We recently commented on one hotly contested legal issue being addressed by the courts in data breach class action litigation, that of plaintiffs’ standing. Another issue that has been the subject of recent court activity in class cases is that of the economic loss doctrine: Can a data breach plaintiff in a contractual relationship with the data breach defendant recover under a negligence or other tort theory, or are its remedies confined to the contract? The issue of course does not arise in situations where the data breach plaintiff is not in contractual privity with the data breach defendant. But in other cases – in particular, cases involving compromised credit card data brought by the financial institutions that issued the cards against merchants who are part of the same payment card network – the issue is very much a live one.
In Community Bank of Trenton v. Schnuck Markets, Inc., the Seventh Circuit considered the application of the economic loss doctrine in this context. The court ultimately dismissed the suit, holding under both Illinois and Missouri law that merchants, card processors and banks voluntarily linked in a card payment system—a network of contracts that expressly allocates risk and defines remedies for data breach incidents—could not sue their card payment partners in tort.
A 2012 data breach led to the compromise of over 2.4 million credit and debit cards, affecting nearly 80 percent of Schnuck’s Midwestern supermarkets. Plaintiffs subsequently brought suit, asserting common law claims under theories of negligence, contract, and other consumer protection laws. Affected customers brought a class suit, but they were not alone: Financial institutions that were exposed to the expense of issuing new cards to customers and reimbursing the costs associated with the hacker’s account fraud also sued the supermarket chain.
Schnuck, the aggrieved financial institutions, and the card processors are all linked through a system of contracts that help streamline consumer payment transactions. Within those contracts, and as part of the bargain, the agreeing parties voluntarily assume some liabilities and voluntarily limit their contractual remedies and recovery. Of note, participants must adhere to the PCI DSS—Payment Card Industry Data Security Standards. As part of that, participants agree to a sharing of the expenses of a network data breach. Based on the cost-sharing provision, Schnuck faced over $1 million in reimbursement fees, which would have then been apportioned throughout the network.
The Seventh Circuit had to determine how best to interpret and apply the economic loss doctrine, and whether Illinois or Missouri laws offered the banks additional remedies beyond those stipulated in the contract. The complaining banks brought negligence claims and alleged that they had been exposed to millions in damages, such as employee time, customer reimbursements, and transaction fees. The payment card agreements’ remedies did not cover the full amount of these losses. The Seventh Circuit, noting that the banks and Schnuck were linked through the payment system, held that the allegation of contractually uncovered losses was insufficient to allow the banks to recover beyond the amounts provided in their “network of contracts.” The banks thus could not escape the contractual limitations on their recovery by suing in tort.
The court reiterated that state courts typically decline to impose tort liability in instances where one business inflicts purely economic loss on another and their interactions are governed by contract. In making this distinction, the court then turned to the issue of duty, stating that neither Illinois nor Missouri would impose a common law data security duty upon Schnuck. The court systematically dismissed the banks’ remaining common law claims for similar reasons, concluding that the contracts signed by the participating institutions governed all rights and remedies as between the parties.
The banks attempted to argue that they were not in privity with Schnuck, thus making the economic loss doctrine inapplicable. The court disagreed, however, pointing again to the voluntary nature of the payment network system and the parties’ conscious choice to participate in the system—a system with written rules and procedures governing all participants—with both its benefits and allocated risks.
The Seventh Circuit’s dismissal of the banks’ claims in Schnuck teaches that financial institutions, despite the obvious costs they incur on the back end of data breaches, cannot expect extra judicial help in the realm of recovery beyond the contractual terms to which they agreed in issuing payment cards. Sophisticated plaintiffs that had opportunities to negotiate and contract for their share of the risk and liability prior to data breach incidents will not likely be permitted to reapportion such risks through tort claims after a breach has occurred.
While this summary focuses primarily on the economic loss doctrine, another holding is worth noting: Schnuck offers support for the proposition that merchants have no common law duty to protect data. It remains to be seen whether this state law holding will be confined to scenarios where merchants have expressly negotiated to allocate the risk of a breach. In any event, however, statutory and contractual duties will often still exist, and we would not expect the pure “no duty” position to gain quick acceptance across the country, as it has far-reaching implications for all data breach cases.