Summary
finding that when money is wrongfully removed from a debit-card account "the defrauded individual has no ownership rights in certain cash at the bank, just the right against the bank to payment in a certain amount"
Summary of this case from R L ZOOK, INC. v. PACIFIC INDEMNITY COMPANYOpinion
Civil No. 1:CV-04-1554.
May 3, 2005
MEMORANDUM
I. Introduction.
Pursuant to Fed.R.Civ.P. 12(b)(6), third-party defendant, International Business Machines Corporation (IBM), has moved to dismiss the complaint brought against it by the defendant, and third-party plaintiff, BJ's Wholesale Club, Inc. (BJ's), a wholesale club retailer, for failure to state a claim upon which relief can be granted.
Plaintiff, Pennsylvania State Employees Credit Union (PSECU), filed suit against BJ's and Fifth Third Bank, which processes BJ's credit- and debit-card transactions, to recover for the costs of reissuing Visa cards to its members who had used their cards at BJ's. Unauthorized third parties had allegedly accessed BJ's electronic records, obtained the magnetic-stripe information from the cards (which had been retained in BJ's records) and used that information for fraudulent purposes.
BJ's joined IBM, from which it had purchased the software used for its electronic retail transactions, averring that it had specifically requested software that would not retain the magnetic-stripe information after it had been accessed to validate transactions. BJ's seeks to recover from IBM any damages it must pay to PSECU, setting forth eight causes of action.
In considering IBM's motion to dismiss the third-party complaint, we must accept as true the factual allegations in the complaint and construe any inferences to be drawn from them in BJ's favor. See Mariana v. Fisher, 338 F.3d 189, 195 (3d Cir. 2003). We may dismiss the complaint under Fed.R.Civ.P. 12(b)(6) only if it is clear that no relief could be granted to Third-Party Plaintiff under "any set of facts that could be proven consistent with the allegations." Ramadan v. Chase Manhattan Corp., 229 F.3d 194, 195 (3d Cir. 2000). The court is not limited to evaluating the complaint alone; it can also consider documents attached to the complaint, matters of public record, and indisputably authentic documents. Pension Ben. Guar. Corp. v. White Consol. Indus., 998 F.2d 1192, 1196 (3d Cir. 1993). The court may also consider "documents whose contents are alleged in the complaint and whose authenticity no party questions," even though they "are not physically attached to the pleading. . . ." Pryor v. National Collegiate Athletic Ass'n, 288 F.3d 548, 560 (3d Cir. 2002). The complaint requires only a "short and plain statement" to show the right to relief, "not a detailed recitation of the proof that will in the end establish such a right." Id. at 564.
II. Background.
As noted, plaintiff PSECU filed this suit against Fifth Third Bank and BJ's for the costs PSECU incurred in reissuing Visa debit and credit cards to certain of its members who had used their cards in BJ's stores. Customer payment data had allegedly been stolen from BJ's electronic records between approximately July 1, 2003, and February 29, 2004, causing PSECU to reissue the cards that had been compromised.
BJ's in turn filed its third-party complaint against IBM, alleging the following, in pertinent part. BJ's is a wholesale club retailer, currently operating 150 clubs and 78 gas stations from Maine to Miami and in Ohio. (BJ's Compl., ¶ 5). In approximately 1990, BJ's began using IBM's General Systems Application software (GSA) to operate its cash registers and in 1999 decided to begin accepting debit cards and to replace its credit-card processing program. ( Id., ¶¶ 6 and 7). After considering various software vendors, ( id., ¶ 8), BJ's stayed with IBM, signing a "Customer Agreement" and an "Amendment" to the Customer Agreement on March 12, 1999, for the new software "Application." ( Id., ¶ 16). On May 5, 1999, IBM and BJ's also signed a "Statement of Work" for the Application. ( Id.).
The Customer Agreement, Amendment and Statement of Work are attached to IBM's motion to dismiss as Exhibits 1, 2 and 3. BJ's did not attach these documents to its complaint but admits that IBM's exhibits are authentic.
These three contract documents contain the following pertinent provisions. The Customer Agreement has an integration clause providing:
This Agreement and its applicable attachments and Transaction Documents are the complete agreement regarding these transactions, and replace any prior oral or written communications between us.
(Doc. 41, Def.'s Ex. 1, p. 1). It also has a "Limitation of Liability" clause providing that IBM would only be liable to BJ's for:
1. payments referred to in our patents and copyrights terms described above;
2. damages for bodily injury (including death) and damages to real property and tangible, personal property.
. . . .
( Id., Ex. 1, ¶ 1.7, p. 9). This clause also provided that IBM would not be liable for:
1. third-party claims against [BJ's] for losses or damages (other than those under the first two terms listed above);
2. loss of or damage to, your records or data; or
3. special, incidental, or indirect damages or for any economic consequential damages (including lost profits or savings), even if [IBM is] informed of their possibility.
( Id.).
The Amendment provides that no "Transaction Document" "shall modify or become part of this Agreement unless signed by or referenced specifically in a document which is signed by an authorized representative of each party." ( Id., Def.'s Ex. 2, § 1.2). The Amendment also provides that the "laws of the Commonwealth of Massachusetts govern this Agreement." ( Id., Def.'s Ex. 2, § 1.14). Under § 1.1, "Project Scope," the Statement of Work provides as follows: "IBM will provide services to modify IBM's preexisting surepay transaction system base code in developing a Point of Sale (POS) payment system for BJ's Wholesale Club, Inc. . . . which will interface with Midwest Payment Systems (MPS) for debit authorization." (Id., Def.'s Ex. 3, p. 3. Under § 1.3.2, "Task 2-Development of the Application," the Statement of Work provides as follows:
MPS, Midwest Payment Systems, Inc., was Fifth Third's predecessor.
The Application will support debit card authorization and settlement in the U.S. with MPS as the debit provider and will consist of the following components:Client Layer
. . . .
On-Line Processor (SPTSONLx). All online activities will pass through this module. These include authorization, force post Store and Forward (SF) and time-out reversals.Off-Line Processor
Completed TORS and SFs will also be logged to the history file. At end of period, the history file will be archived.
Time out-reversals.
. . . .
Real-Time Monitor
. . . .
The following support will be included in the Application for BJ's:
. . . .
Store and forward off-line debit transactions with a configurable response delay time. . . .
( Id., Def.'s Ex. 3, pp. 5-6).
BJ's alleges that under the Customer Agreement and the Statement of Work, IBM had to: (1) design a project plan for development of the Application; (2) manage the Application development project; (3) develop the Application, (4) ensure, and test to ensure, "that the Application supported credit and debit card processing consistent with the credit card industry in the United States" and with IBM's own "NARSC's procedures and requirements"; and (5) modify "the Application so that it worked with BJ's use of 'T-LOGs,'" which were generated by the software BJ's was currently using to settle credit-card transactions with Fifth Third Bank. (BJ's Compl., ¶¶ 17, 18 and 23).
BJ's alleges that "IBM had an established retail services group known as the North American Retail Services Center (n/k/a National Retail Services Center) ('NARSC'), which catered to retail businesses by marketing its unique understanding of the needs of such businesses and its advantageous relationships and partnerships with credit card companies." ( Id., ¶ 9). "Upon information and belief, IBM's NARSC was (and is) in regular contact with the major companies in the credit and debit card industry, including Visa, regarding the industry's regulations and requirements for processing credit and debit card transactions in the United States, including requirements concerning the storage and retention of Track II data." ( Id., ¶ 11).
While developing the Application, "IBM told BJ's that, among other things, the new software had a function called 'Store Forward,' whereby credit card transactions accepted when the software was off-line (when the network between BJ's and MPS was down) could later be sent to MPS for retroactive processing and authorization once the system came back on-line." ( Id., ¶ 19). "BJ's informed IBM that it did not want the 'Store Forward' capability and did not want the Application delivered with this functionality," ( id., ¶ 21), because: (1) it would interfere "with BJ's previously established system for settling both on-line and off-line transactions that used the T-LOGs," generated by IBM's previous software; and (2) BJ's had no need to retain or aggregate so-called "Track II data" (the data on the magnetic stripe) because BJ's took only six seconds to get approval for its electronic transactions from credit-card companies, after which it had no business need to access or retain Track II data. ( Id., ¶ 21). "IBM was aware of this conflict between BJ's pre-established T-LOG system for processing and settling credit and debit card transactions and committed to harmonize IBM's GSA software and the Application." ( Id., ¶ 22).
As note, MPS was Fifth Third's predecessor.
BJ's alleges that "[w]hen IBM delivered the Application, it represented and specified, among other things, that the Store Forward capability was not functional and that the Application was fully compatible with IBM's GSA software that BJ's already used. IBM also represented that the Application met the requirements of MPS and for debit and credit card authorization and settlement in the United States." ( Id., ¶ 24). Further, "[i]n the Customer Agreement, IBM warranted that the Application would meet these forgoing specifications. . . ." ( Id., ¶ 25).
However, "contrary to IBM's representations and warranties and in conflict with the contractual obligations IBM undertook, the Application included Store Forward functionality that wrote certain Track II data to a system log (named SPTSLOG.LOG) and history log (named SPTHIST.LOG) generated by the Application." ( Id., ¶ 27). IBM included the functionality "purposefully" in "willful disregard" of "the regulations of the major credit card companies — with whom IBM professed strong relationships and an intimate understanding — prohibiting the storage and retention of Track II data following the authorization of a payment transaction." ( Id., ¶ 28). "This data constituted the tangible personal property of the issuing banks, including PSECU, and/or their customers and members." ( Id., ¶ 27).
An "issuing" bank is a bank that issued the debit or credit card used in the transaction. An "acquiring" bank is the bank that processes electronic transactions for a retailer.
In February 2004, BJ's learned of an alleged compromise of its payment processing system that included the possible theft and unauthorized use of Track II data from earlier credit- and debit-card transactions. ( Id. ¶ 29). BJ's immediately retained a computer forensic consultant to investigate the possibility of a compromise of its computer systems, but the consultant found that there had been no breach of BJ's centralized computer system or via the Internet and no direct evidence of a compromise at the club level. ( Id. ¶ 30). The consultant did find the system log (named SPTSLOG.LOG) and history log (named SPTHIST.LOG) that were part of the Store Forward functionality. ( Id.).
"BJ's contacted IBM to determine whether or not these logs contained Track II data. At this point, IBM conceded that even when Store Forward is not functional, the Application still writes Track II data to the . . . system and history logs." ( Id., ¶ 31). BJ's asked IBM to stop the logging of this information, and IBM provided BJ's with a patch that at least concealed the Track II data. ( Id., ¶ 32).
After BJ's discovered that the Application was logging this data, "VISA sent a notice purportedly describing the alleged compromise of BJ's computer systems to those credit and debit card issuing banks, including PSECU, whose members may have used their credit and/or debit cards at BJ's between July 1, 2003, and February 29, 2004." ( Id., ¶ 34). In turn, some of these banks, including plaintiff PSECU, replaced the credit and debit cards of their customers who had used their cards at BJ's between July 1, 2003, and February 29, 2004, with new ones, purportedly to avoid the use of stolen Track II data in future fraudulent payment transactions. ( Id., ¶ 35). BJ's alleges that "these cancelled credit and debit cards constituted the tangible personal property of the issuing banks, including PSECU, and/or their customers and members." ( Id.).
The issuing banks, like PSECU, incurred costs associated with issuing the new cards, and incurred costs to reimburse their customers and members for fraudulent charges on the credit and debit cards. BJ's alleges that the funds taken from customer accounts to pay for these fraudulent transactions constitute the tangible personal property of the customers and the funds paid by PSECU and other issuing banks to reimburse their customers for these fraudulent transactions constitute the tangible personal property of PSECU and the issuing banks. ( Id., ¶¶ 35 and 36).
PSECU's complaint seeks against BJ's the damages it incurred in reissuing its credit and debit cards as the result of the alleged compromise of BJ's computer system that led to the theft of Track II data. ( Id., ¶¶ 37 and 40). Other issuing banks are seeking, or will seek, the same damages for the same reason. ( Id., ¶ 37). BJ's avers that "[t]o the extent that BJ's is determined to be liable for any of the foregoing costs being sought by the issuing banks, such liability is the direct and proximate consequence of IBM's actions, representations, and failures. . . ." ( Id., ¶ 38). BJ's sets forth the following eight claims: (1) indemnification and contribution; (2) breach of contract; (3) breach of warranty; (4) negligent design and provision of services; (5) negligent failure to warn; (6) unfair trade practices under Massachusetts law; (7) deceptive acts and practices under New York law; and (8) a request for declaratory relief.
III. Discussion.
A. IBM's Argument that BJ's Fails to Allege Causation as to All Claims.
In that part of its supporting brief arguing against BJ's breach-of-contract claim, IBM argues that BJ's has failed to allege the essential element of causation and that this defeats not only the contract claim but all the other claims as well. In the context of the contract claim, citing Doyle v. Hasbro, Inc., 103 F.3d 186, 195 (1st Cir. 1996) (applying Massachusetts law), IBM argues that BJ's failed to plead that the damages were "attributable to the breach." In support, IBM points to BJ's allegations that it had hired a forensic consultant to investigate the possibility of a compromise of its computer systems, but that the consultant did not find a breach of BJ's centralized computer system or a breach via the Internet. Nor did the consultant find direct evidence of a compromise at the club level. IBM argues that in the absence of an allegation that BJ's system had in fact been breached, BJ's cannot seek recovery against IBM on the basis that IBM's Application had improperly retained information that had been acquired by a breach of the system.
We reject this argument because, as BJ's contends, Fed.R.Civ.P. 8(e)(2) permits a party to plead hypothetically, that is, plead an "if-then" claim. Diamond Triumph Auto Glass, Inc. v. Safelite Glass Corp., 344 F. Supp. 2d 936, 944 (M.D. Pa. 2004) (quoting Langer v. Monarch Life Ins. Co., 966 F.2d 786, 802 n. 21 (3d Cir. 1992) (cited treatise omitted)). BJ's has made such an if-then claim. It has alleged (in substance) that if BJ's is found liable to PSECU and other issuing banks on the theory that Track II data was taken from its system, then IBM is liable to it for having failed to remove the Store Forward capability from the Application. (BJ's Compl., ¶ 38). Thus, BJ's complaint is not defective simply because it does not aver that its computer system was breached.
B. Breach-of-Contract Claim.
Citing Doyle, supra, 103 F.3d at 194-95, IBM argues that BJ's complaint fails to allege a breach-of-contract claim under Massachusetts law for the following reasons. First, the complaint fails to allege the terms of the contract specifically and in fact contradicts the terms as they actually appear in the contract documents, which IBM has attached to its motion. We disagree. Aside from the parties' substantive dispute over what constitutes the contract's terms, for the purpose of pleading a contract claim, BJ's complaint sufficiently alleges those terms, essentially that IBM had agreed to supply an Application that did not retain Track II data. IBM may disagree that those were the actual terms of the contract, but it is BJ's contract claim, not IBM's, that we deal with here.
In this part of its attack on BJ's contract claim, IBM also argues that BJ's allegation that IBM had to meet certain industry standards in performing under the contract is meritless because the contract documents do not refer to these standards and the standards were promulgated after the contract was made. This argument is properly the subject of a motion for summary judgment, not a motion to dismiss.
Second, relying on the parol evidence rule and the integration clause, IBM argues that BJ's contract claim attempts to vary the terms of the contract as they appear in the written contract documents. As noted above, these contract documents support IBM's contention that a "Store Forward" capability was to be part of the Application and that any modification of the contract could only be in writing signed by both parties. In direct contradiction to these terms, IBM contends, BJ's insists that the contract terms prohibited a "Store Forward" capability, but without referring to any contract documents and in the face of the writings IBM has supplied.
In opposition, BJ's makes two arguments. First, under Massachusetts law a written contract can be orally modified even if the agreement has an integration clause and a provision requiring that any modification be in writing. See Cambridgeport Sav. Bank v. Boersner, 597 N.E.2d 1017, 1021-22 (Mass. 1992); First Pennsylvania Mortgage Trust v. Dorchester Sav. Bank, 481 N.E.2d 1132, 1138-39 (Mass. 1985). BJ's argues that, even if the parties had initially agreed on terms as set forth by IBM, they later "explicitly and orally agreed that Store Forward functionality should not have been operational." (BJ's Opp'n Br. at p. 11).
Second, under Massachusetts's version of the Uniform Commercial Code, see Mass. Gen. L. Ch. 106, § 2-313(1)(a), any affirmation of fact or promise that IBM made to BJ's which became part of the basis of the bargain created an express warranty that the Application would conform to the affirmation or promise, regardless of whether the affirmation was made "before or after the contract was signed. . . ." (BJ's Opp'n Br. at p. 12 n. 3). Thus, BJ's contends that as long as the statements made by IBM became part of the basis of the bargain, which BJ's avers they did, IBM cannot rely on the parol evidence rule or the integration clause to block BJ's reliance on prior or subsequent statements, citing in support Glyptal Inc. v. Engelhard Corp., 801 F. Supp. 887, 896 n. 8 (D. Mass. 1992) ("statements made after the formation of a contract can form the basis of an express warranty") (citing commentary to section 2-313).
Section 2-313 provides in relevant part:
(1) Express warranties by the seller are created as follows:
(a) Any affirmation of fact or promise made by the seller to the buyer which relates to the goods and becomes part of the basis of the bargain creates an express warranty that the goods shall conform to the affirmation or promise.
In reply, IBM argues that BJ's never pleaded that the contract had been orally modified and that Massachusetts requires any oral modification to be specifically pled in the complaint, citing Cormier v. Secor, 737 N.E.2d 1280 (Mass.App. 2000) (unpublished disposition). Additionally, the evidence to support such a modification must have sufficient force to overcome the presumption that an integrated agreement requiring written modification represents the entire agreement between the parties, citing Cambridgeport Sav. Bank, supra, 597 N.E.2d at 1022 n. 10.
We reject IBM's pleading argument. A lone, unpublished disposition is weak authority to begin with, and, in any event, we are required to follow federal procedural rules. Chamberlain v. Giampapa, 210 F.3d 154, 159-60 (3d Cir. 2000). Fed.R.Civ.P. 8(a) requires only a short and plain statement of the claim, which BJ's satisfied by pleading the terms of the contract and that it was breached. Pleading that there was a oral modification would have been helpful but not necessary. We also reject IBM's evidentiary argument since we are only at the motion-to-dismiss stage. In sum, at the current stage of these proceedings, and on the arguments advanced, we will permit the contract claim to proceed.
C. Claim For Breach of Warranty.
IBM moves to dismiss the warranty claim on the grounds advanced against the breach-of-contract claim. For the reasons discussed above, IBM's motion to dismiss this count is denied.
D. The Claims for Negligent Design and Services and Negligent Failure to Warn.
IBM moves to dismiss these claims based on the arguments it made in connection with BJ's contract claim. For the reasons discussed above, these arguments are rejected. IBM also moves to dismiss these claims based on the economic loss doctrine. Under that doctrine, a plaintiff cannot recover economic damages in a negligence action unless there is personal injury or damage to property. See Aldrich v. ADD Inc., 770 N.E.2d 447, 454-55 (Mass. 2002). Based on its arguments above, IBM contends that there was no property damage here, and so these tort claims must be dismissed.
We reject this argument because we have decided, as discussed below, that there was damage to property here, property consisting of the blank cards used to create credit and debit cards.
E. The 93A Claim of Unfair Trade Practices Under Massachusetts Law.
In support of an unfair-trade-practices claim under Massachusetts law, BJ's alleges, in part, that IBM "knowingly" made "false representations and warranties" concerning "the development and delivery of the Application" and "willfully failed to disable the Store Forward functionality." (BJ's Compl., ¶ 64).
IBM argues that BJ's has failed to allege an essential element of this claim, that IBM acted with a coercive or extortionate purpose, and that it is not enough to allege that the breach was done willfully or knowingly.
The statutory language is as follows:
Any person who engages in the conduct of any trade or commerce and who suffers any loss of money or property, real or personal, as a result of the use or employment by another person who engages in any trade or commerce of an unfair method of competition or an unfair or deceptive act or practice declared unlawful by section two [of subchapter 93A] . . . may . . . bring an action. . . ."
Mass. Gen. L. Ch. 93A, § 11. Section 11 allows recovery for attorney's fees and costs. It also allows recovery of double or treble damages if the violation was knowing and willful.
For a 93A claim, "'[a] practice is unfair if it is 'within . . . the penumbra of some common-law, statutory, or other established concept of unfairness; . . . is immoral, unethical, oppressive, or unscrupulous; [and] . . . causes substantial injury to [other businessmen].'" Linkage Corp. v. Trustees of Boston Univ., 679 N.E.2d 191, 209 (Mass. 1997) (quoting PMP Assocs., Inc. v. Globe Newspaper Co., 321 N.E.2d 915, 917 (Mass. 1975)) (brackets added in Linkage Corp.). The nature of the challenged conduct and its purpose and effect are the crucial factors in determining its fairness. Massachusetts Employers Ins. Exch. v. Propac-Mass, Inc., 648 N.E.2d 435, 438 (Mass. 1995); Stagecoach Transp., Inc. v. Shuttle, Inc., 741 N.E.2d 862, 867 n. 6 (Mass.App. 2001).
In the contractual context, "a breach of contract alone does not amount to an unfair act or practice." Massachusetts Employers Ins. Exch., supra, 648 N.E.2d at 438; Commercial Union Ins. Co. v. Seven Provinces Ins. Co., 217 F.3d 33, 40 (1st Cir. 2000) (applying Massachusetts law); Interstate Brands Corp. v. Lily Transp. Corp., 256 F. Supp. 2d 58, 61 (D. Mass. 2003) (applying Massachusetts law). "[A]dding the allegation that the defendant acted 'willfully' or 'knowingly' does not transform a simple breach of contract claim into a 93A claim." Trustees v. Legand Pharmaceuticals, Inc., 2003 WL 1873839 at *4 (D. Del.). However, there can be a 93A claim when a breach occurs "'in disregard of known contractual arrangements'" with the intent "to secure benefits for the breaching party,'" Anthony's Pier Four, Inc. v. HBC Assocs., 583 N.E.2d 806, 821 (Mass. 1991) (collecting cases); Atkinson v. Rosenthal, 598 N.E.2d 666, 670-71 (Mass.App. 1992) (the breaching party's conduct must be used for the purpose of obtaining an advantage over the other party, and without that factor, even conduct that is deliberate and self-interested cannot sustain a 93A claim).
In opposition to IBM's argument, BJ's contends, in part, that it has made out a 92A claim because it has alleged that: (1) IBM represented that its Application would meet the requirements of the credit-card industry; (2) BJ's selected IBM as its vendor in large part because of these representations; (3) BJ's told IBM that it did not want the Application delivered with the Store Forward functionality; (4) BJ's relied on representations and warranties IBM made when it delivered the Application that the Store Forward capability was not functional and that the software was fully compliant with the requirements of Fifth Third Bank and of the debit- and credit-card industry; and (5) IBM did all this purposefully, and willfully failed to disable the Store Forward functionality even though IBM knew about, but willfully disregarded, the credit card companies' prohibition of storing and retaining personal credit-card information.
We reject BJ's position because these allegations assert nothing more than a breach of contract that was done willfully. As noted above, that is not sufficient for a 93A claim. In the absence of an allegation that IBM gained some advantage from its breaches, the 93A claim must be dismissed.
BJ's has footnoted an argument that its allegations also sound in negligent misrepresentation, another basis of liability under chapter 93A, citing Marram v. Kobrick Offshore Fund., Ltd., 809 N.E.2d 1017, 1032-33 (Mass. 2004). (BJ's Opp'n Br. at p. 26 n. 12). We disagree that BJ's has alleged such a 93A claim. However, if BJ's wants to add such a claim, it may file a motion to amend its complaint.
F. Deceptive Acts and Unlawful Practices Under New York Law, N.Y. Gen. Bus. Law § 349.
BJ's has made a claim that IBM's allegedly false representations and warranties constitute deceptive acts and practices under N.Y. Gen. Bus. Law § 349 (the "act"). IBM makes four arguments why this claim should be dismissed: (1) BJ's does not have standing because the act requires a direct injury and BJ's claim is a third-party claim based on injury to issuing banks like PSECU and BJ's customers; (2) the act applies only to deceptive transactions that take place in New York State, and BJ's does not allege it was deceived in New York; (3) the act applies only to deceptive acts or practices that are consumer-oriented, and the contract between BJ's and IBM was a business transaction that, at best, only indirectly involved consumers; and (4) a claim under the act must be pled with specificity, and just as the contract claim was not adequately pled, so also was the claim under the act deficient. We need not address arguments one, three and four because argument two is persuasive.
Section 349(a) makes "[d]eceptive acts or practices in the conduct of any business, trade or commerce or in the furnishing of any service in this state [i.e., New York]" to be "unlawful." Section 349(h) confers a private right of action on "any person" "injured by reason of" a violation of section 349.
We note, however, that argument three would have a good chance of prevailing at the summary-judgment stage; however, as strong as it is, we nonetheless hesitate to accept it at the 12(b)(6) stage of the litigation.
1. The Injured Party Must Have Been Deceived by Acts and Practices That Occurred in New York State and BJ's Complaint Does Not Allege That Any Such Acts Occurred in the State.
In Goshen v. Mutual Life Ins. Co., 774 N.E.2d 1190, 1195 (N.Y. 2002), the Court of Appeals of New York held that the act has a territorial limitation requiring "that the transaction in which the consumer is deceived must occur in New York." New York's highest court reached this conclusion based on the statutory language (section 349(a) makes illegal deceptive acts or practices occurring "in this state") and the legislative history. In pertinent part, the act was "intended to protect consumers in their transactions in New York State. It was not intended to police the out-of-state transactions of New York companies. . . ." Id. at 1196.
Citing Goshen, IBM argues that BJ's claim under the act must fail because it does not allege that BJ's was deceived by a transaction that happened in New York. In opposition, BJ's relies on its allegation that it "introduced the wholesale club concept to New England . . . and has since expanded to become a leading warehouse chain in the eastern United States . . . operat[ing] 150 clubs and 78 gas stations from Maine to Miami and in Ohio." (BJ's Compl., ¶ 5). BJ's contends that "[t]his allegation constitutes a sufficient connection to New York" by "suggest[ing] that New York citizens have used VISA debit or credit cards at BJ's retail locations (either in New York or elsewhere)." (BJ's Opp'n Br. at p. 28). BJ's also submits a penalty-of perjury declaration that it has been sued by a New York credit union alleging that its members used their debit and credit cards at BJ's locations in New York and had their information stolen by a breach of BJ's computer system. BJ's cites in support Meachum v. Outdoor World Corp., 652 N.Y.S.2d 749 (N.Y.App.Div. 1997), but does not say why Meachum assists it on this issue.
We see no merit in BJ's position. This element of the claim requires that the deceptive transaction take place in New York. BJ's factual averments are not pertinent to that element, dealing instead with the location of BJ's establishments in the eastern United States and a lawsuit against it by a New York credit union alleging that its New York customers have been damaged by the breach of BJ's computer system. BJ's legal conclusion that its claim is therefore valid because these allegations create a "sufficient connection" to New York is not supported by any authority.
Further, Meachum is not relevant. There, the court held that, because the defendants had engaged in deceptive practices in New York by mailing their fraudulent literature to New York residents, Pennsylvania residents could sue under the act even though they executed their contract in Pennsylvania and much of the fraudulent activity occurred in that state. Meachum is not persuasive because it was decided before Goshen, which would not permit such a result now since it requires that the transaction in which the deception occurs take place in New York.
G. The Claim For Indemnity and Contribution.
The Customer Agreement limits IBM's liability. It bars claims by BJ's against IBM for "loss of or damage to, your records or data, and "third-party claims against [BJ's] for losses or damages" except third-party claims for "damages for bodily injury (including death) and damages to real property and tangible, personal property." (Doc. 41, Def.'s Ex. 1, ¶ 1.7, p. 9). It also bars claims for "special, incidental, or indirect damages or for any economic consequential damages (including lost profits or savings). . . ." ( Id.).
IBM argues that these provisions bar BJ's claim for indemnity and contribution. First, the damages BJ's seeks are indirect and consequential damages derivative of harm suffered by BJ's customers and entities like plaintiff PSECU. Second, the damages are third-party claims for damages. In regard to the latter argument, IBM recognizes there are two exceptions to the exclusion for third-party damages claims (bodily injury and damage to tangible personal property) but argues neither one applies here for two reasons. As to the bodily-injury exception, no bodily injury is involved here. As to tangible personal property, data and other information stored on a computer is not tangible personal property as defined by Pagliarulo v. Nat'l Shawmut Bank of Boston, 233 N.E.2d 213, 214 (Mass. 1968) ("'tangible personal property' is "palpable, susceptible to the sense of touch, capable of ownership, and endowed with intrinsic value"). IBM also cites America Online, Inc. v. St. Paul Mercury Ins. Co., 347 F.3d 89, 93-98 (4th Cir. 2003) (insurance policy covering damage to tangible property does not cover damage to software and data on a computer). Finally, IBM argues that "BJ's claims also appear to [be] encompass[ed by] the liability limitation for 'loss of or damage to, your records or data. . . .'" (IBM's Supporting Br. at p. 33).
In opposition, BJ's relies on the exception retaining IBM's liability for third-party claims against BJ's for damages to "tangible, personal property," contending that harm to its customers and to entities like PSECU comes within this exception. BJ's identifies three categories of third-party tangible personal property at issue here: "(a) the credit and debit cards that needed to be replaced, (b) the money taken from the accounts of debit card holders, and (c) the personal credit data used to manufacture fraudulent cards." (BJ's Opp'n Br. at p. 15).
1. The Credit And Debit Cards.
For the credit and debit cards, BJ's contends that the cards are tangible personal property, with the damage to these cards arising from PSECU's and other issuing banks' physically having to replace them after destroying the originals because IBM's conduct had compromised their security. BJ's cites a number of cases, arising in other contexts, to support its contention that credit and debit cards are tangible personal property, including Pagliarulo, since "these hard plastic credit and debit cards are physical objects which may be touched, which are owned by persons, and which have independent 'intrinsic' value — a value for which PSECU is seeking reimbursement." (BJ's Opp'n Br. at p. 17).
BJ's has cited United States v. Tobias, 836 F.2d 449, 452 (9th Cir. 1988), holding that a cryptographic card used to decode Navy messages was "tangible property" whose theft was a crime under 18 U.S.C. § 641, making it illegal to steal "government property." It has also cited Saltos v. United States, 2004 WL 1285039 (N.D. Tex.), which without discussion described credit cards as tangible personal property in a suit seeking return of property seized during an arrest. It also relies on American Business Info., Inc. v. Egr, 650 N.W.2d 251 (Neb. 2002), which held, under Nebraska tax law, that hard-copy prospect lists, 3-by-5 index cards, computer diskettes, magnetic tapes, and CD-ROMs were tangible personal property.
In reply, IBM makes two arguments. First, credit and debit cards have no intrinsic value. They are like a check, which as the Supreme Judicial Court of Massachusetts decided in Pagliarulo, is a chose in action, conferring a right to receive the face amount but not particular assets of the bank, 233 N.E.2d at 214, and which has no value as merchandise. Id. Second, even if the cards were tangible personal property, IBM remains liable only for damage to the cards, which means physical damage, and the injury BJ's asserts here is the theft of data from its computer system.
We disagree with IBM's arguments. As to the first argument, the credit and debit cards are tangible personal property. As Pagliarulo puts it, they are palpable, can be touched, capable of ownership, and endowed with intrinsic value. The intrinsic value of each card is probably not very much, whatever the cost of a blank card is, but it nonetheless has intrinsic value.
As to the second argument, IBM cites no authority for its position that the damage to the tangible property must be physical damage. It does not refer us to any contractual definition of the term, and Massachusetts law defines it more broadly: "damages" is "'the word which expresses in dollars and cents the injury sustained by the plaintiff.'" 116 Commonwealth Condominium Trust v. Aetna Cas. Sur. Co., 742 N.E.2d 76, 79 (Mass. 2001) (quoting Turcotte v. DeWitt, 131 N.E.2d 195, 197 (Mass. 1955)). Hence, it would appear that IBM's liability has been preserved as to the injury to these cards as physical objects to be used for credit or debit transactions, the loss of the use of these cards for those purposes, but measured by the value of the cards as blanks.
2. The Money Taken From the Accounts of Debit-Card Holders.
BJ's also argues that IBM's liability has been preserved for third-party claims against it for money fraudulently taken from cardholders' accounts. Citing Temco Metal Prod. Co. v. St. Paul Fire Marine Ins. Co., 543 P.2d 1, 2 (Or. 1975), and Farlee v. Farlee, 235 N.Y.S. 239, 241 (N.Y.Sup.Ct. 1929), BJ's maintains that money taken from these accounts is tangible personal property.
We disagree. As IBM points out, BJ's own case, Temco Metal, refutes its position. In that case, the plaintiff sought to recover from its insurer for an alleged breach of the insurance company's failure to defend the plaintiff against a claim of a third party, a claim that the plaintiff's negligence had allowed a forger to create false checks for the plaintiff's account, which the third party had cashed. The plaintiff argued that the third party's payment of its own money on the forged checks was injury or damage to tangible property, thereby entitling the plaintiff to a defense because the policy covered, in part, claims against it for property damage, defined as "injury to or destruction of tangible property." 543 P.2d at 2.
The Supreme Court of Oregon rejected the argument, stating that, while "money, in certain contexts," could "be considered tangible property and . . . capable of being destroyed . . . paying money out on forged checks [does not] constitute injury to or destruction of it as contemplated by the parties to the policy in question." Id.
We think this reasoning applies to money wrongfully removed from an account by a debit-card transaction. As in the forged-check scenario, the defrauded individual has no ownership rights in certain cash at the bank, just the right against the bank to payment in a certain amount. See Pagliarulo, supra, 233 N.E.2d at 214 (rejecting a claim that a $33,000 cashier's check was tangible property under a will since the check "is analogous to a promise to pay by the bank. It is not a right against any specific $33,000 of the bank's assets. Its value is as a right against the bank to receive its face amount."); see also Travelers Indem. Co. v. State, 680 P.2d 1255, 1256-57 (Ariz.App. 1984) (a bank deposit is not tangible personal property but creates a debtor-creditor relationship between the bank and the depositor so that the depositor has a chose in action against the bank which is intangible property).
3. The Personal Data From the Cards.
BJ's also argues that the personal data taken from the credit and debit cards and used to manufacture fraudulent cards is tangible personal property "because that data has inherent, independent value." (BJ's Opp'n Br. at p. 19).
BJ's has cited in support American Business Info., Inc. v. Egr, 650 N.W.2d 251, 256-57 (Neb. 2002) (on-line data is tangible personal property for purpose of state corporate income tax because electronic signals are physical); Disclosure Info. Group v. Comptroller of the Treasury, 530 A.2d 8, 12 (Md. Ct. Spec. App. 1987) (names, addresses, and other customer information constituted the value inherent in subscription list and, therefore, were tangible personal property subject to sales tax); Millward Brown, Inc. v. Comm'r of Revenue Services, 2001 WL 1004244 at *4 (Conn.Super.) (unpublished disposition) (collection of data involved the use of tangible personal property and hence taxpayer's choice of statutory option for calculating the state corporate business tax was proper).
We need not address whether the data on the cards is by itself tangible personal property. As BJ's notes, the issue is one on which reasonable jurists can differ. See America Online, Inc., supra, 347 F.3d at 99-101 (Traxler, J., dissenting). We believe this claim fails because BJ's is not seeking indemnity for damage to the data, but for a defect in the Application that allowed unauthorized access to the data. As IBM argues, the data was not damaged. Since it was not damaged, the exception to IBM's limitation of liability for third-party claims for damages to tangible personal property does not apply.
H. The Declaratory Judgment Action.
In Count X of its complaint, BJ's alleges that "[t]here is a substantial likelihood that BJ's will be named in additional lawsuits arising from almost identical facts and circumstances as the those alleged by PSECU and that BJ's will have almost identical claims against IBM in such actions." (BJ's Compl., ¶ 74). It seeks a declaratory judgment that it is entitled to a declaration that IBM is liable "for all losses, damages, liabilities, costs and expenses that BJ's has incurred or may incur in defending against, or paying judgments in connection with, any claims arising from the unauthorized use of Track II data written to logs by the Application." ( Id., ¶ 75(a)).
IBM moves to dismiss the declaratory-judgment count, arguing that a declaratory judgment is only appropriate to assist the parties in settling the lawfulness of future conduct and does not apply to adjudicating the legal consequences of wholly past conduct, citing Crown Cork Seal Co. v. Borden, Inc., 779 F. Supp. 33 (E.D. Pa. 1991). Here, because the legal consequences for the parties will depend on wholly past conduct, IBM's provision of software allegedly retaining Track II data, IBM contends we should not permit the declaratory-judgment claim to proceed.
In opposition, citing Reynolds v. Stahr, 758 F. Supp. 1276, 1281 (W.D. Wis. 1991), BJ's argues that declaratory relief is proper when a party is facing numerous claims based on a common set of facts, and here BJ's is facing claims from various issuing banks for costs of replacing credit and debit cards, among other damages, all arising from IBM's defective software.
Under the Declaratory Judgment Act, a district court "may declare the rights and other legal relations of any interested party seeking such declaration." 28 U.S.C. § 2201. "[J]urisdiction conferred by the act [is] discretionary and district courts [are] under no compulsion to exercise it." State Auto Ins. Cos. v. Summy, 234 F.3d 131, 133 (3d Cir. 2000). Some factors the Third Circuit has stated could be considered in deciding whether to grant declaratory relief are:
(1) the likelihood that a federal court declaration will resolve the uncertainty of obligation which gave rise to the controversy; (2) the convenience of the parties; (3) the public interest in settlement of the uncertainty of obligation; and (4) the availability and relative convenience of other remedies.United States v. Commonwealth of Pennsylvania, Dep't of Envtl. Res., 923 F.2d 1071, 1075 (3d Cir. 1991).
Based on this standard, we will dismiss the declaratory-judgment count. We fail to see how any of these four factors would be satisfied by our issuance of the declaratory judgment BJ's seeks. The judgment will not preclude additional actions and demands against BJ's. It might provide some clarity as to IBM's obligation to BJ's to compensate BJ's for the costs of these other actions and demands. But in the court's view, since these costs are going to differ from claim to claim and demand to demand, it seems that BJ's will have to join IBM in other actions (or sue it) to resolve IBM's likely dispute as to any amount it might owe BJ's. In this regard, another remedy (i.e., joinder of IBM in any subsequent litigation) appears to be available and more convenient for resolving BJ's claims against IBM.
In this light, Reynolds is distinguishable. In that case, the petitioners sought only a declaration that employees who had changed employment upon the sale of corporate assets to another corporation were not subject to an involuntary termination of employment that entitled them to a lump-sum benefit under the selling corporation's ERISA plan. Reynolds called for a discrete legal interpretation of the plan language that would have greatly assisted the parties. The same is not true here, for the reasons discussed above.
IV. Conclusion.
Based on the forgoing discussion, the following claims are dismissed: (1) the claims in count I for indemnity or contribution based on theft of funds or injury to data on credit and debit cards; (2) count VIII, the claim under Chapter 93A of the Massachusetts Unfair Trade Practices law; (3) count IX, the claim under the New York Consumer Protection from Deceptive Acts and Practices law; and (4) count X, the claim for relief under the Declaratory Judgment Act.
We will issue an appropriate order.
ORDER
AND NOW, this 3rd day of May, 2005, it is ordered that:
1. The motion (doc. 35) of third-party defendant, IBM, to dismiss the complaint of third-party plaintiff, BJ's, against it is granted as follows.
2. The following claims are dismissed: (a) the claims in count I for indemnity or contribution based on theft of funds or injury to data on credit and debit cards; (b) count VIII, the claim under Chapter 93A of the Massachusetts Unfair Trade Practices law; (c) count IX, the claim under the New York Consumer Protection from Deceptive Acts and Practices law; and (d) count X, the claim for relief under the Declaratory Judgment Act.
3. In all other respects, the motion is denied.