7th Circuit sides with merchants in data breach case, liability

The number of cases involving consumer data breaches is rapidly growing. Data breaches inflict additional costs on financial institutions, leading those institutions to turn to litigation to recoup their losses from merchants.

In the recent case of Community Bank of Trenton v. Schnuck Markets, No. 17-2146, 2018 WL 1737126 (7th Cir., April 11), the 7th U.S. Circuit Court of Appeals dealt a significant blow to attempts by financial institutions to bring negligence claims against merchants for failing to adequately safeguard their customers’ data.

In 2012, hackers infiltrated Schnuck Markets, a large Midwestern grocery chain, and stole the data of about 2.4 million credit and debit cards. Financial losses from the unauthorized purchases and cash withdrawals made with the stolen data reached into the millions.

Because federal law requires the consumers’ banks to indemnify the consumers for losses incurred as a result of fraudulent activity, four banks brought a class action against Schnucks to recover their losses.

The plaintiff banks had no direct contract with Schnucks and instead resorted to common-law negligence and tort claims, common-law contractual claims and several claims under Illinois statutes.

The 7th Circuit affirmed the lower court’s decision to dismiss all claims. Its decision on the economic loss doctrine bears some discussion. The federal appellate court anticipated that the high courts of both Illinois and Missouri would reject imposing tort liability under these circumstances.

Prefacing its decision with a brief overview of the electronic card payment system and the various contracts between the parties to a credit card transaction, the appellate panel noted that when a consumer makes a purchase using an electronic card, the merchant collects that consumer’s information, known as “track data.”

The track data and amount of the purchase are sent to the merchant’s bank (the “acquiring bank”) through a payment processing company. The acquiring bank then requests payment from the consumer’s bank (the “issuing bank”) through the card network, such as Visa or MasterCard. In this case, the plaintiff banks were issuing banks that provided electronic payment cards to consumers.

This entire process is governed by a series of contracts between the various parties. The issuing banks, in joining the electronic card payment system, agree to indemnify their customers in the event of a data breach.

For example, Visa requires issuing banks to “limit the cardholder’s liability to zero” provided a customer notifies the network within a predetermined time limit. Merchants, like Schnucks, and their acquiring banks agree to abide by certain data security requirements in their contracts with card networks.

When a data breach occurs, issuing banks bear the initial cost of reimbursing their consumers, but contracts with the card networks allow issuing banks to recover some of those losses. The plaintiff banks premised their case on their lack of contractual privity with Schnucks.

Under the economic loss doctrine, state courts generally refuse to recognize that a party is liable under a tort theory for purely economic losses inflicted by one entity on another when the relationship between the two is governed by contract.

The general theory behind the economic loss doctrine is that tort law is designed to provide a remedy for a “sudden calamitous accident as distinct from a mere failure to perform up to commercial expectations.”

In this case, the panel found that the plaintiff banks and Schnucks participated in a network of contracts that tie together the participants in the electronic card payment system.

Schnucks agreed to abide by certain data security standards when entering the card payment system, thereby subjecting itself to certain fines and penalties if it was responsible for a data breach. The plaintiff banks, likewise, agreed to limit the cardholders’ liability to zero in their contracts with the card networks. All parties contractually allocated the risks of incurring losses for which they would not be reimbursed.

The plaintiff banks argued that because they were not bound by a contract directly with Schnucks, the economic loss rule should not apply. The court rejected that theory, holding that “what matters is not the details of the remedies but their existence. Merchants and acquiring banks face the financial cost of data breaches through the card networks’ reimbursement regime.”

As the 7th Circuit noted, its decision aligns with decisions in the 1st and 3rd Circuits (In re TJX Cos. Retail Security Breach Litigation, 564 F.3d 489 (1st Cir. 2009) (barring negligence claim by issuing banks against acquiring banks under Massachusetts law due to economic loss doctrine); Sovereign Bank v. BJ’s Wholesale Club Inc., 533 F.3d 152 (3rd Cir. 2008) (barring negligence claims by issuing banks against merchant under Pennsylvania law due to economic loss doctrine)).

In contrast, the 5th Circuit held that in New Jersey’s interpretation of the economic loss doctrine did not bar claims by issuing banks against a merchant’s acquiring bank (Lone Star National Bank N.A. v. Heartland Payment Systems Inc., 729 F.3d 421 (5th Cir. 2013)). The 5th Circuit reasoned that, under New Jersey law, defendants owe a duty “of care to take reasonable measures to avoid the risk of causing economic damages … to particular plaintiffs … comprising an identifiable class with respect to whom defendant knows or has reason to know are likely to suffer such damages from its conduct” (Lone Star, quoting People Express Airlines Inc. v. Consolidated Rail Corp., 100 N.J. 246, 495 A.2d 107, 116 (1985)).

The issuing banks in that case constituted an identifiable class whom the defendant could foresee would suffer economic losses from its negligent conduct.

The 7th Circuit’s decision in Schnuck Markets raises questions about the application of the economic loss doctrine to data breach cases. The panel justified its decision, in part, on the theory behind the economic loss doctrine that parties to a contract voluntarily assign risks as part of the contractual bargaining process.

The panel recognized that the electronic card payment processing system is a complex network of contracts between various parties. Even though the plaintiff banks had no contract with Schnucks, their contract with the card networks was enough for the 7th Circuit to conclude that the parties adequately allocated the economic risks due to a data breach.

Left unanswered is whether issuing banks enjoy the economic leverage to adequately negotiate for reducing their share of the risk.

Given the card networks’ “zero consumer liability” policies, and the card networks’ position in the market, the economic reality suggests that issuing banks cannot negotiate to allocate the risk in a meaningful way.

It is left to future decisions to consider the economic realities of these contractual relationships and provide a clearer application of the economic loss doctrine. Until then, the 7th Circuit handed a shield to merchants to defend themselves.

To view this article as published in the Chicago Daily Law Bulletin, click here.