Payment Law Advisor Legal Commentary and Resources for the Payment Industry

Magistrate Recommends Lawsuit Against Global Payments Should Be Dismissed

Posted in Regulatory and Compliance

A federal Magistrate has recommended dismissal with prejudice of all of the cardholder plaintiffs’ claims against payment processor Global Payments, Inc. in a widely-reported data breach case. The plaintiffs seek to recover damages allegedly caused by the 2012 theft of a reported 1.5 million sets of card data from Global Payments’ computer network.

In her decision, Willingham v. Global Payments, Inc., 2013 WL 440702 (N.D. Ga. Feb. 5, 2013), Chief Magistrate Judge Janet F. King found the plaintiffs had failed to allege facts sufficient to support their claims that Global Payments violated three statutes–the federal Stored Communications Act (SCA), the federal Fair Credit Reporting Act (FCRA), and the Georgia Uniform Deceptive Trade Practices Act (UDTPA). She also found that the plaintiffs failed to plead adequate facts to support their negligence, breach of third-party beneficiary contract rights, and breach of implied contract claims.
 
Magistrate King held the plaintiffs’ SCA claim was flawed because they failed to plausibly allege Global Payments was the provider of an “electronic communications service,” i.e., the underlying Internet service by which payment card data was transferred, and because plaintiffs failed to allege Global “knowingly divulged” card data. She held the FCRA did not apply because plaintiffs did not allege Global is a consumer reporting agency, the reports Global sent to card brands were not consumer reports, and the card data was stolen, not “furnished” to the brands. She held the Georgia UDTPA claims were insufficient because the plaintiffs failed to plead they read and relied on Global’s statements regarding data security and because the only harm the plaintiffs identified was future harm based on speculative fears of identity theft.

Magistrate King rejected plaintiffs’ negligence claims because Global had no duty to the plaintiffs, who are not Georgia residents, under Georgia’s data breach notification statute, and because Global owed them no duty of care, given that it had no direct relationship with them. She found plaintiffs’ third-party beneficiary claim deficient because plaintiffs did not plausibly contend they were intended beneficiaries of the contracts between Global and its merchant customers. She recommended dismissal of the implied contract claims because plaintiffs failed to allege they “were aware of, much less relied on” Global’s statements about its services before plaintiffs submitted card data to merchants.

Magistrate King weighed whether to recommend plaintiffs’ claims should be dismissed because plaintiffs failed to allege an injury-in-fact sufficient to meet constitutional standing requirements. She concluded: “The failure of all Plaintiffs to plead that they were not reimbursed or that the charges were not removed appears to be a ‘direct result of plaintiffs’ inability to plead or prove’ actual identity theft. . . . Plaintiffs’ PII [personally identifiable information] does not have an inherent monetary value.” Magistrate King ultimately decided not to rule on Global’s motion to dismiss for lack of standing, recommending the court deny that motion as moot in light of her recommendation that plaintiffs’ claims should be dismissed for failure to state a claim for which relief could be granted.

The plaintiffs may ask District Court Judge Richard W. Story to reject or modify Magistrate King’s recommendation to dismiss the case. If Judge Story accepts Magistrate King’s recommendation, that will end the case in the trial court.