Community Bank of Trenton et al v. Schnuck Markets, Inc.

Filing 68

ORDER: For the reasons set forth in the attached Memorandum and Order, the Court GRANTS Schnucks's Motion to Dismiss For Failure to State a Claim (Doc. #55 ): all counts are dismissed with prejudice because the Court is of the opinion that further amendments will not present a plausible theory for relief. Signed by Chief Judge Michael J. Reagan on 5/1/17. (rah)

Download PDF
IN THE UNITED STATES DISTRICT COURT FOR THE SOUTHERN DISTRICT OF ILLINOIS COMMUNITY BANK OF TRENTON, UNIVERSITY OF ILLINOIS EMPLOYEES CREDIT UNION, FIRST FEDERAL SAVINGS BANK OF CHAMPAIGN-URBANA, and SOUTHPOINTE CREDIT UNION, individually and on behalf of all similarly situated payment card issues, Plaintiff, vs. SCHNUCK MARKETS, INC., Defendant. ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) Case No. 15-cv-01125-MJR MEMORANDUM AND ORDER REAGAN, Chief District Judge: A. Introduction and Procedural Overview This case is now before the Court on the Plaintiffs’ Amended Complaint and the Defendant’s Motion to Dismiss (Docs. 52, 55). The underlying dispute concerns a data breach at Defendant’s grocery stores between December 2012 and March 2013. The initial complaint identified two grounds for federal jurisdiction—18 U.S.C. § 1961, et seq., pursuant to 18 U.S.C. § 1964(a) & (c) (“Racketeer Influenced and Corrupt Organizations Act” aka “RICO”); and 28 U.S.C. § 1332(d) (“Class Action Fairness Act” aka “CAFA”). The Amended Complaint contains no RICO claims, so the sole remaining jurisdictional basis is CAFA. The Motion to Dismiss 1|Page having been fully briefed, the Court now finds that Plaintiffs have failed to state a plausible claim for relief. This Court accepts all factual allegations as true when reviewing a 12(b)(6) motion to dismiss. Erickson v. Pardus, 551 U.S. 89, 94 (2007). To avoid dismissal for failure to state a claim, a complaint must contain a short and plain statement of the claim sufficient to show entitlement to relief and to notify the defendant of the allegations made against him. FED. R. CIV. P. 8(a)(2); Bell Atl. Corp. v. Twombly, 550 U.S. 544, 555-57 (2007). In order to meet this standard, a complaint must describe the claims in sufficient factual detail to suggest a right to relief beyond a speculative level. Id.; Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009); EEOC v. Concentra Health Servs., 496 F.3d 773, 776 (7th Cir. 2007). A complaint need not contain detailed factual allegations, Scott v. Chuhak & Tescon, P.C., 725 F.3d 772, 782 (7th Cir. 2013), but it must go beyond “mere labels and conclusions” and contain “enough to raise the right to relief above the speculative level,” G&S Holdings, LLC v. Cont’l Cas. Co., 697 F.3d 534, 537-38 (7th Cir. 2012). The Seventh Circuit has outlined the boundaries of 12(b)(6) with two major principles. First, that although facts in the pleadings must be accepted as true and construed in the plaintiff’s favor, allegations in the form of legal conclusions are insufficient to survive a motion to dismiss. McReynolds v. Merrill Lynch & Co., Inc., 694 F.3d 873, 885 (7th Cir. 2012). And, second, “the plausibility standard calls for ‘context-specific’ inquiry that requires the court ‘to draw on its judicial experience and common sense.’” Id. Threadbare recitals of elements and conclusory statements are not sufficient to state a claim. Id. Put another way, to survive a motion to dismiss “the plaintiff must give enough details about the subject-matter of the case to present a 2|Page story that holds together [. . .] the court will ask itself could these things have happened, not did they happen.” Swanson v. Citibank, N.A., 614 F.3d 400, 404 (7th Cir. 2010). The case before the Court now presents 7 different theories of relief—down from 13 in the initial complaint. As was outlined in this Court’s ruling on the initial complaint and initial motion to dismiss, many of the theories have been tested in other data breach litigation against major retailers across the country, such as Target, Jimmy Johns, Barnes and Noble, Home Depot, and Neiman Marcus, to name a few.1 The initial complaint was dismissed by this Court in large part because it suffered from vast generalizations. The Amended Complaint and pleadings now before the Court have attempted to shore up the problem of generality, doing so in part by narrowing the scope of issues before the Court by removing the RICO and fraud claims, and omitting claims the Court previously dismissed. The additional facts that have been brought forth will be recited below. The Court will then provide a detailed legal analysis of the Amended Complaint. However, as a preliminary matter, the Court must address jurisdiction. The Amended Complaint alleges that this Court has subject matter jurisdiction under CAFA. At an earlier point in the proceedings, the Plaintiffs had filed a motion for class certification (Doc. 12), which they voluntarily withdrew, with the opportunity to refile it later without prejudice (Dkt. txt Lewert v. P.F. Chang’s China Bistro, Inc., 819 F.3d 963 (7th Cir. 2016) (customer suit reversed and remanded after standing found appropriate); Irwin v. Jimmy John’s Franchise, LLC, 2016 WL 1355570 (C.D. Ill. 2016) (customer suit with certain claims under Illinois law dismissed); In re Home Depot, Inc., Customer Data Security Breach Litigation, 2016 WL 2897520 (N.D. Ga. 2016) (customer suit involving 56 million customers allowed to proceed on certain claims beyond motion to dismiss); Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688 (7th Cir. 2015) (customer suit, standing found to be proper); In re Target Corp. Data Sec. Breach Litigation, 66 F.Supp.3d 1154 (Minn. D. Ct. 2014) (customer suit dismissed as to some claims, allowed to proceed as to others); In re Barnes & Noble Pin Pad Litigation, 2013 WL 4759588 (N.D. Ill. 2013) (customer suit dismissed on standing grounds). 1 3|Page entry 42). Though the Plaintiffs have not refiled their motion for class certification, in part due to this Court’s direction that it was not necessary to do so at this point (See Dkt. txt. entry 60 (granting Plaintiffs’ unopposed motion for an extension of time to file a class certification motion until after the motion to dismiss was ruled upon), the Court nevertheless finds that it has jurisdiction under CAFA prior to formal class certification. See Greenberger v. GEICO General Ins. Co., 631 F.3d 392, 396 (7th Cir. 2011) (“federal jurisdiction under CAFA does not depend on class certification”). B. Factual Allegations Many of the facts in the Amended Complaint are identical to those offered in the original complaint. Of new vintage, the Plaintiffs allege that they were intended or third-party beneficiaries to the contracts between the Defendant and others in the card processing network because Plaintiffs received an interchange fee or interest for processing cards. (Doc. 52 at 10-11). Plaintiffs also included allegations that Defendant has yet to upgrade to more secure transaction chip technology to allow customers to pay more safely (Id. at 10). Plaintiffs’ Amended Complaint presented specific figures about the scope of the data breach—including that unencrypted data was potentially compromised for 2.4 million cards swiped at 79 Schnucks’ stores from December 1, 2012 through March 30, 2013 (Doc. 52 at 15). The complaint also contained the allegation that stolen data was used in fraudulent transactions across the globe, evidencing that it was unencrypted and improperly stored (Id. at 29). On March 14, 2013, Defendant first learned of a data breach upon receiving reports of fraudulent card use (Id. at 20). On March 19 it retained Mandiant, a forensic investigation firm, to investigate the issue (Id.). Mandiant took action, identifying the infirmity on March 20 (Id.). 4|Page However, Defendant did not inform the public of the issue until March 30, 2013, at which time the issue was fully contained (Id.). By their calculations, Plaintiffs allege that the gap from March 19 through March 30th allowed an unnecessary window for the compromise of 340,000 payment cards, assuming a rate of 20,000 cards used per day (Id. at 21-22). Plaintiffs allege that Defendant did not pursue a reasonable alternative by posting a “cash or checks only” sign specifically because it knew it would be bad for business (Id. at 22). C. Legal Analysis 1. Negligence/gross negligence – Missouri law only Under Missouri law, to establish a claim for negligence a plaintiff must prove: “a (1) legal duty on part of the defendant to conform to a certain standard of conduct to protect others against unreasonable risks; (2) a breach of that duty; (3) a proximate cause between the conduct and the resulting injury; and, (4) actual damages to the claimant’s person or property.” Hoover’s Dairy, Inc. v. Mid-America Dairymen, Inc. Special Products, Inc., 700 S.W.2d 426, 431 (Mo. 1985). As both parties acknowledge, Missouri law requires notification in the event of a data breach—pursuant to MO. REV. STAT. § 407.1500—Missouri’s data breach notification law. However, the data breach notification statute exclusively bestows the power to prosecute violations upon the Missouri Attorney General. See MO REV. STAT. § 407.1500.4. What is more, the statute does not contemplate a duty or remedies for anything other than a failure to notify. This Court will not read additional duties into a law carefully crafted by the legislature, particularly where the legislatures of other states have explicitly contemplated additional protections in legislation. Compare MO. REV. STAT. § 407.1500.4 with MINN. STAT. § 325E.64 (Plastic Card Security Act). Reading the statute as a whole, this means that in Missouri the 5|Page only statutory duty regarding data security is to provide notice of a breach, and the only authority to prosecute a failure of this duty is the attorney general. Statutory duties aside, the Plaintiffs also argue that the Defendant had a duty to safeguard data based on its business relationship; sound public policy; industry standards; best practices; or implied contracts. In support of these arguments, Plaintiffs rely heavily on out-ofcircuit precedent from Georgia, Minnesota, and Pennsylvania. See Home Depot, 2016 WL 2897520; Target, 64 F.Supp.3d at 1309-1310; Sovereign Bank v. BJ’s Wholesale Club, Inc., 395 F. Supp.2d 183, 193-96 (M.D. Penn. 2005) (finding a common law duty on behalf of a retailer to an issuing bank based on social policy, the business relationship, and the foreseeability of harm); First Choice Federal Credit Union v. The Wendy’s Co., 2:16-cv-NBF-MPK (W.D. Pa. Feb. 13, 2017) (Doc. 80) (report and recommendation denying motion to dismiss a financial institution’s negligence claim in a data breach case)2. The out-of-circuit precedent is distinguishable from the present case. First, as to the Georgia precedent in the Home Depot data breach litigation, this precedent does not give rise to a negligence claim under Missouri law because that litigation is factually distinct, and in a subsequent opinion, a Georgia appellate court disagreed with the Northern District of Georgia’s interpretation of Georgia law. See Home Depot, 2016 WL 2897520 at *1-2, but cf McConnell v. Dept. of Labor, 787 S.E.2d 794, 798-800, n.4 (Ga. Ct. App. 2016). The Home Depot case is factually distinct because the facts in the record suggest that Home Depot’s data security conduct in the lead up to their breach was egregious and intentional—Home Depot on 2 This report and recommendation allows negligence claims to proceed beyond a motion to dismiss without citing any authority for or against the recommendation. What is more, the recommendation acknowledges the potential latent issues regarding choice of law, etc. that may ultimately weigh on the appropriateness of a negligence claim. 6|Page numerous occasions ignored warning signs of poor data security, and even went so far as to fire tech employees who tried to alert the company to the risks of the poor data security measures. See Home Depot, 2016 WL 2897520 at *1-2. Such alarming conduct certainly weighed heavily on the Northern District of Georgia when deciding whether or not to let a negligence claim proceed. In allowing the claim to proceed, the Home Depot Court explicitly called upon a proposition of Georgia law, that there is a “general duty one owes to all of the world not to subject them to an unreasonable risk of harm.” See id. at *3. But subsequent to the Home Depot Court’s holding, the Georgia Court of Appeals lamented such a broad interpretation of that ‘general duty’ and indicated that Georgia courts would not be bound by a federal court’s interpretation of Georgia law. See McConnell, 787 S.E.2d at 798-800, n.4 (declining to recognize a general duty or a theory of negligence in a suit by an employee regarding an employer’s data security practices over employee data). The McConnell Court’s analysis emphasized the egregious nature of Home Depot’s conduct in declining to allow a negligence claim to proceed regarding data security of an employee’s personal information. See id. at 798-800, n.4. Based on these distinctions, this Court is not persuaded that it should follow the Home Depot Court in recognizing a duty here. Second, as to the Target precedent, this Court does not find the duty recognized in that litigation to play a role in this case because the Target Court relied in part upon data security provisions unique to Minnesota law—provisions which have no analogue in Missouri law. See In re Target Corp. Customer Data Sec. Breach Litigation, 64 F.Supp.3d at 1310, 1312-13 (noting Minnesota’s policy of punishing companies that do not secure customer data); MINN. STAT. § 325E.64 (Plastic Card Security Act). As was noted above, the Missouri legislature has not 7|Page crafted such particularized data security legislation. In the absence such legislation, this Court declines to sua sponte create a duty where the Missouri government has declined to do so. Third, as to the Pennsylvania precedent cited by Plaintiffs, this Court finds the precedent unpersuasive because the BJ’s case is frankly outdated, and the other case cited has no authoritative force whatsoever as a contested report and recommendation. See Sovereign Bank v. BJ’s Wholesale Club, Inc., 395 F.Supp.2d at 193-95 (assessing potential elements of negligence and concluding that the negligence claim could proceed beyond the motion to dismiss). The BJ’s case was decided in 2005, prior to the onslaught of data breaches and litigation, and prior to the time when many legislatures began considering the issue of data security legislation. Id. Missouri’s own data security legislation post-dates BJ’s. See MO. REV. STAT. § 407.1500 (enacted in 2009). Thus, the Court will not rely on such old precedent to acknowledge a duty in a rapidly changing area of law. Precedent aside, the Court is not persuaded that public policy concerns, the existence of industry standards, or implied contractual relationships should give rise to a duty in this case. The parties squabble over their respective levels of sophistication, the foreseeability of data security risks, and the best ways to address losses incurred in the aftermath of a breach. The breach at Defendant’s stores took place during what seemed to be the boom of data breach activity, at a time when many retailers were caught either unaware or unluckily in the crosshairs of cybercrime. Unfortunately losses were sustained, losses that in retrospect should have or could have been prevented, but not every loss can be compensated via legal action. In the wake of the data breach boom, it seems fair to say retailers will have to act more prudently, but 8|Page at the time that this breach occurred the law did not contemplate harms of the kind that emerged.3 Finally, as to the theory that Section 5 of the Federal Trade Commission (FTC) Act gives rise to a duty and negligence, the Court previously declined this argument under Illinois law, and hereby extends that rational to claims under Missouri law (See Doc. 50 at 25-26). The sole power to enforce the FTC rests with the Commission, and there is no private cause of action. See e.g. Baum v. Great Western Cities, Inc. of New Mexico, 703 F.2d 1197, 1209 (10th Cir. 1983); Meyer v. Bell & Howell Co., 453 F.Supp. 801, 802 (E.D. Mo. 1978). In sum, the Court finds that under Missouri law the Defendant had no duty to protect customer information on the Plaintiffs’ behalf. 2. Negligence per se – Missouri law only This Court dismissed the negligence per se claim from the original complaint after finding that Plaintiffs had failed to identify a duty the Defendant violated. (Doc. 50 at 27-28). Here, the Court will do the same. 3. Breach of implied contract—Missouri law, or for subclass in Missouri and Illinois Under Missouri and Illinois law an implied contract is created by the parties’ conduct and must contain all of the elements of a traditional contract, including offer, acceptance, consideration, and a meeting of the minds. See C. Szabo Contracting Inc. v. Lorig Constr. Co., 19 N.E.3d 638, 644 (Ill. App. Ct. 2014); Kosher Zion Sausage Co. of Chicago v. Roodman’s, Inc., 442 S.W.2d 543, 546 (Mo. Ct. App. 1969). 3 It is interesting to note that the breach at Defendant’s stores came before the breach at Target (December 2013), and before the breach at Home Depot (2014). This timeline weighs against finding that the litigation or conduct in either of those breaches should have put Defendant on heightened notice or imposed a stricter duty for Defendant to monitor data security. 9|Page Plaintiffs’ theory of implied contract in the amended complaint relies heavily upon the assertion that Plaintiffs authorized transactions on the “implicit promise” that Defendant had adequate data security measures. As consideration for this exchange, Plaintiffs assert that they got interchange fees and Defendant got payment for the goods purchased by Plaintiffs’ customers. Plaintiffs urge that absent the “implicit promise” of a secure data network, they would have refused to authorize payments, advised their customers to shop elsewhere, canceled and reissued compromised cards, and taken other cost-saving or protective measures. These assertions are in large part a repeat of what was set forth in the original complaint, although the facts have been enhanced somewhat by the scarce details about interchange fees as consideration. See Egan v. St. Anthony’s Medical Ctr., 244 S.W.3d 169, 174 (Mo. 2008) (finding that a preexisting duty cannot furnish consideration for a contract). Other parties (Defendant, Defendant’s banks, VISA, and Mastercard) had explicit contracts and duties to each other, so this Court will not stretch those preexisting relationships and agreements to impliedly include Plaintiffs. In the first instance, this Court dismissed the theory of implied contract because the Plaintiffs had failed to make out the essential elements of a contract—offer, exchange, and acceptance. Here, the Court finds that the implied contract theory continues to suffer from this infirmity. It is still not clear what ‘contract’ was made between these parties, or how there was a direct violation of said relationship. The implied contract theory seems to bleed over into the theory of third-party beneficiary because the Plaintiffs repeatedly allege that the Defendant was required to maintain proper data security per its agreements with VISA and MasterCard, but the parties have not cited any portion of those contracts that expressly or impliedly 10 | P a g e contemplates the alleged relationship Plaintiffs now rely upon. Under Missouri law this is particularly problematic because Missouri law will not imply a contract where there is a preexisting relationship. The allegations that Plaintiffs would have withheld authorization or taken other protective measures are irrelevant to the issue of an implied contract because these things do not bear on the offer-acceptance-consideration trio, or if they do, they do not relate in a way that feasibly could have prevented a breach. A financial institution’s decision to decline authorization, thereby declining acceptance, does not prevent a data breach because the data has already been gathered by the Defendant at that time—so declining ‘acceptance’ of the transaction offers no protection of the sort sought under the theory of implied contract. Withholding authorization or canceling compromised cards are steps that the Plaintiffs could have and perhaps did take after the breach became apparent to mitigate harms, but these things are extraneous to the formation of an implied contract in the first instance. Once again, the Plaintiffs reference the term ‘implied in law’ contract, but they offer little factual or legal argument on the matter. Instead, they point to the unjust enrichment count of their complaint, where the argument focuses primarily on unjust enrichment. An ‘implied in law’ contract has elements distinct from an implied in fact contract, so without any argument or factual allegations this Court will not allow this count to proceed under the guise of that legal theory. 4. Breach of contracts to which Plaintiffs are third-party beneficiaries Under either Illinois or Missouri law, the showing required to establish third-party beneficiary status to a contract is relatively high. The primary component under the laws of 11 | P a g e both states is that the party claiming third-party status must be able to show that they are more than an incidental or happenstance beneficiary. Under Illinois law a party must make a significant showing about their status as an intended beneficiary to a contract before a court will recognize such a relationship. See e.g. Bank of Am. Nat. Ass’n v. Bassman FBT, L.L.C., 981 N.E.2d 1, 11 (Ill. App. Ct. 2012) (“That the parties expect, know, or even intend that the contract benefit others is insufficient to overcome the presumption that the contract was intended only for the parties’ direct benefit.”); Kansas City Hispanic Ass’n Contractors Enterprise, Inc. v. City of Kansas City, 279 S.W.3d 551, 555 (Mo. Ct. App. 2009). To be recognized as a third-party beneficiary, Plaintiffs must identify an express portion of a contract that contemplates their status as a beneficiary. On the record before the Court, the Court does not find that there are sufficient factual allegations that the Plaintiffs were intended third-party beneficiaries of any contracts between the Defendant and other participants in the card network. It is not at all clear how the ability of a cardholder to use a card at a merchant, or the use of intermediaries to facilitate this process could be interpreted to directly benefit the Plaintiffs. Plaintiffs do allege in the Amended Complaint that they get an interchange fee or interest related to each customer transaction, but this peripheral benefit does not support the assertion that they were intended to directly enforce or otherwise control the contractual relationship between the merchant and the card processing network. Absent these allegations, the Court dismisses this claim because it does not find that the facts presented are sufficient to state a plausible claim. 12 | P a g e 5. Violation of the Illinois Consumer Fraud and Deceptive Business Practices Act “To state a violation of the [Consumer Fraud Act], the plaintiffs must prove three elements: (1) an unfair or deceptive act or practice by the defendant; (2) the defendant’s intent that plaintiff rely on the deception; and, (3) the occurrence of the deception in the course of conduct involving trade or commerce.” Parks v. Wells Fargo Home Mortgage, Inc., 398 F.3d 937, 943 (7th Cir. 2005). Like any fraud claim in Illinois, a plaintiff must plead a consumer fraud claim with particularity by alleging the identity of the person who made the misrepresentation, the time, place, and content of the misrepresentation, and the method by which the misrepresentation was communicated. Bankers Trust Co. v. Old Republic Ins. Co., 959 F.2d 677, 683-84 (7th Cir. 1992). Though there may be flexibility in the pleading standard where the plaintiffs allege that they do not have access to the information needed to show a fraud, the flexibility is not so great that plaintiffs can satisfy the particularity requirement by simply asserting that on “information and belief” the defendants committed consumer fraud. Id. Aside from specific claims of fraud or deception, Illinois courts also allow general claims that certain conduct is unfair or deceptive. See e.g. Wendorf v. Landers, 755 F.Supp.2d 972, 97879 (N.D. Ill. 2010). Such a claim is subject to a multi-part test: “(1) whether the practice offends public policy; (2) whether it is immoral, unethical, oppressive, or unscrupulous; [and] (3) whether it causes substantial injury to consumers.” FTC v. Sperry & Hutchinson Co., 405 U.S. 233, 244, n.5 (1972). Illinois courts have held that a claim need not fulfill all three factors. See Robinson v. Toyota Motor Credit Corp., 775 N.E.2d 951, 961 (Ill. Sup. 2002). “To constitute an unfair practice, the defendant’s conduct must violate public policy, be so oppressive that it leaves the consumer with little alternative except to submit to it, and injure the consumer.” 13 | P a g e Rockford Memorial Hosp. v. Havrilesko, 858 N.E.2d 56, 65 (Ill. App. 2d Dist. 2006). Such a claim must still be pled with sufficient particularity. See Demitro v. General Motors Acceptance Corp., 902 N.E.2d 1163, 1168-70 (Ill. App. Ct. 1st Dist. 2009). In Demitro an Illinois appellate court found that an automobile lender’s conduct was oppressive where the conduct effectively gave a leasee the choice of paying more than $39,000 within a few weeks’ notice, or face permanent repossession of his vehicle, rather than allowing him to pay just over two-thousand dollars to remedy a default on his payments. Id. The Demitro Court was particularly sensitive to the “oppressive” impact of the lending company prematurely repossessing the vehicle, despite letters and conversations suggesting plaintiff had more time to remedy his default. Id. Research did not reveal a published decision where an Illinois Court considered a data breach incident at a merchant. Most similar was a case where an Illinois appellate court considered a data breach in the context of theft of medical records. See Maglio v. Advocate Health and Hospitals Corp., 40 N.E.3d 746 (Ill. App. Ct. 2d Dist. 2015) (affirming dismissal of plaintiff-patients’ data breach suit against health care provider based on finding that plaintiffs did not suffer actual injury and thus lacked standing). Also similar was a case where an Illinois appellate court considered the risk of a security breach at an ATM machine. See Popp v. Cash Station, Inc., 613 N.E.2d 1150 (Ill. App. Ct. 1st Dist. 1992) (finding that plaintiff cash machine customers failed to plead a sufficiently particular misrepresentation or fraud where they did not identify a statement or misrepresentation made to them about cash machine security). Neither of these cases lends traction to Plaintiffs’ claims in the matter before the Court. 14 | P a g e Interpreting ICFA, the Seventh Circuit held that an unfair or deceptive practice claim must be based on more than a simple breach of contract. Greenberger, 631 F.3d at 399-400. In their initial complaint, Plaintiffs pursued a claim under ICFA on the premise that Defendant made an unfair, false, or fraudulent misrepresentation about their data security practices. The claim invoked the particularity pleading standard, and this Court dismissed the claim because it was not clear what misrepresentation or fraudulent statement was made and relied upon. (See Doc. 50 at 32-33). Rather than clarifying their original claim to identify a particular misrepresentation, Plaintiffs Amended Complaint contains an ICFA claim centered on the theory that Defendant participated in an unfair practice by failing to maintain adequate data security. Defendant retorted that Plaintiffs’ claim could not succeed because Plaintiffs failed to allege that the consumers were harmed by the unfairness. Plaintiffs put significant weight on the Home Depot Court’s finding that financial institutions could maintain a claim against that retailer under ICFA. However, as was previously discussed, the Home Depot opinion appears to be an outlier, and was based on facts indicating egregious conduct by the retailer. Thus, the conduct by Home Depot might arguable have risen to the level of oppressive conduct. Home Depot aside, the Court finds Plaintiffs’ factual and legal allegations to be too threadbare to suggest a plausible theory of relief. The Court does not find a concrete public policy that has been violated. Defendant was not explicitly advertising data security or luring customers into the store on the premise that it practiced better data security than other retailers, nor were issuing banks being lured into authorizing transactions on the basis that Defendant’s data security was top notch. Though there might have been a general market expectation that any retailer would practice prudent 15 | P a g e data security, the facts do not suggest that Defendant gamed the market to take advantage of consumers of financial institutions on these grounds. The Plaintiffs’ complaint also lacks any suggestion of oppressive conduct. Unlike Home Depot’s conduct of skirting warnings and firing employees, Defendant retained a firm to investigate a potential breach within a day of learning of it. Finally, as to the requirement that consumers be injured, it is noteworthy that the consumers were apparently reimbursed for the trouble caused by the breach, so there is a possibility that Plaintiffs’ claim would also fail on this basis. Accordingly, this count is dismissed. 6. Unjust enrichment/assumpit The Court dismissed the unjust enrichment/assumpit claims in its review of the original complaint because it found that Defendant did not retain an added bonus from customers shopping with a card as opposed to those shopping with cash. (Doc. 50 at 33-35). The only alteration to the arguments on this claim in the Amended Complaint is that Plaintiffs now argue there was unjust enrichment from March 14 to March 30, the date Defendant learned of a potential breach until the date it was locked down and announced to the public. However, the Court does not find this narrower range to remedy the defect it identified earlier with this claim—shoppers still did not pay more for groceries via card than they would have with cash, so it cannot be said Defendant made more than it should have for those particular groceries. Accordingly, this Count is dismissed for the same reasons set forth in this Court’s initial dismissal. (Doc. 50 at 33-35). 16 | P a g e 7. Declaratory and injunctive relief The Court will not comment on the propriety of the relief sought because it is dismissing the substantive claims in the Complaint. 8. Conclusion For the foregoing reasons, the Court GRANTS Schnucks’s Motion to Dismiss (Doc.[55]): all counts are dismissed with prejudice because the Court is of the opinion that further amendments will not present a plausible theory for relief. IT IS SO ORDERED. DATED: May 1, 2017 s/ Michael J. Reagan MICHAEL J. REAGAN Chief Judge United States District Court 17 | P a g e

Disclaimer: Justia Dockets & Filings provides public litigation records from the federal appellate and district courts. These filings and docket sheets should not be considered findings of fact or liability, nor do they necessarily reflect the view of Justia.

Why Is My Information Online?