Extracted from Law360.com
The explosion of data breaches across all mediums and industries — and payment card breaches in particular — is well known. High-profile payment card breaches have dominated recent headlines, with criminal attacks on Chipotle, Sonic and Under Armour, just to name a few.[1] By the numbers, breach incidents quadrupled in 2017.[2] And not only is the frequency increasing, the cost is as well. The average cost of a data breach in the U.S. was $7.35 million per breach incident in 2017, up 5 percent from 2016.[3] Indeed, some industry analysts predict that the damage from cybercrime generally will reach $6 trillion by 2021.[4]
Coinciding with the increase in payment card breaches, and in fact part of the skyrocketing costs, is a corresponding increase in lawsuits filed by financial institutions against the merchants who fall victim to the criminal cyberattacks. The financial institution plaintiffs allege that they issued payment cards to their customers, that those payment cards were compromised in the breach and, for that reason, they suffered damages in the form of card reissuance and refunding losses from unauthorized use of the customers’ cards.[5] These lawsuits are often filed by repeat players and often by the same contingent of plaintiffs lawyers.[6]
Financial institution litigation brings with it a unique set of issues. At the forefront is the contractual backdrop against which financial institutions issue payment cards in the first place. Financial institutions do not issue payment cards in a vacuum, but rather through a series of contracts. Pursuant to those contracts, financial institutions agree to be bound by the card brand’s (e.g., Visa, MasterCard, etc.) operating rules.[7] Those rules expressly contemplate data breaches and provide a mechanism for financial institutions to recover losses, if any, incurred as a result of a data breach (also known as the “card brand recovery process”).[8]
Despite this web of contracts, the financial institutions often do not bring breach of contract claims.[9] Rather, financial institution litigation plaintiffs frequently assert state law claims for negligence, negligence per se and violations of consumer protection statutes. These claims present a myriad of state law issues, which courts often address as a matter of first impression, including (1) whether a merchant owes a financial institution a duty to safeguard customers’ payment card data, and (2) whether the various state and/or federal consumer protection laws apply to data breaches against merchants.
One of the most important state law issues that arises in these cases is the applicability of the economic loss rule . Although there is significant variation state to state, the ELR generally bars negligence claims for economic damages unless they result from injury to person or property. Often courts find its application to be particularly appropriate when the parties’ relationship is governed by a contract. Merchants almost universally assert the ELR as a defense to the financial institutions’ claims, arguing that the reimbursement costs are purely economic damages, and therefore not recoverable on a negligence theory, while the financial institutions focus their efforts on fitting into an exception to the ELR. For example, financial institutions often argue that the merchants owed them a duty independent from a contract or that they suffered property damage.[10]
In data breach cases, courts are becoming increasingly aware of the contracts financial institution plaintiffs use to issue payment cards, as well as the card brand recovery process and the implications of the ELR. Two recent decisions addressed these issues head on and held, among other things, that the applicable states’ ELRs barred the financial institution plaintiffs’ negligence-based claims, revealing the cracks in the financial institutions’ theories at the early motion to dismiss stage.[11]
These courts found that the financial institutions are engaged in an interconnected web of contracts, which not only provide the sole source of duty, but also adequately compensate plaintiffs for any losses.[12] These two decisions will make it harder for financial institution plaintiffs to survive early dismissal and may stem the growing tide of financial institution litigation.
First, in SELCO Community Credit Union v. Noodles & Company, the district court rejected the financial institutions’ attempt to bring negligence and negligence per se claims based on failure to adhere industry standards (i.e., PCI-DSS standards). There, the court found that no exception to the ELR applied — dooming any merchant liability — because the plaintiffs were already engaged in a risk-allocation system from the interrelated web of contracts.
Just last month, the Seventh Circuit Court of Appeals reached the same conclusion. In Community Bank of Trenton v. Schnuck Markets Inc., the Seventh Circuit dismissed the plaintiffs’ negligence claims, refusing to provide additional recovery simply “because they are disappointed by the reimbursement they received through the contractual card payment systems they joined voluntarily.” As with SELCO, the Schnuck court determined that the financial institutions “and Schnucks all participate in a network of contracts that tie together all the participants in the card payment system.” The court rejected, without the need of extensive discussion, any argument that the “property damage” exception — or any other exception for that matter — would apply to the plaintiffs’ claims.
But the Schnuck court did not stop with the ELR. The court determined that Missouri and Illinois, the states whose laws applied, would not recognize a duty to safeguard data in the first instance because Missouri and Illinois made conscious decisions to only require notice in the event of a data breach, when they certainly could have created a legal duty if they so desired.[13] The financial institutions’ negligence per se claims faced a similar fate when the court dismissed their “underdeveloped” reference to a violation of the Federal Trade Commission Actbecause the plaintiffs could not point to any FTC or court interpretations extending the FTC Act to financial institutions in a merchant data breach.[14]
In addition, the court affirmed dismissal of the consumer protection claims. The court concluded that the financial institutions’ allegation that Schnuck failed to implement and maintain reasonable payment card data security measures was insufficient to state an unfair practice claim under the Illinois Consumer Fraud and Deceptive Business Practices Act. The court further found that the financial institutions’ Illinois Personal Information Protection Act claim failed because the financial institutions failed to explain whether and how the merchant’s conduct might fall under the statute rather than one of its exceptions.
While financial institution litigation has become common immediately following a data breach, the Schnuck and SELCO decisions evidence perhaps the start of a growing trend among courts to disallow claims that some courts have viewed as an attempt to get a second bite at the recovery apple by receiving damages in addition to compensation through the card brand recovery process. These courts’ unwillingness to allow these claims could reduce the volume of financial institution litigation moving forward.
________________________________________
Donald Houser is a partner and Ashley Miller is an associate at Alston & Bird LLP.
The opinions expressed are those of the author(s) and do not necessarily reflect the views of the firm or Portfolio Media Inc., or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.
[1] Under Armour Says Data Breach Affected About 150 Million MyFitnessPal Accounts, CNBC, available at https://www.cnbc.com/2018/03/29/under-armour-stock-falls-after-company-admits-data-breach.html; Sonic Drive-In Hit by Security Breach, USA Today, available at https://www.usatoday.com/story/tech/2017/09/27/sonic-drive-hit-security-breach/708850001/; Chipotle Says Hackers Hit Most Restaurants in Data Breach, Reuters, available at https://www.reuters.com/article/us-chipotle-cyber/chipotle-says-hackers-hit-most-restaurants-in-data-breach-idUSKBN18M2BY.
[2] Cyber Incident & Breach Trends Report, Online Trust Alliance, available at https://otalliance.org/system/files/files/initiative/documents/ota_cyber_incident_trends_report_jan2018.pdf.
[3] Id.
[4] Data Privacy and Security Trends for 2018, Security Industry Association, available at https://www.securityindustry.org/wp-content/uploads/2018/01/SIA_DATA_PRIVACY_WHITEPAPER_WEB.pdf
[5] E.g., Bellwether Community Credit Union v. Chipotle Mexican Grill, Inc., No. 1:17-cv-01102, Doc. No. 1 (D. Colo. May 4, 2017)
[6] See id.; Veridian Credit Union v. Eddie Bauer LLC, No. 2:17-cv-00356 (W.D. Wash. Mar. 7, 2017); Midwest AM. Fed. Credit Union v. Arby’s Restaurant Group, No. 1:17-cv-00514 (N.D. Ga. Feb. 10, 2017); SELCO Community Credit Union v. Noodles & Company, No. 1:16-cv-02247 (D. Colo. Sept. 6, 2016).
[7] SELCO, 267 F. Supp. 3d 1288, 1296-97 (D. Colo. 2017).
[8] Id.
[9] See generally Community Bank of Trenton v. Schnuck Markets, Inc., 887 F.3d 803 (7th Cir. Apr. 11, 2018); SELCO, 267 F. Supp. 3d 1288.
[10] See Schnuck, 887 F.3d at 813; SELCO 267 F. Supp. 3d at 1295.
[11] See generally Schnuck, 887 F.3d 803; SELCO, 267 F. Supp. 3d 1288.
[12] Schnuck, 887 F.3d at 815; SELCO, 267 F. Supp. 3d at 1295.
[13] Id. at 816-18.
[14] Id. at 819 n.7. As detailed above, the financial institution plaintiffs do not raise standard breach of contract claims, but, as in Schnuck, they do occasionally attempt “quasi-contractual” claims. The court also affirmed dismissal of the plaintiffs’ implied contract claims, concluding that neither Illinois nor Missouri recognizes implied contracts or unjust enrichment when written agreements define the relationship, rights and remedies, and neither state would recognize a third-party beneficiary claim in this context. See id. at 819-21.