In January 2009, Heartland Payment Systems, Inc. (“Heartland”) publicly disclosed that hackers had breached its computer systems and obtained access to confidential payment-card information for over one hundred million consumers. Consumers and financial institutions filed suits across the nation. The Judicial Panel on Multidistrict Litigation consolidated those cases before this court. The cases have proceeded on two tracks, one for the Consumer Plaintiffs and one for the Financial Institution Plaintiffs.
The Financial Institution Plaintiffs filed a master complaint asserting causes of action for breach of contract and implied contract, negligence and negligence per se, negligent and intentional misrepresentation, and violations of consumer-protection statutes in New Jersey and other states. (Docket Entry No. 32). Heartland moved to dismiss. (Docket Entry No. 39).
(1) The motion to dismiss is granted with prejudice and without leave to amend as to the claims for negligence and for violations of the New Jersey Consumer Fraud Act, the New York consumer protection law, and the Washington Consumer Protection Act.
(2) The motion to dismiss is granted without prejudice and with leave to amend as to the following claims: breach of contract; breach of implied contract; express misrepresentation; negligent misrepresentation based on nondisclosure; and violations of the California Unfair Competition Law, the Colorado Consumer Protection Act, the Illinois Consumer Fraud and Deceptive Business Practices Act, and the Texas Deceptive Trade Practices— Consumer Protection Act.
(3) The motion to dismiss is denied as to the claim brought under the Florida Deceptive and Unfair Trade Practices Act.
The reasons for these rulings are explained in detail below. The Financial Institution Plaintiffs must file an amended complaint no later than December 23, 2011. A status conference is set for January 13, 2012, at 8:30 a.m. in Courtroom 11-B.
I. Background
Every day, merchants swipe millions of customers’ payment cards.
Visa and MasterCard are two of the largest credit-card networks. They neither issue cards nor contract with merchants to process transactions. Instead, acquirer and issuer banks contract with
The Financial Institution Plaintiffs are nine banks suing as issuer banks. Heartland, the defendant, processes merchant transactions on behalf of two acquirer banks, Heartland Bank and KeyBank, N.A.
Beginning at least as early as December 2007, three hackers — an American, Albert Gonzalez, and two unknown Russians — infiltrated Heartland’s computer systems. (Docket Entry No. 32, ¶¶ 35, 63-64). The hackers installed programs that allowed them to capture some of the payment-card information stored on the Heartland computer systems. (Id., ¶ 65). In late October 2008, Visa alerted Heartland to suspicious account activity. Heartland, with Visa and MasterCard and others, investigated. (Id., ¶ 35). Heartland discovered suspicious files in its systems on January 12, 2009. A day later, Heartland uncovered the program creating those files. (Id., ¶ 37). That program provided the hackers with access to data on the systems. (Id., ¶¶ 41-42). On January 20, Heartland publicly announced the data breach. (Id., ¶ 38). The hackers obtained payment-card numbers and expiration dates for approximately 130 million accounts. (Id., ¶ 5). For some of these accounts, the hackers also obtained cardholder names. (Id., ¶ 44). They did not obtain any cardholder addresses, however, which meant that the stolen card information generally could be used only for in-person transactions. (Id., ¶ 70).
The Financial Institution Plaintiffs allege that this data breach resulted from Heartland’s failure to follow industry security standards known as PCI-DSS. (See id., ¶¶ 53-62). After the breach, the Financial Institution Plaintiffs incurred significant expenses replacing payment cards and reimbursing fraudulent transactions. (Id., ¶ 78). The master complaint asserts ten causes of action:
(I) breach of Heartland’s contracts with Heartland Bank, KeyBank, and its merchants, to which the Financial Institution Plaintiffs are third-party beneficiaries;
(II) negligence;
(III) breach of an implied contract to the Financial Institution Plaintiffs;
(IV) negligence per se;
(V) negligent misrepresentation;
(VI) intentional misrepresentation;
(VII) violations of the New Jersey Consumer Fraud Act; and
(VIII, IX, and X) violations of other states’ consumer-protection laws.
The complaint seeks class certification.
Heartland has moved to dismiss the complaint in its entirety. (Docket Entry No. 39). Its arguments, and the Financial Institution Plaintiffs’ responses, are addressed in detail below.
A complaint may be dismissed when the plaintiff fails “to state a claim upon which relief can be granted.” Fed. R. Civ. P. 12(b)(6). In Bell Atlantic Corp. v. Twombly,
Wfiien a plaintiffs complaint fails to state a claim, a district court generally should provide the plaintiff at least one chance to amend the complaint under Rule 15(a) before dismissing the action with prejudice. See Great Plains Trust Co. v. Morgan Stanley Dean Witter & Co.,
III. Analysis
A. The Contract and Implied Contract Claims
The master complaint asserts claims for breach of contract and breach of implied
Heartland notes that the master complaint does not precisely identify the allegedly breached contracts. Heartland submits what it contends to be the relevant contracts: its contracts with Heartland Bank and KeyBank and an “exemplar” of a contract with a merchant. (Docket Entry No. 40, at 35, 41; Docket Entry No. 42, Exs. 4-6). An affidavit from a Heartland attorney states that these were the only types of contracts in effect at the time of the data breach. (See Docket Entry No. 41, ¶¶ 6-8).
A court ordinarily may not go outside the pleadings in considering a motion to dismiss. Scanlan v. Tex. A & M Univ.,
1. The Contracts with the Acquirer Banks
The Financial Institution Plaintiffs allege that Heartland’s contracts with Heartland Bank and KeyBank required Heartland to take “appropriate steps to safeguard the sensitive financial information” of the Financial Institution Plaintiffs’ customers. (Docket Entry No. 32, ¶ 96). The Financial Institution Plaintiffs assert that they are intended third-party beneficiaries to these contracts. (Id., ¶ 97). Heartland disagrees. According to Heartland, the contracts do not show an intent primarily to benefit the Financial Institution Plaintiffs. Even if the contracts showed such an intent, Heartland argues, the Financial Institution Plaintiffs still cannot recover because they are not creditor or donee beneficiaries of the contracts. Heartland further contends that the incorporated Visa and MasterCard regulations preclude third-party claims. Finally, Heartland argues that even if the Financial Institution Plaintiffs are third-party beneficiaries of the contracts, the allegations are too conclusory to state a plausible breach of contract claim. (See Docket Entry No. 40, at 37-39).
a. The Heartland Bank Contract
Heartland’s contract with Heartland Bank contains a choice-of-law provision specifying Missouri law. (Docket Entry No. 42, Ex. 4, ¶ 4.11). The parties do not dispute that Missouri law applies. Under Missouri law, “[o]nly parties to a contract and any third-party beneficiaries of a contract have standing to enforce that contract.” Verni v. Cleveland Chiropractic Coll.,
In recent eases, the Missouri Supreme Court has held that a court must limit itself to examining the contract language in determining third-party beneficiary status. In Nitro Distributing, Inc. v. Dunn,
The Missouri Supreme Court recently reaffirmed its narrow focus on contract language in determining third-party beneficiary status. In Verni v. Cleveland Chiropractic College, a student — upset with his college after it fired a favorite professor — argued that he was a third-party beneficiary of the professor’s employment contract with the college.
The contract is a one-page document providing that [the professor] would be a full-time faculty member ... for one year. The contract required him to be on campus a certain amount of time each week and outlined his teaching duties. In return, the contract provided ... salary and employment benefits. Although the contract might incidentally provide a benefit to ... students, it does not clearly express any intent that [the professor] was undertaking a duty to benefit [the plaintiff] or a class of students.
Under Missouri law, this court must look only to the contract terms in determining whether there was a direct and clear expression of intent to benefit the third party — in this case, the Financial Institution Plaintiffs. The contract between Heartland and Heartland Bank states:
[Heartland] will safeguard, and hold confidential from disclosure to unauthorized persons, all data relating to Bank business received by [Heartland] pursuant to this Agreement to the same extent that [Heartland] safeguards data relating to its own business!.]
(Docket Entry No. 42, Ex. 4, ¶ 4.3(b)). The contract contains an identical promise by Heartland Bank to Heartland. (Id., ¶ 4.3(a)). This exchange of promises does not state an intent to benefit anyone other than the contracting parties. There is no clearly expressed intent to convey any enforceable right to the Financial Institution Plaintiffs or to any class to which they belong.
The contract refers to data relating to the business of the contracting parties, indicating an intent to protect the contracting parties’ businesses from unauthorized disclosures. The Financial Institution Plaintiffs acknowledge that Heartland’s failure to protect consumer payment-card data would harm Heartland’s own business. (See Docket Entry No. 32, ¶¶ 57-60). The Financial Institution Plaintiffs cite the contract’s requirement that Heartland indemnify Heartland Bank's “affiliates!.]” (Docket Entry No 42, Ex. 4, ¶ 4.5(a)). But this indemnification clause does not show an intent primarily to benefit the Financial Institution Plaintiffs. The term “affiliate” means “[a] corporation that is related to another corporation by shareholdings or other means of control; a subsidiary, parent, or sibling corporation.” Black’s Law Dictionary 63 (8th ed. 2004); see also Nitro Distrib.,
Heartland’s motion to dismiss based on the Heartland Bank contract is granted with prejudice and without leave to amend because amendment would be futile.
b. The KeyBank Contract
This court previously reviewed Ohio law on third-party beneficiaries in the related case against KeyBank and found the complaint insufficient to state a claim that the issuer banks were third-party beneficiaries to the contract between KeyBank and Heartland. The contract language itself did not show an intent to benefit third parties. Because Ohio law, unlike Missouri law, allows consideration of evidence beyond the contract terms to determine third-party beneficiary status, it was appropriate to grant the issuer banks leave
Heartland advances an additional reason to dismiss in this case. The damages the Financial Institution Plaintiffs seek are consequential damages, which the KeyBank contract excludes absent a willful breach.
When a contract limits recovery to direct damages, a plaintiff may recover only the difference between the amount paid and the value received. See Nat’l Mulch & Seed, Inc. v. Rexius Forest By-Products Inc., No. 2:02-cv-1288,
The breach of contract allegations based on the KeyBank contract are dismissed, without prejudice and with leave to amend.
2. The Merchant Processing Agreements
Heartland argues that its Merchant Processing Agreements (“Agreements”), an exemplar of which it has produced, do not provide a basis for recovery for breach of contract. The Agreements provide that New Jersey law applies. (Docket Entry No. 42, Ex. 6, ¶ 14.12). The parties do not dispute the application of New Jersey law.
Under the Agreements, Heartland’s “sole liability ... shall be to correct ... any data in which errors have been caused by [Heartland.]” (Docket Entry No. 42, Ex. 6, ¶ 8.5). The Agreements state that “Heartland shall have no other liability whatsoever to Merchant, and Merchant hereby expressly wa[i]ves any claim against [Heartland] for indirect, special, exemplary, incidental or consequential damages or lost profits or interest.” (Id,., ¶ 8.7). New Jersey generally enforces damages-limitation clauses between businesses. 66 VMD Assocs., LLC v. Melick-Tully & Assocs., P.C., No. L-6584-07,
The Financial Institution Plaintiffs do not assert that the damages-limitation clauses are unenforceable. Instead, they contend that these clauses only limit a merchant’s ability to recover for consequential damages. These clauses, they say, do not apply to their claim as third-party beneficiaries to the Agreements. This contention is unpersuasive. “It is black letter law that a third-party beneficiary is not entitled to any more rights than the actual contracting party.” Merchants Mut. Ins. Co. v. Monmouth Truck Equip., Inc., Civ. A. No. 06-cv-05395 (FLW),
3. The Implied Contract Claim
Under New Jersey law, “[a]n implied-in-fact contract is a true contract arising from mutual agreement and intent to promise, but where the agreement and promise have not been verbally expressed.” S. Jersey Hosp., Inc. v. Corr. Med. Servs., Civ. No. 02-2619(JBS),
The Financial Institution Plaintiffs rely on In re Hannaford Brothers Co. Customer Data Security Breach Litigation,
find certain other implied terms in the grocery purchase contract: for example, that the merchant will not use the card data for other people’s purchases, will not sell or give the data to others (except in completing the payment process), and will take reasonable measures to protect the information (which might include meeting industry standards), on the basis that these are implied commitments that are “absolutely necessary to effectuate the contract,” and “indispensable to effectuate the intention of the parties.”
Id. at 119 (emphasis in original) (quoting Seashore Performing Arts Ctr., Inc. v. Town of Old Orchard Beach,
A case with facts more similar to those at issue here is Hammond v. The Bank of New York Mellon Corporation, No. 08 Civ. 6060(RMB)(RLE),
Rather, Plaintiffs had relationships (only) with institutional clients of Defendant, such as the Walt Disney Company .... Plaintiffs gave their personal data over to these entities, which, in turn, forwarded the data to Defendant (which stored the data on the tapes that ultimately were lost or stolen).
Id. at *9. Applying New York law, the court concluded that, absent evidence of “any direct dealings” between the individuals and the defendant, there was no basis to find the mutual assent necessary for an implied contract. Id. at *11.
Unlike the plaintiffs in Hannaford Brothers, and like those in Hammond, the Financial Institution Plaintiffs do not allege a direct contract relationship with Heartland that would plausibly suggest the mutual assent necessary for an implied contract. The Financial Institution Plaintiffs’ contracts are with Heartland’s clients, not Heartland. The pleadings allege that the Financial Institution Plaintiffs have at most an indirect relationship with Heartland through Heartland’s processing of
B. The Negligence Claims
1. Negligence Per Se
The Financial Institution Plaintiffs have withdrawn their negligence per se claim based on Heartland’s alleged failure to follow the security protocols set out in the Visa and MasterCard regulations. (Docket Entry No. 50, at 23 n. 14).
2. Negligence
The Financial Institution Plaintiffs allege that Heartland breached three duties: “a duty to exercise reasonable care in safeguarding and protecting [payment-card] information from being compromised and/or stolen,” (Docket Entry No. 32, ¶ 101); a seemingly related “duty to put into place internal policies and procedures designed to detect and prevent the unauthorized dissemination of [the Financial Institution Plaintiffs’] customers’ private, non-public, sensitive financial information,” (id., ¶ 103); and “a duty to timely disclose to [the Financial Institution Plaintiffs’] customers that the Data Breach had occurred and the private, non-public, sensitive financial information of [the Financial Institution Plaintiffs’] customers” may have been compromised, (id., ¶ 102).
Suits by issuer banks against other participants in the credit-card processing chain are “of fairly recent vintage.” Rebecca Hatch Weston, Liability of Retailer and Its Affiliate Bank to Credit Card Issuer for Costs Arising out of Breach of Retailer’s Computer Security,
In Banknorth, N.A. v. BJ’s Wholesale Club, Inc.,
In In re TJX Companies Retail Security Breach Litigation,
The Third Circuit reached the same conclusion under Pennsylvania law in Sovereign Bank v. BJ’s Wholesale Club, Inc.,
The Iowa Supreme Court recently rejected a similar negligence claim under the economic-loss doctrine. In Annett Holdings, Inc. v. Kum & Go, L.C.,
Heartland argues that this court must dismiss the negligence claim because Texas law does not allow tort claims for purely economic loss. See Memorial Hermann Healthcare Sys., Inc. v. Eurocopter Deutschland, GMBH,
The elements of negligence under New Jersey law are (1) a duty of care, (2) a breach of that duty, (3) proximate cause, and (4) damages. Brunson v. Affinity Fed. Credit Union,
People Express recognizes that “a plaintiff [can] bring an action for purely economic losses, regardless of any accompanying physical harm or property damage, if the plaintiff [is] a member of an identifiable class that the defendant should have reasonably foreseen was likely to be injured by the defendant’s conduct[.]” Carter Lincoln-Mercury, Inc., Leasing Div. v. EMAR Grp., Inc.,
New Jersey has exhibited a “strong resistance to the usurpation of contract law by tort law[.]” Travelers Indem. Co. v. Dammann & Co.,
This court previously concluded that, under New Jersey law, Heartland owed no duty to the issuer banks because “relationships among issuers, acquirers, and their contractors — such as Heartland Payment Systems — are governed by the Visa and MasterCard regulations,” not tort law. (Docket Entry No. 117, at 44). The court dismissed vicarious liability claims against an acquirer bank that hired Heartland to process payment-card transactions. In supplemental briefing following that order, the Financial Institution Plaintiffs argue that the economic-loss doctrine does not apply to them because Heartland, unlike the acquirer banks, is not a member of the Visa and MasterCard networks. (Docket Entry No. 124, at 1). The Financial Institution Plaintiffs note that no New Jersey case has applied the economic-loss doctrine to bar tort recovery absent a direct contractual relationship. The Financial Institution Plaintiffs cite Consult Urban,
Additionally, the damages the Financial Institution Plaintiffs seek — the costs of
The New Jersey Supreme Court’s recognition that an “allocation of risks in accordance with [a voluntary] agreement better serves the public interest than an allocation achieved as a matter of policy without reference to that agreement” also weighs against creating a tort duty between payment processors and issuer banks to protect payment-card information from unauthorized access. Spring Motors,
Relying on Dynalectric Company v. Westinghouse Electric Corporation,
The negligence claim is dismissed with prejudice and without leave to amend because amendment would be futile.
C. The Misrepresentation Claims
The Financial Institution Plaintiffs allege fraud and negligent misrepresentation under New Jersey law. According to the complaint, numerous statements by Heartland — in S.E.C. filings; in analyst calls; on Heartland’s logo; and on Heartland’s web site, before and after the data breach— suggested that Heartland’s security measures were better than they actually were. The complaint also faults Heartland for failing to disclose information about its security flaws. It additionally asserts that Heartland, by participating in the Visa and MasterCard networks, effectively repre
Under New Jersey law, common-law fraud has five elements: “(1) a material misrepresentation of a presently existing or past fact; (2) knowledge or belief by the defendant of its falsity; (3) an intention that the other person rely on it; (4) reasonable reliance thereon by the other person; and (5) resulting damages.” Banco Popular N. Am. v. Gandi
Federal Rule of Civil Procedure 9(b) applies to fraud allegations. Under the rule, “a party must state with particularity the circumstances constituting fraud or mistake. Malice, intent, knowledge, and other conditions of a person’s mind may be alleged generally.” Fed. R. Civ. P. 9(b). “Put simply, Rule 9(b) requires ‘the who, what, when, where, and how’ to be laid out.” Shandong Yinguang Chem. Indus. Joint Stock Co. v. Potter,
The parties dispute whether the complaint’s negligent misrepresentation allegations must comply with Rule 9(b). It is unnecessary to resolve this dispute, for the allegations of negligent misrepresentation fail to meet Rule 8’s basic pleading standard.
1. Misrepresentation
Heartland asserts that many of the alleged misrepresentations are not the kinds of statements that give rise to liability under either a fraud or negligence theory. New Jersey law distinguishes between factual misrepresentations and “puffery.” It is reasonable to rely on the first but not the second. E.g., Lieberson v. Johnson & Johnson Consumer Cos., — F.Supp.2d —, —,
Certain statements alleged in the master complaint are not actionable misrepresentations, as a matter of law. To the extent that the Financial Institution Plaintiffs argue that Heartland’s statements and conduct amounted to a guarantee of absolute data security, reliance on that statement would be unreasonable as a matter of law. Cf. Hannaford Bros.,
Even after the Data Breach occurred, [Heartland] continued to provide ... assurances that it was adequately protecting the sensitive financial information with which it was entrusted. For example, the website that Heartland created in connection with its disclosure of the Data Breach claims that “Heartland is deeply committed to maintaining the security of cardholder data, and we will continue doing everything reasonably possible to achieve this objective.”
(Docket Entry No. 32, ¶ 50). Statements after the data breach was announced cannot form the basis of a misrepresentation claim because they could not have been material to the banks’ and merchants’ decisions to contract with Heartland. See, e.g., Prezant v. Jegou, L-819-07,
The master complaint also alleges representations about Heartland’s information-sharing practices. The statements include that “we have limited our use of consumer information solely to providing services to other businesses and financial institutions,” and that “[w]e limit sharing of non-public personal information to that necessary to complete the transactions on behalf of the consumer and the merchant and to that permitted by federal and state laws.” (Docket Entry No. 32, ¶ 45). These are not statements about Heartland’s data-security practices. Instead, these statements are promises that Heartland will not intentionally share consumers’ personal information with others. The Financial Institution Plaintiffs have not alleged that Heartland intentionally shared information beyond the limits it stated.
On the other hand, some alleged statements are factual representations that are sufficiently definite to support a claim for negligent misrepresentation. According to the master complaint, Heartland stated that “[w]e maintain current updates of network and operating system security releases and virus definitions, and have engaged a third party to regularly test our systems for vulnerability to unauthorized access.” Heartland also stated that “we encrypt the cardholder numbers that are stored in our databases using triple-DES protocols, which represent the highest commercially available standard for encryption.” (Id., ¶ 45). These statements are factually concrete and verifiable. Similarly, Heartland’s statement that its “Exchange has passed an independent verification process validating compliance with VISA requirements for data security” is
Heartland argues that even assuming that some of the alleged misrepresentations are actionable, the master complaint insufficiently alleges reliance. The complaint’s allegations of reliance are wholly conclusory. (Docket Entry No. 32, ¶¶ 125 (alleging that the Financial Institution Plaintiffs “justifiably relied”), 129 (alleging that they “reasonably relied”)). It is unclear, for example, if the issuer banks’ reliance was through their joining, remaining in, or withdrawing from the Visa and MasterCard networks, or what relationship the statements have to any such actions. See, e.g., Cumis Ins. Soc’y,
not give sufficient notice of the Financial Institution Plaintiffs’ misrepresentation claims either to determine their entitlement to relief or to allow Heartland to prepare its defense, the claims must be dismissed.
It is unnecessary to address the remaining arguments at this time. Dismissal is without prejudice and with leave to amend.
2. Implied Misrepresentation The Financial Institution Plaintiffs allege that “by accepting and agreeing to process the credit cards and/or debit cards issued by [the Financial Institution Plaintiffs], Heartland impliedly agreed that it would adequately protect the sensitive information contained in these cards, as well as comply with applicable standards to safeguard data.” (Docket Entry No. 32, ¶ 52). The Financial Institution Plaintiffs allege that “Heartland knew that by virtue of their membership in the Visa and MasterCard Networks, [they] relied on Heartland to employ appropriate data security measures.” (Id., ¶ 123). The Massachusetts Supreme Judicial Court rejected the same theory of negligent implied misrepresentation in litigation arising out of a similar data breach. In Cumis Insurance
The same reasons and reasoning require dismissal in this case. Under New Jersey law, it is unreasonable to rely on a representation when, as here, a financial arrangement exists to provide compensation if circumstances later prove that representation false. See Russell-Stanley Corp. v. Plant Indus., Inc.,
3. Nondisclosure
For their third theory of misrepresentation, the Financial Institution Plaintiffs allege that Heartland failed to disclose weaknesses in its data security. “The deliberate suppression of a material fact is equivalent to a material misrepresentation if the party has a duty to disclose the fact.” Maertin v. Armstrong World Indus. Inc.,
To the extent the Financial Institution Plaintiffs allege that Heartland had a duty to disclose corrective information unrelated to any material misrepresentation, the complaint alleges insufficient facts to find such a duty. There is no fiduciary relationship alleged. Businesses rarely owe each other fiduciary duties in arms-length business transactions. See City of Millville v. Rock,
Although the allegations supporting the duty to disclose are thin, the Financial Institution Plaintiffs’ briefing clarifies that the basis of the alleged duty is that “Heartland held itself out to the [Financial Institution Plaintiffs] and the public at large as having adequate system security measures in place.” (Docket Entry No. 50, at 33). “Even where no duty to speak exists, one who elects to speak must tell the truth when it is apparent that another
D. The Consumer-Protection Claims
The Financial Institution Plaintiffs allege violations of 23 states’ consumer-protection laws.
Heartland argues that this court should consider only the claims under New Jersey law, and that the claims under the remaining states’ laws should be dismissed. Heartland contends that multiple states’ laws cannot apply to the same set of misrepresentations. It further asserts that the Financial Institution Plaintiffs should not be allowed to plead the application of different states’ law so that they can strategically choose which law to apply after seeing which claims survive a motion to dismiss. These arguments are unpersuasive. Courts have applied multiple states’ laws in consumer protection cases when choice-of-law rules require doing so. See In re Pharm. Indus. Average Wholesale Price Litig.,
The cases on which Heartland relies to argue that only New Jersey law applies are distinguishable. In a separate Hanna-ford Brothers opinion, the district court had certified a question to the Maine Law Court based on the defendant’s concession that Maine law applied. Judicial estoppel prevented the defendant from later arguing that a different state’s law applied. MDL No. 2:08-MD-1954,
Neither side has briefed the choice-of-law issue. This court will not conduct such an analysis before the parties have done so. The arguments about each state’s law instead are analyzed below.
1. The New Jersey Consumer Fraud Act
The parties focus primarily on the New Jersey Consumer Fraud Act (“NJCFA”), N.J. Stat. § 56:8-1 et seq. The NJCFA prohibits
[t]he act, use or employment by any person of any unconscionable commercial practice, deception, fraud, false pretense, false promise, misrepresentation, or the knowing, concealment, suppression, or omission of any material fact with intent that others rely upon such concealment, suppression or omission, in connection with the sale or advertisement of any merchandise or real estate, or with the subsequent performance of such person as aforesaid, whether or not any person has in fact been misled, deceived or damaged thereby, is declared to be an unlawful practiee[.]
Id. § 56:8-2. The NJCFA creates a private right of action for “[a]ny person who suffers any ascertainable loss of moneys or property, real or personal, as a result of the use or employment by another person of any method, act, or practice” prohibited under the NJCFA. Id. § 56:8-19. Under the NJCFA, “merchandise” includes “any objects, wares, goods, commodities, services or anything offered, directly or indirectly to the public for sale[.]” Id. § 56:8-1(c). The NJCFA includes business entities in the definition of “person.” Id. § 56:8 — 1(d); see also Finderne Mgmt. Co. v. Barrett,
“Because it is remedial legislation, the [NJJCFA is construed liberally to accomplish its broad purpose of safeguarding the public.” Lee,
State and federal courts have recognized that a business may sue under the NJCFA. J & R Ice Cream,
Business entities, like individual consumers, cover a wide range. Some are poor, some wealthy; some are naive, some sophisticated; some are required to submit, some are able to dominate. Even the most world-wise business entity can be inexperienced and uninformed in a given consumer transaction. Unlawful practices thus can victimize business entities as well as individual consumers. It may well be, of course, that certain practices unlawful in a sale of personal goods to an individual consumer would not be held unlawful in a transaction between particular business entities; the Act largely permits the meaning of “unlawful practice” to be determined on a case-by-case basis.
Id. at 249. Subsequent state and federal courts have agreed that a case-by-case approach to NJCFA claims asserted by businesses is appropriate. Papergraphics,
Courts generally have limited NJCFA claims by businesses to “consumer oriented situations.” J & R Ice Cream,
Only a “bona fide consumer” may bring a claim under the NJCFA. Smith v. Trusted Universal Standards in Elec. Transactions, Inc., Civ. No. 09-4567 (RBK/KMW),
Courts uniformly have excluded wholesalers from the NJCFA’s protection, because they themselves do not consume merchandise; rather, they pass merchandise along to consumers. See, e.g., Diamond Life Lighting MFG (HK) Ltd. v. Picasso Lighting, Inc., Civ. A. No. 10-161(PGS),
Even when a business is a consumer of merchandise, other factors may exclude it from NJCFA protection. The NJCFA applies only to “goods or services generally sold to the public at large.” Cetel v. Kirwan Fin. Grp., Inc.,
The master complaint alleges that the Financial Institution Plaintiffs are “consumers in the marketplace for, inter alia^ credit card and/or debit card transaction processing services, and have been injured in this capacity.” (Docket Entry No. 32, ¶ 133). The complaint describes representations and services offered to merchants and members of the Visa and MasterCard networks, including the Financial Institution Plaintiffs. The complaint does not, however, allege that the Financial Institution Plaintiffs purchased any services from Heartland. The Financial Institution Plaintiffs’ relationship with Heartland exists only by virtue of their participation in the Visa and MasterCard networks. This relationship is far different from the direct, downstream relationship between a consumer of a good and its manufacturer or seller. Cf., e.g., Diamond Life Lighting,
Additionally, payment-card processing services are not offered to the general public. Instead, such services are provided by specific entities for members of the Visa and MasterCard networks. Heartland promises in its contracts to comply with the networks’ regulations. These regulations significantly protect the Financial Institution Plaintiffs through loss-allocation rules and a cost-recovery process. In turn, issuer banks such as the Financial Institution Plaintiffs are required to maintain fraud-detection programs. These aspects of the Visa and MasterCard networks, along with the Financial Institution Plaintiffs’ status as sophisticated financial institutions, set the Financial Institution Plaintiffs apart from the type of consumer protected under the NJCFA. The NJCFA claim is dismissed with prejudice and without leave to amend because amendment would be futile.
2. The California Unfair Competition Law
The Financial Institution Plaintiffs allege that Heartland violated the California Unfair Competition Law, Cal. Bus. & Prof. Code § 17200 et seq. “A UCL plaintiff with standing is a person who ‘[1] has suffered injury in fact and [2] has lost money or property as a result of the unfair competition.’ ” Degelmann v. Advanced Med. Optics, Inc.,
3. The Colorado Consumer Protection Act
The complaint alleges that Heartland violated the subsection of the Colorado Consumer Protection Act. that prohibits, as a deceptive trade practice, “false or misleading statements of fact concerning the price of goods, services, or property or the reasons for, existence of, or amounts of price reductions.” Colo. Rev. Stat. § 6-1-105(1)(1). As Heartland points out, there are no allegations in the complaint about
4. The Florida Deceptive and Unfair Trade Practices Act
The Financial Institution Plaintiffs claim a violation of the Florida Deceptive and Unfair Trade Practices Act (“FDUTPA”), Fla. Stat. § 501.201 et seq. Heartland argues that this claim must be dismissed because only consumers, as the word is traditionally used, may assert claims under the FDUTPA. The Financial Institution Plaintiffs respond that the Act’s definition of “consumer” is broad enough to include them.
The FDUTPA prohibits “[u]nfair methods of competition, unconscionable acts or practices, and unfair or deceptive acts or practices in the conduct of any trade or commerce[.]” Id. § 501.204(1). The Act’s purpose is “[t]o protect the consuming public and legitimate business enterprises from those who engage in unfair methods of competition, or unconscionable, deceptive, or unfair acts or practices in the conduct of any trade or commerce.” Id. § 501.202(2). A practice is unfair if it “offends established public policy” or is “immoral, unethical, oppressive, unscrupulous, or substantially injurious to consumers.” PNR, Inc. v. Beacon Prop. Mgmt., Inc.,
Before 2001, the FDUTPA allowed “a consumer who has suffered a loss as a result of a violation” of the FDUTPA to bring a cause of action. Am. Honda Motor Co. v. Motorcycle Info. Network, Inc.,
[I]n 2001, the Legislature made two changes to FDUTPA that are relevant to the issue before us. As noted, the Legislature replaced the word “consumer” with “person.” (The term “person,” the Committee Staff noted, “is understood to include a business.” See Senate Staff Analysis[, CS/SB 208, Mar. 22, 2001,] at 6.) The Legislature also amended the definition of “consumer” in § 501.203(7) to add “business” and “any commercial entity, however denom*604 mated.” See Laws of Fla. Ch. 2001-39 § 1 (amending § 501.203(7) as described). So at the same time the Legislature expanded the definition of “consumer,” it replaced the term “consumer” with “person” in the section providing for monetary remedies for a violation of the statute. To us, this evinces an intent to expand the applicability of the remedies provision to more than just consumers. If the purpose had been to assure that businesses could avail themselves of the remedies under § 501.211(2), given “inconsistent court interpretations” in which “remedies available to individual consumers have not always been available to business consumers,” see Senate Staff Analysis at 4, that purpose could have been accomplished by the change to the definition of “consumer” (in § 501.203(7)), such that the term “consumer” did not have to be replaced with “person” in § 501.211(2). Thus a non-consumer (like a competitor, either individually or through a corporate form) could seek relief under the statute so long as the trade or commerce element of the statute was satisfied.
Id. at 1373 n. 9; cf. Hetrick v. Ideal Image Dev. Corp.,
The question is a close one. The Act’s purpose is “[t]o protect the consuming public and legitimate business enterprises.” Fla. Stat. § 501.202(2) (emphasis added). It is unclear if the word “consuming” applies to only “public” or also to “legitimate business enterprises.” The more natural reading is that this clause lists two independent groups that the Act seeks to protect: first, “the consuming public,” and second, “legitimate business enterprises.” See Akzo Nobel Coatings, Inc. v. Auto Paint & Supply of Lakeland, Inc., No. 8:09-CV-2453-T-30TBM,
The motion to dismiss the FDUTPA claim on the basis of lack of standing is denied.
5. The Illinois Consumer Fraud and Deceptive Business Practices Act
Heartland argues that the Financial Institution Plaintiffs’ claim under the
The master complaint does not adequately allege that Heartland intended the Financial Institution Plaintiffs to rely on any of its statements. The alleged misstatements in the S.E.C. filings, analyst calls, and the Merchant’s Bill of Rights were not directed to issuer banks. Because issuers have no direct dealings with payment-card processors, it is implausible that Heartland intended statements in documents not directed to the Financial Institution Plaintiffs to be relied on by them or by any issuer banks. The master complaint conclusorily alleges reliance, insufficient to state a claim.
Heartland correctly states that under Illinois law, nonconsumers must show that “the complained-of conduct implicates consumer protection concerns.” Speakers of Sport, Inc. v. ProServ, Inc.,
6. The New York Consumer-Protection Law
The Financial Institution Plaintiffs allege violations of New York’s consumer-protection statute, which prohibits “[d]eceptive acts or practices in the conduct of any business, trade or commerce or in the furnishing of any service[J” N.Y. Gen. Bus. Law § 349(a). “Generally, claims under the statute are available to an individual consumer who falls victim to misrepresentations made by a seller of consumer goods through false or misleading advertising.” Eaves v. Designs for Fin., Inc.,
Even assuming that the Financial Institution Plaintiffs had adequately pleaded that Heartland engaged in deceptive practices and that those practices injured them, the Financial Institution Plaintiffs are not “consumers.” Nor is the conduct “consumer-oriented” under § 349. The Financial Institution Plaintiffs are far removed from an individual “who purchases goods and services for personal, family or household use,” the paradigmatic § 349 plaintiff. Id. at 265 (quoting Exxonmobil Inter-America,
Moreover, Heartland’s allegedly deceptive representations — whether made in S.E.C. filings, to acquiring banks, or to merchants — do not qualify as “consumer-oriented conduct,” as required to state a claim under § 349. Heartland made statements to acquiring banks and merchants about card-processing services. Such services are neither marketed nor offered to consumers, but only to specific types of commercial entities. Even assuming that the Financial Institution Plaintiffs can plausibly plead that they were injured by statements not directed toward them, the deceptive conduct they allege was not directed at “non-business consumers.” Eaves,
7. The Texas Deceptive Trade Practices — Consumer Protection Act
The complaint alleges violations of the Texas Deceptive Trade Practices-Consumer Protection Act (“TDTPA”), Tex. Bus. & Com. Code § 17.41 et seq. Heartland argues that the master complaint fails to state a claim because it does not allege: (1) that Lone Star National Bank, the only Texas plaintiff, has less than $25 million in assets, see id. § 17.45(4) (excluding business entities with more than $25 million in assets from the term “Consumer”); (2) misrepresentations made “in connection with the [Financial Institution Plaintiffs’] transaction in goods or services,” Amstadt v. U.S. Brass Corp.,
Like the misrepresentation claim, the TDTPA claim must be dismissed because the conclusory allegation of reliance is insufficient under Rule 8. See, e.g., Rice v. Metro. Life Ins. Co.,
The complaint alleges that Heartland violated Washington’s Consumer Protection Act, Wash. Rev.Code § 19.86.010 et seq. “To prevail in a private CPA claim, the plaintiff must prove (1) an unfair or deceptive act or practice, (2) occurring in trade or commerce, (3) affecting the public interest, (4) injury to a person’s business or property, and (5) causation.” Panag v. Farmers Ins. Co. of Wash.,
Heartland argues that the complaint insufficiently alleges an effect on the public interest. When a case involves a private dispute, as opposed to an ordinary consumer transaction, the plaintiff must show “a likelihood that additional persons have been or will be injured in the same fashion.” AG. & Design Assocs., LLC v. Trainman Lantern Co., No. C07-5158RBL,
(1) Were the alleged acts committed in the course of defendant’s business? (2) Did defendant advertise to the public in general? (3) Did defendant actively solicit this particular plaintiff, indicating potential solicitation of others? (4) Did plaintiff and defendant occupy unequal bargaining positions?
Stephens v. Omni Ins. Co.,
The master complaint fails to allege sufficient facts suggesting that the Financial Institution Plaintiffs’ claim affects the public interest. The only group likely to be injured in the same fashion- — ■ incurring expenses for replacement cards and fraudulent transactions — consists of other issuer banks. Such a group is both too small and too specialized to constitute a substantial portion of the public. See Swartz,
The master complaint vaguely alleges that Heartland intended its statements to lull the public into believing that its data security was better than it actually was. That allegation is insufficient to show that a dispute between sophisticated banks that issue payment cards and the company hired by other banks to process payments for merchants affects the public interest.
IV. Conclusion
Heartland’s motion to dismiss, (Docket Entry No. 39), is granted in part and denied in part. All claims except that under the FDUTPA are dismissed. Leave to amend is granted only as to the following claims: breach of contract and implied contract (both under the limited circumstances described above); express misrepresentation; negligent misrepresentation based on nondisclosure; and violations of the California Unfair Competition Law, the Colorado Consumer Protection Act, the Illinois Consumer Fraud and Deceptive Business Practices Act, and the Texas Deceptive Trade Practices — Consumer Protection Act.
The Financial Institution Plaintiffs must amend their master complaint by December 23, 2011. A status conference is set for January 13, 2012, at 8:30 a.m. in Courtroom 11-B.
Notes
. The Financial Institution Plaintiffs responded, (Docket Entry No. 50); Heartland replied,
. The Financial Institution Plaintiffs seek to proceed as a nationwide class or, alternatively, as nine state subclasses. (Docket Entry No. 32, ¶¶ 80-82). The issue of class certification is not yet before this court.
. The factual allegations, which, if nonconclusoiy, this court must take as true for purpose of the motion to dismiss, come from the master complaint. See Randall D. Wolcott, M.D., P.A. v. Sebelius,
. The term "payment cards” refers to both credit and debit cards distributed by issuer banks.
. Five of the Financial Institution Plaintiffs sued Heartland Bank and KeyBank in the Southern District of Texas. That case also is part of the consolidated litigation. (Docket Entry No. 72).
. The reasons for dismissing the Financial Institution Plaintiffs' breach of contract claim based on the KeyBank contract equally support dismissing the claim based on the Heartland Bank contract.
. Nearly identical language appears in the Heartland Bank contract. (Docket Entry No. 42, Ex. 4, ¶ 4.7).
. The First Circuit recently affirmed the district court's conclusion regarding the implied-contract claim, but with little detail. See Hannaford Brothers,
. Heartland also argues that other elements of an implied contract claim are missing. This court need not address those arguments at this time.
. The district court in Hannaford Brothers, see supra at 581-82, declined to dismiss the customers' negligence claim on similar grounds.
. The credit-card network in Annett Holdings was Comdata, not Visa or MasterCard. Nonetheless, the rules governing the risk allocation for fraudulent charges appear to be similar in that the issuer bank, the trucking company, was required to bear the loss for fraudulent charges. See
. Whether Heartland owed a duty of care to individual cardholders is not at issue in this case.
. One court applying New Jersey law has refused to apply the economic-loss doctrine to contracts for services, not goods. Consult Urban Renewal Dev. Corp. v. T.R. Arnold & Assocs., Inc., Civ. A. No. 06-1684(WJM),
. The New Jersey Supreme Court has made clear that "[pjerfect parity is not required for a finding of substantially equal bargaining power.” Alloway v. Gen. Marine Indus., L.P.,
. Richard A. Epstein & Thomas P. Brown, Cybersecurity in the Payment Card Industry, 75 U. Chi. L. Rev. 203, 203 (2008) (“Using a payment card (as opposed to some other form of payment) rests on voluntary decisions by consumers and merchants, as well as the banks with which they interact.”).
. Many commentators have written about the fairness and effectiveness of these rules. See Robert G. Bailen & Thomas A. Fox, The Role of Private Sector Payment Rules and a Proposed Approach for Evaluating Future Changes to Payments Law, 83 Chi.-Kent L. Rev. 937 (2008); Duncan B. Douglass, An Examination of the Fraud Liability Shift in Consumer Card-Based Payment Systems, Econ. Persp., Mar. 22, 2009, at 43, available at http://www. chicagofed.org/digitalassets/publications/ economic_perspectives/2009/ep_lqtr2009_ part7_douglass.pdf; Epstein & Brown, supra; Edward J. Janger, Locating the Regulation of Data Privacy and Data Security, 5 Brook. J. Corp. Fin. & Com. L. 97 (2010); Adam J. Levi-tin, Private Disordering? Payment Card Fraud Liability Rules, 5 Brook. J. Corp. Fin. & Com. L. 1 (2010); Mark MacCarthy, Information Security Policy in the U.S. Retail Payments Industry, 2011 Stan. Tech. L. Rev. 3; see also Levi-tin, supra, at 4 nn. 9 & 10 (collecting articles). As explained below, what is relevant here is that the Financial Institution Plaintiffs accepted those rules and issued payment cards.
. The Financial Institution Plaintiffs rely on the First Circuit's discussion in Hannaford Brothers regarding the foreseeability of the costs to replace payment cards following the data breach in that case. (Docket Entry No. 133, at 3-4 (quoting Hannaford Brothers,
. The Financial Institution Plaintiffs' reliance on the First Circuit’s recent decision in Hannaford Brothers,
. See also, e.g., In re Aetna, Inc. Secs. Litig.,
. Heartland also asserts that the misrepresentation claims should be dismissed because a misrepresentation made during the course of a contractual relationship generally is actionable only as a breach of contract. See, e.g., Capitalplus Equity, LLC v. Prismatic Dev. Corp., Civ. A. No. 07-321 (WHW),
. The Financial Institution Plaintiffs assert that their complaint adequately pleads reliance, citing to In re Ford Motor Co. E-350 Van Products Liability Litigation (No. II), Civ. No. 03-4558(HAA), MDL No. 1687,
. In reaching this conclusion, the court disapprovingly cited the plaintiffs attempt to "repackage” an unavailing breach of contract claim "under tort law.” Cumis Ins. Soc’y,
. Before the Massachusetts Supreme Judicial Court reached its decision, a Massachusetts federal district court found that the same theory stated a claim. In re TJX Cos. Retail Sec. Breach Litig.,
The Financial Institution Plaintiffs argue that the TJX litigation weighs against dismissal. This court, however, agrees with the Massachusetts Supreme Judicial Court’s resolution of that case's implied-misrepresentation claim. The Financial Institution Plaintiffs’ implied misrepresentation claim therefore is not a claim that could be supported by evidence uncovered during discovery.
. The Financial Institution Plaintiffs alleged violations under Arkansas, California, Colorado, Connecticut, Delaware, the District of Columbia, Florida, Hawaii, Idaho, Illinois, Massachusetts, Minnesota, Missouri, Nebraska, Nevada, New Jersey, New Mexico, New York, North Dakota, Oklahoma, Rhode Island, Vermont, and Washington law. They withdrew their claims based on District of Columbia, Hawaii, Missouri, Oklahoma, and Rhode Island law. (Docket Entry No. 50, at 42 n. 31).
. In some cases, courts have recognized that a party who was not a consumer of a company's merchandise nonetheless may recover under the NJCFA. See, e.g., Port Liberte Homeowners Ass’n, Inc. v. Sordoni Constr. Co.,
. The Church & Dwight court acknowledged that some courts had stated in dicta and without analysis that a competitor had standing to bring an NJCFA claim.
. Ford. Motor Co. v. Edgewood Props., Inc., Civ. A. Nos. 06-1278, 06-4266,
. See also A.H. Meyers & Co. v. CNA Ins. Co.,
. In the alternative, the complaint conclusorily alleges that the Financial Institution Plaintiffs are commercial competitors of Heartland. More detailed factual allegations would be unavailing because business competitors lack standing under the NJCFA unless the parties have entered into a consumer-like transaction. See Church & Dwight Co.,
. See supra at 601-02.
. The reasons discussing why the Financial Institution Plaintiffs' claim under Washington law does not affect the "public interest,” as under that law, also show why their New York claim does not involve consumer-oriented conduct. See infra at 608-09.
. Had the Financial Institution Plaintiffs adequately pleaded reliance, Heartland's reliance on Amstadt would be an insufficient basis to dismiss. In Amstadt, a group of homeowners sued their homebuilder and three manufacturing companies after discovering that their plumbing systems were defective. Among other claims, they asserted violations of the TDTPA.
. A private claim may also be based on a per se violation of the statute. Panag,
. The reasons the Financial Institution Plaintiffs' New York claim does not concern "consumer-oriented conduct” within the meaning of that statute also support the conelusion that their Washington claim does not affect the "public interest” under Washington law. See supra at 608-09.