[BreachExchange] The Economic Loss Doctrine as a Barrier to Data Breach Recovery

Audrey McNeil audrey at riskbasedsecurity.com
Mon May 21 19:29:45 EDT 2018


We recently commented on one hotly contested legal issue being addressed by
the courts in data breach class action litigation, that of plaintiffs’
standing. Another issue that has been the subject of recent court activity
in class cases is that of the economic loss doctrine: Can a data breach
plaintiff in a contractual relationship with the data breach defendant
recover under a negligence or other tort theory, or are its remedies
confined to the contract? The issue of course does not arise in situations
where the data breach plaintiff is not in contractual privity with the data
breach defendant. But in other cases – in particular, cases involving
compromised credit card data brought by the financial institutions that
issued the cards against merchants who are part of the same payment card
network – the issue is very much a live one.

In Community Bank of Trenton v. Schnuck Markets, Inc., the Seventh Circuit
considered the application of the economic loss doctrine in this context.
The court ultimately dismissed the suit, holding under both Illinois and
Missouri law that merchants, card processors and banks voluntarily linked
in a card payment system—a network of contracts that expressly allocates
risk and defines remedies for data breach incidents—could not sue their
card payment partners in tort.


A 2012 data breach led to the compromise of over 2.4 million credit and
debit cards, affecting nearly 80 percent of Schnuck’s Midwestern
supermarkets. Plaintiffs subsequently brought suit, asserting common law
claims under theories of negligence, contract, and other consumer
protection laws. Affected customers brought a class suit, but they were not
alone: Financial institutions that were exposed to the expense of issuing
new cards to customers and reimbursing the costs associated with the
hacker’s account fraud also sued the supermarket chain.

Schnuck, the aggrieved financial institutions, and the card processors are
all linked through a system of contracts that help streamline consumer
payment transactions. Within those contracts, and as part of the bargain,
the agreeing parties voluntarily assume some liabilities and voluntarily
limit their contractual remedies and recovery. Of note, participants must
adhere to the PCI DSS—Payment Card Industry Data Security Standards. As
part of that, participants agree to a sharing of the expenses of a network
data breach. Based on the cost-sharing provision, Schnuck faced over $1
million in reimbursement fees, which would have then been apportioned
throughout the network.

The Seventh Circuit had to determine how best to interpret and apply the
economic loss doctrine, and whether Illinois or Missouri laws offered the
banks additional remedies beyond those stipulated in the contract. The
complaining banks brought negligence claims and alleged that they had been
exposed to millions in damages, such as employee time, customer
reimbursements, and transaction fees. The payment card agreements’ remedies
did not cover the full amount of these losses. The Seventh Circuit, noting
that the banks and Schnuck were linked through the payment system, held
that the allegation of contractually uncovered losses was insufficient to
allow the banks to recover beyond the amounts provided in their “network of
contracts.” The banks thus could not escape the contractual limitations on
their recovery by suing in tort.

The court reiterated that state courts typically decline to impart tort
liability in instances where one business inflicts purely economic loss on
another and their interactions are governed by contract. In making this
distinction, the court then turned to the issue of duty, stating that
neither Illinois nor Missouri would impose a common law data security duty
upon Schnuck. The court systematically dismissed the banks' remaining common
law claims for similar reasons, concluding that the contracts signed by the
participating institutions governed all rights and remedies as between the

The banks attempted to argue that they were not in privity with Schnuck,
thus making the economic loss doctrine inapplicable. The court disagreed,
however, pointing again to the voluntary nature of the payment network
system and the parties’ conscious choice to participate in the system—a
system with written rules and procedures governing all participants—with
both its benefits and allocated risks.

Looking Forward

The Seventh Circuit’s dismissal of the banks’ claims in Schnuck teaches
that financial institutions, despite the obvious costs they incur on the
back end of data breaches, cannot expect extra judicial help in the realm
of recovery beyond the contractual terms to which they agreed in issuing
payment cards. Sophisticated plaintiffs that had opportunities to negotiate
and contract for their share of the risk and liability prior to data breach
incidents will not likely be permitted to reapportion such risks through
tort claims after a breach has occurred.

While this summary focuses primarily on the economic loss doctrine, another
holding is worth noting: Schnuck offers support for the proposition that
merchants have no common law duty to protect data. It remains to be seen
whether this state law holding will be confined to scenarios where
merchants have expressly negotiated to allocate the risk of a breach. In
any event, however, statutory and contractual duties will often still
exist, and we would not expect the pure “no duty” position to gain quick
acceptance across the country, as it has far-reaching implications for all
data breach cases.