
    USAA FEDERAL SAVINGS BANK, Plaintiff, v. PLS FINANCIAL SERVICES, INC., PLS Group, Inc., The Payday Loan Store of Illinois, Inc., and PLS Check Cashers of Illinois, Defendants.
    No. 16 C 7911
    United States District Court, N.D. Illinois, Eastern Division.
    Signed October 23, 2018
    Charles David Kinder, Pro Hac Vice, Mark J. Barrera, Melanie L. Fry, Pro Hac Vice, Dykema Cox Smith, San Antonio, TX, Ashley Simone Anderson Jackson, Harry N. Arger, Molly E. Thompson, Dykema Gossett PLLC, Chicago, IL, for Plaintiff.
    Charles A. Valente, Heather Kuhn O'Toole, Kaplan Saunders Valente & Beninati, LLP, Stephen J. Siegel, Carl Michael Johnson, Rebekah Hava Parker, Novack and Macey LLP, Chicago, IL, for Defendants.
    OPINION AND ORDER
   SARA L. ELLIS, United States District Judge

After Plaintiff USAA Federal Savings Bank ("USAA") lost over $7,000,000 in a fraudulent check cashing scheme, USAA filed suit against Defendants PLS Financial Services, Inc., PLS Group, Inc., The Payday Loan Store of Illinois, Inc. (collectively, "PLS"), and PLS Check Cashers of Illinois ("PLS Check"). In its third amended complaint, USAA claims that PLS acted negligently in protecting USAA members' financial information so as to allow third parties to create fraudulent checks with that information and that PLS violated the Illinois Consumer Fraud and Deceptive Business Practices Act ("ICFA"), 815 Ill. Comp. Stat. 505/1 et seq. PLS moves for judgment on the pleadings with respect to USAA's negligence claim. Because the statute, regulations, and stipulated final judgment on which USAA relies do not provide a basis to state a negligence claim, the Court dismisses USAA's negligence claim.

BACKGROUND

USAA provides banking services to members and veterans of the United States military. PLS, through the four individually named Defendants, provides check cashing and payday lending services at approximately 300 retail locations in eleven states, including Illinois. The individual Defendants share common directors, officers, and office locations, with centralized recordkeeping and computer systems, and have similar business practices. PLS is not a bank and does not provide bank accounts to its customers. Instead, PLS charges customers a fee to cash checks, obtain money orders, and use other financial services.

As part of its business, PLS cashes checks drawn on USAA. In cashing these checks, as with any other checks, PLS obtains certain information about the drawer of the check and the bank on which the check is drawn from the face of the check, including the drawer's name, the check number, account number, bank routing number, drawer's signature, and MICR information. PLS makes an electronic copy of the check before forwarding the check to the drawer's bank for payment.

In October 2012, the Federal Trade Commission ("FTC") and PLS agreed to settle a suit brought by the FTC against PLS in which the FTC alleged that PLS

did not properly secure its customers' personal information. The stipulated final judgment required PLS to develop a comprehensive information security program to protect the security, confidentiality, and integrity of consumers' personal information, including consumers' names, addresses, and financial institution account numbers. PLS also agreed to take reasonable measures to protect against unauthorized access to or use of such information. PLS thereafter adopted several internal policies, requiring unique user IDs and difficult-to-guess passwords that users must change every thirty days.

Problems with unauthorized access to PLS customers' personal information continued, however. Specifically, a group of individuals engaged in a check-cashing scheme, creating counterfeit checks using information obtained from PLS employees. The government has charged or indicted at least nine individuals for their involvement in this scheme. To facilitate the scheme, PLS employees provided third parties with access to PLS' computer systems, allowing these third parties to copy check images and produce counterfeit checks based off those images. The checks ranged from between $5 and $10,000. The third parties then used these counterfeit checks, which included checks drawn on USAA, to obtain money through various schemes. PLS employees involved in the scheme took a portion of the illegally obtained funds when they were withdrawn through PLS. The payor banks on the counterfeit checks, including USAA, ultimately bore the loss because the checks were unauthorized, meaning the members on whose accounts the checks were drawn could not be held liable for them. USAA has discovered over 2,000 original checks from its members that members cashed at PLS and schemers subsequently counterfeited, causing USAA to incur $7,865,518.31 in damages associated with the payment of the forged checks.

In October 2014, USAA notified PLS of the counterfeiting and requested help in coordinating an investigation into the issue. Another bank in New York also notified PLS of a similar scheme in December 2014. PLS then began investigating the issue, learning that an individual accessed Digicheck, PLS' database of check images, from within PLS to obtain the information needed to create counterfeit checks. In February 2015, PLS found internal weaknesses related to application controls and memorialized these findings in an April 2015 memorandum. In addition to this investigation, PLS also undertook an audit in 2015, which revealed that PLS was not following its access control policies. Despite discovering these weaknesses, however, PLS did not act and instead allowed the fraudulent check scheme to continue. And while USAA implemented several rules to restrict fund availability in an attempt to respond to the check scheme, these efforts did not fully address the harm.

LEGAL STANDARD

A motion to dismiss under Rule 12(b)(6) challenges the sufficiency of the complaint, not its merits. Fed. R. Civ. P. 12(b)(6) ; Gibson v. City of Chicago , 910 F.2d 1510, 1520 (7th Cir. 1990). In considering a Rule 12(b)(6) motion to dismiss, the Court accepts as true all well-pleaded facts in the plaintiff's complaint and draws all reasonable inferences from those facts in the plaintiff's favor. AnchorBank, FSB v. Hofer , 649 F.3d 610, 614 (7th Cir. 2011). To survive a Rule 12(b)(6) motion, the complaint must not only provide the defendant with fair notice of a claim's basis but must also be facially plausible. Ashcroft v. Iqbal , 556 U.S. 662, 678, 129 S.Ct. 1937, 173 L.Ed.2d 868 (2009) ; see also Bell Atl. Corp. v. Twombly , 550 U.S. 544, 555, 127 S.Ct. 1955, 167 L.Ed.2d 929 (2007). "A claim has facial plausibility when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged." Iqbal , 556 U.S. at 678, 129 S.Ct. 1937.

ANALYSIS

PLS seeks the dismissal of USAA's negligence claim. To succeed on its negligence claim, USAA must establish that (1) PLS owed USAA a duty, (2) PLS breached that duty, and (3) PLS' breach proximately caused USAA injury. Rhodes v. Ill. Cent. Gulf R.R. , 172 Ill. 2d 213, 216 Ill.Dec. 703, 665 N.E.2d 1260, 1267 (1996). USAA contends that PLS' violation of various statutes, regulations, and orders constitutes prima facie evidence of negligence, relying on Kalata v. Anheuser-Busch Cos. , 144 Ill. 2d 425, 163 Ill.Dec. 502, 581 N.E.2d 656, 661 (1991) and Davis v. Marathon Oil Co. , 64 Ill. 2d 380, 1 Ill.Dec. 93, 356 N.E.2d 93, 97 (1976). These cases establish that USAA may have a negligence claim for violation of a statute, regulation, or order, notwithstanding the Court's prior conclusion that no common law duty exists to safeguard personal information. See Kalata , 163 Ill.Dec. 502, 581 N.E.2d at 661 ; Davis , 1 Ill.Dec. 93, 356 N.E.2d at 97. USAA cites to the Graham-Leach-Bliley Act ("GLBA") and two accompanying regulations, the Privacy of Consumer Financial Information Rule (the "Privacy Rule"), 16 C.F.R. § 313, and the Standards for Safeguarding Customer Information (the "Safeguards Rule"), 16 C.F.R. § 314, in addition to arguing that PLS violated a stipulated final judgment it entered into with the FTC. PLS argues that the statutes, regulations, and orders USAA cites do not create legally enforceable duties so as to sustain a negligence claim.

A. The GLBA, the Privacy Rule, and the Safeguards Rule

First, PLS argues that to the extent USAA's negligence claim depends on the GLBA, the Privacy Rule, and the Safeguards Rule, it fails because Congress did not intend to create a private right of action to enforce this statute and its regulations. To pursue a negligence claim based on a violation of a statute or regulation, USAA must show (1) that it falls within the class intended to be protected by the statute or regulation, and (2) the injury USAA suffered directly and proximately resulted from the violation. Kalata , 163 Ill.Dec. 502, 581 N.E.2d at 661. Additionally, because USAA seeks to enforce a federal statute and regulations, the Court "must also consider the policy underlying the legislation and the overriding purpose of the act" to determine if a private cause of action exists. Martin by Martin v. Ortho Pharm. Corp. , 169 Ill. 2d 234, 214 Ill.Dec. 498, 661 N.E.2d 352, 355 (1996). "The determining factor in addressing the issue of implied private rights with regard to Federal legislation is legislative intent." Id. The Court must consider "whether such a cause of action has been recognized by the Federal courts or whether recognizing such a cause of action comports with Federal legislative intent." Id.

PLS argues that Martin forecloses this part of USAA's claim because Congress did not intend to create a private right of action under the GLBA, the Privacy Rule, and the Safeguards Rule. Notwithstanding the GLBA's stated policy that "each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers' nonpublic personal information," 15 U.S.C. § 6801(a), it is well-recognized that the GLBA does not provide a private right of action to enforce its rules. Am. Fam. Mut. Ins. Co. v. Roth , No. 05 C 3839, 2005 WL 3700232, at *6-9 (N.D. Ill. Aug. 5, 2005) ("In light of Congress's carefully crafted enforcement and rule-making scheme-which entrusts enforcement of the [GLBA] to federal and state agencies, while making no provision for private enforcement-all the courts that have considered the question of the existence of an implied claim or cause of action have concluded that none exists." (collecting cases) ), report & recommendation adopted , 2006 WL 2192004 (N.D. Ill. July 27, 2006) ; see also Butler v. CitiMortgage, Inc. , No. 17 C 05168, 2017 WL 3620744, at *4 (N.D. Ill. Aug. 23, 2017) (collecting cases). Similarly, the lack of a private right of action under the GLBA forecloses a right of action under its regulations, including the Privacy Rule and the Safeguards Rule, for the agency cannot create a private right of action not authorized by Congress. See Alexander v. Sandoval , 532 U.S. 275, 291, 121 S.Ct. 1511, 149 L.Ed.2d 517 (2001) ("Language in a regulation may invoke a private right of action that Congress through statutory text created, but it may not create a right that Congress has not."); Briggs v. Emporia State Bank & Tr. Co. , No. 05-2125-JWL, 2005 WL 2035038, at *4 (D. Kan. Aug. 23, 2005) (noting that regulations cannot create private rights of action where no right exists under the authorizing statute and concluding that "regulations promulgated under [the GLBA] cannot provide such a right of action" where the GLBA itself does not provide a private right of action).

This does not mean, as USAA argues, that PLS had no duty to safeguard personal information and is "invulnerable to these laws." See Doc. 103 at 1, 9. It only means that USAA cannot enforce violations of these rules, with enforcement left instead to state and federal regulators. See Am. Fam. Mut. Ins. Co. , 2005 WL 3700232, at *10 (noting that "[d]enying the kind of enforcement authority that Congress chose not to accord financial institutions does not leave misappropriators free to use with impunity the fruits of their illicit endeavors"); 15 U.S.C. § 6805 (GLBA's enforcement provision providing that the GLBA and its regulations "shall be enforced by the Bureau of Consumer Financial Protection, the Federal functional regulators, the State insurance authorities, and the Federal Trade Commission"). Because the GLBA, the Privacy Rule, and the Safeguards Rule do not allow for a private right of action, following Martin , USAA's negligence claim based on these rules fails.

B. FTC Stipulated Final Judgment

USAA also argues that the stipulated final judgment between PLS and the FTC creates a duty because it is an administrative order designed to protect property. See Davis , 1 Ill.Dec. 93, 356 N.E.2d at 97 ("We find no convincing reason why violation of administrative rules, regulations, and orders designed to protect human life or property should not also be considered Prima facie evidence of negligence, provided they are validly adopted and have the force of law."). The parties disagree about how to characterize the stipulated final judgment and whether USAA, a non-party to that judgment, can enforce it.

As USAA acknowledges, the stipulated final judgment between PLS and the FTC amounts to a consent decree, with "the parties' agreement ... serv[ing] as the source of the court's authority to enter any judgment at all." Local No. 93, Int'l Ass'n of Firefighters, AFL-CIO C.L.C. v. City of Cleveland , 478 U.S. 501, 521, 106 S.Ct. 3063, 92 L.Ed.2d 405 (1986). The Supreme Court has held that "a consent decree is not enforceable directly or in collateral proceedings by those who are not parties to it even though they were intended to be benefited by it." Blue Chip Stamps v. Manor Drug Stores , 421 U.S. 723, 750, 95 S.Ct. 1917, 44 L.Ed.2d 539 (1975). Many courts have interpreted this ruling narrowly, allowing intended third-party beneficiaries to sue to enforce a consent decree. See United States v. Dominion Energy, Inc. , No. 13-cv-03086, 2014 WL 1476600, at *8-9 (C.D. Ill. Apr. 15, 2014) (collecting cases and noting that the Seventh Circuit, in South v. Rowe , 759 F.2d 610 (7th Cir. 1985), allowed such intervention to enforce a consent decree without citing to Blue Chip Stamps ). But such an exception "does not apply to consent decrees resulting from actions brought by the government." Hodges by Hodges v. Pub. Bldg. Comm'n of Chicago , 864 F.Supp. 1493, 1508-09 (N.D. Ill. 1994). The stipulated final judgment at issue here, in a case brought by the FTC, does not provide for enforcement by USAA or other third parties. This means that USAA cannot pursue its negligence claim against PLS based on obligations set forth in the stipulated final judgment, where such a claim amounts to a collateral proceeding to enforce PLS' obligations under that judgment. See Jawad v. Hudson City Sav. Bank , 636 F. App'x 319, 322 (6th Cir. 2016) (affirming dismissal of negligence claim for lack of duty where plaintiffs claimed the duty arose from consent judgment, but plaintiffs were not parties to that judgment). The Court therefore dismisses USAA's negligence claim predicated on the stipulated final judgment.

C. USAA's Request to Amend

In its response to PLS' motion, USAA included a request to amend to include the violation of the Illinois Personal Information Protection Act as a basis for a prima facie negligence claim. The Court granted USAA leave to file a third amended complaint after USAA made this request. Despite having previously identified the Illinois Personal Information Protection Act as a potential basis for such claim, USAA did not include it as a basis for its negligence claim in the third amended complaint. Having considered the viability of USAA's evolving negligence claim on more than one occasion and allowed USAA to amend its complaint three times, the Court finds USAA's latest attempt to salvage its negligence claim comes too late. For that reason, the Court denies USAA's request for leave to amend and dismisses USAA's negligence claim with prejudice.

CONCLUSION

For the foregoing reasons, the Court grants PLS' motion for judgment on the pleadings [87]. The Court dismisses the negligence claim (Count I) with prejudice. 
      
      The Payday Loan Store of Illinois, Inc. is now known as PLS Financial Solutions of Illinois, Inc.
     
      
      PLS filed its motion for judgment on the pleadings with respect to USAA's second amended complaint. After the parties completed briefing on the motion, USAA moved for leave to file a third amended complaint that added PLS Check as a party and included additional facts to support its claims. The parties acknowledged that the third amended complaint does not affect the legal arguments at issue. But because PLS has not yet filed an answer to the third amended complaint, the Court treats PLS' motion as one to dismiss the negligence claim in the third amended complaint. Although PLS Check has not yet filed an appearance in the case, because PLS' arguments for dismissal apply equally to PLS Check, the Court extends them to PLS Check because USAA had the opportunity to respond to them. See Malak v. Associated Physicians, Inc. , 784 F.2d 277, 280 (7th Cir. 1986) (court may sua sponte enter judgment in favor of additional non-moving defendants if motion by one defendant is equally effective in barring claim against other defendants and plaintiff had adequate opportunity to respond to the motion); Roberts v. Cendant Mortg. Corp. , No. 1:11-CV-01438-JMS, 2013 WL 2467996, at *5 (S.D. Ind. June 7, 2013) (although three defendants had not entered appearances and it was not clear if they had been served, court could impute arguments made by other defendant to all of them and dismiss claims against all defendants).
     
      
      The facts in the background section are taken from USAA's third amended complaint and the exhibits attached thereto and are presumed true for the purpose of resolving PLS' motion. See Virnich v. Vorwald , 664 F.3d 206, 212 (7th Cir. 2011) ; Local 15, Int'l Bhd. of Elec. Workers, AFL-CIO v. Exelon Corp. , 495 F.3d 779, 782 (7th Cir. 2007).
     
      
      MICR stands for magnetic ink character recognition. The MICR information contains certain encoded information used to verify the legitimacy of checks.
     
      
      The Court notes that PLS' current argument seeking dismissal of the negligence claim differs from the argument it raised to oppose the filing of USAA's second amended complaint. In opposing that filing, PLS argued that the statutes, regulations, and orders on which USAA relied did not apply to the relationship between USAA and PLS because they relate to the protection of a financial institution's customers' information and not PLS' handling of non-customers' personal information. See Doc. 53 at 2. The Court allowed USAA to file its amended negligence claim, concluding that USAA had set forth a sufficient basis to proceed, particularly in light of legislative history suggesting that the Safeguards Rule covered more than just a financial institution's own customers' information. Id. Although the Court indicated it would not entertain a motion to dismiss the negligence claim, id. at 1, PLS has raised a different basis for dismissal, which the Court finds appropriate to address here.
     