USAA Federal Savings Bank v. PLS Financial Services, Inc.

OPINION AND ORDER

SARA L. ELLIS, United States District Judge

After Plaintiff USAA Federal Savings Bank (“USAA”) lost over $3,000,000 in a fraudulent check cashing scheme, USAA filed suit against Defendants PLS Financial Services, Inc., PLS Group, Inc., and The Payday Loan Store of Illinois, Inc. (collectively, “PLS”), claiming PLS acted negligently in protecting USAA members’ financial information so as to allow third parties to create fraudulent checks with that information, that PLS’ negligence can be established based on the per se violation of various state and federal statutes, and that PLS violated the Illinois Consumer Fraud and Deceptive Business Practices Act (“ICFA”), 815 Ill. Comp. Stat. 505/1 et seq. PLS has moved to dismiss USAA’s first amended complaint. Because no cbm-mon law duty exists to safeguard personal information under Illinois law, the Court dismisses USAA’s negligence claim. And because USAA effectively abandons its negligence per se claim in response to PLS’ motion to dismiss, the Court dismisses that claim as well. Finally, the Court dismisses USAA’s ICFA claim because USAA has not adequately alleged that the data breach affected its Illinois members or that the underlying unfair conduct took place primarily in Illinois.

BACKGROUND1

USAA provides banking services to members and veterans of the United States military. PLS, through the three individually named Defendants, ■ provides check cashing and payday lending services at approximately 300 retail locations in eleven states, including Illinois. The individual Defendants share common directors, officers, and office locations, with centralized recordkeeping and computer systems, and have similar business practices. PLS is not a bank' and does not provide bank accounts to its customers. Instead, PLS charges customers a fee to cash checks, obtain money orders, and use other financial services.

*968In the course of doing business, PLS-cashes checks drawn on USAA, In cashing these checks, as with any other checks, PLS obtains certain information about the drawer of the check and the bank on which the. check is drawn from the face of the check, including the drawer’s name, the-check number, account number, bank routing number, drawer’s signature,' and MICR information.2 PLS makes an electronic copy of the check before forwarding the check to the drawer’s bank for payment.

;.In October 2012, the United States and PLS agreed to settle a suit brought by the United States against PLS in which the United States alleged that PLS .did not properly secure its customers’ personal information. The stipulated final injunction required PLS to- develop a comprehensive information security program to protect the security, confidentiality, and integrity of consumers’ personal information, including consumers’ names, addresses, and financial institution account numbers. PLS also agreed to take reasonable measures to protect against unauthorized access to or use of such information..

Problems with unauthorized access to PLS customers’ personal information continued, however. Specifically, an unidentified female PLS employee provided third parties with access to PLS’ computer systems, which allowed these third parties to copy, check images and produce counterfeit checks based off those images. The checks ranged from between $5 and $10,000. The third parties- then used these counterfeit checks, which. included checks drawn on USAA, to obtain money through various schemes. The payor banks on the counterfeit checks, including ÚSAA, ultimately bore the loss because the checks were unauthorized, meaning, the members on whose accounts the checks were drawn could not be held liable for them. USAA has discovered over 2,000 original checks from its members that were cashed at PLS and subsequently counterfeited, causing USAA to’incur over $3,000,000 in damages;

In October 2014, USAA notified PLS of. the issue and requested help in coordinating an investigation into the counterfeiting. USAA indicated it had noticed most of the checks that were subsequently counterfeited had been cashed at PLS locations in Texas, Arizona, and. California and subsequently deposited through a bank in Rose-mont, Illinois. PLS responded that it would refer the matter to its general counsel.

LEGAL STANDARD

A motion to dismiss under Rule 12(b)(6) challenges the sufficiency of the complaint, not its merits. Fed. R. Civ. P. 12(b)(6); Gibson v. City of Chicago, 910 F.2d 1510, 1520 (7th Cir. 1990). In considering a Rule 12(b)(6) motion to dismiss, the Court accepts as true all well-pleadéd facts in the plaintiffs complaint and draws all reasonable inferences from those facts in the plaintiffs favor. AnchorBank, FSB v. Hofer, 649 F.3d 610, 614 (7th Cir. 2011). To survive a Rule 12(b)(6) motion, the complaint must not only provide the defendant with fair notice of a claim’s basis but must also be facially plausible. Ashcroft v. Iqbal, 556 U.S. 662, 678, 129 S.Ct. 1937, 173 L.Ed.2d 868 (2009); see also Bell Atl. Corp. v. Twombly, 550 U.S. 544, 555, 127 S.Ct. 1955, 167 L.Ed.2d 929 (2007). “A claim has facial plausibility when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the miscon*969duct alleged.” Iqbal, 556 U.S. at 678, 129 S.Ct. 1937.

ANALYSIS

I. Negligence Claims

A. Existence of a Duty

To succeed on its negligence claim, USAA must establish that (1) PLS owed USAA a duty, (2) PLS breached that duty, and (3) PLS’ breach proximately caused USAA injury. Rhodes v. Ill. Cent. Gulf R.R., 665 N.E.2d 1260, 1267, 172 Ill.2d 213, 216 Ill.Dec. 703 (1996). USAA contends that PLS owed USAA a general duty of reasonable care to avoid causing foreseeable harm to USAA and, more specifically, a duty to safeguard financial information. But PLS claims that no such duty exists under Illinois law. The existence of a duty under Illinois law is a question of law. Simpkins v. CSX Transp., Inc., 965 N.E.2d 1092, 1096, 2012 IL 110662, 358 Ill.Dec. 613 (2012).

USAA relies on the Illinois Supreme Court’s decision in Simpkins to argue that PLS had a duty to exercise reasonable care to avoid causing foreseeable harm to USAA in that PLS should have taken steps to prevent unauthorized access to its database of financial information. See id., 358 Ill.Dec. 613, 965 N.E.2d at 1097 (“[Ejvery person owes a duty of ordinary care to all others to guard against injuries which naturally flow as a reasonably probable and foreseeable consequence of an act, and such a duty does not depend upon contract, privity of interest or the proximity of relationship, but extends to remote and unknown persons.” (quoting Widlowski v. Durkee Foods, Div. of SCM Corp., 562 N.E.2d 967, 968, 138 Ill.2d 369, 150 Ill.Dec. 164 (1990)))) But Simpkins did not establish a “duty to the world at large” and instead limited the duty to one bounded by four factors: “(l) the reasonable foreseeability of the injury, (2) the likelihood of the injury, (3) the magnitude of the burden of guarding against the injury, and (4) the consequences of placing that burden on the defendant.” Id. Although these general guideposts are helpful, here, the Court more narrowly considers the specific contours of the duty USAA claims PLS allegedly breached in its first amended complaint — that of safeguarding allegedly confidential financial information. See Dolmage v. Combined Ins. Co. of Am., No. 14 C 3809, 2015 WL 292947, at *5-6 (N.D. Ill. Jan. 21, 2015) (refusing to consider plaintiffs argument that a more general “ordinary care standard” applied whére plaintiff based her negligence claim on defendant’s “failure to exercise reasonable care and caution in safeguarding and protecting” personal information).

Although the Illinois Supreme Court has not opined on the issue, the Illinois Appellate Court has refused to create “a new legal duty beyond legislative requirements” to safeguard an individual’s personal information or protect it from disclosure. Cooney v. Chicago Pub. Schs., 943 N.E.2d 23, 28-29, 407 Ill.App.3d 358, 347 Ill.Dec. 733 (2010). Although Cooney involved the disclosure of employees’ health insurance information, in addition to names, addresses, and social security numbers, the same analysis extends to the disclosure of financial information. See Landale Signs & Neon, Ltd. v. Runnion Equip. Co., No. 16-cv-7619, 2016 WL 7409916, at *3 (N.D. Ill. Dec. 22, 2016) (applying Cooney to find no duty to safeguard another party’s confidential information with respect to claim concerning fraudulent wiring of payment to third party);3 Cmty. Bank of Trenton v. Schnuck Markets, Inc., 210 F.Supp.3d 1022, 1041 *970(S.D. Ill. 2016) (refusing to recognize a duty to protect customers’ personal financial information, noting that “the legislature could create a duty to safeguard personal data if it felt it appropriate to do so, and in light of the recent uptick in data breach cases it may well do so, but in the absence of such legislation, the Court will not recognize a new duty between two sophisticated parties”). Nonetheless, USAA argues that a heightened requirement applies to financial institutions, which must protect their customers’ confidential information from identity theft. See Shames-Yeakel v. Citizens Fin. Bank, 677 F.Supp.2d 994, 1008 (N.D. Ill. 2009) (finding that, under Indiana law, a bank “has a duty not to disclose information concerning one of its customers unless it is to someone who has a legitimate public interest” and so “must certainly employ sufficient security measures to protect their customers’ online accounts” (citation omitted)). But Shames-Yeakel applied Indiana law, and USAA has provided no cases suggesting that a similar duty exists under Illinois law.4 USAA also argues that even though PLS is not a bank, a bank’s duties of care apply equally to PLS because PLS offers check cashing services, relying on Travelers Casualty & Surety Co. of America v. Wells Fargo Bank N.A., 374 F.3d 521, 525-27 (7th Cir. 2004). While the Travelers court did extend the duty to “exercise due care to make sure that the drawer (the third party) intended the depositor to receive the drawer’s money” to “other financial institutions that perform bank-type services,” id., the court said nothing about imposing a duty to safeguard personal information, the duty at issue here. Therefore, because Illinois does not recognize a common law duty to safeguard personal information, USAA cannot establish its claim for negligence against PLS and so the Court dismisses that claim with prejudice. See Landale Signs, 2016 WL 7409916, at *3; Cooney, 347 Ill.Dec. 733, 943 N.E.2d at 29.

B. Negligence Per Se

USAA purports to bring a claim for negligence per se, setting forth various statutes in the first amended eomplaint that PLS allegedly violated. PLS argues that USAA has not alleged facts to demonstrate that PLS violated any of these cited statutes. Setting aside the issue of whether *971any of the statutes cited give rise to a pure negligence per se claim or merely provides for the creation of a duty of care where none otherwise exists at common law, see Abbasi ex rel. Abbasi v. Paraskevoulakos, 718 N.E.2d 181, 186, 187 Ill.2d 386, 240 Ill.Dec. 700 (1999) (explaining that “the violation of a statute is not negligence per se, which refers to strict liability, but rather only prima facie evidence of negligence, unless the legislature clearly intends to impose strict liability” (citations omitted)), USAA did not respond to PLS’ arguments concerning its negligence per se claim. USAA’s failure to respond effectively concedes the issue, and so the Court dismisses the negligence per se claim without prejudice. See Bonte v. U.S. Bank, NA., 624 F.3d 461, 466 (7th Cir. 2010) (“Failure to respond to an argument ... results in waiver.”).5

II. ICFA

To state an ICFA claim, USAA must allege (1) a deceptive or unfair act or practice by PLS, (2) PLS’ intent that USAA rely on the deceptive or unfair practice, (3) the deceptive or unfair practice occurred in the course of conduct involving trade or commerce, and (4) PLS’ deceptive or unfair practice caused USAA actual damage. Wigod v. Wells Fargo Bank, N.A., 673 F.3d 547, 574 (7th Cir. 2012); Kim v. Carter’s Inc., 598 F.3d 362, 365 (7th Cir. 2010). USAA may recover for either deceptive or unfair conduct. Robinson v. Toyota Motor Credit Corp., 775 N.E.2d 951, 960, 201 Ill.2d 403, 266 Ill.Dec. 879 (2002); Siegel v. Shell Oil Co., 612 F.3d 932, 935 (7th Cir. 2010) (“A plaintiff may allege that conduct is unfair under ICFA without alleging that the conduct is deceptive.”). Although USAA appears to pursue a claim for both deceptive and unfair conduct in the first amended complaint, in response to PLS’ motion to dismiss, USAA addresses only an unfair practices claim and so the Court does the same. An unfair practices claim need not meet Rule 9(b)’s heightened pleading standard because it is not based on fraud. Camasta v. Jos. A. Bank Clothiers, Inc., 761 F.3d 732, 737 (7th Cir. 2014).

First, USAA argues that by violating the Illinois Personal Information Protection Act (the “PIPA”), 815 Ill. Comp. Stat. 530/1 et seq., PLS has per se committed a violation of ICFA. See 815 Ill. Comp. Stat. 505/2Z; 815 Ill. Comp. Stat. 530/20. But PLS argues that USAA has not sufficiently alleged a PIPA violation. Section 10 of the PIPA provides that “[a]ny data collector that owns or licenses personal information concerning an Illinois resident shall notify the resident at no charge that there has been a breach of the security of the system data following discovery or notification of the breach.” 815 Ill. Comp. Stat. 530/10(a). PLS argues that USAA has not alleged that the data breach affected any Illinois residents or that PLS discovered a breach affecting an Illinois resident. Alternatively, to the extent the first amended complaint can be read to imply a data breach affecting Illinois residents, PLS contends that USAA, which is not an Illinois resident, does not have standing to allege a violation of the PIPA on behalf of any of its Illinois members. Although USAA argues that the Court can infer that PLS’ conduct in not securing its database affected Illinois residents, the first amended complaint says nothing about the residency of the affected USAA members. An email from USAA to PLS notifying PLS of the counterfeiting scheme suggests that the affected USAA members had written *972checks cashed at PLS locations in Texas, Arizona, and California, with the only connection to Illinois being that PLS then deposited these checks at a bank in Illinois. See Doc. 22-3. But this, along with the copy of a USAA member's check showing its deposit in Illinois, says nothing about the residency of the affected USAA members and the email instead could be read to suggest that the breach affected USAA members mainly residing outside of Illinois. The Court thus cannot infer, as USAA requests, that the breach affected Illinois residents so as to make the PIPA applicable, requiring the Court to dismiss the ICFA claim to the extent it is premised on a violation of the PIPA without prejudice.

Alternatively, USAA argues that it can proceed on an unfair practices claim. Conduct is considered unfair if it (1) violates public policy, (2) is “so oppressive that the consumer has little choice but to submit,” or (3) causes consumers substantial injury. Siegel, 612 F.3d at 935. Additionally, because USAA is not a consumer, it must establish that the conduct complained of generally affects consumer protection concerns. Thrasher-Lyon v. Ill. Farmers Ins. Co., 861 F.Supp.2d 898, 911—12 (N.D. Ill. 2012). As with USAA’s more specific ICFA claim based on violation of the PIPA,' USAA’s unfair practices' claim fails because ICFA has a limited extraterritorial reach, applying to/claims “only if the circumstances relating to the alleged fraudulent transaction occurred mostly in Illinois.” Crichton v. Golden Rule Ins. Co., 576 F.3d 392, 396 (7th Cir. 2009) (citing Avery v. State Farm Mut. Auto. Ins. Co., 835 N.E.2d 801, 852-53, 216 Ill.2d 100, 296 Ill.Dec. 448 (2005)). The fact that PLS is headquartered in Illinois does not confer USAA with standing to pursue its ICFA claim because the Court instead looks to where the circumstances underlying the alleged unfair or fraudulent activity arose. Id. The Court cannot infer from the allegations of the first amended complaint that the allegedly unfair conduct occurred in Illinois. Instead, USAA’s attached email suggests that the conduct occurred in Texas, Arizona, and California, with the only link to Illinois being the fact that PLS has its headquarters here, meaning that checks received by PLS ultimately were deposited through a bank in. Rosemont, Illinois. The location of these check deposits is not enough to extend ICFA’s reach to -USAA’s allpged ICFA unfair practices claim, where no- allegations- suggest that the breach occurred in Illinois or affected Illinois residents. Without moré; the Court also dismisses this aspect of USAA’s ICFA claim without prejudice.

CONCLUSION

For the foregoing reasons, the Court grants PLS’ motion to dismiss [28], The Court dismisses the negligence claim with prejudice and the negligence per se and ICFA claims without prejudice.

. The facts in the background section are taken from USAA’s first amended complaint and the exhibits attached thereto and are presumed true for the purpose of resolving PLS' motion to dismiss. See Virnich v. Vorwald, 664 F.3d 206, 212 (7th Cir. 2011); Local 15, Int’l Bhd. of Elec. Workers, AFL-CIO v. Exelon Corp., 495 F.3d 779, 782 (7th Cir. 2007).

. MICR stands’ for magnetic ink character recognition. The MICR information contains certain encoded information used to verify the legitimacy of checks.

. The plaintiff in Landale Signs sought reconsideration of the court's decision finding no *970duty to safeguard plaintiffs confidential information. The court reiterated its conclusion that Illinois law does not recognize such a duty, even where the defendant has prior knowledge of a data breach, creates a situation conducive to a data breach, and the injury was foreseeable. See Landale Signs & Neon, Ltd. v. Runnion Equip. Co., No. 16-cv-7619, — F.Supp.3d —, —, 2017 WL 1208506, at *3 (N.D. Ill. Apr. 3, 2017).

. The Shames-Yeakel court’s statement that Indiana would recognize a negligence claim for a data breach by a bank has been questioned as unsupported and contrary to the Seventh Circuit’s decision in Pisciotta v. Old National Bancorp, where the Seventh Circuit stated that "[h]ad the Indiana legislature intended that a cause of action should be available against a database owner for failing to protect adequately personal information, we believe that it would have made some more definite statement of that intent.” 499 F.3d 629, 637 (7th Cir. 2007); see In re Anthem, Inc. Data Breach Litig., 162 F.Supp.3d 953, 1004-05 (N.D. Cal. 2016) (noting that Shames-Yeakel has not been relied on for the proposition "that a bank’s duty not to disclose must include a duly to protect customers’ personal information”). And while USAA cites additional cases recognizing a duty to exercise reasonable care in safeguarding financial information, none of those cases apply Illinois law. See In re: The Home Depot, Inc., Customer Data Sec. Breach Litig., 1:14-md-2583-TWT, 2016 WL 2897520, at *3-4 (N.D. Ga. May 18, 2016) (applying Georgia law); In re Target Corp. Customer Data Sec. Breach Litig., 64 F.Supp.3d 1304, 1309-10 (D. Minn. 2014) (applying Minnesota law); Lone Star Nat’l Bank, N.A. v. Heartland Payment Sys., Inc., 729 F.3d 421, 426 (5th Cir. 2013) (applying New Jersey law).

. PLS also argues that the negligence claims should be dismissed because they are barred by the economic loss doctrine and because USAA has not identified the specific actions taken by each of the three individual Defendants. Because the Court dismisses the claims on alternative grounds, it need not reach these arguments at this time.