The opinion of the court was delivered by: Charles P. Kocoras, District Judge:
This Document Relates to All Actions
This case comes before the Court on the motion of Defendant Michaels Stores, Inc. ("Michaels") to dismiss the Consolidated Amended Class Action Complaint (the "Complaint") pursuant to Federal Rule of Civil Procedure 12(b)(6). For the reasons stated below, the motion is granted in part and denied in part.
Michaels is a specialty arts and crafts retailer. Like many other retailers, Michaels uses PIN pads to process customers' debit and credit card payments. To make a debit or credit card purchase through a PIN pad, a cardholder swipes his or her card through the PIN pad and, if necessary, inputs a personal identification number ("PIN"). A properly operating PIN pad encrypts the cardholder's PIN, temporarily stores the encrypted PIN, and transmits the information to a transaction manager, card company, or bank for verification.
"Skimming" is the unauthorized capture of debit and/or credit card data by unauthorized persons, often referred to as "skimmers." Skimmers use the information in a number of illegal ways, including selling the information or creating a fraudulent duplicate card. One method skimmers use to obtain debit and credit card information from retail stores is referred to as "PIN pad swapping." Using this method, skimmers remove a legitimate PIN pad from a merchant's store and replace it with a modified PIN pad that captures the debit and credit card information and the customer's PIN. The swapped PIN pad then stores the data for later physical retrieval by the skimmers or wirelessly transmits the data to the skimmers.
Michaels accepts customer payments for purchases through credit and debit cards issued by members of the payment card industry ("PCI"), such as Visa USA ("Visa"). Some card issuers, like Visa, contractually obligate merchants, like Michaels, to comply with various PIN pad security standards that protect customer financial information as a condition to processing transactions through the card issuer. In 2005, Visa issued a global mandate ("Visa's Global Mandate") that required merchants to discontinue the use of PIN pad terminals that do not meet the Triple Data Encryption Standard by July 1, 2010. Visa also required merchants to implement certain operating regulations to protect the security of cardholder information (the "PCI PIN Security Requirements"). Among numerous other requirements, the PCI PIN Security Requirements direct merchants to ensure that a legitimate device has not been substituted with a counterfeit device. In 2006, Visa and other PCI members established the Security Standards Council ("PCI SSC"), which has developed stringent standards for PIN pad terminals. Additionally, PCI SSC, PIN pad manufacturers, and credit card processors have developed and implemented a series of best practices for merchants to prevent or identify instances of skimming, including PIN pad swapping.
On May 4, 2011, Michaels reported that PIN pad tampering may have occurred in its Chicago area stores. Michaels later revealed that between February 8, 2011, and May 6, 2011, skimmers placed approximately ninety tampered PIN pads in eighty Michaels stores across twenty states. At the time of the security breaches, Michaels was not in compliance with Visa's Global Mandate or the PCI PIN Security Requirements.
On July 8, 2011, Plaintiffs Mary Allen, Kelly M. Maucieri, Brandi Ramundo, and Adrianna Sierra (collectively, "Plaintiffs") filed the Complaint against Michaels individually and on behalf of all consumers whose financial information was stolen from Michaels. Plaintiffs allege that Michaels failed to adequately protect their financial information and failed to promptly and properly notify consumers of the security breach. Plaintiffs further allege that the data breach resulted in unauthorized withdrawals from their bank accounts and/or bank fees. Plaintiffs assert claims under the Stored Communications Act, 18 U.S.C. § 2702, and the Illinois Consumer Fraud and Deceptive Business Practices Act, 815 Ill. Comp. Stat. 505/1, and for negligence, negligence per se, and breach of implied contract. Michaels now moves to dismiss the Complaint.
A pleading must contain "a short and plain statement of the claim showing that the pleader is entitled to relief." Fed. R. Civ. P. 8(a)(2). Rule 8 does not require detailed factual allegations, but requires more than legal conclusions or a formulaic recitation of the elements of a cause of action. Bell Atl. Corp. v. Twombly, 550 U.S. 544, 555 (2007). To survive a motion to dismiss, the complaint must contain sufficient facts to state a claim for relief that is plausible on its face. Id. at 570. In ruling on a motion to dismiss, a court accepts the well-pleaded allegations in the complaint as true, construes the allegations of the complaint in the light most favorable to the plaintiff, and draws all reasonable inferences in favor of the plaintiff. Hentosh v. Herman M. Finch Univ. of Health Scis./The Chi. Med. Sch., 167 F.3d 1170, 1173 (7th Cir. 1999).
I. Stored Communications Act*fn2
The Stored Communications Act ("SCA") states that "a person or entity providing an electronic communication service to the public shall not knowingly divulge to any person or entity the contents of a communication while in electronic storage by that service." 18 U.S.C. § 2702(a)(1). The SCA further states that "a person or entity providing remote computing service to the public shall not knowingly divulge to any person or entity the contents of any communication which is carried or maintained on that service." 18 U.S.C. § 2702(a)(2). Michaels argues that the SCA does not apply because it does not provide electronic communication services or remote computing services.
A. Electronic Communication Services
The first issue is whether Michaels provides electronic communication services under the SCA. An "electronic communication service" is "any service which provides to users the ability to send or receive wire or electronic communications." 18 U.S.C. §§ 2510(15), 2711(1). According to the SCA's legislative history, telephone companies and electronic mail companies provide electronic communication services. S. Rep. No. 99-541 (1986), reprinted in 1986 U.S.C.C.A.N. 3555, 3558. Since the enactment of the SCA, courts have consistently acknowledged that internet service providers, e-mail service providers, and telecommunication companies also provide electronic communication services under the SCA. Steinbach v. Village of Forest Park, 2009 WL 2605283, at *5 (N.D. Ill. Aug. 25, 2009) (finding that the Village of Forest Park did not provide electronic communication services because it provided the e-mail address and not the e-mail or internet service); United States v. Weaver, 636 F. Supp. 2d 769, 769-70 (C.D. Ill. 2009) (noting that Microsoft, the internet and e-mail service provider, provided electronic communication services and remote computing services); Terkel v. AT&T Corp., 441 F. Supp. 2d 899, 901-04 (N.D. Ill. 2006) (assuming that AT&T, a telecommunications company providing telephone and internet services, provides electronic communication services); Andersen Consulting LLP v. UOP, 991 F. Supp. 1041, 1043 (N.D. Ill. 1998) (concluding that defendant who did not provide internet services did not provide electronic communication services by maintaining an internal e-mail system).
When determining whether an entity provides electronic communication services, courts consider whether the entity is in the business of providing electronic communication services. See, e.g., In re JetBlue Airways Corp. Privacy Litig., 379 F. Supp. 2d 299, 307 (E.D.N.Y. 2005) (explaining that JetBlue's maintenance of a website did not convert it into a provider of electronic communication services; rather, JetBlue is a provider of air travel services and a consumer of electronic communication services); Dyer v. Northwest Airlines Corps., 334 F. Supp. 2d 1196, 1199 (D.N.D. 2004) ("businesses offering their traditional products and services online through a website are not providing an 'electronic communication service'"); Andersen Consulting, 991 F. Supp. at 1043 (explaining that the defendant, a supplier to the petroleum and gas processing industries, was not in the business of providing electronic communication services even though it maintained an internal e-mail system). Ultimately, the provider of an electronic communication service is the provider of the underlying service which transports the data, such as an internet service provider or a telecommunications company whose cables and phone lines carry internet traffic, and not the provider of a product or service which facilitates the data transport.
Here, Plaintiffs allege that Michaels provides electronic communication services because Michaels, through its PIN pads, enables consumers to pay with credit and debit cards and send or receive electronic communications concerning their account data and PINs to transaction managers, card companies, or banks. Significantly, Plaintiffs do not allege that Michaels provides the internet or phone service through which the PIN pad communicates. This insufficiency is fatal to Plaintiffs' claim that Michaels provides electronic communication services under the SCA. Further, Michaels, a retailer of specialty arts and crafts, is not in the business of providing electronic communication services, even though it maintains PIN pads, a necessary tool for almost any retailer today. See, e.g. Andersen Consulting, 991 F. Supp. at 1043 (explaining that defendant's internal e-mail system is a necessary tool for most businesses). This Court shares the concern of the Andersen court, as Plaintiffs' interpretation of the statute would convert every single retailer using a PIN pad into a provider of electronic communication services under the SCA. Finally, the alleged data breach has nothing to do with the provision of ...