Macy’s Escapes Liability in Data Breach Suit

A Massachusetts federal court has dismissed a complaint against Macy’s, Inc. in a case concerning consumer data stolen in a 2019 cyberattack. The filing brought claims against the well-known department store chain for unreasonable interference with privacy and unfair and deceptive business practices, along with two other state law claims. In March, the defendant removed the plaintiff’s November 2019 complaint to federal court.

The court’s order explains that the plaintiff, Robert Hartigan, filed a class action lawsuit after he made an online purchase through Macy’s website. Hackers who installed malware on the site subsequently stole his information.

A month later, in November 2019, Macy’s sent Hartigan a letter informing him that hackers had stolen his personal information including his name, address, phone number, e-mail, and credit card details. Hartigan alleged that he suffered “emotional distress, a breach of privacy, public disclosure of private facts, and loss of time.” To reduce the risk of identity theft, Hartigan purchased personal information monitoring services.

According to the court, Macy’s privacy policy states that it has measures to ensure against information theft, but also warns that safeguards do not provide a 100% security guarantee. The order also notes that Macy’s experienced a similar information security breach in May and June 2018.

Macy’s moved to dismiss the first amended complaint for lack of standing and failure to state a claim in May. In its order, the court wrote that “[t]he primary issue is whether Hartigan has pled sufficient injury-in-fact to establish standing.”

After a review of case law, the court held that the plaintiff failed to meet the pleading standard. It reasoned that first, “there are no allegations of any fraudulent use or even attempted use of the personal information to commit identify [sic] theft with respect to any Macy’s customer whose credit information was stolen.” Second, the court ruled, “the information stolen was not highly sensitive or immutable like social security numbers.”

Finally, the court explained that an individual could easily cancel their credit card to eliminate the risk of fraud, even though it acknowledged that “there is still some risk of future harm involving identify [sic] theft (like use of the customer’s name, email, and home address), but it is not substantial and, at best, speculative.” The court concluded that the claim fell short of the injury-in-fact standard, writing that “[w]hile it is certainly a hassle and annoying to cancel a credit card and contact all accounts using that card for billing, there is no allegation of economic loss which flowed from this inconvenience.”

Under the plaintiff’s alternative “loss of the benefit of the bargain” theory, the court similarly held that even if Hartigan had standing, his argument failed because the facts plead were insufficient to support his claim that Macy’s breached its aforementioned privacy policy. Accordingly, the court dismissed the complaint with prejudice.

The plaintiff is represented by Forrest Lamothe and Macy’s by Dechert and Goodwin Procter.