Recently, the United States Court of Appeals for the Seventh Circuit issued a comprehensive ruling denying the plaintiffs (a group of banks) the ability to recover damages in tort and under Illinois’ consumer fraud law as a result of a merchant’s data breach.
In 2012, computer hackers infiltrated the computer networks of Defendant, Schnuck Markets, Inc., a large Midwestern grocery store, and installed malware that allowed them to harvest data of approximately 2.4 million credit and debit cards. By the time that Defendant was able to discover the hack and announce the breach in March 2013, financial losses from unauthorized purchases and cash withdrawals were substantial, with Plaintiffs, the consumers’ banks, alleging total damages in excess of $5 million.
The Court’s analysis of the Electronic Card Payment System highlighted the fact that within one transaction, the buyer’s and merchant’s banks work together to authorize and process the transaction. Each bank, as a party in the card payment system, agrees to assume certain responsibilities and to be bound by certain remedies. One of those remedies is that the issuing (customer) bank agrees to indemnify its customers if a data breach occurs within the card payment system and causes unauthorized transactions. If the customer timely notifies its bank of these transactions, both Visa and Mastercard require the issuing bank to limit the cardholder’s liability to zero. As for the merchant, the poor Schnucks, it agreed to abide by data security requirements (Payment Card Industry Data Security Standards or PCI DSS) and to share liabilities resulting from data breaches in its contracts within the card payment system. Schnucks, its card processor, and its (acquiring) bank were assessed fees and charges of approximately $1.5 million and shared the cost among the three entities.
The Court found that despite the banks and merchant not having a direct contract, their contractual involvement within the “network of contracts that tie together all the participants in the card payment system” provided a sufficient legal remedy for the parties. Thus, the Court affirmed the dismissal of the tort claims. In its findings, the Court equated this scenario to large construction projects that involve layers of contracts between various entities without direct contractual relationships. As it found in this case, the Court discussed that the network of contracts allocates the duties, risks, and remedies between the parties, and thus prohibits tort recovery for purely economic losses.
As a note for watching further developments in this area of law, in its decision the Court analyzed the Plaintiffs’ claims involving both the Illinois Consumer Fraud and Deceptive Business Practices Act (ICFA) and the Illinois Personal Information Protection Act (PIPA). While it affirmed the dismissal of those claims, it specifically noted that it declined to consider whether a violation under PIPA would support a consumer fraud claim arising out of a data breach. The Court did not feel that this issue was properly developed at the trial court level to warrant its consideration on appeal.
The Court’s ruling makes it apparent that a bank cannot recover damages in tort as a result of a data breach within the card payment system. While the same can likely be said for claims under Illinois consumer fraud law, the Court’s refusal to address whether a violation under PIPA can support an ICFA claim brought by one business against another seems to leave open the possibility of recovery. As a result, banks must be cognizant of the fact that in an economy that appears to be driven more and more by electronic and/or card payments, data breaches are a constant liability within the payment system with limited avenues for recovery of damages.
The Court’s full opinion can be found here.
This document is intended for informational purposes only and is not legal advice or a substitute for consultation with a licensed legal professional in a particular case or circumstance.