Particularity and plausibility are recurring themes from Judge Reagan’s order last week in the most recent round of litigation stemming from a 2012-2013 data breach at Schnucks grocery. See Community Bank, et al. v. Schnuck Markets, Inc., No. 3:15-cv-01125-MJR-RJD (S.D. Ill. Sept. 28, 2016). Unlike previous litigation brought by the grocery store’s customers, this litigation was initiated by four financial institutions as a putative class action seeking alleged damages incurred while helping their customers affected by the data breach remedy their personal financial risks and losses. Plaintiffs pled thirteen different causes of action in the Complaint, including multiple RICO claims, breach of fiduciary duty, negligence and negligent misrepresentation, breach of implied warranty, breach of contract and unjust enrichment.
After analyzing the facts as pled, the Court struck each of the 13 counts. The Court found that while many of the legal theories had been tested in data breach litigation around the country, plaintiffs’ status as financial institutions, not merchant customers, was a “critical distinction.” “In the cases brought by customers, parties have effectively illustrated plausible claims for relief under various theories by appealing to the common life experience of a consumer walking into a merchant to buy a sandwich or a book. The concrete fraud charges on customer payment cards and the familiar expectations of a store customer make the claims in those cases hold together to illustrate a plausible story.” In contrast, in the financial institutions’ lawsuit, the Court found that “allegations of harms sustained [were] general” and the details of the alleged fraud, reliance, duty and relationships in an area of “relatively new territory” – i.e., a data breach suit brought by a financial institution versus a customer – were insufficiently pled and therefore did not support a plausible story.
For example, in analyzing Plaintiffs’ RICO claims, the Court contrasted the implausible allegations pled by Plaintiffs with more specific allegations pled in the Home Depot data breach case and Atlas Pile Driving case, noting that the “alleged intentional acts” pled in those cases evidenced a “plausible intention to harm the plaintiffs or to derive undue benefit for the defendants” sufficient to withstand a motion to dismiss. In contrast, in this case, the Court found that plaintiffs failed to clearly set forth “why or how the alleged cheating or fraudulent schemes would be purposefully used to defraud Schnuck’s customers or to help Schnuck’s retain an undue benefit,” rendering their claim implausible. Plaintiffs’ allegations of unjust enrichment also fell short. The financial institutions alleged that they would have taken their own additional measures to protect customers if they had known the truth about the security practices of Schnucks. While this theory was similar to the theory advanced by customers in the Target breach — that they would have stopped shopping at Target if they had known early on of the breach — the Court found it unpersuasive under the facts of the Schnucks breach, where the financial institutions were two steps away from the data in question. “It is implausible to conceptualize how the Plaintiffs would have done something additional on their end if they knew of the data security issues. Plaintiffs make no suggestion as to how they would have acted differently during the card approval process, and it is not evident what the Plaintiffs could have done to ensure more security.”
These examples are only illustrative. Plaintiffs’ failure to plead specific and plausible claims was systemic and was criticized by the Court throughout the opinion. Nevertheless, only two of the 13 counts – negligence and negligence per se under Illinois law – were dismissed with prejudice. Consequently, plaintiffs have a chance to go back to their factual storehouses and plead with more particularity in the hope that this time they might pass through the checkout and proceed to discovery.