CHICAGO (CN) – The Seventh Circuit ruled Wednesday that customers’ banks cannot recover directly from the grocery chain Schnuck Markets after hackers stole the information of 2.4 million customer credit and debit cards and made millions worth of unauthorized purchases.
In 2013, the St. Louis-based grocery chain Schnuck Markets discovered that hackers had compromised its computer systems and stolen customers’ personal information, including the credit card information and debit card PIN numbers for 2.4 million cards.
By the time Schnuck publicly admitted the breach, the financial losses from unauthorized credit card purchases and cash withdrawals had reached into the millions.
Schnuck not only faced a consumer class action over the security breach, but customers’ banks also sued seeking to recover losses they suffered in investigating the fraudulent activity and reissuing cards.
However, a federal judge ruled against the banks, and the Seventh Circuit affirmed Wednesday.
The Chicago-based appeals court found that allowing the banks’ lawsuit would create a new form of liability in addition to the remedies already provided by the contracts between banks, card networks, and retailers that govern how credit card payments are processed and how losses are covered.
“Given this network of contracts and contractual remedies, we decline plaintiffs’ invitation to apply a version of the stranger paradigm. We doubt the wisdom of recognizing new, supplemental liabilities without a clear sense of why they are necessary,” U.S. Circuit Judge David Hamilton wrote for a unanimous three-judge panel.
While the banks may be disappointed in the amounts they were reimbursed under the contracts, neither Illinois nor Missouri law allows a separate tort recovery for businesses who are disappointed with their contractual remedy, according to the 39-page opinion.
Hamilton noted, “It might be possible for the plaintiff banks to state a different kind of claim under the [Illinois Consumer Fraud Act] by alleging that Schnucks violated the Illinois Personal Information Protection Act by failing to disclose the breach for two weeks after learning of it.”
However, he said that argument was not properly preserved for appeal because it was not clearly asserted before the lower court.