Schnucks wants federal court to handle data breach lawsuit

St. Louis supermarket chain was recently sued in state court of breach that exposed 2.4 million payment cards

The St. Louis-based grocery chain Schnuck Markets has claimed that a potential class action lawsuit filed against it in an Illinois state court over a recent data breach really belongs in federal court because of the case's scope and damages involved.

In a motion for removal filed earlier this month, Schnucks noted that the damages claimed by the plaintiff in the case easily exceeded the $5 million threshold for a federal case. The number of people that are alleged to have suffered financial injury from the breach and the fact that they are from multiple states also make the case a federal one, the company alleged in its motion.

Schnucks owns 100 stores and 96 in-store pharmacies in a five-stage region in the Midwest. Earlier this year the company disclosed a data breach that it said had exposed data on about 2.4 million credit and debit cards used by customers at 79 stores. The company said that only card numbers and expiration dates were exposed, not the cardholder's name, address or identifying information.

Schnucks's disclosure prompted a lawsuit from an Illinois customer who accused the company of negligence, and of not informing affected individuals quickly enough of the breach.

The lawsuit, filed on behalf of the named plaintiff and others similarly affected, sought actual damages from Schnucks for the numerous hours and effort that individuals had to allegedly put into cancelling affected cards, activating replacements and re-establishing automatic withdrawal authorizations. It also accused Schnucks of willful and wanton neglect, a charge for which punitive damages are available under Illinois law.

In its motion for removal, Schnucks claimed that the "time and effort" claims for Illinois alone easily exceed the $5 million threshold for federal consideration.

"Even valuing Plaintiff's and the putative class members' alleged "time and effort" damages at the federal minimum wage ($7.25 per hour), and interpreting "numerous hours" to equal only two (2) hours, the potential amount in controversy is equal to approximately $7.25 million," for a class of about 500,000 affected individuals in Illinois, Schnucks said in its motion.

In addition, the potential punitive damages involved in the case also far exceed the $5 million requirement, the motion said in arguing for removal of the case to the District Court.

Scott Vernick, an attorney at Fox Rothschild in Philadelphia said that Schnucks' effort to move the case to a federal court appears to be a calculated gambit.

Federal courts are generally better equipped and more experienced at handling large class-action data breach lawsuits, so Schnucks might believe it has a fairer shot there than in a state court, he said.

Importantly, data breach lawsuits such as the one filed against Schnucks have also not tended to fare very well in federal courts, he said. Often, federal courts have tended to dismiss breach lawsuits because they have not been convinced that the alleged victims have in fact suffered actual financial injury from a breach, Vernick said.

The downside to Schnucks' effort to get the case to federal court is that it is in a sense admitting that potential damages against it could be tens of millions of dollars, he said. Any company that admits that it faces more than $5 million in potential damages from a lawsuit will later have a hard time backing away from that number if the case goes against it, he added.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is

See more by Jaikumar Vijayan on

Read more about data security in Computerworld's Data Security Topic Center.

Join the CSO newsletter!

Error: Please check your email address.

Tags data securitySchnuckssecuritydata protectionprivacy

More about Scott CorporationTopic

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Jaikumar Vijayan

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place