Payment Card Rules v. PCI DSS: District Court Opens the Door to Potential Data Breach Tort Liability Based on Common Law Duties and Section 5 of the FTC Act
CPW has been covering data breach litigations for some time (as a reminder of recent rulings of significance, check out our prior posts here and here). This includes In Re: Wawa, Inc. Data Security Litigation and key related cases back in November and January. On Thursday, the U.S. District Court for the Eastern District of Pennsylvania issued its long-awaited opinion, granting in part and denying in part a motion to dismiss filed by Wawa, a convenience store chain, stemming from a class action lawsuit filed against it by a group of credit unions following an alleged data breach. Read on to learn how it went down and what it may mean for other data breach litigations.
The court held that it was “persuaded by [plaintiffs’] contention that Pennsylvania law, post-Dittman, imparts on companies an independent duty to reasonably secure their payment systems,” thereby rejecting application of Illinois and Missouri’s broad economic loss doctrine. While the court held that this novel theory sufficed to plead a “plausible negligence claim” tied to the Payment Card Industry Data Security Standard (PCI DSS), it acknowledged “the potential dispositive effect” of Wawa’s argument that the “Payment Card Rules” place contractual limits on plaintiffs’ rights and remedies. Additionally, plaintiffs submitted the novel question of whether Section 5 of the FTC Act may serve as a predicate for a negligence per se claim under Pennsylvania law.
With regard to plaintiffs’ negligence claim, Wawa argued that the “Payment Card Rules” set forth the rights and responsibilities of network participants, such as plaintiffs. In support of this argument, Wawa attached several exhibits from Visa and Mastercard, which the court deemed admissible at the motion to dismiss stage due to plaintiffs’ indirect references to these rules throughout their complaint. In response, plaintiffs maintained that by affirmatively choosing to accept payment cards, Wawa assumed a common law duty to safeguard any data gleaned from those transactions from the foreseeable harm that would result in the event of a breach. To succeed on this theory, plaintiffs will need to prove the following four elements:
(1) a duty or obligation recognized by the law, requiring the actor to conform to a certain standard of conduct for the protection of others against unreasonable risks; (2) a failure to conform to the standard required; (3) a causal connection between the conduct and the resulting injury; and (4) actual loss or damage resulting in harm to the interests of another.
In relation to these elements, plaintiffs allege:
(1) Wawa had a fundamental common law duty to protect sensitive cardholder information; (2) Wawa failed to secure its payment system terminals and created a risk of foreseeable harm to the Institutions; (3) the Institutions received an alert from Visa and Mastercard identifying specific payment cards that were compromised in the Wawa data breach; and (4) the Institutions were forced to incur significant costs associated with mitigating the impact of the breach.
The court held that, with regard to the fourth element, Wawa’s contention that plaintiffs cannot prove causation due to “numerous breaches” at other stores is not appropriate for resolution at the motion to dismiss stage.
Plaintiffs’ second cause of action for negligence per se alleges that Wawa violated Section 5 of the FTC Act, which prohibits “unfair or deceptive acts or practices in or affecting commerce.” The court held that under Pennsylvania law, negligence per se is not a separate cause of action and, even if it were, plaintiffs would have difficulty establishing the final element of negligence per se, which requires a showing that the FTC Act was designed, at least in part, to protect plaintiffs individually, as opposed to the public as a whole. Moreover, Wawa argues that Section 5 of the FTC Act does not provide a private right of action. The court deferred ruling on this question.
Lastly, plaintiffs seek a declaratory judgment of rights and injunctive relief requiring Wawa to employ adequate security protocols for its payment systems moving forward. In response, Wawa argued that the court should dismiss these claims as duplicative. The court held that while it may ultimately agree with Wawa that this cause of action is inappropriate, dismissal at this stage would be premature, as it would curtail the court’s broad equitable powers to fashion the most complete relief possible.
One thing is clear from these holdings: Wawa is poised to have a major impact on data privacy litigations, especially with regard to the novel intersection with, and interpretations of, Pennsylvania tort law. For more on this, stay tuned. CPW will be there.