
Data breach case against Schnuck Markets dismissed


A federal district court has dismissed for the second time litigation filed by financial institutions against St. Louis-based supermarket chain Schnuck Markets Inc. in connection with a data breach it suffered in 2012 and 2013, citing the prevalence of data breaches during that period.

A total of 2.4 million cards containing unencrypted data were swiped at 79 Schnuck Markets during the breach, which occurred between Dec. 1, 2012, and March 30, 2013, plaintiffs charged, according to Monday’s ruling by the U.S. District Court in East St. Louis in Community Bank of Trenton et al. vs. Schnuck Markets Inc.

The plaintiffs said Schnuck first learned of the data breach on March 14, 2013, but did not inform the public until March 30, 2013.

The financial institutions first filed a putative class action lawsuit in October 2015, which the court dismissed in September 2016 “in large part because it suffered from vast generalizations,” said Monday’s ruling. An amended complaint, which included charges of negligence and breach of implied contract, was filed in October 2016.

“The court is not persuaded that public policy concerns, the existence of industry standards, or implied contractual relationships should give rise to a duty in this case,” said the ruling.

The breach “took place during what seemed to be the boom of data breach activity, at a time when many retailers were caught either unaware or unluckily in the cross-hairs of cybercrime,” Chief Judge Michael J. Reagan’s ruling said.

“Unfortunately, losses were sustained, losses that in retrospect should have or could have been prevented, but not every loss can be compensated via legal action.

“In the wake of the data breach boom, it seems fair to say retailers will have to act more prudently, but at the time that this breach occurred the law did not contemplate harms of the kind that emerged,” said the ruling, in granting Schnuck’s motion to dismiss the case.

In January 2015, the U.S. District Court in St. Louis ruled that the chain had a $500,000 cap on how much it must pay for the data breach. 

Atlanta-based Home Depot Inc. reached a settlement with shareholders in connection with its 2014 data breach.