bancorp, 499 F.3d 629, 634 (7th Cir. 2007) (citing State Farm Mut. Auto. Ins. Co. v. Pate, 275 F.3d 666, 669 (7th Cir. 2001)).

A. Breach of Implied Contract (Count I)

Plaintiffs allege that, in providing their financial information to Barnes & Noble, they "entered into an implied contract . . . whereby Barnes & Noble became obligated to reasonably safeguard Plaintiffs' and the other Class members' PII." (Am. Compl. ¶ 91, Dkt. No. 58.) Barnes & Noble does not contest the issue of whether there was an implied contract between it and Plaintiffs. Rather, it claims that this count must be dismissed because Plaintiffs fail to allege any cognizable damages.

Under both Illinois and California law, a plaintiff must allege that he or she suffered damages in order to plead a cause of action for breach of contract. TAS Distrib. Co., Inc. v. Cummins Engine Co., Inc., 491 F.3d 625, 631 (7th Cir. 2007) (citing Transp. & Transit Assocs., Inc. v. Morrison Knudsen Corp., 255 F.3d 397, 401 (7th Cir. 2001)); Bushell v. JPMorgan Chase Bank, N.A., 163 Cal. Rptr. 3d 539, 544 (Cal. Ct. App. 2013). "Merely showing that a contract has been breached without demonstrating actual damage does not suffice . . . to state a claim for breach of contract." TAS Distrib. Co., 491 F.3d at 631 (citing Morrison Knudsen Corp., 255 F.3d at 401). Thus, even where there are sufficient allegations of harm to establish standing, a contract claim can still be dismissed for failing to allege recoverable economic damages. See, e.g., Pisciotta, 499 F.3d at 632; Moyer v. Michaels Stores, Inc., No. 14-cv-00561, 2014 WL 3511500, at *7 (N.D. Ill. July 14, 2014) ("[A]lthough Plaintiffs have standing, they have not pled the type of actual economic damage necessary to" state breach of contract claims sufficient under Rule 12(b)(6).).

The Amended Complaint is deficient in just this manner—as it fails to plead any economic or out-of-pocket damages that were caused by the Barnes & Noble data breach. Plaintiffs argue that they suffered damages in the form of overpayment for purchases and the loss of value of their PII. However, Remijas specifically cast doubt on whether such harms would be sufficient even to establish standing, much less to establish out of pocket losses. See Remijas, 794 F.3d at 694-95. Accordingly, the Court rejects Plaintiffs' arguments that overpayment for goods at Barnes & Nobles, or the loss of the value of Plaintiffs' PII, represent damages for the purposes of the breach of contract count. See id.; see also Pisciotta, 499 F.3d at 637 (rejecting idea that loss of value of personal information can serve as damages in breach of contract cause of action); Sterk v. Best Buy Stores, L.P., No. 11-cv-01894, 2012 WL 5197901, at *7 (N.D. Ill. Oct. 17, 2012) (where defendants charged the same price whether or not they obtain personal information from the plaintiff, the "value" of that information cannot be found to be plausibly factored into the sale price). Furthermore, although Plaintiffs argue that Dieffenbach "suffered anxiety as a result of the Security Breach," they fail to cite any authority allowing compensation for anxiety in a breach of contract matter. Finally, Plaintiffs argue that they "are entitled to nominal damages for the injury from the breach of implied contract." (Pls.' Resp. at 12, Dkt. No. 48.) Although nominal damages are available in circumstances where a plaintiff can establish damages, but cannot quantify the amount with reasonable certainty, the fact still remains that a plaintiff must allege actual damages to state a claim for relief for breach of contract. TAS Distrib. Co., 491 F.3d at 631.

Plaintiffs do attempt to plead several sources of economic damages suffered particularly by Winstead. Plaintiffs first allege that Winstead suffered damages owing to the data breach in the form of money Winstead paid to subscribe to an identity protection monitoring service. However, the Amended Complaint reveals that even "[p]rior to the Security Breach, Winstead subscribed to identity protection monitoring services from Identity Guard at a cost of $16.99 per month," and that Winstead renewed those services "in part, because of the [Barnes & Noble] Security Breach." (Am. Compl. ¶ 18, Dkt. No. 58.) Because the Amended Complaint concedes that Winstead subscribed data protection services even before the Barnes & Noble data breach, and only renewed the services "in part" due to the Barnes & Noble breach, the Court finds that the Amended Complaint does not plausibly allege damages attributable to that breach. Plaintiffs also argue that Winstead suffered damages in the form of "[taking] time to dispute an unauthorized charge and have a new card issued." (Pls.' Resp. at 12, Dkt. No. 48.) However, Plaintiffs have not pled that Winstead suffered any actual injury or monetary loss due to the fraudulent charge.

With its failure to actually allege any economic damages, Plaintiffs' complaint is distinguishable from the claims asserted in In re Michaels Stores Pin Pad Litigation, 830 F. Supp. 2d 518 (N.D. Ill. 2011), which Plaintiffs claim "reject[ed] arguments repeated by [Barnes & Noble] here." (Pls.' Resp. at 13, Dkt. No. 48.) In that case, the court permitted a breach of implied contract claim premised on a data breach to proceed only after noting that the plaintiffs in that case had specifically alleged actual misuse of their financial information that "caused Plaintiffs to lose money from unauthorized withdrawals and/or related bank fees." In re Michaels, 830 F. Supp. 2d at 531 n.6. Here, unlike in Michaels, Plaintiffs do not allege that they have lost money from unauthorized withdrawals or bank fees.

Accordingly, the Court dismisses Plaintiffs' breach of contract claim.

B. Violation of the ICFA (Count II)

Plaintiffs also allege that Barnes & Noble violated the ICFA, 815 ILCS 505/2, by "failing to properly implement adequate, commercially reasonable security measures to protect Plaintiffs' and the other Class members' PII and by failing to inform Plaintiffs and Class members of these material facts." (Am. Compl. ¶ 105, Dkt. No. 58.) To state a claim for damages under the ICFA, Plaintiffs must plead: (1) a deceptive act or practice by Barnes & Noble; (2) that the act or practice occurred in the course of conduct involving trade or commerce; (3) that Barnes & Noble intended Plaintiffs and the members of the class to rely on the deception; and (4) that actual damages were proximately caused by the deception. Oshana v. Coca-Cola Co., 472 F.3d 506, 513 (7th Cir. 2006) (citing Avery v. State Farm Mut. Auto. Ins. Co., 835 N.E.2d 801, 850 (Ill. 2005); Oliveira v. Amoco Oil Co., 776 N.E.2d 151, 164 (Ill. 2002)). Thus, "a damages claim under the ICFA requires that the plaintiff was deceived in some manner and damaged by the deception." Id. at 513-14.

Again, Plaintiffs' failure to plead any economic damages whatsoever in the Complaint is fatal to this cause of action. Plaintiffs fail to state a viable claim because "[o]nly a person who suffers actual damage may bring an action under the ICFA." Michaels, 830 F. Supp. 2d at 526 (citing 815 ILCS 505/10a(a)); Oliveira, 776 N.E.2d at 160 (a "private cause of action brought under [ICFA] requires proof of 'actual damage' . . . [and] proof that the damage occurred 'as a result of' the deceptive act or practice.")). Although Plaintiffs allege that a fraudulent charge was made on Winstead's credit card, there is no allegation that she suffered out-of-pocket losses due to that charge. See Michaels, 830 F. Supp. 2d at 527 ("Plaintiffs suffer[] no actual [actionable] injury under the ICFA if Plaintiffs were reimbursed for all unauthorized withdrawals and bank fees and, thus, suffered no out-of-pocket losses."). Further, Plaintiffs' claim that they face an increased risk of future identity theft and must spend money to mitigate that risk is also insufficient to state a claim under ICFA; under that statute, "a plaintiff does not suffer actual damage simply because of the increased risk of future identity theft or because the plaintiff purchased credit monitoring services." Id. at 526; see also Cooney v. Chicago Pub. Sch., 943 N.E.2d 23, 31 (Ill. App. Ct. 2010) (credit monitoring costs and risk of future injury are not a present harm in and of themselves sufficient to support ICFA claim) (collecting cases).

Plaintiffs protest that the district court in Michaels, 830 F. Supp. 2d 518 (N.D. Ill. 2011), on similar allegations, denied a motion to dismiss those plaintiffs' ICFA claims. As discussed above, however, unlike in the Amended Complaint, the complaint in Michaels alleged that the plaintiffs had suffered actual monetary losses. Id. at 527. For the same reason, Plaintiffs' argument that this Court should follow the Michaels court and find that Plaintiffs here stated a claim under ICFA through Barnes & Noble's violation of the Illinois Personal Information Protection Act ("PIPA"), 815 ILCS 530/1, et seq., is misplaced. While a violation of PIPA "constitutes an unlawful practice under" ICFA, see 815 ILCS 530/20, there still must be "actual damages" to state a claim under ICFA. See Oshana, 472 F.3d at 513. Finally, although Plaintiffs correctly note that nominal damages are available under ICFA, those are only recoverable where there are allegations (and proof) of actual damages. See Kirkpatrick v. Strosberg, 894 N.E.2d 781, 794 (Ill. App. Ct. 2008) (affirming trial court's award of nominal damages based on its "specific finding of fact that plaintiffs did indeed prove actual damages").

Accordingly, the Court dismisses Plaintiffs' ICFA claim as well.

C. Invasion of Privacy (Count III)

In Count III of the Amended Complaint, Plaintiffs attempt to state a cause of action based on Barnes & Noble's purported invasion of privacy through public disclosure of Plaintiffs' PII. Under Illinois law, a claim for invasion of privacy based on public disclosure of private facts requires Plaintiffs to plead three elements: (1) the disclosure must be public; (2) the facts must be private facts; and (3) the matter made public would be highly offensive to a reasonable person. Johnson v. K mart Corp., 723 N.E.2d 1192, 1197 (Ill. App. Ct. 2000). These same three elements apply under California law. Daly v. Viacom, Inc., 238 F. Supp. 2d 1118, 1124 (N.D. Cal. 2002).

Here, Plaintiffs fail to state a claim because they fail to allege that there was a public disclosure within the meaning of the common law cause of action. To state a claim that there was a public disclosure of private data, a plaintiff must plead that the disclosure "'communicate[d] the matter to the public at large or to so many persons that the matter must be regarded as one of general knowledge.'" Chisholm v. Foothill Capital Corp., 3 F. Supp. 2d 925, 940 (N.D. Ill. 1998) (quoting Roerhborn v. Lambert, 660 N.E.2d 180, 184 (Ill. App. Ct. 1995)); see also Hill v. Nat'l Collegiate Athletic Assn., 865 P.2d 633, 648-49 (Cal. 1994) ("[C]ommon law invasion of privacy by public disclosure of private facts requires that the actionable disclosure be widely published and not confined to a few persons or limited circumstances.") (citing Restatement (Second) of Torts § 652D, cmt. a.). The Amended Complaint, however, contains no allegation that the exposed PII was widely published; in fact, even reading the Amended Complaint broadly, the only people who would have had access to the stolen PII would be the skimmers, and potentially whatever third parties to which they sold the PII. The Court cannot find that Plaintiffs adequately alleged public disclosure given the limited number of people that would have seen the PII as pleaded in the Amended Complaint.

Furthermore, even had the PII been sufficiently widely disseminated to count as a public disclosure, the PII cannot be considered private information that would be highly offensive to a reasonable person. "Private facts" only include facts that are "facially revealing, compromising, or embarrassing." Busse v. Motorola Inc., 813 N.E.2d 1013, 1018 (Ill. App. Ct. 2004). Information such as names, birth dates, and social security numbers, do not fall into this category. Id. The PII involved in this case "include[e] . . . credit and debit card information, personal identification numbers . . . , and Plaintiffs' and Class members' names . . . ." (Am. Compl. ¶ 1, Dkt. No. 58.) The Court finds that this information is not the type of "private facts," the disclosure of which would be "highly offensive to a reasonable person." Busse, 813 N.E.2d at 1017 (internal quotations and citations omitted). Thus, Plaintiffs' invasion of privacy claim fails.

D. Violation of the California Security Breach Notification Act (Count IV)

The Amended Complaint also includes a claim, on behalf of Dieffenbach, that Barnes & Noble violated the California Security Breach Notification Act. That statute provides that a business that conducts business in California "shall disclose a breach of the security of [computerized data] following discovery . . . of the breach in the security of the data to a resident of California whose unencrypted personal information was. . . acquired by an unauthorized person." Cal. Civ. Code § 1798.82(a). Such disclosure must occur "in the most expedient time possible . . . ." Id. "Any customer injured by a violation of" section 1798.82 "may institute a civil action to recover damages." Cal. Civ. Code § 1798.84(b).

The Amended Complaint here adequately alleges that Barnes & Noble was insufficiently prompt in notifying Dieffenbach of the data breach, as Barnes & Noble did not reveal its discovery of the breach for "nearly six weeks." (Am. Compl. ¶ 2, Dkt. No. 58.) But, as with the other counts pled in the Amended Complaint, Plaintiffs fail to state a claim with respect to Count IV because they fail to plead adequately that Dieffenbach was injured by any violation of the California Security Breach Notification Act. Even assuming that any of the injuries alleged in the Complaint—e.g., loss of value of Dieffenbach's PII, the time and expense of mitigating the risk of identity theft, or anxiety— are cognizable under that statute, to establish an injury under the California Security Breach Notification Act, a plaintiff must allege that her injuries were caused by the delay between the time she was notified of the breach and the time she contends she should have been notified. See In re Sony Gaming Networks & Customer Data Sec. Breach Litig., 996 F. Supp. 2d 942, 965 (S.D. Cal. 2014) (dismissing claim that defendant unduly delayed disclosure of data breach where the plaintiffs "failed to allege that their injuries . . . were proximately caused by [defendant's] alleged untimely delay"); see also Boorstein v. Men's Journal LLC, 12-cv-00771, 2012 WL 2152815, at *2 (C.D. Cal. June 14, 2012) (allegation that sale of plaintiff's information to third parties decreased its market value insufficient to state a claim because plaintiff could not show how that purported injury was "caused by a violation of the statute"). The Amended Complaint fails to plead facts that would establish such a causal connection between the six-week delay in reporting the Barnes & Noble breach and any damages suffered by Dieffenbach. The Court thus dismisses the California Security Breach Notification Act claim.

E. Violation of UCL (Count V)

Finally, the Amended Complaint, on behalf of Dieffenbach, alleges that Barnes & Noble engaged in "unlawful, unfair and fraudulent business practices" in violation of the UCL. (Am. Compl. ¶ 134, Dkt. No. 58.) California's UCL "prohibits any unfair competition, which means 'any unlawful, unfair or fraudulent business act or practice.'" Ruiz v. Gap, Inc., 540 F. Supp. 2d 1121, 1127 (N.D. Cal. 2008) (quoting In re Pomona Valley Med. Group, 476 F.3d 665, 674 (9th Cir. 2007)), aff'd, 380 F. App'x 689 (9th Cir. 2010). To pursue a claim under the UCL, a plaintiff must allege a personal loss of "money" or "property" as a result of any allegedly unlawful, unfair, or fraudulent conduct. Yunker v. Pandora Media, Inc., No. 11-cv-03113, 2013 WL 1282980, at *11 (N.D. Cal. Mar. 26, 2013); Cal. Bus. & Prof. Code § 17204 (private plaintiff must have "suffered an injury in fact and . . . lost money or property as a result of the unfair competition").

As pleaded in the Amended Complaint, Dieffenbach cannot state a claim under the UCL, as she has not sufficiently pleaded a loss of money or property. As discussed above, the Amended Complaint generally fails to allege any out of pocket or economic damages to any Plaintiff, Dieffenbach included. Furthermore, case law interpreting the UCL has rejected the notion that an unauthorized release of personal information constitutes a loss of money or property within the meaning of that statute. In re iPhone Application Litig., No. 11-md-02250, 2011 WL 4403963, at *14 (N.D. Cal. Sept. 20, 2011) ("Numerous courts have held that a plaintiff's 'personal information' does not constitute money or property under the UCL."); see also, e.g., Ruiz, 540 F. Supp. 2d at 1127; Pandora, 2013 WL 1282980, at Furthermore, "heightened risk of identity theft, time and money spent on mitigation of that risk, and property value in one's information, do not suffice as injury under the UCL . . . ." In re Sony, 903 F. Supp. 2d at 966. Because the Amended Complaint fails to sufficiently allege any loss of money or property within the meaning of the UCL, the Court dismisses the UCL claim.

CONCLUSION

For the foregoing reasons, the Court finds that Plaintiffs have alleged standing sufficiently in the Amended Complaint, and thus denies the Motion to the extent it proceeds under Federal Rule of Civil Procedure 12(b)(1). However, the Court finds that Plaintiffs have failed to state a claim for relief on any of the Counts set forth in the Amended Complaint, and thus grants the Motion in full to the extent it proceeds under Federal Rule of Civil Procedure 12(b)(6). Dated: October 3, 2016

ENTERED:

/s/_________

Andrea R. Wood

United States District Judge