Seventh Circuit Deals Blow to Banks in Putative Data Breach Class Action Seventh Circuit Deals Blow to Banks in Putative Data Breach Class Action

Seventh Circuit Deals Blow to Banks in Putative Data Breach Class Action

The Seventh Circuit recently affirmed a Southern District of Illinois decision dismissing a putative data breach class action against Schnuck Markets, Inc. (“Schnucks”). Cmty. Bank of Trenton, et al. v. Schnuck Markets, Inc., No. 17-2146, 2018 WL 1737126 (7th Cir. Apr. 11, 2018). According to the complaint, in late 2012, hackers stole the data of about 2.4 million credit and debit cards from Schnucks, a Midwestern grocery store chain, resulting in millions of dollars of unauthorized purchases and cash withdrawals. Id. at *1. This case is unusual in the data breach context, because the proposed class consisted not of the consumers affected by the Schnucks’ breach, but instead of the financial institutions who incurred costs to reissue cards and indemnify consumers for subsequent fraudulent activity. Id.

Whenever there is a data breach involving credit cards that are used to make unauthorized transactions, it is the issuing banks that first must bear the cost of indemnifying their customers for the unauthorized charges and issuing new cards. Id. at *2. However, the contracts between banks and card networks allow banks to seek reimbursement for at least part of these losses. Id. Here, Plaintiff banks sought reimbursement from the card networks, who in turn received “fines” from Schnucks for not complying with card network requirements for data security. Id. at *2–3. Although the reimbursements/fines flowed from Schnucks to the card networks to the Plaintiff banks, the Plaintiff banks filed suit against Schnucks, arguing that Illinois and Missouri tort law would provide them a remedy above and beyond the remedies spelled out in the various contracts linking the three groups. Id. at *1–2. The district court granted Schnucks’ motion to dismiss for failure to state a claim, reasoning that all of Plaintiff banks’ claims were covered by the terms of the contracts between Schnucks, the card networks, and the banks. Id. at *4.

On appeal, the Seventh Circuit framed the issue as “whether Illinois or Missouri tort law offers a remedy to cardholders’ banks against a retail merchant who suffered a data breach, above and beyond the remedies provided by the network of contracts that link merchants, card-processors, banks, and card brands to enable electronic card payments.” Id. at *1.  Finding that the highest courts of the relevant states had not addressed the specific questions at issue, the Court predicted they would find that the “economic loss rule,” which was recognized by both Illinois and Missouri, prevented the Plaintiff banks from pursuing a tort claim for purely economic losses, which have already been remedied by contract. Id. at *4–7.

In affirming the district court’s dismissal, the Seventh Circuit reasoned this was not a case where the Plaintiff banks had no remedy at all. Id. at *7. Under the terms of the applicable contracts, Schnucks had already paid a $1.5 million fine to the card networks, who in turn distributed the funds to the banks to pay for the costs of re-issuing the cards. Id. at *3. The Plaintiff banks were seeking an additional reimbursement, because they had not been made whole by virtue of their contractual remedies. Id. According to the Seventh Circuit, “what matters is not the details of the [contractual] remedies but their existence.Id. at *7 (emphasis in original).

This case provides a glimpse into how courts analyze liability for data breaches when there are contracts governing data security, even when the contracts are not directly between the parties, and illustrates how quickly the legal landscape is changing in the area of data breach litigation. For guidance on responding to data breaches to minimize the risk of litigation and handling such litigation if it occurs, please contact Stephen Reynolds, Jenny Buchheit, or Martha Kohlstrand. Stephen Reynolds, a former computer programmer and IT analyst, is a partner in Ice Miller’s Litigation Group and co-chair of Ice Miller’s Data Security and Privacy Practice. Jenny Buchheit is a senior counsel in Ice Miller’s Litigation Group who represents clients at both the trial and appellate levels and focuses much of her work on defending companies in both state and national putative class actions. Martha Kohlstrand is an associate in Ice Miller’s Litigation Group and focuses much of her work on class actions and data security and privacy issues.

This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.

View Full Site View Mobile Optimized