The United States Court of Appeals for the Seventh Circuit recently affirmed the dismissal of a putative class action brought by financial institutions against Schnuck Markets, Inc., following a data breach impacting Schnuck beginning in late 2012. The plaintiffs attempted to assert claims of negligence, negligence per se, various contract claims, and violation of Illinois consumer protection laws, alleging damages in the form of employee time to investigate and resolve fraud claims, payments to indemnify customers for fraudulent charges, and lost interest and transaction fees based on changes in customer card usage.
The principal issue in the case centered on interpretation of the economic loss rule (“ELR”), and “whether Illinois or Missouri tort law offers a remedy to card-holders’ banks against a retail merchant who suffered a data breach, above and beyond the remedies provided by the network of contracts that link merchants, card-processors, banks, and card brands to enable electronic card payments.” Community Bank of Trenton v. Schnuck Markets, Inc., No. 17-2146, – F.3d – , 2018 WL 1737126, at *1 (7th Cir. Apr. 11, 2018). The Court of Appeals answered in the negative, concluding that the financial institutions “and Schnucks all participate in a network of contracts that tie together all the participants in the card payment system.” Id. at *7. The Court declined to further the financial institutions’ attempt to obtain additional recovery simply “because they are disappointed by the reimbursement they received through the contractual card payment systems they joined voluntarily.” Id.
The ELR was not the only reason for dismissal of the financial institutions’ negligence claims. The Court additionally concluded that neither Missouri nor Illinois would recognize a common law data security duty. The financial institutions’ negligence per se claims faced a similar fate. The Court concluded that both Illinois and Missouri limited their statutory intervention in data breaches to notice requirements, and the financial institutions’ “underdeveloped” reference to violation of the Federal Trade Commission (“FTC”) Act failed because they could not point to any FTC or court interpretations that extend the FTC Act to financial institutions in merchant data breach cases. Id. at *10 n.7.
The Court swiftly affirmed dismissal of the common law contract claims, concluding that neither Illinois nor Missouri recognizes implied contracts or unjust enrichment where written agreements define the relationship, rights, and remedies, and neither state would recognize a third-party beneficiary claim in this context.
Finally, the Court affirmed dismissal of the consumer protection claims. The Court concluded that the financial institutions’ allegation that Schnuck failed to implement and maintain reasonable payment card data security measures was insufficient to state an unfair practice claim under the Illinois Consumer Fraud and Deceptive Business Practices Act. The Court further found that the financial institutions’ Illinois Personal Information Protection Act claim failed because the financial institutions failed to explain whether and how the merchant’s conduct might fall under the statute rather than one of its exceptions.
The Seventh Circuit’s decision in Schnuck is significant for a number of reasons. The Court’s application of the ELR, including its finding that various exceptions to the ELR were not applicable in a data breach case, suggests that financial institutions will face an uphill battle when asserting a negligence claim in the face of the card brand recovery processes already in place. Moreover, the Seventh Circuit has now joined a growing list of courts concluding that a merchant owes no common law duty to safeguard data.