ABA Banking Journal

Banks Turn to the Courts for Data Breach Claims

September 13, 2018

By Dawn Causey, Thomas Pinder and Andrew Doersam

Banks frequently absorb fraud losses when the consumer is compensated for damage done by other sectors. When retailers with questionable security protocols are breached, banks support the customer throughout the fraud cycle: consumer outreach and notification, card reissuance, enhanced transaction monitoring and reassurance that the bank’s systems are safe.

The payment brands provide processes for banks to recover some costs and to assign liability for transaction losses—and the EMV chip card transition both created liability incentives for retailers to accept payment credentials which are less susceptible to fraud and introduced technologies to drive down the frequency of card reissuances.

But as data breaches have continued to become more pervasive, some financial institutions are now suing merchants to recover additional data breach costs which may fall outside of those covered in contracts with payment brands. A recent Seventh Circuit decision provides a glimpse into how courts analyze liability for data breaches when there are established contracts governing data security.

In 2012, hackers infiltrated Schnucks, a large Midwestern grocery chain, and stole nearly 2.5 million credit and debit card numbers in a breach believed to have continued for four months before Schnucks detected the intrusion. Once Schnucks recognized that its systems had been compromised by hackers, the grocer took another two weeks before announcing the breach publicly. Financial losses from the unauthorized purchases and cash withdrawals made using the stolen data reached into the millions.

In response, banks issued new cards, promptly reimbursed their customers and sought compensation available under contractual frameworks in place at the time of the breach. Four banks filed a claim against the merchants, seeking to recover the data breach costs that were not reimbursed by their payment brand contracts. The banks invoked several common law tort theories seeking compensation from the grocer and sought damages for losses incurred because Schnucks negligently failed to detect the breach until several months after the initial intrusion.

The Seventh Circuit dismissed the banks’ claims, holding that the banks’ remedies were confined to the provisos of their card brand contracts and, as a result, they could not use alternative litigation to recover additional costs. The court concluded the banks and Schnucks participate in a complicated network of contracts that unite all the participants in the card payment system. When banks and merchants joined the card payment system, they agreed to abide by the payment card industry data security standard, or PCI DSS. Merchants such as Schnucks agreed to pay a fine assessed under payment brand rules in the event that they (the merchants) were responsible for data breaches and unauthorized card activity. The court decided that the banks accepted the risk of not being fully reimbursed for the costs of Schnucks’ mistake, and as a result, cannot seek additional recovery because the banks were “disappointed” with their reimbursement.

The court also reiterated that state courts generally decline to impose tort liability in instances where one business inflicts purely economic loss on another and their interactions are governed by contract. Additionally, the court dismissed the banks’ consumer protection claims, concluding that the banks’ charge that Schnucks failed to implement and maintain reasonable payment card data security measures was not enough to prove fraud by the merchant. Finally, the court rejected the banks’ unjust enrichment, implied contract and third-party beneficiary claims under contract law principles and state laws in Missouri and Illinois.

The court recognized that the electronic card payment processing system is a complex network of contracts between various parties. Although the banks did not contract directly with Schnucks, the court found the card network contract sufficiently demonstrated that the parties had taken adequate steps to allocate the economic risks of a data breach.

In the absence of demonstrated retailer commitment to implement PCI DSS-compliant safeguards, banks may continue to turn to the courts while also supporting federal data breach legislation that extends Gramm-Leach-Bliley Act-like requirements to other sectors and creates a legal framework for financial accountability. Even though banks incur obvious costs on the back end of data breaches, the Schnucks decision suggests that banks should not expect relief from the courts when faced with losses caused by retailer negligence.

Dawn Causey is general counsel at ABA, where Thomas Pinder is SVP for litigation and Andrew Doersam is a paralegal.
