U.S. Seventh Circuit - The FindLaw 7th Circuit Court of Appeals Opinion Summaries Blog

Data Breach Case Moves One Step Forward Against Barnes & Noble

In remanding a closely-watched data breach case, the U.S. Seventh Circuit Court of Appeals acknowledged that it solved little.

It addressed only whether the plaintiffs had standing to sue in Diefenbach v. Barnes & Noble, Inc. They do, the appeals court said, because they alleged sufficient damages.

But that issue has taken almost six years to resolve, and the biggest practical question remains: can they be certified as a class?

Class Inaction

The case started after two Barnes & Noble customers complained about a data breach that occurred in 2012. They sued, alleging the bookseller failed to protect their PIN-pad information.

Two dismissals later, the Seventh Circuit has cleared the way for them to proceed. But there will be a lot of issues at the trial court.

Judge Frank Easterbrook, writing for the panel, said the plaintiffs have a task that should have been decided years ago. It's "far from clear," he said, that they can get a certified class.

Plus, the law is all over the place. Literally, the allegations point to PIN-pad problems in California, Connecticut, Florida, Illinois, Massachusetts, New Jersey, New York, Pennsylvania, and Rhode Island.

Here or There?

With legal observers everywhere, the Seventh Circuit opinion is one among many. Some see the Barnes & Noble case as another kill for plaintiffs in the field of class actions over data breaches.

Others, not so much. "There are at least a few silver linings in the decision for data breach defendants," says Ballard Spahr.

Among others, none of the states make "merchants liable for failure to crime-proof their point of sale systems." Plus, the appeals court said, the states have different laws and "the potential damages are disparate."

Of course, those are problems for the trial judge.

Related Resources: