Schnucks wants federal court to handle data breach lawsuit
St. Louis supermarket chain was recently sued in state court of breach that exposed 2.4 million payment cards
Computerworld - The St. Louis-based grocery chain Schnuck Markets has claimed that a potential class action lawsuit filed against it in an Illinois state court over a recent data breach really belongs in federal court because of the case's scope and damages involved.
In a motion for removal filed earlier this month, Schnucks noted that the damages claimed by the plaintiff in the case easily exceeded the $5 million threshold for a federal case. The number of people that are alleged to have suffered financial injury from the breach and the fact that they are from multiple states also make the case a federal one, the company alleged in its motion.
Schnucks owns 100 stores and 96 in-store pharmacies in a five-stage region in the Midwest. Earlier this year the company disclosed a data breach that it said had exposed data on about 2.4 million credit and debit cards used by customers at 79 stores. The company said that only card numbers and expiration dates were exposed, not the cardholder's name, address or identifying information.
Schnucks's disclosure prompted a lawsuit from an Illinois customer who accused the company of negligence, and of not informing affected individuals quickly enough of the breach.
The lawsuit, filed on behalf of the named plaintiff and others similarly affected, sought actual damages from Schnucks for the numerous hours and effort that individuals had to allegedly put into cancelling affected cards, activating replacements and re-establishing automatic withdrawal authorizations. It also accused Schnucks of willful and wanton neglect, a charge for which punitive damages are available under Illinois law.
In its motion for removal, Schnucks claimed that the "time and effort" claims for Illinois alone easily exceed the $5 million threshold for federal consideration.
"Even valuing Plaintiff's and the putative class members' alleged "time and effort" damages at the federal minimum wage ($7.25 per hour), and interpreting "numerous hours" to equal only two (2) hours, the potential amount in controversy is equal to approximately $7.25 million," for a class of about 500,000 affected individuals in Illinois, Schnucks said in its motion.
In addition, the potential punitive damages involved in the case also far exceed the $5 million requirement, the motion said in arguing for removal of the case to the District Court.
Scott Vernick, an attorney at Fox Rothschild in Philadelphia said that Schnucks' effort to move the case to a federal court appears to be a calculated gambit.
Federal courts are generally better equipped and more experienced at handling large class-action data breach lawsuits, so Schnucks might believe it has a fairer shot there than in a state court, he said.
Importantly, data breach lawsuits such as the one filed against Schnucks have also not tended to fare very well in federal courts, he said. Often, federal courts have tended to dismiss breach lawsuits because they have not been convinced that the alleged victims have in fact suffered actual financial injury from a breach, Vernick said.
The downside to Schnucks' effort to get the case to federal court is that it is in a sense admitting that potential damages against it could be tens of millions of dollars, he said. Any company that admits that it faces more than $5 million in potential damages from a lawsuit will later have a hard time backing away from that number if the case goes against it, he added.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed . His e-mail address is email@example.com.
Read more about Data Security in Computerworld's Data Security Topic Center.
- A More Predictable Way to Budget Software Costs Wavetronix enables creative collaboration while cost-effectively accessing all the latest tools with Adobe Creative Cloud for teams. For Wavetronix, collaboration was easy when...
- Adobe Creative Cloud for teams Security Overview This white paper describes the proactive approach and procedures implemented by Adobe to increase the security of your Creative Cloud experience and your...
- 3 Big Data Security Analytics Techniques You Can Apply Now to Catch Advanced Persistent Threats This technical white paper demonstrates how to use Big Data security analytics techniques to detect advanced persistent threat (APT) cyber attacks, and it...
- IT Security by the Numbers: Calculating the Total Cost of Protection Humorist Franklin P. Jones may have said it best: "When you get something for nothing, you just haven't been billed for it yet."...
- Live Webcast Security Vulnerabilities Associated With Having Local Administrator Privileges Viewfinity will demonstrate how removing admin rights and granularly managing privileges at the application level reduces the attack surface.
- Security Vulnerabilities Associated With Having Local Administrator Privileges Viewfinity will demonstrate how removing admin rights and granularly managing privileges at the application level reduces the attack surface.
- It's not too late...Get Your Mobile Questions Answered Live! How can IT provide seamless and secure mobile communications and collaboration for all? Join this live Webcast as IDG asks an expert panel... All Data Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!