The litigation arising out of the data breach at Schnuck’s Markets (“Schnuck’s) occurring from December of 2012 through March of 2013 is still providing us with insight as to how courts may treat data breach claims. The latest development related to this breach was recently seen in Community Bank of Trenton v. Schnuck Markets, 2017 WL 1551330 (May 1, 2017), when the District Court for the Southern District of Illinois granted Schnuck’s motion to dismiss Trenton’s complaint.
Trenton, a bank that issued credit cards allegedly compromised in this data breach, filed its complaint seeking recovery for damages based on a theory that it would have instructed its customers to shop elsewhere or use cash or checks for purchases if Schnucks had been more upfront about the security of its data network. Specifically, Trenton attempted to support its cause of action with allegations “that they were intended or third-party beneficiaries to the contracts between [Schnucks] and others in the card processing network because [Trenton] received an interchange fee or interest for processing cards.” Trenton’s complaint further alleged that unencrypted data “was potentially compromised for 2.4 million cards swiped at Schnucks’ stores from December 1, 2012 through March 30, 2013. The Complaint alleged Schnucks’ learned of the breach on March 14, 2013, but did not notify the public of the incident until March 30, 2013. Trenton claimed that during this time an estimated 340,000 additional cards may have been compromised (based on its calculations that 20,000 cards were being used each day).
In granting Schnucks’ motion to dismiss, the District Court first analyzed Trenton’s negligence claim brought under Missouri law. Specifically, Trenton asserted Schnucks should be held liable under Missouri’s data breach notification law (Mo. Rev. Stat. § 407.500). The District Court rejected Trenton’s argument finding “the data breach notification statute exclusively bestows the power to prosecute violations upon the Missouri Attorney General.” (“What is more, the statute does not contemplate a duty or remedies for anything other than a failure to notify.”) The District Court further rejected Trenton’s attempt to establish a private cause of action under Missouri’s breach notification laws by refusing to “read additional duties into a law carefully crafted by the legislature, particularly where the legislatures of other states have explicitly contemplated additional protections in legislation.”
After finding Trenton did not have a private cause of action based on Missouri’s breach notification laws, the District Court distinguished “out-of-circuit precedent” where courts have found defendants had a duty to safeguard data based on a business relationship. (In re Home Depot, Inc. Customer Data Security Breach Litigation, 2016 WL 2897520 (N.D. Ga. 2016); Target Corp. Data Sec. Breach Litigation, 66 F. Supp.3d 1154 (Minn. D. Ct. 2014); and Sovereign Bank v. BJ’s Wholesale Club, Inc., 395 F. Supp.2d 183, 193-96 (M.D. Penn. 2005). The District Court found these cases unpersuasive because the record in the Home Depot breach litigation suggest “Home Depot’s data security conduct…was egregious and intentional,” the Target Court relied on provisions that were unique to Minnesota law and the holding in BJ’s Wholesale Club “is frankly outdated.”
The holding in Schnuck’s provides clarity that many courts are not willing to find legislatures intended to create a private cause of action out of state breach notification laws. Rather, as pointed out by the Schnucks court, plaintiff’s may need to show a data breach resulted from the “egregious and intentional” conduct seen in the Home Depot breach litigation. The Schnucks court distinguishes this case from the record in the Home Depot litigation where there was evidence showing Home Depot may have ignored warning signs of poor data security “and even went so far as to fire tech employees who tried to alert the company to the risks of the poor data security measures.”
The cyber security world has dramatically changed since the Home Depot breach and many data collectors have gained a better understanding of the importance of network security. Therefore, there is less chance that a breach today would be handled in the same manner as the Home Depot breach. Consequently, plaintiffs may have difficulty showing this level of intentional conduct giving rise to recent data breaches.