In Data Breach Suit, Federal Court Holds Banks To Higher Standard Than Customers

King & Spalding

On Wednesday, September 28, 2016, an Illinois federal district judge dismissed data breach-related claims brought by numerous banks against a grocer, citing the sophistication of the business relationship between the banks and the grocer as a main reason the claims could not proceed.

Between December 2012 and March 2013, Schnucks, a grocery chain headquartered in St. Louis, Missouri, experienced a data breach that made payment card information transmitted through its computer system vulnerable to attack by cyber criminals. The data breach may have affected as many as 2.4 million cardholders who shopped at Schnucks during the timeframe of the breach. The banks alleged that Schnucks did not properly encrypt customer payment information and thus fell short of the industry standard. The banks pursued multiple theories of relief, including RICO conspiracy claims, breach of fiduciary duty, negligence, breach of contract, and violation of the Illinois Consumer Fraud and Deceptive Business Practices Act.

The U.S. District Court for the Southern District of Illinois dismissed all of the banks’ claims, holding that the alleged harms sustained were too general and that “mere allegations of trust between sophisticated business parties are insufficient to create a fiduciary relationship between the parties.” The court observed that in cases brought by customers, the customers can allege plausible claims based on concrete harm suffered, such as fraudulent charges on their accounts, late fees incurred as the result of fraudulent activity, and costs incurred as a result of acquiring an identity theft monitoring service. Additionally, customers’ data-breach claims appeal to the common life experience of walking into a merchant to buy a sandwich or a coffee and the expectation that their data will be kept safe.

In contrast, according to the court, the banks’ allegations of harm were too general. For example, the banks alleged that they have incurred and will continue to incur costs to (1) cancel and reissue cards, (2) close and reopen accounts, (3) notify customers, and (4) investigate and monitor for fraud. The banks emphasized the argument that Schnucks made fraudulent representations or omissions to the banks regarding its data security practices, and that the banks relied on such misinformation in releasing customer funds to Schnucks. The court, however, held that the generality of these allegations made it too difficult to assess the validity of the claims. Two of the banks’ claims were dismissed with prejudice. The banks will have the opportunity to replead the other claims.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© King & Spalding | Attorney Advertising
