noting that Visa and MasterCard Card Operating Regulations, which apply between merchants, issuer banks, and acquirer banks, specify procedures for issuer banks to make claims in the event of data breachesSummary of this case from In re Target Corp. Customer Data Sec. Breach Litig.
MDL No. 09–2046.
212 S.W.3d at 153. The court considered no extrinsic evidence. It concluded that the student was not entitled to third-party beneficiary status because the contract did not “directly and clearly express the intent to benefit [the plaintiff] or any class of which [he] claims to be a member.” Id. (Docket Entry No. 42, Ex. 4, ¶ 4.3(b)). The contract contains an identical promise by Heartland Bank to Heartland. ( Id., ¶ 4.3(a)). This exchange of promises does not state an intent to benefit anyone other than the contracting parties. There is no clearly expressed intent to convey any enforceable right to the Financial Institution Plaintiffs or to any class to which they belong.
MEMORANDUM AND OPINION
, District Judge.
In January 2009, Heartland Payment Systems, Inc. (“Heartland”) publicly disclosed that hackers had breached its computer systems and obtained access to confidential payment-card information for over one hundred million consumers. Consumers and financial institutions filed suits across the nation. The Judicial Panel on Multidistrict Litigation consolidated those cases before this court. The cases have proceeded on two tracks, one for the Consumer Plaintiffs and one for the Financial Institution Plaintiffs.
The Financial Institution Plaintiffs filed a master complaint asserting causes of action for breach of contract and implied contract, negligence and negligence per se, negligent and intentional misrepresentation, and violations of consumer-protection statutes in New Jersey and other states. (Docket Entry No. 32). Heartland moved to dismiss. (Docket Entry No. 39). After this court dismissed claims filed by some of the Financial Institution Plaintiffs against the banks that contracted with Heartland, (Docket Entry No. 117), the parties supplemented their briefs. (Docket Entry Nos. 122, 124, 127, 131, 133–35). Based on the master complaint, the motion, the extensive briefing, and the relevant law, this court grants the motion to dismiss in part and denies it in part. The specific rulings are as follows:
The Financial Institution Plaintiffs responded, (Docket Entry No. 50); Heartland replied, (Docket Entry No. 56); the Financial Institution Plaintiffs surreplied, (Docket Entry No. 64); and Heartland supplemented its reply, (Docket Entry No. 69).
The Financial Institution Plaintiffs seek to proceed as a nationwide class or, alternatively, as nine state subclasses. (Docket Entry No. 32, ¶¶ 80–82). The issue of class certification is not yet before this court.
(1) The motion to dismiss is granted with prejudice and without leave to amend as to the claims for negligence and for violations of the New Jersey Consumer Fraud Act, the New York consumer protection law, and the Washington Consumer Protection Act.
(2) The motion to dismiss is granted without prejudice and with leave to amend as to the following claims: breach of contract; breach of implied contract; express misrepresentation; negligent misrepresentation based on nondisclosure; and violations of the California Unfair Competition Law, the Colorado Consumer Protection Act, the Illinois Consumer Fraud and Deceptive Business Practices Act, and the Texas Deceptive Trade Practices—Consumer Protection Act.
(3) The motion to dismiss is denied as to the claim brought under the Florida Deceptive and Unfair Trade Practices Act.
The reasons for these rulings are explained in detail below. The Financial Institution Plaintiffs must file an amended complaint no later than December 23, 2011. A status conference is set for January 13, 2012, at 8:30 a.m. in Courtroom 11–B.
The factual allegations, which, if nonconclusory, this court must take as true for purpose of the motion to dismiss, come from the master complaint. See Randall D. Wolcott, M.D., P.A. v. Sebelius, 635 F.3d 757, 763 (5th Cir.2011).
Every day, merchants swipe millions of customers' payment cards. In the seconds that pass between the swipe and approval (or disapproval), the transaction information goes from the point of sale, to an acquirer bank, across the credit-card network, to the issuer bank, and back. Acquirer banks contract with merchants to process their transactions, while issuer banks provide credit to consumers and issue payment cards. The acquirer bank receives the transaction information from the merchant and forwards it over the network to the issuer bank for approval. If the issuer bank approves the transaction, that bank sends money to cover the transaction to the acquirer bank. The acquirer bank then forwards payment to the merchant. A bank often acts as both an issuer and an acquirer. Banks frequently outsource the processing functions to companies specializing in that service.
The term “payment cards” refers to both credit and debit cards distributed by issuer banks.
Visa and MasterCard are two of the largest credit-card networks. They neither issue cards nor contract with merchants to process transactions. Instead, acquirer and issuer banks contract with them for access to the Visa and MasterCard networks. Visa and MasterCard, like the other credit-card networks, impose extensive regulations on acquirer and issuer banks. Visa and MasterCard require the banks they contract with to impose these regulations on the merchants who submit transactions for processing and on the entities that process the transactions.
The Financial Institution Plaintiffs are nine banks suing as issuer banks. Heartland, the defendant, processes merchant transactions on behalf of two acquirer banks, Heartland Bank and KeyBank, N.A. (Docket Entry No. 42, Exs. 4, 5). Heartland's contracts with KeyBank and Heartland Bank required Heartland to comply with Visa and MasterCard network regulations. ( Id., Ex. 4, ¶ 1.1(f); Ex. 5, ¶ 1.1(f)). To the extent that the terms of Heartland's contracts with these and other banks differed from the Visa and MasterCard regulations, the regulations governed. ( Id., Ex. 4, ¶ 1.1(h); Ex. 5, ¶ 1.1(i)).
Five of the Financial Institution Plaintiffs sued Heartland Bank and KeyBank in the Southern District of Texas. That case also is part of the consolidated litigation. (Docket Entry No. 72).
Beginning at least as early as December 2007, three hackers—an American, Albert Gonzalez, and two unknown Russians—infiltrated Heartland's computer systems. (Docket Entry No. 32, ¶¶ 35, 63–64). The hackers installed programs that allowed them to capture some of the payment-card information stored on the Heartland computer systems. ( Id., ¶ 65). In late October 2008, Visa alerted Heartland to suspicious account activity. Heartland, with Visa and MasterCard and others, investigated. ( Id., ¶ 35). Heartland discovered suspicious files in its systems on January 12, 2009. A day later, Heartland uncovered the program creating those files. ( Id., ¶ 37). That program provided the hackers with access to data on the systems. ( Id., ¶¶ 41–42). On January 20, Heartland publicly announced the data breach. ( Id., ¶ 38). The hackers obtained payment-card numbers and expiration dates for approximately 130 million accounts. ( Id., ¶ 5). For some of these accounts, the hackers also obtained cardholder names. ( Id., ¶ 44). They did not obtain any cardholder addresses, however, which meant that the stolen card information generally could be used only for in-person transactions. ( Id., ¶ 70).
The Financial Institution Plaintiffs allege that this data breach resulted from Heartland's failure to follow industry security standards known as PCI–DSS. ( See id., ¶¶ 53–62). After the breach, the Financial Institution Plaintiffs incurred significant expenses replacing payment cards and reimbursing fraudulent transactions. ( Id., ¶ 78). The master complaint asserts ten causes of action:
(I) breach of Heartland's contracts with Heartland Bank, KeyBank, and its merchants, to which the Financial Institution Plaintiffs are third-party beneficiaries;
(III) breach of an implied contract to the Financial Institution Plaintiffs;
(IV) negligence per se;
(V) negligent misrepresentation;
(VI) intentional misrepresentation;
(VII) violations of the New Jersey Consumer Fraud Act; and
(VIII, IX, and X) violations of other states' consumer-protection laws.
The complaint seeks class certification.
Heartland has moved to dismiss the complaint in its entirety. (Docket Entry No. 39). Its arguments, and the Financial Institution Plaintiffs' responses, are addressed in detail below.
II. Rule 12(b)(6)
A complaint may be dismissed when the plaintiff fails “to state a claim upon which relief can be granted.” Fed. R. Civ. P. 12(b)(6). In Bell Atlantic Corp. v. Twombly, 550 U.S. 544, 555, 127 S.Ct. 1955, 167 L.Ed.2d 929 (2007), and Ashcroft v. Iqbal, 556 U.S. 662, 129 S.Ct. 1937, 1949–50, 173 L.Ed.2d 868 (2009), the Supreme Court confirmed that Rule 12(b)(6) must be read in conjunction with Rule 8(a), which requires “a short and plain statement of the claim showing that the pleader is entitled to relief.” Fed. R. Civ. P. 8(a)(2). A complaint must contain “enough facts to state a claim to relief that is plausible on its face” to withstand a Rule 12(b)(6) motion. Iqbal, 129 S.Ct. at 1949. “A claim has facial plausibility when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Id. Facial plausibility “does not require ‘detailed factual allegations,’ but it demands more than an unadorned, the-defendant-unlawfully-harmed-me accusation.” Id. (quoting Twombly, 550 U.S. at 555, 127 S.Ct. 1955). Nor is facial plausibility “akin to a ‘probability requirement’ ”; rather, “it asks for more than a sheer possibility that a defendant has acted unlawfully.” Iqbal, 129 S.Ct. at 1949 (quoting Twombly, 550 U.S. at 556, 127 S.Ct. 1955). Facial plausibility requires “the plaintiff [to] plead [ ] factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Iqbal, 129 S.Ct. at 1949. “Where a complaint pleads facts that are ‘merely consistent with’ a defendant's liability, it ‘stops short of the line between possibility and plausibility of entitlement to relief.’ ” Id. (quoting Twombly, 550 U.S. at 557, 127 S.Ct. 1955).
When a plaintiff's complaint fails to state a claim, a district court generally should provide the plaintiff at least one chance to amend the complaint under Rule 15(a) before dismissing the action with prejudice. See Great Plains Trust Co. v. Morgan Stanley Dean Witter & Co., 313 F.3d 305, 329 (5th Cir.2002) (“district courts often afford plaintiffs at least one opportunity to cure pleading deficiencies before dismissing a case”); see also United States ex rel. Adrian v. Regents of the Univ. of Cal., 363 F.3d 398, 403 (5th Cir.2004) (“Leave to amend should be freely given, and outright refusal to grant leave to amend without a justification ... is considered an abuse of discretion.” (internal citation omitted)). “Denial of leave to amend may be warranted for undue delay, bad faith or dilatory motive on the part of the movant, repeated failure to cure deficiencies, undue prejudice to the opposing party, or futility of a proposed amendment.” United States ex rel. Steury v. Cardinal Health, Inc., 625 F.3d 262, 270 (5th Cir.2010) (emphasis added). A district court has broad discretion to dismiss a complaint without leave to amend “where the plaintiff has previously been granted leave to amend [to cure pleading deficiencies] and has subsequently failed to add the requisite particularity to its claims[.]” Zucco Partners, LLC v. Digimarc Corp., 552 F.3d 981, 1007 (9th Cir.2009); see also Carroll v. Fort James Corp., 470 F.3d 1171, 1175 (5th Cir.2006) (affirming a district court's dismissal for failure to state a claim without leave to amend after the court “instructed [the plaintiffs] to plead their fraud claim with greater particularity, but the amended complaint was still woefully inadequate”).
A. The Contract and Implied Contract Claims
The master complaint asserts claims for breach of contract and breach of implied contract. The Financial Institution Plaintiffs base these claims, “without limitation,” on Heartland's contracts with: (1) its merchants; (2) Heartland Bank and KeyBank; and (3) Visa and MasterCard. (Docket Entry No. 32, ¶ 95). They allege that the contracts create duties to safeguard payment-card information. ( Id., ¶ 96). The Financial Institution Plaintiffs assert that they are intended third-party beneficiaries of those contracts and that, “[u]nder the circumstances, recognition of a right to performance by [the Financial Institution Plaintiffs] is appropriate to effectuate the intentions of the parties to these contracts.” ( Id., ¶ 97). They contend that Heartland breached the contracts by “failing to adequately safeguard ... sensitive financial information” of their customers, resulting in the Financial Institution Plaintiffs' financial harm. ( Id., ¶ 98).
Heartland notes that the master complaint does not precisely identify the allegedly breached contracts. Heartland submits what it contends to be the relevant contracts: its contracts with Heartland Bank and KeyBank and an “exemplar” of a contract with a merchant. (Docket Entry No. 40, at 35, 41; Docket Entry No. 42, Exs. 4–6). An affidavit from a Heartland attorney states that these were the only types of contracts in effect at the time of the data breach. ( See Docket Entry No. 41, ¶¶ 6–8).
A court ordinarily may not go outside the pleadings in considering a motion to dismiss. Scanlan v. Tex. A & M Univ., 343 F.3d 533, 536 (5th Cir.2003). The Fifth Circuit “recognize[s] one limited exception” for documents attached to a motion to dismiss “that are referred to in the plaintiff's complaint and are central to the plaintiff's claim.” Id.;accord, e.g., Rodriguez v. Rutter, 310 Fed.Appx. 623, 626 (5th Cir.2009). The contracts on which Heartland relies meet this standard.
1. The Contracts with the Acquirer Banks
The Financial Institution Plaintiffs allege that Heartland's contracts with Heartland Bank and KeyBank required Heartland to take “appropriate steps to safeguard the sensitive financial information” of the Financial Institution Plaintiffs' customers. (Docket Entry No. 32, ¶ 96). The Financial Institution Plaintiffs assert that they are intended third-party beneficiaries to these contracts. ( Id., ¶ 97). Heartland disagrees. According to Heartland, the contracts do not show an intent primarily to benefit the Financial Institution Plaintiffs. Even if the contracts showed such an intent, Heartland argues, the Financial Institution Plaintiffs still cannot recover because they are not creditor or donee beneficiaries of the contracts. Heartland further contends that the incorporated Visa and MasterCard regulations preclude third-party claims. Finally, Heartland argues that even if the Financial Institution Plaintiffs are third-party beneficiaries of the contracts, the allegations are too conclusory to state a plausible breach of contract claim. ( See Docket Entry No. 40, at 37–39).
a. The Heartland Bank Contract
Heartland's contract with Heartland Bank contains a choice-of-law provision specifying Missouri law. (Docket Entry No. 42, Ex. 4, ¶ 4.11). The parties do not dispute that Missouri law applies. Under Missouri law, “[o]nly parties to a contract and any third-party beneficiaries of a contract have standing to enforce that contract.” Verni v. Cleveland Chiropractic Coll., 212 S.W.3d 150, 153 (Mo.2007). Intended beneficiaries qualify as third-party beneficiaries, but incidental beneficiaries do not. See id. A third party is an intendedbeneficiary only when “the contract clearly express[es] intent to benefit that party or an identifiable class of which the party is a member.” Id. (internal quotation marks omitted). Absent such express language, “there is a strong presumption ... that the parties contracted only to benefit only themselves.” Id. (internal quotation marks omitted).
In recent cases, the Missouri Supreme Court has held that a court must limit itself to examining the contract language in determining third-party beneficiary status. In Nitro Distributing, Inc. v. Dunn, 194 S.W.3d 339 (Mo.2006), the court explained that, “[t]o be bound as a third-party beneficiary, the terms of the contract must clearly express intent to benefit that party or an identifiable class of which the party is a member.” Id. at 345 (emphasis added). Looking only to the contract, and not to extrinsic evidence, the court concluded that the contract “expresse[d] no intent whatsoever to benefit” the asserted third parties. Id. In Netco, Inc. v. Dunn, 194 S.W.3d 353 (Mo.2006), decided on the same day, the state supreme court again limited its consideration to the contract language. See id. at 358. In that case, the defendant, an Amway distributor, argued that the plaintiff was bound to the Amway franchise contract as a third-party beneficiary because the plaintiff conceded that “it relied on and profited from [the] relationship, a relationship predicated on the Amway Rules of Conduct and [the defendant's] status as an Amway distributor[.]” Id. (internal quotation marks omitted). The court found this concession irrelevant, explaining that “the mere fact [of] a mutually beneficial relationship ... does not make [the plaintiff] a third-party beneficiary.” Id. The court once again considered only the contract language and found no express statement of intent to make the plaintiff a third-party beneficiary. See id.
The Missouri Supreme Court recently reaffirmed its narrow focus on contract language in determining third-party beneficiary status. In Verni v. Cleveland Chiropractic College, a student—upset with his college after it fired a favorite professor—argued that he was a third-party beneficiary of the professor's employment contract with the college. 212 S.W.3d at 152–53. The court quoted Nitro Distributing 's requirement that the contract clearly state the parties' intent to confer third-party beneficiary status. Id. at 153. The court emphasized its resolution of the issue “by examining the contract's language,” id., citing OFW Corporation v. City of Columbia, 893 S.W.2d 876, 879 (Mo.Ct.App.1995). In OFW, the Missouri Court of Appeals held that, “[i]n determining whether plaintiff was a third-party beneficiary to the contract, the question of intent is paramount and is to be gleaned from the four corners of the contract.” Id. (internal quotation marks and alterations omitted; emphasis added). The Verni court succinctly applied this rule to the professor's employment contract:
The contract is a one-page document providing that [the professor] would be a full-time faculty member ... for one year. The contract required him to be on campus a certain amount of time each week and outlined his teaching duties. In return, the contract provided ... salary and employment benefits. Although the contract might incidentally provide a benefit to ... students, it does not clearly express any intent that [the professor] was undertaking a duty to benefit [the plaintiff] or a class of students.
212 S.W.3d at 153. The court considered no extrinsic evidence. It concluded that the student was not entitled to third-party beneficiary status because the contract did not “directly and clearly express the intent to benefit [the plaintiff] or any class of which [he] claims to be a member.” Id.
Under Missouri law, this court must look only to the contract terms in determining whether there was a direct and clear expression of intent to benefit the third party—in this case, the Financial Institution Plaintiffs. The contract between Heartland and Heartland Bank states:
[Heartland] will safeguard, and hold confidential from disclosure to unauthorized persons, all data relating to Bank business received by [Heartland] pursuant to this Agreement to the same extent that [Heartland] safeguards data relating to its own business[.]
(Docket Entry No. 42, Ex. 4, ¶ 4.3(b)). The contract contains an identical promise by Heartland Bank to Heartland. ( Id., ¶ 4.3(a)). This exchange of promises does not state an intent to benefit anyone other than the contracting parties. There is no clearly expressed intent to convey any enforceable right to the Financial Institution Plaintiffs or to any class to which they belong.
The contract refers to data relating to the business of the contracting parties, indicating an intent to protect the contracting parties' businesses from unauthorized disclosures. The Financial Institution Plaintiffs acknowledge that Heartland's failure to protect consumer payment-card data would harm Heartland's own business. ( See Docket Entry No. 32, ¶¶ 57–60). The Financial Institution Plaintiffs cite the contract's requirement that Heartland indemnify Heartland Bank's “affiliates[.]” (Docket Entry No 42, Ex. 4, ¶ 4.5(a)). But this indemnification clause does not show an intent primarily to benefit the Financial Institution Plaintiffs. The term “affiliate” means “[a] corporation that is related to another corporation by shareholdings or other means of control; a subsidiary, parent, or sibling corporation.” Black's Law Dictionary 63 (8th ed. 2004); see also Nitro Distrib., 194 S.W.3d at 349 (“courts will enforce contracts according to their plain meaning”). The Financial Institution Plaintiffs are not “affiliates” of Heartland Bank within the word's common meaning.
Heartland's motion to dismiss based on the Heartland Bank contract is granted with prejudice and without leave to amend because amendment would be futile. The Financial Institution Plaintiffs emphasize that they have not had a chance to conduct discovery into whether there are other contracts in this category with provisions expressly and directly stating an intent to make them third-party beneficiaries. (Docket Entry No. 50, at 42–43, 45). Leave to amend is granted only insofar as the Financial Institution Plaintiffs are able to plead plausibly that they are third-party beneficiaries to other contracts between Heartland and Heartland Bank.
The reasons for dismissing the Financial Institution Plaintiffs' breach of contract claim based on the KeyBank contract equally support dismissing the claim based on the Heartland Bank contract.
b. The KeyBank Contract
This court previously reviewed Ohio law on third-party beneficiaries in the related case against KeyBank and found the complaint insufficient to state a claim that the issuer banks were third-party beneficiaries to the contract between KeyBank and Heartland. The contract language itself did not show an intent to benefit third parties. Because Ohio law, unlike Missouri law, allows consideration of evidence beyond the contract terms to determine third-party beneficiary status, it was appropriate to grant the issuer banks leave to amend. This court also found that the Financial Institution Plaintiffs had failed to identify any provision of the KeyBank contract that Heartland had breached. (Docket Entry No. 117, at 27–32). For essentially the same reasons set out in the March 31, 2011 memorandum and order, 2011 WL 1232352, the claims based on the KeyBank contract asserted by the Financial Institution Plaintiffs in this case must also be dismissed.
Heartland advances an additional reason to dismiss in this case. The damages the Financial Institution Plaintiffs seek are consequential damages, which the KeyBank contract excludes absent a willful breach. (Docket Entry No. 40, at 40–41). The KeyBank contract states that “damages will be limited to general money damages in an amount not to exceed the actual damages of the party. In no case will the other party be responsible for special, incidental, consequential or exemplary damages, except for willful breach of this Agreement.” (Docket Entry No. 42, Ex. 5, ¶ 4.7). Damages-limitation clauses are generally enforceable under Ohio law. E.g., Skurka Aerospace, Inc. v. Eaton Aerospace, L.L.C., 781 F.Supp.2d 561, 571–72 (N.D.Ohio 2011); TLC Healthcare Servs., L.L.C. v. Enhanced Billing Servs., L.L.C., No. L–08–1121, 2008 WL 3878349, at *3 (Ohio Ct.App. Aug. 22, 2008); Morantz v. Ortiz, No. 07AP–597, 2008 WL 642630, at *7 (Ohio Ct.App. Mar. 11, 2008) (collecting cases).
Nearly identical language appears in the Heartland Bank contract. (Docket Entry No. 42, Ex. 4, ¶ 4.7).
When a contract limits recovery to direct damages, a plaintiff may recover only the difference between the amount paid and the value received. See Nat'l Mulch & Seed, Inc. v. Rexius Forest By–Products Inc., No. 2:02–cv–1288, 2007 WL 894833, at *6 n. 3 (S.D.Ohio Mar. 22, 2007); see also Wartsila NSD N. Am., Inc. v. Hill Int'l, Inc., 530 F.3d 269, 278 (3d Cir.2008) (limiting recovery for a breach in a service contract that excluded consequential damages to “the amount paid ... for [the] services, less the actual value, if any, of those services”); Reynolds Metals Co. v. Westinghouse Elec. Corp., 758 F.2d 1073, 1080 (5th Cir.1985) (same). The damages the Financial Institution Plaintiffs seek are not the difference between the contract price and the value of the payment-card services. Instead, the Financial Institution Plaintiffs seek the costs they incurred in covering fraudulent transactions and replacing payment cards after the hacker intrusion into the Heartland computer systems. These costs are consequential damages, available only if the contract breach is willful. The master complaint alleges insufficient facts to assert a willful breach. See, e.g., Said v. SBS Elecs., Inc., No. CV 08–3067(RJD)(JO), 2010 WL 1265186, at *8 (E.D.N.Y. Feb. 24, 2010) (dismissing a complaint containing conclusory allegations of willfulness), adopted as modified on other grounds in2010 WL 1287080 (E.D.N.Y. Mar. 31, 2010).
The breach of contract allegations based on the KeyBank contract are dismissed, without prejudice and with leave to amend.
2. The Merchant Processing Agreements
Heartland argues that its Merchant Processing Agreements (“Agreements”), an exemplar of which it has produced, do not provide a basis for recovery for breach of contract. The Agreements provide that New Jersey law applies. (Docket Entry No. 42, Ex. 6, ¶ 14.12). The parties do not dispute the application of New Jersey law.
Heartland contends that the Financial Institution Plaintiffs cannot state a claim for breach of contract because: (1) they are not intended third-party beneficiaries of the Agreements; (2) they have not sufficiently pleaded a breach of those Agreements; and (3) the Agreements do not allow recovery for consequential damages. (Docket Entry No. 40, at 41–44). The third contention is dispositive.
Under the Agreements, Heartland's “sole liability ... shall be to correct ... any data in which errors have been caused by [Heartland.]” (Docket Entry No. 42, Ex. 6, ¶ 8.5). The Agreements state that “Heartland shall have no other liability whatsoever to Merchant, and Merchant hereby expressly wa[i]ves any claim against [Heartland] for indirect, special, exemplary, incidental or consequential damages or lost profits or interest.” ( Id., ¶ 8.7). New Jersey generally enforces damages-limitation clauses between businesses. 66 VMD Assocs., LLC v. Melick–Tully & Assocs., P.C., No. L–6584–07, 2011 WL 3503160, at *3 (N.J.Super.Ct.App.Div. Aug. 11, 2011); Marbro, Inc. v. Borough of Tinton Falls, 297 N.J.Super. 411, 688 A.2d 159, 162 (N.J.Super.Ct. Law Div.1996); see also Jasphy v. Osinsky, 364 N.J.Super. 13, 834 A.2d 426, 431 (N.J.Super.Ct.App.Div.2003). The damages the Financial Institution Plaintiffs seek are consequential damages.
The Financial Institution Plaintiffs do not assert that the damages-limitation clauses are unenforceable. Instead, they contend that these clauses only limit a merchant's ability to recover for consequential damages. These clauses, they say, do not apply to their claim as third-party beneficiaries to the Agreements. This contention is unpersuasive. “It is black letter law that a third-party beneficiary is not entitled to any more rights than the actual contracting party.” Merchants Mut. Ins. Co. v. Monmouth Truck Equip., Inc., Civ. A. No. 06–cv–05395 (FLW), 2008 WL 65109, at *5 (D.N.J. Jan. 4, 2008) (citing, for example, United Steelworkers of Am. v. Rawson, 495 U.S. 362, 375, 110 S.Ct. 1904, 109 L.Ed.2d 362 (1990); and Allgor v. Travelers Ins. Co., 280 N.J.Super. 254, 654 A.2d 1375, 1379 (N.J.Super.Ct.App.Div.1995)). The Financial Institution Plaintiffs' breach of contract claim under the Agreements containing the damages-limitation clauses is dismissed, with prejudice. The Financial Institution Plaintiffs may assert a breach of contract claim based on the Agreements only insofar as they have a good-faith basis to believe that: (1) there are Agreements to which they are third-party beneficiaries; and (2) these Agreements do not contain damages-limitation clauses.
3. The Implied Contract Claim
Under New Jersey law, “[a]n implied-in-fact contract is a true contract arising from mutual agreement and intent to promise, but where the agreement and promise have not been verbally expressed.” S. Jersey Hosp., Inc. v. Corr. Med. Servs., Civ. No. 02–2619(JBS), 2005 WL 1410860, at *4 (D.N.J. June 15, 2005) (quoting In re Penn Cent., 831 F.2d 1221, 1228 (3d Cir.1987)). “[C]ontracts implied in fact are no different than express contracts, although they exhibit a different way or form of expressing assent than through statements or writings.” Wanaque Borough Sewerage Auth. v. Twp. of W. Milford, 144 N.J. 564, 677 A.2d 747, 752 (1996). Courts look to the parties' “word[s] and conduct in light of the surrounding circumstances.” Id. (citing Restatement (Second) of Contracts §§ 4 cmt. a, 5 cmt. a (1979)).
The Financial Institution Plaintiffs rely on In re Hannaford Brothers Co. Customer Data Security Breach Litigation, 613 F.Supp.2d 108 (D.Me.2009), aff'd in part, rev'd in part sub nom. Anderson v. Hannaford Brothers Co., 659 F.3d 151 (1st Cir.2011). In Hannaford Brothers, customers used payment cards to pay for groceries. A third party breached the grocer's information-technology systems, gaining access to stored payment-card information. See613 F.Supp.2d at 116. The customers filed a class-action lawsuit against the grocer for the unauthorized access to their payment-card information, claiming breach of implied contract. The district court first noted the existence of a direct contract relationship between the grocer and the customers: a contract to buy groceries. Id. at 118. Because that contract required payment, the court held that a customer's use of a payment card would allow a jury to
find certain other implied terms in the grocery purchase contract: for example, that the merchant will not use the card data for other people's purchases, will not sell or give the data to others (except in completing the payment process), and will take reasonable measures to protect the information (which might include meeting industry standards), on the basis that these are implied commitments that are “absolutely necessary to effectuate the contract,” and “indispensable to effectuate the intention of the parties.”
Id. at 119 (emphasis in original) (quoting Seashore Performing Arts Ctr., Inc. v. Town of Old Orchard Beach, 676 A.2d 482, 484–85 (Me.1996)). The court found that the customers had sufficiently stated a claim for breach of implied contract under Maine law. But the starting point for the court's analysis is the parties' direct contractual relationship. See Hannaford Brothers, 613 F.Supp.2d at 118. That is not true in the present case.
The First Circuit recently affirmed the district court's conclusion regarding the implied-contract claim, but with little detail. See Hannaford Brothers, 659 F.3d at 158–59. This court continues to find the district court's “carefully reasoned” analysis persuasive. Id. at 155.
A case with facts more similar to those at issue here is Hammond v. The Bank of New York Mellon Corporation, No. 08 Civ. 6060(RMB)(RLE), 2010 WL 2643307 (S.D.N.Y. June 25, 2010). In Hammond, a company owned by the defendant lost computer-backup tapes that contained the payment-card data of 12.5 million individuals. Id. at *4. A class action against the defendant claimed breach of implied contract. The court emphasized that there was no direct relationship between the individuals whose data was released and the defendant. The court explained:
Rather, Plaintiffs had relationships (only) with institutional clients of Defendant, such as the Walt Disney Company .... Plaintiffs gave their personal data over to these entities, which, in turn, forwarded the data to Defendant (which stored the data on the tapes that ultimately were lost or stolen).
Id. at *9. Applying New York law, the court concluded that, absent evidence of “any direct dealings” between the individuals and the defendant, there was no basis to find the mutual assent necessary for an implied contract. Id. at *11.
Unlike the plaintiffs in Hannaford Brothers, and like those in Hammond, the Financial Institution Plaintiffs do not allege a direct contract relationship with Heartland that would plausibly suggest the mutual assent necessary for an implied contract. The Financial Institution Plaintiffs' contracts are with Heartland's clients, not Heartland. The pleadings allege that the Financial Institution Plaintiffs have at most an indirect relationship with Heartland through Heartland's processing of transactions made with payment cards that they issued. The implied contract claim is dismissed. The Financial Institution Plaintiffs may replead this claim, but only insofar as they have a good-faith basis to allege the existence of a direct contractual relationship between them and Heartland.
Heartland also argues that other elements of an implied contract claim are missing. This court need not address those arguments at this time.
B. The Negligence Claims
1. Negligence Per Se
The Financial Institution Plaintiffs have withdrawn their negligence per se claim based on Heartland's alleged failure to follow the security protocols set out in the Visa and MasterCard regulations. (Docket Entry No. 50, at 23 n. 14).
The Financial Institution Plaintiffs allege that Heartland breached three duties: “a duty to exercise reasonable care in safeguarding and protecting [payment-card] information from being compromised and/or stolen,” (Docket Entry No. 32, ¶ 101); a seemingly related “duty to put into place internal policies and procedures designed to detect and prevent the unauthorized dissemination of [the Financial Institution Plaintiffs'] customers' private, non-public, sensitive financial information,” ( id., ¶ 103); and “a duty to timely disclose to [the Financial Institution Plaintiffs'] customers that the Data Breach had occurred and the private, non-public, sensitive financial information of [the Financial Institution Plaintiffs'] customers” may have been compromised, ( id., ¶ 102).
Suits by issuer banks against other participants in the credit-card processing chain are “of fairly recent vintage.” Rebecca Hatch Weston, Liability of Retailer and Its Affiliate Bank to Credit Card Issuer for Costs Arising out of Breach of Retailer's Computer Security, 51 A.L.R.6th 311, § 2 (2010) (noting that the first published decision appeared in 2005). Courts addressing such claims have generally found that the economic-loss doctrine prevents recovery. Id. at § 5; cf. Juliet M. Moringiello, Warranting Data Security, 5 Brook. J. Corp. Fin. & Com.. L. 63, 71 (2010) (calling the economic-loss doctrine a “major impediment[ ]” to consumer tort actions against payment-card processors). It is instructive to review the cases.
In Banknorth, N.A. v. BJ's Wholesale Club, Inc., 394 F.Supp.2d 283 (D.Me.2005), an issuer bank sued a retailer and an acquiring bank after the retailer's computer systems, which contained customers' payment-card information, were breached. Id. at 284. The issuer bank alleged that the retailer and acquiring bank negligently breached a duty “to safeguard cardholder information from thieves.” Id. at 286. The retailer and acquirer bank argued that the economic-loss doctrine barred recovery on this claim. Id. The court observed that, under Maine law, it was unclear how the doctrine applied outside the products liability context. Id. at 287. The court noted the “complex web of relationships involving numerous players governed by both individual contracts and exhaustive regulations promulgated by Visa and other card networks.” Id. The court reasoned that although there might be a duty of care among the members of the credit-card network, “this web of relationships may or may not render Plaintiff's negligence claim susceptible to the economic loss doctrine.” Id. Because the issuer bank's ability to recover would turn on the specific facts of each case, the court concluded that dismissal was inappropriate. Id.
Another court applying Maine law reached the opposite conclusion. In a case raising the same claims, brought in Pennsylvania federal court, the court found that the economic-loss doctrine precluded liability for negligence. See Banknorth N.A. v. BJ's Wholesale Club, Inc., 442 F.Supp.2d 206, 211–14 (M.D.Pa.2006).
The district court in Hannaford Brothers, see supra at 581–82, declined to dismiss the customers' negligence claim on similar grounds. 613 F.Supp.2d at 127–28. It thereafter certified the question whether customers' time spent canceling cards and otherwise dealing with data breaches was compensable. In re Hannaford Bros. Co. Customer Data Sec. Breach Litig., 660 F.Supp.2d 94, 99 (D.Me.2009). The Maine Supreme Judicial Court held that “[u]nless the plaintiffs' loss of time reflects a corresponding loss of earnings or earning opportunities, it is not a cognizable injury under Maine law of negligence.” In re Hannaford Bros. Co. Customer Data Sec. Breach Litig., 4 A.3d 492, 497 (Me.2010). The court did not reach the question whether the economic-loss doctrine barred relief. Id. at 498.
In In re TJX Companies Retail Security Breach Litigation, 564 F.3d 489 (1st Cir.2009), the First Circuit considered a negligence claim by issuer banks against a merchant and an acquirer bank for losses stemming from a data breach. Recognizing that “purely economic losses are unrecoverable [under Massachusetts law] in tort and strict liability actions in the absence of personal injury or property damage,” the court affirmed the district court's dismissal of the negligence claim. Id. at 498–99 (quoting Aldrich v. ADD Inc., 437 Mass. 213, 770 N.E.2d 447, 454 (2002)). The court rejected the issuer banks' argument that they suffered compensable property loss. Massachusetts law, the court emphasized, required physical property damage for a negligence claim. Id. at 498. The Massachusetts Supreme Judicial Court reached the same result in Cumis Insurance Society, Inc. v. BJ's Wholesale Club, Inc., 455 Mass. 458, 918 N.E.2d 36 (2009). The issuer banks' insurer attempted to avoid the economic-loss doctrine by arguing that “the plastic credit cards [were] tangible personal property and their damages included physical harm to the plastic cards that had to be canceled following the thefts.” Id. at 46. The court rejected this argument, noting that the relevant issue was not “whether the credit cards are tangible property, but rather the nature of the damages sought by the plaintiffs.” Id.
The Third Circuit reached the same conclusion under Pennsylvania law in Sovereign Bank v. BJ's Wholesale Club, Inc., 533 F.3d 162 (3d Cir.2008). In that case, an issuer bank sued a merchant after a data breach. The court reviewed Pennsylvania cases applying the economic-loss doctrine and dismissed the bank's negligence claim. Id. at 175–78. In rejecting the bank's argument that its loss of money was a loss of property, the court reasoned that accepting “the argument would totally eviscerate the economic loss doctrine because any economic loss would morph into the required loss of property and thereby furnish the damages required for a negligence claim.” Id. at 176.
The Iowa Supreme Court recently rejected a similar negligence claim under the economic-loss doctrine. In Annett Holdings, Inc. v. Kum & Go, L.C., 801 N.W.2d 499 (Iowa 2011), a trucking company's employee used a card issued by the company to make unauthorized purchases at a gas station. Id. at 501. The trucking companysued the gas station. Id. at 502. The Iowa Supreme Court noted that although the trucking company and the gas station lacked privity of contract, the gas station had contracted with the company's credit-card network. “When parties enter into a chain of contracts, even if the two parties at issue have not actually entered into an agreement with each other, courts have applied the ‘contractual economic loss rule’ to bar tort claims for economic loss, on the theory that tort law should not supplant a consensual network of contracts.” Id. at 504;see also Robins Dry Dock & Repair Co. v. Flint, 275 U.S. 303, 308–09, 48 S.Ct. 134, 72 L.Ed. 290 (1927) (applying the economic-loss doctrine to a chain of contracts). The court pointed out that the trucking company would be “fully responsible” for fraudulent charges under its agreement with the network; that the company knew that the network contracted with service centers like the gas station; and that the network would reimburse those service centers, with the expectation that the company would reimburse the network under the terms of the agreement. Annett Holdings, 801 N.W.2d at 505. “It is difficult to see why a tort remedy is needed here,” the court concluded, because the trucking company “contracted to assume certain risks of financial loss and had the ability to minimize these risks.” Id. The court dismissed the negligence claim.
The credit-card network in Annett Holdings was Comdata, not Visa or MasterCard. Nonetheless, the rules governing the risk allocation for fraudulent charges appear to be similar in that the issuer bank, the trucking company, was required to bear the loss for fraudulent charges. See801 N.W.2d at 501. The court considered Cumis, Sovereign Bank, and TJX as analogous cases, and found those opinions to support the court's decision. Id. at 502–03.
Heartland argues that this court must dismiss the negligence claim because Texas law does not allow tort claims for purely economic loss. See Memorial Hermann Healthcare Sys., Inc. v. Eurocopter Deutschland, GMBH, 524 F.3d 676, 678 (5th Cir.2008) (citing Hou–Tex, Inc. v. Landmark Graphics, 26 S.W.3d 103, 107 (Tex.App.-Houston [14th Dist.] 2000, no pet.)). The Financial Institution Plaintiffs do not dispute Heartland's characterization of Texas law. They instead contend that New Jersey law applies. Under New Jersey law, they state, a plaintiff may recover for economic losses resulting from negligence without physical or property injury. Heartland responds that even if New Jersey law applies, it owed no duty to the Financial Institution Plaintiffs to protect cardholder data and therefore cannot be liable for negligence. New Jersey law, however, would not recognize a duty owing by Heartland to the Financial Institution Plaintiffs to protect cardholder data. Even assuming that New Jersey law applies, the Financial Institution Plaintiffs' negligence claim must be dismissed.
Whether Heartland owed a duty of care to individual cardholders is not at issue in this case.
The elements of negligence under New Jersey law are (1) a duty of care, (2) a breach of that duty, (3) proximate cause, and (4) damages. Brunson v. Affinity Fed. Credit Union, 199 N.J. 381, 972 A.2d 1112, 1122–23 (2009); Polzo v. Cnty. of Essex, 196 N.J. 569, 960 A.2d 375, 384 (2008). “The New Jersey Supreme Court has long been a leader in expanding tort liability.” Hakimoglu v. Trump Taj Mahal Assocs., 70 F.3d 291, 295 (3d Cir.1995) (Becker, J., dissenting). In People Express Airlines, Inc. v. Consolidated Rail Corp., 100 N.J. 246, 495 A.2d 107 (1985), the New Jersey Supreme Court abandoned the rule that economic losses, unaccompanied by physical or property damage, are never compensable in tort. See id. at 114–15. In People Express, an airline sued various defendants for business-interruption damages after a volatile chemical caught fire in a rail yard adjacent to the Newark Airport. An evacuation of a one-mile radius closed the airport's northern terminal for 12 hours. That terminal housed the airline's business operations. The evacuation forced the airline to cancel flights and prevented its employees from booking flights for customers. Id. at 108–09. The defendants moved for summary judgment that the economic-loss doctrine prohibited recovery for purely economic loss. The New Jersey Supreme Court concluded that the traditional reasons for prohibiting recovery for economic loss, including fears of unbounded liability and fraudulent claims, were unpersuasive. The court held that a duty generally exists “to take reasonable measures to avoid the risk of causing economic damages, aside from physical injury, to particular plaintiffs or plaintiffs comprising an identifiable class with respect to whom defendant knows or has reason to know are likely to suffer such damages from its conduct.” Id. at 116. Whether a duty exists depends in part on the foreseeability of such damages. “The more particular is the foreseeability that economic loss will be suffered by the plaintiff as the result of the defendant's negligence, the more just is it that liability be imposed and recovery allowed.” Id. The “class of plaintiffs must be particularly foreseeable in terms of the type of persons or entities comprising the class, the certainty or predictability of their presence, the approximate numbers of those in the class, as well as the type of economic expectations disrupted.” Id. The court recognized a “spectrum [of foreseeability] ranging from the general to the particular,” allowing a court to “limit otherwise boundless liability and define an identifiable class of plaintiffs that may recover.” Id. at 115, 116. In holding that the defendants owed a duty to the plaintiffs, the People Express court identified the close proximity of the north terminal to the accident; the “obvious nature” of the airline's presence and operations that made the asserted economic harm foreseeable; the rail company's knowledge of the chemical's volatility; and the existence of an emergency-response plan established with the participation of some of the defendants that called for evacuating the terminal. Id. at 118. Although the airline could seek its economic losses, an example of a class that could not seek such losses was drivers on a highway delayed by a negligently caused accident. The drivers may be a foreseeable class, the court acknowledged, but they were not an identifiable one. Rather, the presence of any particular driver—and therefore the economic injury of that driver—was merely “fortuitous.” Id. at 116.
People Express recognizes that “a plaintiff [can] bring an action for purely economic losses, regardless of any accompanying physical harm or property damage, if the plaintiff [is] a member of an identifiable class that the defendant should have reasonably foreseen was likely to be injured by the defendant's conduct[.]” Carter Lincoln–Mercury, Inc., Leasing Div. v. EMAR Grp., Inc., 135 N.J. 182, 638 A.2d 1288, 1294 (1994). But People Express equally acknowledges that the foreseeability standard will not always adequately guide a court's evaluation of tort duties. In certain cases, “the courts will be required to draw upon notions of fairness, common sense and morality to fix the line limiting liability as a matter of public policy, rather than an uncritical application of particular foreseeability.” People Express, 495 A.2d at 116. The New Jersey Supreme Court has emphasized in decisions since People Express that the “[a]bility to foresee injury to a potential plaintiff does not in itself establish the existence of a duty [.]” Carter Lincoln–Mercury, 638 A.2d at 1294 (citing Goldberg v. Housing Auth. of City of Newark, 38 N.J. 578, 186 A.2d 291, 293 (1962)); see also Clohesy v. Food Circus Supermarkets, Inc., 149 N.J. 496, 694 A.2d 1017, 1020 (1997) (“Foreseeability of harm alone is not dispositive of whether a duty exists.”). Rather, “[o]nce the foreseeability of an injured party is established, [a court] must decide whether considerations of fairness and policy warrant the imposition of a duty.” Carter Lincoln–Mercury, 638 A.2d at 1294.
New Jersey has exhibited a “strong resistance to the usurpation of contract law by tort law[.]” Travelers Indem. Co. v. Dammann & Co., 594 F.3d 238, 248 (3d Cir.2010). “New Jersey courts have consistently held that contract law is better suited to resolve disputes where a plaintiff alleges direct and consequential losses that were within the contemplation of sophisticated business entities that could have been the subject of their negotiations.” Id.;see also Arcand v. Brother Int'l Corp., 673 F.Supp.2d 282, 308 (D.N.J.2009); (Docket Entry No. 117, at 40–43 (discussing cases)). The New Jersey cases repeatedly emphasize that respecting the parties' voluntary agreements to allocate risk best serves the public interest. See Spring Motors Distributors, Inc. v. Ford Motor Co., 98 N.J. 555, 489 A.2d 660, 671 (1985) (“As between commercial parties, [ ] the allocation of risks in accordance with their agreement better serves the public interest than an allocation achieved as a matter of policy without reference to that agreement.”). The decisions represent a “clear rejection of an approach that would allow tort law to substitute for contract law in cases involving sophisticated parties with equal bargaining power[.]” Travelers Indem., 594 F.3d at 251.
One court applying New Jersey law has refused to apply the economic-loss doctrine to contracts for services, not goods. Consult Urban Renewal Dev. Corp. v. T.R. Arnold & Assocs., Inc., Civ. A. No. 06–1684(WJM), 2009 WL 1969083, at *4 (D.N.J. July 1, 2009) (“While some jurisdictions have chosen to extend the economic loss doctrine to services, there is no evidence to suggest that New Jersey law has done so.”). That holding appears to be against the weight of authority. Most courts have applied the economic-loss doctrine to contracts for services. As one commentator persuasively notes, refusing to apply the economic-loss doctrine to such contracts “seems to ignore the intent of the parties as expressed in the contract.” Dan. B. Dobbs, An Introduction to Non–Statutory Economic Loss Claims, 48 ariz. l. rev. 713, 727 (2006).
The New Jersey Supreme Court has made clear that “[p]erfect parity is not required for a finding of substantially equal bargaining power.” Alloway v. Gen. Marine Indus., L.P., 149 N.J. 620, 695 A.2d 264, 268 (1997).
This court previously concluded that, under New Jersey law, Heartland owed no duty to the issuer banks because “relationships among issuers, acquirers, and their contractors—such as Heartland Payment Systems—are governed by the Visa and MasterCard regulations,” not tort law. (Docket Entry No. 117, at 44). The court dismissed vicarious liability claims against an acquirer bank that hired Heartland to process payment-card transactions. In supplemental briefing following that order, the Financial Institution Plaintiffs argue that the economic-loss doctrine does not apply to them because Heartland, unlike the acquirer banks, is not a member of the Visa and MasterCard networks. (Docket Entry No. 124, at 1). The Financial Institution Plaintiffs note that no New Jersey case has applied the economic-loss doctrine to bar tort recovery absent a direct contractual relationship. The Financial Institution Plaintiffs cite Consult Urban, 2009 WL 1969083, in which a district court held that a series of contracts did not preclude recovery in tort. This argument and citation are unpersuasive. An issuer bank's decision to issue payment cards is, of course, a voluntary choice. To participate, issuer banks must accept the Visa and MasterCard regulations. By participating in the Visa and MasterCard networks, the Financial Institution Plaintiffs entered into the web of contractual relationships that included not only issuer and acquirer banks but also third-party businesses, such as Heartland, that process transactions for network members. Heartland agreed to follow the Visa and MasterCard regulations. (Docket Entry No. 32, ¶ 96; Docket Entry No. 42, Ex. 4, ¶ 1.1(f) (requiring Heartland to “comply fully with all by-laws and regulations of Visa and MasterCard, including but not limited to, rules regarding independent sales organizations and member service providers”); id., Ex. 5, ¶ 1.1(f) (same)). The regulations specifically contemplate the possibility of a data breach. They specify procedures for issuer banks to make claims when such data breaches occur through private dispute-resolution systems. (Docket Entry No. 124, Exs. 1, 2); see also Sovereign Bank, 533 F.3d at 165 (describing the “comprehensive provisions for resolving disputes between Visa members,” which allowed Visa to decide disputes “in accordance with risk allocation judgments made by Visa”); Cumis Ins. Soc'y, Inc. v. BJ's Wholesale Club, No. 20051158J, 2008 WL 2345865, at *4 (Mass.Super. Ct. June 4, 2008) (noting that the Visa and MasterCard regulations “provide for an elaborate dispute resolution procedure and for fines for non-compliance”), aff'd, 455 Mass. 458, 918 N.E.2d 36 (2009). Although Heartland is not a direct member of the Visa and MasterCard networks, it was subject to the network regulations. The complaint highlights Visa's investigation into Heartland, alleging that Visa both found Heartland to be “in violation of the Visa operating regulations” and banned network members from using Heartland to process transactions for approximately one week. (Docket Entry No. 32, ¶ 57). Visa also “put Heartland on probationary status,” which “subjected Heartland to more-stringent security assessments, monitoring and reporting[.]” ( Id., ¶ 58). Visa and MasterCard fined Heartland Bank and KeyBank, the network members that had retained Heartland. The banks passed those fines to Heartland under their contracts with Heartland and the Visa and MasterCard networks, the network regulations, not tort law, are the appropriate means for the Financial Institution Plaintiffs to seek relief.
Richard A. Epstein & Thomas P. Brown, Cybersecurity in the Payment Card Industry, 75 U. Chi. L. Rev.. 203, 203 (2008) (“Using a payment card (as opposed to some other form of payment) rests on voluntary decisions by consumers and merchants, as well as the banks with which they interact.”).
Many commentators have written about the fairness and effectiveness of these rules. See Robert G. Ballen & Thomas A. Fox, The Role of Private Sector Payment Rules and a Proposed Approach for Evaluating Future Changes to Payments Law, 83 Chi.-Kent L. Rev. 937 (2008); Duncan B. Douglass, An Examination of the Fraud Liability Shift in Consumer Card–Based Payment Systems,Econ. Persp., Mar. 22, 2009, at 43, available at http:// www. chicagofed. org/ digitalassets/ publications/ economic_ perspectives/ 2009/ ep_ 1 qtr 2009_ part 7_ douglass. pdf; Epstein & Brown, supra; Edward J. Janger, Locating the Regulation of Data Privacy and Data Security, 5 Brook. J. Corp. Fin. & Com.. L. 97 (2010); Adam J. Levitin, Private Disordering? Payment Card Fraud Liability Rules, 5 Brook. J. Corp. Fin. & Com.. L. 1 (2010); Mark MacCarthy, Information Security Policy in the U.S. Retail Payments Industry, 2011 Stan. Tech. L. Rev. . 3; see also Levitin, supra, at 4 nn. 9 & 10 (collecting articles). As explained below, what is relevant here is that the Financial Institution Plaintiffs accepted those rules and issued payment cards.
Additionally, the damages the Financial Institution Plaintiffs seek—the costs of covering fraudulent charges and of reissuing cards—are the kinds of damages ordinarily expected to flow from a data breach, damages that can be addressed in the parties' contractual arrangements. These damages are not the type of injuries for which tort law is appropriate. Arcand, 673 F.Supp.2d at 308;Kearney & Trecker Corp. v. Master Engraving Co., 107 N.J. 584, 527 A.2d 429, 437 (1987) (declining to impose a tort duty between businesses for damages that were not “highly unusual or unforeseeable” in the kind of transaction covered by the parties' contract, and quoting Chatlos Sys., Inc. v. Nat'l Cash Register Corp., 635 F.2d 1081, 1087 (3d Cir.1980)); see also Annett Holdings, 801 N.W.2d at 504–05 (holding that tort law should not displace the risks and responsibilities allocated through a system of contracts for payment cards).
The Financial Institution Plaintiffs rely on the First Circuit's discussion in Hannaford Brothers regarding the foreseeability of the costs to replace payment cards following the data breach in that case. (Docket Entry No. 133, at 3–4 (quoting Hannaford Brothers, 659 F.3d at 164)). That such damages are foreseeable, though, further reinforces the conclusion that New Jersey law would not allow their recovery in tort law.
The New Jersey Supreme Court's recognition that an “allocation of risks in accordance with [a voluntary] agreement better serves the public interest than an allocation achieved as a matter of policy without reference to that agreement” also weighs against creating a tort duty between payment processors and issuer banks to protect payment-card information from unauthorized access. Spring Motors, 489 A.2d at 671. This result also is consistent with the approach of the federal government and most states, which generally have avoided regulating risk allocations in the payment-card industry except to cap consumers' liability. Federal legislation and regulations address consumer-protection concerns, not “further allocation of fraud liability after shifting responsibility from the cardholder to the card insurer.” Douglass, supra, at 45; see also Ballen & Fox, supra, at 939 (noting that federal regulations “do not generally address the interbank payment systems and the liabilities that flow into the interbank system”). The states' approaches are similar. Like most states, New Jersey regulates payment-card privacy. In particular, New Jersey regulates how merchants handle payment-card information and requires businesses holding personal information to notify the public when a data breach occurs. N.J. Stat. §§ 56:8–163; 56:11–17, –21, –24, –25, –42; see also Abraham Shaw, Data Breach: From Notification to Prevention Using PCI DSS, 43 Colum. J.L. & Soc. Probs. 517, 524 n. 36 (listing states with notification laws) (2010). Only Minnesota has statutorily shifted the risk of loss arising from a data breach between the businesses involved in the Visa and MasterCard networks. See Mark MacCarthy, What Payment Intermediaries Are Doing about Online Liability and Why It Matters, 25 Berkeley Tech. L.J. 1037, 1044 n. 25 (2010) (discussing Minn.Stat. § 325E.64, which “holds merchants liable for the costs associated with a breach when they failed to take specific precautions that are part of an industry data security standard”). The fact that New Jersey regulates data-security measures, but does not address risk allocation, weighs against imposing a common-law duty between these entities. See Hojnowski v. Vans Skate Park, 187 N.J. 323, 901 A.2d 381, 389 (2006) (concluding that a New Jersey statute conferring immunity from suit upon certain volunteers but not businesses weighed against recognizing a minor's waiver of liability against a business); Hannaford Bros., 613 F.Supp.2d at 125 (observing that a Maine law requiring notification of a data breach “give[s the court] reason to be wary of creating any new state standards where the Maine Law Court has not already clearly provided a remedy”).
Relying on Dynalectric Company v. Westinghouse Electric Corporation, 803 F.Supp. 985 (D.N.J.1992), and Consult Urban, 2009 WL 1969083, the Financial Institution Plaintiffs argue that the economic-loss doctrine does not apply because the “Visa and MasterCard regulations do not and cannot provide the alternative means of redress requisite to the application of the economic loss doctrine under New Jersey law.” (Docket Entry No. 124, at 8 (emphasis omitted)). In Dynalectric, the plaintiff pursued tort claims against the defendant in federal court while simultaneously pursuing identical breach of contract claims against the defendant in arbitration. Applying New Jersey law, the district court concluded that “when a party has suffered economic loss because of the negligent actions of another, and the party has another means of redress against the alleged tortfeasor, that party may not assert the identical claims for identical damages under tort theories.” 803 F.Supp. at 991. The court refused to hear the tort claim because of the ongoing arbitration. Id. at 991, 993. The court did not address whether a tort duty would exist absent the other avenue of redress against the plaintiff. In Consult Urban, a contractor asserted a negligence claim against a company that a subcontractor had retained to inspect modular housing units for compliance with New Jersey law. 2009 WL 1969083, at *1. The court rejected the company's argument that it owed no duty, noting that the contractor “had no opportunity to negotiate the terms of the agreement or the amount of risk it would accept.” Id. at *4. Neither Dynalectric nor Consult Urban Renewal involved a comprehensive risk-allocation arrangement like the contracts and network regulations in this case. To the extent that the Visa and MasterCard regulations do not allow the Financial Institution Plaintiffs to recover damages directly from Heartland, New Jersey law disfavors a sophisticated business entity's efforts to use tort law “to obtain a better bargain than it made.” Spring Motors, 489 A.2d at 671.
The Financial Institution Plaintiffs' reliance on the First Circuit's recent decision in Hannaford Brothers, 659 F.3d 151, is similarly unavailing. ( See Docket Entry No. 133, at 3–4). In Hannaford Brothers, the First Circuit allowed the plaintiffs, individual consumers, to seek mitigation damages—the costs to procure identity-theft insurance and of replacing payment cards—under theories of negligence and contract law. See id. at 164–67. In reaching its holding, however, the First Circuit applied Maine law. This case involves New Jersey law. For the reasons previously discussed, New Jersey law requires the Financial Institution Plaintiffs, which are sophisticated business entities, to seek relief through the Visa and MasterCard regulations, not tort law.
The negligence claim is dismissed with prejudice and without leave to amend because amendment would be futile.
C. The Misrepresentation Claims
The Financial Institution Plaintiffs allege fraud and negligent misrepresentation under New Jersey law. According to the complaint, numerous statements by Heartland—in S.E.C. filings; in analyst calls; on Heartland's logo; and on Heartland's web site, before and after the data breach—suggested that Heartland's security measures were better than they actually were. The complaint also faults Heartland for failing to disclose information about its security flaws. It additionally asserts that Heartland, by participating in the Visa and MasterCard networks, effectively representedthat it would follow the network security regulations. Heartland argues that, even assuming New Jersey law applies, the allegations are insufficient to state a claim. Heartland contends that the complaint does not allege the material falsity of the statements; that the Financial Institution Plaintiffs were neither intended recipients (as required for fraud) nor reasonably foreseeable recipients (as required for negligent misrepresentation) of those statements; that Heartland had no duty to disclose; that participation in the Visa and MasterCard networks is not an actionable misrepresentation; and that causation is insufficiently alleged. (Docket Entry No. 40, at 18–28).
Under New Jersey law, common-law fraud has five elements: “(1) a material misrepresentation of a presently existing or past fact; (2) knowledge or belief by the defendant of its falsity; (3) an intention that the other person rely on it; (4) reasonable reliance thereon by the other person; and (5) resulting damages.” Banco Popular N. Am. v. Gandi, 184 N.J. 161, 876 A.2d 253, 260 (2005) (quoting Gennari v. Weichert Co. Realtors, 148 N.J. 582, 691 A.2d 350, 367 (1997)). Negligent misrepresentation differs only in that it requires neither intent to deceive nor knowledge that the statement is false. See Kaufman v. i-Stat Corp., 165 N.J. 94, 754 A.2d 1188, 1195–96 (2000).
Federal Rule of Civil Procedure 9(b) applies to fraud allegations. Under the rule, “a party must state with particularity the circumstances constituting fraud or mistake. Malice, intent, knowledge, and other conditions of a person's mind may be alleged generally.” Fed. R. Civ. P. 9(b). “Put simply, Rule 9(b) requires ‘the who, what, when, where, and how’ to be laid out.” Shandong Yinguang Chem. Indus. Joint Stock Co. v. Potter, 607 F.3d 1029, 1032 (5th Cir.2010) (internal quotation marks omitted). The plaintiff “must specify the statements contended to be fraudulent, identify the speaker, state when and where the statements were made, and explain why the statements were fraudulent.” Southland Secs. Corp. v. INSpire Ins. Solutions, Inc., 365 F.3d 353, 362 (5th Cir.2004) (internal quotation marks omitted). At the same time, “Rule 9(b)'s ultimate meaning is context-specific, and thus there is no single construction of Rule 9(b) that applies in all contexts.” United States ex rel. Grubbs v. Kanneganti, 565 F.3d 180, 188 (5th Cir.2009) (internal quotation marks omitted).
The parties dispute whether the complaint's negligent misrepresentation allegations must comply with Rule 9(b). It is unnecessary to resolve this dispute, for the allegations of negligent misrepresentation fail to meet Rule 8's basic pleading standard.
Heartland asserts that many of the alleged misrepresentations are not the kinds of statements that give rise to liability under either a fraud or negligence theory. New Jersey law distinguishes between factual misrepresentations and “puffery.” It is reasonable to rely on the first but not the second. E.g., Lieberson v. Johnson & Johnson Consumer Cos., –––F.Supp.2d ––––, ––––, 2011 WL 4414214, at *7 (D.N.J.2011). “Advertising that amounts to ‘mere’ puffery is not actionable because no reasonable consumer relies on puffery. The distinguishing characteristics of puffery are vague, highly subjective claims as opposed to specific, detailed factual assertions.” Id. (quoting In re Toshiba Am. HD DVD Mktg. & Sales Practices Litig., Civ. No. 08–939(DRD), MDL No.1956, 2009 WL 2940081, at *10 (D.N.J. Sep. 11, 2009)). For example, the New Jersey Supreme Court held that Allstate Insurance's slogan, “You're in good hands with Allstate,”was not an actionable misrepresentation. “However persuasive, [the slogan] is nothing more than puffery.” Rodio v. Smith, 123 N.J. 345, 587 A.2d 621, 623 (1991). By contrast, specific factual misrepresentations are actionable. In Gennari v. Weichert Company Realtors, for example, the New Jersey Supreme Court allowed homeowners' suits against a realtor who made “affirmative misrepresentations about the builder's experience and qualifications as well as the quality of his homes,” 691 A.2d at 366, such as that the builder “had built hundreds of homes,” id. at 357. Similarly, in Lieberson v. Johnson & Johnson Consumer Companies, a federal district court found actionable a defendant's representation of its products as “ ‘clinically proven’ to help babies sleep better” because stating that a product is “clinically proven” to achieve a result is “ ‘both specific and measurable.’ ” ––– F.Supp.2d at ––––, 2011 WL 4414214, at *7 (quoting Castrol Inc. v. Pennzoil Co., 987 F.2d 939, 946 (3d Cir.1993)).
Certain statements alleged in the master complaint are not actionable misrepresentations, as a matter of law. To the extent that the Financial Institution Plaintiffs argue that Heartland's statements and conduct amounted to a guarantee of absolute data security, reliance on that statement would be unreasonable as a matter of law. Cf. Hannaford Bros., 613 F.Supp.2d at 119 (dismissing under Rule 12(b)(6) a claim for breach of implied contract to keep customer data completely safe because “in today's known world of sophisticated hackers, data theft, software glitches, and computer viruses, a jury could not reasonably find an implied merchant commitment against every intrusion under any circumstances whatsoever” (emphasis in original)). Heartland's slogans—“The Highest Standards” and “The Most Trusted Transactions”—are puffery on which the Financial Institution Plaintiffs could not reasonably rely. Similarly, the following statements relied on by the Financial Institution Plaintiffs are not actionable representations: that Heartland used “layers of state-of-the-art security, technology and techniques to safeguard sensitive credit and debit card account information”; that it used the “state-of-the-art [Heartland] Exchange”; and that its “success is the result of the combination of a superior long-term customer relationship sales model and the premier technology processing platform in the industry today.” (Docket Entry No. 32, ¶¶ 47, 48). See, e.g., Toshiba Am. HD DVD, 2009 WL 2940081, at *10 (“best of high-definition television and DVD” is not an actionable misrepresentation); Bubbles N' Bows, LLC v. Fey Pub'g Co., No. 06–5391(FLW), 2007 WL 2406980, at *9 (D.N.J. Aug. 20, 2007) (“high importance is placed on personal relationships”; “the success of this business always has and always will rely on the satisfaction of our clients”; “if the customer isn't smiling, fix it” are not actionable); N.J. Citizen Action v. Schering–Plough Corp., 367 N.J.Super. 8, 842 A.2d 174, 177 (N.J.Super.Ct.App.Div.2003) (“you ... can lead a normal nearly symptom-free life again” is not actionable (ellipsis in original)).
See also, e.g., In re Aetna, Inc. Secs. Litig., 617 F.3d 272, 284 (3d Cir.2010) (“This is solid and balanced growth that is representative of our dedication to disciplined pricing[.]”); Alpine Bank v. Hubbell, 555 F.3d 1097, 1106–07 (10th Cir.2009) (“You concentrate on your dream [of buying or building a new home]. We'll take care of everything else.”); In re Ford Motor Co. Secs. Litig., 381 F.3d 563, 570–71 (6th Cir.2004) (e.g., “at Ford quality comes first”; “Ford has its best quality ever”; “Ford is a worldwide leader in automotive safety”; Ford has made “quality a top priority”); Corley v. Rosewood Care Ctr., Inc. of Peoria, 388 F.3d 990, 1008–09 (7th Cir.2004) (“high quality” services); Williams v. Aztar Ind. Gaming Corp., 351 F.3d 294, 299 & n. 5 (7th Cir.2003) (“Players Win!” and “the winning is big!”); In re Advanta Corp. Secs. Litig., 180 F.3d 525, 537–38 (3d Cir.1999) (“Our emphasis on gold cards—and targeting of better quality customers—helps us maintain an enviable credit quality profile.”); Shema Kolainu–Hear Our Voices v. Providersoft, LLC, 832 F.Supp.2d 194, 209, 2010 WL 2075921, at *12 (E.D.N.Y.2010) (“state of the art”; “great”; “foolproof”); In re Boston Sci. Corp. Secs. Litig., 490 F.Supp.2d 142, 162 (D.Mass.2007) ( “state-of-the-art quality systems” and “cutting edge”), rev'd on other grounds sub nom. Miss. Pub. Emps.' Ret. Sys. v. Boston Sci. Corp., 523 F.3d 75 (1st Cir.2008).
The master complaint also lists one alleged misrepresentation by Heartland after it publicly disclosed the data breach. According to the complaint:
Even after the Data Breach occurred, [Heartland] continued to provide ... assurances that it was adequately protecting the sensitive financial information with which it was entrusted. For example, the website that Heartland created in connection with its disclosure of the Data Breach claims that “Heartland is deeply committed to maintaining the security of cardholder data, and we will continue doing everything reasonably possible to achieve this objective.”
(Docket Entry No. 32, ¶ 50). Statements after the data breach was announced cannot form the basis of a misrepresentation claim because they could not have been material to the banks' and merchants' decisions to contract with Heartland. See, e.g., Prezant v. Jegou, L–819–07, 2010 WL 2556882, at *5 (N.J.Super.Ct.App.Div. June 23, 2010) (per curiam) (holding that a list of inflated antique-furniture values “could not have been material to the [ ] decision to purchase because the list was prepared after the transactions were complete”); Cole v. Laughrey Funeral Home, 376 N.J.Super. 135, 869 A.2d 457, 462–63 (N.J.Super.Ct.App.Div.2005) (alleged misrepresentations were not material because they “were all acts done after the contract for funeral services was entered into”).
The master complaint also alleges representations about Heartland's information-sharing practices. The statements include that “we have limited our use of consumer information solely to providing services to other businesses and financial institutions,” and that “[w]e limit sharing of non-public personal information to that necessary to complete the transactions on behalf of the consumer and the merchant and to that permitted by federal and state laws.” (Docket Entry No. 32, ¶ 45). These are not statements about Heartland's data-security practices. Instead, these statements are promises that Heartland will not intentionally share consumers' personal information with others. The Financial Institution Plaintiffs have not alleged that Heartland intentionally shared information beyond the limits it stated.
On the other hand, some alleged statements are factual representations that are sufficiently definite to support a claim for negligent misrepresentation. According to the master complaint, Heartland stated that “[w]e maintain current updates of network and operating system security releases and virus definitions, and have engaged a third party to regularly test our systems for vulnerability to unauthorized access.” Heartland also stated that “we encrypt the cardholder numbers that are stored in our databases using triple-DES protocols, which represent the highest commercially available standard for encryption.” (Id., ¶ 45). These statements are factually concrete and verifiable. Similarly, Heartland's statement that its “Exchange has passed an independent verification process validating compliance with VISA requirements for data security” is susceptible to proof. (Id., ¶ 46). Either Heartland's Exchange passed the independent verification process, or it did not.
Heartland argues that even assuming that some of the alleged misrepresentations are actionable, the master complaint insufficiently alleges reliance. The complaint's allegations of reliance are wholly conclusory. (Docket Entry No. 32, ¶¶ 125 (alleging that the Financial Institution Plaintiffs “justifiably relied”), 129 (alleging that they “reasonably relied”)). It is unclear, for example, if the issuer banks' reliance was through their joining, remaining in, or withdrawing from the Visa and MasterCard networks, or what relationship the statements have to any such actions. See, e.g., Cumis Ins. Soc'y, 918 N.E.2d at 49 (“Because the plaintiff credit unions have presented no evidence that any representations by the defendants induced them to become or remain issuers in the Visa and MasterCard system, or that they have withdrawn from or altered their participation in the system after becoming aware of the defendants' breach, the defendants' motions for summary judgment on the fraud claims were properly allowed.”). Because the complaint does not give sufficient notice of the Financial Institution Plaintiffs' misrepresentation claims either to determine their entitlement to relief or to allow Heartland to prepare its defense, the claims must be dismissed. SeeFed. R. Civ. P. 8(a)(2).
Heartland also asserts that the misrepresentation claims should be dismissed because a misrepresentation made during the course of a contractual relationship generally is actionable only as a breach of contract. See, e.g., Capitalplus Equity, LLC v. Prismatic Dev. Corp., Civ. A. No. 07–321(WHW), 2008 WL 2783339, at *6 (D.N.J. July 16, 2008) (citing Gleason v. Norwest Mortg., Inc., 243 F.3d 130, 144 (3d Cir.2001)). The Financial Institution Plaintiffs respond that this rule does not apply without a direct contractual relationship. This argument is best addressed once the Financial Institution Plaintiffs clarify their misrepresentation theory.
The Financial Institution Plaintiffs assert that their complaint adequately pleads reliance, citing to In re Ford Motor Co. E–350 Van Products Liability Litigation (No. II), Civ. No. 03–4558(HAA), MDL No. 1687, 2008 WL 4126264 (D.N.J. Sep. 2, 2008). There, the district court found that the plaintiffs had adequately stated a claim where they asserted that the “Defendant's conduct constituted acts of ‘deception, fraud, false pretenses, false promises, misrepresentation and/or a knowing concealment, suppression, or omission of material facts with the intent that Plaintiffs ... would rely upon such concealment, suppression, or omission in connection with the sale, marketing, advertisement and subsequently performance of the E350 van.’ ” Id. at *18 (alteration and emphasis in original; quoting complaint). In Ford, however, the form of reliance did not affect the claim's viability. The facts of Ford made the nature of the reliance clearer than in this case. See id.
It is unnecessary to address the remaining arguments at this time. Dismissal is without prejudice and with leave to amend.
2. Implied Misrepresentation
The Financial Institution Plaintiffs allege that “by accepting and agreeing to process the credit cards and/or debit cards issued by [the Financial Institution Plaintiffs], Heartland impliedly agreed that it would adequately protect the sensitive information contained in these cards, as well as comply with applicable standards to safeguard data.” (Docket Entry No. 32, ¶ 52). The Financial Institution Plaintiffs allege that “Heartland knew that by virtue of their membership in the Visa and MasterCard Networks, [they] relied on Heartland to employ appropriate data security measures.” ( Id., ¶ 123). The Massachusetts Supreme Judicial Court rejected the same theory of negligent implied misrepresentation in litigation arising out of a similar data breach. In Cumis Insurance Society v. BJ's Wholesale Club, an insurance company (acting on behalf of 69 issuer banks) and numerous issuer banks sued an acquirer bank and a retailer that allegedly retained payment-card information in a manner that violated the Visa and MasterCard regulations. Hackers obtained information for approximately 9.2 million credit cards from the retailer's database. The plaintiffs alleged both fraud and negligent misrepresentation, “based only on the requirements in the Visa and MasterCard operating regulations and the defendants' contracts with each other that require the defendants to abide by these regulations.” 918 N.E.2d at 48. The plaintiffs conceded that they had not seen the contracts between the defendants before the lawsuit. Id. The court dismissed the claims. It first explained that the plaintiffs had presented “no evidence or contention ... that the defendants never intended to perform their contractual obligations to comply with the operating regulations at the time they entered into the contracts.” Id. at 49. The court next rejected any suggestion that the plaintiffs could reasonably rely on an implied representation of compliance with the Visa and MasterCard regulations during each payment-card transaction. These regulations “explicitly provide for fines for breach of regulations such as storage of magnetic stripe data,” which in turn shows “that the system is designed with the expectation that breaches will occur.” Id. at 50. In fact, issuer banks, in insuring themselves against fraudulent charges through companies like Cumis, anticipated that breaches of the regulations might occur. Id. Additionally, the plaintiffs admitted that before the breach leading to their lawsuit, they had “received numerous and repeated alerts from Visa and MasterCard concerning specific instances of improper storage of magnetic stripe data,” a violation of the regulations. Id. The plaintiffs knew that data breaches could occur, notwithstanding the defendants' contractual obligation to follow the Visa and MasterCard regulations. Id.
In reaching this conclusion, the court disapprovingly cited the plaintiff's attempt to “repackage” an unavailing breach of contract claim “under tort law.” Cumis Ins. Soc'y, 918 N.E.2d at 49.
Before the Massachusetts Supreme Judicial Court reached its decision, a Massachusetts federal district court found that the same theory stated a claim. In re TJX Cos. Retail Sec. Breach Litig., 524 F.Supp.2d 83, 92 (D.Mass.2007). The court relied in part on the Massachusetts Superior Court's initial denial of the motion to dismiss. Id. By the time the First Circuit considered the appeal, the Massachusetts Superior Court had granted summary judgment. The First Circuit stated that, had that decision been available to the district court, “the district court might well have granted the motion [to dismiss.]” TJX Cos., 564 F.3d at 495. The First Circuit thereafter explained, “[S]ummary judgment is the more common method of disposing of claims that are facially valid but prove (usually after discovery) to be unsupported by evidence. The present claim survives, but on life support.” Id.
The Financial Institution Plaintiffs argue that the TJX litigation weighs against dismissal. This court, however, agrees with the Massachusetts Supreme Judicial Court's resolution of that case's implied-misrepresentation claim. The Financial Institution Plaintiffs' implied misrepresentation claim therefore is not a claim that could be supported by evidence uncovered during discovery.
The same reasons and reasoning require dismissal in this case. Under New Jersey law, it is unreasonable to rely on a representation when, as here, a financial arrangement exists to provide compensation if circumstances later prove that representation false. See Russell–Stanley Corp. v. Plant Indus., Inc., 250 N.J.Super. 478, 595 A.2d 534, 549 (N.J.Super.Ct. Ch. Div.1991) (describing as “completely untenable”the plaintiff's claim that it relied on a land seller's statements about environmental damage when the sale contract created an escrow to fund environmental liability). Additionally, the Financial Institution Plaintiffs do not allege that Heartland never intended to follow the Visa and MasterCard regulations. They merely argue that it is premature to dismiss under Rule 12(b)(6). The master complaint, however, alleges no facts suggesting a plausible claim. Dismissal is appropriate, with prejudice, because amendment would be futile.
For their third theory of misrepresentation, the Financial Institution Plaintiffs allege that Heartland failed to disclose weaknesses in its data security. “The deliberate suppression of a material fact is equivalent to a material misrepresentation if the party has a duty to disclose the fact.” Maertin v. Armstrong World Indus. Inc., 241 F.Supp.2d 434, 461 (D.N.J.2002) (citing N.J. Econ. Dev. Auth. v. Pavonia Rest., Inc., 319 N.J.Super. 435, 725 A.2d 1133, 1139 (N.J.Super.Ct.App.Div.1998)). “The concealed facts must be material facts[.]” Maertin, 241 F.Supp.2d at 461. A concealed, or undisclosed, fact is material if the plaintiff would not have entered the contract had he known that fact. See id. A duty may arise whenever “good faith and common decency require it.” Id. (quoting City Check Cashing, Inc. v. Mfrs. Hanover Trust, 166 N.J. 49, 764 A.2d 411, 417 (2001)). “There are three general types of transactions where the duty to disclose arises: (1) where a fiduciary relationship exists between the parties, (2) where the transaction itself calls for perfect good faith and full disclosure, or (3) where one party expressly reposes a trust and confidence in the other.” Maertin, 241 F.Supp.2d at 461 (internal quotation marks omitted). In addition, a party has a duty to disclose whenever necessary to correct a material misrepresentation. See id. at 462 (citing Strawn v. Canuso, 271 N.J.Super. 88, 638 A.2d 141, 149 (N.J.Super.Ct.App.Div.1994)). Whether a party has a duty to disclose is a question of law. Maertin, 241 F.Supp.2d at 461 (citing United Jersey Bank v. Kensey, 306 N.J.Super. 540, 704 A.2d 38, 43 (N.J.Super.Ct.App.Div.1997)).
To the extent the Financial Institution Plaintiffs allege that Heartland had a duty to disclose corrective information unrelated to any material misrepresentation, the complaint alleges insufficient facts to find such a duty. There is no fiduciary relationship alleged. Businesses rarely owe each other fiduciary duties in arms-length business transactions. See City of Millville v. Rock, 683 F.Supp.2d 319, 330 (D.N.J.2010); Maksin Mgmt. Corp. v. Roy A. Rapp, Inc., No. L–4633–03, 2008 WL 3165465, at *8 (N.J.Super.Ct.App.Div. Aug. 8, 2008) (per curiam); Pavonia Rest., 725 A.2d at 1139;Berman v. Gurwicz, 189 N.J.Super. 89, 458 A.2d 1311, 1313–14 (N.J.Super.Ct. Ch. Div.1981). The Financial Institution Plaintiffs have not pleaded facts or presented argument demonstrating why their indirect relationship with Heartland, as one of many payment processors, presents an exception to the general rule.
Although the allegations supporting the duty to disclose are thin, the Financial Institution Plaintiffs' briefing clarifies that the basis of the alleged duty is that “Heartland held itself out to the [Financial Institution Plaintiffs] and the public at large as having adequate system security measures in place.” (Docket Entry No. 50, at 33). “Even where no duty to speak exists, one who elects to speak must tell the truth when it is apparent that another may reasonably rely on the statements made.” Voilas v. Gen. Motors Corp., 170 F.3d 367, 378 (3d Cir.1999) (quoting Strawn, 638 A.2d at 149). Some of the statements identified in the complaint are verifiable factual statements that can give rise to a negligent misrepresentation claim. The Financial Institution Plaintiffs argue that if those statements were material misrepresentations, then Heartland had a duty to correct them. Because the claims based on those alleged misrepresentations have been dismissed, the failure to disclose claim based on the same alleged misrepresentations is also dismissed. The Financial Institution Plaintiffs may amend their negligent misrepresentation claim based on this nondisclosure theory, but only as to the failure to correct verifiable factual statements that are actionable misrepresentations and on which the Financial Institution Plaintiffs relied.
D. The Consumer–Protection Claims
The Financial Institution Plaintiffs allege violations of 23 states' consumer-protection laws. Heartland argues that the Financial Institution Plaintiffs lack standing to bring claims under the laws of states where neither they nor Heartland are located. (Docket Entry No. 56, at 15 n. 25). The Financial Institution Plaintiffs do not dispute this argument. The state-law claims at issue are those brought under the laws of California, Colorado, Florida, Illinois, New Jersey, New York, Texas, and Washington.
The Financial Institution Plaintiffs alleged violations under Arkansas, California, Colorado, Connecticut, Delaware, the District of Columbia, Florida, Hawaii, Idaho, Illinois, Massachusetts, Minnesota, Missouri, Nebraska, Nevada, New Jersey, New Mexico, New York, North Dakota, Oklahoma, Rhode Island, Vermont, and Washington law. They withdrew their claims based on District of Columbia, Hawaii, Missouri, Oklahoma, and Rhode Island law. (Docket Entry No. 50, at 42 n. 31).
Heartland argues that this court should consider only the claims under New Jersey law, and that the claims under the remaining states' laws should be dismissed. Heartland contends that multiple states' laws cannot apply to the same set of misrepresentations. It further asserts that the Financial Institution Plaintiffs should not be allowed to plead the application of different states' law so that they can strategically choose which law to apply after seeing which claims survive a motion to dismiss. These arguments are unpersuasive. Courts have applied multiple states' laws in consumer protection cases when choice-of-law rules require doing so. See In re Pharm. Indus. Average Wholesale Price Litig., 252 F.R.D. 83, 93–96 (D.Mass.2008) (considering the appropriate approach to certifying a consumer class action involving multiple states' laws). Even if only one state's law could apply, Rule 8 allows a plaintiff to “set out 2 or more statements of a claim ... alternatively[.]” Fed. R. Civ. P. 8(d)(2). The rule applies equally to contentions regarding the applicable law. See, e.g., Zabors v. Chatsworth Data Corp., 735 F.Supp.2d 1010, 1013–14 (N.D.Ill.2010); see also Levin v. Dalva Bros., Inc., 459 F.3d 68, 73 (1st Cir.2006) (explaining that there is no “definitive point by which a litigant must raise a choice-of-law argument”).
The cases on which Heartland relies to argue that only New Jersey law applies are distinguishable. In a separate Hannaford Brothers opinion, the district court had certified a question to the Maine Law Court based on the defendant's concession that Maine law applied. Judicial estoppel prevented the defendant from later arguing that a different state's law applied. MDL No. 2:08–MD–1954, 2009 WL 3824393, at *3 (D.Me. Nov. 16, 2009). Similarly, in Lott v. Levitt, 556 F.3d 564 (7th Cir.2009), the Seventh Circuit held that the plaintiff had waived his argument that Virginia law applied after having “agreed with Defendants that Illinois law governs this dispute, made no separate choice-of-law analysis, and cited no Virginia cases.” Id. at 567 (internal quotation marks and alteration omitted). The cases do not stand for the proposition that the Financial Institution Plaintiffs, at this stage of the litigation, are limited to pleading the application of only one state's law.
Neither side has briefed the choice-of-law issue. This court will not conduct such an analysis before the parties have done so. The arguments about each state's law instead are analyzed below.
1. The New Jersey Consumer Fraud Act
The parties focus primarily on the New Jersey Consumer Fraud Act (“NJCFA”), N.J. Stat. § 56:8–1 et seq. The NJCFA prohibits
[t]he act, use or employment by any person of any unconscionable commercial practice, deception, fraud, false pretense, false promise, misrepresentation, or the knowing, concealment, suppression, or omission of any material fact with intent that others rely upon such concealment, suppression or omission, in connection with the sale or advertisement of any merchandise or real estate, or with the subsequent performance of such person as aforesaid, whether or not any person has in fact been misled, deceived or damaged thereby, is declared to be an unlawful practice[.]
Id. § 56:8–2. The NJCFA creates a private right of action for “[a]ny person who suffers any ascertainable loss of moneys or property, real or personal, as a result of the use or employment by another person of any method, act, or practice” prohibited under the NJCFA. Id. § 56:8–19. Under the NJCFA, “merchandise” includes “any objects, wares, goods, commodities, services or anything offered, directly or indirectly to the public for sale[.]” Id. § 56:8–1(c). The NJCFA includes business entities in the definition of “person.” Id. § 56:8–1(d); see also Finderne Mgmt. Co. v. Barrett, 402 N.J.Super. 546, 955 A.2d 940, 954 (N.J.Super.Ct.App.Div.2008) (noting that “[u]nlawful practices ... can victimize business entities as well as individual consumers” (internal quotation marks omitted)). The three elements of an NJCFA claim are: “1) unlawful conduct by defendant; 2) an ascertainable loss by plaintiff; and 3) a causal relationship between the unlawful conduct and the ascertainable loss.” Bosland v. Warnock Dodge, Inc., 197 N.J. 543, 964 A.2d 741, 749 (2009); accord Lee v. Carter–Reed Co., 203 N.J. 496, 4 A.3d 561, 576 (2010).
“Because it is remedial legislation, the [NJ]CFA is construed liberally to accomplish its broad purpose of safeguarding the public.” Lee, 4 A.3d at 577 (internal quotation marks and alterations omitted). One early state case observed that “the entire thrust of the [NJCFA] is pointed to products and services sold to consumers in the popular sense.... The legislative language throughout the statute and the evils sought to be eliminated point to an intent to protect the consumer in the context of the ordinary meaning of that term in the market place.” Neveroski v. Blair, 141 N.J.Super. 365, 358 A.2d 473, 480 (N.J.Super.Ct.App.Div.1976) (per curiam), superseded by statute on other grounds as recognized in Lee v. First Union Nat. Bank, 199 N.J. 251, 971 A.2d 1054, 1059–60 (2009);accord Shogen v. Global Aggressive Growth Fund, Ltd., Civ. A. No. 04–5695(SRC), 2007 WL 1237829, at *7–8 (D.N.J. Apr. 26, 2007) (quoting Neveroski and citing J & R Ice Cream Corp. v. Cal. Smoothie Licensing Corp., 31 F.3d 1259, 1272 (3d Cir.1994)). The NJCFA “does not cover every sale in the marketplace.” Papergraphics Int'l Inc. v. Correa, 389 N.J.Super. 8, 910 A.2d 625, 628 (N.J.Super.Ct.App.Div.2006) (citing cases). The New Jersey Supreme Court has emphasized that “the strongest case for relief ... is presented by the poor, the naive and the uneducated consumers[.]” Kugler v. Romain, 58 N.J. 522, 279 A.2d 640, 649 (1971).
State and federal courts have recognized that a business may sue under the NJCFA. J & R Ice Cream, 31 F.3d at 1273–74 (collecting cases). An early case analyzing whether a business could invoke the NJCFA was Hundred East Credit Corporation v. Eric Schuster Corporation, 212 N.J.Super. 350, 515 A.2d 246 (N.J.Super.Ct.App.Div.1986). The plaintiff business purchased computer peripherals to upgrade its computer. When that sale occurred, the defendant, the peripherals manufacturer, knew that the computers for which the peripherals were designed would be discontinued that year. Id. at 247. The manufacturer argued that the NJCFA did not apply to merchandise sales for use in business operations. The court first noted that the statutory language expressly encompassed business entities and defined “ ‘merchandise’ without regard to its intended use or the nature of the buyer.” Id. at 248. The court acknowledged that the NJCFA was concerned primarily with consumers, but pointed out that “a business entity can be, and frequently is, a consumer in the ordinary meaning of that term. Since a business entity is also a ‘person’ entitled to recover under the Act, there is no sound reason to deny it the protection of the Act.” Id. (internal citations omitted). The court acknowledged that the purpose of the NJCFA limited the Act's reach, but explained that in many cases a business needs protection from unfair practices just as much as an individual consumer:
Business entities, like individual consumers, cover a wide range. Some are poor, some wealthy; some are naive, some sophisticated; some are required to submit, some are able to dominate. Even the most world-wise business entity can be inexperienced and uninformed in a given consumer transaction. Unlawful practices thus can victimize business entities as well as individual consumers. It may well be, of course, that certain practices unlawful in a sale of personal goods to an individual consumer would not be held unlawful in a transaction between particular business entities; the Act largely permits the meaning of “unlawful practice” to be determined on a case-by-case basis.
Id. at 249. Subsequent state and federal courts have agreed that a case-by-case approach to NJCFA claims asserted by businesses is appropriate. Papergraphics, 910 A.2d at 628–29 (collecting cases).
Courts generally have limited NJCFA claims by businesses to “consumer oriented situations.” J & R Ice Cream, 31 F.3d at 1273 (citing cases); BOC Grp., Inc. v. Lummus Crest, Inc., 251 N.J.Super. 271, 597 A.2d 1109, 1112 (N.J.Super.Ct. Law Div.1990) (same). Under this approach, “it is the character of the transaction rather than the identity of the purchaser which determines if the [NJCFA] is applicable.” J & R Ice Cream, 31 F.3d at 1273;accord In re Schering–Plough Corp. Intron/Temodar Consumer Class Action, No. 2:06–cv–5774 (SRC), 2009 WL 2043604, at *31 (D.N.J. July 10, 2009) (quoting J & R Ice Cream); Marascio v. Campanella, 298 N.J.Super. 491, 689 A.2d 852, 857–58 (N.J.Super.Ct.App.Div.1997) (explaining that “the focus of the Act is on the nature of the goods and services being sold, and not the nature of the buyer or the buyer's intended use of the goods or services”).
Only a “bona fide consumer” may bring a claim under the NJCFA. Smith v. Trusted Universal Standards in Elec. Transactions, Inc., Civ. No. 09–4567 (RBK/KMW), 2010 WL 1799456, at *4 (D.N.J. May 4, 2010) (“The NJCFA only creates a cause of action for ‘bona fide consumers of a product.’ ” (quoting Grauer v. Norman Chevrolet Geo, 321 N.J.Super. 547, 729 A.2d 522, 524 (N.J.Super. Ct. Law Div.1998))); DIRECTV, Inc. v. Marino, No. Civ. 03–5606(GEB), 2005 WL 1367232, at *3 (D.N.J. June 8, 2005) (citing Grauer ). “The absence of a consumer transaction is fatal to a[n] NJCFA claim.” Smith, 2010 WL 1799456, at *4 (citing DIRECTV ). Business “competitors, direct or otherwise, suffering non-consumer like injuries [lack] standing to sue under the NJCFA.” Church & Dwight Co. v. SPD Swiss Precision Diagnostics, GmBH, Civ. A. No. 10–453, 2010 WL 5239238, at *10 (D.N.J. Dec. 16, 2010). Courts also have held that insurers and assignees lack standing to sue under the NJCFA. Standard Fire Ins. Co. v. MTU Detroit Diesel, Inc., Civ. A. No. 07–3827(GEB), 2009 WL 2568199, at *5 (D.N.J. Aug. 13, 2009) (insurer); Taylor v. Foulke Mgmt. Corp., No. L–1502–08, 2011 WL 10050, at *2 (N.J.Super.Ct.App.Div. Oct. 14, 2010) (per curiam) (assignee) (citing Levy v. Edmund Buick–Pontiac, Ltd., 270 N.J.Super. 563, 637 A.2d 600, 602 (N.J.Super.Ct. Law Div.1993)).
In some cases, courts have recognized that a party who was not a consumer of a company's merchandise nonetheless may recover under the NJCFA. See, e.g., Port Liberte Homeowners Ass'n, Inc. v. Sordoni Constr. Co., 393 N.J.Super. 492, 924 A.2d 592, 597–99 (N.J.Super.Ct.App.Div.2007) (allowing a condominium association to sue a construction company hired by a developer because of “[t]he unique [statutory] relationship between a condominium association and a developer”). The Financial Institution Plaintiffs, however, do not rely on this line of cases.
The Church & Dwight court acknowledged that some courts had stated in dicta and without analysis that a competitor had standing to bring an NJCFA claim. 2010 WL 5239238, at *10 (citing 800–JR Cigar, Inc. v. GoTo.com, Inc., 437 F.Supp.2d 273, 295–96 (D.N.J.2006) and Conte Bros. Automotive, Inc. v. Quaker State–Slick 50, Inc., 992 F.Supp. 709, 716 n. 12 (D.N.J.1998)). The court found those cases unpersuasive, pointing out that they relied on Feiler v. New Jersey Dental Association, 191 N.J.Super. 426, 467 A.2d 276 (N.J.Super.Ct.Ch.Div.1983), “which did not involve NJCFA claims.” Church & Dwight, 2010 WL 5239238, at *10.
Courts uniformly have excluded wholesalers from the NJCFA's protection, because they themselves do not consume merchandise; rather, they pass merchandise along to consumers. See, e.g., Diamond Life Lighting MFG (HK) Ltd. v. Picasso Lighting, Inc., Civ. A. No. 10–161(PGS), 2010 WL 5186168, at *6 (D.N.J. Dec. 14, 2010) (wholesaler of lighting); City Check Cashing, Inc. v. Nat'l State Bank, 244 N.J.Super. 304, 582 A.2d 809, 811 (N.J.Super.Ct.App.Div.1990) (analogizing a check-cashing business's claim against a bank to a wholesaler and denying the claim); Arc Networks, Inc. v. Gold Phone Card Co., 333 N.J.Super. 587, 756 A.2d 636, 638–39 (N.J.Super.Ct. Law Div.2000) (reseller of bulk phone services in the form of phone cards) cf. Viking Yacht Co. v. Composites One LLC, 496 F.Supp.2d 462, 474–75 (D.N.J.2007) (holding that a boat manufacturer that used defective marine gel in its manufacturing process could sue under the NJCFA). Privity is not a requirement, so long as the plaintiff is a consumer of the merchandise. Gonzalez v. Wilshire Credit Corp., 411 N.J.Super. 582, 988 A.2d 567, 574 n. 9 (N.J.Super.Ct.App.Div.2010); Marrone v. Greer & Polman Constr., Inc., 405 N.J.Super. 288, 964 A.2d 330, 335 (N.J.Super.Ct.App.Div.2009), abrogated on other grounds by Dean v. Barrett Homes, Inc., 204 N.J. 286, 8 A.3d 766 (2010); Katz v. Schachter, 251 N.J.Super. 467, 598 A.2d 923, 926 (N.J.Super.Ct.App.Div.1991); Perth Amboy Iron Works, Inc. v. Am. Home Assur. Co., 226 N.J.Super. 200, 543 A.2d 1020, 1026 (N.J.Super.Ct.App.Div.1988), aff'd, 118 N.J. 249, 571 A.2d 294 (1990); Neveroski, 358 A.2d at 479.
Even when a business is a consumer of merchandise, other factors may exclude it from NJCFA protection. The NJCFA applies only to “goods or services generally sold to the public at large.” Cetel v. Kirwan Fin. Grp., Inc., 460 F.3d 494, 514 (3d Cir.2006) (quoting Marascio, 689 A.2d at 857);see also Prof'l Cleaning & Innovative Bldg. Servs., Inc. v. Kennedy Funding Inc., 408 Fed.Appx. 566, 570 (3d Cir.2010) (per curiam) (describing this requirement as the “touchstone for the statute's applicability”). Businesses that have purchased yachts, computer peripherals, cranes, concrete, and commercial-renovation services have brought successful NJCFA claims. But courts have excluded sales of complex business franchises and custom services targeted to businesses. See Prof'l Cleaning, 408 Fed.Appx. at 570–71 (credit services offered by lender of last resort to distressed businesses); Cetel, 460 F.3d at 514–15 (tax shelters sold to businesses); BOC Grp., 597 A.2d at 1113–14 (research and development services). The presence of large transactions or sophisticated business plaintiffs is a factor weighing against the NJCFA's applicability. See Prof'l Cleaning, 408 Fed.Appx. at 571–72;Diamond Life Lighting, 2010 WL 5186168, at *5;Papergraphics, 910 A.2d at 629;BOC Grp., 597 A.2d at 1113–14.
Ford Motor Co. v. Edgewood Props., Inc., Civ. A. Nos. 06–1278, 06–4266, 2007 WL 4526594, at *21 (D.N.J. Dec. 18, 2007) (concrete); Naporano Iron & Metal Co. v. Am. Crane Corp., 79 F.Supp.2d 494, 509 (D.N.J.1999) (crane); Marascio, 689 A.2d at 856–57 (renovation services); Perth Amboy Iron Works, 543 A.2d at 1025 (yacht); Hundred E. Credit Corp., 515 A.2d at 248–49 (computer peripherals).
See also A.H. Meyers & Co. v. CNA Ins. Co., 88 Fed.Appx. 495, 499–500 (3d Cir.2004) (contract dispute between insurance agency and insurance underwriter); J & R Ice Cream, 31 F.3d at 1274 (sale of business franchise excluded from coverage). A panel of the New Jersey Appellate Division disagreed that the sale of a business franchise is per se excluded from the NJCFA's coverage, but agreed with the result in J & R Ice Cream because the case “involved a substantial and complex commercial transaction.” Kavky v. Herbalife Int'l of Am., 359 N.J.Super. 497, 820 A.2d 677, 679–80 (N.J.Super.Ct.App.Div.2003).
The master complaint alleges that the Financial Institution Plaintiffs are “consumers in the marketplace for, inter alia, credit card and/or debit card transaction processing services, and have been injured in this capacity.” (Docket Entry No. 32, ¶ 133). The complaint describes representations and services offered to merchants and members of the Visa and MasterCard networks, including the Financial Institution Plaintiffs. The complaint does not, however, allege that the Financial Institution Plaintiffs purchased any services from Heartland. The Financial Institution Plaintiffs' relationship with Heartland exists only by virtue of their participation in the Visa and MasterCard networks. This relationship is far different from the direct, downstream relationship between a consumer of a good and its manufacturer or seller. Cf., e.g., Diamond Life Lighting, 2010 WL 5186168, at *6. As noted above, the Visa and MasterCard regulations explicitly contemplate the presence of third-party processors, and there is no suggestion that the Financial Institution Plaintiffs had any control over who would perform those tasks. Cf. Messeka Sheet Metal Co. v. Hodder, 368 N.J.Super. 116, 845 A.2d 646, 655 (N.J.Super.Ct.App.Div.2004) (holding that a homeowner could not sue a subcontractor under the NJCFA because the homeowner “left it to the general contractor to make the choices as to who would perform” each task on the project).
Additionally, payment-card processing services are not offered to the general public. Instead, such services are provided by specific entities for members of the Visa and MasterCard networks. Heartland promises in its contracts to comply with the networks' regulations. These regulations significantly protect the Financial Institution Plaintiffs through loss-allocation rules and a cost-recovery process. In turn, issuer banks such as the Financial Institution Plaintiffs are required to maintain fraud-detection programs. These aspects of the Visa and MasterCard networks, along with the Financial Institution Plaintiffs' status as sophisticated financial institutions, set the Financial Institution Plaintiffs apart from the type of consumer protected under the NJCFA. The NJCFA claim is dismissed with prejudice and without leave to amend because amendment would be futile.
In the alternative, the complaint conclusorily alleges that the Financial Institution Plaintiffs are commercial competitors of Heartland. More detailed factual allegations would be unavailing because business competitors lack standing under the NJCFA unless the parties have entered into a consumer-like transaction. See Church & Dwight Co., 2010 WL 5239238, at *10. For the reasons previously discussed, the transactions and relationships at issue here are between sophisticated businesses.
2. The California Unfair Competition Law
The Financial Institution Plaintiffs allege that Heartland violated the California Unfair Competition Law, Cal. Bus. & Prof. Code § 17200 et seq. “A UCL plaintiff with standing is a person who ‘ has suffered injury in fact and  has lost money or property as a result of the unfair competition.’ ” Degelmann v. Advanced Med. Optics, Inc., 659 F.3d 835, 839 (9th Cir.2011) (quoting Cal. Bus. & Prof. Code § 17204). Through the phrase “as a result of,” the second element “requires a showing of a causal connection or reliance on the alleged misrepresentation.” Kwikset Corp. v. Superior Court, 51 Cal.4th 310, 120 Cal.Rptr.3d 741, 246 P.3d 877, 887 (2011) (quoting Hall v. Time, Inc., 158 Cal.App.4th 847, 70 Cal.Rptr.3d 466, 471–72 (2008)). In Kwikset, the California Supreme Court held that the plaintiffs had sufficiently pleaded standing by alleging that the “plaintiffs saw and relied on the [false] labels for their truth in purchasing Kwikset's locksets, and [the] plaintiffs would not have bought the locksets otherwise.” 120 Cal.Rptr.3d 741, 246 P.3d at 889. The Financial Institution Plaintiffs, by contrast, conclusorily assert reliance. As with the New Jersey misrepresentation claim, they do not explain the nature or form of their reliance. The claim is dismissed, without prejudice and with leave to amend.
3. The Colorado Consumer Protection Act
The complaint alleges that Heartland violated the subsection of the Colorado Consumer Protection Act that prohibits, as a deceptive trade practice, “false or misleading statements of fact concerning the price of goods, services, or property or the reasons for, existence of, or amounts of price reductions.” Colo. Rev. Stat. § 6–1–105(1)( l ). As Heartland points out, there are no allegations in the complaint about pricing. The Financial Institution Plaintiffs contend that Heartland selectively quotes from the Colorado Act, given that it contains “approximately 45 different categories of conduct that are considered deceptive trade practices.” (Docket Entry No. 64, at 14). The complaint, however, refers only to subsection (1)( l ). This claim is dismissed, without prejudice and with leave to amend.
4. The Florida Deceptive and Unfair Trade Practices Act
The Financial Institution Plaintiffs claim a violation of the Florida Deceptive and Unfair Trade Practices Act (“FDUTPA”), Fla. Stat. § 501.201 et seq. Heartland argues that this claim must be dismissed because only consumers, as the word is traditionally used, may assert claims under the FDUTPA. The Financial Institution Plaintiffs respond that the Act's definition of “consumer” is broad enough to include them.
The FDUTPA prohibits “[u]nfair methods of competition, unconscionable acts or practices, and unfair or deceptive acts or practices in the conduct of any trade or commerce[.]” Id. § 501.204(1). The Act's purpose is “[t]o protect the consuming public and legitimate business enterprises from those who engage in unfair methods of competition, or unconscionable, deceptive, or unfair acts or practices in the conduct of any trade or commerce.” Id.§ 501.202(2). A practice is unfair if it “offends established public policy” or is “immoral, unethical, oppressive, unscrupulous, or substantially injurious to consumers.” PNR, Inc. v. Beacon Prop. Mgmt., Inc., 842 So.2d 773, 777 (Fla.2003) (internal quotation marks omitted). Courts are to construe the FDUTPA liberally. Fla. Stat. § 501.202.
Before 2001, the FDUTPA allowed “a consumer who has suffered a loss as a result of a violation” of the FDUTPA to bring a cause of action. Am. Honda Motor Co. v. Motorcycle Info. Network, Inc., 390 F.Supp.2d 1170, 1176 (M.D.Fla.2005) (quoting Fla. Stat. § 501.211(2) (2000)) (emphasis in original). The Florida Legislature amended § 501.211(2) to replace “consumer” with “person” in 2001. Id.;see alsoFla. Stat. § 501.211(2) (“a person who has suffered a loss as a result of a violation”). Since that amendment, courts have disagreed as to whether nonconsumers may bring a private action under the FDUTPA. See, e.g., Intercoastal Realty, Inc. v. Tracy, 706 F.Supp.2d 1325, 1334–35 (S.D.Fla.2010). Heartland relies on Kertesz v. Net Transactions, Ltd., 635 F.Supp.2d 1339 (S.D.Fla.2009), in which a Florida federal district court held that the amendment did not broaden the FDUTPA's private right of action. Id. at 1350. The court concluded that the Florida Legislature intended this amendment “to clarify that businesses, just like individuals, could obtain monetary damages in FDUTPA cases,” but that only consumers could bring a private cause of action under the Act. Id. at 1349. Another Florida federal district court reached the opposite conclusion, holding that nonconsumers could sue under the FDUTPA. Kelly v. Palmer, Reifler, & Assocs., P.A., 681 F.Supp.2d 1356, 1373–74 (S.D.Fla.2010). The Kelly court explained:
[I]n 2001, the Legislature made two changes to FDUTPA that are relevant to the issue before us. As noted, the Legislature replaced the word “consumer” with “person.” (The term “person,” the Committee Staff noted, “is understood to include a business.” See Senate Staff Analysis[, CS/SB 208, Mar. 22, 2001,] at 6.) The Legislature also amended the definition of “consumer” in § 501.203(7) to add “business” and “any commercial entity, however denominated.” See Laws of Fla. Ch. 2001–39 § 1 (amending § 501.203(7) as described). So at the same time the Legislature expanded the definition of “consumer,” it replaced the term “consumer” with “person” in the section providing for monetary remedies for a violation of the statute. To us, this evinces an intent to expand the applicability of the remedies provision to more than just consumers. If the purpose had been to assure that businesses could avail themselves of the remedies under § 501.211(2), given “inconsistent court interpretations” in which “remedies available to individual consumers have not always been available to business consumers,” see Senate Staff Analysis at 4, that purpose could have been accomplished by the change to the definition of “consumer” (in § 501.203(7)), such that the term “consumer” did not have to be replaced with “person” in § 501.211(2). Thus a non-consumer (like a competitor, either individually or through a corporate form) could seek relief under the statute so long as the trade or commerce element of the statute was satisfied.
Id. at 1373 n. 9;cf. Hetrick v. Ideal Image Dev. Corp., 372 Fed.Appx. 985, 990 (11th Cir.2010) (per curiam) (allowing individuals who “formed and funded a corporation on the basis of misrepresentations” to proceed with an FDUTPA claim because standing under the Act “is available to any person who was subject to an unfair or deceptive trade practice”).
The question is a close one. The Act's purpose is “[t]o protect the consuming public and legitimate business enterprises.” Fla. Stat. § 501.202(2) (emphasis added). It is unclear if the word “consuming” applies to only “public” or also to “legitimate business enterprises.” The more natural reading is that this clause lists two independent groups that the Act seeks to protect: first, “the consuming public,” and second, “legitimate business enterprises.” See Akzo Nobel Coatings, Inc. v. Auto Paint & Supply of Lakeland, Inc., No. 8:09–cv–2453–T–30TBM, 2011 WL 5597364, at *3 (M.D.Fla. Nov. 17, 2011) (holding that “whether or not an individual non-consumer plaintiff has standing [under the Act], a legitimate business enterprise does” (emphasis in original)); Tracy, 706 F.Supp.2d at 1335 (allowing a claim by a “legitimate business enterprise” without regard to whether the business was a consumer); Kertesz, 635 F.Supp.2d at 1349 (emphasizing only the word “consuming”). Limiting the private right of action to consumers also overlooks that even after the FDUTPA was amended to replace the word “consumer” with “person” in § 501.211(2), the Act continues to include a definition for “consumer,” id. § 501.203(7), and to use that word in other provisions. For example, the Florida state attorney or Department of Legal Affairs may bring “[a]n action on behalf of one or more consumers ... for the actual damages caused by an act or practice in violation” of the FDUTPA. Id. § 501.207(c). The Florida Legislature's use of the word “person” in creating a private right of action suggests a broader reach than the word “consumer.” See Fla. Dep't of Revenue v. Cent. Dade Malpractice Trust Fund, 673 So.2d 899, 901 (Fla.Dist.Ct.App.1996) (noting that “legislative intent may be discerned from the Legislature's election to use different words to convey different meanings within a statute”) (citing Dep't of Prof'l Regulation v. Durrani, 455 So.2d 515, 518 (Fla.Dist.Ct.App.1984)).
The motion to dismiss the FDUTPA claim on the basis of lack of standing is denied.
5. The Illinois Consumer Fraud and Deceptive Business Practices Act
Heartland argues that the Financial Institution Plaintiffs' claim under the Illinois Consumer Fraud and Deceptive Business Practices Act, 815 Ill. Comp. Stat.. § 505/1 et seq. , must be dismissed because the master complaint neither “relate[s] to consumer protection issues” nor alleges reliance. (Docket Entry No. 56, at 15–16). The Illinois statute prohibits “[u]nfair methods of competition and unfair or deceptive acts or practices, including but not limited to the use or employment of any deception, fraud, false pretense, false promise, misrepresentation or the concealment, suppression or omission of any material fact, with intent that others rely upon the concealment, suppression or omission of such material fact[.]” 815 Ill. Comp. Stat.. § 505/2. There are four elements of a claim under the Illinois Act: (1) a deceptive act or practice; (2) the intent that the plaintiff rely on the deception; (3) the deception occurred in the course of conduct involving trade or commerce; and (4) the deceptive act proximately caused the plaintiff's injury. Cozzi Iron & Metal, Inc. v. U.S. Office Equipment, Inc., 250 F.3d 570, 575–76 (7th Cir.2001) (citing Connick v. Suzuki Motor Co., 174 Ill.2d 482, 221 Ill.Dec. 389, 675 N.E.2d 584, 593 (1996)). “[A] statutory consumer fraud claim must be pled with specificity[.]” Avery v. State Farm Mut. Auto. Ins. Co., 216 Ill.2d 100, 296 Ill.Dec. 448, 835 N.E.2d 801, 843 (2005).
The master complaint does not adequately allege that Heartland intended the Financial Institution Plaintiffs to rely on any of its statements. The alleged misstatements in the S.E.C. filings, analyst calls, and the Merchant's Bill of Rights were not directed to issuer banks. Because issuers have no direct dealings with payment-card processors, it is implausible that Heartland intended statements in documents not directed to the Financial Institution Plaintiffs to be relied on by them or by any issuer banks. The master complaint conclusorily alleges reliance, insufficient to state a claim.
Heartland correctly states that under Illinois law, nonconsumers must show that “the complained-of conduct implicates consumer protection concerns.” Speakers of Sport, Inc. v. ProServ, Inc., 178 F.3d 862, 868 (7th Cir.1999) (internal quotation marks omitted); accord, e.g., Gen. Ins. Co. of Am. v. Clark Mali Corp., No. 08 C 2787, 2010 WL 1286076, at *6 (N.D.Ill. Mar. 30, 2010). In light of the sparse briefing on this issue, this court declines to address it at this time. The Illinois claim is dismissed, but without prejudice and with leave to amend.
6. The New York Consumer–Protection Law
The Financial Institution Plaintiffs allege violations of New York's consumer-protection statute, which prohibits “[d]eceptive acts or practices in the conduct of any business, trade or commerce or in the furnishing of any service [.]” N.Y. Gen. Bus. Law § 349(a). “Generally, claims under the statute are available to an individual consumer who falls victim to misrepresentations made by a seller of consumer goods through false or misleading advertising.” Eaves v. Designs for Fin., Inc., 785 F.Supp.2d 229, 265 (S.D.N.Y.2011) (quoting Small v. Lorillard Tobacco Co., 94 N.Y.2d 43, 698 N.Y.S.2d 615, 720 N.E.2d 892, 897 (1999)); accord, e.g., Waverly Props., LLC v. KMG Waverly, LLC, 824 F.Supp.2d 547, 566–67, 2011 WL 4472284, at *18 (S.D.N.Y.2011). “Courts have repeatedly held that a consumer, for § 349 purposes, is one who purchases goods and services for personal, family or household use.” Eaves, 785 F.Supp.2d at 265 (quoting Exxonmobil Inter–America, Inc. v. Advanced Info. Eng'g Servs., Inc., 328 F.Supp.2d 443, 448 (S.D.N.Y.2004) (internal alteration omitted)).
“To maintain a cause of action under § 349, a plaintiff must show: (1) that the defendant's conduct is ‘consumer-oriented,’; (2) that the defendant is engaged in a ‘deceptive act or practice’; and (3) that the plaintiff was injured by this practice.” Wilson v. Nw. Mut. Ins. Co., 625 F.3d 54, 64 (2d Cir.2010) (citing Oswego Laborers' Local 214 Pension Fund. v. Marine Midland Bank, N.A., 85 N.Y.2d 20, 623 N.Y.S.2d 529, 647 N.E.2d 741, 744 (1995)). Consumer-oriented conduct is defined as “acts or practices [that] have a broader impact on consumers at large. Private contract disputes, unique to the parties ... would not fall within the ambit of the statute[.]” Oswego, 623 N.Y.S.2d 529, 647 N.E.2d at 744;see also, e.g., N.Y. Workers' Comp. Bd. v. 26–28 Maple Avenue, Inc., 80 A.D.3d 1135, 915 N.Y.S.2d 744, 745 (2011) (defining consumer-oriented conduct as “an act having the potential to affect the public at large, as distinguished from merely a private contractual dispute” (internal quotation marks omitted)). “When more complex claims are asserted under [N.Y. Gen. Bus. Law] § 349, courts have looked to the identity of the parties, their sophistication and experience, and the contract type and amount to determine whether the statute applies.” Wells Fargo Bank Nw., N.A. v. Am. Gen. Life Ins. Co., Civ. A. No. 10–1327(FLW), 2011 WL 1899338, at *6 (D.N.J. May 19, 2011); see also Exxonmobil Inter–America, 328 F.Supp.2d at 449 (explaining that “transactions involving complex arrangements, knowledgeable and experienced parties and large sums of money are different in kind and degree from those that confront the average consumer who requires the protection of a statute against fraudulent practices” (internal quotation marks and alteration omitted)). As one New York federal district court has explained, “While the ‘consumer-orient[ed] act’ prong does not preclude the application of § 349 to disputes between businesses per se, it does severely limit it. Contracts to provide commodities that are available only to businesses do not fall within the parameters of § 349.” Exxonmobil Inter–America, 328 F.Supp.2d at 449 (citing Cruz v. NYNEX Info. Res., 263 A.D.2d 285, 703 N.Y.S.2d 103, 107 (2000)). When the parties are “both sophisticated contracting entities with equal bargaining power, and the contract between them was for a business-only commodity, not a common consumer good,” § 349 is inapplicable. Exxonmobil Inter–America, 328 F.Supp.2d at 450. The act “was designed to protect ‘the little guy’ from false advertising, pyramid schemes, bait-and-switch sales tactics, and other mischievous machinations by swindlers and scallywags.” Id. (citing generally Teller v. Bill Hayes, Ltd., 213 A.D.2d 141, 630 N.Y.S.2d 769 (1995)). If the product or service is not “for ‘personal, family or household use’ and the deceptive conduct alleged by Plaintiffs was not directed at non-business consumers,” the claim does not fall within § 349. Eaves, 785 F.Supp.2d at 266 (citing cases).
Even assuming that the Financial Institution Plaintiffs had adequately pleaded that Heartland engaged in deceptive practices and that those practices injured them, the Financial Institution Plaintiffs are not “consumers.” Nor is the conduct “consumer-oriented” under § 349. The Financial Institution Plaintiffs are far removed from an individual “who purchases goods and services for personal, family or household use,” the paradigmatic § 349 plaintiff. Id. at 265 (quoting Exxonmobil Inter–America, 328 F.Supp.2d at 448 (internal alteration omitted)). To the extent that the Financial Institution Plaintiffs even “purchase” a service from Heartland—questionable, given the nature of their relationship with Heartland —their purchase is solely for commercial use and not personal, family or household use.
See supra at 601–02.
Moreover, Heartland's allegedly deceptive representations—whether made in S.E.C. filings, to acquiring banks, or to merchants—do not qualify as “consumer-oriented conduct,” as required to state a claim under § 349. Heartland made statements to acquiring banks and merchants about card-processing services. Such services are neither marketed nor offered to consumers, but only to specific types of commercial entities. Even assuming that the Financial Institution Plaintiffs can plausibly plead that they were injured by statements not directed toward them, the deceptive conduct they allege was not directed at “non-business consumers.” Eaves, 785 F.Supp.2d at 266. The Financial Institution Plaintiffs' New York claim is dismissed, with prejudice because amendment would be futile.
The reasons discussing why the Financial Institution Plaintiffs' claim under Washington law does not affect the “public interest,” as under that law, also show why their New York claim does not involve consumer-oriented conduct. See infra at 608–09.
7. The Texas Deceptive Trade Practices—Consumer Protection Act
The complaint alleges violations of the Texas Deceptive Trade Practices–Consumer Protection Act (“TDTPA”), Tex. Bus. & Com. Code § 17.41 et seq. Heartland argues that the master complaint fails to state a claim because it does not allege: (1) that Lone Star National Bank, the only Texas plaintiff, has less than $25 million in assets, see id. § 17.45(4) (excluding business entities with more than $25 million in assets from the term “Consumer”); (2) misrepresentations made “ in connection with the [Financial Institution Plaintiffs'] transaction in goods or services,” Amstadt v. U.S. Brass Corp., 919 S.W.2d 644, 650 (Tex.1996) (emphasis in original); and (3) that the Financial Institution Plaintiffs relied on a misrepresentation. (Docket Entry No. 56, at 16).
Like the misrepresentation claim, the TDTPA claim must be dismissed because the conclusory allegation of reliance is insufficient under Rule 8. See, e.g., Rice v. Metro. Life Ins. Co., 324 S.W.3d 660, 676 (Tex.App.-Fort Worth 2010, no pet.) (explaining that reliance is a required element of a TDTPA claim). This claim is dismissed, without prejudice and with leave to amend.
Had the Financial Institution Plaintiffs adequately pleaded reliance, Heartland's reliance on Amstadt would be an insufficient basis to dismiss. In Amstadt, a group of homeowners sued their homebuilder and three manufacturing companies after discovering that their plumbing systems were defective. Among other claims, they asserted violations of the TDTPA. 919 S.W.2d at 647–48. The Texas Supreme Court acknowledged that a claim under the Act did not require privity of contract. But, the court continued, a “defendant's deceptive trade act or practice is not actionable under the DTPA unless it was committed in connection with the plaintiff's transaction in goods or services.” Id. at 650 (emphasis in original). The court then explained that none of the manufacturers made any representations, directly or indirectly, to the homeowners. Any alleged misrepresentations were not in connection with the home sales. Put differently, the misrepresentations played no role in the homeowners' purchase of the home. See id. at 650–52. The court explained that approving liability without such a connection would “shift[ ] the focus of a DTPA claim from whether the defendant committed a deceptive act to whether a product that was sold caused an injury.” Id. at 650. Here, by contrast, the Financial Institution Plaintiffs allege that Heartland made the alleged misrepresentations to them.
8. The Washington Consumer Protection Act
The complaint alleges that Heartland violated Washington's Consumer Protection Act, Wash. Rev.CodeE § 19.86.010 et seq. “To prevail in a private CPA claim, the plaintiff must prove (1) an unfair or deceptive act or practice, (2) occurring in trade or commerce, (3) affecting the public interest, (4) injury to a person's business or property, and (5) causation.” Panag v. Farmers Ins. Co. of Wash., 166 Wash.2d 27, 204 P.3d 885, 889 (2009); see also Segal Co. (E. States), Inc. v. Amazon.Com, 280 F.Supp.2d 1229, 1232 (W.D.Wash.2003) (citing Hangman Ridge Training Stables, Inc. v. Safeco Title Ins. Co., 105 Wash.2d 778, 719 P.2d 531, 535 (1986)).
A private claim may also be based on a per se violation of the statute. Panag, 204 P.3d at 890 n. 3. That theory is not at issue in this case.
Heartland argues that the complaint insufficiently alleges an effect on the public interest. When a case involves a private dispute, as opposed to an ordinary consumer transaction, the plaintiff must show “a likelihood that additional persons have been or will be injured in the same fashion.” A.G. & Design Assocs., LLC v. Trainman Lantern Co., No. C07–5158RBL, 2009 WL 230083, at *6 (W.D.Wash. Jan. 30, 2009) (citing Goodyear Tire & Rubber Co. v. Whiteman Tire, Inc., 86 Wash.App. 732, 935 P.2d 628, 635 (1997)). “It is the likelihood that additional plaintiffs have been or will be injured in exactly the same fashion that changes a factual pattern from a private dispute to one that affects the public interest.” Michael v. Mosquera–Lacy, 165 Wash.2d 595, 200 P.3d 695, 700 (2009) (internal quotation marks and alteration omitted). The conduct must have “the capacity to deceive a substantial portion of the public.” Columbia Physical Therapy, Inc. v. Benton Franklin Orthopedic Assocs., P.L.L.C., 168 Wash.2d 421, 228 P.3d 1260, 1270 (2010) (internal quotations marks and emphasis omitted). “Where the complaint involves essentially a private dispute such as the provision of professional services,” courts consider four nonexclusive factors:
(1) Were the alleged acts committed in the course of defendant's business? (2) Did defendant advertise to the public in general? (3) Did defendant actively solicit this particular plaintiff, indicating potential solicitation of others? (4) Did plaintiff and defendant occupy unequal bargaining positions?
Stephens v. Omni Ins. Co., 138 Wash.App. 151, 159 P.3d 10, 24 (2007) (quoting Hangman Ridge, 719 P.2d at 538);accord, e.g., Hambleton Bros. Lumber Co. v. Balkin Enters., Inc., 397 F.3d 1217, 1234 (9th Cir.2005). Courts have dismissed cases under the public-interest element under Rule 12(b)(6). See, e.g., Swartz v. KPMG, LLC, 401 F.Supp.2d 1146, 1150, 1153–54 (W.D.Wash.2004), aff'd in part, rev'd in part, 476 F.3d 756 (9th Cir.2007).
The master complaint fails to allege sufficient facts suggesting that the Financial Institution Plaintiffs' claim affects the public interest. The only group likely to be injured in the same fashion—incurring expenses for replacement cards and fraudulent transactions—consists of other issuer banks. Such a group is both too small and too specialized to constitute a substantial portion of the public. See Swartz, 401 F.Supp.2d at 1153–54 (W.D.Wash.2004) (“The number of consumers who could conceivably find themselves in plaintiff's circumstances—looking for a tax savings on millions of dollars of capital gains—is extremely small and unable to qualify as a ‘substantial portion of the public’ under any reasonable definition of that term.”); Goodyear Tire & Rubber Co., 935 P.2d at 635 (finding that a company'srepresentations to its dealers “had no deceptive capacity affecting the public in general”); see also Columbia Physical Therapy, 228 P.3d at 1270 (holding that the complained-of conduct must have “the capacity to deceive a substantial portion of the public” (quoting Hangman Ridge, 719 P.2d at 535)). The Financial Institution Plaintiffs and other issuer banks have “sufficient sophistication to remove them from the class of bargainers subject to exploitation.” Segal Co., 280 F.Supp.2d at 1234 n. 5 (quoting Pac. Nw. Life Ins. Co. v. Turnbull, 51 Wash.App. 692, 754 P.2d 1262, 1269 (1988)); see also Fleetwood v. Stanley Steemer Int'l, Inc., 725 F.Supp.2d 1258, 1276 (E.D.Wash.2010) (explaining that “parties with ‘a history of business experience’ cannot claim a CPA violation because they are ‘not representative of bargainers who are subject to exploitation and unable to protect themselves' ” (quoting Hangman Ridge, 719 P.2d at 540 (alteration omitted))); Swartz, 401 F.Supp.2d at 1154 (noting, in the context of tax products, that, “as a (very small) group, the extremely wealthy [multimillionaires] are neither unsophisticated nor easily subject to chicanery”); Hangman Ridge, 719 P.2d at 540 (noting that the plaintiffs were “not representative of bargainers subject to exploitation and unable to protect themselves”).
The master complaint vaguely alleges that Heartland intended its statements to lull the public into believing that its data security was better than it actually was. That allegation is insufficient to show that a dispute between sophisticated banks that issue payment cards and the company hired by other banks to process payments for merchants affects the public interest. The WCPA claim is dismissed, with prejudice and without leave to amend because amendment would be futile.
The reasons the Financial Institution Plaintiffs' New York claim does not concern “consumer-oriented conduct” within the meaning of that statute also support the conclusion that their Washington claim does not affect the “public interest” under Washington law. See supra at 608–09.
Heartland's motion to dismiss, (Docket Entry No. 39), is granted in part and denied in part. All claims except that under the FDUTPA are dismissed. Leave to amend is granted only as to the following claims: breach of contract and implied contract (both under the limited circumstances described above); express misrepresentation; negligent misrepresentation based on nondisclosure; and violations of the California Unfair Competition Law, the Colorado Consumer Protection Act, the Illinois Consumer Fraud and Deceptive Business Practices Act, and the Texas Deceptive Trade Practices—Consumer Protection Act.
The Financial Institution Plaintiffs must amend their master complaint by December 23, 2011. A status conference is set for January 13, 2012, at 8:30 a.m. in Courtroom 11–B.