
Community Bank of Trenton v. Schnuck Markets, Inc.

United States District Court, S.D. Illinois

May 1, 2017



          MICHAEL J. REAGAN, Chief Judge.

         A. Introduction and Procedural Overview

         This case is now before the Court on the Plaintiffs' Amended Complaint and the Defendant's Motion to Dismiss (Docs. 52, 55). The underlying dispute concerns a data breach at Defendant's grocery stores between December 2012 and March 2013. The initial complaint identified two grounds for federal jurisdiction: 18 U.S.C. § 1961, et seq., pursuant to 18 U.S.C. § 1964(a) & (c) (“Racketeer Influenced and Corrupt Organizations Act” aka “RICO”); and 28 U.S.C. § 1332(d) (“Class Action Fairness Act” aka “CAFA”). The Amended Complaint contains no RICO claims, so the sole remaining jurisdictional basis is CAFA. The Motion to Dismiss having been fully briefed, the Court now finds that Plaintiffs have failed to state a plausible claim for relief.

         This Court accepts all factual allegations as true when reviewing a 12(b)(6) motion to dismiss. Erickson v. Pardus, 551 U.S. 89, 94 (2007). To avoid dismissal for failure to state a claim, a complaint must contain a short and plain statement of the claim sufficient to show entitlement to relief and to notify the defendant of the allegations made against him. Fed.R.Civ.P. 8(a)(2); Bell Atl. Corp. v. Twombly, 550 U.S. 544, 555-57 (2007). In order to meet this standard, a complaint must describe the claims in sufficient factual detail to suggest a right to relief beyond a speculative level. Id.; Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009); EEOC v. Concentra Health Servs., 496 F.3d 773, 776 (7th Cir. 2007). A complaint need not contain detailed factual allegations, Scott v. Chuhak & Tescon, P.C., 725 F.3d 772, 782 (7th Cir. 2013), but it must go beyond “mere labels and conclusions” and contain “enough to raise the right to relief above the speculative level,” G&S Holdings, LLC v. Cont'l Cas. Co., 697 F.3d 534, 537-38 (7th Cir. 2012).

         The Seventh Circuit has outlined the boundaries of 12(b)(6) with two major principles. First, that although facts in the pleadings must be accepted as true and construed in the plaintiff's favor, allegations in the form of legal conclusions are insufficient to survive a motion to dismiss. McReynolds v. Merrill Lynch & Co., Inc., 694 F.3d 873, 885 (7th Cir. 2012). And, second, “the plausibility standard calls for ‘context-specific’ inquiry that requires the court ‘to draw on its judicial experience and common sense.’” Id. Threadbare recitals of elements and conclusory statements are not sufficient to state a claim. Id. Put another way, to survive a motion to dismiss “the plaintiff must give enough details about the subject-matter of the case to present a story that holds together [. . .] the court will ask itself could these things have happened, not did they happen.” Swanson v. Citibank, N.A., 614 F.3d 400, 404 (7th Cir. 2010).

         The case before the Court now presents 7 different theories of relief, down from 13 in the initial complaint. As was outlined in this Court's ruling on the initial complaint and initial motion to dismiss, many of the theories have been tested in other data breach litigation against major retailers across the country, such as Target, Jimmy Johns, Barnes and Noble, Home Depot, and Neiman Marcus, to name a few.[1] The initial complaint was dismissed by this Court in large part because it suffered from vast generalizations. The Amended Complaint and pleadings now before the Court have attempted to shore up the problem of generality, doing so in part by narrowing the scope of issues before the Court by removing the RICO and fraud claims, and omitting claims the Court previously dismissed. The additional facts that have been brought forth will be recited below. The Court will then provide a detailed legal analysis of the Amended Complaint.

         However, as a preliminary matter, the Court must address jurisdiction. The Amended Complaint alleges that this Court has subject matter jurisdiction under CAFA. At an earlier point in the proceedings, the Plaintiffs had filed a motion for class certification (Doc. 12), which they voluntarily withdrew, with the opportunity to refile it later without prejudice (Dkt. txt entry 42). Though the Plaintiffs have not refiled their motion for class certification, in part due to this Court's direction that it was not necessary to do so at this point (See Dkt. txt. entry 60 (granting Plaintiffs' unopposed motion for an extension of time to file a class certification motion until after the motion to dismiss was ruled upon)), the Court nevertheless finds that it has jurisdiction under CAFA prior to formal class certification. See Greenberger v. GEICO General Ins. Co., 631 F.3d 392, 396 (7th Cir. 2011) (“federal jurisdiction under CAFA does not depend on class certification”).

         B. Factual Allegations

         Many of the facts in the Amended Complaint are identical to those offered in the original complaint. Of new vintage, the Plaintiffs allege that they were intended or third-party beneficiaries to the contracts between the Defendant and others in the card processing network because Plaintiffs received an interchange fee or interest for processing cards. (Doc. 52 at 10-11). Plaintiffs also included allegations that Defendant has yet to upgrade to more secure transaction chip technology to allow customers to pay more safely (Id. at 10).

         Plaintiffs' Amended Complaint presented specific figures about the scope of the data breach, including that unencrypted data was potentially compromised for 2.4 million cards swiped at 79 Schnucks' stores from December 1, 2012 through March 30, 2013 (Doc. 52 at 15). The complaint also contained the allegation that stolen data was used in fraudulent transactions across the globe, evidencing that it was unencrypted and improperly stored (Id. at 29). On March 14, 2013, Defendant first learned of a data breach upon receiving reports of fraudulent card use (Id. at 20). On March 19 it retained Mandiant, a forensic investigation firm, to investigate the issue (Id.). Mandiant took action, identifying the infirmity on March 20 (Id.). However, Defendant did not inform the public of the issue until March 30, 2013, at which time the issue was fully contained (Id.). By their calculations, Plaintiffs allege that the gap from March 19 through March 30th allowed an unnecessary window for the compromise of 340,000 payment cards, assuming a rate of 20,000 cards used per day (Id. at 21-22). Plaintiffs allege that Defendant did not pursue a reasonable alternative by posting a “cash or checks only” sign specifically because it knew it would be bad for business (Id. at 22).

         C. Legal Analysis

         1. Negligence/gross negligence - Missouri law only

         Under Missouri law, to establish a claim for negligence a plaintiff must prove: “a (1) legal duty on part of the defendant to conform to a certain standard of conduct to protect others against unreasonable risks; (2) a breach of that duty; (3) a proximate cause between the conduct and the resulting injury; and, (4) actual damages to the claimant's person or property.” Hoover's Dairy, Inc. v. Mid-America Dairymen, Inc. Special Products, Inc., 700 S.W.2d 426, 431 (Mo. 1985). As both parties acknowledge, Missouri law requires notification in the event of a data breach, pursuant to Mo. Rev. Stat. § 407.1500, Missouri's data breach notification law. However, the data breach notification statute exclusively bestows the power to prosecute violations upon the Missouri Attorney General. See Mo. Rev. Stat. § 407.1500.4. What is more, the statute does not contemplate a duty or remedies for anything other than a failure to notify. This Court will not read additional duties into a law carefully crafted by the legislature, particularly where the legislatures of other states have explicitly contemplated additional protections in legislation. Compare Mo. Rev. Stat. § 407.1500.4 with Minn. Stat. § 325E.64 (Plastic Card Security Act). Reading the statute as a whole, this means that in Missouri the only statutory duty regarding data security is to provide notice of a breach, and the only authority to prosecute a failure of this duty is the attorney general.

         Statutory duties aside, the Plaintiffs also argue that the Defendant had a duty to safeguard data based on its business relationship; sound public policy; industry standards; best practices; or implied contracts. In support of these arguments, Plaintiffs rely heavily on out-of-circuit precedent from Georgia, Minnesota, and Pennsylvania. See Home Depot, 2016 WL 2897520; Target, 64 F.Supp.3d at 1309-1310; Sovereign Bank v. BJ's Wholesale Club, Inc., 395 F.Supp.2d 183, 193-96 (M.D. Penn. 2005) (finding a common law duty on behalf of a retailer to an issuing bank based on social policy, the business relationship, and the foreseeability of harm); First Choice Federal Credit Union v. The Wendy's Co., 2:16-cv-NBF-MPK (W.D. Pa. Feb. 13, 2017) (Doc. 80) (report and recommendation denying motion to dismiss a financial institution's negligence claim in a data breach case)[2]. The out-of-circuit precedent is distinguishable from the present case.

         First, as to the Georgia precedent in the Home Depot data breach litigation, this precedent does not give rise to a negligence claim under Missouri law because that litigation is factually distinct, and in a subsequent opinion, a Georgia appellate court disagreed with the Northern District of Georgia's interpretation of Georgia law. See Home Depot, 2016 WL 2897520 at *1-2, but cf. McConnell v. Dept. of Labor, 787 S.E.2d 794, 798-800, n.4 (Ga.Ct.App. 2016). The Home Depot case is factually distinct because the facts in the record suggest that Home Depot's data security conduct in the lead up to their breach was egregious and intentional: Home Depot on numerous occasions ignored warning signs of poor data security, and even went so far as to fire tech employees who tried to alert the company to the risks of the poor data security measures. See Home Depot, 2016 WL 2897520 at *1-2. Such alarming conduct certainly weighed heavily on the Northern District of Georgia when deciding whether or not to let a negligence claim proceed. In allowing the claim to proceed, the Home Depot Court explicitly called upon a proposition of Georgia law, that there is a “general duty one owes to all of the world not to subject them to an unreasonable risk of harm.” See Id. at *3. But subsequent to the Home Depot Court's holding, the Georgia Court of Appeals lamented such a broad interpretation of that ‘general duty’ and indicated that Georgia courts would not be bound by a federal court's interpretation of Georgia law. See McConnell, 787 S.E.2d at 798-800, n.4 (declining to recognize a general duty or a theory of negligence in a suit by an employee regarding ...
