A district court has dismissed a data breach suit against grocer Schnuck Markets brought by financial institutions.
While making distinctions between the Schnuck's case and other high-profile data-breach cases involving retailers like Target and Home Depot, Chief Judge Michael Reagan of the U.S. District Court for the Southern District of Illinois granted the motion for dismissal on May 1.
Reagan held that plaintiffs—which included Community Bank of Trenton, University of Illinois Employees Credit Union, First Federal Savings Bank of Champaign-Urbana and Southpointe Credit Union—failed to state a plausible claim.
Reagan addressed the difference between Community Bank of Trenton et al. v. Schnuck Markets Inc. and other data breach suits like the one against Home Depot by stating, “Home Depot’s data security conduct in the lead up to their breach was egregious and intentional.” In the case of Target's breach, Reagan explained the courts operated under data security provisions unique to Minnesota law.
An amended complaint against Schnuck's brought seven counts including negligence, breach of contract and consumer fraud violation during a data breach at 79 stores that compromised potentially 2.4 million credit cards belonging to shoppers between December 2012 and March 2013.
According to the record, Schnuck's received reports on March 14, 2013, of fraudulent card use. Schnuck then utilized a forensics investigation firm beginning March 19 which identified the problem by March 20. Schnuck's waited until the situation was completely under control before informing the public on March 30, 2013.
The financial institutions claimed that Schnuck's did not take reasonable action to reduce the use of cards from March 19-30, 2013, and allowed an estimated additional use of 340,000 cards.
The order explained that “[t]he breach at Defendant’s stores took place during what seemed to be the boom of data breach activity, at a time when many retailers were caught either unaware or unluckily in the crosshairs of cybercrime. Unfortunately losses were sustained, losses that in retrospect should have or could have been prevented, but not every loss can be compensated via legal action.”
Schnuck's claimed it did not have a legal obligation to reimburse the financial institutions for the fraudulent charges.
The amended complaint came after the initial complaint was dismissed for “vast generalizations.” The order of the dismissal of the amended complaint noted the new complaint addressed some of the generalizations but stated a complaint such as this must still include more than “mere labels and conclusions” and that “allegations in the form of legal conclusions are insufficient to survive a motion to dismiss.”