Community Bank of Trenton et al v. Schnuck Markets, Inc.
Filing
50
ORDER: For the reasons stated in the attached memorandum and order, the Court GRANTS Schnucks's motion to dismiss (Doc. #27): Counts 1-5 and 8-12 are DISMISSED without prejudice under Illinois and Missouri law, and Counts 6 and 7 are DISMISSED with prejudice under Illinois law and without prejudice under Missouri law. Because all of the substantive claims in this case have been dismissed, the Plaintiffs are DIRECTED to file a first amended complaint by Wednesday, October 19, 2016. If they fail to do so, this entire action will be dismissed and the case will be closed. Signed by Chief Judge Michael J. Reagan on 9/28/2016. (wtw)
IN THE UNITED STATES DISTRICT COURT
FOR THE SOUTHERN DISTRICT OF ILLINOIS
COMMUNITY BANK OF TRENTON,
UNIVERSITY OF ILLINOIS
EMPLOYEES CREDIT UNION,
FIRST FEDERAL SAVINGS
BANK OF CHAMPAIGN-URBANA,
and SOUTHPOINTE CREDIT UNION,
individually and on behalf of all
similarly situated payment card issuers,
Plaintiff,
vs.
SCHNUCK MARKETS, INC.,
Defendant.
Case No. 15-cv-01125-MJR
MEMORANDUM AND ORDER
REAGAN, Chief District Judge:
A. Introduction and Procedural Overview
Between December 2012 and March 2013, Schnucks (Defendant), a local grocer, fell prey to
the increasingly common woe of a major data breach. As a result of the breach, numerous
customers’ personal information was put at risk, and numerous financial institutions (Plaintiffs)
were required to assist their customers in remedying their personal financial risks and losses. A
number of the financial institutions forced to spend money and time bailing out their customers
filed suit against Schnucks alleging violations of the civil provisions of the Racketeer Influenced
and Corrupt Organizations Act (“RICO”), contractual breaches, and basic torts. The case is now
before the Court on Schnucks’s motion to dismiss.[1]
Plaintiffs brought this action before the Court, arguing two federal jurisdictional grounds—
18 U.S.C. 1961, et seq., pursuant to 18 U.S.C. 1964(a) & (c) (“RICO”); and 28 U.S.C. 1332(d)
(“CAFA”). RICO claims would provide an appropriate basis for federal question jurisdiction
because RICO is a federal statute. CAFA would provide an appropriate basis for jurisdiction
because at least one Plaintiff is an Illinois corporation and Schnucks is a Missouri corporation.
Assuming, without deciding, that either RICO claims or the other CAFA prerequisites could be
satisfied, this Court has jurisdiction over this action. Schnucks does not contest either of these
grounds for jurisdiction, and the Court finds that it enjoys subject matter jurisdiction pursuant
to either ground. Venue is also appropriate because at least one Plaintiff—Community Bank of
Trenton—is located in the Southern District of Illinois, East St. Louis Division, and Schnucks
resided, was found, and conducted business in the Southern District of Illinois, East St. Louis
Division.
This Court accepts all factual allegations as true when reviewing a 12(b)(6) motion to
dismiss. Erickson v. Pardus, 551 U.S. 89, 94 (2007). To avoid dismissal for failure to state a claim, a
complaint must contain a short and plain statement of the claim sufficient to show entitlement
to relief and to notify the defendant of the allegations made against him. FED. R. CIV. P. 8(a)(2);
Bell Atl. Corp. v. Twombly, 550 U.S. 544, 555-57 (2007). In order to meet this standard, a complaint
must describe the claims in sufficient factual detail to suggest a right to relief beyond a
speculative level. Id.; Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009); EEOC v. Concentra Health Servs.,
496 F.3d 773, 776 (7th Cir. 2007). A complaint need not contain detailed factual allegations, Scott
v. Chuhak & Tescon, P.C., 725 F.3d 772, 782 (7th Cir. 2013), but it must go beyond “mere labels
and conclusions” and contain “enough to raise the right to relief above the speculative level,”
G&S Holdings, LLC v. Cont’l Cas. Co., 697 F.3d 534, 537-38 (7th Cir. 2012).
[1] Schnucks appended a number of contracts to the Motion to Dismiss, arguing that the documents could
be considered by the Court because the documents were referred to in the Plaintiffs’ Complaint and were
central to their claims. The Court does not comment on its ability to use these documents, but notes that
the documents were not considered in reviewing the Motion to Dismiss.
The Seventh Circuit has outlined the boundaries of 12(b)(6) with two major principles. First,
that although facts in the pleadings must be accepted as true and construed in the plaintiff’s
favor, allegations in the form of legal conclusions are insufficient to survive a motion to dismiss.
McReynolds v. Merrill Lynch & Co., Inc., 694 F.3d 873, 885 (7th Cir. 2012). And, second, “the
plausibility standard calls for ‘context-specific’ inquiry that requires the court ‘to draw on its
judicial experience and common sense.’” Id. Threadbare recitals of elements and conclusory
statements are not sufficient to state a claim. Id. Put another way, to survive a motion to dismiss
“the plaintiff must give enough details about the subject-matter of the case to present a story
that holds together [. . .] the court will ask itself could these things have happened, not did they
happen.” Swanson v. Citibank, N.A., 614 F.3d 400, 404 (7th Cir. 2010).
Furthermore, Federal Rule of Civil Procedure 9(b) requires that allegations of fraud be pled
with particularity—a heightened standard of pleading. Windy City Metal Fabricators & Supply,
Inc. v. CIT Technology Financing Serv., Inc., 536 F.3d 663, 668 (7th Cir. 2008). Particularity requires
alleging the circumstances of fraud or mistake, including: “the identity of the person who made
the misrepresentation, the time, place, and content of the misrepresentation, and the method by
which the misrepresentation was communicated to the plaintiff.” Id. (internal citation omitted).
The complete lack of information about the timing, place, or manner of communicating alleged
misrepresentations may render a claim insufficiently pled, particularly where the plaintiffs are
the alleged audience for the misrepresentations. See Gandhi v. Sitara Capital Mgmt., LLC, 721 F.3d
865, 870 (7th Cir. 2013).
The case before the Court presents an impressive 13 different theories of relief for the
Plaintiffs to recover against Schnucks. Many of the theories have been tested in other data
breach litigation against major retailers across the country, such as Target, Jimmy Johns, Barnes
and Noble, Home Depot, and Neiman Marcus, to name a few.[2] However, there is a critical
distinction between the present set of claims, and those presented in the aforementioned
cases—the claims in the present case are being brought by the financial institutions as opposed to
by the merchant’s customers. In actions brought by customers, there are typically at least a few
plaintiffs who identify tangible harms such as fraudulent charges on their accounts, late fees
incurred as a result of fraudulent activity, and costs incurred in acquiring ongoing identity theft
monitoring services. In the cases brought by customers, parties have effectively illustrated
plausible claims for relief under various theories by appealing to the common life experience of
a consumer walking into a merchant to buy a sandwich or a book. The concrete fraud charges
on customer payment cards and the familiar expectations of a store customer make the claims in
those cases hold together to illustrate a plausible story.
[2] Lewert v. P.F. Chang’s China Bistro, Inc., 819 F.3d 963 (7th Cir. 2016) (customer suit reversed and
remanded after standing found appropriate); Irwin v. Jimmy John’s Franchise, LLC, 2016 WL 1355570 (C.D.
Ill. 2016) (customer suit with certain claims under Illinois law dismissed); In re Home Depot, Inc., Customer
Data Security Breach Litigation, 2016 WL 2897520 (N.D. Ga. 2016) (customer suit involving 56 million
customers allowed to proceed on certain claims beyond motion to dismiss); Remijas v. Neiman Marcus
Group, LLC, 794 F.3d 688 (7th Cir. 2015) (customer suit, standing found to be proper); In re Target Corp.
Data Sec. Breach Litigation, 66 F.Supp.3d 1154 (Minn. D. Ct. 2014) (customer suit dismissed as to some
claims, allowed to proceed as to others); In re Barnes & Noble Pin Pad Litigation, 2013 WL 4759588 (N.D. Ill.
2013) (customer suit dismissed on standing grounds).
By contrast, in the present litigation, the allegations of harms sustained are general. For
example, the Complaint says that of the potentially 2.4 million cards breached, the payment
card processor only alerted Schnucks to fraudulent activity on “a handful of payment cards”
(Doc. 1 at 19, ¶ 43). The Complaint alleges that Plaintiffs have incurred and will continue to
incur costs to: cancel and reissue cards; close and reopen accounts; notify customers; and,
investigate and monitor for fraud. Plaintiffs allege that they may also lose profits if customers
use payment cards less frequently. The Complaint also makes an ambiguous statement that
“[w]hile Schnucks threw consumers somewhat of a bone in an effort to rebuild customer loyalty
and improve its financial outlook, it has not offered Plaintiffs and Class Members any
compensation for the damages they have suffered (and will continue to suffer)” (Id. at 23, ¶ 58).[3]
The Court finds that more than just the harms are general—all of the pleadings in this case
are highly general. Though the case centers on the notion that Schnucks made fraudulent
representations or omissions regarding their data security practices, the Complaint simply says
“[t]he dates and substance of Schnucks’s internal and external fraudulent communications, via
the interstate wires, in furtherance of the above-described schemes, as well as its fraudulent
communications to Plaintiffs and Class Members, via the interstate wires, in furtherance of such
schemes to cheat and defraud are in Schnucks’s possession, custody, and control, and await
discovery” (Doc. 1 at 26, ¶ 66). Despite vague allegations about the precise statements or
omissions, Plaintiffs nevertheless seem to argue that they relied on said bad information in
releasing customer funds to Schnucks, but that they would not have done so had they known of
poor data security.
[3] In much of the other data breach litigation, standing has been scrutinized closely. However, that issue
has not been put before the Court at this juncture, so the Court is not considering the harms stated from
that perspective without the benefit of argument from the parties.
Schnucks’s Motion to Dismiss (Doc. 27) and the Plaintiffs’ Response (Doc. 31) suffer
from the same level of generality and ambiguity. In those pleadings, the parties spent much
time reciting elements of claims and identifying precedent without particularizing their
arguments to the facts of the case before the Court. The Court also notes receipt of Schnucks’s
reply brief (Doc. 32), Plaintiffs’ supplemental authority and letter brief (Doc. 36), and Schnucks’s
response to the authority (Doc. 37). Though the Court recognizes that the parties are charting
relatively new territory in the data breach context by presenting a case between financial
institutions and a merchant (as opposed to customers and a merchant), and that the parties
were subject to page limits in filing, the Court notes that the generality made it difficult to assess
the plausibility of the potential claims. For this reason, the Court dismissed many of the claims
without prejudice to allow the Plaintiffs an opportunity to file more substantive pleadings.
After a brief synopsis of the factual allegations, the Court will assess each of the 13 claims in
turn.
B. Factual Allegations
Between December 2012 and March 2013, Schnucks experienced a data breach, which made
payment card information transmitted through their computer system vulnerable to attack by
cyber criminals. The data breach may have affected as many as 2.4 million cardholders who
shopped at Schnucks during the timeframe of the breach. Plaintiffs allege that the breach took
place in the “internal processing environment” of Schnucks’s computers. Specifically, Plaintiffs
allege that data was at risk from the time of swipe at the point-of-sale terminal as it was
awaiting approval by the third-party payment processors. During this waiting period, Plaintiffs
allege that payment card numbers and expiration dates “(and possibly more information)” were
erroneously held in its unencrypted format on Schnucks’s computers, in violation of industry
standards (Doc. 1 at 18, ¶ 41).
Plaintiffs describe the web of payment processing as follows: a customer swipes a card at
the point-of-sale terminal; the card information goes from the point-of-sale terminal into the
merchant’s register; the information is stored in remote access memory in that register; and, the
data sits on the memory of that computer while the merchant awaits transaction approval.
Approval entails the merchant communicating the request for payment to its acquiring bank
(Citicorp), who in turn relays the request to its third-party processor (First Data). The processor
(First Data) communicates with the issuing bank. The issuing bank (the Plaintiffs in this case)
approves or declines the transaction based on the availability of funds in a cardholder’s account.
Meanwhile, once approval is secured, the merchant processes the transaction and sends a
receipt to its acquiring bank (Citicorp). The acquiring bank then pays the merchant, and works
with the issuing bank for ultimate reimbursement from the cardholder’s funds.
The level of data security over this web of transactions is guided by industry standards (the
PCI DSS) and agreements between merchants, Visa and MasterCard, acquiring banks, and
third-party processors. Plaintiffs allege that Schnucks captured track data in its computer
system including: cardholder names, account numbers, expiration dates, CVV codes, and PIN
numbers for debit cards. Plaintiffs allege that this information must be encrypted. Industry
standards require that merchants only store information on the front of the card, and only if it is
encrypted. Plaintiffs allege that the data stolen from Schnucks was “the account numbers and
expiration dates (and possibly more information)” (Doc. 1 at 18, ¶ 41). Plaintiffs allege that this
information was poached from Schnucks’s computers “before it [was] transmitted somewhere
else” (Doc. 1 at 20, ¶ 46). Plaintiffs allege that because the data was not encrypted, the hackers
were able to use it freely.
Plaintiffs allege that had Schnucks followed industry security standards, the breach would
not have happened. They allege that Schnucks fell far short of industry standards because: it
knew its security procedures were outdated and ineffective; it knew it was out of compliance
with industry standards; it failed to file routine quarterly data compliance reports; it knowingly
and recklessly failed to implement or maintain adequate data procedures; it permitted a delay
between the March 14, 2013, discovery of the breach and March 28, 2013, when the breach was
isolated, or March 30, 2013, when the breach was neutralized; and, it failed to implement
preventative measures such as an enterprise risk management system, antivirus and firewall
software, and layered security.
Plaintiffs are pursuing the following theories of relief: Counts 1-3 are RICO and RICO
conspiracy claims; Count 4 claims breach of a fiduciary duty; Counts 5-7 allege varying degrees
of negligence; Counts 8-9 allege breaches of contractual relationships; Count 10 alleges violation
of the Illinois Consumer Fraud and Deceptive Business Practices Act; Count 11 alleges unjust
enrichment; Count 12 seeks equitable subrogation; and Count 13 seeks declaratory and
injunctive relief. The Court will address each count in turn, because there are varying standards
of pleading for the different claims.
C. Legal Analysis
1-3. RICO Claims
The Plaintiffs’ RICO claims make three simple assertions. First, that Schnucks violated 18
U.S.C. § 1962(c) via their acts of bank and wire fraud in processing customer transactions at
their retail grocery outlets. Second, that Schnucks conspired to take proceeds from their
fraudulent activity to reinvest in the operation of their ongoing business, in violation of 18
U.S.C. § 1962(a) and (d). And, third, that Schnucks conspired to commit wire and bank fraud in
violation of § 1962(c) and (d). All three claims fail for a lack of particularity and plausibility for
reasons that will be discussed in turn.
To allege a violation of section 1962(c), the plaintiff must allege that the defendant (1) was
employed by or associated with (2) an enterprise engaged in, or the activities of which affected,
interstate or foreign commerce, and (3) that the person conducted or participated in the conduct
of the enterprise’s affairs (4) through a pattern of racketeering activity. Haroco, Inc. v. Am. Nat.
Bank and Trust Co. of Chicago, 747 F.2d 384, 387 (7th Cir. 1984). An “enterprise” includes any
individual, partnership, corporation, association, or other legal entity, and any union or group
of individuals associated in fact although not a legal entity. 18 U.S.C. § 1961 (4). A “person”
includes any individual or entity capable of holding a legal or beneficial interest in property. 18
U.S.C. § 1961 (3). And, a “pattern of racketeering activity” requires at least two acts of
racketeering activity. 18 U.S.C. § 1961 (5).
For purposes of alleging a violation of § 1962(c), a corporation “may satisfy the section
1961 definitions of both ‘person’ and ‘enterprise[.]’” Haroco, 747 F.2d at 400. However,
allegations of § 1962(c) violations are not sufficient if they allege that a single corporation is
both the person and the enterprise in the same scheme of racketeering activity. See Haroco, 747
F.2d at 399-403 (“1962(c) requires separate entities as the liable person and the enterprise which
has its affairs conducted through a pattern of racketeering activity”).
To establish a pattern of racketeering activity, “the predicate acts must exhibit
‘continuity plus relationship.’” Empress Casino Joliet Corp. v. Balmoral Racing Club, Inc., 2016 WL
4097439 *1, *8 (7th Cir. Aug. 2, 2016). The relationship component may be satisfied where the
predicate acts have the same or similar purposes, results, participants, victims, or methods of
commission, or are otherwise interrelated by distinguishing characteristics, and are not isolated
events. Id. The continuity component requires that the RICO allegations identify schemes meant
to last over a long period of time as opposed to one-off instances of criminal behavior. Id.
Closed-end continuity “is satisfied by a series of related predicates extending over a substantial
period of time.” Id. (citation omitted). By contrast, open-ended continuity “is satisfied by past
conduct that by its nature projects into the future with a threat of repetition.” Id. Open-ended
continuity may be satisfied when “(1) a specific threat of repetition exists, (2) the predicates are
a regular way of conducting [an] ongoing legitimate business, or (3) the predicates can be
attributed to a defendant operating as part of a long-term association that exists for criminal
purposes.” Id. A nexus to organized crime is not a requirement to allege a pattern of RICO
activity. See H.J. Inc. v. Northwestern Bell Telephone Co., 492 U.S. 229, 249 (1989).
Here, Plaintiffs allege that Schnucks was a person for purposes of RICO and the VISA
and MasterCard networks were enterprises. Plaintiffs allege that Schnucks and the enterprises
participated in interstate commerce, that Schnucks conducted the activities of the enterprises,
and that as a result of Schnucks’s conduct via the enterprises, the Plaintiffs have suffered and
will continue to suffer from a pattern of open-ended and continuous harm. As to the predicate
acts that constitute a pattern of harmful activity, the Plaintiffs allege that Schnucks’s conduct
over its data network constituted both wire and bank fraud, in violation of §§ 1343 and 1344,
respectively. Wire fraud is alleged to have occurred based upon Schnucks’s representations via
electronic communications that it maintained safe data procedures and its requests for
authorization of transactions despite unsafe data practices, while bank fraud is alleged to have
occurred based upon Schnucks securing payment from the Plaintiffs and their customers via
credit or debit cards.
The elements of wire fraud under § 1343 are: a scheme to defraud, a false representation,
and use of interstate communications. U.S. v. Pritchard, 773 F.2d 873, 876 (7th Cir. 1985).
Allegations of fraud must be pled with particularity by identifying the circumstances
constituting fraud or mistake. FED. R. CIV. P. 9(b). In considering wire fraud as a predicate to a
RICO claim, a number of courts have found that plaintiffs failed to meet the requisite
particularity requirement where the allegations about omissions or misrepresentations were
broad or conclusory. Specifically, in Ray v. Spirit Airlines, Inc., 126 F.Supp.3d 1332 (S.D. Fla.
2015), a court recently found that general allegations were insufficient to state a claim under
RICO where the plaintiffs (airline customers) alleged that they were misled or defrauded by a
statement about airline fees. In declining to recognize a RICO claim, the Ray Court emphasized
the fact that the plaintiffs were unable to say where they saw the allegedly misleading
statements, or what about the statements misled them. However, in order to establish a claim
for wire or bank fraud a plaintiff need not establish actual reliance on the allegedly offending
representation. Bridge v. Phoenix Bond & Indem. Co., 553 U.S. 639, 649-50 (2008).
The elements of bank fraud under § 1344 are: knowing execution, or attempted
execution of “a scheme or artifice—(1) to defraud a financial institution; or (2) to obtain any of
the moneys, funds, credits, assets, securities, or other property owned by, or under the custody
or control of, a financial institution, by means of false or fraudulent pretenses, representations,
or promises.” § 1344.
In conjunction with section 1962(c), section 1962(d) provides civil liability for conspiring
to commit RICO violations. The United States Supreme Court held that RICO conspiracy shares
major tenets of common law conspiracy, but, in order to be liable for RICO conspiracy as
opposed to ordinary conspiracy, a plaintiff must show that the defendant’s offensive actions
were racketeering activity within the meaning of § 1962. See Beck v. Prupis, 529 U.S. 494, 504-07
(2000). Thus, a RICO conspiracy claim does not properly lie in the absence of any underlying
violations of section 1962. Id. In reaching this holding, the Supreme Court noted that the
purpose of RICO conspiracy, as opposed to regular conspiracy, was to hold co-conspirators
liable who may not have personally committed racketeering acts, but who acted in concert with
those committing racketeering. Id.; Goren v. New Vision Intern., Inc., 156 F.3d 721, 732 (7th Cir.
1998) (“We have stressed that the touchstone of liability under 1962(d) is an agreement to
participate in an endeavor which, if completed, would constitute a violation of the substantive
statute. Accordingly, in order to plead a viable § 1962(d) claim, a plaintiff must allege that a
defendant ‘agreed to the objective of a violation of RICO.’”).
First, as to the claim that Schnucks should be held liable under § 1962(c) for conducting a
pattern of racketeering activity, the Plaintiffs have failed to adequately plead this claim. The
fatal flaw at this juncture is that the Plaintiffs fail to allege predicate RICO acts with sufficient
particularity as required by Rule 9(b). Plaintiffs accurately allege that there is some lenience in
pleading fraud if a plaintiff alleges that the fraudulent information is solely in control of the
defendant, but it cannot be true that such leniency applies to every facet of a sufficiently
pleaded claim because if that were true the particularity requirement of Rule 9(b) would be
rendered meaningless. See Gandhi, 721 F.3d at 870 (finding that the complete lack of information
about the timing, place, or manner of alleged misrepresentations may render a claim
insufficiently pled, particularly where the plaintiffs were the alleged audience for the
misrepresentations).
As the Seventh Circuit recently noted, wire fraud is something that could hypothetically
be found in every corporate transaction in the modern business world. U.S. v. Weimert, 819 F.3d
351, 356 (7th Cir. 2016). Thus, the Seventh Circuit noted that courts must take care not to stretch
the arms of the fraud statutes too far. The Weimert court urged that, though it is a difficult task,
the limits of the wire and mail fraud statutes must be drawn carefully. Id. at 370. Here, Plaintiffs
have alleged wire fraud based on the general allegation that some aspect of Schnucks’s
wrongdoing passed over the interstate wires, but they do not identify with any degree of
certainty what that ‘thing’ is. Plaintiffs indicate that wire transmissions could have been
involved in seeking authorization of payments or in maintaining Schnucks’s website, but they
do not identify statements made in these forums or the lack thereof that could support a theory
of fraud. They rely on two alternative theories of fraud—misrepresentation or cheating—but
they do not allege with specificity what it was about Schnucks’s conduct that constituted these
things. They do not identify false statements, they do not identify explicit misrepresentations
made to them or their customers assuring that the data security was sufficient, and they do not
explain how it is that Schnucks might have devised some scheme to use wire transmissions as a
cheat.
Applying common sense, it is hard to see how Schnucks could or would have done
these things. Merchants are not in the common practice of posting signs by the register assuring
data security, so surely there cannot be a misrepresentation or omission there, nor is there any
kind of data safety guarantee transmitted across the wires from a merchant to processors when
a card is swiped. What is more, Plaintiffs do not allege that Schnucks communicates directly
with them via the wires. According to Plaintiffs’ version of the facts, Schnucks communicates via
wire with its acquiring bank who then goes through a data processor to contact the Plaintiffs.
This chain does not evidence any direct, or even indirect, statements by Schnucks to the
Plaintiffs.
Plaintiffs also allege that Schnucks was required to file some sort of compliance report
on data security, but they do not allege when that might have been filed, how it was filed, who
it would have been filed with, or what about it was wrong. So again, there is no basis to say a
misrepresentation was transmitted via the wires if and when a compliance report was
completed.
Turning to the cheat theory of fraud, this theory is implausible for two reasons. First, a
‘cheat’ theory of fraud seems to stretch the definition of RICO too far, and, second, even
assuming such a stretch was warranted, the Plaintiffs have not explained what it was about
Schnucks’s conduct that constituted a cheat. Plaintiffs cite a number of cases for the proposition
that there are many theories of fraud which can be flexibly applied to cover a broad swath of
conduct, but Plaintiffs are overextending by trying to use a cheat theory of fraud under RICO
without any factual specificity. The Seventh Circuit has explicitly rejected the seminal case the
Plaintiffs cite for the proposition that fraud is a flexible concept. See Gregory v. U.S., 253 F.2d 104,
109 (5th Cir. 1958) (noting that fraud was a flexible standard designed to encompass “moral
uprightness, of fundamental honesty, fair play and right dealing in the general and business life
of members of society.”); but cf. U.S. v. Holzer, 816 F.2d 304, 309 (7th Cir. 1987) (overruled on
other grounds) (expressly rejecting the Gregory definition of fraud as overbroad). So the
Plaintiffs’ argument that RICO fraud should encompass “cheating” conduct is questionable. But
even taking the proposition as true that cheating conduct can constitute a RICO fraud predicate,
the Plaintiffs have only put forth conclusory statements that they were cheated, without
explaining how or what it was that constituted a cheat.
The notion undergirding the cheating claim is that the Plaintiffs were cheated because
everyone assumes that merchants and VISA and MasterCard participants practice good data
security. But such a broad statement is not enough to paint a plausible story of a claim.
Applying common sense and context, as the Court is entitled to do at the 12(b)(6) stage, it
simply does not make sense how Schnucks had a scheme to defraud or cheat the Plaintiffs.
Allegations considered by other courts in the data breach context make it clear why the present
allegations are implausible.
For example, in the Home Depot data breach case (submitted by the Plaintiffs as
supplemental authority), the merchant received numerous warnings that its data security was
insufficient or failing, but they declined to take action, purportedly to save money. In re: The
Home Depot, Inc., Customer Data Security Breach Litigation, 2016 WL 2897520, *1 (N.D. Ga. May 17,
2016). Instead of acting to remedy the data issues, Home Depot further disregarded the issue by
firing employees that brought the data security issues to light. That kind of egregious disregard
of a data security risk might signal an intent to cheat customers out of proper data security
because the merchant blatantly continued an ineffective course of action, but the same degree of
intentionality or purpose is not evident in Schnucks’s alleged conduct.
Additionally, Plaintiffs cite Atlas Pile Driving Co. v. Di Con Fin. Co., for the proposition
that a cheat can constitute RICO fraud, but that case also exhibits a more explicit scheme of
cheating or fraudulent conduct. 886 F.2d 986, 991 (8th Cir. 1989). In Atlas, the defendants created
an entire web of construction contractors and financers, used the scheme to get subcontractors
to do valuable physical labor, and then pulled the rug out from under the subcontractors by
failing to pay them and by obstructing their liens on the property through an intricate
foreclosure process on the properties in question. The scheme operated in such a way that the
defendants retained the full value of the subcontractors’ work without having to repay them.
RICO claims continued on a theory of fraudulent misrepresentation and mail fraud in that case
because it is obvious that there was a plausible story of false misrepresentations by the
contractors and financers to get the subcontractors to do work without payment. Though the
case did not discuss cheat, as Plaintiffs suggest it might, the case is significant because it shows
a set of facts where a plausible story of fraud can be seen. The defendants created entire
companies and crafted an elaborate foreclosure scheme to retain full value without paying the
subcontractors. The pattern of activity suggested much more than random misfortune.
The difference between cases like Home Depot and Atlas Pile Driving versus this case is
that in those cases there is something fishy that makes a fraud or a cheat plausible. In Home
Depot the defendants continually ignored data security warnings, and in Atlas the defendants
carefully crafted a way to hoard profits—these alleged intentional acts evidence a plausible
intention to harm the plaintiffs or to derive undue benefit for the defendants. By contrast, on the
facts alleged in the present case, it is just not clear why or how the alleged cheating or
fraudulent schemes would be purposefully used to defraud Schnucks’s customers, or to help
Schnucks retain an undue benefit. In light of the Seventh Circuit’s explicit rejection of such a
broad definition of fraud, their recent decision stressing the importance of narrowly defining
wire fraud, and the Plaintiffs’ failure to explain how Schnucks plausibly could have intended a
fraudulent cheat, this claim cannot proceed on the basis of the information pled.
Turning to bank fraud, the allegations are similarly insufficient to support a plausible
claim to relief. The Plaintiffs do not specify what scheme or artifice was faulty or how it was
directed to defrauding them. A theory of misrepresentation does not appear to be sufficiently
pled because the Plaintiffs do not allege that Schnucks made any statement specifically to them
or withheld any information specifically from them in an effort to secure funds that Schnucks
was not entitled to. Plaintiffs attempt to move past this deficiency with the general allegation
that only Schnucks knows what the false statements or omissions were and that such
information is solely in their control, but at some level this general pleading must fail. See
Gandhi, 721 F.3d at 870. Not only do the Plaintiffs fail to allege with particularity what it was
that defrauded them, but they also fail to allege with any specificity what it is that they lost as a
result of being defrauded.
For example, they do not allege that they authorized payments to Schnucks
overcompensating them for groceries, nor do they allege any specific amounts at all that they
were required to reimburse their customers for. They make general allegations that they spent
money providing new cards and account services, and that they will spend more future money
doing the same, but they fail to state why this was necessary or to what extent it might be
needed in the future. The ambiguous, conclusory, and broad nature of the Plaintiffs’ pleadings
as to bank fraud are insufficient to state a plausible claim of bank fraud. Accordingly, the Court
finds that it is appropriate to grant the motion to dismiss as it pertains to this theory of fraud.
Having found that neither the wire nor bank fraud theories are sufficiently pled, the
Court finds that it is appropriate to dismiss the RICO claim under § 1962(c) at this juncture.
As to the § 1962(d) conspiracy claim, Plaintiffs allege two theories of conspiracy—one in
violation of § 1962(a), and one in violation of § 1962(c). Both theories are insufficient to support
a claim because a claim for conspiracy under § 1962(d) requires the existence of some
underlying § 1962 violation. Although there could plausibly be scenarios where third parties
not involved in the suit are the culprits of the underlying § 1962 acts and the alleged
conspirators did not actually engage in those acts, that is not the allegation being made in the
present suit.
Specifically, as to the allegation that Schnucks participated in a conspiracy under §
1962(a) and (d), this allegation has not been sufficiently pled because Plaintiffs do not allege that
Schnucks violated § 1962(a), nor do they identify any other party who allegedly violated §
1962(a) that Schnucks allegedly conspired with. Absent such allegations, this conspiracy claim
has not met the minimum pleading standards sufficient to state a plausible claim or to notify
Schnucks of the nature of the claim against them.
Turning to the conspiracy claim under § 1962(c) and (d), the Plaintiffs allege that
Schnucks violated § 1962(c), and that they conspired to do so. These allegations provide a more
robust foundation for this conspiracy claim than the allegations for the § 1962(a) conspiracy, but
the claim is still insufficiently pled because the underlying § 1962(c) claim has not been pled
with sufficient particularity. Though the Court is not expressing an opinion on the potential
merits of either of these conspiracy claims, it finds that it is inappropriate to allow the § 1962(d)
conspiracy claim to proceed when it has already determined that the Plaintiffs have not
properly alleged the predicate § 1962(c) activity. Accordingly, the conspiracy claims shall be
dismissed without prejudice for failure to make plausible allegations. The Court acknowledges
that the Plaintiffs may be able to identify facts to support these theories of relief with sufficient
particularity, but the Court does not find at this stage that the Plaintiffs have satisfied the
heightened particularity standards. The Plaintiffs are free to file an amended complaint
containing a higher level of particularity regarding these claims.
4. Breach of Fiduciary Duty
a. Illinois
A special fiduciary relationship may exist under Illinois law where “one party places
trust and confidence in another, thereby placing the latter party in a position of influence and
superiority over the former.” Ill. State Bar Ass’n Mut. Ins. Co. v. Cavenagh, 963 N.E.2d 468, 480-81
(Ill. App. Ct. 2012). The existence of such a ‘special’ relationship must be pled with sufficient
particularity to establish the placement of trust and the creation of a hierarchical relationship. Id.
However, interpreting Illinois law, the Northern District of Illinois has found that a contractual
business relationship does not give rise to a fiduciary relationship, and mere allegations of trust
between sophisticated business parties are insufficient to create a fiduciary relationship between
the parties. See 3Com Corp. v. Electronics Recovery Specialists, Inc., 104 F.Supp.2d 932, 941-42 (N.D.
Ill. 2000). Plaintiffs attempt to argue that a fiduciary duty existed because they trusted Schnucks
to comply with certain routine security protocols, but this assertion is threadbare.
Though the Plaintiffs argue that they were in a “special relationship” with Schnucks, the
case that they cite to support the plausibility of this argument is not helpful to their position
because in that case an Illinois court found that a bare assertion of “trust” or a “special
relationship” is not enough for a claim to survive a motion to dismiss. See Ill. State Bar Ass’n
Mut. Ins. Co., 983 N.E.2d at 480-81. Thus, at this juncture the Court will grant Schnucks’s motion
to dismiss this claim without prejudice and with the caveat that the Plaintiffs may amend if they
are able to provide the Court with additional allegations from which the Court can plausibly
infer a special relationship or a placement of significant trust between the parties.
b. Missouri
Missouri law requires a five part showing to establish a fiduciary duty—(1) one party
must be subservient to the dominant mind and will of the other party as a result of age, state of
health, illiteracy, mental disability, or ignorance; (2) things of value such as land, monies, a
business, or other things of value, which are the property of the subservient party, must be
possessed or managed by the dominant party; (3) there must be a surrender of independence by
the subservient party to the dominant party; (4) there must be an automatic and habitual
manipulation of the actions of the subservient party by the dominant party; and, (5) there must
be a showing that the subservient party places a trust and confidence in the dominant party.
Roth v. Equitable Life Assur. Soc. of U.S., 210 S.W.3d 253, 260-61 (Mo. Ct. App. 2006) (finding that
plaintiffs, a married couple and seasoned investors, could not be considered ‘subservient’ in
their relationship with an investment advisor based on their sophistication as prior investors).
Missouri courts have found on multiple occasions that a fiduciary duty is not implied between
sophisticated parties in business dealings. See, e.g., id.; Chmieleski v. City Products Corp., 660 S.W.2d
275, 294-95 (Mo. Ct. App. 1983) (noting that in Missouri “the existence of a business relationship
does not give rise to a fiduciary relationship, nor a presumption of such a relationship” and
finding that sophisticated parties in a franchisor-franchisee relationship did not have fiduciary
duties to one another).
Here, Plaintiffs argue that a fiduciary duty existed between the parties such that
Schnucks was the dominant party and Plaintiffs were the subservient party subject to the whim
and caprice of Schnucks’s data practices. However, the facts this argument relies upon are not
consistent with the elements of a fiduciary relationship as defined by Missouri law. The
Plaintiffs as financial institutions, and Schnucks as a mid-sized grocer, are both ‘sophisticated’
parties who participated in a mutually beneficial business arrangement that allowed
individuals to use electronic payment cards to purchase their groceries. This sort of relationship
is commonplace in the modern world of business and banking. There is no factual basis, aside
from the Plaintiffs’ conclusory assertions, to suggest that the parties had a
dominant/subservient hierarchical relationship, as would be required to establish fiduciary
duties. Accordingly, this Court will dismiss the Plaintiffs’ fiduciary duty claim made under
Missouri law without prejudice.
5. Negligent misrepresentation
a. Illinois
Negligent misrepresentation is established by showing: “(1) a false statement of material
fact, (2) carelessness or negligence in ascertaining the truth of the statement by the party making
it, (3) an intention to induce the other party to act, (4) action by the other party in reliance on the
truth of the statement, and (5) damage to the other party resulting from such reliance, (6) when
the party making the statement is under a duty to communicate accurate information.” Fox
Associates, Inc. v. Robert Half Intern., Inc., 777 N.E.2d 603, 606 (Ill. App. Ct. 2002). However,
Illinois courts have held that a claim for negligent misrepresentation does not lie where the
information transmitted between the parties is “merely ancillary to the sale of a product or
service or in connection with the sale.” Id. at 606-07 (internal citation omitted). Allegations of
negligent misrepresentations about information have been found to be ancillary in transactions
where defendants provided tangible goods such as computers or construction materials. Id.
Schnucks argues that this claim fails because the Plaintiffs have not identified any
specific misrepresentation upon which they relied, any damage as a result of said reliance or
any duty to provide accurate information that Schnucks failed to honor. Schnucks also argues
that a claim for negligent misrepresentation would be barred by the economic loss doctrine
unless the exception was pled that they were in the business of supplying information. The
Plaintiffs attempt to circumvent these arguments by alleging that misrepresentations were
made about data security, but they fail to identify what those misrepresentations were. Instead,
they again fall back on the catch-all argument that they would have acted differently in their
interactions with Schnucks had they known of the poor data practices.
The parties make much of the First Midwest Bank, N.A. v. Stewart Title Guar. Co. case
wherein the Illinois Supreme Court affirmed the grant of a motion to dismiss a negligent
misrepresentation claim, 843 N.E.2d 327, 342 (Ill. 2006). However, all that the reliance on that
case really does at this juncture is to highlight the lack of information the parties have put forth
to support or refute this particular claim. The First Midwest Bank Court possessed substantially
more information about the relationship of the parties and the general scope of such a
relationship under Illinois law than this Court does in the context of this case.
At this juncture, the Plaintiffs have failed to make out a plausible claim for negligent
misrepresentation because they have not identified any concrete misrepresentations, they have
not alleged facts sufficient to suggest there was a duty between the parties, and they have not
specifically addressed the economic loss doctrine as it pertains to this claim. The sparsity of
factual allegations in support of this claim is so severe that the Court cannot confidently say
there is any plausible theory of relief. Accordingly, this claim is dismissed without prejudice.
b. Missouri
Under Missouri law, the elements of negligent representation are: “(1) the speaker
supplied information in the course of his business; (2) because of a failure by the speaker to
exercise reasonable care, the information was false; (3) the information was intentionally
provided by the speaker for the guidance of a limited group of persons in a particular business
transaction; (4) the listener justifiably relied on the information; and, (5) due to the listener’s
reliance on the information, the listener suffered a pecuniary loss.” Roth, 210 S.W.3d at 261. A
party must prove every element of a claim for negligent misrepresentation for a claim to
succeed. See Renaissance Leasing, LLC v. Vermeer Mfg. Co., 322 S.W.3d 112, 134 (Mo. 2010).
Schnucks argues that this claim fails because there was no information supplied, there
was no reliance on any information, and there was certainly no guidance provided to a limited
number of persons. The Plaintiffs retort that information or representations were provided by
Schnucks, yet the Plaintiffs fail to identify with any degree of specificity what that information
or representation consisted of. The Plaintiffs grasp at the notion that there was information or
representations implicit in Schnucks’s participation in the VISA and MasterCard networks that
Schnucks took certain data security measures, but the facts pled give no indication of how
compliance with a data security protocol would constitute information or representation to the
Plaintiffs or their customers. The loose assertion seems to be that all parties who interact with
VISA and MasterCard are assumed to be in compliance with VISA and MasterCard’s security
protocol, and that compliance with said protocol would successfully protect individual
cardholders’ data from security breaches—but these intangible assumptions and the associated
abstract reliance on the notion that compliance with the protocol would have prevented data
breaches are not pled with sufficient particularity to state a claim nor do they suggest that
Schnucks made a misrepresentation or provided patently false information. Because a party
must prove every element of negligent misrepresentation to succeed and the Plaintiffs have not
even identified the existence of every element, the Court is unable to say that they have
presented a plausible claim. See Renaissance Leasing, 322 S.W.3d at 134. Thus, the negligent
misrepresentation claim under Missouri law is dismissed without prejudice.
6. Negligence/gross negligence
a. Illinois
Under Illinois law, to establish a claim for negligence a plaintiff must prove that (1)
defendants owed a duty to plaintiffs; (2) defendants breached that duty; and (3) the breach
caused injury to plaintiffs. Cooney v. Chicago Public Schools, 943 N.E.2d 23, 28 (Ill. App. Ct. 2010).
A duty may exist by way of a statute, or at common law. However, with regard to data security,
Illinois courts have specifically declined to recognize a common law duty to safeguard personal
information even where such information included social security data and medical
information. See id. at 28-29.
Here, the Plaintiffs argue that Schnucks had a duty to protect their customers’ personal
financial information either under the Federal Trade Commission Act (15 U.S.C. §§ 41-58) or at
common law. The FTC Act prohibits “unfair methods of competition in or affecting commerce,
and unfair or deceptive acts or practices in or affecting commerce.” 15 U.S.C. § 45(a)(1). “Unfair
or deceptive acts” are defined as those that: (i) cause or are likely to cause reasonably
foreseeable injury within the United States; or (ii) involve material conduct occurring within the
United States. 15 U.S.C. § 45(4)(A)(i-ii). The sole power to enforce the FTC rests with the
Commission, and there is no private cause of action that can be invoked to redress harms from
such an alleged misdeed. See Baum v. Great Western Cities, Inc. of New Mexico, 703 F.2d 1197, 1209
(10th Cir. 1983); Meyer v. Bell & Howell Co., 453 F.Supp. 801, 802 (E.D. Mo. 1978) (finding that the
federal district court was without jurisdiction to hear private causes of action for alleged
violations of section 5). Thus, the FTC itself does not give rise to an independent duty on
Schnucks’s part.
The Plaintiffs also argue that they are not asking the Court to create a new common law
duty because Schnucks had a duty under the existing fiduciary relationship between the parties
to safeguard the data in question. The Court has already declined to recognize a plausible claim
of a fiduciary duty on the facts pled and it will not acknowledge a duty premised on the FTC or
common law. As other courts have noted, the legislature could create a duty to safeguard
personal data if it felt it appropriate to do so, and in light of the recent uptick in data breach
cases it may well do so, but in the absence of such legislation, the Court will not recognize a
new duty between two sophisticated parties. See Cooney, 943 F.2d at 28-29 (discussing the
legislature’s ability to address data security). Accordingly, Schnucks’s motion to dismiss the
negligence and gross negligence claims is granted and the claims are dismissed with prejudice.
b. Missouri
The parties did not identify Missouri precedent as closely aligned with the facts of the
present case as those cases discussed in relation to the Plaintiffs’ allegations under Illinois law;
however, the basic elements of negligence are the same. Under Missouri law, to establish a claim
for negligence, a plaintiff must prove: “a (1) legal duty on part of the defendant to conform to a
certain standard of conduct to protect others against unreasonable risks; (2) a breach of that
duty; (3) a proximate cause between the conduct and the resulting injury; and, (4) actual
damages to the claimant’s person or property.” Hoover’s Dairy, Inc. v. Mid-America Dairymen, Inc.
Special Products, Inc., 700 S.W.2d 426, 431 (Mo. 1985). As both parties acknowledge, Missouri law
requires notification in the event of a data breach—but those provisions say nothing about a
duty to otherwise preempt attacks of the data breach variety. Absent any statutory right, and
absent argument or precedent suggesting that Missouri recognizes a common law duty to
protect personal information, this Court does not find that Plaintiffs have articulated a plausible
claim for relief. The facts as pled are conclusory and do not demonstrate how Plaintiffs could
establish negligence or gross negligence as pled. Unlike the claims being dismissed under
Illinois law, these claims will be dismissed without prejudice because Missouri law is less clear
on the matter and Plaintiffs may be able to allege facts to state a plausible claim. Thus, the
negligence and gross negligence claims under Missouri law are dismissed without prejudice.
7. Negligence per se
a. Illinois
The pleading requirements for negligence per se under Illinois law are more arduous
than those for negligence or gross negligence. See Abbasi ex rel. Abbasi v. Paraskevoulakos, 718
N.E.2d 181, 185 (Ill. 1999) (“In a common law negligence action, a violation of a statute or
ordinance designed to protect human life or property is prima facie evidence of negligence; the
violation does not constitute negligence per se.”). The Plaintiffs have not identified an Illinois
statute that has been violated, nor have they met the higher burden of identifying a statute
imposing strict liability, as they would be required to do to establish negligence per se under
Illinois law. Id. at 186. In light of the dismissal of the negligence claims, this Court hereby
dismisses the negligence per se claim with prejudice.
b. Missouri
Under Missouri law, negligence per se is a type of negligent conduct that results from the
violation of a statute imposing a duty. Lowdermilk v. Vescovo Building & Realty Co., Inc., 91
S.W.3d 617, 628 (Mo. Ct. App. 2002). In Lowdermilk, the Missouri Court of Appeals noted that
any “conduct which constitutes untrustworthy or improper fraudulent or dishonest dealings or
demonstrates bad faith or gross incompetence has been held not to be a basis for negligence per
se.” Id. Further, the Lowdermilk Court noted that “the doctrine of negligence per se has
traditionally arisen in cases involving personal injury and physical injury to property” and the
doctrine had not yet been extended to any case that involved damage to economic interests.
Here, this Court has already determined that Plaintiffs have not identified a plausible statutory
duty on Schnucks’s behalf in its finding that the negligence and gross negligence claims fail.
Likewise, this Court dismisses the negligence per se claim under Missouri law without
prejudice.
8. Breach of implied contract
a. Illinois
“An implied in fact contract is created by the parties’ conduct and contains all the
elements of an express contract—offer, acceptance, and consideration—as well as a meeting of
the minds.” In re Michaels Stores Pin Pad Litigation, 830 F.Supp.2d 518, 530 (N.D. Ill. 2011).
Applying Illinois law in the data breach context, courts have found that an implied contract to
safeguard customer payment information may exist between card users and merchants
collecting payment. See Irwin, 2016 WL 1355570; In re Target Corp. Data Sec. Breach Litigation, 66
F.Supp.3d at 1176-77; In re Michaels Stores Pin Pad Litigation, 830 F.Supp.2d at 530. The Plaintiffs
also mention an implied in law contract, though they do not indicate that they are relying upon
such a contract.
Based on the sparse arguments and facts presented regarding any potential implied
contractual relationship, the Court does not find that a plausible claim has been presented
suggesting that an implied contract existed between the Plaintiffs and Schnucks under Illinois
law. The relationship between a cardholder and a merchant is unique from that between the
Plaintiffs (issuing financial institutions) and Schnucks (a supermarket). It is easier to see how a
contract might be implied between a cardholder and a merchant where the cardholder provides
payment and walks away with tangible goods such as groceries, and in exchange the merchant
receives electronic payment thus giving them value for the goods. This elementary transaction
much more clearly contains the basic principles of a contract than the relationship between
financial institutions and merchants.
The Plaintiffs argue that an implied relationship exists because payment happens over a
complex system of merchants and processors which is governed by a number of contractual
relationships. But the suggestion that certain components of a payment transaction are
governed by explicit contracts takes away from the credibility of the assertion that other aspects
of that transaction would be governed by implied contracts rather than explicit contracts. The
existence of explicit contracts governing certain aspects of the payment network suggests that
participants in the payment network anticipated the need for contracts to allocate certain risks,
and that they entered the contracts they saw fit to adequately assess risks. Based on the facts
presented and the unique differences between the relationships of these parties to the parties in
other cases where implied contracts have been found plausible, the Court dismisses this claim
without prejudice. The Plaintiffs are free to amend this claim to identify more clearly the alleged
components of an implied contract; namely, an offer, acceptance, and consideration.
b. Missouri
The only authority cited by either party with regard to Missouri law is a case regarding
medical staffing at a hospital. Egan v. St. Anthony’s Medical Ctr., 244 S.W.3d 169, 174 (Mo. 2008)
(en banc). In that case, the Missouri Supreme Court stated “a preexisting duty cannot furnish
consideration for a contract.” Id. The Missouri Court of Appeals has said a contract may arise by
necessary implication from the parties’ course of conduct. Kosher Zion Sausage Co. of Chicago v.
Roodman’s, Inc., 442 S.W.2d 543, 547 (Mo. Ct. App. 1969). Again, the Plaintiffs tend to rely on the
general assertion that because a large payment network existed and it was governed by certain
contractual relationships, there must have also been a contract between themselves and
Schnucks regarding the security of cardholder data.
As with this claim under Illinois law, Plaintiffs have not sufficiently pled a claim under
Missouri law because they simply do not assert with enough particularity what it is about their
relationship with Schnucks that would give rise to an implied contractual relationship. To take
their assertion that the general structure of payments to merchants by cards, and authorizations,
gives rise to an implied contract would essentially mean that the Court was acknowledging
implied contracts between every potential merchant where a bank’s customer may choose to
pay with a card as opposed to cash. Recognizing such a claim would far exceed the meager
authority on this issue in Missouri. Moreover, Missouri law states that if there is a pre-existing
duty, then a contract will not be implied. Here, taking the Plaintiffs’ allegations at face value,
there was a preexisting duty to comply with VISA and MasterCard’s data practices, so an
implied contract may be impossible under Missouri law. Accordingly, this claim is dismissed
without prejudice for failure to provide more than conclusory allegations suggesting a plausible
claim.
9. Breach of contract damaging third-party beneficiaries
a. Illinois
The parties do not delve into detail about third-party beneficiary status under
controlling Illinois law. Illinois distinguishes between direct and incidental third-party
beneficiaries, and only intended beneficiaries—those the parties intended to directly benefit
from the contract—have a right to enforce a contract at law. Bank of Am. Nat. Ass’n v. Bassman
FBT, L.L.C., 981 N.E.2d 1, 11 (Ill. App. Ct. 2012). “That the parties expect, know, or even intend
that the contract benefit others is insufficient to overcome the presumption that the contract was
intended only for the parties’ direct benefit.” Id. (emphasis in original). Rather than address the
core components of third-party beneficiary status, the parties argue in passing about the
traditional tenets of contract law such as a bargained-for exchange, consideration, and a
meeting of the minds.
On the record before the Court, the Court does not find that there are sufficient factual
allegations that the Plaintiffs were intended third-party beneficiaries of any contracts between
Schnucks and other participants in the financial network. It is not at all clear how the ability of a
cardholder to use a card at a merchant, or the use of intermediaries to facilitate this process
could be interpreted to directly benefit the Plaintiffs. Plaintiffs do not allege that they get a
commission for each transaction, that they retain customers because customers can use cards at
Schnucks's stores, or anything of that nature. Absent these allegations, the Court dismisses this
claim without prejudice because it does not find that the facts presented are sufficient to state a
plausible claim.
b. Missouri
At this juncture, the parties have failed to argue specifics about how the Plaintiffs were
or were not a third-party beneficiary to Schnucks’s numerous contracts governing its finances.
Missouri law recognizes three distinct types of third-party beneficiaries—donee, creditor, and
incidental. Kansas City Hispanic Ass’n Contractors Enterprise, Inc. v. City of Kansas City, 279 S.W.3d
551, 555 (Mo. Ct. App. 2009). Only donees and creditors can recover under contract law, while
incidental beneficiaries cannot. Id. An incidental beneficiary is one “who will benefit from the
performance of a promise but who is neither a promisee nor an intended beneficiary.” Id. On
the facts before the Court, the Plaintiffs are most akin to incidental beneficiaries to any contracts
between Schnucks and other parties in the transaction network. The Plaintiffs benefit by their
customers being able to exchange card payment for groceries or other goods, but they do not
allege that they individually get anything from the transaction. In light of this analysis, and the
sparsity of arguments by the parties, this claim will be dismissed without prejudice.
10. Violation of the Illinois Consumer Fraud and Deceptive Business Practices Act
a. Illinois
“To state a violation of the [Consumer Fraud Act], the plaintiffs must prove three
elements: (1) an unfair or deceptive act or practice by the defendant; (2) the defendant’s intent
that plaintiff rely on the deception; and, (3) the occurrence of the deception in the course of
conduct involving trade or commerce.” Parks v. Wells Fargo Home Mortgage, Inc., 398 F.3d 937,
943 (7th Cir. 2005). Like any fraud claim in Illinois, a plaintiff must plead a consumer fraud
claim with particularity by alleging the identity of the person who made the misrepresentation,
the time, place, and content of the misrepresentation, and the method by which the
misrepresentation was communicated. Bankers Trust Co. v. Old Republic Ins. Co., 959 F.2d 677,
683-84 (7th Cir. 1992). Though there may be flexibility in the pleading standard where the
plaintiffs allege that they do not have access to the information needed to show a fraud, the
flexibility is not so great that plaintiffs can satisfy the particularity requirement by simply
asserting that on “information and belief” the defendants committed consumer fraud. Id.
Here, the Plaintiffs have failed to sufficiently plead a claim for consumer fraud because
they have not identified with any degree of specificity the content of the alleged
misrepresentation, when the misrepresentation was made, or how it was communicated.
Plaintiffs again make much of the notion that there was some implicit understanding amongst
cardholders, banks, and merchants that appropriate data security measures would be taken at
all times, but such bare allegations are not enough to satisfy the particularity requirement. See
Bankers Trust Co., 959 F.2d at 683-84. Accordingly, the Plaintiffs’ claim of consumer fraud is
hereby dismissed without prejudice for failure to sufficiently plead the claim.
11. Unjust enrichment/assumpsit
a. Illinois
In Illinois “a plaintiff must allege that the defendant has unjustly retained a benefit to
the plaintiff’s detriment, and that defendant’s retention of the benefit violates the fundamental
principles of justice, equity, and good conscience.” Irwin, 2016 WL 1355570 at *4. In Irwin, the
Court found that plaintiffs failed to state a claim for unjust enrichment where the plaintiffs
(store customers) alleged that the merchant was unjustly enriched by retaining the full purchase
price for goods sold, but not spending part of its profits to maintain adequate data security. The
Target Court rejected essentially the same claim. In re Target Corp. Data Sec. Breach Litigation, 66
F.Supp.3d at 1178. Here, the Plaintiffs use a very similar theory of unjust enrichment, in essence
arguing that Schnucks made more money on the sale of groceries than they should have
because they did not spend any of the money they made to maintain sufficient data security
practices. Schnucks did not charge a premium for paying with a card, so it is not plausible that
they were unjustly enriched by payments from cardholders. Furthermore, the Plaintiffs do not
allege that they bestowed additional financial compensation on Schnucks by approving the card
transactions, in excess of what would have been received by a cash payment. Thus, the Court
does not find it plausible that there was unjust enrichment on card payment transactions.
Plaintiffs also assert that had they known about the poor data security practices, they
would have taken measures to protect their customers. A theory similar to this was raised in the
Target litigation where customers argued that if they had known of the breach early on,
they would not have shopped at the store knowing of the risk. The Target Court found it
plausible that the customers may not have shopped there after learning of the breach, and thus
that portion of the claim was allowed to proceed. However, this argument is unpersuasive and
does not present a plausible theory for relief on the facts before the Court in this case. Although
it is plausible to see individual consumers finding another place to shop, or making the personal
decision to protect their security, it is implausible to conceptualize how the Plaintiffs would
have done something additional on their end if they knew of the data security issues. Plaintiffs
make no suggestion as to how they would have acted differently during the card approval
process, and it is not evident what the Plaintiffs could have done to ensure more security. The
Plaintiffs’ own allegations are that the data was stolen from Schnucks’s internal processing
environment—something the Plaintiffs do not allege to have any control over. Declining
authorization would not have prevented the data breach. What is more, it is not clear how the
Plaintiffs believe that they could have executed the strategy of declining authorization without
prohibiting their customers from shopping at a large local grocer—something that seems
unprecedented and unrealistic.
In addition to the practical reasons why the plaintiffs’ unjust enrichment claim is
implausible, the Court also notes that in other data breach cases where more particularly pled
unjust enrichment claims have been made, those claims have been dismissed. See Irwin, 2016
WL 1355570 at *4; In re Barnes and Noble Pin Pad Litigation, 2013 WL 4759588, at *5; In re Target
Corp. Data Sec. Breach Litigation, 66 F.Supp.3d at 1178. This Court hereby dismisses the unjust
enrichment claim under Illinois law without prejudice.
b. Missouri
Missouri law is essentially the same concerning unjust enrichment. See J.B. Contracting,
Inc. v. Bierman, 147 S.W.3d 814, 818-19 (Mo. Ct. App. 2004). Neither party makes specific
arguments distinguishing the unjust enrichment claims in Missouri from those in Illinois.
Accordingly, this claim will also be dismissed without prejudice.
12. Equitable subrogation
The parties’ arguments regarding equitable subrogation do not distinguish between
Illinois and Missouri law. In its generic form, equitable subrogation allows party A to seek
reimbursement from party B when party A is required to pay a third-party for expenses caused
by party B. See generally, Home Ins. Co. v. Cincinnati Ins. Co., 821 N.E.2d 269, 323 (Ill. 2004);
Scottsdale Ins. Co. v. Addison Ins. Co., 448 S.W.3d 818, 831-32 (Mo. 2014) (en banc). Plaintiffs argue
that they incurred an expense on behalf of Schnucks when they had to reimburse their
customers for fraudulent charges, among other things. But, as Schnucks points out, the Plaintiffs
did not allege that their customers were actually liable for the fraudulent charges, so Plaintiffs
paying the debt may not have constituted a payment of a third-party debt at all. Plaintiffs
attempt to rebut this proposition, as found in the Banknorth, N.A. v. BJ’s Wholesale Club, Inc. case,
but their refutation is unpersuasive and does nothing to distinguish their position as an issuing
bank from the issuing bank in Banknorth. 442 F.Supp.2d 206, 216 (M.D. Penn. 2006). Based on the
argument that Plaintiffs have not repaid a third-party debt, and the lack of a refutation of that
argument, the Court dismisses this claim without prejudice. The Plaintiffs are free to amend this
claim if they are able to explain how their expenses were reimbursement of a third-party debt.
13. Declaratory and Injunctive relief
The Court will not comment on the propriety of the relief sought because it is dismissing
the substantive claims in the Complaint.
14. Conclusion
For the foregoing reasons, the Court GRANTS Schnucks’s Motion to Dismiss (Doc. 27):
Counts 1-5 and 8-12 are DISMISSED without prejudice under Illinois and Missouri law, and
Counts 6 & 7 are DISMISSED with prejudice under Illinois law and without prejudice under
Missouri law. Because all of the substantive claims in this case have been dismissed, the
Plaintiffs are DIRECTED to file a first amended complaint by Wednesday, October 19, 2016. If
they fail to do so, this entire action will be dismissed and the case will be closed.
IT IS SO ORDERED.
DATED: September 28, 2016
/s/ Michael J. Reagan
Chief Judge Michael J. Reagan
United States District Court