United States District Court, S.D. Illinois
COMMUNITY BANK OF TRENTON, UNIVERSITY OF ILLINOIS EMPLOYEES CREDIT UNION, FIRST FEDERAL SAVINGS BANK OF CHAMPAIGN-URBANA, and SOUTHPOINTE CREDIT UNION, individually and on behalf of all similarly situated payment card issuers, Plaintiffs,
v. SCHNUCK MARKETS, INC., Defendant.
MEMORANDUM AND ORDER
MICHAEL J. REAGAN Chief Judge.
Introduction and Procedural Overview
This case is now before the Court on the Plaintiffs' Amended
Complaint and the Defendant's Motion to Dismiss (Docs.
52, 55). The underlying dispute concerns a data breach at
Defendant's grocery stores between December 2012 and
March 2013. The initial complaint identified two grounds for
federal jurisdiction - 18 U.S.C. § 1961, et seq., pursuant
to 18 U.S.C. § 1964(a) & (c) (“Racketeer
Influenced and Corrupt Organizations Act” aka
“RICO”); and 28 U.S.C. § 1332(d)
(“Class Action Fairness Act” aka
“CAFA”). The Amended Complaint contains no RICO
claims, so the sole remaining jurisdictional basis is CAFA.
The Motion to Dismiss having been fully briefed, the Court
now finds that Plaintiffs have failed to state a plausible
claim for relief.
The Court accepts all factual allegations as true when reviewing
a 12(b)(6) motion to dismiss. Erickson v. Pardus,
551 U.S. 89, 94 (2007). To avoid dismissal for failure to
state a claim, a complaint must contain a short and plain
statement of the claim sufficient to show entitlement to
relief and to notify the defendant of the allegations made
against him. Fed.R.Civ.P. 8(a)(2); Bell Atl. Corp. v.
Twombly, 550 U.S. 544, 555-57 (2007). In order to meet
this standard, a complaint must describe the claims in
sufficient factual detail to suggest a right to relief beyond
a speculative level. Id.; Ashcroft v. Iqbal, 556
U.S. 662, 678 (2009); EEOC v. Concentra Health
Servs., 496 F.3d 773, 776 (7th Cir. 2007). A complaint
need not contain detailed factual allegations, Scott v.
Chuhak & Tescon, P.C., 725 F.3d 772, 782 (7th Cir.
2013), but it must go beyond “mere labels and
conclusions” and contain “enough to raise the
right to relief above the speculative level,”
G&S Holdings, LLC v. Cont'l Cas. Co., 697
F.3d 534, 537-38 (7th Cir. 2012).
The Seventh Circuit has outlined the boundaries of 12(b)(6) with
two major principles. First, that although facts in the
pleadings must be accepted as true and construed in the
plaintiff's favor, allegations in the form of legal
conclusions are insufficient to survive a motion to dismiss.
McReynolds v. Merrill Lynch & Co., Inc., 694
F.3d 873, 885 (7th Cir. 2012). And, second, “the
plausibility standard calls for ‘context-specific’
inquiry that requires the court ‘to draw on its
judicial experience and common sense.’”
Id. Threadbare recitals of elements and conclusory
statements are not sufficient to state a claim. Id.
Put another way, to survive a motion to dismiss “the
plaintiff must give enough details about the subject-matter
of the case to present a story that holds together [. . .]
the court will ask itself could these things have
happened, not did they happen.” Swanson v.
Citibank, N.A., 614 F.3d 400, 404 (7th Cir. 2010).
The case before the Court now presents 7 different theories of
relief - down from 13 in the initial complaint. As was outlined
in this Court's ruling on the initial complaint and
initial motion to dismiss, many of the theories have been
tested in other data breach litigation against major
retailers across the country, such as Target, Jimmy Johns,
Barnes and Noble, Home Depot, and Neiman Marcus, to name a
The initial complaint was dismissed by this Court in large
part because it suffered from vast generalizations. The
Amended Complaint and pleadings now before the Court have
attempted to shore up the problem of generality, doing so in
part by narrowing the scope of issues before the Court by
removing the RICO and fraud claims, and omitting claims the
Court previously dismissed. The additional facts that have
been brought forth will be recited below. The Court will then
provide a detailed legal analysis of the Amended Complaint.
As a preliminary matter, the Court must address jurisdiction.
The Amended Complaint alleges that this Court has subject
matter jurisdiction under CAFA. At an earlier point in the
proceedings, the Plaintiffs had filed a motion for class
certification (Doc. 12), which they voluntarily withdrew,
with the opportunity to refile it later without prejudice
(Dkt. txt entry 42). Though the Plaintiffs have not refiled
their motion for class certification, in part due to this
Court's direction that it was not necessary to do so at
this point (See Dkt. txt. entry 60 (granting
Plaintiffs' unopposed motion for an extension of time to
file a class certification motion until after the motion to
dismiss was ruled upon)), the Court nevertheless finds that it
has jurisdiction under CAFA prior to formal class
certification. See Greenberger v. GEICO General Ins.
Co., 631 F.3d 392, 396 (7th Cir. 2011) (“federal
jurisdiction under CAFA does not depend on class
the facts in the Amended Complaint are identical to those
offered in the original complaint. Of new vintage, the
Plaintiffs allege that they were intended or third-party
beneficiaries to the contracts between the Defendant and
others in the card processing network because Plaintiffs
received an interchange fee or interest for processing cards.
(Doc. 52 at 10-11). Plaintiffs also included allegations that
Defendant has yet to upgrade to more secure transaction chip
technology to allow customers to pay more safely
(Id. at 10).
The Amended Complaint presented specific figures about the scope
of the data breach - including that unencrypted data was
potentially compromised for 2.4 million cards swiped at 79
Schnucks' stores from December 1, 2012 through March 30,
2013 (Doc. 52 at 15). The complaint also contained the
allegation that stolen data was used in fraudulent
transactions across the globe, evidencing that it was
unencrypted and improperly stored (Id. at 29). On
March 14, 2013, Defendant first learned of a data breach upon
receiving reports of fraudulent card use (Id. at
20). On March 19 it retained Mandiant, a forensic
investigation firm, to investigate the issue (Id.).
Mandiant took action, identifying the infirmity on March 20
(Id.). However, Defendant did not inform the public
of the issue until March 30, 2013, at which time the issue
was fully contained (Id.). By their calculations,
Plaintiffs allege that the gap from March 19 through March
30th allowed an unnecessary window for the compromise of 340,000
payment cards, assuming a rate of 20,000 cards used per
day (Id. at 21-22). Plaintiffs allege that Defendant
did not pursue a reasonable alternative by posting a
“cash or checks only” sign specifically because
it knew it would be bad for business (Id. at 22).
Negligence/gross negligence - Missouri law only
Under Missouri law, to establish a claim for negligence a plaintiff
must prove: “a (1) legal duty on part of the defendant
to conform to a certain standard of conduct to protect others
against unreasonable risks; (2) a breach of that duty; (3) a
proximate cause between the conduct and the resulting injury;
and, (4) actual damages to the claimant's person or
property.” Hoover's Dairy, Inc. v. Mid-America
Dairymen, Inc. Special Products, Inc., 700 S.W.2d 426,
431 (Mo. 1985). As both parties acknowledge, Missouri law
requires notification in the event of a data breach - pursuant
to Mo. Rev. Stat. § 407.1500 - Missouri's data breach
notification law. However, the data breach notification
statute exclusively bestows the power to prosecute violations
upon the Missouri Attorney General. See Mo. Rev.
Stat. § 407.1500.4. What is more, the statute does not
contemplate a duty or remedies for anything other than a
failure to notify. This Court will not read additional duties
into a law carefully crafted by the legislature, particularly
where the legislatures of other states have explicitly
contemplated additional protections in legislation.
Compare Mo. Rev. Stat. § 407.1500.4
with Minn. Stat. § 325E.64 (Plastic Card
Security Act). Reading the statute as a whole, this means
that in Missouri the only statutory duty regarding data
security is to provide notice of a breach, and the only
authority to prosecute a failure of this duty is the attorney
duties aside, the Plaintiffs also argue that the Defendant
had a duty to safeguard data based on its business
relationship; sound public policy; industry standards; best
practices; or implied contracts. In support of these
arguments, Plaintiffs rely heavily on out-of-circuit
precedent from Georgia, Minnesota, and Pennsylvania. See
Home Depot, 2016 WL 2897520; Target, 64 F.Supp.3d at
1309-1310; Sovereign Bank v. BJ's Wholesale Club,
Inc., 395 F.Supp.2d 183, 193-96 (M.D. Penn. 2005)
(finding a common law duty on behalf of a retailer to an
issuing bank based on social policy, the business
relationship, and the foreseeability of harm); First
Choice Federal Credit Union v. The Wendy's Co.,
2:16-cv-NBF-MPK (W.D. Pa. Feb. 13, 2017) (Doc. 80) (report
and recommendation denying motion to dismiss a financial
institution's negligence claim in a data breach
case). The out-of-circuit precedent is
distinguishable from the present case.
As to the Georgia precedent in the Home Depot data
breach litigation, this precedent does not give rise to a
negligence claim under Missouri law because that litigation
is factually distinct, and in a subsequent opinion, a Georgia
appellate court disagreed with the Northern District of
Georgia's interpretation of Georgia law. See Home
Depot, 2016 WL 2897520 at *1-2, but cf. McConnell v.
Dept. of Labor, 787 S.E.2d 794, 798-800, n.4 (Ga.Ct.App.
2016). The Home Depot case is factually distinct because the
facts in the record suggest that Home Depot's data
security conduct in the lead up to their breach was egregious
and intentional - Home Depot on numerous occasions ignored
warning signs of poor data security, and even went so far as
to fire tech employees who tried to alert the company to the
risks of the poor data security measures. See Home
Depot, 2016 WL 2897520 at *1-2. Such alarming conduct
certainly weighed heavily on the Northern District of Georgia
when deciding whether or not to let a negligence claim
proceed. In allowing the claim to proceed, the Home
Depot Court explicitly called upon a proposition of
Georgia law, that there is a “general duty one owes to
all of the world not to subject them to an unreasonable risk
of harm.” See Id. at *3. But subsequent to the
Home Depot Court's holding, the Georgia Court of
Appeals lamented such a broad interpretation of that
‘general duty’ and indicated that Georgia courts
would not be bound by a federal court's interpretation of
Georgia law. See McConnell, 787 S.E.2d at 798-800,
n.4 (declining to recognize a general duty or a theory of
negligence in a suit by an employee regarding ...