
Community Bank of Trenton v. Schnuck Markets, Inc.

United States Court of Appeals, Seventh Circuit

April 11, 2018

Community Bank of Trenton, et al., Plaintiffs-Appellants,
v.
Schnuck Markets, Inc., Defendant-Appellee.

          Argued January 10, 2018

          Appeal from the United States District Court for the Southern District of Illinois. No. 15-cv-1125 - Michael J. Reagan, Chief Judge.

          Before Wood, Chief Judge, Hamilton, Circuit Judge, and Bucklo, District Judge. [*]

          Hamilton, Circuit Judge.

         In late 2012, hackers infiltrated the computer networks at Schnuck Markets, a large Midwestern grocery store chain based in Missouri and known as "Schnucks." The hackers stole the data of about 2.4 million credit and debit cards. By the time the intrusion was detected and the data breach was announced in March 2013, the financial losses from unauthorized purchases and cash withdrawals had reached into the millions. Litigation ensued.

         Like many other recent cases around the country, this case involves a massive consumer data breach. See, e.g., Lewert v. P.F. Chang's China Bistro, Inc., 819 F.3d 963 (7th Cir. 2016); Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688 (7th Cir. 2015). Unlike most other data-breach cases, however, the proposed class of plaintiffs in this case is comprised not of consumers but of financial institutions. Card-issuing banks and credit unions are required by federal law to indemnify their card-holding customers for losses from fraudulent activity, so our four plaintiff-appellant banks here bore the costs of reissuing cards and indemnifying the Schnucks hackers' fraud. See 15 U.S.C. § 1643(a) (limiting credit-cardholder liability for unauthorized use); 12 C.F.R. § 205.6 (limiting debit-card-holder liability for unauthorized use). The Article III standing and injury issues that arose in Lewert, Remijas, and many other data-breach cases with consumer plaintiffs are not issues in this case.

         The principal issues in this case present fairly new variations on the economic loss rule in tort law. The central issue is whether Illinois or Missouri tort law offers a remedy to card-holders' banks against a retail merchant who suffered a data breach, above and beyond the remedies provided by the network of contracts that link merchants, card-processors, banks, and card brands to enable electronic card payments. The plaintiff banks assert claims under the common law as well as Illinois consumer protection statutes. Our role as a federal court applying state law is to predict how the states' supreme courts would likely resolve these issues. We predict that both states would reject the plaintiff banks' search for a remedy beyond those established under the applicable networks of contracts. Accordingly, we affirm the district court's dismissal of the banks' complaint.

         I. Factual Background and Procedural History

         A. Today's Electronic Payment Card System

         When a customer uses a credit or debit card at a retail store, the merchant collects the customer's information. This includes the card-holder's name and account number, the card's expiration date and security code, and, in the case of a debit card, the personal identification number. Collectively, this payment card information is known as "track data." At the time of purchase, the track data and the amount of the intended purchase are forwarded electronically to the merchant's bank (the "acquiring bank"), usually through a payment processing company. The acquiring bank then requests payment from the customer's bank (the "issuing bank") through the relevant card network - in this case, Visa or MasterCard. If the issuing bank approves the purchase, the transaction goes through within seconds. The customer's issuing bank then pays the merchant's acquiring bank the amount of the customer's purchase, which is credited to the merchant's account, minus processing fees. Contracts govern all of these relationships, although typically no contracts directly link the merchant (e.g., Schnucks) with the issuing banks (our four plaintiffs here). Here is a simplified diagram of this series of relationships:

         The Card Payment System

         (Image Omitted)

         In this case, Schnucks routed customer track data through a payment processor, First Data Merchant Services, to its acquiring bank, Citicorp. Citicorp then routed customer track data through the card networks to the issuing banks (plaintiffs here), who approved purchases and later collected payments from their customers, the card-holders. This web of contractual relationships facilitates the dotted line above: the familiar retail purchase by a customer from a merchant. Because Schnucks was the weak security link in this regime, the plaintiff banks seek to recover directly from Schnucks itself, a proposed line of liability represented by the dashed line above. This new form of liability would be in addition to the remedies already provided by the contracts governing the card payment systems.

         B. The Contracts that Enable the Card Payment System

         All parties in the card payment system agree to take on certain responsibilities and to subject themselves to specified contractual remedies. In joining the card payment system, issuing banks - including our plaintiffs here - agree to indemnify their customers in the event that a data breach anywhere in the network results in unauthorized transactions.[1] Visa requires issuers to "limit the Cardholder's liability to zero" when a customer timely notifies them of unauthorized transactions. Appellee App. at 99-100 (§ 4.1.13.3). MasterCard has the same requirement. Id. at 107 (§ 6.3).

         For their parts, acquiring banks and their agents must abide by data security requirements. Id. at 102. As a merchant, Schnucks also agreed to abide by data security requirements in the contracts linking it to the card payment system. Id. at 54, 58, 70-72, 73. These data security rules are called the Payment Card Industry Data Security Standards or "PCI DSS." In their contracts, Schnucks, its bank, and its data processor effectively agreed to share resulting liabilities from any data breaches. Id. at 53-54, 70-71, 73 (Master Services Agreement §§ 4, 5.4; Bankcard Addendum §§ 23, 25, 28); see also Schnuck Markets, Inc. v. First Data Merchant Services Corp., 852 F.3d 732, 735, 737-39 (8th Cir. 2017) ("First Data") (interpreting § 5.4 in light of this data breach at Schnucks). As we explain below, the specific details of these contractual remedies do not matter here. What is important is that they exist at all, by agreements among the interested parties.

         When a retailer or other party in the card payment system suffers a data breach, issuing banks must bear the cost, at least initially, of indemnifying their customers for unauthorized transactions and issuing new cards. The contracts that govern both the Visa and MasterCard networks then provide a cost recovery process that allows issuing banks to seek reimbursement for at least some of these losses. See Appellee App. at 102 (Visa), 110 (MasterCard). Schnucks agreed to follow card network "compliance requirements" for data security and to pay "fines" for noncompliance. Id. at 70. Our colleagues in the Eighth Circuit later read Schnucks' contract with its data processor and acquiring bank to include significant limits on Schnucks' share of the liability for losses of issuing banks. See First Data, 852 F.3d at 736, 737-39 (holding that contractual limit on liability favoring Schnucks applied to limit liabilities resulting from this data breach).[2]

         C. The Schnucks Data Breach and Response

         In early December 2012, hackers gained access to Schnucks' computer network in Missouri and installed malicious software (known as "malware") on its system. This malware harvested track data from the Schnucks system while payment transactions were being processed. As soon as payment cards were swiped at a Schnucks store and the unencrypted payment card information went from the card reader into the Schnucks system for payment, customer information was available for harvesting. The breach affected 79 of Schnucks' 100 stores in the Midwest, many of which are located in Missouri and Illinois, the states whose laws we consider here.

         For the next four months, hackers harvested and sold customer track data, which were used to create counterfeit cards and to make unauthorized cash withdrawals, including from the plaintiff banks. Schnucks says it did not learn of the breach until March 14, 2013, when it heard from its card payment processor. A few days later, an outside consultant quickly identified the source of the problem. On March 30, Schnucks issued a press release announcing the data breach.

         The plaintiff banks estimate that for every day the data breach continued, approximately 20,000 cards may have been compromised. This means around 2.4 million cards in total were at risk from the Schnucks breach. Given this rate, plaintiffs estimate that more than 300,000 cards may have been compromised between March 14 and March 30, after Schnucks knew that security had been breached but before it announced that fact publicly. The plaintiff banks allege that numerous security steps could have prevented the breach and that those steps are required by the card network rules.[3] In fact, under the networks' contractual provisions, the card networks later assessed over $1.5 million in reimbursement charges and fees against Schnucks, which eventually split that liability with its card processor and acquiring bank. Brief for Appellants at 4, First Data, 852 F.3d 732 (8th Cir. 2017) (No. 15-3804), 2016 WL 284697, at *4; see also First Data, 852 F.3d at 735-36 (describing card networks' expectations, assessments, and resulting litigation).

         D. The Banks' Lawsuit

         The plaintiff banks, which may or may not have received some of those reimbursement funds, filed a lawsuit in 2014 seeking to be made whole directly by Schnucks. The banks dismissed their first complaint voluntarily and then filed this action in the Southern District of Illinois in October 2015. They amended their complaint in October 2016. The banks contend that despite the existence of the contractual remedies, issuing banks "cannot always recoup the reimbursed fraudulent charges" and must pay other fees and bear card reissuing costs, which these banks seek to recover from Schnucks. Appellants' Br. at 11.[4]

         In effect, the banks seek reimbursement for their losses above and beyond the remedies provided under the card network contracts. They say their losses include employee time to investigate and resolve fraud claims, payments to indemnify customers for fraudulent charges, and lost interest and transaction fees on account of changes in customer card usage. Plaintiffs estimate their damages in the tens of millions of dollars, placing this lawsuit in the same league as some others between financial institutions and breached retail merchants. See David L. Silverman, Developments in Data Security Breach Liability, 72 Bus. Law. 185, 185 (Winter 2016-17) (discussing three recent data breach cases settled by retail merchants for more than $15 million, including attorney fees).

         In a thorough order, the district court dismissed all of the plaintiff banks' claims against Schnucks. No. 15-cv-01125-MJR, 2017 WL 1551330, at *1-2 (S.D. Ill. May 1, 2017). Jurisdiction was secure under the Class Action Fairness Act. The proposed plaintiff class of banks includes both Illinois and Missouri citizens; Schnucks is a citizen of Missouri; and the matter in controversy exceeds $5 million. See 28 U.S.C. § 1332(d)(2). The parties agreed that both Illinois and Missouri laws apply, given the proposed plaintiff class. None of the plaintiff banks' claims made it past the pleadings. The complaint was dismissed for failing to state a plausible claim under any of the banks' theories.

         II. Analysis

         A. Standard of Review

         We review de novo the dismissal of a complaint for failure to state a claim under Rule 12(b)(6), accepting plaintiffs' factual allegations as true and drawing all permissible inferences in the plaintiffs' favor. West Bend Mut. Insurance Co. v. Schumacher, 844 F.3d 670, 675 (7th Cir. 2016). A plaintiff must, however, "provide more than mere labels and conclusions" and must go beyond "a formulaic recitation of the elements of a cause of action for her complaint to be considered adequate." Id., quoting Bell v. City of Chicago, 835 F.3d 736, 738 (7th Cir. 2016). A party must also "proffer some legal basis to support his cause of action" and cannot expect either the district court or this court to "invent legal arguments" on his behalf. County of McHenry v. Insurance Co. of the West, 438 F.3d 813, 818 (7th Cir. 2006), quoting Stransky v. Cummins Engine Co., 51 F.3d 1329, 1335 (7th Cir. 1995).

         B. Common Law Claims

         1. Framing the Analysis

         The plaintiff banks' substantive claims all arise under state law, but the relevant state courts have not addressed the specific questions we face. Under Erie Railroad Co. v. Tompkins, 304 U.S. 64 (1938), our role in deciding these questions of state law is to predict how the highest courts of the respective states would answer them. In re Zimmer, NexGen Knee Implant Products Liability Litig., 884 F.3d 746, 751 (7th Cir. 2018); Cannon v. Burge, 752 F.3d 1079, 1091 (7th Cir. 2014). We are to take into account trends in a state's intermediate appellate decisions, see In re Zimmer, 884 F.3d at 751, but the focus is always a prediction about the state's highest court. See Santa's Best Craft, LLC v. St. Paul Fire & Marine Insurance Co., 611 F.3d 339, 349 n.6 (7th Cir. 2010), citing Taco Bell Corp. v. Continental Cas. Co., 388 F.3d 1069, 1077 (7th Cir. 2004) (concerned with making a "reliable prediction of how the Supreme Court of Illinois would rule"). In predicting state law in the relevant states, we try to avoid simply grafting abstract hornbook law principles onto the particular fact pattern in front of us, see NLRB v. Int'l Measurement & Control Co., 978 F.2d 334, 339 (7th Cir. 1992) (refusing to defer to agency's prediction of state law based on "blackletter terms" without citing state court decisions), but we can look to well-reasoned decisions in other jurisdictions for guidance.

         To frame the issues, we begin by examining the economic loss doctrine in commercial litigation. For more than fifty years, state courts have generally refused to recognize tort liabilities for purely economic losses inflicted by one business on another where those businesses have already ordered their duties, rights, and remedies by contract. The reason for this rule is that "liability for purely economic loss … is more appropriately determined by commercial rather than tort law," i.e., by the system of rights and remedies created by the parties themselves. Indianapolis-Marion County Public Library v. Charlier Clark & Linard, P.C., 929 N.E.2d 722, 729 (Ind. 2010), citing Miller v. U.S. Steel Corp., 902 F.2d 573, 574 (7th Cir. 1990) ("tort law is a superfluous and inapt tool for resolving purely commercial disputes" whose risks are better allocated by the contracting parties themselves than by judges), and citing Seely v. White Motor Co., 403 P.2d 145 (Cal. 1965). "The issue" in these cases "is not causation; it is duty," in the sense that tort law generally does not supply additional liabilities on top of specified contractual remedies. Rardin v. T & D Machine Handling, Inc., 890 F.2d 24, 26, 27-28 (7th Cir. 1989) (applying Illinois law).

         Courts invoking the economic loss rule trust the commercial parties interested in a particular activity to work out an efficient allocation of risks among themselves in their contracts. Courts "see no reason to intrude into the parties' allocation of the risk" when bargaining should be sufficient to protect the parties' interests, and where additional tort law remedies would act as something of a wild card to upset their expectations. East River S.S. Corp. v. Transamerica Delaval Inc., 476 U.S. 858, 872-73, 875-76 (1986) (adopting economic loss rule in admiralty cases); see also Sovereign Bank v. BJ's Wholesale Club, Inc., 533 ...

