Community Bank of Trenton v. Schnuck Markets, Incorporated, 887 F.3d 803

Background

In late 2012 Schnuck Markets suffered a data breach that exposed track data for ~2.4 million cards; card fraud and losses followed.
Four issuing banks (plaintiffs) paid cardholder indemnities and card replacement costs and sued Schnucks seeking recovery beyond the card-network contractual remedies.
The card payment system operates via a network of contracts (merchant → processor → acquiring bank → card network → issuing bank); parties agreed to PCI DSS and reimbursement/assessment rules.
Plaintiffs alleged negligence, negligence per se, unjust enrichment, implied contract, third‑party beneficiary theories, and violations of Illinois statutes (ICFA and PIPA).
The district court dismissed all claims for failure to state a claim; the Seventh Circuit affirmed, predicting Illinois and Missouri law would not permit the additional tort or quasi‑contract remedies sought.

Issues

Issue	Plaintiff's Argument	Defendant's Argument	Held
Whether Illinois/Missouri common law imposes a tort duty on Schnucks to banks for data breaches	Banks: Schnucks owed an extra‑contractual duty to safeguard track data and to banks harmed by breach	Schnucks: duties and remedies are governed by the card‑network contracts; economic‑loss doctrine bars tort recovery	Held: No new common‑law duty; economic‑loss rule/contracting‑parties paradigm bars tort recovery
Whether negligence per se applies via statutes or industry standards	Banks: violation of industry data‑security standards (and possibly FTC guidance) establishes negligence per se	Schnucks: no statutory duty imposing monetary liability; statutes (IL/MO) only require breach notice	Held: Negligence per se fails — no statutory violation that creates private cause of action for banks
Whether quasi‑contractual remedies (unjust enrichment, implied contract, third‑party beneficiary) are available	Banks: contractual network left them uncompensated; equity or implied rights should permit recovery from Schnucks	Schnucks: existing express contracts govern allocation of risk; no direct contract or clear intent to benefit banks	Held: Quasi‑contract claims barred where contract network governs; no third‑party beneficiary shown
Whether Illinois statutory claims (ICFA/PIPA) support bank recovery	Banks: Schnucks’ deficient security and delayed disclosure were unfair/deceptive, and PIPA violations are ICFA violations	Schnucks: ICFA requires a deceptive act causing proximate harm to consumers (or nexus); PIPA provides notice regime and is not a springboard for this claim	Held: ICFA/PIPA claims dismissed — banks failed to plead particularized deceptive acts, causation, or properly invoke PIPA; courts decline to expand ICFA to this scenario

Key Cases Cited

Moorman Mfg. Co. v. Nat’l Tank Co., 435 N.E.2d 443 (Ill. 1982) (establishes Illinois economic‑loss rule limiting tort recovery for purely economic losses)
East River S.S. Corp. v. Transamerica Delaval Inc., 476 U.S. 858 (U.S. 1986) (endorses economic‑loss rule in commercial contexts)
Sovereign Bank v. BJ’s Wholesale Club, Inc., 533 F.3d 162 (3d Cir. 2008) (applied economic‑loss rule to bar issuing‑bank negligence claims against merchant)
Lone Star Nat’l Bank v. Heartland Payment Sys., Inc., 729 F.3d 421 (5th Cir. 2013) (recognized negligence claim against processor under New Jersey law — contrasted here)
In re TJX Companies Retail Security Breach Litigation, 564 F.3d 489 (1st Cir. 2009) (applied economic‑loss reasoning and rejected third‑party beneficiary claim in card‑breach context)
First Data Merchant Services Corp. v. Schnuck Markets, Inc., 852 F.3d 732 (8th Cir. 2017) (interpreted Schnucks’ contracts and allocation of liability in the same breach)
De Bouse v. Bayer AG, 922 N.E.2d 309 (Ill. 2009) (rejects broad ‘market‑theory’ causation for ICFA claims)
Cooney v. Chicago Pub. Schools, 943 N.E.2d 23 (Ill. App. Ct. 2010) (declined to recognize a new common‑law duty to safeguard personal information)