Case 1:20-cv-10551-PBS Document 35 Filed 11/05/20 Page 1 of 12
`
`
`
`ROBERT HARTIGAN, on behalf of
`himself and all others similarly
`situated,
`
`
`
`
`
`
`
`
`
`v.
`
`
`
`
`
`Plaintiff,
`
`
`
`
`
`
`
`
`
`
`MACY’S, INC.,
`
`
`
`
`
`
`
`Defendant.
`
`
`
`
`______________________________
`
`
`UNITED STATES DISTRICT COURT
`DISTRICT OF MASSACHUSETTS
`___________________________________
`)
`)
`)
`)
`)
`)
`)
`)
`)
`)
`)
`)
`)
`
`
`
`
`
`
`
`
`
`
`
`
`Civil Action
`No. 20-10551-PBS
`
`Saris, D.J.
`
`MEMORANDUM AND ORDER
`
`November 5, 2020
`
`INTRODUCTION
`
`This case is about a criminal cyberattack on the online
`
`database of defendant Macy’s, Inc. (“Macy’s”), a well-known
`
`department store chain -- its second hacking in less than a year
`
`and a half. Plaintiff Robert Hartigan (“Hartigan”) brings this
`
`putative class action against Macy’s alleging unreasonable
`
`interference with privacy in violation of M.G.L. c. 214, § 1B
`
`(Count I), negligence (Count II), breach of contract (Count III),
`
`unfair and deceptive business practices in violation of M.G.L. c.
`
`93A, §2 (Count IV), and violation of M.G.L. c. 93H (Count V).
`
`Macy’s moves to dismiss the action for lack of standing pursuant
`
`
`
`
`
`ROBERT HARTIGAN, on behalf of
`himself and all others similarly
`situated,
`
`
`
`
`
`
`
`
`
`v.
`
`
`
`
`
`Plaintiff,
`
`
`
`
`
`
`
`
`
`
`MACY’S, INC.,
`
`
`
`
`
`
`
`Defendant.
`
`
`
`
`______________________________
`
`
`UNITED STATES DISTRICT COURT
`DISTRICT OF MASSACHUSETTS
`___________________________________
`)
`)
`)
`)
`)
`)
`)
`)
`)
`)
`)
`)
`)
`
`
`
`
`
`
`
`
`
`
`
`
`Civil Action
`No. 20-10551-PBS
`
`Saris, D.J.
`
`MEMORANDUM AND ORDER
`
`November 5, 2020
`
`INTRODUCTION
`
`This case is about a criminal cyberattack on the online
`
`database of defendant Macy’s, Inc. (“Macy’s”), a well-known
`
`department store chain -- its second hacking in less than a year
`
`and a half. Plaintiff Robert Hartigan (“Hartigan”) brings this
`
`putative class action against Macy’s alleging unreasonable
`
`interference with privacy in violation of M.G.L. c. 214, § 1B
`
`(Count I), negligence (Count II), breach of contract (Count III),
`
`unfair and deceptive business practices in violation of M.G.L. c.
`
`93A, §2 (Count IV), and violation of M.G.L. c. 93H (Count V).
`
`Macy’s moves to dismiss the action for lack of standing pursuant
`
`
`
`Case 1:20-cv-10551-PBS Document 35 Filed 11/05/20 Page 2 of 12
`
`
`
`to Fed. R. Civ. P. 12(b)(1) and for failure to state a claim
`
`pursuant to Fed. R. Civ. P. 12(b)(6).
`
`After hearing, the Court ALLOWS Macy’s motion to dismiss
`
`primarily on the ground of lack of standing.
`
`FACTUAL BACKGROUND
`
`Except where stated, the following facts are alleged in the
`
`First Amended Class Action Complaint and must be taken as true at
`
`this stage. See Newman v. Lehman Bros. Holdings Inc., 901 F.3d 19,
`
`25 (1st Cir. 2018). The Court may also consider additional evidence
`
`in determining a motion to dismiss pursuant to Fed. P. Civ. P.
`
`12(b)(1). Merlonghi v. United States, 620 F.3d 50, 54 (1st Cir.
`
`2010) (citation omitted).
`
`On October 10, 2019, Hartigan, a resident of Massachusetts,
`
`purchased items through Macy’s website with his VISA credit card.
`
`He provided his home address, credit card information, and other
`
`personal information to complete the purchase.
`
`Between October 7 and 15, 2019, hackers installed malware on
`
`Macy’s website in order to access payment information of customers
`
`who completed online purchases. The personal information obtained
`
`included: (1) first and last names; (2) addresses; (3) phone
`
`numbers; (4) email addresses; and (5) credit card numbers,
`
`including expiration dates and security codes. A similar breach of
`
`Macy’s data had occurred in May and June 2018. See Memorandum
`
`2
`
`
`
`Case 1:20-cv-10551-PBS Document 35 Filed 11/05/20 Page 3 of 12
`
`
`
`Opinion at 2, Carroll v. Macy’s Inc., No. 18-01060 (N.D. Ala. June
`
`5, 2020).
`
`Macy’s privacy policy states it “put in place various
`
`procedural, technical, and administrative measures to safeguard
`
`the information [Macy’s] collect[s] and use[s].” Dkt. 19 at 38-
`
`39. The policy also warned users that “no security safeguards or
`
`standards are guaranteed to provide 100% security.” Id. at 39.
`
`On November 14, 2019, Macy’s sent a Breach Notification Letter
`
`to Hartigan and other Macy’s customers about the data infringement.
`
`The breach notice provided information regarding the known risks
`
`of harm associated with data breaches, as well as steps that
`
`customers could take to protect themselves from data infringement.
`
`To address the heightened risk of personal identity theft, Macy’s
`
`offered Hartigan one year of complimentary credit monitoring
`
`services.
`
`As a result of the hack, Hartigan alleges he suffered
`
`emotional distress, a breach of privacy, public disclosure of
`
`private facts, and loss of time. To mitigate against the risk of
`
`identity theft, Hartigan purchased data monitoring services from
`
`LifeLock.
`
`DISCUSSION
`
`The primary issue is whether Hartigan has pled sufficient
`
`injury-in-fact to establish standing. Macy’s argues that Hartigan
`
`3
`
`
`
`Case 1:20-cv-10551-PBS Document 35 Filed 11/05/20 Page 4 of 12
`
`
`
`has failed to do so because he has not alleged that he suffered
`
`economic harm, that his immutable personal information like a
`
`social security number has been misused, or that he faces imminent
`
`risk of future identity theft. Hartigan disagrees, contending that
`
`he has pled sufficient injury-in-fact based on his allegations
`
`that he suffers from increased risk of identity theft, that he has
`
`incurred costs to purchase credit monitoring services, and that he
`
`lost the benefit of the bargain because Macy’s breached its
`
`contract with him.
`
`I.
`
`Standing
`
`“The party invoking the jurisdiction of a federal court
`
`carries the burden of proving its existence.” Murphy v. United
`
`States, 45 F.3d 520, 522 (1st Cir. 1995) (citation omitted). In
`
`analyzing whether a complaint states a basis for jurisdiction
`
`under Rule 12(b)(1), the Court “must credit the plaintiff’s
`
`well-[pleaded] factual allegations and draw all reasonable
`
`inferences in the plaintiff’s favor.” Merlonghi, 620 F.3d at 54.
`
`Standing is a jurisdictional issue properly challenged under
`
`Rule 12(b)(1). See United States v. AVX Corp., 962 F.2d 108, 113
`
`(1st Cir. 1992).
`
`To satisfy Article III standing, a plaintiff bears the burden
`
`of establishing three elements: (1) that he has suffered an
`
`“injury-in-fact” that is “concrete and particularized” and “actual
`
`4
`
`
`
`Case 1:20-cv-10551-PBS Document 35 Filed 11/05/20 Page 5 of 12
`
`
`
`or imminent”; (2) that the injury is “‘fairly traceable’ to the
`
`actions of the defendant”; and (3) that the injury will likely be
`
`redressed by a favorable decision. Bennett v. Spear, 520 U.S. 154,
`
`167 (1997) (quoting Lujan v. Defenders of Wildlife, 504 U.S. 555,
`
`560-61 (1992)). Each element must be proved “with the manner and
`
`degree of evidence required at the successive stages of the
`
`litigation.” Id. at 167–68. The Supreme Court has held that a
`
`plaintiff threatened with future injury has standing to sue if the
`
`threatened injury is “certainly impending” or there is a
`
`“substantial risk that the harm will occur.” See Clapper v. Amnesty
`
`Int’l USA, 568 U.S. 398, 414, n. 5 (2013) (citation omitted).
`
`II. Risk of Future Harm
`
`The First Circuit has developed a helpful framework for
`
`considering whether an increased risk of future harm can constitute
`
`sufficient injury-in-fact to satisfy the standing requirement. See
`
`Kerin v. Titeflex Corp., 770 F.3d 978, 979–81 (1st Cir. 2014)
`
`(product liability ligation involving the risk of a product being
`
`vulnerable to failure after a lightning strike). It held that cases
`
`alleging increased risk of future harm, “potentially involve two
`
`injuries: (1) a possible future injury that may or may not happen
`
`(i.e. the harm threatened); and (2) a present injury that is the
`
`cost or inconvenience created by the increased risk of the first,
`
`future injury (e.g., the cost of mitigation).” Id. at 981-982
`
`(citation omitted). Urging Courts to act “cautiously,” it added
`
`5
`
`
`
`Case 1:20-cv-10551-PBS Document 35 Filed 11/05/20 Page 6 of 12
`
`
`
`that even if “one of the alleged injuries is present, satisfying
`
`imminence, the injury may still be speculative.” Id. at 982.
`
`Pre-Clapper, two First Circuit cases directly addressed
`
`whether risk of identity theft constitutes injury-in-fact. In the
`
`first case, Anderson v. Hannaford Bros. Co., 659 F.3d 151 (1st
`
`Cir. 2011), involving a theft of electronic data by sophisticated
`
`thieves, the First Circuit found injury-in-fact where more than
`
`1,800 fraudulent uses of customers’ stolen credit card information
`
`had already occurred, and it reasonably appeared that all customers
`
`who used credit or debit cards during the class period “were at
`
`risk of unauthorized charges.” Id. at 164. The following year in
`
`an action against a brokerage firm which failed to protect
`
`sensitive nonpublic personal information, the First Circuit held
`
`that the plaintiff had not demonstrated injury-in-fact because
`
`there was no allegation that the plaintiff’s “nonpublic personal
`
`information has actually been accessed by an unauthorized user.”
`
`Katz v. Pershing, LLC, 672 F.3d 64, 79 (1st Cir. 2012). The First
`
`Circuit further held that the plaintiff’s purchase of identity
`
`theft insurance and credit monitoring service to guard against the
`
`“possibility, remote at best, that her nonpublic personal
`
`information might someday be pilfered” was insufficient because “a
`
`purely theoretical possibility simply does not rise to the level
`
`of a reasonably impending threat.” Id. at 79-80.
`
`6
`
`
`
`Case 1:20-cv-10551-PBS Document 35 Filed 11/05/20 Page 7 of 12
`
`
`
`Circuit courts have taken different paths in analyzing the
`
`risk of future harm in data breach cases. Recently, the D.C.
`
`Circuit found a “substantial risk” of identity theft is plausibly
`
`alleged when hacked data included sensitive personal information
`
`such as social security numbers, birthdates, and credit card
`
`numbers, even when there was no subsequent criminal activity. See
`
`Attias v. Carefirst, Inc., 865 F.3d 620, 628 (D.C. Cir. 2017)
`
`(finding a substantial risk of harm existed “simply by virtue of
`
`the hack and the nature of the data that the plaintiffs allege was
`
`taken”); see also Krottner v. Starbucks Corp., 628 F.3d 1139, 1143
`
`(9th Cir. 2010) (finding standing where a stolen laptop contained
`
`employees’ unencrypted social security numbers and other personal
`
`information).
`
`Other courts have found injury-in-fact when the theft of
`
`personal data was followed by criminal activity. See Remijas v.
`
`Neiman Marcus Grp., LLC, 794 F.3d 688, 693–94 (7th Cir. 2015)
`
`(plaintiff alleged 9,200 fraudulent uses of stolen credit card
`
`information); Hutton v. Nat’l Bd. Of Examiners in Optometry, Inc.,
`
`892 F.3d 613, 622 (4th Cir. 2018) (plaintiffs alleged fraudulent
`
`use of stolen social security numbers to open new credit cards and
`
`apply for credit); cf. In re Zappos.com, Inc., 888 F.3d 1020, 1027
`
`(9th Cir. 2018) (finding standing where hackers stole sensitive
`
`personal information and some hacked customers in parallel
`
`litigation suffered financial harm); Lewert v. P.F. Chang’s China
`
`7
`
`
`
`Case 1:20-cv-10551-PBS Document 35 Filed 11/05/20 Page 8 of 12
`
`
`
`Bistro, Inc., 819 F.3d 963, 967 (7th Cir. 2016) (finding standing
`
`where plaintiff had fraudulent credit card charges made against
`
`his account even though no financial harm was suffered because the
`
`fraudulent charges were stopped by his bank).
`
`Three circuits have declined to find standing where there
`
`were no allegations of criminal activity involving the stolen
`
`information, even when the data involved deeply personal
`
`information like social security numbers. See In re SuperValu,
`
`Inc., 870 F.3d 763, 768-70 (8th Cir. 2017) (holding no injury-in-
`
`fact where stolen information included names, payment card
`
`numbers, expiration dates, card verification codes, and personal
`
`identification numbers); Beck v. McDonald, 848 F.3d 262, 275 (4th
`
`Cir. 2017) (holding that even where social security numbers and
`
`other personal information were hacked, “the mere theft of these
`
`items, without more, cannot confer Article III standing”); Reilly
`
`v. Ceridian Corp., 664 F.3d 38, 40, 44, (3d Cir. 2011) (holding
`
`that even where names, social security numbers, birth dates, and
`
`bank accounts may have been exposed to a hacker, there was no
`
`injury-in-fact because “no identifiable taking occurred; all that
`
`is known is that a firewall was penetrated”).
`
`Here, even under the caselaw most generous to finding
`
`standing, Hartigan has not alleged sufficient facts to support a
`
`substantial risk of future harm for three reasons. First, there
`
`8
`
`
`
`Case 1:20-cv-10551-PBS Document 35 Filed 11/05/20 Page 9 of 12
`
`
`
`are no allegations of any fraudulent use or even attempted use of
`
`the personal information to commit identify theft with respect to
`
`any Macy’s customer whose credit information was stolen. Second,
`
`the information stolen was not highly sensitive or immutable like
`
`social security numbers. Third, immediate cancellation of a credit
`
`card can effectively eliminate risk of credit card fraud in the
`
`future. To be sure, even if the credit card is canceled, there is
`
`still some risk of future harm involving identify theft (like use
`
`of the customer’s name, email, and home address), but it is not
`
`substantial and, at best, speculative.
`
`III. Actual Harm by Cost of Mitigation
`
`Alternatively, Hartigan has alleged actual harm because of
`
`the cost of mitigation. In his view, one year of credit monitoring
`
`is not satisfactory to protect against the risk of personal
`
`identity theft, and so he purchased a product called LifeLock to
`
`get better protection. The First Circuit has held that incurring
`
`credit monitoring costs as a mitigation measure can constitute
`
`injury-in-fact where plaintiffs’ credit card information has been
`
`misused after a data breach. Anderson, 659 F.3d at 165. However,
`
`“[w]here neither the plaintiff nor those similarly situated have
`
`experienced fraudulent charges resulting from a theft or loss of
`
`data, the purchase of credit monitoring services may be
`
`unreasonable and not recoverable.” Id. at 165 n. 10; see also Katz,
`
`9
`
`
`
`Case 1:20-cv-10551-PBS Document 35 Filed 11/05/20 Page 10 of 12
`
`
`
`672 F.3d at 79 (holding that cost of identity theft insurance and
`
`credit monitoring services did not constitute injury-in-fact where
`
`there was no evidence of a data breach because “a possibility,
`
`remote at best, that [plaintiffs’] nonpublic personal information
`
`might someday be pilfered . . . simply does not rise to the level
`
`of a reasonably impending threat”); Clapper, 568 U.S. at 416
`
`(holding that a plaintiff “cannot manufacture standing merely by
`
`inflicting harm on [himself] based on [his] fears of hypothetical
`
`future harm that is not certainly impending”). Other circuits have
`
`taken a similar approach. See Beck, 848 F.3d at 276 (holding no
`
`injury-in-fact based on monitoring costs “incurred in response to
`
`a speculative threat . . . of future identity theft”) (citation
`
`omitted); In re SuperValu, Inc., 870 F.3d at 771 (“Because
`
`plaintiffs have not alleged a substantial risk of future identity
`
`theft, the time they spent protecting themselves against this
`
`speculative threat cannot create an injury.” (citing Clapper, 568
`
`U.S. at 415)).
`
`Here, although a data breach occurred, Hartigan alleges no
`
`misuse of his or any class member’s data. Hartigan’s purchase of
`
`credit monitoring services thus was not “premised on a reasonably
`
`impending threat” and does not constitute injury-in-fact. See
`
`Katz, 672 F.3d at 79. While it is certainly a hassle and annoying
`
`to cancel a credit card and contact all accounts using that card
`
`10
`
`
`
`Case 1:20-cv-10551-PBS Document 35 Filed 11/05/20 Page 11 of 12
`
`
`
`for billing, there is no allegation of economic loss which flowed
`
`from this inconvenience.
`
`IV. Loss of the Benefit of the Bargain
`
`Finally, Hartigan argues that he suffered “loss of the benefit
`
`of the bargain” as a result of Macy’s breach of contract.
`
`Specifically, he says he did not receive what he paid $191.75 for.
`
`The breach of a contractual right can constitute an injury
`
`sufficient to create standing. Katz, 672 F.3d at 72. Hartigan
`
`alleges that Macy’s did not comply with its own rules or company
`
`policy to protect its customers’ personal information.
`
`Macy’s policy states that Macy’s “put in place various
`
`procedural, technical, and administrative measures to safeguard
`
`the information [Macy’s] collect[s] and use[s],” and cautioned
`
`that “no security safeguards or standards are guaranteed to provide
`
`100% security.” Dkt. 19 at 38–39. The Court assumes, without
`
`deciding, that the breach of a privacy policy at a company can
`
`constitute a breach of contract in certain circumstances. See e.g.,
`
`Carlsen v. GameStop, Inc., 833 F.3d 903, 909 (8th Cir. 2016)
`
`(finding injury-in-fact based on breach of contract where
`
`plaintiff alleged that defendant deliberately shared plaintiff’s
`
`information with Facebook, in violation of the privacy policy in
`
`its contract).
`
`11
`
`
`
`Case 1:20-cv-10551-PBS Document 35 Filed 11/05/20 Page 12 of 12
`
`
`
`Even if Hartigan thus has standing under a “loss of the
`
`benefit of the bargain” theory, however, this argument cannot
`
`survive Macy’s motion to dismiss for failure to state a claim. See
`
`Fed. R. Civ. P. 12(b)(6). Hartigan fails to allege specific facts
`
`that plausibly support his claim that Macy’s breached its privacy
`
`policy. See Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (“To
`
`survive a [12(b)(6)] motion to dismiss, a complaint must contain
`
`sufficient factual matter, accepted as true, to ‘state a claim to
`
`relief that is plausible on its face.’” (quoting Bell Atl. Corp.
`
`v. Twombly, 550 U.S. 544, 570 (2007)). Because Hartigan’s
`
`conclusory assertion that Macy’s did not comply with its privacy
`
`policy cannot meet Twombly’s plausibility standard, the Court
`
`grants Macy’s motion to dismiss this claim on 12(b)(6) grounds.
`
`See Twombly, 550 U.S. at 570.
`
`ORDER
`
`For the reasons stated above, Macy’s motion to dismiss (Dkt.
`
`20) is ALLOWED with prejudice.
`
`
`
`SO ORDERED.
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`/s/ PATTI B. SARIS
`Hon. Patti B. Saris
`United States District Judge
`
`
`
`
`
`12
`
`
Accessing this document will incur an additional charge of $.
After purchase, you can access this document again without charge.
Accept $ Charge
Still Working On It
This document is taking longer than usual to download. This can happen if we need to contact the court directly to obtain the document and their servers are running slowly.
Give it another minute or two to complete, and then try the refresh button.
A few More Minutes ... Still Working
It can take up to 5 minutes for us to download a document if the court servers are running slowly.
Thank you for your continued patience.
This document could not be displayed.
We could not find this document within its docket. Please go back to the docket page and check the link. If that does not work, go back to the docket and refresh it to pull the newest information.
Your account does not support viewing this document.
You need a Paid Account to view this document. Click here to change your account type.
Your account does not support viewing this document.
Set your membership
status to view this document.
With a Docket Alarm membership, you'll
get a whole lot more, including:
- Up-to-date information for this case.
- Email alerts whenever there is an update.
- Full text search for other cases.
- Get email alerts whenever a new case matches your search.
One Moment Please
The filing “” is large (MB) and is being downloaded.
Please refresh this page in a few minutes to see if the filing has been downloaded. The filing will also be emailed to you when the download completes.
Your document is on its way!
If you do not receive the document in five minutes, contact support at support@docketalarm.com.
Sealed Document
We are unable to display this document, it may be under a court ordered seal.
If you have proper credentials to access the file, you may proceed directly to the court's system using your government issued username and password.
Access Government Site
