[BreachExchange] In Data Breach Suit, Federal Court Holds Banks To Higher Standard Than Customers

Audrey McNeil audrey at riskbasedsecurity.com
Mon Oct 10 18:54:21 EDT 2016


http://www.jdsupra.com/legalnews/in-data-breach-suit-federal-court-holds-38060/

On Wednesday, September 28, 2016, an Illinois federal district
judge dismissed data breach-related claims brought by numerous banks against
a grocer citing the sophistication of the business relationship between the
banks and the grocer as a main reason the claims could not proceed.

Between December 2012 and March 2013, Schnucks, a grocery chain
headquartered in St. Louis, Missouri, experienced a data breach that made
payment card information transmitted through its computer system vulnerable
to attack by cyber criminals. The data breach may have affected as many as
2.4 million cardholders who shopped at Schnucks during the timeframe of the
breach. The banks alleged that Schnucks did not properly encrypt customer
payment information and thus fell short of industry standard. The banks
pursued multiple theories of relief, including RICO conspiracy claims,
breach of fiduciary duty, negligence, breach of contract, and violation of
the Illinois Consumer Fraud and Deceptive Business Practices Act.

The U.S. District Court for the Southern District of Illinois dismissed all
of the banks’ claims, holding that the alleged harms sustained were too
general and that “mere allegations of trust between sophisticated business
parties are insufficient to create a fiduciary relationship between the
parties.” The court observed that in cases brought by customers, the
customers can allege plausible claims based on concrete harm suffered, such
as fraudulent charges on their accounts, late fees incurred as the result
of fraudulent activity, and costs incurred as a result of acquiring an
identity theft monitoring service. Additionally, customers’ data-breach
claims appeal to the common life experience of walking into a merchant to
buy a sandwich or a coffee and the expectation that their data will be kept
safe.

In contrast, according to the court, the banks’ allegations of harm were
too general. For example, the banks alleged that they have incurred and
will continue to incur costs to (1) cancel and reissue cards, (2) close and
reopen accounts, (3) notify customers, and (4) investigate and monitor for
fraud, emphasizing the argument that Schnucks made fraudulent
representations or omissions to the banks regarding its data security
practices, and the banks relied on such misinformation in releasing
customer funds to Schnucks. The court, however, held that the generality
of these allegations made it too difficult to assess the validity of the
claims. Two of the banks’ claims were dismissed with prejudice. The banks
will have the opportunity to replead the other claims.