On May 1, 2017, an Illinois federal district judge dismissed data breach-related claims brought by financial institutions against a grocer. The court distinguished the case from similar lawsuits aimed at Home Depot and Target and expressed skepticism about whether the relationship between the financial institutions and the grocer created the kind of duty recognized under negligence and contract law. The court’s dismissal is the second time it has rejected the financial institutions’ claims. In September 2016, the court cited the generality of the claims and the complicated business relationship between the financial institutions and the grocer as the main reasons the claims could not proceed, but dismissed most of the claims without prejudice, allowing the financial institutions to replead. The previous dismissal was discussed in our October 3, 2016 DPS Report.
Between December 2012 and March 2013, Schnucks, a grocery chain headquartered in St. Louis, Missouri, experienced a data breach that made payment card information transmitted through its computer system vulnerable to attack by cyber criminals. The data breach may have affected as many as 2.4 million cardholders who shopped at 79 Schnucks stores during the timeframe of the breach. According to the amended complaint, stolen data was used in fraudulent transactions across the globe. The financial institutions alleged that the fraudulent transactions are evidence that Schnucks did not properly encrypt customer payment information and thus fell short of industry standards. In their original complaint, the banks pursued multiple theories of relief, including RICO conspiracy claims, breach of fiduciary duty, negligence, breach of contract, and violation of the Illinois Consumer Fraud and Deceptive Business Practices Act.
In their amended complaint, the financial institutions removed the RICO and fraud claims and attempted to address the shortcomings identified in the court’s original dismissal by including additional facts. Despite these changes, the court was not persuaded. In addressing the negligence claims, the court first distinguished the alleged conduct from similar claims made against Home Depot and Target. In Home Depot, the court noted, the company’s alleged conduct in the lead-up to the breach was egregious and intentional. In Target, the court observed, the duty recognized was a data security provision unique to Minnesota law with no analogue in Missouri law. Even apart from this lack of support from precedent, the court concluded that it was not persuaded that “public policy concerns, the existence of industry standards, or implied contractual relationships should give rise to a duty,” particularly at the time of the breach, which the court said occurred prior to general awareness of the “data breach boom.” The court dismissed the contract claims because the financial institutions were unable to point to any portion of the contracts that expressly or impliedly contemplates the type of relationship and duty that the banks alleged. Finally, the court concluded that the financial institutions were not third-party beneficiaries to contracts between Schnucks and other participants in the card network because no portion of the contracts contemplates the financial institutions as a beneficiary.
At the core of the court’s opinion is the same rationale it applied in its original dismissal: the complex web of interrelated contracts in the payment card industry made it difficult to assess what, if any, duty existed between Schnucks and the financial institutions. Consequently, unless financial institutions are able to show that the merchant exhibited some sort of egregious disregard for data security, payment card issuers and other financial institutions likely will not be able to recover damages from the merchants that suffered the data breach.