In a data breach putative class action brought by financial institutions against a retail grocery store chain, the U.S. Court of Appeals for the Seventh Circuit recently held that the economic loss doctrine prevented recovery of economic losses in tort cases.

Although the financial institutions had no direct contractual relationship with the retail grocery store chain, the Seventh Circuit noted that the banks and the merchant all participated in a network of contracts that tied together all the participants in the card payment system.

In so ruling, the Seventh Circuit joined the Third and First Circuits in rejecting negligence theory in a data breach case by card issuers against merchants.

The Seventh Circuit also rejected the financial institutions’ efforts to bring UDAP claims to recover their losses against the retailer.

A copy of the opinion in Community Bank of Trenton v. Schnuck Markets, Inc. is available at: Link to Opinion.

In December 2012, hackers installed malicious software on the grocery store chain’s (“merchant”) computer network and harvested data from the merchant’s system while payment transactions were being processed. The breach affected 79 of the merchant’s 100 stores in the Midwest, many of which are located in Missouri and Illinois.

The hackers harvested and sold customers’ stolen data which was used to create counterfeit cards and to make unauthorized cash withdrawals, including from the plaintiff banks — four financial institutions that issued cards and participated in the card payment system (the “banks”)

The merchant claimed that it did not learn of the breach until March 2013. The banks estimated that for every day the data breach continued, approximately 20,000 cards may have been comprised, and a total of 2.4 million cards may be at risk from the breach. The banks alleged that the numerous security steps could have prevented the breach and that those steps were required by the card network rules — a network of contracts between the retail merchant, issuing bank, acquiring bank, and the card network (e.g., VISA, MasterCard).

Additionally, under the card network rules, the banks agreed to indemnify their customers in the event that a data breach anywhere in the network results in unauthorized transactions. The contracts provided a cost recovery process that allowed issuing banks to seek reimbursement for at least some of their losses.

In 2014, the banks, which may or may not have received some of those reimbursements, filed a lawsuit seeking to be made whole directly by the merchant. In effect, the banks sought reimbursement for their losses above and beyond the remedies provided under the card network contracts.

Several of the banks filed a putative class action against the merchant. The putative class of banks included both Illinois and Missouri citizens.

The trial court dismissed all of the banks’ claims, holding that the Illinois and Missouri tort law did not offer a remedy to card-holders’ banks against a retail merchant who suffered a data breach, above and beyond the remedies provided by the contracts between the parties.

This appeal followed.

The Seventh Circuit began its analysis by examining the economic loss doctrine in commercial litigation.

As you may recall, many states generally refuse to recognize tort liabilities for purely economic losses inflicted by one business on another where those businesses have already ordered their duties, rights, and remedies by contract.

In Illinois, this is known as the Moorman doctrine, from Moorman Mfg. Co. v. Nat’l Tank Co., 435 N.E.2d 443 (Ill. 1982). Missouri generally prohibits “a plaintiff from seeking to recover in tort for economic losses that are contractual in nature.” Autry Morlan Chevrolet Cadillac, Inc. v. RJF Agencies, Inc., 332 S.W.3d 184, 192 (Mo. App. 2010).

The banks argued that they had no direct contractual relationship with the merchant. Although that was true, the Seventh Circuit noted that the banks and the merchant all participated in a network of contracts that tied together all the participants in the card payment system.

Specifically, when the parties joined the card payment system they agreed to abide by the data security standards of the industry, the PCI DSS. The merchant agreed to be subject to assessments and fines from the card networks in the event that it was responsible for data breaches and unauthorized card activity. The banks agreed to exceed federal requirements for indemnifying their card holders and also consented to the remedial assessment and reimbursement process provisions and related risks.

In the Seventh Circuit’s view, this network of contracts imposed duties and provided contractual remedies for breach of those duties. The banks accepted some risk of not being fully reimbursed for the costs of another party’s mistake, and as such, the banks cannot seek additional recovery because they were disappointed by the reimbursement they received through the contract that they voluntarily entered into.

The Seventh Circuit concluded that neither Illinois nor Missouri would recognize a tort claim from the banks where the claimed conduct and losses were subject to contract.

The Seventh Circuit then turned to the banks’ specific common law claims.

First, the banks argued that the merchant had a common law duty to safeguard customers’ data and that duty extends to its customers’ banks.

The Illinois Supreme Court has not directly spoken on this issue in the context of data breaches. However, the Illinois Appellate Court addressed this topic in Cooney v. Chicago Public Schools, 943 N.E.2d 23, 28 (Ill. App. 2010) and rejected “‘a new common law duty’ to safeguard information.” Relying on Cooney, the Seventh Circuit predicted that the Illinois Supreme Court would not impose a common law data security duty proposed by the banks.

The Seventh Circuit noted that Missouri Appellate Courts have said less than Illinois Appellate Courts on the question of duty. However, the Seventh Circuit indicated that Missouri would likely reach the same conclusion as it applies the same common law duty test that was important to the Cooney court. See Hoffman v. Union Elec. Co., 176 S.W.3d 706, 708 (Mo. 2005).

In any event, the Seventh Circuit predicted that Illinois and Missouri courts would apply the economic loss doctrine to bar recovery anyways, as courts in both states do not permit tort recovery for businesses who seek to correct the purely economic “defeated expectations of a commercial bargain.”

Therefore, the Seventh Circuit determined that the District Court’s rejection of the banks’ negligence claim was consistent with Illinois and Missouri law.

Similarly, the Seventh Circuit found that the banks’ negligence per se claims failed because neither Illinois nor Missouri have legislatively imposed liability for personal data breaches. This is critical, according to the Seventh Circuit, as the first element of a negligence per se action is a showing that a statute or ordinance had been violated.

The banks also asserted three other claims sounding in the common law of contracts: unjust enrichment, implied contract, and third-party beneficiary.

The Seventh Circuit noted that Illinois law and Missouri law on these common law contract theories were similar — they both refused to recognize unjust enrichment claims where contracts already establish rights and remedies. Illinois and Missouri also do not recognize implied contracts where written agreements define the business relationship. And, neither state recognizes third-party beneficiary claims unless the beneficiary is identified or the third-party beneficiary benefit is clearly intended by the contracting parties.

Moreover, the Seventh Circuit noted that the merchant was not unjustly enriched — its card-paying customers paid the same amount as those paying in cash — and there was no unjust enrichment left uncovered outside of the card payment system contracts.

Thus, because the network contracts precluded secondary common law contract theories, the Seventh Circuit concluded that the district court properly rejected these claims.

The Seventh Circuit acknowledged that the Fifth Circuit predicted that New Jersey would recognize a negligence claim brought by an issuing bank against a payment processor, although not retail merchants. See Lone Star Nat’l Bank, N.A. v. Heartland Payment Sys., Inc., 729 F.3d 421 (5th Cir. 2013).

However, the Seventh Circuit provides two reasons for reaching a different conclusion. One, the Lone Star court relied on New Jersey’s practice of being “a leader in expanding tort liability.” Id., at 426-27. Two, unlike the Lone Star court, there was sufficient information about the card network agreements in the record to inform the Seventh Circuit’s analysis.

The Seventh Circuit’s reasoned that its predictions were closer to Sovereign Bank v. BJ’s Wholesale Club, Inc., 533 F.3d 162 (3d Cir. 2008) (applied economic loss rule to bar negligence claims and rejected most of the other theories invoked by issuing banks against a breached retail merchant) and In re TJX Companies Retail Security Breach Litig., 564 F.3d 489 (1st Cir. 2009) (rejected negligence theory because of the economic loss rule and a third-party beneficiary theory under the card payment system contracts).

Thus, the Seventh Circuit joined the Third and First Circuits in rejecting negligence theory in a data breach case where the parties’ duties and remedies were defined by contract.

The Seventh Circuit then turned to the banks’ claim that the merchant violated the Illinois Consumer Fraud and Deceptive Business Practices Act (ICFA), 815 Ill. Comp. Stat. 505/2, 505/10a, by allegedly engaging in an unfair practice of having poor data security procedures.

As you may recall, Illinois courts are skeptical of business-v.-business ICFA claims when neither party is actually a consumer in the transaction. See Athey Prods. Corp. v. Harris Bank Roselle, 89 F.3d 430, 437 (7th Cir. 1996) (a business plaintiff under the ICFA must show a “nexus between the complained of conduct and consumer protection concerns”).

However, the Seventh Circuit did not decide whether the banks could establish a consumer nexus in an ICFA data breach claim, because the banks failed to allege any ICFA violation that would make that secondary consumer nexus determination necessary.

The banks advanced a theory that the merchant engaged in unfair practice by not warning customers or the banks of its compromised payment system, and it acted deceptively to maintain its prices and to ensure business as usual until it publicly announced the data breach. The Seventh Circuit found this argument unpersuasive because this type of “market theory of causation” has been rejected in Illinois. See Oliveira v. Amoco Oil Co., 776 N.E.2d 151 (Ill. 2002).

The banks also argued that the merchant violated the ICFA by violating the Illinois Personal Information Protection Act (PIPA), 815 Ill. Comp. Stat. 530/10, which requires notice to Illinois residents affected by data breaches.

As you may recall, a violation of PIPA constitutes an unlawful practice under the ICFA. See 815 Ill. Comp. Stat. 530/20.

The problem was, as the Seventh Circuit explained, the banks failed to explain whether and how the merchant’s conduct fell under one of the operative subsections of the notice statute and not any of its exceptions. Id. This was critical as the banks were advancing a novel legal theory. Because the banks did not adequately develop its arguments in District Court, the Seventh Circuit concluded that the banks failed to preserve the argument on appeal.

Accordingly, the Seventh Circuit affirmed the judgment dismissing the action.