In the fast-moving and expanding world of data breach litigation, a recent decision from a federal court in Illinois styled Community Bank of Trenton, et al. v. Schnuck Markets, Inc. suggests that, in civil lawsuits against the company that incurred the breach, financial institutions must satisfy a higher pleading standard to survive a motion to dismiss than do the defendant’s customers.

Between December 2012 and March 2013, Schnucks, the owner and operator of approximately 100 retail supermarkets, experienced a data breach that made payment card information transmitted through its computer system vulnerable to attack by cyber criminals. The data breach may have affected as many as 2.4 million cardholders who shopped at Schnucks during the timeframe of the breach.

In November 2015, four banks that had issued payment cards to customers compromised by the breach filed a proposed class action lawsuit against Schnucks. The banks sought damages under multiple theories of relief, including RICO, breach of fiduciary duty, negligence, breach of contract and violations of the Illinois Consumer Fraud and Deceptive Business Practices Act. The banks alleged that had Schnucks followed industry standards, the breach would have not occurred.

In September 2016, the Illinois federal court dismissed the banks’ claims, citing both the complex nature of the credit and debit payment process and the sophistication of the business relationship between the banks and Schnucks as the main reasons the banks’ claims could not proceed. The court held that the pleadings and the alleged harms were too general and that “mere allegations of trust between sophisticated business parties are insufficient to create a fiduciary relationship between the parties”.

Jan-Mar 2017 issue

King & Spalding