Cmty. Bank of Trenton v. Schnuck Mkts., Inc., 17-2146

• Citation: 887 F.3d 803
• Decision Date: 11 April 2018
• Docket Number: No. 17-2146,17-2146
• Parties: COMMUNITY BANK OF TRENTON, et al., Plaintiffs-Appellants, v. SCHNUCK MARKETS, INC., Defendant-Appellee.
• Court: United States Courts of Appeals. United States Court of Appeals (7th Circuit)

887 F.3d 803

COMMUNITY BANK OF TRENTON, et al., Plaintiffs-Appellants,

v.SCHNUCK MARKETS, INC., Defendant-Appellee.

No. 17-2146

United States Court of Appeals, Seventh Circuit.

Argued January 10, 2018

Decided April 11, 2018

John J. Driscoll, Attorney, Driscoll Firm, P.C., St. Louis, MO, for Plaintiffs-Appellants.

Sam A. Camardo, Attorney, Daniel R. Warren, Attorney, Baker & Hostetler LLP, Cleveland, OH, Russell Kenneth Scott, Greensfelder, Hemker & Gale, P.C., Belleville, IL, for Defendant-Appellee.

Before Wood, Chief Judge, Hamilton, Circuit Judge, and Bucklo, District Judge.^*

Hamilton, Circuit Judge.

In late 2012, hackers infiltrated the computer networks at Schnuck Markets, a large Midwestern grocery store chain based in Missouri and known as "Schnucks." The hackers stole the data of about 2.4 million credit and debit cards. By the time the intrusion was detected and the data breach was announced in March 2013, the financial losses from unauthorized purchases and cash withdrawals had reached into the millions. Litigation ensued.

Like many other recent cases around the country, this case involves a massive consumer data breach. See, e.g., Lewert v. P.F. Chang's China Bistro, Inc. , 819 F.3d 963 (7th Cir. 2016); Remijas v. Neiman Marcus Group, LLC , 794 F.3d 688 (7th Cir. 2015). Unlike most other data-breach cases, however, the proposed class of plaintiffs in this case is comprised not of consumers but of financial institutions. Card-issuing banks and credit unions are required by federal law to indemnify their card-holding customers for losses from fraudulent activity, so our four plaintiff-appellant banks here bore the costs of reissuing cards and indemnifying the Schnucks hackers' fraud. See 15 U.S.C. § 1643(a) (limiting credit-card-holder liability for unauthorized use); 12 C.F.R. § 205.6 (limiting debit-card-holder liability for unauthorized use). The Article III standing and injury issues that arose in Lewert , Remijas , and many other data-breach cases with consumer plaintiffs are not issues in this case.

The principal issues in this case present fairly new variations on the economic loss rule in tort law. The central issue is whether Illinois or Missouri tort law offers a remedy to card-holders' banks against a retail merchant who suffered a data breach, above and beyond the remedies provided by the network of contracts that link merchants, card-processors, banks, and card brands to enable electronic card payments. The plaintiff banks assert claims under the common law as well as Illinois consumer protection statutes. Our role as a federal court applying state law is to predict how the states' supreme courts would likely resolve these issues. We predict that both states would reject the plaintiff banks' search for a remedy beyond those established under the applicable networks of contracts. Accordingly, we affirm the district court's dismissal of the banks' complaint.

I. Factual Background and Procedural History

A. Today's Electronic Payment Card System

When a customer uses a credit or debit card at a retail store, the merchant collects the customer's information. This includes the card-holder's name and account number, the card's expiration date and security code, and, in the case of a debit card, the personal identification number. Collectively, this payment card information is known as "track data." At the time of purchase, the track data and the amount of the intended purchase are forwarded electronically to the merchant's bank (the "acquiring bank"), usually through a payment processing company. The acquiring bank then requests payment from the customer's bank (the "issuing bank") through the relevant card network—in this case, Visa or MasterCard. If the issuing bank approves the purchase, the transaction goes through within seconds. The customer's issuing bank then pays the merchant's acquiring bank the amount of the customer's purchase, which is credited to the merchant's account, minus processing fees. Contracts govern all of these relationships, although typically no contracts directly link the merchant (e.g., Schnucks) with the issuing banks (our four plaintiffs here). Here is a simplified diagram of this series of relationships:

The Card Payment System

In this case, Schnucks routed customer track data through a payment processor, First Data Merchant Services, to its acquiring bank, Citicorp. Citicorp then routed customer track data through the card networks to the issuing banks (plaintiffs here), who approved purchases and later collected payments from their customers, the card-holders. This web of contractual relationships facilitates the dotted line above: the familiar retail purchase by a customer from a merchant. Because Schnucks was the weak security link in this regime, the plaintiff banks seek to recover directly from Schnucks itself, a proposed line of liability represented by the dashed line above. This new form of liability would be in addition to the remedies already provided by the contracts governing the card payment systems.

B. The Contracts that Enable the Card Payment System

All parties in the card payment system agree to take on certain responsibilities and to subject themselves to specified contractual remedies. In joining the card payment system, issuing banks—including our plaintiffs here—agree to indemnify their customers in the event that a data breach anywhere in the network results in unauthorized transactions.¹ Visa requires issuers to "limit the Cardholder's liability to zero" when a customer timely notifies them of unauthorized transactions. Appellee App. at 99–100 (§ 4.1.13.3). MasterCard has the same requirement. Id. at 107 (§ 6.3).

For their parts, acquiring banks and their agents must abide by data security requirements. Id. at 102. As a merchant, Schnucks also agreed to abide by data security requirements in the contracts linking it to the card payment system. Id. at 54, 58, 70–72, 73. These data security rules are called the Payment Card Industry Data Security Standards or "PCI DSS." In their contracts, Schnucks, its bank, and its data processor effectively agreed to share resulting liabilities from any data breaches. Id. at 53–54, 70–71, 73 (Master Services Agreement §§ 4, 5.4; Bankcard Addendum §§ 23, 25, 28); see also Schnuck Markets, Inc. v. First Data Merchant Services Corp. , 852 F.3d 732, 735, 737–39 (8th Cir. 2017) (" First Data ") (interpreting § 5.4 in light of this data breach at Schnucks). As we explain below, the specific details of these contractual remedies do not matter here. What is important is that they exist at all, by agreements among the interested parties.

When a retailer or other party in the card payment system suffers a data breach, issuing banks must bear the cost, at least initially, of indemnifying their customers for unauthorized transactions and issuing new cards. The contracts that govern both the Visa and MasterCard networks then provide a cost recovery process that allows issuing banks to seek reimbursement for at least some of these losses. See Appellee App. at 102 (Visa), 110 (MasterCard). Schnucks agreed to follow card network "compliance requirements" for data security and to pay "fines" for noncompliance. Id. at 70. Our colleagues in the Eighth Circuit later read Schnucks' contract with its data processor and acquiring bank to include significant limits on Schnucks' share of the liability for losses of issuing banks. See First Data , 852 F.3d at 736, 737–39 (holding that contractual limit on liability favoring Schnucks applied to limit liabilities resulting from this data breach).²

C. The Schnucks Data Breach and Response

In early December 2012, hackers gained access to Schnucks' computer network in Missouri and installed malicious software (known as "malware") on its system. This malware harvested track data from the Schnucks system while payment transactions were being processed. As soon as payment cards were swiped at a Schnucks store and the unencrypted payment card information went from the card reader into the Schnucks system for payment, customer information was available for harvesting. The breach affected 79 of Schnucks' 100 stores in the Midwest, many of which are located in Missouri and Illinois, the states whose laws we consider here.

For the next four months, hackers harvested and sold customer track data, which were used to create counterfeit cards and to make unauthorized cash withdrawals, including from the plaintiff banks. Schnucks says it did not learn of the breach until March 14, 2013, when it heard from its card payment processor. A few days later, an outside consultant quickly identified the source of the problem. On March 30, Schnucks issued a press release announcing the data breach.

The plaintiff banks estimate that for every day the data breach continued, approximately 20,000 cards may have been compromised. This means around 2.4 million cards in total were at risk from the Schnucks breach. Given this rate, plaintiffs estimate that more than 300,000 cards may have been compromised between March 14 and March 30, after Schnucks knew that security had been breached but before it announced that fact publicly. The plaintiff banks allege that numerous security steps could have prevented the breach and that those steps are required by the card network rules.³ In fact, under the networks' contractual provisions, the card networks later assessed over $1.5 million in reimbursement charges and fees against Schnucks, which eventually split that liability with its card processor and acquiring bank. Brief for Appellants at 4, First Data , 852 F.3d 732 (8th Cir. 2017) (No. 15-3804), 2016 WL 284697, at *4; see also First Data , 852 F.3d at 735–36 (describing card networks' expectations, assessments, and resulting litigation).

D. The Banks' Lawsuit

The plaintiff banks, which may or may not have received some of those reimbursement funds, filed a lawsuit in 2014 seeking to be made whole directly by Schnucks. The banks dismissed...