Thanks for visiting! Welcome to a new way to research case law. You are viewing a free summary from Descrybe.ai. For citation and good law / bad law checking, legal issue analysis, and other advanced tools, explore our Legal Research Toolkit — not free, but close.
USAA Federal Savings Bank v. PLS Financial Services, Inc.
Citation: 260 F. Supp. 3d 965Docket: No. 16 C 7911
Court: District Court, N.D. Illinois; May 30, 2017; Federal District Court
USAA Federal Savings Bank filed a lawsuit against PLS Financial Services, Inc. and its affiliates after suffering over $3 million in losses due to a fraudulent check cashing scheme. USAA alleged that PLS was negligent in protecting its members' financial information, enabling third parties to create counterfeit checks. The claims included negligence, negligence per se based on violations of state and federal statutes, and a violation of the Illinois Consumer Fraud and Deceptive Business Practices Act (ICFA). The court dismissed USAA’s negligence claim, stating that Illinois law does not impose a common law duty to safeguard personal information. The negligence per se claim was dismissed as well since USAA did not adequately address it in response to PLS’s motion to dismiss. Furthermore, the ICFA claim was dismissed because USAA failed to show that the data breach had a significant impact on its Illinois members or that the unfair conduct primarily occurred in Illinois. USAA provides banking services to military members and veterans, while PLS offers check cashing and payday lending at approximately 300 locations across eleven states, including Illinois. PLS does not operate as a bank and charges fees for its services, which include cashing checks drawn on USAA. In a prior settlement with the U.S. government, PLS had agreed to implement a comprehensive information security program to protect customers' personal data but continued to face issues with unauthorized access. An employee at PLS allegedly facilitated access to its computer systems, enabling third parties to copy check images and produce counterfeit checks. These checks were then used to defraud banks, including USAA, resulting in significant financial losses for USAA, which identified over 2,000 original checks that were counterfeited after being cashed at PLS locations. USAA notified PLS of the issue in 2014, requesting assistance in investigating the counterfeiting, particularly noting the locations involved. PLS indicated it would refer the matter to its legal counsel. A motion to dismiss under Rule 12(b)(6) assesses the complaint's sufficiency rather than its merits, requiring the court to accept all well-pleaded facts as true and draw reasonable inferences in favor of the plaintiff. To survive such a motion, the complaint must provide fair notice of the claim and possess facial plausibility, meaning it must contain factual content that allows the court to reasonably infer the defendant's liability. In the negligence claims, USAA must demonstrate that PLS owed a duty, breached that duty, and that the breach caused USAA injury. USAA claims PLS had a general duty of reasonable care to prevent foreseeable harm and specifically to safeguard financial information. PLS argues that no such duty exists under Illinois law, which determines the existence of a duty as a question of law. USAA cites the Illinois Supreme Court's ruling in Simpkins, which suggests a duty to exercise reasonable care to prevent foreseeable harm, but this is limited by four factors: foreseeability of injury, likelihood of injury, burden of preventing injury, and the consequences of imposing that burden. The court will focus on the specific duty USAA claims PLS breached regarding the protection of confidential financial information. While the Illinois Supreme Court has not addressed this duty, the Illinois Appellate Court has declined to impose a new legal duty to safeguard personal information beyond existing legislative requirements, as seen in Cooney v. Chicago Public Schools, which involved the disclosure of sensitive employee information. This reasoning is applicable to the disclosure of financial information as well. The court in the case No. 16-cv-7619 ruled that there is no legal duty for one party to protect another's confidential information in negligence claims related to fraudulent payment activities, referencing Cooney's application. In Cmty. Bank of Trenton v. Schnuck Markets, the court similarly refused to impose a duty on financial institutions to safeguard personal data in the absence of specific legislation, despite a noted increase in data breaches. USAA contends that financial institutions have a heightened obligation to protect customer information from identity theft, citing Shames-Yeakel v. Citizens Fin. Bank, which established a duty under Indiana law. However, USAA failed to demonstrate that a similar duty exists under Illinois law. Additionally, although USAA argued that duties applicable to banks should extend to PLS due to its check-cashing services, the court noted that the Travelers case did not impose a duty to protect personal information. Consequently, USAA's negligence claim against PLS was dismissed with prejudice due to Illinois’ lack of a recognized common law duty to safeguard personal information. Regarding USAA's negligence per se claim, PLS contended that USAA did not adequately allege violations of the cited statutes. The court pointed out that USAA’s failure to respond to these arguments effectively conceded the issue, leading to the dismissal of the negligence per se claim without prejudice. To establish a claim under the Illinois Consumer Fraud and Deceptive Business Practices Act (ICFA), USAA must show: (1) a deceptive or unfair act by PLS, (2) PLS’ intent for USAA to rely on this act, (3) that the act occurred in a trade or commerce context, and (4) that it caused actual damage to USAA. USAA is permitted to recover for either deceptive or unfair conduct. A plaintiff can claim unfair conduct under the Illinois Consumer Fraud and Deceptive Business Practices Act (ICFA) without also claiming deceptive conduct. Although USAA's first amended complaint includes both claims, it focuses on unfair practices in response to a motion to dismiss. Unfair practices do not require adherence to Rule 9(b)’s heightened pleading standard, as they are not fraud-based. USAA contends that PLS's violation of the Illinois Personal Information Protection Act (PIPA) constitutes a per se violation of ICFA, but PLS argues that USAA has not adequately alleged a PIPA violation. According to PIPA, data collectors must notify Illinois residents of data breaches, yet PLS asserts that USAA fails to demonstrate that any breach impacted Illinois residents or that PLS discovered such a breach. Furthermore, even if the complaint implies a breach affecting Illinois residents, PLS argues that USAA lacks standing to allege a PIPA violation on behalf of those members since USAA is not an Illinois resident. USAA's inference that PLS's inadequate database security harmed Illinois residents is unsupported by the allegations, which suggest affected members predominantly resided outside Illinois. Consequently, the court cannot conclude that the breach involved Illinois residents, necessitating the dismissal of the ICFA claim based on PIPA without prejudice. USAA also argues for its unfair practices claim, which requires demonstrating that the conduct violates public policy, is excessively oppressive, or causes substantial consumer injury. However, since USAA is not a consumer, it must show that the conduct broadly impacts consumer protection concerns. Additionally, the ICFA's extraterritorial reach is limited; claims must arise primarily in Illinois. The mere fact that PLS operates in Illinois does not grant USAA standing, as the court assesses where the alleged unfair or fraudulent conduct originated. The allegations do not support that the conduct in question occurred in Illinois. USAA's claims against PLS regarding violations of the Illinois Consumer Fraud and Deceptive Business Practices Act (ICFA) were dismissed by the Court. The Court found that the connection to Illinois was insufficient, as USAA's allegations primarily involved activities occurring in Texas, Arizona, and California, with Illinois only being relevant due to PLS's headquarters and the location of check deposits. The Court dismissed the negligence claim with prejudice, while the negligence per se and ICFA claims were dismissed without prejudice due to a lack of allegations stating a breach occurred in Illinois or impacted Illinois residents. The Court referenced prior case law, emphasizing that Illinois law does not recognize a duty for entities to safeguard confidential information, even if they have prior knowledge of potential breaches. The Court noted skepticism toward assertions that Indiana law supports negligence claims for data breaches, citing the Seventh Circuit's position that legislative intent would have been clearer if such claims were valid. USAA's references to cases from other jurisdictions recognizing a duty of care did not apply under Illinois law. Additionally, PLS contended that USAA's negligence claims were subject to the economic loss doctrine and lacked specificity regarding the actions of individual defendants; however, the Court did not need to address these arguments after dismissing the claims for other reasons.