The opinion of the court was delivered by: William W. Caldwell United States District Judge
Plaintiff, Sovereign Bank, filed this lawsuit against defendants, BJ's Wholesale Club, Inc., and Fifth Third Bank, after Sovereign incurred losses when its customer's Visa card numbers were stolen from a computer file maintained by BJ's. The losses were mainly for the cost of issuing new credit cards to replace the ones that had been compromised by the theft and for the cost of reimbursing those card holders who had suffered unauthorized charges to their accounts.
We previously resolved the defendants' motions to dismiss the original complaint, see Sovereign Bank v. Fifth Third Bank, 395 F. Supp. 2d 183 (M.D. Pa. 2005), and Sovereign has now filed an amended complaint, which sets forth claims against BJ's for negligence (count I), breach of fiduciary duty (count II), and promissory estoppel (count III), and against Fifth Third for breach of contract (count IV) and promissory estoppel (count V).
We are considering the defendants' separate motions to dismiss the amended complaint under Fed. R. Civ. P. 12(b)(6). In considering the motions, we must accept as true the factual allegations in the complaint and construe any inferences to be drawn from them in Plaintiff's favor. See Mariana v. Fisher, 338 F.3d 189, 195 (3d Cir. 2003). We may dismiss a complaint under Fed. R. Civ. P. 12(b)(6) only if it is clear that no relief could be granted to Plaintiff under "any set of facts that could be proven consistent with the allegations." Ramadan v. Chase Manhattan Corp., 229 F.3d 194, 195 (3d Cir. 2000). The court is not limited to evaluating the complaint alone; it can also consider documents attached to the complaint, matters of public record, and other documents that are indisputably authentic. Pension Ben. Guar. Corp. v. White Consol. Indus., 998 F.2d 1192, 1196 (3d Cir. 1993). The court may also consider "documents whose contents are alleged in the complaint and whose authenticity no party questions," even though they "are not physically attached to the pleading . . . ." Pryor v. Nat'l Collegiate Athletic Ass'n, 288 F.3d 548, 560 (3d Cir. 2002).
The amended complaint alleges the following. Sovereign is a federal savings and loan association with its principal place of business in Wyomissing, Pennsylvania. (Doc. 19, Am. Compl. ¶ 1.) Visa is a "membership association" owned and controlled by its members. (Id. ¶¶ 5 and 7.) An "issuing member" issues Visa cards to cardholders; the relationship is contractual. (Id. ¶ 9.) An "acquiring member" enters into contracts with "merchants," (id. ¶ 10), to process card transactions at the retail end. For the purposes of the lawsuit, Sovereign is an issuing bank and Fifth Third an acquiring bank. (Id. ¶¶ 12 and 13.) A "merchant" allows cardholders to access the Visa payment system by using their Visa cards to pay for the goods or services the merchant offers. (Id. ¶ 11.)
As established in our prior memorandum, Fifth Third and BJ's have contracted by way of two merchant agreements. One governs the processing of debit-card transactions and the other credit-card transactions. Both contain the following language, quoting in pertinent part from paragraph 16 of each agreement: "This agreement is for the benefit of, and may be enforced only by, Bank and Merchant and their respective successors and permitted transferees and assignees, and is not for the benefit of, and may not be enforced by, any third party." Sovereign Bank, supra, 395 F. Supp. 2d at 189.
"Visa has developed extensive by-laws, operating regulations and other programs to ensure the consistency, reliability and security of the payment system." (Id. ¶ 6.) To become a member of Visa, a financial institution must agree in a "Member Agreement" to abide by Visa's Operating Regulations. (Id. ¶ 15.) A merchant also agrees to abide by the Operating Regulations. (Id. ¶ 17.) The Operating Regulations "require]" an acquiring bank like Fifth Third to "ensure that BJ's complies with the Operating Regulations. (Id. ¶¶ 59 and 68.) The Operating Regulations prohibit a merchant from storing or retaining cardholder information. (Id. ¶¶ 22, 51.)
A bank card contains account information on the cardholder in a magnetic stripe on the back of the card. (Id. ¶ 18).) To complete a transaction, the merchant often runs the card through a magnetic-stripe terminal, which acquires the cardholder information and sends it to the issuing bank. (Id. ¶¶ 18 and 19.) The issuing bank then reviews the information and if everything is valid, approves the transaction. (Id. ¶ 20.) The merchant then completes the transaction with the cardholder. (Id. ¶ 21.)
Sovereign cardholders used their Visa cards at BJ's. (Id. ¶ 24.) "Believing that BJ's would comply with the Operating regulations, Sovereign surrendered the Cardholder Information of its cardholders to BJ's." (Id. ¶ 26.) "Sovereign justifiably trusted" that BJ's would use the information to "obtain[ ] authorizations and would not store or retain" the cardholder information. (Id. ¶ 27.) However, BJ's did retain the information after Sovereign had approved the transactions, rather than delete it as required by the Operating Regulations. (Id. ¶ 28.)
Thereafter, third parties obtained the cardholder information to make unauthorized purchases. (Id. ¶ 29-31.) Sovereign paid for the fraudulent transactions and incurred other damages: the expense of issuing new cards, the loss of fees and commissions while the cards were being replaced, and loss of good will. (Id. ¶¶ 34 and 35.)
For the negligence claim against BJ's in count I, Sovereign alleges that "BJ's had a duty to exercise reasonable care in deleting or erasing cardholder information after a transaction had been approved and/or safeguard such information," (id. ¶ 37), breached that duty by failing to delete the information after Sovereign had approved the transaction, (id. ¶ 39), and that as a result, the cardholder information was lost, causing damage to Sovereign. (Id. ¶¶ 41 and 42.)
For the fiduciary duty claim against BJ's in count II, Sovereign alleges that:
45. A fiduciary relationship exists between Sovereign and BJ's by virtue of the trust Sovereign placed in BJ's when it surrendered the Cardholder Information of its cardholders to BJ's believing that BJ's would comply with the Operating Regulations.
46. This relationship required BJ's to utilize the Cardholder Information for the limited purpose of obtaining authorizations for customer purchases.
47. Because BJ's was expressly prohibited by the Operating regulations to store and retain the Cardholder Information . . .
Sovereign justifiably trusted that BJ's would not retain and store the Cardholder Information . . . . (Id. ¶¶ 45-47.) BJ's breached its duty by retaining and storing the information, ...