Attempting to advance a novel theory of law, several banks filed a class action in Illinois federal court against a grocery store chain arising out of a data breach that resulted in the theft of 2.4 million credit and debit cards. Community Bank of Trenton v. Schnuck Markets, Inc. After the breach, and based on the terms credit card user agreements, the banks were required to issue new cards and reimburse its customers as required by federal law for financial losses due to unauthorized purchases. In the suit, the financial institutions sought to recover some of their costs from the grocery store chain that was allegedly responsible for the loss of the data. The losses were estimated by the Plaintiffs to be in the tens of millions of dollars. As discussed below, the banks were not successful.

The core question in the case was whether any applicable law provided the cardholders’ banks with a remedy under tort law against a retail merchant who was the subject of a data breach.

Generally speaking the credit card issuing bank, here the Community Bank of Trenton, has a contractual relationships with the consumers to whom the cards are issued and the credit card network, e.g., Visa, Mastercard. The issuing bank does not have a direct relationship with the retail merchant, here Schnuck Markets. From the perspective of a bank such as Community Bank of Trenton, its remedies arise from (a) the contract between it and the consumer, (b) the contract between it and the credit card network, or (c) by operation of federal law that provides limited reimbursement.

Seeking an end around these relationships, the class of banks invoked common law tort theories to go directly against the retail merchant because there was no contractual remedy that would make them whole for their losses.

The banks claimed in part that the merchant was negligent – not in permitting the breach to occur – but in not recognizing that it had occurred for months thereafter. And, once the chain did learn of the breach, it was another two weeks before it was announced publicly. The Plaintiffs alleged that numerous security steps could have prevented the breach and that those steps were required by the credit card network rules (e.g., installing antivirus software, maintaining firewalls, encrypting sensitive data, and implementing two-factor authentication).

Despite seemingly compelling arguments, the Seventh Circuit ultimately upheld the lower court’s dismissal of the banks’ claims finding that they were bound by the contractual provisions of their agreements. Essentially, the court ruled, by joining the credit card system, the banks accepted some risk of not being fully reimbursed for the costs of another party’s mistakes.

With the increasing amount of data breaches occurring in every sector of the economy we can anticipate more and more litigation, including the attempts to assert novel theories to recover significant losses resulting from the breaches.

Below are additional resources on data breach litigation:

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Jeffrey M. Schlossberg Jeffrey M. Schlossberg

Jeffrey M. Schlossberg is a Principal in the Long Island, New York, Office of Jackson Lewis P.C. Mr. Schlossberg has devoted his entire career to the employment law field. He is a Certified Information Privacy Professional (CIPP/US) with the International Association of Privacy…

Jeffrey M. Schlossberg is a Principal in the Long Island, New York, Office of Jackson Lewis P.C. Mr. Schlossberg has devoted his entire career to the employment law field. He is a Certified Information Privacy Professional (CIPP/US) with the International Association of Privacy Professionals and is an editor of the firm’s EPL Risk Mitigation Blog.

Mr. Schlossberg has extensive experience in handling all aspects of the employer-employee relationship. Areas of concentration include: employment discrimination prevention and litigation; workplace harassment policy development and compliance; social media and information privacy in the workplace; family and medical leave; disability matters; wage and hour investigations and litigation; non-competition agreements; and corporate mergers and acquisitions.

Mr. Schlossberg has defended against claims such as sexual harassment, age, race, national origin and disability discrimination for public and private companies in industries such as media, technology, airline, aircraft components, restaurants, supermarkets, securities, medical, manufacturing, cosmetics, food processing, software, clothing, vitamins and nutritional products, and many other employers of varying size throughout the metropolitan area and across the country.

Mr. Schlossberg lectures frequently about various topics to trade and professional associations, such as the Hauppauge Industrial Association. Mr. Schlossberg is also an active member of the Nassau County Bar Association and is a Past Chair of the Nassau County Bar Association Labor & Employment Law Committee.

Mr. Schlossberg is an appointed member of the Employment Law Panel of arbitrators for National Arbitration and Mediation.