As we noted earlier this year, Saks Fifth Avenue LLC, Saks Incorporated, and Lord & Taylor previously disclosed, on April 1, 2018, that some of their customers’ personal information may have been compromised in a data breach. Those companies all share the Canadian business group Hudson’s Bay Company (collectively with Lord & Taylor LLC, Saks Fifth Avenue LLC, and Saks Incorporated, “Defendants”) as their corporate parent. As a result of the breach, it is believed that more than five million stolen credit and debit cards were put up for sale on the dark web.
Recently, on July 26, 2018, the U.S. Judicial Panel on Multidistrict Litigation (JPML) heard oral argument from the parties with regard to potentially centralizing roughly nine putative class action suits currently pending in a number of districts—all arising out of the April breach disclosure. There are currently cases pending in the Southern District of New York, Central District of California, Middle District of Tennessee, the District of Delaware. Notably, Lord and Taylor previously moved to transfer the case pending in the District of Delaware to the Southern District of New York—which is ironically the home district of the underlying plaintiff in that action.
The Defendants, along with several groups of underlying plaintiffs, maintain that the Southern District of New York is most aptly suited to serve as home to the MDL. Indeed, more than half of the underlying actions are pending in the S.D.N.Y. However, some plaintiffs also contended that the Middle District of Tennessee would be a similarly appropriate district, and one of the underlying plaintiffs argued to the JPML that centralization of the case would not be appropriate.
The Defendants opposed centralization in the Middle District of Tennessee because: 1) in their view, only a de minimis number of customers who could have been affected by the breach were Tennessee residents; and 2) that district was recently described as being in a “crisis mode,” given several judicial vacancies.
The geographic diversity of the actions pending against the Defendants could, in and of itself, present a unique challenge, especially when one considers the split of authority regarding Article III standing for alleged victims of data breaches. Compare In re SuperValu, Inc., Customer Data Security Breach Litigation, 870 F.3d 763 (8th Cir. 2017) (allegations of theft of credit card information is insufficient to support standing) with Ree v. Zappos.com, Inc. (In re Zappos.com, Inc.), 888 F.3d 1020, 1027 (9th Cir. 2018) (finding standing where “the information taken in the data breach  gave hackers the means to commit fraud or identity theft”). However, given both the size of the Defendants’ business operations and the size of the underlying breach, it is entirely possible that—unless the JPML orders otherwise—the Defendants could be forced to litigate essentially identical claims in a myriad of forums. It will be interesting to see whether the JPML favors centralization of these actions or allows them to proceed on separate tracks across the country. Either way, the procedural posture of these matters can serve as a cautionary tale with regard to the potential costs of litigation relating to a large data breach.