U.S. Bank removed a putative class action complaint filed by an online merchant named Paintball Punks to U.S. District Court in Minneapolis on December 6. The complaint (Paintball v USBank.pdf) alleges that Paintball Punks suffered chargeback losses of $11,259.91 from nine transactions that were fraudulently billed to U.S. Bank-issued credit cards as a result of U.S. Bank's failure to "remedy known data breaches in its own system." Indeed, Paintball Punks claims that U.S. Bank must have suffered a data breach (an allegation supported by alleged acknowledgements to Paintball Punks from two U.S. Bank employees that the bank knew for some time that it had a data breach), but that U.S. Bank did not immediately notify all affected cardholders and it did not cancel the at-risk cards. Instead, the complaint claims that U.S. Bank concealed the breach and only cancelled cards on a case-by-case basis after it received complaints about fraudulent transactions on a specific card.
The putative class is all merchants in the United States that received chargeback claims from U.S. Bank "with regard to cards that were the subject of a data breach at U.S. Bank or its affiliates." The complaint contains three claims: (1) Aiding and Abetting Fraudulent Transactions; (2) Intentional Interference with Contractual Relations with Merchant Bank; and (3) Violation of Minnesota's Consumer Protection Statutes.
It is worth noting that, although Paintball Punks' complaint faults U.S. Bank for not giving notice of a purported data breach, Paintball Punks does not allege where such a notice obligation arises from. Indeed, Paintball Punks does not allege privity of contract with U.S. Bank, nor does it claim that U.S. Bank failed to comply with any state or federal notice obligation.