Banks Cannot Skirt Contract Remedies in Data Breach Suit Against Retail Merchant
Attempting to advance a novel theory of law, several banks filed a class action in Illinois federal court against a grocery store chain arising out of a data breach that resulted in the theft of 2.4 million credit and debit cards (Community Bank of Trenton v. Schnuck Markets, Inc.). After the breach, and based on the terms of the credit card user agreements, the banks were required to issue new cards and, as required by federal law, to reimburse their customers for financial losses due to unauthorized purchases. In the suit, the financial institutions sought to recover some of their costs from the grocery store chain that was allegedly responsible for the loss of the data. The Plaintiffs estimated the losses to be in the tens of millions of dollars. As discussed below, the banks were not successful.
The core question in the case was whether any applicable law provided the cardholders' banks with a remedy under tort law against a retail merchant that was the subject of a data breach.
Generally speaking, the credit card-issuing bank, here the Community Bank of Trenton, has contractual relationships with the consumers to whom the cards are issued and with the credit card network, e.g., Visa or Mastercard. The issuing bank does not have a direct relationship with the retail merchant, here Schnuck Markets. From the perspective of a bank such as Community Bank of Trenton, its remedies arise from (a) the contract between it and the consumer, (b) the contract between it and the credit card network, or (c) federal law, which provides limited reimbursement.
Seeking an end run around these relationships, the class of banks invoked common law tort theories to proceed directly against the retail merchant, because no contractual remedy would make them whole for their losses.
The banks claimed in part that the merchant was negligent, not in permitting the breach to occur, but in failing to recognize for months afterward that it had occurred. And once the chain did learn of the breach, another two weeks passed before it was announced publicly. The Plaintiffs alleged that numerous security steps could have prevented the breach and that those steps were required by the credit card network rules (e.g., installing antivirus software, maintaining firewalls, encrypting sensitive data, and implementing two-factor authentication).
Despite seemingly compelling arguments, the Seventh Circuit ultimately upheld the lower court's dismissal of the banks' claims, finding that the banks were bound by the contractual provisions of their agreements. Essentially, the court ruled that by joining the credit card system, the banks accepted some risk of not being fully reimbursed for the costs of another party's mistakes.
With the increasing number of data breaches occurring in every sector of the economy, we can anticipate more and more litigation, including attempts to assert novel theories to recover the significant losses resulting from those breaches.