June 13, 2021

Volume XI, Number 164

June 11, 2021

Payment Card Rules v. PCI DSS: District Court Opens the Door to Potential Data Breach Tort Liability Based on Common Law Duties and Section 5 of the FTC Act

CPW has been covering data breach litigations for some time (as a reminder of recent rulings of significance, check out our prior posts here and here). This includes In Re: Wawa, Inc. Data Security Litigation and key related cases back in November and January. On Thursday, the U.S. District Court for the Eastern District of Pennsylvania issued its long-awaited opinion, granting in part and denying in part a motion to dismiss filed by Wawa, a convenience store chain, stemming from a class action lawsuit filed against it by a group of credit unions following an alleged data breach. Read on to learn how it went down and what it may mean for other data breach litigations.

The court held that it was “persuaded by [plaintiffs’] contention that Pennsylvania law, post-Dittman, imparts on companies an independent duty to reasonably secure their payment systems,” thereby rejecting application of Illinois and Missouri’s broad economic loss doctrine.  While the court held that this novel theory sufficed to plead a “plausible negligence claim” tied to the Payment Card Industry Data Security Standard (PCI DSS), it acknowledged “the potential dispositive effect” of Wawa’s argument that the “Payment Card Rules” place contractual limits on plaintiffs’ rights and remedies.  Additionally, plaintiffs submitted the novel question of whether Section 5 of the FTC Act may serve as a predicate for a negligence per se claim under Pennsylvania law.

With regard to plaintiffs’ negligence claim, Wawa argued that “Payment Card Rules” set forth the rights and responsibilities of network participants, such as plaintiffs. In support of this argument, Wawa attached several exhibits from Visa and Mastercard, which the court deemed admissible at the motion to dismiss stage due to plaintiffs’ indirect references to these rules throughout their complaint. In response, plaintiffs maintained that by affirmatively choosing to accept payment cards, Wawa assumed a common law duty to safeguard any data gleaned from those transactions from the foreseeable harm that would result in the event of a breach. To succeed on this theory, plaintiffs will need to prove the following four elements:

(1) a duty or obligation recognized by the law, requiring the actor to conform to a certain standard of conduct for the protection of others against unreasonable risks; (2) a failure to conform to the standard required; (3) a causal connection between the conduct and the resulting injury; and (4) actual loss or damage resulting in harm to the interests of another.

In relation to these elements, plaintiffs allege:

(1) Wawa had a fundamental common law duty to protect sensitive cardholder information; (2) Wawa failed to secure its payment system terminals and created a risk of foreseeable harm to the Institutions; (3) the Institutions received an alert from Visa and Mastercard identifying specific payment cards that were compromised in the Wawa data breach; and (4) the Institutions were forced to incur significant costs associated with mitigating the impact of the breach.

The court held that, with regard to the fourth element, Wawa’s contention that plaintiffs cannot prove causation due to “numerous breaches” at other stores is not appropriate for resolution at the motion to dismiss stage.

Plaintiffs’ second cause of action for negligence per se alleges that Wawa violated Section 5 of the FTC Act, which prohibits “unfair or deceptive acts or practices in or affecting commerce.”  The court held that under Pennsylvania law, negligence per se is not a separate cause of action and, even if it were, plaintiffs would have difficulty establishing the final element of negligence per se, which requires demonstration that the FTC Act’s purpose be designed, at least in part, to protect plaintiffs individually, as opposed to the public as a whole.  Moreover, Wawa argues that Section 5 of the FTC Act does not provide a private right of action.  The court deferred ruling on this question.

Lastly, plaintiffs seek declaratory judgment of rights and injunctive relief requiring Wawa to employ adequate security protocols for its payment systems moving forward. In response, Wawa argued that the court should dismiss these claims as duplicative. The court held that while it may ultimately agree with Wawa that this cause of action is inappropriate, dismissal at this stage would be premature, as it would curtail the court’s broad equitable powers to fashion the most complete relief possible.

One thing is clear from these holdings: Wawa is poised to have a major impact on data privacy litigations, especially with regard to the novel intersection with, and interpretations of, Pennsylvania tort law. For more on this, stay tuned. CPW will be there.

© Copyright 2021 Squire Patton Boggs (US) LLP
National Law Review, Volume XI, Number 132

About this Author

Donald Thompson Litigation Lawyer Squire Patton Boggs
Associate

Donald Thompson is a litigator in our Washington DC office who focuses his practice on complex commercial litigation matters and government investigations.

Donald represents clients in a wide variety of disputes involving commercial contracts, construction claims, terrorism financing, business torts and fraud. Prior to joining our team, Donald worked as an Insider Trading Investigator for FINRA, where he gained first-hand experience conducting investigations into securities trading surrounding corporate disclosures, such as earnings releases,...

202 457 6530
Kristin L. Bryan Litigation Attorney Squire Patton Boggs Cleveland, OH & New York, NY
Senior Associate

Kristin Bryan is a litigator experienced in the efficient resolution of contract, commercial and complex business disputes, including multidistrict litigation and putative class actions, in courts nationwide.

She has successfully represented Fortune 15 clients in high-stakes cases involving a wide range of subject matters.

As a natural extension of her experience litigating data privacy disputes, Kristin is also experienced in providing business-oriented privacy advice to a wide range of clients, with a particular focus on companies handling customers’ personal data. In this...

216-479-8070