A relatively new breed of data breach class action involves financial institutions suing merchants for expenses associated with credit card data breaches. Although merchants may not have contractual privity with the card issuers (and instead may have contractual privity with the credit card brands or payment processors), the financial institutions in these cases claim that the retailers should still compensate the financial institutions for costs associated with fraudulent charges and reissuance of credit cards as a result of a data breach. In the most recent decision involving these sorts of claims, an Illinois federal judge found the financial institutions’ claims against the Schnucks grocery store chain too vague to survive Rule 12 dismissal. See Cmty. Bank of Trenton v. Schnuck Mkts., 2016 U.S. Dist. LEXIS 133482 (S.D. Ill. Sept. 28, 2016). The court reasoned that although “the parties are charting relatively new territory in the data breach context by presenting a case between financial institutions and a merchant (as opposed to customers and a merchant), . . . the Court notes that the generality made it difficult to assess the plausibility of such claims.” Id. at *8-9.

The financial institutions asserted 13 counts, which were addressed by the court as follows:

  • The court dismissed without prejudice the first three counts (RICO claims) for failure to allege predicate RICO acts with sufficient particularity. Id. at *19. According to the court, the financial institutions “rely on two theories of fraud–misrepresentation and cheating–but they do not allege with specificity what it was about Schnucks’s conduct that constituted these things.” Id. The court found the RICO conspiracy allegations similarly infirm.
  • As to breach of fiduciary duty, the court found insufficient allegations of a special relationship under Illinois law or a dominant/subservient relationship under Missouri law and thus dismissed that claim without prejudice. Id. at *31-32.
  • The court dismissed the negligent misrepresentation claim without prejudice because the plaintiffs had asserted insufficient allegations of concrete misrepresentations and duty and had not sufficiently addressed the economic loss doctrine under Illinois law, and the plaintiffs’ assumptions of and reliance on compliance with VISA and MasterCard security protocols were insufficient to plead the elements of negligent misrepresentation under Missouri law. Id. at *33-34.
  • As to negligence/gross negligence, the court found no duty to protect data owed by the defendant to the plaintiffs under the FTC Act or common law and thus dismissed the claim without prejudice. Id. at *36-37.
  • The court dismissed the negligence per se claim (with prejudice under Illinois law and without prejudice under Missouri law) because the plaintiffs failed to identify a statute violated, much less one imposing strict liability. Id. at *39-40.
  • As to breach of implied contract, the court dismissed without prejudice because of insufficient allegations of implicit contractual privity between the financial institutions and grocery store chain, and the allegations of pre-existing duty to VISA and MasterCard undercut an implied contract claim under Missouri law. Id. at *43-44.
  • The court dismissed without prejudice the breach of contract damaging third parties claim because of insufficient allegations that the plaintiffs were intended third-party beneficiaries of the grocery store chain and any other participants in the financial network, and the plaintiffs appeared to be incidental beneficiaries that could not recover under Missouri law. Id. at *44-47.
  • As to the Illinois Consumer Fraud and Deceptive Business Practices Act claim, the court dismissed without prejudice because of insufficient allegations of misrepresentation content, timing and nature of communication. Id. at *47-48.
  • The court dismissed the unjust enrichment/assumpsit claim because there were insufficient allegations that the defendant received some benefit from payment via credit card above and beyond payment by some other means. Id. at *48-49. Nor did the plaintiffs adequately articulate what they would have done had they known about the allegedly poor data security practices. Id. at *49-50.
  • As to equitable subrogation, the court dismissed without prejudice because of inadequate allegations that the plaintiffs had paid a third-party debt by reimbursing customers for fraudulent charges. Id. at *51-52.
  • Finally, because the court dismissed all the claims, it did not opine on the claim for declaratory and injunctive relief.

These sorts of cases are in their infancy, and it remains to be seen how they’ll ultimately fare in the face of Rule 12, Rule 23, and Rule 56 challenges. Stay tuned.