Class Action Lawsuit Filed Against Tempur Sealy and Aptos for Payment Card Data Breach


By: Agne Krutules

A putative consumer class action lawsuit arising from a large data breach was recently filed in the U.S. District Court for the Northern District of Georgia against Tempur Sealy International, Inc. and Aptos, Inc.

Tempur Sealy is a mattress, bedding, and pillow retailer based in Lexington, Kentucky. Aptos is based in Atlanta, Georgia, and formerly hosted and maintained Tempur Sealy’s website and online payment system. The complaint alleges that Aptos discovered a data breach involving the theft of customers’ personal information in November 2016. However, after removing the malicious software that caused the data breach in December 2016, the complaint alleges that Aptos waited two months to disclose the breach to its clients, which included Tempur Sealy and 48 other online retailers. In turn, the complaint alleges that Tempur Sealy, after learning about the breach, also waited nearly two months to notify its customers about the data breaches. 

The named plaintiff alleges that the breach compromised her and other Tempur Sealy customers’ name, address, telephone number, payment card account number, and card expiration date. The complaint asserts violations of 49 jurisdictions’ consumer protection laws, 39 jurisdictions’ breach notification laws, as well as causes of action for negligence, breach of implied contract, and unjust enrichment. The complaint alleges that the breach was caused by Aptos’s and Tempur Sealy’s knowing violation of their obligations to abide by best practices and industry security standards in protecting personal information, and requests injunctive relief and various forms of monetary damages.

Neither Aptos nor Tempur Sealy have filed an answer or other response to the complaint, but a motion to dismiss is likely. As we have written about before, although some courts have found standing to exist in payment card data breach cases like this, the majority of courts still find that, absent an actual, tangible harm to the plaintiffs, the mere loss of their credit card information does not result in an injury that gives plaintiffs standing to file a lawsuit because their cards are typically replaced at no cost to them and they are not responsible for any fraudulent charges that may have been made.

For example, the U.S. District Court for the Northern District of Illinois recently dismissed with prejudice a putative consumer class action filed against Barnes & Nobles for the third time. The lawsuit was first filed after Barnes & Noble’s September 2012 announcement that “skimmers” had tampered with PIN pad terminals in 63 of its stores and exposed payment card information. Although the court eventually found that the plaintiffs’ amended complaint sufficiently alleged Article III standing under the U.S. Constitution, it concluded that none of the alleged damages, including injuries stemming from emotional distress, loss of PII value, expended time spent with bank and police employees, used cell phone minutes, inability to use payment cards during the replacement period and the cost of credit monitoring services were cognizable injuries.

For any questions, please contact Agne Krutules at