The St. Louis-based grocery chain Schnuck Markets has claimed that a potential class action lawsuit filed against it in an Illinois state court over a recent data breach really belongs in federal court because of the case's scope and damages involved.
In a motion for removal filed earlier this month, Schnucks noted that the damages claimed by the plaintiff in the case easily exceeded the $5 million threshold for a federal case. The number of people that are alleged to have suffered financial injury from the breach and the fact that they are from multiple states also make the case a federal one, the company alleged in its motion.
Schnucks owns 100 stores and 96 in-store pharmacies in a five-stage region in the Midwest. Earlier this year the company disclosed a data breach that it said had exposed data on about 2.4 million credit and debit cards used by customers at 79 stores. The company said that only card numbers and expiration dates were exposed, not the cardholder's name, address or identifying information.
Schnucks's disclosure prompted a lawsuit from an Illinois customer who accused the company of negligence, and of not informing affected individuals quickly enough of the breach.
The lawsuit, filed on behalf of the named plaintiff and others similarly affected, sought actual damages from Schnucks for the numerous hours and effort that individuals had to allegedly put into cancelling affected cards, activating replacements and re-establishing automatic withdrawal authorizations. It also accused Schnucks of willful and wanton neglect, a charge for which punitive damages are available under Illinois law.
In its motion for removal, Schnucks claimed that the "time and effort" claims for Illinois alone easily exceed the $5 million threshold for federal consideration.
"Even valuing Plaintiff's and the putative class members' alleged "time and effort" damages at the federal minimum wage ($7.25 per hour), and interpreting "numerous hours" to equal only two (2) hours, the potential amount in controversy is equal to approximately $7.25 million," for a class of about 500,000 affected individuals in Illinois, Schnucks said in its motion.
In addition, the potential punitive damages involved in the case also far exceed the $5 million requirement, the motion said in arguing for removal of the case to the District Court.
Scott Vernick, an attorney at Fox Rothschild in Philadelphia said that Schnucks' effort to move the case to a federal court appears to be a calculated gambit.
Federal courts are generally better equipped and more experienced at handling large class-action data breach lawsuits, so Schnucks might believe it has a fairer shot there than in a state court, he said.
Importantly, data breach lawsuits such as the one filed against Schnucks have also not tended to fare very well in federal courts, he said. Often, federal courts have tended to dismiss breach lawsuits because they have not been convinced that the alleged victims have in fact suffered actual financial injury from a breach, Vernick said.
The downside to Schnucks' effort to get the case to federal court is that it is in a sense admitting that potential damages against it could be tens of millions of dollars, he said. Any company that admits that it faces more than $5 million in potential damages from a lawsuit will later have a hard time backing away from that number if the case goes against it, he added.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is firstname.lastname@example.org.
Read more about data security in Computerworld's Data Security Topic Center.