Schnucks wants federal court to handle data breach lawsuit
St. Louis supermarket chain was recently sued in state court of breach that exposed 2.4 million payment cards
Computerworld - The St. Louis-based grocery chain Schnuck Markets has claimed that a potential class action lawsuit filed against it in an Illinois state court over a recent data breach really belongs in federal court because of the case's scope and damages involved.
In a motion for removal filed earlier this month, Schnucks noted that the damages claimed by the plaintiff in the case easily exceeded the $5 million threshold for a federal case. The number of people that are alleged to have suffered financial injury from the breach and the fact that they are from multiple states also make the case a federal one, the company alleged in its motion.
Schnucks owns 100 stores and 96 in-store pharmacies in a five-stage region in the Midwest. Earlier this year the company disclosed a data breach that it said had exposed data on about 2.4 million credit and debit cards used by customers at 79 stores. The company said that only card numbers and expiration dates were exposed, not the cardholder's name, address or identifying information.
Schnucks's disclosure prompted a lawsuit from an Illinois customer who accused the company of negligence, and of not informing affected individuals quickly enough of the breach.
The lawsuit, filed on behalf of the named plaintiff and others similarly affected, sought actual damages from Schnucks for the numerous hours and effort that individuals had to allegedly put into cancelling affected cards, activating replacements and re-establishing automatic withdrawal authorizations. It also accused Schnucks of willful and wanton neglect, a charge for which punitive damages are available under Illinois law.
In its motion for removal, Schnucks claimed that the "time and effort" claims for Illinois alone easily exceed the $5 million threshold for federal consideration.
"Even valuing Plaintiff's and the putative class members' alleged "time and effort" damages at the federal minimum wage ($7.25 per hour), and interpreting "numerous hours" to equal only two (2) hours, the potential amount in controversy is equal to approximately $7.25 million," for a class of about 500,000 affected individuals in Illinois, Schnucks said in its motion.
In addition, the potential punitive damages involved in the case also far exceed the $5 million requirement, the motion said in arguing for removal of the case to the District Court.
Scott Vernick, an attorney at Fox Rothschild in Philadelphia said that Schnucks' effort to move the case to a federal court appears to be a calculated gambit.
Federal courts are generally better equipped and more experienced at handling large class-action data breach lawsuits, so Schnucks might believe it has a fairer shot there than in a state court, he said.
Importantly, data breach lawsuits such as the one filed against Schnucks have also not tended to fare very well in federal courts, he said. Often, federal courts have tended to dismiss breach lawsuits because they have not been convinced that the alleged victims have in fact suffered actual financial injury from a breach, Vernick said.
The downside to Schnucks' effort to get the case to federal court is that it is in a sense admitting that potential damages against it could be tens of millions of dollars, he said. Any company that admits that it faces more than $5 million in potential damages from a lawsuit will later have a hard time backing away from that number if the case goes against it, he added.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed . His e-mail address is email@example.com.
Read more about Data Security in Computerworld's Data Security Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Top tips for securing big data environments - Why big data doesn't have to mean big security challenges Organizations don't have to feel overwhelmed when it comes to securing big data environments. The same security fundamentals for securing databases, data warehouses...
- Top 3 Myths about Big Data Security : Debunking common misconceptions about big data security Big data represents massive business possibilities and competitive advantage for organizations that are able to harness and use that information. But how are...
- Three guiding principles for data security and compliance Data security is a moving target-as data grows, more sophisticated threats emerge; the number of regulations increase; and changing economic times make it...
- Mitigate the OWASP Top 10 Web Application Security Risks This technical brief analyzes each of the ten risks and outlines how you can protect your organization from threats targeting your high-value applications...
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva.
- How SIEM Addresses the Challenges of Big Security Data This webcast will help you understand today's big data security challenges and how intelligent and scalable SIEM solutions give IT the tools and... All Data Security White Papers | Webcasts