In a cautionary tale for banks, a federal court judge in Illinois dismissed a lawsuit filed by Community Bank of Trenton after concluding the bank’s sophisticated business dealings required a higher standard than consumer data breach suits.

What happened

Between December 2012 and March 2013, Schnuck Markets, Inc., fell prey to a major data breach, with information about approximately 2.4 million consumers compromised. Payment card numbers and expiration dates were allegedly held in unencrypted format on the grocer’s computers while cards were awaiting approval by third-party payment processors, in violation of industry standards.

A group of financial institutions led by Community Bank of Trenton filed suit against the grocer asserting a panoply of 13 different legal claims, including allegations of violations of the Racketeer Influenced and Corrupt Organizations Act (RICO), the Illinois Consumer Fraud and Deceptive Business Practices Act, as well as claims based on tort and breach of contract theories. The plaintiffs challenged Schnuck’s lax data security practices, alleging that the company “fell far short of industry standards” by capturing consumer data in its computer system in an unencrypted format, leaving it vulnerable to hackers. Schnuck knew its data security procedures were outdated and ineffective, the plaintiffs added, and failed to implement preventative measures such as antivirus and firewall software or a risk management system. Schnuck moved to dismiss the suit.

Granting the motion, U.S. District Court Judge Michael J. Reagan distinguished the case from prior litigation brought by consumers against retailers in the wake of a data breach, such as the suits against Home Depot and Target.

“In the cases brought by consumers, parties have effectively illustrated plausible claims for relief under various theories by appealing to the common life experience of a consumer walking into a merchant to buy a sandwich or a book,” the court said. “The concrete fraud charges on customer payment cards and the familiar expectations of a store customer make the claims in those cases hold together to illustrate a plausible story.”

By contrast, the allegations of harms sustained by the financial institution plaintiffs were too “general,” the court said. “The Complaint alleges that Plaintiffs have incurred and will continue to incur costs to: cancel and reissue cards; close and reopen accounts; notify customers; and, investigate and monitor for fraud. Plaintiffs allege that they may also lose profits if customers use payment cards less frequently.”

Working its way through all 13 counts of the plaintiffs’ complaint, the court found the RICO claims based on wire fraud stretched “the arms of the fraud statutes too far.” The judge dismissed the bank’s contention that Schnuck engaged in fraud by making misrepresentations, as “[m]erchants are not in the common practice of posting signs by the register assuring data security, so surely there cannot be a misrepresentation or omission there, nor is there any kind of data safety guarantee transmitted across the wires from a merchant to processors when a card is swiped.”

Broad statements that “everyone assumes that merchants and VISA and [other card] participants practice good data security” are insufficient, the court said, distinguishing other data breach cases like the one against Home Depot, where the merchant received numerous warnings that its data security was insufficient but declined to take action, purportedly to save money. “[T]he same degree of intentionality or purpose is not evidence in Schnucks’s alleged conduct,” the court wrote.

Similarly, bank fraud claims failed to provide the basis for the RICO counts as the plaintiffs did “not specify what scheme or artifice was faulty or how it was directed to defrauding them.”

Judge Reagan tossed the bank’s breach of fiduciary duty allegations, rejecting the idea that Schnuck was the dominant party in the relationship. “The Plaintiffs as financial institutions, and Schnucks as a mid-sized grocer, are both ‘sophisticated’ parties who participated in a mutually beneficial business arrangement that allowed individuals to use electronic payment cards to purchase their groceries,” the court said.

The fact that Schnuck participated in the payment networks did not provide the basis for a negligent misrepresentation claim that the grocer took certain data security measures, the judge added.

“The loose assertion seems to be that all parties who interact with VISA and [other card issuers] are assumed to be in compliance with VISA and [their respective organization]’s security protocol, and that compliance with said protocol would successfully protect individual cardholders’ data from security breaches—but these intangible assumptions and the associated abstract reliance on the notion that compliance with the protocol would have prevented data breaches are not pled with sufficient particularity to state a claim nor do they suggest that Schnucks made a misrepresentation or provided patently false information,” the court wrote.

Contract claims did nothing to sway the court, which again distinguished the relationship between a cardholder and a merchant and a merchant and a financial institution. “It is easier to see how a contract might be implied between a cardholder and a merchant where the cardholder provides payment and walks away with tangible goods such as groceries, and in exchange the merchant receives electronic payment thus giving them value for the goods,” the court said. “This elementary transaction much more clearly contains the basic principles of a contract than the relationship between financial institutions and merchants.”

Further, the existence of explicit contracts governing certain aspects of the payment network implied that participants anticipated the need to allocate certain risks and entered into the contracts they saw fit to address the situation, Judge Reagan wrote. He also found it “implausible” to “conceptualize how the Plaintiffs would have done something additional on their end if they knew of the data security issues.”

The court dismissed the complaint in its entirety, albeit only with prejudice for the negligence claims, allowing the plaintiffs to file an amended complaint with greater specificity.

To read the memorandum and order in Community Bank of Trenton v. Schnuck Markets, Inc., click here.

To read the Complaint, click here.

Why it matters

The court acknowledged that “the parties are charting relatively new territory in the data breach context by presenting a case between financial institutions and a merchant,” but appeared to suggest that the presence of a “sophisticated” party such as a bank required a higher standard than a suit brought by a consumer. Significantly, a consumer class action brought by Schnuck customers over the data breach survived a motion to dismiss before the parties reached a settlement last year. Financial institutions should keep the Schnuck litigation in mind and be aware that they may face an uphill battle in data breach cases.