A federal appellate court upheld a lower court’s ruling that banks whose customers’ information was compromised in a grocery store data breach cannot recover losses directly from the retailer.
The data breach occurred in 2012 at Schnuck Markets in Illinois and Missouri. Hackers stole the data of about 2.4 million credit and debit card customers. By the time the breach was identified and announced four months later, losses had reached the millions.
In a unique twist on data breach litigation, Schnucks found itself sued not by its customers, but by their banks. Four card-issuing banks brought a class action in federal court in the Southern District of Illinois in East St. Louis, to try and recover their losses due to the breach from Schnucks.
John J. Driscoll
| The Driscoll Firm
The case eventually landed before a three-judge panel of the U.S. Seventh Circuit Court of Appeals, which heard arguments in the case in January and issued an opinion April 11. The court’s opinion was written by U.S. Seventh Circuit Court of Appeals Circuit Judge David F. Hamilton. Seventh Circuit Chief Judge Diane P. Wood and U.S. District Judge Elaine E. Bucklo concurred.
“The principal issues in this case present fairly new variations on the economic loss rule in tort law,” the appellate judges wrote. “Our role as a federal court applying state law is to predict how the states’ supreme courts would likely resolve these issues.”
The plaintiffs sued under Missouri and Illinois state law, and the court predicted both states would reject the arguments, upholding the district court’s dismissal of the complaint.
Retailers and customer banks are linked in the card payment system through a complex network of contracts, but they do not contract directly with one another. When a customer uses a bank-issued credit or debit card at a retail merchant, the data goes through a payment processor to an acquiring bank, which routes the data through the card network, such as Visa, to the customer’s bank. Each level in this system is represented by contractual relationships in which both sides agree to certain responsibilities and liabilities.
These contracts require merchants and banks to adhere to the Payment Card Industry Data Security Standards (PCI DSS). In their contracts, Schnucks, its bank and its data processor agreed to share liability in any data breach. Schnucks agreed to follow compliance requirements for data security and pay fines for noncompliance. In the 2012 breach, Schnucks was assessed more than $1.5 million in reimbursement charges and fees, which it eventually split with its card processor and bank.
In 2014, the plaintiff banks sued seeking to be made whole directly by Schnucks. They contended that despite contractual remedies, they still suffered losses in fraudulent charges, fees and card reissuing costs. The district court dismissed all of the banks’ claims for failing to state a plausible claim.
On review, the appellate court noted that the details of the contractual remedies are not important – what is important is that they exist.
“All parties involved in the complicated network of contracts that establish the card payment system have voluntarily decided to participate and to accept responsibility for the risks inherent in their participation,” the court wrote. “That includes at least some risk of not being fully reimbursed for the costs of another party’s mistake.”
The court wrote that the plaintiffs made no effort to explain how the existing system of contracts is inadequate, but essentially ask the court “to predict the recognition of new theories of state tort liability.”
“The plaintiff banks are disappointed in the amounts the card networks’ contractual reimbursement process provided,” the court wrote. “That type of tort claim is not permitted.”
Plaintiffs were represented in the action by attorneys Richard L. Coffman and Mitchell A Toups, each of Beaumont, Texas; and John J. Driscoll and Christopher J. Quinn, of the Driscoll Firm, of St. Louis.
Schnucks is defended by attorneys Daniel R Warren, Sam A. Camardo and James A. Slater, of the firm of Baker & Hostetler, of Cleveland; and Russell K. Scott, of the firm of Greensfelder, Hemker & Gale PC, of downstate Swansea.