In the fast-moving and expanding world of data breach litigation, a recent decision from a federal court in Illinois suggests that, in civil lawsuits against the company that incurred the breach, financial institutions must satisfy a higher pleading standard to survive a motion to dismiss than do the defendant’s customers.

In Community Bank of Trenton, et al. v. Schnucks Markets Inc., Case No. 15-cv-01125-MJR, 2016 (S.D. Ill. Sept. 28, 2016), a judge for the United States District Court for the Southern District of Illinois dismissed data breach-related claims brought by numerous banks against a grocer (Schnucks) that had sustained a data breach, citing both the complex nature of the credit and debit payment process and the sophistication of the business relationship between the banks and Schnucks as the main reasons the banks’ claims could not proceed.

This decision is significant because many legal theories have been tested in data breach litigation against major retailers (e.g., Target, Jimmy Johns, Barnes & Noble, Home Depot and Neiman Marcus), but typically the claims are brought by the merchant’s customers. In the Schnucks case, however, the claims were brought by the financial institutions responsible for issuing debit and credit cards used by customers.

The Schnucks case stands in contrast to such cases as In re Target Corp. Customer Data Security Breach Litigation, 64 F. Supp. 3d 1304 (D. Minn. 2014), in which a Minnesota federal court, applying the same legal standard to claims brought by customers and financial institutions, allowed financial institutions to proceed past the motion to dismiss phase on some of their claims against Target. Target ultimately settled the financial institutions’ claims for $67 million in 2015.

Background

Between December 2012 and March 2013, Schnucks, headquartered in St. Louis and the owner and operator of approximately 100 retail supermarkets, experienced a data breach that made payment card information transmitted through its computer system vulnerable to attack by cyber criminals. The data breach may have affected as many as 2.4 million cardholders who shopped at Schnucks during the time frame of the breach.

In November 2015, four banks that had issued payment cards to customers compromised by the breach filed a proposed class action lawsuit against Schnucks. The banks sought damages under multiple theories of relief, including the Racketeer Influenced and Corrupt Organizations Act, breach of fiduciary duty, negligence, breach of contract, and violations of the Illinois Consumer Fraud and Deceptive Business Practices Act.

According to the banks, had Schnucks followed industry standards, the breach would have not occurred. Specifically, the banks alleged that Schnucks (1) knew that its security procedures were outdated and ineffective; (2) knew it was out of compliance with industry standards; (3) failed to file routine quarterly data compliance reports; (4) knowingly and recklessly failed to implement or maintain adequate data procedures; (5) permitted a delay between the March 14, 2013, discovery of the breach to March 28, 2013, when the breach was isolated or March 30, 2013, when the breach was neutralized; and (6) failed to implement preventative measures, such as an enterprise risk management system, antivirus and firewall software, and layered security.[1]

Consequently, the banks averred, Schnucks was noncompliant with Visa operating regulations, MasterCard rules, Payment Card Industry Data Security Standards, and Section 5 of the Federal Trade Commission Act.[2]

The Court’s Holding

The court dismissed all of the banks’ claims, holding that the pleadings and the alleged harms were too general and that "mere allegations of trust between sophisticated business parties are insufficient to create a fiduciary relationship between the parties."[3] The court observed that in data breach cases brought by customers, the customers can allege plausible claims based on concrete harm suffered, such as fraudulent charges on their accounts, late fees incurred as the result of fraudulent activity, and costs incurred as a result of acquiring an identity theft monitoring service. Additionally, the court reasoned that customers’ data breach claims appeal to the common life experience of walking into a merchant to buy a sandwich or a book and the expectation that their data will be kept safe.[4]

In contrast, the banks’ allegations that they were deceived by Schnucks were ambiguous, conclusory and too general. The banks alleged the same types of harms that customers typically press in their data breach claims: that they incurred, and will continue to incur, costs to (1) cancel and reissue cards, (2) close and reopen accounts, (3) notify customers, and (4) investigate and monitor for fraud, emphasizing the argument that Schnucks made fraudulent representations or omissions to the banks regarding its data security practices, and the banks relied on such misinformation in releasing customer funds to Schnucks. The court, however, held that the generality of these allegations made it too difficult to assess the validity of the claims. Two of the banks’ claims were dismissed with prejudice. The banks will have the opportunity to replead the other claims.

Analysis

Each of the court’s reasons for dismissing the banks’ claims is closely tied to an observation made by the banks in one of their briefs: Unlike the relationship between Schnucks and its customers, the banks and Schnucks are part of a "complex association" of banks, processors and merchants that come together to enable consumers to use payment cards.[5] It is this complex association, the court reasoned, that put the Schnucks and the banks at too great a distance for the banks to plead valid claims.

For example, in dismissing the banks’ RICO claims, the court observed that there were no direct — or even indirect — statements made by Schnucks that passed to the banks when a transaction was processed.

In dismissing the banks’ breach of fiduciary duty claims, the court noted that the banks and Schnucks "are both ‘sophisticated’ parties who participated in a mutually beneficial business arrangement" allowing individuals to use electronic payment cards to purchase their groceries.[6] According to the court, "[t]his sort of relationship is commonplace in the modern world of business and banking."[7] In dismissing the bank’s negligent misrepresentation claims, the court found that the "loose assertion" that Schnucks failed to comply with certain security protocols was insufficient to suggest that Schnucks made a misrepresentation or provided patently false information to the banks.[8] In dismissing the banks’ breach of implied contract claims, the court held that the relationship between Schnucks and its customers is different than the relationship between the banks and Schnucks. Specifically, the court observed it is easier to understand how a contract might be implied between a cardholder and a merchant where the cardholder provides payment and walks away with tangible goods such as groceries, and in exchange the merchant receives electronic payment, thus giving them value for the goods.[9] According to the court, this elementary transaction more clearly contains the basic principles of a contract than does the relationship between banks and merchants such as Schnucks.

Each of these reasons is tied to the reality that, unlike customers, banks issuing payment cards are often several steps removed from the merchant. In Schnucks, the banks were in contracts with Visa and MasterCard. Schnucks was in a contract with CitiCorp. Through these separate contracts, all the parties agreed to be bound by Visa’s and MasterCard’s rules, and, according to Schnucks, these rules expressly allocate the participants’ rights and obligations in the event of cyberattack. It is this complex web of interrelated contracts which made it difficult for the court to assess how Schnucks could have deceived or defrauded the banks when the grocer and the bank are not communicating directly.

The Schnucks decision is noteworthy because it renders much more difficult the chances for financial institutions to survive a motion to dismiss in a data breach suit against a merchant. The banks in Schnucks pleaded harms that are essentially identical to those pleaded by merchant customers in similar cases, i.e., costs associated with fraudulent charges and monitoring for actual or potential fraud. While some courts have allowed customers to survive motions to dismiss based on these legal theories, the banks in Schnucks likely will not.

While the court permitted the banks to amend their complaint by Oct. 19, 2016, the banks will be challenged to marshal the type of evidence that the court found lacking. The likely consequence of the court’s ruling, if followed by other federal courts, is that financial institutions will only be able to maintain claims against a merchant that has suffered a data breach when the merchant exhibited some sort of egregious disregard for its data security risk that might signal some sort of intent to cheat customers and payment card issuers out of proper data security, and the plaintiffs/financial institutions can make a showing at the pleading stage that the merchant engaged in such egregious conduct.

Short of such conduct, however, payment card issuers and other financial institutions likely will not be able to recover damages from the merchants that suffered the data breach.

By Barry Goheen and Andrew K. Crawford, King & Spalding LLP Barry Goheen is a partner at King & Spalding in Atlanta. Andrew Crawford is an associate at King & Spalding in Washington, D.C. The opinions expressed are those of the author(s) and do not necessarily reflect the views of the firm, its clients, or Portfolio Media Inc., or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.

[1] Community Bank of Trenton, et al. v. Schnucks Markets Inc., Case No. 15-cv-01125-MJR, 2016 WL 5409014, at *4 (S.D. Ill. Sept. 28, 2016). [2] Class Action Complaint and Jury Demand at 2-3, Community Bank of Trenton, et al. v. Schnucks Markets Inc., Case No. 15-cv-01125-MJR (S.D. Ill. Oct. 9, 2015). [3] Community Bank of Trenton, et al. v. Schnucks Markets Inc., Case No. 15-cv-01125-MJR, 2016 WL 5409014, at *9 (S.D. Ill. Sept. 28, 2016). [4] Id. at *2. [5] Plaintiffs’ Response to Defendant’s Motion to Dismiss at 13, Community Bank of Trenton, et al. v. Schnucks Markets Inc., Case No. 15-cv-01125-MJR (S.D. Ill. Feb. 1, 2016). [6] Community Bank of Trenton, et al. v. Schnucks Markets Inc., Case No. 15-cv-01125-MJR, 2016 WL 5409014, at *10 (S.D. Ill. Sept. 28, 2016). [7] Id. [8] Id. at *11. [9] Id. at *13.

First published in Law360. All Content © 2003-2016, Portfolio Media, Inc