Global Payments, which processes credit card transactions, announced on March 30, 2012 that an unauthorized person gained access to a portion of its processing system. Global Payments later disclosed that Track 2 data (card number, expiration date, verification code but not cardholder name or address) of 1.5 million cardholders were taken. Three individuals brought a putative class action alleging that fraudulent charges were made to the credit card they used at merchants who used Global Payments to process their transactions. The plaintiffs asserted claims of: (1) negligence; (2) violations of the Stored Communications Act (SCA); (3) violations of the Fair Credit Reporting Act (FCRA); (3) violations of the Georgia Uniform Deceptive Trade Practices Act; and (4) implied contract and third party beneficiary breach of contract claims. Global Payments moved to dismiss all claims on the grounds that the plaintiffs failed to allege sufficient facts to establish Article III standing or all of the necessary elements of their seven claims. United States Magistrate Judge Janet King issued a recommended decision on February 5, 2013.
The magistrate addressed the Article III argument first. The plaintiffs only alleged that they discovered fraudulent charges on her account. They did not allege that they actually paid for the fraudulent charges. They also did not allege that their information was used to commit identity theft, which the court used to distinguish the Eleventh Circuit’s decision in AvMed. Accordingly, the magistrate found that the plaintiffs failed to adequately plead an injury in fact. In so doing, the magistrate stated that the plaintiffs’ personal information does not have an inherent monetary value. The magistrate also found that allegations of increased risk of future identity theft were insufficient because they were entirely speculative. However, the magistrate recommended that the Article III argument as moot based on her recommendation that all claims in the plaintiffs’ first amended complaint be dismissed with prejudice for failing to state a claim under Rule 12(b)(6).
The court easily identified why the SCA and FCRA claims were fatally defective—Global Payments does not provide electronic or remote computing services to the public, it did not knowingly divulge plaintiffs’ information, and it does not provide consumer reports or act as a consumer reporting agency. The Georgia Unfair and Deceptive Trade Practices Act claims were dismissed because plaintiffs did not allege any facts showing that they would be harmed without injunctive relief (injunctive relief is the exclusive remedy of this claim), in part because they could not identify any representations from Global Payments that they relied on and because their allegations of increased risk of future harm were speculative. The negligence claim, which was premised on allegations that Global Payments was not PCI DSS compliant at the time it was compromised, was dismissed based on the economic loss doctrine and because plaintiffs could not identify any duty owed by Global Payments because the parties had no direct relationship. The contract claims were dismissed based on precedent from prior breach cases that consumers are not intended beneficiaries of contracts between merchants and the entities that facilitate their card processing and because plaintiffs did not allege that they were aware of or relied on any representations from Global Payments before providing their credit card to a merchant that used Global Payments.
If the district court judge adopts the magistrate’s recommended decision, this will serve as yet another example of why putative class actions arising out of payment card industry breaches are an uphill climb for plaintiffs. For example, similar claims were brought against another payment processor (Heartland) after it disclosed a compromise that affected over 100 million cardholders. Although Heartland settled the consumer claims by establishing a fund of $1 million, only eleven cardholders submitted valid claims. Indeed, the primary sources of liability and expense to breached entities comes from notification costs, attorney and forensic investigation fees, network security remediation costs, and the fines and assessments from the credit card networks. Of the $93.9 million in expenses related to the compromise recorded by Global Payments through November 30, 2012 (as disclosed in its January 8, 2013 10-Q), $35.9 million was their estimate of total fraud losses, fines and other charges that will be imposed by the card networks.