January 10, 2018
Appeal from the United States District Court for the Southern
District of Illinois. No. 15-cv-1125 - Michael J. Reagan,
Before Wood, Chief Judge, Hamilton, Circuit Judge, and Bucklo,
District Judge. [*]
Hamilton, Circuit Judge.
In 2012, hackers infiltrated the computer networks at Schnuck
Markets, a large Midwestern grocery store chain based in
Missouri and known as "Schnucks." The hackers stole
the data of about 2.4 million credit and debit cards. By the
time the intrusion was detected and the data breach was
announced in March 2013, the financial losses from
unauthorized purchases and cash withdrawals had reached into
the millions. Litigation ensued.
Like many other recent cases around the country, this case
involves a massive consumer data breach. See, e.g.,
Lewert v. P.F. Chang's China Bistro, Inc., 819
F.3d 963 (7th Cir. 2016); Remijas v. Neiman Marcus Group,
LLC, 794 F.3d 688 (7th Cir. 2015). Unlike most other
data-breach cases, however, the proposed class of plaintiffs
in this case is comprised not of consumers but of financial
institutions. Card-issuing banks and credit unions are
required by federal law to indemnify their card-holding
customers for losses from fraudulent activity, so our four
plaintiff-appellant banks here bore the costs of reissuing
cards and indemnifying the Schnucks hackers' fraud. See
15 U.S.C. § 1643(a) (limiting credit-cardholder
liability for unauthorized use); 12 C.F.R. § 205.6
(limiting debit-card-holder liability for unauthorized use).
The Article III standing and injury issues that arose in
Lewert, Remijas, and many other data-breach
cases with consumer plaintiffs are not issues in this case.
The principal issues in this case present fairly new variations
on the economic loss rule in tort law. The central issue is
whether Illinois or Missouri tort law offers a remedy to
card-holders' banks against a retail merchant who
suffered a data breach, above and beyond the remedies
provided by the network of contracts that link merchants,
card-processors, banks, and card brands to enable electronic
card payments. The plaintiff banks assert claims under the
common law as well as Illinois consumer protection statutes.
Our role as a federal court applying state law is to predict
how the states' supreme courts would likely resolve these
issues. We predict that both states would reject the
plaintiff banks' search for a remedy beyond those
established under the applicable networks of contracts.
Accordingly, we affirm the district court's dismissal of
the banks' complaint.
Factual Background and Procedural History
Today's Electronic Payment Card System
When a customer uses a credit or debit card at a retail store, the
merchant collects the customer's information. This
includes the card-holder's name and account number, the
card's expiration date and security code, and, in the
case of a debit card, the personal identification number.
Collectively, this payment card information is known as
"track data." At the time of purchase, the track
data and the amount of the intended purchase are forwarded
electronically to the merchant's bank (the
"acquiring bank"), usually through a payment
processing company. The acquiring bank then requests payment
from the customer's bank (the "issuing bank")
through the relevant card network - in this case, Visa or
MasterCard. If the issuing bank approves the purchase, the
transaction goes through within seconds. The customer's
issuing bank then pays the merchant's acquiring bank the
amount of the customer's purchase, which is credited to
the merchant's account, minus processing fees. Contracts
govern all of these relationships, although typically no
contracts directly link the merchant (e.g., Schnucks) with
the issuing banks (our four plaintiffs here). Here is a
simplified diagram of this series of relationships:
[Diagram: Card Payment System]
In this case, Schnucks routed customer track data through a payment
processor, First Data Merchant Services, to its acquiring
bank, Citicorp. Citicorp then routed customer track data
through the card networks to the issuing banks (plaintiffs
here), who approved purchases and later collected payments
from their customers, the card-holders. This web of
contractual relationships facilitates the dotted line above:
the familiar retail purchase by a customer from a merchant.
Because Schnucks was the weak security link in this regime,
the plaintiff banks seek to recover directly from Schnucks
itself, a proposed line of liability represented by the
dashed line above. This new form of liability would be in
addition to the remedies already provided by the contracts
governing the card payment systems.
The Contracts that Enable the Card Payment System
Parties in the card payment system agree to take on certain
responsibilities and to subject themselves to specified
contractual remedies. In joining the card payment system,
issuing banks - including our plaintiffs here - agree to
indemnify their customers in the event that a data breach
anywhere in the network results in unauthorized
transactions. Visa requires issuers to "limit the
Cardholder's liability to zero" when a customer
timely notifies them of unauthorized transactions. Appellee
App. at 99-100 (§ 22.214.171.124). MasterCard has the same
requirement. Id. at 107 (§ 6.3).
For their parts, acquiring banks and their agents must abide by
data security requirements. Id. at 102. As a
merchant, Schnucks also agreed to abide by data security
requirements in the contracts linking it to the card payment
system. Id. at 54, 58, 70-72, 73. These data
security rules are called the Payment Card Industry Data
Security Standards or "PCI DSS." In their
contracts, Schnucks, its bank, and its data processor
effectively agreed to share resulting liabilities from any
data breaches. Id. at 53-54, 70-71, 73 (Master
Services Agreement §§ 4, 5.4; Bankcard Addendum
§§ 23, 25, 28); see also Schnuck Markets, Inc.
v. First Data Merchant Services Corp., 852 F.3d 732,
735, 737-39 (8th Cir. 2017) ("First Data")
(interpreting § 5.4 in light of this data breach at
Schnucks). As we explain below, the specific details of these
contractual remedies do not matter here. What is important is
that they exist at all, by agreements among the interested
When a retailer or other party in the card payment system suffers a
data breach, issuing banks must bear the cost, at least
initially, of indemnifying their customers for unauthorized
transactions and issuing new cards. The contracts that govern
both the Visa and MasterCard networks then provide a cost
recovery process that allows issuing banks to seek
reimbursement for at least some of these losses. See Appellee
App. at 102 (Visa), 110 (MasterCard). Schnucks agreed to
follow card network "compliance requirements" for
data security and to pay "fines" for noncompliance.
Id. at 70. Our colleagues in the Eighth Circuit
later read Schnucks' contract with its data processor and
acquiring bank to include significant limits on Schnucks'
share of the liability for losses of issuing banks. See
First Data, 852 F.3d at 736, 737-39 (holding that
contractual limit on liability favoring Schnucks applied to
limit liabilities resulting from this data
The Schnucks Data Breach and Response
In early December 2012, hackers gained access to Schnucks'
computer network in Missouri and installed malicious software
(known as "malware") on its system. This malware
harvested track data from the Schnucks system while payment
transactions were being processed. As soon as payment cards
were swiped at a Schnucks store and the unencrypted payment
card information went from the card reader into the Schnucks
system for payment, customer information was available for
harvesting. The breach affected 79 of Schnucks' 100
stores in the Midwest, many of which are located in Missouri
and Illinois, the states whose laws we consider here.
Over the next four months, hackers harvested and sold customer track
data, which were used to create counterfeit cards and to make
unauthorized cash withdrawals, including from the plaintiff
banks. Schnucks says it did not learn of the breach until
March 14, 2013, when it heard from its card payment
processor. A few days later, an outside consultant quickly
identified the source of the problem. On March 30, Schnucks
issued a press release announcing the data breach.
The plaintiff banks estimate that for every day the data breach
continued, approximately 20,000 cards may have been
compromised. This means around 2.4 million cards in total
were at risk from the Schnucks breach. Given this rate,
plaintiffs estimate that more than 300,000 cards may have
been compromised between March 14 and March 30, after
Schnucks knew that security had been breached but before it
announced that fact publicly. The plaintiff banks allege that
numerous security steps could have prevented the breach and
that those steps are required by the card network
rules. In fact, under the networks'
contractual provisions, the card networks later assessed over
$1.5 million in reimbursement charges and fees against
Schnucks, which eventually split that liability with its card
processor and acquiring bank. Brief for Appellants at 4,
First Data, 852 F.3d 732 (8th Cir. 2017) (No.
15-3804), 2016 WL 284697, at *4; see also First
Data, 852 F.3d at 735-36 (describing card networks'
expectations, assessments, and resulting litigation).
The Banks' Lawsuit
The plaintiff banks, which may or may not have received some of
those reimbursement funds, filed a lawsuit in 2014 seeking to
be made whole directly by Schnucks. The banks dismissed their
first complaint voluntarily and then filed this action in the
Southern District of Illinois in October 2015. They amended
their complaint in October 2016. The banks contend that
despite the existence of the contractual remedies, issuing
banks "cannot always recoup the reimbursed fraudulent
charges" and must pay other fees and bear card reissuing
costs, which these banks seek to recover from Schnucks.
Appellants' Br. at 11.
In effect, the banks seek reimbursement for their losses above
and beyond the remedies provided under the card network
contracts. They say their losses include employee time to
investigate and resolve fraud claims, payments to indemnify
customers for fraudulent charges, and lost interest and
transaction fees on account of changes in customer card
usage. Plaintiffs estimate their damages in the tens of
millions of dollars, placing this lawsuit in the same league
as some others between financial institutions and breached
retail merchants. See David L. Silverman, Developments in
Data Security Breach Liability, 72 Bus. Law. 185, 185
(Winter 2016-17) (discussing three recent data breach cases
settled by retail merchants for more than $15 million,
including attorney fees).
In a thorough order, the district court dismissed all of the
plaintiff banks' claims against Schnucks. No.
15-cv-01125-MJR, 2017 WL 1551330, at *1-2 (S.D. Ill. May 1,
2017). Jurisdiction was secure under the Class Action
Fairness Act. The proposed plaintiff class of banks includes
both Illinois and Missouri citizens; Schnucks is a citizen of
Missouri; and the matter in controversy exceeds $5 million.
See 28 U.S.C. § 1332(d)(2). The parties agreed that both
Illinois and Missouri laws apply, given the proposed
plaintiff class. None of the plaintiff banks' claims made
it past the pleadings. The complaint was dismissed for
failing to state a plausible claim under any of the
Standard of Review
We review de novo the dismissal of a complaint for
failure to state a claim under Rule 12(b)(6), accepting
plaintiffs' factual allegations as true and drawing all
permissible inferences in the plaintiffs' favor. West
Bend Mut. Insurance Co. v. Schumacher, 844 F.3d 670, 675
(7th Cir. 2016). A plaintiff must, however, "provide
more than mere labels and conclusions" and must go
beyond "a formulaic recitation of the elements of a
cause of action for her complaint to be considered
adequate." Id., quoting Bell v. City of
Chicago, 835 F.3d 736, 738 (7th Cir. 2016). A party must
also "proffer some legal basis to support his cause of
action" and cannot expect either the district court or
this court to "invent legal arguments" on his
behalf. County of McHenry v. Insurance Co. of the
West, 438 F.3d 813, 818 (7th Cir. 2006), quoting
Stransky v. Cummins Engine Co., 51 F.3d 1329, 1335
(7th Cir. 1995).
Common Law Claims
Framing the Analysis
The plaintiff banks' substantive claims all arise under state
law, but the relevant state courts have not addressed the
specific questions we face. Under Erie Railroad Co. v.
Tompkins, 304 U.S. 64 (1938), our role in deciding these
questions of state law is to predict how the highest courts
of the respective states would answer them. In re Zimmer,
NexGen Knee Implant Products Liability Litig., 884 F.3d
746, 751 (7th Cir. 2018); Cannon v.
Burge, 752 F.3d 1079, 1091 (7th Cir. 2014). We are to
take into account trends in a state's intermediate
appellate decisions, see In re Zimmer, 884 F.3d at
751, but the focus is always a prediction about the
state's highest court. See Santa's Best Craft,
LLC v. St. Paul Fire & Marine Insurance Co., 611
F.3d 339, 349 n.6 (7th Cir. 2010), citing Taco Bell Corp.
v. Continental Cas. Co., 388 F.3d 1069, 1077 (7th Cir.
2004) (concerned with making a "reliable prediction of
how the Supreme Court of Illinois would rule"). In
predicting state law in the relevant states, we try to avoid
simply grafting abstract hornbook law principles onto the
particular fact pattern in front of us, see NLRB v.
Int'l Measurement & Control Co., 978 F.2d 334,
339 (7th Cir. 1992) (refusing to defer to agency's
prediction of state law based on "blackletter
terms" without citing state court decisions), but we can
look to well-reasoned decisions in other jurisdictions for
To frame the issues, we begin by examining the economic loss
doctrine in commercial litigation. For more than fifty years,
state courts have generally refused to recognize tort
liabilities for purely economic losses inflicted by one
business on another where those businesses have already
ordered their duties, rights, and remedies by contract. The
reason for this rule is that "liability for purely
economic loss … is more appropriately determined by
commercial rather than tort law," i.e., by the system
of rights and remedies created by the parties themselves.
Indianapolis-Marion County Public Library v. Charlier
Clark & Linard, P.C., 929 N.E.2d 722, 729 (Ind.
2010), citing Miller v. U.S. Steel Corp., 902 F.2d
573, 574 (7th Cir. 1990) ("tort law is a superfluous and
inapt tool for resolving purely commercial disputes"
whose risks are better allocated by the contracting parties
themselves than by judges), and citing Seely v. White
Motor Co., 403 P.2d 145 (Cal. 1965). "The
issue" in these cases "is not causation; it is
duty," in the sense that tort law generally does not
supply additional liabilities on top of specified contractual
remedies. Rardin v. T & D Machine Handling,
Inc., 890 F.2d 24, 26, 27-28 (7th Cir. 1989) (applying
Courts invoking the economic loss rule trust the commercial parties
interested in a particular activity to work out an efficient
allocation of risks among themselves in their contracts.
Courts "see no reason to intrude into the parties'
allocation of the risk" when bargaining should be
sufficient to protect the parties' interests, and where
additional tort law remedies would act as something of a wild
card to upset their expectations. East River S.S. Corp.
v. Transamerica Delaval Inc., 476 U.S. 858, 872-73,
875-76 (1986) (adopting economic loss rule in admiralty
cases); see also Sovereign Bank v. BJ's Wholesale
Club, Inc., 533 ...