Takeaway: Data breaches are now a fact of life, whether for card-carrying consumers or commercial entities that are either victims of hacking or otherwise required to deal with the consequences. Class action litigation often ensues, not only on behalf of the impacted consumers, but also by affected financial institutions, including, for example, card-issuing banks. In Community Bank of Trenton v. Schnuck Markets, Inc., — F.3d –, No. 17-2146, 2018 WL 1737126 (7th Cir. Apr. 11, 2018), the Seventh Circuit breathed new life into the economic loss doctrine, holding as a matter of state (Illinois and Missouri) law that the commercial participants in the card payment system – a system governed by a network of contracts allocating risk for data breaches – could not sue another participant (a merchant that suffered a breach) in tort to supplement existing contractual remedies. This decision emphasizes the need for any participant in a contractual network to scrutinize the remedies provided in the contractual framework, because tort liability might otherwise be foreclosed.
In Schnuck, Midwestern grocery store chain Schnuck Markets (Schnucks) suffered a data breach in 2012. Cybercriminals gained access to the Missouri-based Schnucks’ computer system, ultimately stealing data pertaining to over two million credit and debit cards. The breach affected 79 of Schnucks’ 100 stores in the Midwest, many of which are in Illinois and Missouri.
Data breach litigation ensued. One of the cases was filed not by consumers but by financial institutions (card-issuing banks) that bore the costs of reissuing credit and debit cards and otherwise providing financial indemnity for the cybercriminals’ fraud.
A network of contracts connects all of the participants in the card payment system – merchants such as Schnucks, card-processors, banks, and card brands – to facilitate credit and debit card payments. In these contracts, all participating parties agree to assume certain responsibilities and be subject to certain contractual remedies. One of the responsibilities is to abide by data security rules called PCI DSS (Payment Card Industry Data Security Standards). And one of the contractual remedies provides for the sharing among the participants of the costs arising from any data breach.
Under this network of contracts, the card networks eventually imposed over $1.5 million in reimbursement charges and other fees against Schnucks, which liability was later split between Schnucks and other network participants (Schnuck’s card processor and acquiring bank).
The central issues in the case arose under Illinois and Missouri law, where many of the affected Schnucks stores are located, and “present[ed] fairly new variations on the economic loss rule in tort cases.” Id. at *1. That is because network participants – the plaintiff banks – brought a putative class action against Schnucks seeking to impose tort liability for the data breach in the form of claims for negligence and negligence per se. The plaintiff banks further alleged that they suffered tens of millions of dollars of damages that were not covered by the existing contractual remedies, arising from lost employee time, indemnity payments, and transaction fees and lost interest. As the Seventh Circuit observed, “the banks seek reimbursement for their losses above and beyond the remedies provided under the card network contracts.” Id. at *4.
In its analysis of the common law claims, the panel examined the economic loss doctrine in commercial litigation. As the court observed, “state courts have generally refused to recognize tort liabilities for purely economic losses inflicted by one business on another where those businesses have already ordered their duties, rights, and remedies by contract.” Id. The main issue, according to the court, was one of duty, “in the sense that tort law generally does not supply additional liabilities on top of specified contractual remedies.” Id.
The plaintiff banks argued forcefully they had no direct contractual relationship with Schnucks and therefore should not be bound by the economic loss doctrine. That argument did not persuade the panel: “[P]arties to the card payment system are not ships passing (or colliding) in the night. All parties involved in the complicated network of contracts that establish the card payment system have voluntarily decided to participate and to accept responsibility for the risks inherent in their participation. This includes at least some risk of not being fully reimbursed for the costs of another party’s mistake.” Id. at *7.
While the specifics of the contractual remedies were not readily apparent from the record excerpts of the relevant contracts, “what matters is not the details of the remedies but their existence.” Id. (emphasis in original). According to the panel, the banks could not seek additional recovery in tort just “because they are disappointed by the reimbursement they received through the contractual card payment systems they joined voluntarily.” Id. The court concluded: “we do not see either a paradigmatic or doctrinal reason why either Illinois or Missouri would recognize a tort claim by the issuing banks in this case, where the claimed conduct and losses are subject to these networks of contracts.” Id. at *8.