I’ve previously blogged about a new breed of data breach class actions filed by financial institutions against retailers (as opposed to customers suing retailers). In these cases, financial institutions claim that retailers should be liable for their costs associated with fraudulent charges, reissuance of new cards, notifying their customers and investigating alleged fraud from data breaches. Probably the most well-known lawsuit was against Target, which the federal court allowed to proceed past the motion to dismiss and Target settled for approximately $40 million.
Financial institutions were recently dealt a setback. A federal court dismissed the lawsuit against Schnucks arising from its 2013 data breach, which affected as many as 2.4 million cardholders. The financial institutions (issuing banks in this case) alleged that Schnucks stored credit card numbers in an unencrypted format on its computers and that, if it had followed industry security standards (i.e., the PCI DSS), the data breach would not have happened. The court dismissed all 13 claims; the most common claims – negligence and contract claims – were bounced because the court found that Schnucks owed no duty to the banks and that there was no contractual privity between the banks and Schnucks.
In finding no fiduciary duty, the court noted that the banks and Schnucks are both sophisticated parties who participated in mutually beneficial business arrangements that allowed individuals to use credit cards to purchase their groceries – far from the dominant/subservient hierarchical relationship required to establish fiduciary duties. The court dismissed the negligence claim, refusing to recognize a new common law duty between two sophisticated parties to protect personal information. This will likely emerge as the strongest challenge by retailers against the banks in data breach litigation.
The court dismissed the contract claims, finding there was no contract between the banks and Schnucks regarding the security of cardholder data – despite the “general assertion” that a complex payment network existed which was governed by certain contractual relationships. To find otherwise, the court held, would “mean that the Court was acknowledging implied contracts between every potential merchant where a bank’s customer may choose to pay with a card as opposed to cash.” The court dismissed some claims without prejudice and allowed the plaintiff to amend its complaint to plead with a higher degree of particularity. We’ll monitor this case to see if the amended pleadings ultimately survive.
This opinion will likely lead to serious challenges to financial institutions suing merchants in data breach cases. They arguably face a higher standard than consumers in data breach class actions. But financial institutions now have a roadmap for how to sufficiently plead their data breach claims.