Michaels Data Breach Class Action Lawsuits Should Be Dismissed, Company Tells Judge

Top Class Actions’s website and social media posts use affiliate links. If you make a purchase using such links, we may receive a commission, but it will not result in any additional charges to you. Please review our Affiliate Link Disclosure for more information.

After a series of announcements of major data breaches suffered by consumers in late 2013 and January 2014, and a raft of apologies by the companies whose data fell victim to hackers or thieves, those same companies are now asserting in court filings that customers were not harmed.

One of those companies, Michaels Stores Inc., asked an Illinois federal judge to dismiss a class action lawsuit against the craft supply store chain, insisting plaintiffs failed to demonstrate any fraudulent charges or other harm related to the breach.

Just two days after Michaels announced the data breach on Jan. 25, 2014, multiple consumer began filing class action lawsuits against the store. The Michaels data breach class action lawsuits have now been consolidated.

Michaels said in a May 28 motion to dismiss the class action lawsuit that none of the plaintiffs had suffered from, or paid, fraudulent charges on their cards.

“Michaels has confirmed that it suffered a data security incident, but a data security incident does not, nor should it ever, result automatically in cognizable injury to Plaintiffs,” wrote the company in its motion for dismissal, calling the Michaels data breach class action lawsuits a “misunderstanding of the fundamental rule of law.”

Only one of the plaintiffs, said Michaels, had made any allegation that her credit card information could have been confirmed to have been stolen, and even she had not alleged any fraudulent charges or financial losses of any sort as a result of the data theft, “cryptically alleging instead that her card was merely ‘presented’ for a purchase,” scoffed the company in its filing.

“While plaintiffs devote several pages to generalized stories regarding identity theft, they do not allege any facts suggesting that any plaintiff has been or will be the victim of identity theft. Instead, they rely on vague assertions of speculative future injury, which have been consistently rejected as insufficient to create standing or state a claim for which relief can be granted,” Michaels said.

The Michaels data breaches were the result of a criminal attack on the store’s computer systems, which left vulnerable the payment card account numbers used at a variety of Michaels stores between May 8, 2013 and January 27, 2014. Michaels also claimed that “at least three” of the plaintiffs had not even alleged they used their cards at Michaels stores during the data breach period.

Michaels is basing its motion, in part, on its belief that only card numbers and expiration dates were exposed, and no other personal data, which it asserts means that no actual identity theft occurred.

Michaels writes that it sent an update letter to customers on April 17, telling customers, “[f]irst, the only data at risk was payment card number and expiration date; no other personal data, such as name, address, or PIN, was at risk. Second, the data security incident affected only a limited number of the point-of-sale systems at a limited number of stores. Third, credit monitoring services are offered to affected Michaels customers for twelve months at no cost.”

Michaels says that, because its customers had no “government identifier,” such as Social Security number or drivers license number, stolen, no identity theft occurred. “The theft of payment card numbers alone is insufficient as a matter of law to plausibly allege identity theft,” the company wrote in its motion to dismiss the class action lawsuits against it.

The plaintiffs are represented by Joseph J. Siprut of Siprut PC, by Mark T. Lavery of Hyslip & Taylor and by Katrina Carroll and Kyle Alan Shamberg of Lite DePalma Greenberg LLC.

The Michaels Data Breach Class Action Lawsuits are  Christina Moyer, et. al. v. Michaels Stores Inc., Case Nos. 14-CV-00561; 14-CV-00648; 14-CV-1229 and 14-CV-1827, in the U.S. District Court for the Northern District of Illinois.