In a world where massive data security breaches occur daily, aggrieved parties, including issuing banks, are seeking the bounds of loss recovery. Courts have been confronted with the question of whether plaintiffs in data breach cases can seek recovery through tort law in addition to contract law, and whether retailers have a duty to protect credit- and debit-card information from data breaches. This edition of Morgan Lewis Retail Did You Know? examines a Seventh Circuit decision in Community Bank of Trenton v. Schnuck Markets, Inc. that addresses these issues, including the decision’s practical implications for liability distribution in network contracts between retailers, banks, and credit card companies, as well as alternative approaches aggrieved parties may use to recover data breach losses.
As described in further detail below, the US Court of Appeals for the Seventh Circuit, basing its decision in part on how it predicts that Illinois and Missouri courts would rule, opined that (1) retailers do not have a common law duty to safeguard personal information, and (2) issuing banks cannot use tort law in addition to contract law to recover damages from data security breaches.
A network of contracts—linking merchants, card processors, banks, and card brands—enables credit- and debit-card holders to make electronic purchases in retail stores. Banks, merchants, card networks, and their agents all agree to abide by data security rules called Payment Card Industry Data Security Standards, which distribute liability for data breaches. By contrast, federal law limits liability for credit- and debit-card holders in the event of a data breach. Therefore, if a card holder’s information is stolen and used to make unauthorized purchases in a data breach, the card holder is not liable for the charges incurred. Instead, liability is shared by merchants, banks, card networks, and their agents through the network of contracts.
Community Bank of Trenton v. Schnuck Markets, Inc.
In Community Bank of Trenton, four plaintiff-appellant issuing banks sought tort recovery in addition to contract recovery for losses incurred while investigating fraudulent activity, reissuing cards, and making payments to indemnify customers for fraudulent charges after Schnuck Markets, a St. Louis–based grocery chain, suffered a massive data security breach in December 2012. Hackers harvested credit- and debit-card information from approximately 2.4 million cards from December 2012 until March 2013. Schnucks learned of the breach on March 14, 2013, but waited until March 30, 2013 to disclose the data breach to the public.
The Seventh Circuit, affirming the district court’s decision and predicting how Illinois and Missouri state courts would rule on these issues, declined to expand data breach liability beyond contract law and into tort law. Specifically, the court held that “[it] d[id] not see either a paradigmatic or doctrinal reason why either Illinois or Missouri would recognize a tort claim by the issuing banks in this case, where the claimed conduct and losses are subject to these networks of contracts.” Basing its decision on the economic loss rule, the Seventh Circuit reasoned that liability for purely economic loss is more appropriately governed by the contracts the parties have negotiated and agreed to themselves, rather than by tort law.
The Seventh Circuit rejected the issuing banks’ request to apply the “stranger paradigm,” which allows tort recovery when a negligent actor causes financial harm to a party with which the actor has no preexisting relationship. Instead, it applied the “contracting parties paradigm,” which only applies contract law when additional tort liability is not necessary because an existing contract between the parties reduces “the externalities visited upon by third parties.”
Ultimately, the Seventh Circuit affirmed the district court’s dismissal of the issuing banks’ negligence and negligence per se claims, reasoning that there is no common law duty to safeguard personal information under Illinois and Missouri state law. The court also affirmed the dismissal of the issuing banks’ other common law claims, including unjust enrichment, implied contracts, and third-party beneficiary claims.
Potential Relief Under Illinois Consumer Fraud Act
While the Seventh Circuit declined to expand the liability between banks, card networks, and retailers from contract liability to tort liability, it did point to another potential form of relief under the Illinois Consumer Fraud Act (ICFA). The Seventh Circuit explained that the issuing banks in this case could have potentially recovered under ICFA by alleging that Schnucks violated the Illinois Personal Information Protection Act (PIPA) when it failed to disclose the data breach for two weeks after learning of its occurrence. A PIPA violation, such as failing to provide Illinois residents with notice when they are affected by data breaches, may be sufficient to obtain relief under ICFA.
In the Seventh Circuit, issuing banks are limited to contractual recovery for losses incurred in data breaches; however, additional relief may be sought under the ICFA.
The Seventh Circuit, similar to the Third Circuit and First Circuit, but in contrast to the Fifth Circuit, applied the economic loss rule to bar tort recovery from issuing banks in data breach lawsuits against a retail merchant. Issuing banks should be aware that the trend in federal court decisions is to limit their recovery in data breaches to contractual remedies, even if a retailer did not adequately protect consumer personal information or timely disclose a breach. With this in mind, parties should pay careful attention to how liability is allocated and negotiated in network contracts.
In addition, retailers in Illinois should be aware that issuing banks may be able to recover from PIPA violations under ICFA, and should consider disclosing breaches immediately to avoid this potential liability.