BENTON, Ill. (Legal Newsline) – A District Court for the Southern District of Illinois has tossed all 13 counts in data breach case against a grocery store, noting the plaintiffs were too general in their allegations.
The Community Bank of Trenton, University of Illinois Employees Credit Union, First Federal Savings Bank of Champaign-Urbana, and Southpointe Credit Union filed a lawsuit Sept. 28, against Schnuck Markets, Inc. alleging allegations of the civil provisions of Racketeer Influenced and Corrupt Organizations Act (RICO), contractual breaches, and other torts when it fell victim to a data breach.
The breach, the plaintiffs argued, caused them to suffer financial losses.
The lawsuit, considered rare by the court because it was brought by financial institutions rather than harmed consumers, was dismissed by Judge Michael Reagan Oct. 19, because the plaintiffs failed to particularize their arguments to the facts of the case.
Between December 2012 and March 2013, Schnuck’s grocery became a victim of a major data breach. Customers' personal information was put at risk as a result of the breach. The plaintiffs were required to assist their customers in resolving their personal financial risks and losses.
As such, the institutions sought financial relief from Schnuck's, alleging had it been more careful, the breach might not have occurred.
The court noted in its dismissal, that for plaintiffs to avoid dismissal for failure to state a claim, the complaint must contain a short and plain statement of the claim adequate to demonstrate it is entitled to relief. The court found the plaintiffs failed to satisfy this requirement.
The ruling states, “The case before the court presents an impressive 13 different theories of relief for the plaintiffs to recover against Schnuck's. Many of the theories have been tested in other data breach litigation against major retailers across the country, such as Target, Jimmy Johns, Barnes and Noble, Home Depot, and Neiman Marcus, to name a few. However, there is a critical distinction between the present set of claims, and those presented in the aforementioned cases—the claims in the present case are being brought by the financial institutions as opposed to by the merchant's customers…the allegations of harms sustained are general.”
Bethany Gayle Lukitsch, a partner with McGuire Woods, told Legal Newsline, “Data breach litigation is a growing area of litigation and plaintiffs’ alleged injuries and pled theories of relief have yet to be established. The court clearly wanted to see more of a direct connection pled between the data breach and these financial institutions before expanding the scope of potential litigants in a data breach situation.”
The court notes the complaint contained unsubstantiated statements too broad to ascertain harm or entitlement to relief. It noted statements made by the plaintiffs including. Schnucks was alerted to fraudulent activity on “a handful of payment cards,” the plaintiffs “may lose profits if customers use payment cards less frequently,”
Schnuck's made fraudulent misrepresentations about its data security practices without defining how, and “while Schnuck's threw consumers somewhat of a bone in an effort to rebuild customer loyalty and improve its financial outlook, it has not offered plaintiffs and class members any compensation for the damages they have suffered, and will continue to suffer.”
The court summed up the arguments as highly general, writing, “The court notes the generality made it difficult to assess the plausibility of the potential claims. For this reason, the court dismissed many of the claims without prejudice to allow the plaintiffs an opportunity to file more substantive pleadings.”
Lukitsch said she was not surprised by the dismissal.
“As stated throughout the court’s opinion, plaintiffs’ complaint lacked the specificity required to meet pleading standards under Twombly and Iqbal, particularly for the fraud based claims,” she said