Despite heightened awareness of the risk of identity theft, credit card data breaches have become all too common at retail stores over the last decade. Merchants in nearly every sector, including BJ’s Wholesale, Home Depot, Michaels, Neiman Marcus, and Target, have been hacked. The explosion of class action lawsuits by customers whose credit card information was compromised should come as no surprise. These plaintiffs, however, have faced substantial difficulty advancing their claims against merchants due largely to the absence of tangible damages from data breaches. See, e.g., Alison Frankel, Why (Most) Consumer Data Breach Class Actions vs Target Are Doomed, Reuters (Jan. 13, 2014), http://blogs.reuters.com/alison-frankel/2014/01/13/why-most-consumer-data-breach-class-actions-vs-target-are-doomed.
Cardholders are not the only group taking aim at merchants. The companies providing consumer credit cards, known as “issuer banks,” have now set their sights on merchants and other banks to recoup the costs associated with responding to a data breach. This group of plaintiffs may succeed in overcoming motions to dismiss where many consumers have failed because the alleged damages for issuer banks are often quantifiable. See In re: Target Corp. Customer Data Sec. Breach Litig., MDL No. 14-2522 (PAM/JJK), ECF No. 261 (D. Minn. Dec. 2, 2014) (allowing issuer banks to proceed with negligence claims against merchant in data breach litigation). Damages to the issuer banks are potentially massive and include everything from the costs of replacing cards and reimbursing fraudulent purchases to monitoring accounts for active fraud.
This Legal Backgrounder examines the new wave of issuer-bank litigation against merchants and other banks following a data breach and outlines potential future developments in such litigation.
Credit Card Transactions: The Players and the Litigation
Unbeknownst to most consumers, the most basic credit card transactions involve at least three separate parties handling a consumer’s sensitive financial information. In a typical transaction, a consumer’s credit card is provided by the issuer bank. During a sale, the merchant forwards the credit card information, along with the price of the goods, to an “acquiring” or “acquirer” bank that processes the transaction. The acquirer bank then contacts the issuer bank to determine if the consumer has sufficient credit to make the purchase. Assuming the consumer has sufficient credit, the issuer bank then releases the funds to the acquirer bank to complete the transaction for the merchant.
Figure 1: Illustration of a typical credit card transaction. The credit card company has a relationship with both the Issuer Bank and Acquirer Bank allowing them to use its credit card. A consumer provides his or her credit card to a merchant, who sends the information to an acquirer bank. The acquirer bank then sends the credit request to the issuer bank, which approves the transaction, releases funds, and sends it back to the acquirer bank for processing.
Most articles on data breach lawsuits in the news media have focused on suits brought by consumers against merchants and acquiring banks. Though they have received less attention, parallel litigation between issuer banks and acquirer banks or merchants is often present as well. Issuer banks sue acquirer banks or merchants seeking compensation for the costs of reimbursing customers for fraudulent charges on their credit cards and the costs of replacing those cards. See, e.g., Consol. Class Action Compl., Umpqua Bank v. Target Corp., MDL No. 14-2522 (PAM/JJK), ECF No. 163 (D. Minn. Aug. 1, 2014). These suits allege theories sounding in tort, contract, or both. Issuing bank plaintiffs have a significant advantage over customers in data breach lawsuits because actual damages are often present, giving the issuer banks Article III standing that customers often lack due to their inability to show harm. High hurdles to recovery nevertheless remain for issuer bank plaintiffs under either tort or contract theory.
Bank v. Bank Litigation: Acquirer Banks and Merchants Have Many Viable Defenses
Issuer bank plaintiffs have historically had difficulty establishing viable claims against acquirer banks and merchants. For instance, in Bancfirst v. Dixie Restaurants, Inc., No. CIV-11-174-L, 2012 WL 12879 (W.D. Okla. Jan. 4, 2012), the court found that an issuer bank could not maintain negligence claims against a merchant restaurant following a data breach. The bank’s claims were dismissed because it failed to allege facts sufficient to establish that a special relationship existed with the merchant. The court held that there was, therefore, no duty of care on the part of the merchant to the issuer bank. Id. at *4.
Likewise, in Banknorth, N.A. v. BJ’s Wholesale Club, Inc., 442 F. Supp. 2d 206 (M.D. Pa. 2006), the court found that an issuer bank could not maintain its contract and tort claims against an acquirer bank and a merchant for a data breach. The court reasoned that because the plaintiff issuer bank was not a third-party beneficiary of the contract between the acquirer bank and merchant, it could not recover for the merchant’s alleged breach of Visa regulations. Id. at 210-11. Likewise, the plaintiff issuer bank could not recover under Maine law in tort because of the economic loss rule, which bars recovery in tort for economic damages alone, and because a theory of equitable subrogation was untenable when the plaintiff issuer bank was the primary obligor. Id. at 211-16. Other courts also have rejected suits by issuer banks based in part on the application of the economic loss doctrine. See, e.g., Digital Fed. Credit Union v. Hannaford Bros. Co., No. BCD-CV-10-4, 2012 WL 1521479 (Me. B.C.D. Mar. 14, 2012); Cumis Ins. Soc. Inc. v. BJ’s Wholesale Club, Inc., 918 N.E.2d 36 (Mass. 2009). The economic loss doctrine remains the strongest tort defense for acquirer banks and merchants in data breach litigation brought by issuer banks.
Bank v. Bank Litigation: Issuer Banks Gain Ground
Though they are in the minority, a growing number of courts have allowed suits by plaintiff issuer banks to proceed against acquirer banks and/or merchants. For example, last year the Fifth Circuit reversed summary judgment in favor of a defendant acquirer bank in an issuer bank’s lawsuit. See Lone Star Nat’l Bank, N.A. v. Heartland Payment Sys., Inc., 729 F.3d 421 (5th Cir. 2013). Applying New Jersey law, the court found that the economic loss doctrine did not prevent issuer banks from recovering economic damages flowing from a data breach suffered by an acquirer bank. The court explained that issuer banks represented a class of plaintiffs the acquirer bank had reason to foresee would suffer economic losses in the event of a data breach. Thus, even absent physical harm, the acquirer bank could be found liable under a tort theory. Id. at 426. This case remains pending in the Southern District of Texas. See In re: Heartland Payment Sys. Inc. Customer Data Sec. Breach Litig., No. 4:09-md-02046 (S.D. Tex. 2009).
Another appellate court found that a plaintiff issuer bank could proceed with claims against an acquirer bank under a theory that the issuer bank was a third-party beneficiary of the acquirer bank’s contract with Visa, the terms of which were to ensure that merchants using Visa’s credit card network complied with data protection protocols. See Sovereign Bank v. BJ’s Wholesale Club, Inc., 533 F.3d 162, 168-73 (3d Cir. 2008). However, that court also held that Pennsylvania’s economic loss doctrine barred a claim sounding in tort against either the acquirer bank or merchant. Id. at 173-83. Following remand to the Middle District of Pennsylvania, the case was voluntarily dismissed. See Order Dismissing Case, Sovereign Bank v. BJ’s Wholesale Club, Inc., No. 1:05-cv-01150-WWC, ECF No. 81 (M.D. Pa. Oct. 26, 2009).
Figure 2: Data Breach Lawsuits. Though suits by consumers against merchants and acquirer banks have proved largely unsuccessful, issuer banks are finding greater success in overcoming motions to dismiss in lawsuits against acquirer banks and merchants. This is largely because they have experienced actual financial losses due to the reimbursement to consumers of the cost of fraudulent transactions.
The Future of Bank v. Bank Data Breach Litigation
Acquirer banks and merchants have mostly fended off attacks from plaintiff issuer banks sounding in tort or contract under the twin theories of the economic loss doctrine and privity of contract. As data breaches become more and more prevalent, however, it is possible that courts will experience greater discomfort leaving issuer banks without a remedy. Acquirer banks and merchants may therefore need to develop new defenses to such claims. Proximate cause remains a viable defense to any tort claim. If an issuer bank has been made aware by an acquirer bank or a credit card company that a merchant might be violating data protection protocols, and the issuer bank chooses to continue to do business with that merchant, any breach of the merchant or acquirer bank’s alleged duty of care might not be the cause-in-fact of the issuer bank’s injury. Cf. In re TJX Cos. Retail Sec. Breach Litig., 246 F.R.D. 389, 395-97 (D. Mass. 2007) (suggesting proximate cause defenses in a data breach litigation). Likewise, a related defense based on assumption of the risk might prove successful. Issuer banks should be well aware by now of the volume of data breaches worldwide. Thus, an acquirer bank or merchant should be able to argue that data breaches are an expected cost of doing business, that the danger of such breaches was open and obvious, and that if the issuer bank wanted to allocate those expected losses, it should have bargained for greater protection from those losses when negotiating relationships with the acquirer banks or credit card companies.
Bank v. Bank data breach lawsuits promise to be a burgeoning area of litigation over the next decade. The plaintiffs’ bar will likely gravitate to this litigation in greater numbers due to the arguably better chance of success in overcoming early dispositive motions. Both issuer banks and acquirer banks have a strong interest in greater definition of this area of law, so that the financial risks of processing consumer transactions in the 21st century can be predicted with greater certainty.
Philip M. Busman is a Partner with the law firm Hollingsworth LLP in Washington, D.C. John M. Kalas is an Associate at the firm.