SuperValu supermarket.

A federal appeals court has affirmed dismissal of a data breach class action against SuperValu Inc. after finding that the plaintiff did not suffer harm even though he incurred a fraudulent charge to his credit card.

In a decision Friday, the U.S. Court of Appeals for the Eight Circuit found that David Holmes, who used his credit card at a store in Belleville, Illinois, had not alleged harm sufficient to sue — even after the appeals court found he had standing in an earlier decision. Standing is a key hurdle for consumers suing over an increasing number of data breaches, often tied to whether they suffered injuries, although some courts have begun to consider identity theft and other harms in allowing cases to go forward at the dismissal stage.

The Eight Circuit was not one of them.

“Holmes's alleged injuries—the expenditure of time monitoring his account, the single fraudulent charge to his credit card, and the effort expended replacing his card—do not constitute actual damage,” wrote Circuit Judge Jane Kelly. “The time Holmes spent protecting himself against the threat of future identity theft does not amount to an out-of-pocket loss.”

An attorney for Holmes, Ben Barnow, of Chicago's Barnow and Associates, did not respond to a request for comment. SuperValu's lawyer Doug Meal, head of the cyber and privacy litigation and enforcement practice at Orrick, Herrington & Sutcliffe, said in an emailed statement:  “Supervalu is gratified by the court's decision, especially its rejection of the claim that Supervalu somehow violated its duty to, or its bargain with, its customers when Supervalu was victimized by criminal cyberattacks five years ago. We appreciate the court's careful attention to the arguments that were presented.”

Meal, who previously was co-lead of Ropes & Gray's privacy and data security practice, joined Orrick earlier this year to open its Boston office.

SuperValu suffered two cyberattacks in 2014 that compromised customer credit and debit card information. Hackers did not steal personal identification information like Social Security numbers.

The U.S. Judicial Panel on Multidistrict Litigation coordinated class actions over the breach before U.S. District Judge Ann Montgomery in Minnesota, who dismissed a consolidated case in 2016 on standing grounds.

In a 2017 decision affirming dismissal, the Eighth Circuit found no standing for the 15 lead plaintiffs who alleged they suffered the risk of identity theft. But consumers who suffered fraudulent charges to their credit or debit cards might have standing, the panel wrote. In the case against SuperValu, Holmes was the only one who made such a claim.

On remand, Montgomery dismissed Holmes.

The Eighth Circuit affirmed, finding that Holmes could not sue under Illinois consumer fraud statutes, which require a plaintiff to have suffered “actual damage.” In particular, Holmes failed to explain whether he paid the fraudulent charge out of his own pocket or his bank reimbursed him—a key distinction that doomed his case.

“Holmes does not directly allege that the fraudulent charge to his credit card resulted in any pecuniary loss,” Kelly wrote. “Instead, he asserts that we must presume that he was required to pay the fraudulent charge even though he has not directly alleged that fact.”

The panel behind Friday's decision included Circuit Judge James Loken, who wrote a 2017 decision in Kuhns v. Scottrade Inc. dismissing a data breach case for “bare assertions.”

On a separate negligence claim, the panel relied on a 2018 decision by the U.S. Court of Appeals for the Seventh Circuit in Community Bank of Trenton v. Schnuck Markets Inc. that found retailers had no duty, under Illinois law, to protect the financial information of their customers.

The Eighth Circuit also dismissed an unjust enrichment claim, concluding that Holmes did not pay a premium to have data security.

“Holmes paid for groceries, the price of which would have been the same whether he paid with cash or a credit card,” Kelly wrote.