BENTON, Ill. (Legal Newsline) – A District Court for the Southern District of Illinois has tossed all 13 counts in
a data breach case against a grocery store, noting the plaintiffs were too general
in their allegations.
Bank of Trenton, University of Illinois Employees Credit Union, First Federal
Savings Bank of Champaign-Urbana, and Southpointe Credit Union filed a lawsuit Sept.
28 against Schnuck Markets, Inc., alleging violations of the civil provisions of the Racketeer
Influenced and Corrupt Organizations Act (RICO), contractual breaches, and other
torts after the company fell victim to a data breach.
The breach, the plaintiffs argued,
caused them to suffer financial losses.
The lawsuit, considered rare
by the court because it was brought by financial institutions rather than
harmed consumers, was dismissed by Judge Michael Reagan Oct. 19, because the plaintiffs
failed to particularize their arguments to the facts of the case.
Between December 2012 and
March 2013, Schnuck’s grocery became a victim of a major data breach. Customers'
personal information was put at risk as a result of the breach. The plaintiffs were
required to assist their customers in resolving their personal financial risks.
As such, the institutions sought financial relief from Schnuck's, alleging that, had it been more careful, the breach might not have occurred.
The court noted in its dismissal that, for
plaintiffs to avoid dismissal for failure to state a claim, the complaint must
contain a short and plain statement of the claim adequate to demonstrate it is
entitled to relief. The court found the plaintiffs failed to satisfy this
The ruling states, “The case
before the court presents an impressive 13 different theories of relief for the plaintiffs to recover against Schnuck's. Many of the theories have been tested
in other data breach litigation against major retailers across the country,
such as Target, Jimmy Johns, Barnes and Noble, Home Depot, and Neiman Marcus,
to name a few. However, there is a critical distinction between the present set
of claims, and those presented in the aforementioned cases—the claims in the
present case are being brought by the financial institutions as opposed
to by the merchant's customers…the
allegations of harms sustained are general.”
Bethany Gayle Lukitsch, a partner
with McGuire Woods, told Legal Newsline,
“Data breach litigation is a growing area of litigation and plaintiffs’ alleged
injuries and pled theories of relief have yet to be established. The court
clearly wanted to see more of a direct connection pled between the data breach
and these financial institutions before expanding the scope of potential
litigants in a data breach situation.”
The court notes the complaint
contained unsubstantiated statements too broad to ascertain harm or entitlement
to relief. It noted statements made by the plaintiffs, including that Schnucks was
alerted to fraudulent activity on “a handful of payment cards,” that the plaintiffs “may
lose profits if customers use payment cards less frequently,” that Schnucks made
fraudulent misrepresentations about its data security practices, without
defining how, and “while Schnuck's threw consumers somewhat of a bone in an
effort to rebuild customer loyalty and improve its financial outlook, it has
not offered plaintiffs and class members any compensation for the damages they
have suffered, and will continue to suffer.”
The court summed up the
arguments as highly general, writing, “The court notes the generality made
it difficult to assess the plausibility of the potential claims. For this
reason, the court dismissed many of the claims without prejudice to allow the plaintiffs an opportunity to file more substantive pleadings.”
Lukitsch said she was not surprised by the dismissal.
“As stated throughout the court’s
opinion, plaintiffs’ complaint lacked the specificity required to meet pleading
standards under Twombly and Iqbal, particularly for the fraud-based
claims,” she said.