Seventh Circuit Hands Win to Merchants in Data Breach Case
An attorney explains how courts handed a shield to merchants to defend themselves in a data breach case.
The number of cases involving consumer data breaches is rapidly growing. Data breaches inflict additional costs on financial institutions, leading those institutions to turn to litigation to recoup their losses from merchants. In a recent case, the United States Court of Appeals for the Seventh Circuit Court dealt a significant blow to attempts by financial institutions to bring negligence claims against merchants for failing to adequately safeguard their customers’ data.
In 2012, hackers infiltrated Schnuck Markets, a large Midwestern grocery chain, and stole the data of about 2.4 million credit and debit cards. Financial losses from the unauthorized purchases and cash withdrawals made with the stolen data reached into the millions. Because federal law requires the consumers’ financial institutions to indemnify the consumers for losses incurred as a result of fraudulent activity, four banks brought a class-action lawsuit against Schnucks to recover their losses. The plaintiff banks had no direct contract with Schnucks, and instead resorted to common-law negligence/tort claims, common-law contractual claims and several claims under Illinois statutes. The Seventh Circuit affirmed the lower court’s decision to dismiss all claims, and its decision on the economic loss doctrine bears some discussion. The federal appellate court anticipated that the high courts of both Illinois and Missouri would reject imposing tort liability under these circumstances.
Prefacing its decision with a brief overview of the electronic card payment system and the various contracts between the parties to a credit card transaction, the three-judge panel noted that when a consumer makes a purchase using an electronic card, the merchant collects that consumer’s information, known as “track data.” The track data and amount of the purchase are sent to the merchant’s bank (the acquiring bank) through a payment processing company. The acquiring bank then requests payment from the consumer’s bank (the issuing bank) through the card network (e.g. Visa or MasterCard). In this case, the plaintiff banks were issuing banks that provided electronic payment cards to consumers.
This entire process is governed by a series of contracts between the various parties. The issuing banks, in joining the electronic card payment system, agree to indemnify their customers in the event of a data breach. For example, Visa requires issuing banks to “limit the cardholder’s liability to zero” provided a customer notifies the network within a pre-determined time limit. Merchants, like Schnucks, and their acquiring banks agree to abide by certain data security requirements in their contracts with card networks. When a data breach occurs, issuing banks bear the initial cost of reimbursing their consumers, but contracts with the card networks allow issuing banks to recover some of those losses. The plaintiff banks’ case was premised on their lack of contractual privity with Schnucks.
Under the economic loss doctrine, state courts generally refuse to recognize that a party is liable under a tort theory for purely economic losses inflicted by one entity on another when the relationship between the two is governed by contract. The general theory behind the economic loss doctrine is that tort law is designed to provide a remedy for a “sudden calamitous accident as distinct from a mere failure to perform up to commercial expectations.”
In this case, the panel found that the plaintiff banks and Schnucks participated in a network of contracts that tie together the participants in the electronic card payment system. Schnucks agreed to abide by certain data security standards when entering the card payment system, thereby subjecting itself to certain fines and penalties if it was responsible for a data breach. The plaintiff banks, likewise, agreed to limit the cardholders’ liability to zero in their contracts with the card networks. All parties contractually allocated the risks of incurring losses for which they would not be reimbursed.
The plaintiff banks argued that because they were not bound by a contract directly with Schnucks, the economic loss rule should not apply. The court rejected that theory, holding that “what matters is not the details of the remedies but their existence. Merchants and acquiring banks face the financial cost of data breaches through the card networks’ reimbursement regime.”
As the Seventh Circuit noted, its decision aligns with decisions in the First and Third Circuits. In contrast, the Fifth Circuit held in that New Jersey’s interpretation of the economic loss doctrine did not bar claims by issuing banks against a merchant’s acquiring bank. The Fifth Circuit reasoned that, under New Jersey law, defendants owe a duty “of care to take reasonable measures to avoid the risk of causing economic damages … to particular plaintiffs … comprising an identifiable class with respect to whom defendant knows or has reason to know are likely to suffer such damages from its conduct.” The issuing banks in that case comprised an identifiable class whom the defendant could foresee would suffer economic losses from its negligent conduct.
The Seventh Circuit’s decision raises questions about the application of the economic loss doctrine to data breach cases. The panel justified its decision, in part, on the theory behind the economic loss doctrine that parties to a contract voluntarily assign risks as part of the contractual bargaining process. The panel recognized that the electronic card payment processing system is a complex network of contracts between various parties. Even though the plaintiff banks had no contract with Schnucks, their contract with the card networks was enough for the Seventh Circuit to conclude that the parties adequately allocated the economic risks due to a data breach.
Left unanswered is whether issuing banks enjoy the economic leverage to adequately negotiate for reducing their share of the risk. Given the card networks’ “zero consumer liability” policies, and the card networks’ position in the market, the economic reality suggests that issuing banks cannot negotiate to allocate the risk in a meaningful way. It is left to future decisions to consider the economic realities of these contractual relationships and provide a clearer application of the economic loss doctrine. Until then, the Seventh Circuit handed a shield to merchants to defend themselves.
Ehren M. Fournier, J.D. is an Associate with Schoenberg Finkel Newman & Rosenberg, LLC. He can be reached at 312-648-2300, Ext. 297, ehren.fournier@sfnr.com.