MEMORANDUM AND ORDER
A. Introduction and Procedural Overview
Between December 2012 and March 2013, Schnucks (Defendant), a local grocer, fell prey to the increasingly common woe of a major data breach. As a result of the breach, numerous customers’ personal information was put at risk, and numerous financial institutions (Plaintiffs) were required to assist their customers in remedying their personal financial risks and losses. A number of the financial institutions forced to spend money and time bailing out their customers filed suit against Schnucks alleging violations of the civil
Plaintiffs brought this action before the Court, arguing two federal jurisdictional grounds—18 U.S.C. 1961, et seq., pursuant to 18 U.S.C. 1964(a) & (c) (“RICO”); and 28 U.S.C. 1332(d) (“CAFA”). RICO claims would provide an appropriate basis for federal question jurisdiction because RICO is a federal statute. CAFA would provide an appropriate basis for jurisdiction because at least one Plaintiff is an Illinois corporation and Schnucks is a Missouri corporation. Assuming, without deciding, that either RICO claims or the other CAFA prerequisites could be satisfied, this Court has jurisdiction over this action. Schnucks does not contest either of these grounds for jurisdiction, and the Court finds that it enjoys subject matter jurisdiction pursuant to either ground. Venue is also appropriate because at least one Plaintiff—Community Bank of Trenton—is located in the Southern District of Illinois, East St. Louis Division, and Schnucks resided, was found, and conducted business in the Southern District of Illinois, East St. Louis Division.
This Court accepts all factual allegations as true when reviewing a 12(b)(6) motion to dismiss. Erickson v. Pardus,
The Seventh Circuit has outlined the boundaries of 12(b)(6) with two major principles. First, that although facts in the pleadings must be accepted as true and construed in the plaintiffs favor, allegations in the form of legal conclusions are insufficient to survive a motion to dismiss. McReynolds v. Merrill Lynch & Co., Inc.,
The case before the Court presents an impressive 13 different theories of relief for the Plaintiffs to recover against Schnucks. Many of the theories have been tested in other data breach litigation against major retailers across the country, such as Target, Jimmy Johns, Barnes and Noble, Home Depot, and Neiman Marcus, to name a few.
By contrast, in the present litigation, the allegations of harms sustained are general. For example, the Complaint says that of the potentially 2.4 million cards breached, the payment card processor only alerted Schnucks to fraudulent activity on “a handful of payment cards” (Doc. 1 at 19, ¶ 43). The Complaint alleges that Plaintiffs have incurred and will continue to incur costs to: cancel and reissue cards; close and reopen accounts; notify customérs; and, investigate and monitor for fraud. Plaintiffs allege that they may also lose profits if customers use payment cards less frequently. The Complaint also makes an ambiguous statement that “[wjhile Schnucks threw consumers somewhat of a bone in an effort to rebuild customer loyalty and improve its financial outlook, it has not offered Plaintiffs and Class Members
The Court finds that more than just the harms are general—all of the pleadings in this case are highly general. Though the case centers on the notion that Schnucks made fraudulent representations or omissions regarding their data security practices, the Complaint simply says “[t]he dates and substance of Schnucks’s internal and external fraudulent communications, via the interstate wires, in furtherance of the above-described schemes, as well as its fraudulent communications to -Plaintiffs and Class Members, via the interstate wires, in furtherance of such schemes to cheat and defraud are in Schnucks’s possession, custody, and control, and await discovery” (Doc. 1 at 26, ¶ 66). Despite vague allegations about the precise statements or omissions, Plaintiffs nevertheless seem to argue that they relied on said bad information in releasing customer funds to Schnucks, but that they would not have done so had they known of poor data security.
Schnucks’s Motion to Dismiss (Doc. 27) and the Plaintiffs’ Response (Doc. 31) suffer from the same level of generality and ambiguity. In those pleadings, the parties spent much time reciting elements of claims and identifying precedent without particularizing their arguments to the facts of the ease before the Court. The Court also notes receipt of Schnucks’s reply brief (Doc. 32), Plaintiffs supplemental authority and letter brief (Doc. 36), and Schnucks’s response to the authority (Doc. 37). Though the Court recognizes that the parties are charting relatively new territory in the data breach context by presenting a case between financial institutions and a merchant (as opposed to customers and a merchant), and that the parties were subject to page limits in filing, the Court notes that the generality made it difficult to assess the plausibility of the potential claims. For this reason, the Court dismissed many of the claims without prejudice to allow the Plaintiffs an opportunity to file more substantive pleadings. After a brief synopsis of the factual allegations, the Court will assess each of the 13 claims in turn.
B. Factual Allegations
Between December 2012 and March 2013, Schnucks experienced a data breach, which made payment card information transmitted through their computer system vulnerable to attack by cyber criminals. The data breach may have affected as many as 2.4 million cardholders who shopped at Schnucks during the timeframe of the breach. Plaintiffs allege that the breach took place in the “internal processing environment” of Schnucks’s computers. Specifically, Plaintiffs allege that data was at risk from the time of swipe at the point-of-sale terminal as it was awaiting approval by the third-party payment processors. During this waiting period, Plaintiffs allege that payment card numbers and expiration dates “(and possibly more information)” was erroneously held in its unencrypted format on Schnucks’s computers, in violation of industry standards (Doc. 1 at 18, ¶ 41).
Plaintiffs describe the web of payment processing as follows: a customer swipes a card at the point-of-sale terminal; the card information goes from the point-of-sale terminal into the merchant’s register; the information is stored in remote access
The level of data security over this web of transactions is guided by industry standards (the PCI DSS) and agreements between merchants, Visa and MasterCard, acquiring banks, and third-party processors. Plaintiffs allege that Schnucks captured track data in its computer system including: cardholder names, account numbers, expiration dates, CW codes, and pin numbers for debit cards. Plaintiffs allege that this information must be encrypted. Industry standards require that merchants only store information on the front of the card, and only if it is encrypted. Plaintiffs allege that the data stolen from Schnucks was “the account numbers and expiration dates (and possibly more information)” (Doc. 1 at 18, ¶ 41). Plaintiffs allege that this information was poached from Schnucks’s computers “before it [was] transmitted somewhere else” (Doc. 1 at 20, ¶46). Plaintiffs allege that because the data was not encrypted, the hackers were able to use it freely.
Plaintiffs allege that had Schnucks followed industry security standards, the breach would not have happened. They allege that Schnucks fell far short of industry standards because: it knew its security procedures were outdated and ineffective; it knew it was out of compliance with industry standards; it failed to file routine quarterly data compliance reports; it knowingly and recklessly failed to implement or maintain adequate data procedures; it permitted a delay between the March 14, 2013, discovery of the breach to March 28, 2013, when the breach was isolated or March 30, 2013 when the breach was neutralized; and, it failed to implement preventative measures such as, an enterprise risk management system, antivirus and firewall software, and layered security.
Plaintiffs are pursuing the following theories of relief: Counts 1-3 are RICO and RICO conspiracy claims; Count 4 claims breach of a fiduciary duty; Counts 5-7 allege varying degrees of negligence; Counts 8-9 allege breaches of contractual relationships; Count 10 alleges violation of the Illinois Consumer Fraud and Deceptive Business Practices Act; Count 11 alleges unjust enrichment; Count 12 seeks equitable subrogation; and Count 13 seeks declaratory and injunctive relief. The Court will address each count in turn, because there are varying standards of pleading for the different claims.
C. Legal Analysis
1-3. RICO Claims
The Plaintiffs’ RICO claims make three simple assertions. First, that Schnucks violated 18 U.S.C. § 1962(c) via their acts of bank and wire fraud in processing customer transactions at their retail grocery outlets. Second, that Schnucks conspired to take proceeds from their fraudulent activity to reinvest in the operation of their ongoing business, in violation of 18 U.S.C. § 1962(a) and (d). And, third, that Schnucks conspired to commit wire and bank fraud in violation of § 1962(c) and (d). All three claims fail for a lack of
To allege a violation of section 1962(c), the plaintiff must allege that the defendant (1) was employed by or associated with (2) an enterprise engaged in, or the activities of which affected, interstate or foreign commerce, and (3) that the person conducted or participated in the conduct of the enterprise’s affairs (4) through a pattern of racketeering activity. Haroco, Inc. v. Am. Nat. Bank and Trust Co. of Chicago,
For purposes of alleging a violation of § 1962(c), a corporation “may satisfy the section 1961 definitions of both “person” and “enterprise^]” Haroco,
To establish a pattern of racketeering activity, “the predicate acts must exhibit ‘continuity plus relationship.’ ” Empress Casino Joliet Corp. v. Balmoral Racing Club, Inc.,
Here, Plaintiffs allege that Schnucks was a person for purposes of RICO and the VISA and MasterCard networks were enterprises. Plaintiffs allege that Schnucks and the enterprises participated in interstate commerce, that Schnucks conducted the activities of the enterprises, and that as a result of Schnucks’s conduct via the enterprises, the Plaintiffs have suffered and will continue to suffer from a pattern of open-ended and continuous harm. As to the predicate acts that constitute a pattern of harmful activity, the Plaintiffs allege that Schnucks’s conduct over its data network constituted both wire and bank fraud, in violation of §§ 1343 and 1344, respectively. Wire fraud is alleged to have occurred based upon Schnucks’s representations via electronic communications that it maintained safe data procedures and its requests for authorization of transactions
The elements of wire fraud under § 1343 are: a scheme to defraud, a false representation, and use of interstate communications. U.S. v. Pritchard,
The elements of bank fraud under § 1344 are: knowing execution, or attempted execution of “a scheme or artifice—(1) to defraud a financial institution; or (2) to obtain any of the moneys, funds, credits, assets, securities, or other property owned by, or under the custody or control of, a financial institution, by means of false or fraudulent pretenses, representations, or promises.” § 1344.
In conjunction with section 1962(c), section 1962(d) provides civil liability for conspiring to commit RICO violations. The United States Supreme Court held that RICO conspiracy shares major tenants of common law conspiracy, but, in order to be liable for RICO conspiracy as opposed to ordinary conspiracy, a plaintiff must show that the defendant’s offensive actions were racketeering activity within the meaning of § 1962. See Beck v. Prupis,
First, as to the claim that Schnucks should be held liable under § 1962(c) for conducting a pattern of racketeering activity, the Plaintiffs have failed to adequately plead this claim. The fatal flaw at this juncture is that the Plaintiffs fail to allege predicate RICO acts with sufficient particularity as required by Rule 9(b). Plaintiffs accurately allege that there is some lenience in pleading fraud if a plaintiff alleges that the fraudulent information is solely in control of the defendant,
As the Seventh Circuit recently noted, wire fraud is something that could hypothetically be found in every corporate transaction in the modern business world. U.S. v. Weimert,
Applying common sense, it is hard to see how Schnucks could or would have done these things. Merchants are not in the common practice of posting signs by the register assuring data security, so surely there cannot be a misrepresentation or omission there, nor is there any kind of data safety guarantee transmitted across the wires from a merchant to processors when a card is swiped. What is more, Plaintiffs do not allege that Schnucks communicates directly with them via the wires. According to Plaintiffs version of the facts, Schnucks communicates via wire with its acquiring bank who then goes through a data processor to contact the Plaintiffs. This chain does not evidence any direct, or even indirect, statements by Schnucks to the Plaintiffs.
Plaintiffs also allege that Schnucks was required to file some sort of compliance report on data security, but they do not allege when that might have been filed, how it was filed, who it would have been filed with, or what about it was wrong. So again, there is no basis to say a misrepresentation was transmitted via the wires if and when a compliance report was completed.
Turning to the cheat theory of fraud, this theory is implausible for two reasons. First, a ‘cheat’ theory of fraud seems to stretch the definition of RICO too far, and, second, even assuming such a stretch was warranted, the Plaintiffs have not explained what it was about Schnucks’s conduct that constituted a cheat. Plaintiffs cite a number of cases for the proposition that there are many theories of fraud which can be flexibly applied to cover a broad swath of conduct, but Plaintiffs are overextending by trying to use a cheat theory of fraud under RICO without any factual specificity. The Seventh Circuit has explicitly rejected the seminal case the Plaintiffs cite for the proposition that fraud is a
The notion undergirding the cheating claim is that the Plaintiffs were cheated because everyone assumes that merchants and VISA and MasterCard participants practice good data security. But such a broad statement is not enough to paint a plausible story of a claim. Applying common sense and context, as the Court is entitled to do at the 12(b)(6) stage, it simply does not make sense how Schnucks had a scheme to defraud or cheat the Plaintiffs. Allegations considered by other courts in the data breach context make it clear why the present allegations are implausible.
For example, in the Home Depot data breach case (submitted by the Plaintiffs as supplemental authority), the merchant received numerous warnings that its data security was insufficient or failing, but they declined to take action, purportedly to save money. In re: The Home Depot, Inc., Customer Data Security Breach Litigation,
Additionally, Plaintiffs cite Atlas Pile Driving Co. v. Di Con Fin. Co., for the proposition that a cheat can constitute RICO fraud, but that case also exhibits a more explicit scheme of cheating or fraudulent conduct.
The difference between cases like Home Depot and Atlas Pile Driving versus this case is that in those cases there is something fishy that makes a fraud or a cheat plausible. In Home Depot the defendants
Turning to bank fraud, the allegations are similarly insufficient to support a plausible claim to relief. The Plaintiffs do not specify what scheme or artifice was faulty or how it was directed to defrauding them. A theory of misrepresentation does not appear to be sufficiently pled because the Plaintiffs do not allege that Schnucks made any statement specifically to them or withheld any information specifically from them in an effort to secure funds that Schnucks was not entitled to. Plaintiffs attempt to move past this deficiency with the general allegation that only Schnucks knows what the false statements or omissions were and that such information is solely in their control, but at some level this general pleading must fail. See Gandhi,
For example, they do not allege that they authorized payments to Schnucks overcompensating them for groceries, nor do they allege any specific amounts at all that they were required to reimburse their customers for. They make general allegations that they spent money providing new cards and account services, and that they will spend more future money doing the same, but they fail to state why this was necessary or to what extent it might be needed in the future. The ambiguous, con-clusory, and broad nature of the Plaintiffs’ pleadings as to bank fraud are insufficient to state a plausible claim of bank fraud. Accordingly, the Court finds that it is appropriate to grant the motion to dismiss as it pertains to this theory of fraud.
Having found that neither the wire or bank fraud theories are sufficiently pled, the Court finds that it is appropriate to dismiss the RICO claim under § 1962(c) at this juncture.
As to the § 1962(d) conspiracy claim, Plaintiffs allege two theories of conspiracy—one in violation of § 1962(a), and one in violation of § 1962(c). Both theories are insufficient to support a claim because a claim for conspiracy under § 1962(d) requires the existence of some underlying § 1962 violation. Although there could plausibly be scenarios where third parties not involved in the suit are the culprits of the underlying § 1962 acts and the alleged conspirators did not actually engage in those acts, that is not the allegation being made in the present suit.
Specifically, as to the allegation that Schnucks participated in a conspiracy under § 1962(a) and (d), this allegation has not been sufficiently pled because Plaintiffs do not allege that Schnucks violated § 1962(a), nor do they identify any other party who allegedly violated § 1962(a) that Schnucks allegedly conspired with. Absent such allegations, this conspiracy claim has not met the minimum pleading standards sufficient to state a plausible claim or to
Turning to the conspiracy claim under § 1962(c) and (d), the Plaintiffs allege that Schnucks violated § 1962(c), and that they conspired to do so. These allegations provide a more robust foundation for this conspiracy claim than the allegations for the § 1962(a) conspiracy, but the claim is still insufficiently pled because the underlying § 1962(c) claim has not been pled with sufficient particularity. Though the Court is not expressing an opinion on the potential merits of either of these conspiracy claims, it finds that it is inappropriate to allow the § 1962(d) conspiracy claim to proceed when it has already determined that the Plaintiffs have not properly alleged the predicate § 1962(c) activity. Accordingly, the conspiracy claims shall be dismissed without prejudice for failure to make plausible allegations. The Court acknowledges that the Plaintiffs may be able to identify facts to support these theories of relief with sufficient particularity, but the Court does not find at this stage that the Plaintiffs have satisfied the heightened particularity standards. The Plaintiffs are free to file an amended complaint containing a higher level of particularity regarding these claims.
4. Breach of Fiduciary Duty
a. Illinois
A special fiduciary relationship may exist under Illinois law where “one party places trust and confidence in another, thereby placing the latter party in a position of influence and superiority over the former.” Ill. State Bar Ass’n Mut. Ins. Co. v. Cavenagh,
Though the Plaintiffs argue that they were in a “special relationship” with Schnucks, the case that they cite to support the plausibility of this argument is not helpful to their position because in that case an Illinois court found that a bare assertion of “trust” or a “special relationship” is not enough for a claim to survive a motion to dismiss. See Ill. State Bar Ass’n Mut. Ins. Co.,
b. Missouri
Missouri law requires a five part showing to establish a fiduciary duty—(1) one party must be subservient to the dominant mind and will of the other party as a result of age, state of health, illiteracy, mental disability, or ignorance; (2) things of value such as land, monies, a business, or other things of value, which are the property of the subservient party, must be possessed or managed by the dominant party; (3) there must be a surrender of independence by the subservient party to
Here, Plaintiffs argue that a fiduciary duty existed between the parties such that Schnucks was the dominant party and Plaintiffs were the subservient party subject to the whim and caprice of Schnucks’s data practices. However, the facts this argument relies upon are not consistent with the elements of a fiduciary relationship as defined by Missouri law. The Plaintiffs as financial institutions, and Schnucks as a mid-sized grocer, are both ‘sophisticated’ parties who participated in a mutually beneficial business arrangement that allowed individuals to use electronic payment cards to purchase their groceries. This sort of relationship is common place in the modern world of business and banking. There is no factual basis, aside from the Plaintiffs’ conclusory assertions, to suggest that the parties had a domi-nanVsubservient hierarchical relationship, as would be required to establish fiduciary duties. Accordingly, this Court will dismiss the Plaintiffs fiduciary duty claim made under Missouri law without prejudice.
5. Negligent misrepresentation
a. Illinois
Negligent misrepresentation is established by showing: “(1) a false state-' ment of material fact, (2) carelessness or negligence in ascertaining the truth of the statement by the party making it, (3) an intention to induce the other party to act, (4) action by the other party in reliance on the truth of the statement, and (5) damage to the other party resulting from such reliance, (6) when the party making the statement is under a duty to communicate accurate information.” Fox Associates, Inc. v. Robert Half Intern., Inc.,
Schnucks argues that this claim fails because the Plaintiffs have not identified any specific misrepresentation upon which they relied, any damage as a result of said reliance or any duty to provide accurate information that Schnucks failed to honor. Schnucks also argues that a claim for negligent misrepresentation would be barred by the economic loss doctrine unless the exception was pled that they were in the business of supplying information. The Plaintiffs attempt to circumvent these arguments by alleging that
The parties make much of the First Midwest Bank, N.A. v. Stewart Title Guar. Co. case wherein the Illinois Supreme Court affirmed the grant of a motion to dismiss a negligent misrepresentation claim,
At this juncture, the Plaintiffs have failed to make out a plausible claim for negligent misrepresentation because they have not identified any concrete misrepresentations, they have not alleged facts sufficient to suggest there was a duty between the parties, and they have not specifically addressed the economic loss doctrine as it pertains to this claim. The sparsity of factual allegations in support of this claim is so severe that the Court cannot confidently say there is any plausible theory of relief. Accordingly, this claim is dismissed without prejudice,
b. Missouri
Under Missouri law, the elements of negligent representation are: “(1) the speaker supplied information in the course of his business; (2) because of a failure by the speaker to exercise reasonable care, the information was false; (3) the information was intentionally provided by the speaker for the guidance of a limited group of persons in a particular business transaction; (4) the listener justifiably relied on the information; and, (5) due to the listener’s reliance on the information, the listener suffered a pecuniary loss.” Roth,
Schnucks argues that this claim fails because there was no information supplied, there was no reliance on any information, and there was certainly no guidance provided to a limited number of persons. The Plaintiffs retort that information or representations were provided by Schnucks, yet the Plaintiffs fail to identify with any degree of specificity what that information or representation consisted of. The Plaintiffs grasp at the notion that there was information or representations implicit in Schnucks’s participation in the VISA and MasterCard networks that Schnucks took certain data security measures, but the facts pled give no indication of how compliance with a data security protocol would constitute information or representation to the Plaintiffs or their customers. The loose assertion seems to be that all'parties who interact with VISA and MasterCard are assumed to be in compliance with VISA and MasterCard’s security protocol, and that compliance with said protocol would successfully protect individual cardholders’ data from security breaches—but these intangible assumptions and the associated abstract reliance on the notion that compliance with the protocol would have prevented data breaches are not pled with sufficient particularity to state a claim nor do they suggest that Schnucks made a misrepresentation or provided patently false information. Because a party must prove every element of negligent misrepresentation to
6. Negligence/gross negligence
a. Illinois
Under Illinois law, to establish a claim for negligence a plaintiff must prove that (1) defendants owed a duty to plaintiffs; (2) defendants breached that duty; and (3) the breach caused injury to plaintiffs. Cooney v. Chicago Public Schools,
Here, the Plaintiffs argue that Schnucks had a duty to protect their customers’ personal financial information either under the Federal Trade Commission Act (15 U.S.C. §§ 41-58) or at common law. The FTC Act prohibits “unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce.” 15 U.S.C. § 45(a)(1). “Unfair or deceptive acts” are defined as those that: (i) cause or are likely to cause reasonably foreseeable injury within the United States; or (ii) involve material conduct occurring within the United States. 15 U.S.C. § 45(4)(A)(i-ii). The sole power to enforce the FTC rests with the Commission, and there is no private cause of action that can be invoked to redress harms from such an alleged misdeed. See Baum v. Great Western Cities, Inc. of New Mexico,
The Plaintiffs also argue that they áre not asking the Court to create a new common law duty because Schnucks had a duty under the existing fiduciary relationship between the parties to safeguard the data in question. The Court has already declined to recognize a plausible claim of a fiduciary duty on the facts pled and it will not acknowledge a duty premised on the FTC or common law. As other courts have noted, the legislature could create a duty to safeguard personal data if it felt it appropriate to do so, and in light of the recent uptick in data breach cases it may well do so, but in the absence of such legislation, the Court will not recognize a new duty between two sophisticated parties. See Cooney,
b. Missouri
The parties did not identify Missouri precedent as closely aligned with the facts of the present case as those cases discussed in relation to the Plaintiffs allegations under Illinois law, however, the basic elements of negligence are the same. Under Missouri law to establish a claim for negligence, a plaintiff must prove: “a (1) legal duty on part of the defendant to conform to a certain standard of conduct to protect others against unreasonable risks; (2) a breach of that duty; (3) a proximate cause between the conduct and
7. Negligence per se
a. Illinois
The pleading requirements for negligence per se under Illinois law are more arduous than those for negligence or gross negligence. See Abbasi ex rel. Abassi v. Paraskevoulakos,
b. Missouri
Under Missouri law, negligence per se is a type of negligent conduct that results from the violation of a statute imposing a duty. Lowdermilk v. Vescovo Building & Realty Co., Inc.,
8. Breach of implied contract
a. Illinois
“An implied in fact contract is created by the parties’ conduct and contains all the elements of an express contract— offer, acceptance, and consideration—as well as a meeting of the minds” In re Michaels Stores Pin Pad Litigation,
Based on the sparse arguments and facts presented regarding any potential implied contractual relationship, the Court does not find that a plausible claim has been presented suggesting that an implied contract existed between the Plaintiffs and Schnueks under Illinois law. The relationship between a cardholder and a merchant is unique from that between the Plaintiffs (issuing financial institutions) and Schnueks (a supermarket). It is easier to see how a contract might be implied between a cardholder and a merchant where the cardholder provides payment and walks away with tangible goods such as groceries, and in exchange the merchant receives electronic payment thus giving them value for the goods. This elementary transaction much more clearly contains the basic principles of a contract than the relationship between financial institutions and merchants.
The Plaintiffs argue that an implied relationship exists because payment happens over a complex system of merchants and processors which is governed by a number of contractual relationships. But the suggestion that certain components of a payment transaction are governed by explicit contracts takes away from the credibility of the assertion that other aspects of that transaction would be governed by implied contracts rather than explicit contracts. The existence of explicit contracts governing certain aspects of the payment network suggests that participants in the payment network anticipated the need for contracts to allocate certain risks, and that they entered the contracts they saw fit to adequately assess risks. Based on the facts presented and the unique differences between the relationships of these parties to the parties in other cases where implied contracts have been found plausible, the Court dismisses this claim without prejudice. The Plaintiffs are free to amend this claim to identify more clearly the alleged components of an implied contract; namely, an offer, acceptance, and consideration,
b. Missouri
The only authority cited by either party with regard to Missouri law is a case regarding medical staffing at a hospital. Egan v. St. Anthony’s Medical Ctr.,
As with this claim under Illinois law, Plaintiffs have not sufficiently pled a claim under Missouri law because they simply do not assert with enough particularity what it is about their relationship with Schnueks that would give rise to an implied contractual relationship. To take their assertion that the general structure of payments to merchants by cards, and authorizations, gives rise to an implied contract would essentially mean that the Court was acknowledging implied contracts between every potential merchant where a bank’s customer may choose to pay with a card as opposed to cash. Recognizing such a claim would far exceed the meager authority on this issue in Missouri. Moreover, Missouri law states that if there is a pre-existing
9. Breach of contract damaging third-party beneficiaries
a. Illinois
The parties do not delve into detail about third-party beneficiary status under controlling Illinois law. Illinois distinguishes between direct and incidental third-party beneficiaries, and only intended beneficiaries—those the parties intended to directly benefit from the contract— have a right to enforce a contract at law. Bank of Am. Nat. Ass’n v. Bassman FBT, L.L.C.,
On the record before the Court, the Court does not find that there are sufficient factual allegations that the Plaintiffs were intended third-party beneficiaries of any contracts between Schnucks and other participants in the financial network. It is not at all clear how the ability of a cardholder to use a card at a merchant, or the use of intermediaries to facilitate this process could be interpreted to directly benefit the Plaintiffs. Plaintiffs do not allege that they get a commission for each transaction, that they retain customers because customers can use cards at Schnucks’s stores, or anything of that nature. Absent these allegations, the Court dismisses this claim without prejudice because it does not find that the facts presented are sufficient to state a plausible claim.
b. Missouri
At this juncture, the parties have failed to argue specifics about how the Plaintiffs were or were not a third-party beneficiary to Schnucks’s numerous contracts governing its finances. Missouri law recognizes three distinct types of third-party beneficiaries—donee, creditor, and incidental. Kansas City Hispanic Ass’n Contractors Enterprise, Inc. v. City of Kansas City,
10. Violation of the Illinois Consumer Fraud and Deceptive Business Practices Act
a. Illinois
“To state a violation of the [Consumer Fraud Act], the plaintiffs must prove three elements: (1) an unfair or deceptive act or practice by the defendant;
Here, the Plaintiffs have failed to sufficiently plead a claim for consumer fraud because they have not identified with any degree of specificity the content of the alleged misrepresentation, when the misrepresentation was made, or how it was communicated. Plaintiffs again make much of the notion that there was some implicit understanding amongst cardholders, banks, and merchants that appropriate data security measures would be taken at all times, but such bare allegations are not enough to satisfy the particularity requirement. See Bankers Trust Co.,
11. Unjust enrichmenVassumpsit
a. Illinois
In Illinois “a plaintiff must allege that the defendant has unjustly retained a benefit to the plaintiffs detriment, and that defendant’s retention of the benefit violates the fundamental principles of justice, equity, and good conscience. Irwin,
Plaintiffs also assert that had they known about the poor data security practices, they would have taken measures to protect their customers. A theory similar to this was raised in the Target litigation where customers argued that if they would have known of the breach early on, they would not have shopped at the store knowing of the risk. The Target Court found it plausible that the customers may not have shopped there after learning of the breach, and thus that portion of the claim was allowed to proceed. However, this argu
In addition to the practical reasons why the plaintiffs unjust enrichment claim is implausible, the Court also notes that in other data breach cases where more particularly pled unjust enrichment claims have been made, those claims have been dismissed. See Irwin,
b. Missouri
Missouri law is essentially the same concerning unjust enrichment. See J.B. Contracting, Inc. v. Bierman,
12. Equitable subrogation
The parties’ arguments regarding equitable subrogation do not distinguish between Illinois and Missouri law. In its generic form, equitable subrogation allows party A to seek reimbursement from party B when party A is required to pay a third-party for expenses caused by party B. See generally, Home Ins. Co. v. Cincinnati Ins. Co.,
13. Declaratory and Injunctive relief
The Court will not comment on the propriety of the relief sought because it is
14. Conclusion
For the foregoing reasons, the Court GRANTS Schnucks’s Motion to Dismiss (Doc. 27): Counts 1-5 and 8-12 are DISMISSED without prejudice under Illinois and Missouri law, and Counts 6 & 7 are DISMISSED with prejudice under Illinois law and without prejudice under Missouri law. Because all of the substantive claims in this ease have been dismissed, the Plaintiffs are DIRECTED to file a first amended complaint by Wednesday, October 19, 2016. If they fail to do so, this entire action will be dismissed and the case will be closed.
IT IS SO ORDERED.
Notes
. Schnucks appended a number of contracts to the Motion to Dismiss, arguing that the documents could be considered by the Court because the documents were referred to in the Plaintiffs’ Complaint and were central to their claims. The Court does not comment on its ability to use these documents, but notes that the documents were not considered in reviewing the Motion to Dismiss.
. Lewert v. P.F. Chang’s China Bistro, Inc.,
. In much of the other data breach litigation, standing has been scrutinized closely. However, that issue has not been put before the Court at this juncture, so the Court is not considering the harms stated from that perspective without the benefit of argument from the parties.