USAA Federal Savings Bank v. PLS Financial Services, Inc. et al
Filing
129
OPINION AND ORDER. For the reasons stated in the accompanying Opinion and Order, the Court grants PLS' motion for judgment on the pleadings 87 . The Court dismisses the negligence claim (Count I) with prejudice. Signed by the Honorable Sara L. Ellis on 10/23/2018:Mailed notice(rj, )
UNITED STATES DISTRICT COURT
NORTHERN DISTRICT OF ILLINOIS
EASTERN DIVISION
USAA FEDERAL SAVINGS BANK,
)
)
Plaintiff,
)
)
v.
)
)
PLS FINANCIAL SERVICES, INC., PLS
)
GROUP, INC., THE PAYDAY LOAN
)
STORE OF ILLINOIS, INC., and PLS CHECK )
CASHERS OF ILLINOIS,
)
)
Defendants.
)
No. 16 C 7911
Judge Sara L. Ellis
OPINION AND ORDER
After Plaintiff USAA Federal Savings Bank (“USAA”) lost over $7,000,000 in a
fraudulent check cashing scheme, USAA filed suit against Defendants PLS Financial Services,
Inc., PLS Group, Inc., The Payday Loan Store of Illinois, Inc. 1 (collectively, “PLS”), and PLS
Check Cashers of Illinois (“PLS Check”). In its third amended complaint, USAA claims that
PLS acted negligently in protecting USAA members’ financial information so as to allow third
parties to create fraudulent checks with that information and that PLS violated the Illinois
Consumer Fraud and Deceptive Business Practices Act (“ICFA”), 815 Ill. Comp. Stat. 505/1 et
seq. PLS moves for judgment on the pleadings with respect to USAA’s negligence claim. 2
1
The Payday Loan Store of Illinois, Inc. is now known as PLS Financial Solutions of Illinois, Inc.
PLS filed its motion for judgment on the pleadings with respect to USAA’s second amended complaint.
After the parties completed briefing on the motion, USAA moved for leave to file a third amended
complaint that added PLS Check as a party and included additional facts to support its claims. The
parties acknowledged that the third amended complaint does not affect the legal arguments at issue. But
because PLS has not yet filed an answer to the third amended complaint, the Court treats PLS’ motion as
one to dismiss the negligence claim in the third amended complaint. Although PLS Check has not yet
filed an appearance in the case, because PLS’ arguments for dismissal apply equally to PLS Check, the
Court extends them to PLS Check because USAA had the opportunity to respond to them. See Malak v.
Associated Physicians, Inc., 784 F.2d 277, 280 (7th Cir. 1986) (court may sua sponte enter judgment in
2
Because the statute, regulations, and stipulated final judgment on which USAA relies do not
provide a basis to state a negligence claim, the Court dismisses USAA’s negligence claim.
BACKGROUND 3
USAA provides banking services to members and veterans of the United States military.
PLS, through the four individually named Defendants, provides check cashing and payday
lending services at approximately 300 retail locations in eleven states, including Illinois. The
individual Defendants share common directors, officers, and office locations, with centralized
recordkeeping and computer systems, and have similar business practices. PLS is not a bank and
does not provide bank accounts to its customers. Instead, PLS charges customers a fee to cash
checks, obtain money orders, and use other financial services.
As part of its business, PLS cashes checks drawn on USAA. In cashing these checks, as
with any other checks, PLS obtains certain information about the drawer of the check and the
bank on which the check is drawn from the face of the check, including the drawer’s name, the
check number, account number, bank routing number, drawer’s signature, and MICR
information. 4 PLS makes an electronic copy of the check before forwarding the check to the
drawer’s bank for payment.
favor of additional non-moving defendants if motion by one defendant is equally effective in barring
claim against other defendants and plaintiff had adequate opportunity to respond to the motion); Roberts
v. Cendant Mortg. Corp., No. 1:11-CV-01438-JMS, 2013 WL 2467996, at *5 (S.D. Ind. June 7, 2013)
(although three defendants had not entered appearances and it was not clear if they had been served, court
could impute arguments made by other defendant to all of them and dismiss claims against all
defendants).
The facts in the background section are taken from USAA’s third amended complaint and the exhibits
attached thereto and are presumed true for the purpose of resolving PLS’ motion. See Virnich v. Vorwald,
664 F.3d 206, 212 (7th Cir. 2011); Local 15, Int’l Bhd. of Elec. Workers, AFL-CIO v. Exelon Corp., 495
F.3d 779, 782 (7th Cir. 2007).
3
MICR stands for magnetic ink character recognition. The MICR information contains certain encoded
information used to verify the legitimacy of checks.
4
2
In October 2012, the Federal Trade Commission (“FTC”) and PLS agreed to settle a suit
brought by the FTC against PLS in which the FTC alleged that PLS did not properly secure its
customers’ personal information. The stipulated final judgment required PLS to develop a
comprehensive information security program to protect the security, confidentiality, and integrity
of consumers’ personal information, including consumers’ names, addresses, and financial
institution account numbers. PLS also agreed to take reasonable measures to protect against
unauthorized access to or use of such information. PLS thereafter adopted several internal
policies, requiring unique user IDs and difficult-to-guess passwords that users must change every
thirty days.
Problems with unauthorized access to PLS customers’ personal information continued,
however. Specifically, a group of individuals engaged in a check-cashing scheme, creating
counterfeit checks using information obtained from PLS employees. The government has
charged or indicted at least nine individuals for their involvement in this scheme. To facilitate
the scheme, PLS employees provided third parties with access to PLS’ computer systems,
allowing these third parties to copy check images and produce counterfeit checks based off those
images. The checks ranged from between $5 and $10,000. The third parties then used these
counterfeit checks, which included checks drawn on USAA, to obtain money through various
schemes. PLS employees involved in the scheme took a portion of the illegally obtained funds
when they were withdrawn through PLS. The payor banks on the counterfeit checks, including
USAA, ultimately bore the loss because the checks were unauthorized, meaning the members on
whose accounts the checks were drawn could not be held liable for them. USAA has discovered
over 2,000 original checks from its members that members cashed at PLS and schemers
3
subsequently counterfeited, causing USAA to incur $7,865,518.31 in damages associated with
the payment of the forged checks.
In October 2014, USAA notified PLS of the counterfeiting and requested help in
coordinating an investigation into the issue. Another bank in New York also notified PLS of a
similar scheme in December 2014. PLS then began investigating the issue, learning that an
individual accessed Digicheck, PLS’ database of check images, from within PLS to obtain the
information needed to create counterfeit checks. In February 2015, PLS found internal
weaknesses related to application controls and memorialized these findings in an April 2015
memorandum. In addition to this investigation, PLS also undertook an audit in 2015, which
revealed that PLS was not following its access control policies. Despite discovering these
weaknesses, however, PLS did not act and instead allowed the fraudulent check scheme to
continue. And while USAA implemented several rules to restrict fund availability in an attempt
to respond to the check scheme, these efforts did not fully address the harm.
LEGAL STANDARD
A motion to dismiss under Rule 12(b)(6) challenges the sufficiency of the complaint, not
its merits. Fed. R. Civ. P. 12(b)(6); Gibson v. City of Chicago, 910 F.2d 1510, 1520 (7th Cir.
1990). In considering a Rule 12(b)(6) motion to dismiss, the Court accepts as true all wellpleaded facts in the plaintiff’s complaint and draws all reasonable inferences from those facts in
the plaintiff’s favor. AnchorBank, FSB v. Hofer, 649 F.3d 610, 614 (7th Cir. 2011). To survive
a Rule 12(b)(6) motion, the complaint must not only provide the defendant with fair notice of a
claim’s basis but must also be facially plausible. Ashcroft v. Iqbal, 556 U.S. 662, 678, 129 S. Ct.
1937, 173 L. Ed. 2d 868 (2009); see also Bell Atl. Corp. v. Twombly, 550 U.S. 544, 555, 127 S.
Ct. 1955, 167 L. Ed. 2d 929 (2007). “A claim has facial plausibility when the plaintiff pleads
4
factual content that allows the court to draw the reasonable inference that the defendant is liable
for the misconduct alleged.” Iqbal, 556 U.S. at 678.
ANALYSIS
PLS seeks the dismissal of USAA’s negligence claim. To succeed on its negligence
claim, USAA must establish that (1) PLS owed USAA a duty, (2) PLS breached that duty, and
(3) PLS’ breach proximately caused USAA injury. Rhodes v. Ill. Cent. Gulf R.R., 665 N.E.2d
1260, 1267, 172 Ill. 2d 213, 216 Ill. Dec. 703 (1996). USAA contends that PLS’ violation of
various statutes, regulations, and orders constitutes prima facie evidence of negligence, relying
on Kalata v. Anheuser-Busch Cos., 581 N.E.2d 656, 661, 144 Ill. 2d 425, 163 Ill. Dec. 502
(1991) and Davis v. Marathon Oil Co., 356 N.E.2d 93, 97, 64 Ill. 2d 380, 1 Ill. Dec. 93 (1976).
These cases establish that USAA may have a negligence claim for violation of a statute,
regulation, or order, notwithstanding the Court’s prior conclusion that no common law duty
exists to safeguard personal information. See Kalata, 581 N.E.2d at 661; Davis, 356 N.E.2d at
97. USAA cites to the Graham-Leach-Bliley Act (“GLBA”) and two accompanying regulations,
the Privacy of Consumer Financial Information Rule (the “Privacy Rule”), 16 C.F.R. § 313, and
the Standards for Safeguarding Customer Information (the “Safeguards Rule”), 16 C.F.R. § 314,
in addition to arguing that PLS violated a stipulated final judgment it entered into with the FTC.
PLS argues that the statutes, regulations, and orders USAA cites do not create legally
enforceable duties so as to sustain a negligence claim. 5
The Court notes that PLS’ current argument seeking dismissal of the negligence claim differs from the
argument it raised to oppose the filing of USAA’s second amended complaint. In opposing that filing,
PLS argued that the statutes, regulations, and orders on which USAA relied did not apply to the
relationship between USAA and PLS because they relate to the protection of a financial institution’s
customers’ information and not PLS’ handling of non-customers’ personal information. See Doc. 53 at 2.
The Court allowed USAA to file its amended negligence claim, concluding that USAA had set forth a
sufficient basis to proceed, particularly in light of legislative history suggesting that the Safeguards Rule
covered more than just a financial institution’s own customers’ information. Id. Although the Court
5
5
A.
The GLBA, the Privacy Rule, and the Safeguards Rule
First, PLS argues that to the extent USAA’s negligence claim depends on the GLBA, the
Privacy Rule, and the Safeguards Rule, it fails because Congress did not intend to create a
private right of action to enforce this statute and its regulations. To pursue a negligence claim
based on a violation of a statute or regulation, USAA must show (1) that it falls within the class
intended to be protected by the statute or regulation, and (2) the injury USAA suffered directly
and proximately resulted from the violation. Kalata, 581 N.E.2d at 661. Additionally, because
USAA seeks to enforce a federal statute and regulations, the Court “must also consider the policy
underlying the legislation and the overriding purpose of the act” to determine if a private cause
of action exists. Martin by Martin v. Ortho Pharm. Corp., 661 N.E.2d 352, 355, 169 Ill. 2d 234,
214 Ill. Dec. 498 (1996). “The determining factor in addressing the issue of implied private
rights with regard to Federal legislation is legislative intent.” Id. The Court must consider
“whether such a cause of action has been recognized by the Federal courts or whether
recognizing such a cause of action comports with Federal legislative intent.” Id.
PLS argues that Martin forecloses this part of USAA’s claim because Congress did not
intend to create a private right of action under the GLBA, the Privacy Rule, and the Safeguards
Rule. Notwithstanding the GLBA’s stated policy that “each financial institution has an
affirmative and continuing obligation to respect the privacy of its customers and to protect the
security and confidentiality of those customers’ nonpublic personal information,” 15 U.S.C.
§ 6801(a), it is well-recognized that the GLBA does not provide a private right of action to
enforce its rules. Am. Fam. Mut. Ins. Co. v. Roth, No. 05 C 3839, 2005 WL 3700232, at *6–9
(N.D. Ill. Aug. 5, 2005) (“In light of Congress’s carefully crafted enforcement and rule-making
indicated it would not entertain a motion to dismiss the negligence claim, id. at 1, PLS has raised a
different basis for dismissal, which the Court finds appropriate to address here.
6
scheme–which entrusts enforcement of the [GLBA] to federal and state agencies, while making
no provision for private enforcement–all the courts that have considered the question of the
existence of an implied claim or cause of action have concluded that none exists.” (collecting
cases)), report & recommendation adopted, 2006 WL 2192004 (N.D. Ill. July 27, 2006); see also
Butler v. CitiMortgage, Inc., No. 17 C 05168, 2017 WL 3620744, at *4 (N.D. Ill. Aug. 23, 2017)
(collecting cases). Similarly, the lack of a private right of action under the GLBA forecloses a
right of action under its regulations, including the Privacy Rule and the Safeguards Rule, for the
agency cannot create a private right of action not authorized by Congress. See Alexander v.
Sandoval, 532 U.S. 275, 291, 121 S. Ct. 1511, 149 L. Ed. 2d 517 (2001) (“Language in a
regulation may invoke a private right of action that Congress through statutory text created, but it
may not create a right that Congress has not.”); Briggs v. Emporia State Bank & Tr. Co., No. 052125-JWL, 2005 WL 2035038, at *4 (D. Kan. Aug. 23, 2005) (noting that regulations cannot
create private rights of action where no right exists under the authorizing statute and concluding
that “regulations promulgated under [the GLBA] cannot provide such a right of action” where
the GLBA itself does not provide a private right of action).
This does not mean, as USAA argues, that PLS had no duty to safeguard personal
information and is “invulnerable to these laws.” See Doc. 103 at 1, 9. It only means that USAA
cannot enforce violations of these rules, with enforcement left instead to state and federal
regulators. See Am. Fam. Mut. Ins. Co., 2005 WL 3700232, at *10 (noting that “[d]enying the
kind of enforcement authority that Congress chose not to accord financial institutions does not
leave misappropriators free to use with impunity the fruits of their illicit endeavors”); 15 U.S.C.
§ 6805 (GLBA’s enforcement provision providing that the GLBA and its regulations “shall be
enforced by the Bureau of Consumer Financial Protection, the Federal functional regulators, the
7
State insurance authorities, and the Federal Trade Commission”). Because the GLBA, the
Privacy Rule, and the Safeguards Rule do not allow for a private right of action, following
Martin, USAA’s negligence claim based on these rules fails.
B.
FTC Stipulated Final Judgment
USAA also argues that the stipulated final judgment between PLS and the FTC creates a
duty because it is an administrative order designed to protect property. See Davis, 356 N.E.2d at
97 (“We find no convincing reason why violation of administrative rules, regulations, and orders
designed to protect human life or property should not also be considered Prima facie evidence of
negligence, provided they are validly adopted and have the force of law.”). The parties disagree
about how to characterize the stipulated final judgment and whether USAA, a non-party to that
judgment, can enforce it.
As USAA acknowledges, the stipulated final judgment between PLS and the FTC
amounts to a consent decree, with “the parties’ agreement . . . serv[ing] as the source of the
court’s authority to enter any judgment at all.” Local No. 93, Int’l Ass’n of Firefighters, AFLCIO C.L.C. v. City of Cleveland, 478 U.S. 501, 521, 106 S. Ct. 3063, 92 L. Ed. 2d 405 (1986).
The Supreme Court has held that “a consent decree is not enforceable directly or in collateral
proceedings by those who are not parties to it even though they were intended to be benefited by
it.” Blue Chip Stamps v. Manor Drug Stores, 421 U.S. 723, 750, 95 S. Ct. 1917, 44 L. Ed. 2d
539 (1975). Many courts have interpreted this ruling narrowly, allowing intended third-party
beneficiaries to sue to enforce a consent decree. See United States v. Dominion Energy, Inc., No.
13-cv-03086, 2014 WL 1476600, at *8–9 (C.D. Ill. Apr. 15, 2014) (collecting cases and noting
that the Seventh Circuit, in South v. Rowe, 759 F.2d 610 (7th Cir. 1985), allowed such
intervention to enforce a consent decree without citing to Blue Chip Stamps). But such an
8
exception “does not apply to consent decrees resulting from actions brought by the government.”
Hodges by Hodges v. Pub. Bldg. Comm’n of Chicago, 864 F. Supp. 1493, 1508–09 (N.D. Ill.
1994). The stipulated final judgment at issue here, in a case brought by the FTC, does not
provide for enforcement by USAA or other third parties. This means that USAA cannot pursue
its negligence claim against PLS based on obligations set forth in the stipulated final judgment,
where such a claim amounts to a collateral proceeding to enforce PLS’ obligations under that
judgment. See Jawad v. Hudson City Sav. Bank, 636 F. App’x 319, 322 (6th Cir. 2016)
(affirming dismissal of negligence claim for lack of duty where plaintiffs claimed the duty arose
from consent judgment, but plaintiffs were not parties to that judgment). The Court therefore
dismisses USAA’s negligence claim predicated on the stipulated final judgment.
C.
USAA’s Request to Amend
In its response to PLS’ motion, USAA included a request to amend to include the
violation of the Illinois Personal Information Protection Act as a basis for a prima facie
negligence claim. The Court granted USAA leave to file a third amended complaint after USAA
made this request. Despite having previously identified the Illinois Personal Information
Protection Act as a potential basis for such claim, USAA did not include it as a basis for its
negligence claim in the third amended complaint. Having considered the viability of USAA’s
evolving negligence claim on more than one occasion and allowed USAA to amend its complaint
three times, the Court finds USAA’s latest attempt to salvage its negligence claim comes too
late. For that reason, the Court denies USAA’s request for leave to amend and dismisses
USAA’s negligence claim with prejudice.
9
CONCLUSION
For the foregoing reasons, the Court grants PLS’ motion for judgment on the pleadings
[87]. The Court dismisses the negligence claim (Count I) with prejudice.
Dated: October 23, 2018
______________________
SARA L. ELLIS
United States District Judge
10
Disclaimer: Justia Dockets & Filings provides public litigation records from the federal appellate and district courts. These filings and docket sheets should not be considered findings of fact or liability, nor do they necessarily reflect the view of Justia.
Why Is My Information Online?