Community Bank of Trenton v. Schnuck Markets, Inc.

United States District Court, S.D. Illinois

September 28, 2016




         A. Introduction and Procedural Overview

         Between December 2012 and March 2013, Schnucks (Defendant), a local grocer, fell prey to the increasingly common woe of a major data breach. As a result of the breach, numerous customers' personal information was put at risk, and numerous financial institutions (Plaintiffs) were required to assist their customers in remedying their personal financial risks and losses. A number of the financial institutions forced to spend money and time bailing out their customers filed suit against Schnucks alleging violations of the civil provisions of the Racketeer Influenced and Corrupt Organizations Act (“RICO”), contractual breaches, and basic torts. The case is now before the Court on Schnucks's motion to dismiss.[1]

         Plaintiffs brought this action before the Court, arguing two federal jurisdictional grounds: 18 U.S.C. 1961, et seq., pursuant to 18 U.S.C. 1964(a) & (c) (“RICO”); and 28 U.S.C. 1332(d) (“CAFA”). RICO claims would provide an appropriate basis for federal question jurisdiction because RICO is a federal statute. CAFA would provide an appropriate basis for jurisdiction because at least one Plaintiff is an Illinois corporation and Schnucks is a Missouri corporation. Assuming, without deciding, that either RICO claims or the other CAFA prerequisites could be satisfied, this Court has jurisdiction over this action. Schnucks does not contest either of these grounds for jurisdiction, and the Court finds that it enjoys subject matter jurisdiction pursuant to either ground. Venue is also appropriate because at least one Plaintiff, Community Bank of Trenton, is located in the Southern District of Illinois, East St. Louis Division, and Schnucks resided, was found, and conducted business in the Southern District of Illinois, East St. Louis Division.

         This Court accepts all factual allegations as true when reviewing a 12(b)(6) motion to dismiss. Erickson v. Pardus, 551 U.S. 89, 94 (2007). To avoid dismissal for failure to state a claim, a complaint must contain a short and plain statement of the claim sufficient to show entitlement to relief and to notify the defendant of the allegations made against him. Fed.R.Civ.P. 8(a)(2); Bell Atl. Corp. v. Twombly, 550 U.S. 544, 555-57 (2007). In order to meet this standard, a complaint must describe the claims in sufficient factual detail to suggest a right to relief beyond a speculative level. Id.; Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009); EEOC v. Concentra Health Servs., 496 F.3d 773, 776 (7th Cir. 2007). A complaint need not contain detailed factual allegations, Scott v. Chuhak & Tescon, P.C., 725 F.3d 772, 782 (7th Cir. 2013), but it must go beyond “mere labels and conclusions” and contain “enough to raise the right to relief above the speculative level,” G&S Holdings, LLC v. Cont'l Cas. Co., 697 F.3d 534, 537-38 (7th Cir. 2012).

         The Seventh Circuit has outlined the boundaries of 12(b)(6) with two major principles. First, that although facts in the pleadings must be accepted as true and construed in the plaintiff's favor, allegations in the form of legal conclusions are insufficient to survive a motion to dismiss. McReynolds v. Merrill Lynch & Co., Inc., 694 F.3d 873, 885 (7th Cir. 2012). And, second, “the plausibility standard calls for ‘context-specific’ inquiry that requires the court ‘to draw on its judicial experience and common sense.’” Id. Threadbare recitals of elements and conclusory statements are not sufficient to state a claim. Id. Put another way, to survive a motion to dismiss “the plaintiff must give enough details about the subject-matter of the case to present a story that holds together [. . .] the court will ask itself could these things have happened, not did they happen.” Swanson v. Citibank, N.A., 614 F.3d 400, 404 (7th Cir. 2010).

         Furthermore, Federal Rule of Civil Procedure 9(b) requires that allegations of fraud be pled with particularity, a heightened standard of pleading. Windy City Metal Fabricators & Supply, Inc. v. CIT Technology Financing Serv., Inc., 536 F.3d 663, 668 (7th Cir. 2008). Particularity requires alleging the circumstances of fraud or mistake, including: “the identity of the person who made the misrepresentation, the time, place, and content of the misrepresentation, and the method by which the misrepresentation was communicated to the plaintiff.” Id. (internal citation omitted). The complete lack of information about the timing, place, or manner of communicating alleged misrepresentations may render a claim insufficiently pled, particularly where the plaintiffs are the alleged audience for the misrepresentations. See Gandhi v. Sitara Capital Mgmt., LLC, 721 F.3d 865, 870 (7th Cir. 2013).

         The case before the Court presents an impressive 13 different theories of relief for the Plaintiffs to recover against Schnucks. Many of the theories have been tested in other data breach litigation against major retailers across the country, such as Target, Jimmy Johns, Barnes and Noble, Home Depot, and Neiman Marcus, to name a few.[2] However, there is a critical distinction between the present set of claims, and those presented in the aforementioned cases: the claims in the present case are being brought by the financial institutions as opposed to by the merchant's customers. In actions brought by customers, there are typically at least a few plaintiffs who identify tangible harms such as fraudulent charges on their accounts, late fees incurred as a result of fraudulent activity, and costs incurred in acquiring ongoing identity theft monitoring services. In the cases brought by customers, parties have effectively illustrated plausible claims for relief under various theories by appealing to the common life experience of a consumer walking into a merchant to buy a sandwich or a book. The concrete fraud charges on customer payment cards and the familiar expectations of a store customer make the claims in those cases hold together to illustrate a plausible story.

         By contrast, in the present litigation, the allegations of harms sustained are general. For example, the Complaint says that of the potentially 2.4 million cards breached, the payment card processor only alerted Schnucks to fraudulent activity on “a handful of payment cards” (Doc. 1 at 19, ¶ 43). The Complaint alleges that Plaintiffs have incurred and will continue to incur costs to: cancel and reissue cards; close and reopen accounts; notify customers; and, investigate and monitor for fraud. Plaintiffs allege that they may also lose profits if customers use payment cards less frequently. The Complaint also makes an ambiguous statement that “[w]hile Schnucks threw consumers somewhat of a bone in an effort to rebuild customer loyalty and improve its financial outlook, it has not offered Plaintiffs and Class Members any compensation for the damages they have suffered (and will continue to suffer)” (Id. at 23, ¶ 58).[3]

         The Court finds that more than just the harms are general: all of the pleadings in this case are highly general. Though the case centers on the notion that Schnucks made fraudulent representations or omissions regarding their data security practices, the Complaint simply says “[t]he dates and substance of Schnucks's internal and external fraudulent communications, via the interstate wires, in furtherance of the above-described schemes, as well as its fraudulent communications to Plaintiffs and Class Members, via the interstate wires, in furtherance of such schemes to cheat and defraud are in Schnucks's possession, custody, and control, and await discovery” (Doc. 1 at 26, ¶ 66). Despite vague allegations about the precise statements or omissions, Plaintiffs nevertheless seem to argue that they relied on said bad information in releasing customer funds to Schnucks, but that they would not have done so had they known of poor data security.

         Schnucks's Motion to Dismiss (Doc. 27) and the Plaintiffs' Response (Doc. 31) suffer from the same level of generality and ambiguity. In those pleadings, the parties spent much time reciting elements of claims and identifying precedent without particularizing their arguments to the facts of the case before the Court. The Court also notes receipt of Schnucks's reply brief (Doc. 32), Plaintiffs' supplemental authority and letter brief (Doc. 36), and Schnucks's response to the authority (Doc. 37). Though the Court recognizes that the parties are charting relatively new territory in the data breach context by presenting a case between financial institutions and a merchant (as opposed to customers and a merchant), and that the parties were subject to page limits in filing, the Court notes that the generality made it difficult to assess the plausibility of the potential claims. For this reason, the Court dismissed many of the claims without prejudice to allow the Plaintiffs an opportunity to file more substantive pleadings. After a brief synopsis of the factual allegations, the Court will assess each of the 13 claims in turn.

         B. Factual Allegations

         Between December 2012 and March 2013, Schnucks experienced a data breach, which made payment card information transmitted through their computer system vulnerable to attack by cyber criminals. The data breach may have affected as many as 2.4 million cardholders who shopped at Schnucks during the timeframe of the breach. Plaintiffs allege that the breach took place in the “internal processing environment” of Schnucks's computers. Specifically, Plaintiffs allege that data was at risk from the time of swipe at the point-of-sale terminal as it was awaiting approval by the third-party payment processors. During this waiting period, Plaintiffs allege that payment card numbers and expiration dates “(and possibly more information)” were erroneously held in unencrypted format on Schnucks's computers, in violation of industry standards (Doc. 1 at 18, ¶ 41).

         Plaintiffs describe the web of payment processing as follows: a customer swipes a card at the point-of-sale terminal; the card information goes from the point-of-sale terminal into the merchant's register; the information is stored in remote access memory in that register; and, the data sits on the memory of that computer while the merchant awaits transaction approval. Approval entails the merchant communicating the request for payment to its acquiring bank (Citicorp), who in turn relays the request to its third-party processor (First Data). The processor (First Data) communicates with the issuing bank. The issuing bank (the Plaintiffs in this case) approves or declines the transaction based on the availability of funds in a cardholder's account. Meanwhile, once approval is secured, the merchant processes the transaction and sends a receipt to its acquiring bank (Citicorp). The acquiring bank then pays the merchant, and works with the issuing bank for ultimate reimbursement from the cardholder's funds.

         The level of data security over this web of transactions is guided by industry standards (the PCI DSS) and agreements between merchants, Visa and MasterCard, acquiring banks, and third-party processors. Plaintiffs allege that Schnucks captured track data in its computer system including: cardholder names, account numbers, expiration dates, CVV codes, and PIN numbers for debit cards. Plaintiffs allege that this information must be encrypted. Industry standards require that merchants only store information on the front of the card, and only if it is encrypted. Plaintiffs allege that the data stolen from Schnucks was “the account numbers and expiration dates (and possibly more information)” (Doc. 1 at 18, ¶ 41). Plaintiffs allege that this information was poached from Schnucks's computers “before it [was] transmitted somewhere else” (Doc. 1 at 20, ¶ 46). Plaintiffs allege that because the data was not encrypted, the hackers were able to use it freely.

         Plaintiffs allege that had Schnucks followed industry security standards, the breach would not have happened. They allege that Schnucks fell far short of industry standards because: it knew its security procedures were outdated and ineffective; it knew it was out of compliance with industry standards; it failed to file routine quarterly data compliance reports; it knowingly and recklessly failed to implement or maintain adequate data procedures; it permitted a delay between the March 14, 2013, discovery of the breach to March 28, 2013, when the breach was isolated or March 30, 2013 when the breach was neutralized; and, it failed to implement preventative measures such as, an enterprise risk management system, antivirus and firewall software, and layered security.

         Plaintiffs are pursuing the following theories of relief: Counts 1-3 are RICO and RICO conspiracy claims; Count 4 claims breach of a fiduciary duty; Counts 5-7 allege varying degrees of negligence; Counts 8-9 allege breaches of contractual relationships; Count 10 alleges violation of the Illinois Consumer Fraud and Deceptive Business Practices Act; Count 11 alleges unjust enrichment; Count 12 seeks equitable subrogation; and Count 13 seeks declaratory and injunctive relief. The Court will address each count in turn, because there are varying standards of pleading for the different claims.

         C. Legal Analysis

         1-3. RICO Claims

         The Plaintiffs' RICO claims make three simple assertions. First, that Schnucks violated 18 U.S.C. § 1962(c) via their acts of bank and wire fraud in processing customer transactions at their retail grocery outlets. Second, that Schnucks conspired to take proceeds from their fraudulent activity to reinvest in the operation of their ongoing business, in violation of 18 U.S.C. § 1962(a) and (d). And, third, that Schnucks conspired to commit wire and bank fraud in violation of § 1962(c) and (d). All three claims fail for a lack of particularity and plausibility for reasons that will be discussed in turn.

         To allege a violation of section 1962(c), the plaintiff must allege that the defendant (1) was employed by or associated with (2) an enterprise engaged in, or the activities of which affected, interstate or foreign commerce, and (3) that the person conducted or participated in the conduct of the enterprise's affairs (4) through a pattern of racketeering activity. Haroco, Inc. v. Am. Nat. Bank and Trust Co. of Chicago, 747 F.2d 384, 387 (7th Cir. 1984). An “enterprise” includes any individual, partnership, corporation, association, or other legal entity, and any union or group of individuals associated in fact although not a legal entity. 18 U.S.C. § 1961(4). A “person” includes any individual or entity capable of holding a legal or beneficial interest in property. 18 U.S.C. § 1961(3). And, a “pattern of racketeering activity” requires at least two acts of racketeering activity. 18 U.S.C. § 1961(5).

         For purposes of alleging a violation of § 1962(c), a corporation “may satisfy the section 1961 definitions of both ‘person’ and ‘enterprise[.]’” Haroco, 747 F.2d at 400. However, allegations of § 1962(c) violations are not sufficient if they allege that a single corporation is both the person and the enterprise in the same scheme of racketeering activity. See Haroco, 747 F.2d at 399-403 (“1962(c) requires separate entities as the liable person and the enterprise which has its affairs conducted through a pattern of racketeering activity”).

         To establish a pattern of racketeering activity, “the predicate acts must exhibit ‘continuity plus relationship.’” Empress Casino Joliet Corp. v. Balmoral Racing Club, Inc., 2016 WL 4097439 *1, *8 (7th Cir. Aug. 2, 2016). The relationship component may be satisfied where the predicate acts have the same or similar purposes, results, participants, victims, or methods of commission, or are otherwise interrelated by distinguishing characteristics, and are not isolated events. Id. The continuity component requires that the RICO allegations identify schemes meant to last over a long period of time as opposed to one-off instances of criminal behavior. Id. Closed-end continuity “is satisfied by a series of related predicates extending over a substantial period of time.” Id. (citation omitted). By contrast, open-ended continuity “is satisfied by past conduct that by its nature projects into the future with a threat of repetition.” Id. Open-ended continuity may be satisfied when “(1) a specific threat of repetition exists, (2) the predicates are a regular way of conducting [an] ongoing legitimate business, or (3) the predicates can be attributed to a defendant operating as part of a long-term association that exists for criminal purposes.” Id. A nexus to organized crime is not a requirement to allege a pattern of RICO activity. See H.J. Inc. v. Northwestern Bell Telephone Co., 492 U.S. 229, 249 (1989).

         Here, Plaintiffs allege that Schnucks was a person for purposes of RICO and the VISA and MasterCard networks were enterprises. Plaintiffs allege that Schnucks and the enterprises participated in interstate commerce, that Schnucks conducted the activities of the enterprises, and that as a result of Schnucks's conduct via the enterprises, the Plaintiffs have suffered and will continue to suffer from a pattern of open-ended and continuous harm. As to the predicate acts that constitute a pattern of harmful activity, the Plaintiffs allege that Schnucks's conduct over its data network constituted both wire and bank fraud, in violation of §§ 1343 and 1344, respectively. Wire fraud is alleged to have occurred based upon Schnucks's representations via electronic communications that it maintained safe data procedures and its requests for authorization of transactions despite unsafe data practices, while bank fraud is alleged to have occurred based upon Schnucks securing payment from the Plaintiffs and their customers via credit or debit cards.

         The elements of wire fraud under § 1343 are: a scheme to defraud, a false representation, and use of interstate communications. U.S. v. Pritchard, 773 F.2d 873, 876 (7th Cir. 1985). Allegations of fraud must be pled with particularity by identifying the circumstances constituting fraud or mistake. Fed.R.Civ.P. 9(b). In considering wire fraud as a predicate to a RICO claim, a number of courts have found that plaintiffs failed to meet the requisite particularity requirement where the allegations about omissions or misrepresentations were broad or conclusory. Specifically, in Ray v. Spirit Airlines, Inc., 126 F.Supp.3d 1332 (S.D. Fla. 2015), a court recently found that general allegations were insufficient to state a claim under RICO where the plaintiffs (airline customers) alleged that they were misled or defrauded by a statement about airline fees. In declining to recognize a RICO claim, the Ray Court emphasized the fact that the plaintiffs were unable to say where they saw the allegedly misleading statements, or what about the statements misled them. However, in order to establish a claim for wire or bank fraud a plaintiff need not establish actual reliance on the allegedly offending representation. Bridge v. Phoenix Bond & Indem. Co., 553 U.S. 639, 649-50 (2008).

         The elements of bank fraud under § 1344 are: knowing execution, or attempted execution of “a scheme or artifice-(1) to defraud a financial institution; or (2) to obtain any of the moneys, funds, credits, assets, securities, or other property owned by, or under the custody or control of, a financial institution, by means of false or fraudulent pretenses, representations, or promises.” § 1344.

         In conjunction with section 1962(c), section 1962(d) provides civil liability for conspiring to commit RICO violations. The United States Supreme Court held that RICO conspiracy shares major tenets of common law conspiracy, but, in order to be liable for RICO conspiracy as opposed to ordinary conspiracy, a plaintiff must show that the defendant's offensive actions were racketeering activity within the meaning of § 1962. See Beck v. Prupis, 529 U.S. 494, 504-07 (2000). Thus, a RICO conspiracy claim does not properly lie in the absence of any underlying violations of section 1962. Id. In reaching this holding, the Supreme Court noted that the purpose of RICO conspiracy, as opposed to regular conspiracy, was to hold co-conspirators liable who may not have personally committed racketeering acts, but who acted in concert with those committing racketeering. Id.; Goren v. New Vision Intern., Inc., 156 F.3d 721, 732 (7th Cir. 1998) (“We have stressed that the touchstone of liability under 1962(d) is an agreement to participate in an endeavor which, if completed, would constitute a violation of the substantive statute. Accordingly, in order to plead a viable § 1962(d) claim, a plaintiff must allege that a defendant ‘agreed to the objective of a violation of RICO.’”).

         First, as to the claim that Schnucks should be held liable under § 1962(c) for conducting a pattern of racketeering activity, the Plaintiffs have failed to adequately plead this claim. The fatal flaw at this juncture is that the Plaintiffs fail to allege predicate RICO acts with sufficient particularity as required by Rule 9(b). Plaintiffs accurately allege that there is some lenience in pleading fraud if a plaintiff alleges that the fraudulent information is solely in control of the defendant, but it cannot be true that such leniency applies to every facet of a sufficiently pleaded claim because if that were true the particularity requirement of Rule 9(b) would be rendered meaningless. See Gandhi, 721 F.3d at 870 (finding that the complete lack of information about the timing, place, or manner of alleged misrepresentations may render a claim insufficiently pled, particularly where the plaintiffs were the alleged audience for the misrepresentations).

         As the Seventh Circuit recently noted, wire fraud is something that could hypothetically be found in every corporate transaction in the modern business world. U.S. v. Weimert, 819 F.3d 351, 356 (7th Cir. 2016). Thus, the Seventh Circuit noted that courts must take care not to stretch the arms of the fraud statutes too far. The Weimert court urged that, though it is a difficult task, the limits of the wire and mail fraud statutes must be drawn carefully. Id. at 370. Here, Plaintiffs have alleged wire fraud based on the general allegation that some aspect of Schnucks's wrongdoing passed over the interstate wires, but they do not identify with any degree of certainty what that ‘thing’ is. Plaintiffs indicate that wire transmissions could have been involved in seeking authorization of payments or in maintaining Schnucks's website, but they do not identify statements made in these forums or the lack thereof that could support a theory of fraud. They rely on two alternative theories of fraud, misrepresentation or cheating, but they do not allege with specificity what it was about Schnucks's conduct that constituted these things. They do not identify false statements, they do not identify explicit misrepresentations made to them or their customers assuring that the data security was sufficient, and they do not explain how it is that Schnucks might have devised some scheme to use wire transmissions as a cheat.

         Applying common sense, it is hard to see how Schnucks could or would have done these things. Merchants are not in the common practice of posting signs by the register assuring data security, so surely there cannot be a misrepresentation or omission there, nor is there any kind of data safety guarantee transmitted across the wires from a merchant to processors when a card is swiped. What is more, Plaintiffs do not allege that Schnucks communicates directly with them via the wires. According to Plaintiffs' version of the facts, Schnucks communicates via wire with its acquiring bank who then goes through a data processor to contact the Plaintiffs. This chain does not evidence any direct, or even indirect, statements by Schnucks to the Plaintiffs.

         Plaintiffs also allege that Schnucks was required to file some sort of compliance report on data security, but they do not allege when that might have been filed, how it was filed, who it would have been filed with, or what about it was wrong. So again, there is no basis to say a ...
