[BreachExchange] Schnucks Shakes Card Issuer Data Breach Class Action, For Now

Tue Oct 4 19:25:30 EDT 2016

http://www.natlawreview.com/article/schnucks-shakes-card-
issuer-data-breach-class-action-now

A relatively new breed of data breach class action involves financial
institutions suing merchants for expenses associated with credit card data
breaches. Although merchants may not have contractual privity with the card
issuers (and instead may have contractual privity with the credit card
brands or payment processors), the financial institutions in these cases
claim that the retailers should still compensate the financial institutions
for costs associated with fraudulent charges and reissuance of credit cards
as a result of a data breach. In the most recent decision involving these
sorts of claims, an Illinois federal judge found the financial
institutions’ claims against the Shnucks grocery store chain too vague to
survive Rule 12 dismissal. See Cmty. Bank of Trenton v. Schnuck Mkts., 2016
U.S. Dist. LEXIS 133482 (S.D. Ill. Sept. 28, 2016). The court reasoned that
although “the parties are charting relatively new territory in the data
breach context by presenting a case between financial institutions and a
merchant (as opposed to customers and a merchant), . . . the Court notes
that the generality made it difficult to assess the plausibility of such
claims.” Id. at *8-9.

The financial institutions asserted 13 counts, which were addressed by the
court as follows:

The court dismissed without prejudice the first three counts (RICO claims)
for failure to allege predicate RICO acts with sufficient particularly. Id.
at *19. According to the court, the financial institutions “rely on two
theories of fraud–misrepresentation and cheating–but they do not allege
with specificity what it was about Schnucks’s conduct that constituted
these things.”Id. The court found the RICO conspiracy allegations similarly
infirm.

As to breach of fiduciary duty, the court found insufficient allegations of
a special relationship under Illinois law or a dominant/subservient
relationship under Missouri law and thus dismissed that claim without
prejudice. Id. at *31-32.

The court dismissed the negligent misrepresentation claim without prejudice
because the plaintiffs had asserted insufficient allegations of concrete
misrepresentations and duty and had not sufficiently addressed the economic
loss doctrine under Illinois law, and the plaintiffs’ assumptions of and
reliance on compliance with VISA and MasterCard security protocols were
insufficient to plead the elements of negligent misrepresentation under
Missouri law. Id. at *33-34.

As to negligence/gross negligence, the court found no duty to protect data
owed by the defendant to the plaintiffs under the FTC Act or common law and
thus dismissed the claim without prejudice. Id. at *36-37.

The court dismissed the negligence per se claim (with prejudice under
Illinois law and without prejudice under Missouri law) because the
plaintiffs failed to identify a statute violated, much less one imposing
strict liability. Id. at *39-40.

As to breach of implied contract, the court dismissed without prejudice
because of insufficient allegations of implicit contractual privity between
the financial institutions and grocery store chain, and the allegations of
pre-existing duty to VISA and MasterCard undercut an implied contract claim
under Missouri law. Id. at *43-44.

The court dismissed without prejudice the breach of contract damaging third
parties claim because of insufficient allegations that the plaintiffs were
intended third-party beneficiaries of the grocery store chain and any other
participants in the financial network, and the plaintiffs appeared to be
incidental beneficiaries that could not recover under Missouri law. Id. at
*44-47.

As to the Illinois Consumer Fraud and Deceptive Business Practices Act
claim, the court dismissed without prejudice because of insufficient
allegations of misrepresentation content, timing and nature of
communication. Id. at *47-48.

The court dismissed the unjust enrichment/assumpsit claim because there
were insufficient allegations that the defendant received some benefit from
payment via credit card above and beyond payment by some other means. Id.
at *48-49. Nor did the plaintiffs adequately articulate what they would
have done had they known about the allegedly poor data security practices.
Id. at *49-50.

As to equitable subrogation, the court dismissed without prejudice because
of inadequate allegations that the plaintiffs had paid a third-party debt
by reimbursing customers for fraudulent charges. Id. at *51-52.

Finally, because the court dismissed all the claims, it did not opine on
the claim for declaratory and injunctive relief.

These sorts of cases are in their infancy, and it remains to be seen how
they’ll ultimately fare in the face of Rule 12 Rule 23, and Rule 56
challenges. Stay tuned.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20161004/5908b836/attachment.html>