As we reported in December 2010, after an online merchant suffered chargeback losses of almost $12,000 on nine fraudulent orders, it sued the bank that issued the nine cards that were fraudulently used alleging that the most likely cause of the fraud was a data security breach at the bank that the bank ignored.  The merchant claimed that the bank knows when “fraudulent orders come through the system because the cardholder typically has processed a change of address shortly before placing a large volume of orders on several different websites.”

The federal district court dismissed all four of the merchant’s claims. On May 18, 2012, the Eighth Circuit Court of Appeals affirmed the dismissal, finding that the merchant failed to make sufficient allegations that, if true, would show that the bank knew of the fraudulent transactions and “substantially assisted or encouraged” it. The Eighth Circuit found that it was not sufficient for the merchant to allege that two unidentified bank employees at unmentioned times and with unspecified positions acknowledged the breach. Rather, the court stated that the merchant was required to describe the circumstances surrounding the breach—“the who, what, when, where and how U.S. Bank’s conduct amounted to false, deceptive, or misleading conduct.” In sum, a bare assertion that fraudulent charges must have occurred because of a data breach was insufficient to state claims for aiding and abetting fraudulent transactions, intentional interference with contractual relations, violations of Minnesota consumer protection laws, and unjust enrichment.

Not only did the merchant’s argument suffer from a lack of specificity, the underlying premise that the issuing bank was the most likely source of the compromise was tenuous. If the fraudulent transactions did appear shortly after a change of address was made with the cardholder’s issuing bank, it is just as likely, if not more likely, that the cardholder was the source of the compromise (e.g. malware on the cardholder’s computer that resulted in compromised on-line banking credentials). Even if the merchant had alleged that the issuing bank had received notice prior to the fraudulent transactions from one of the card networks that the cards involved were considered to be at-risk of fraud because of a prior breach somewhere in the processing chain, such an allegation would still fall short of alleging that the bank substantially assisted or encouraged fraud.