Judge dismisses parts of Hy-Vee data breach lawsuit, allows others to proceed

A judge in United States District Court in Illinois has ruled on motions to dismiss a class-action lawsuit against a major Iowa-based supermarket chain, handing victories to both sides, according to new court documents.

The ruling from the Central District of Illinois is related to a class-action lawsuit brought against Hy-Vee, Inc., by plaintiffs in several states, including Iowa. The action was brought after Hy-Vee

involving payment terminals at its gas pumps, drive-through coffee shops, and store-operated restaurants. The plaintiffs claim that Hy-Vee was negligent, failed to notify customers in a timely fashion, breached contracts, and engaged in fraudulent or deceptive business practices.

The judge dismissed some claims while allowing others to proceed in the ruling filed on Monday, April 20. The rulings are based on state laws in Kansas, Illinois, Iowa, Missouri, Minnesota, and Wisconsin, depending on where individual plaintiffs in the complaint live.

The ruling said that the plaintiffs had conceded their claims of negligence in Iowa, so the judge dismissed those claims. Claims of negligence in Kansas, Illinois, and Missouri were also dismissed, while those in Minnesota and Wisconsin were allowed to proceed.

The court allowed a breach of implied contract claim to proceed, saying the plaintiffs had plausibly alleged the existence of an implied contract requiring that Hy-Vee take reasonable measures to protect customers' data. They also plausibly alleged that they would not have conducted business with the company if they had known Hy-Vee would not protect their data, citing precedent that a customer does not expect a merchant to allow unauthorized third parties to access their information.

On a breach of an explicit contract, the court agreed with Hy-Vee that the plaintiffs' allegations are too vague, but allowed them to refile more specific allegations.

The court rejected an allegation that Hy-Vee was unjustly enriched by their purchases. Plaintiffs had argued that part of the money they paid for goods with should have gone to data security, while Hy-Vee argued that they received the goods they had paid for with no evidence of an understanding that some of the purchase price was for security measures. The judge cited precedent saying the allegation would only apply if the customers received defective products, which they did not claim.

On the allegation that Hy-Vee did not inform customers in a timely fashion of the data breach, pursuant to Iowa law, the court rejected Hy-Vee's claim for dismissal. The company argued that the statute did not allow for private citizens to bring lawsuits under it, instead requiring action by the state's Attorney General. The judge cited precedent that said the statute is ambiguous on that matter and it should not be dismissed at this stage in the proceedings.

The court also rejected Hy-Vee's attempt to dismiss the plaintiffs' claims they had violated the Iowa Consumer Fraud Act. The judge said that plaintiffs only had to allege that they suffered an economic injury at this stage in the proceedings, allowing the claim to go forward.

Hy-Vee had filed to dismiss claims of causation between their actions and the plaintiffs' alleged harm, but the court rejected that dismissal. The judge said that plaintiffs' had alleged enough facts to say that, if not for Hy-Vee's conduct, the harm would not have occurred. The judge also said the question of causation is usually left up to a jury, meaning it should not be dismissed at this time.

Lawyers for the plaintiffs said that their lawsuit now continues to the discovery stage.