Citations

Full opinion text

MEMORANDUM AND OPINION LEE H. ROSENTHAL, District Judge. In January 2009, Heartland Payment Systems, Inc. (“Heartland”) publicly disclosed that hackers had breached its computer systems and obtained access to confidential payment-card information for over one hundred million consumers. Consumers and financial institutions filed suits across the nation. The Judicial Panel on Multidistrict Litigation consolidated those cases before this court. The cases have proceeded on two tracks, one for the Consumer Plaintiffs and one for the Financial Institution Plaintiffs. The Financial Institution Plaintiffs filed a master complaint asserting causes of action for breach of contract and implied contract, negligence and negligence per se, negligent and intentional misrepresentation, and violations of consumer-protection statutes in New Jersey and other states. (Docket Entry No. 32). Heartland moved to dismiss. (Docket Entry No. 39). After this court dismissed claims filed by some of the Financial Institution Plaintiffs against the banks that contracted with Heartland, (Docket Entry No. 117), the parties supplemented their briefs. (Docket Entry Nos. 122, 124, 127, 131, 133-35). Based on the master complaint, the motion, the extensive briefing, and the relevant law, this court grants the motion to dismiss in part and denies it in part. The specific rulings are as follows: (1) The motion to dismiss is granted with prejudice and without leave to amend as to the claims for negligence and for violations of the New Jersey Consumer Fraud Act, the New York consumer protection law, and the Washington Consumer Protection Act. (2) The motion to dismiss is granted without prejudice and with leave to amend as to the following claims: breach of contract; breach of implied contract; express misrepresentation; negligent misrepresentation based on nondisclosure; and violations of the California Unfair Competition Law, the Colorado Consumer Protection Act, the Illinois Consumer Fraud and Deceptive Business Practices Act, and the Texas Deceptive Trade Practices— Consumer Protection Act. (3) The motion to dismiss is denied as to the claim brought under the Florida Deceptive and Unfair Trade Practices Act. The reasons for these rulings are explained in detail below. The Financial Institution Plaintiffs must file an amended complaint no later than December 23, 2011. A status conference is set for January 13, 2012, at 8:30 a.m. in Courtroom 11-B. I. Background Every day, merchants swipe millions of customers’ payment cards. In the seconds that pass between the swipe and approval (or disapproval), the transaction information goes from the point of sale, to an acquirer bank, across the credit-card network, to the issuer bank, and back. Acquirer banks contract with merchants to process their transactions, while issuer banks provide credit to consumers and issue payment cards. The acquirer bank receives the transaction information from the merchant and forwards it over the network to the issuer bank for approval. If the issuer bank approves the transaction, that bank sends money to cover the transaction to the acquirer bank. The acquirer bank then forwards payment to the merchant. A bank often acts as both an issuer and an acquirer. Banks frequently outsource the processing functions to companies specializing in that service. Visa and MasterCard are two of the largest credit-card networks. They neither issue cards nor contract with merchants to process transactions. Instead, acquirer and issuer banks contract with them for access to the Visa and MasterCard networks. Visa and MasterCard, like the other credit-card networks, impose extensive regulations on acquirer and issuer banks. Visa and MasterCard require the banks they contract with to impose these regulations on the merchants who submit transactions for processing and on the entities that process the transactions. The Financial Institution Plaintiffs are nine banks suing as issuer banks. Heartland, the defendant, processes merchant transactions on behalf of two acquirer banks, Heartland Bank and KeyBank, N.A. (Docket Entry No. 42, Exs. 4, 5). Heartland’s contracts with KeyBank and Heartland Bank required Heartland to comply with Visa and MasterCard network regulations. (Id., Ex. 4, ¶ 1.1(f); Ex. 5, ¶ 1.1(f)). To the extent that the terms of Heartland’s contracts with these and other banks differed from the Visa and MasterCard regulations, the regulations governed. (Id., Ex. 4, ¶ 1.1(h); Ex. 5, ¶ l.l(i)). Beginning at least as early as December 2007, three hackers — an American, Albert Gonzalez, and two unknown Russians — infiltrated Heartland’s computer systems. (Docket Entry No. 32, ¶¶ 35, 63-64). The hackers installed programs that allowed them to capture some of the payment-card information stored on the Heartland computer systems. (Id., ¶ 65). In late October 2008, Visa alerted Heartland to suspicious account activity. Heartland, with Visa and MasterCard and others, investigated. (Id., ¶ 35). Heartland discovered suspicious files in its systems on January 12, 2009. A day later, Heartland uncovered the program creating those files. (Id., ¶ 37). That program provided the hackers with access to data on the systems. (Id., ¶¶ 41-42). On January 20, Heartland publicly announced the data breach. (Id., ¶ 38). The hackers obtained payment-card numbers and expiration dates for approximately 130 million accounts. (Id., ¶ 5). For some of these accounts, the hackers also obtained cardholder names. (Id., ¶ 44). They did not obtain any cardholder addresses, however, which meant that the stolen card information generally could be used only for in-person transactions. (Id., ¶ 70). The Financial Institution Plaintiffs allege that this data breach resulted from Heartland’s failure to follow industry security standards known as PCI-DSS. (See id., ¶¶ 53-62). After the breach, the Financial Institution Plaintiffs incurred significant expenses replacing payment cards and reimbursing fraudulent transactions. (Id., ¶ 78). The master complaint asserts ten causes of action: (I) breach of Heartland’s contracts with Heartland Bank, KeyBank, and its merchants, to which the Financial Institution Plaintiffs are third-party beneficiaries; (II) negligence; (III) breach of an implied contract to the Financial Institution Plaintiffs; (IV) negligence per se; (V) negligent misrepresentation; (VI) intentional misrepresentation; (VII) violations of the New Jersey Consumer Fraud Act; and (VIII, IX, and X) violations of other states’ consumer-protection laws. The complaint seeks class certification. Heartland has moved to dismiss the complaint in its entirety. (Docket Entry No. 39). Its arguments, and the Financial Institution Plaintiffs’ responses, are addressed in detail below. II. Rule 12(b)(6) A complaint may be dismissed when the plaintiff fails “to state a claim upon which relief can be granted.” Fed. R. Civ. P. 12(b)(6). In Bell Atlantic Corp. v. Twombly, 550 U.S. 544, 555, 127 S.Ct. 1955, 167 L.Ed.2d 929 (2007), and Ashcroft v. Iqbal, 556 U.S. 662, 129 S.Ct. 1937, 1949-50, 173 L.Ed.2d 868 (2009), the Supreme Court confirmed that Rule 12(b)(6) must be read in conjunction with Rule 8(a), which requires “a short and plain statement of the claim showing that the pleader is entitled to relief.” Fed. R. Civ. P. 8(a)(2). A complaint must contain “enough facts to state a claim to relief that is plausible on its face” to withstand a Rule 12(b)(6) motion. Iqbal, 129 S.Ct. at 1949. “A claim has facial plausibility when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Id. Facial plausibility “does not require ‘detailed factual allegations,’ but it demands more than an unadorned, the-defendant-unlawfully-harmed-me accusation.” Id. (quoting Twombly, 550 U.S. at 555, 127 S.Ct. 1955). Nor is facial plausibility “akin to a ‘probability requirement’ rather, “it asks for more than a sheer possibility that a defendant has acted unlawfully.” Iqbal, 129 S.Ct. at 1949 (quoting Twombly, 550 U.S. at 556, 127 S.Ct. 1955). Facial plausibility requires “the plaintiff [to] plead[] factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Iqbal, 129 S.Ct. at 1949. “Where a complaint pleads facts that are ‘merely consistent with’ a defendant’s liability, it ‘stops short of the line between possibility and plausibility of entitlement to relief.’ ” Id. (quoting Twombly, 550 U.S. at 557, 127 S.Ct. 1955). Wfiien a plaintiffs complaint fails to state a claim, a district court generally should provide the plaintiff at least one chance to amend the complaint under Rule 15(a) before dismissing the action with prejudice. See Great Plains Trust Co. v. Morgan Stanley Dean Witter & Co., 313 F.3d 305, 329 (5th Cir.2002) (“district courts often afford plaintiffs, at least one opportunity to cure pleading deficiencies before dismissing a case”); see also United States ex rel. Adrian v. Regents of the Univ. of Cal., 363 F.3d 398, 403 (5th Cir.2004) (“Leave to amend should be freely given, and outright refusal to grant leave to amend without a justification ... is considered an abuse of discretion.” (internal citation omitted)). “Denial of leave to amend may be warranted for undue delay, bad faith or dilatory motive on the part of the movant, repeated failure to cure deficiencies, undue prejudice to the opposing party, or futility of a proposed amendment.” United States ex rel. Steury v. Cardinal Health, Inc., 625 F.3d 262, 270 (5th Cir.2010) (emphasis added). A district court has broad discretion to dismiss a complaint without leave to amend “where the plaintiff has previously been granted leave to amend [to cure pleading deficiencies] and has subsequently failed to add the requisite particularity to its claims[.]” Zucco Partners, LLC v. Digimarc Corp., 552 F.3d 981, 1007 (9th Cir.2009); see also Carroll v. Fort James Corp., 470 F.3d 1171, 1175 (5th Cir.2006) (affirming a district court’s dismissal for failure to state a claim without leave to amend after the court “instructed [the plaintiffs] to plead their fraud claim with greater particularity, but the amended complaint was still woefully inadequate”). III. Analysis A. The Contract and Implied Contract Claims The master complaint asserts claims for breach of contract and breach of implied contract. The Financial Institution Plaintiffs base these claims, “without limitation,” on Heartland’s contracts with: (1) its merchants; (2) Heartland Bank and Key-Bank; and (3) Visa and MasterCard. (Docket Entry No. 32, ¶ 95). They allege that the contracts create duties to safeguard payment-card information. (Id., ¶ 96). The Financial Institution Plaintiffs assert that they are intended third-party beneficiaries of those contracts and that, “[u]nder the circumstances, recognition of a right to performance by [the Financial Institution Plaintiffs] is appropriate to effectuate the intentions of the parties to these contracts.” (Id., ¶ 97). They contend that Heartland breached the contracts by “failing to adequately safeguard ... sensitive financial information” of their customers, resulting in the Financial Institution Plaintiffs’ financial harm. (Id., ¶ 98). Heartland notes that the master complaint does not precisely identify the allegedly breached contracts. Heartland submits what it contends to be the relevant contracts: its contracts with Heartland Bank and KeyBank and an “exemplar” of a contract with a merchant. (Docket Entry No. 40, at 35, 41; Docket Entry No. 42, Exs. 4-6). An affidavit from a Heartland attorney states that these were the only types of contracts in effect at the time of the data breach. (See Docket Entry No. 41, ¶¶ 6-8). A court ordinarily may not go outside the pleadings in considering a motion to dismiss. Scanlan v. Tex. A & M Univ., 343 F.3d 533, 536 (5th Cir.2003). The Fifth Circuit “recognize[s] one limited exception” for documents attached to a motion to dismiss “that are referred to in the plaintiffs complaint and are central to the plaintiffs claim.” Id.; accord, e.g., Rodriguez v. Rutter, 310 Fed.Appx. 623, 626 (5th Cir.2009). The contracts on which Heartland relies meet this standard. 1. The Contracts with the Acquirer Banks The Financial Institution Plaintiffs allege that Heartland’s contracts with Heartland Bank and KeyBank required Heartland to take “appropriate steps to safeguard the sensitive financial information” of the Financial Institution Plaintiffs’ customers. (Docket Entry No. 32, ¶ 96). The Financial Institution Plaintiffs assert that they are intended third-party beneficiaries to these contracts. (Id., ¶ 97). Heartland disagrees. According to Heartland, the contracts do not show an intent primarily to benefit the Financial Institution Plaintiffs. Even if the contracts showed such an intent, Heartland argues, the Financial Institution Plaintiffs still cannot recover because they are not creditor or donee beneficiaries of the contracts. Heartland further contends that the incorporated Visa and MasterCard regulations preclude third-party claims. Finally, Heartland argues that even if the Financial Institution Plaintiffs are third-party beneficiaries of the contracts, the allegations are too conclusory to state a plausible breach of contract claim. (See Docket Entry No. 40, at 37-39). a. The Heartland Bank Contract Heartland’s contract with Heartland Bank contains a choice-of-law provision specifying Missouri law. (Docket Entry No. 42, Ex. 4, ¶ 4.11). The parties do not dispute that Missouri law applies. Under Missouri law, “[o]nly parties to a contract and any third-party beneficiaries of a contract have standing to enforce that contract.” Verni v. Cleveland Chiropractic Coll., 212 S.W.3d 150, 153 (Mo.2007). Intended beneficiaries qualify as third-party beneficiaries, but incidental beneficiaries do not. See id. A third party is an intended beneficiary only when “the contract clearly expresses] intent to benefit that party or an identifiable class of which the party is a member.” Id. (internal quotation marks omitted). Absent such express language, “there is a strong presumption ... that the parties contracted only to benefit only themselves.” Id. (internal quotation marks omitted). In recent eases, the Missouri Supreme Court has held that a court must limit itself to examining the contract language in determining third-party beneficiary status. In Nitro Distributing, Inc. v. Dunn, 194 S.W.3d 339 (Mo.2006), the court explained that, “[t]o be bound as a third-party beneficiary, the terms of the contract must clearly express intent to benefit that party or an identifiable class of which the party is a member.” Id. at 345 (emphasis added). Looking only to the contract, and not to extrinsic evidence, the court concluded that the contract “expressed no intent whatsoever to benefit” the asserted third parties. Id. In Netco, Inc. v. Dunn, 194 S.W.3d 353 (Mo.2006), decided on the same day, the state supreme court again limited its consideration to the contract language. See id. at 358. In that case, the defendant, an Amway distributor, argued that the plaintiff was bound to the Amway franchise contract as a third-party beneficiary because the plaintiff conceded that “it relied on and profited from [the] relationship, a relationship predicated on the Amway Rules of Conduct and [the defendant’s] status as an Amway distributor^]” Id. (internal quotation marks omitted). The court found this concession irrelevant, explaining that “the mere fact [of] a mutually beneficial relationship ... does not make [the plaintiff] a third-party ' beneficiary.” Id. The court once again considered only the contract language and found no express statement of intent to make the plaintiff a third-party beneficiary. See id. The Missouri Supreme Court recently reaffirmed its narrow focus on contract language in determining third-party beneficiary status. In Verni v. Cleveland Chiropractic College, a student — upset with his college after it fired a favorite professor — argued that he was a third-party beneficiary of the professor’s employment contract with the college. 212 S.W.3d at 152-53. The court quoted Nitro Distributing ’s requirement that the contract clearly state the parties’ intent to confer third-party beneficiary status. Id. at 153. The court emphasized its resolution of the issue “by examining the contract’s language,” id., citing OFW Corporation v. City of Columbia, 893 S.W.2d 876, 879 (Mo.Ct.App.1995). In OFW, the Missouri Court of Appeals held that, “[i]n determining whether plaintiff was a third-party beneficiary to the contract, the question of intent is paramount and is to be gleaned from the four comers of the contract.” Id. (internal quotation marks and alterations omitted; emphasis added). The Vemi court succinctly applied this rule to the professor’s employment contract: The contract is a one-page document providing that [the professor] would be a full-time faculty member ... for one year. The contract required him to be on campus a certain amount of time each week and outlined his teaching duties. In return, the contract provided ... salary and employment benefits. Although the contract might incidentally provide a benefit to ... students, it does not clearly express any intent that [the professor] was undertaking a duty to benefit [the plaintiff] or a class of students. 212 S.W.3d at 153. The court considered no extrinsic evidence. It concluded that the student was not entitled to third-party beneficiary status because the contract did not “directly and clearly express the intent to benefit [the plaintiff] or any class of which [he] claims to be a member.” Id. Under Missouri law, this court must look only to the contract terms in determining whether there was a direct and clear expression of intent to benefit the third party — in this case, the Financial Institution Plaintiffs. The contract between Heartland and Heartland Bank states: [Heartland] will safeguard, and hold confidential from disclosure to unauthorized persons, all data relating to Bank business received by [Heartland] pursuant to this Agreement to the same extent that [Heartland] safeguards data relating to its own business!.] (Docket Entry No. 42, Ex. 4, ¶ 4.3(b)). The contract contains an identical promise by Heartland Bank to Heartland. (Id., ¶ 4.3(a)). This exchange of promises does not state an intent to benefit anyone other than the contracting parties. There is no clearly expressed intent to convey any enforceable right to the Financial Institution Plaintiffs or to any class to which they belong. The contract refers to data relating to the business of the contracting parties, indicating an intent to protect the contracting parties’ businesses from unauthorized disclosures. The Financial Institution Plaintiffs acknowledge that Heartland’s failure to protect consumer payment-card data would harm Heartland’s own business. (See Docket Entry No. 32, ¶¶ 57-60). The Financial Institution Plaintiffs cite the contract’s requirement that Heartland indemnify Heartland Bank's “affiliates!.]” (Docket Entry No 42, Ex. 4, ¶ 4.5(a)). But this indemnification clause does not show an intent primarily to benefit the Financial Institution Plaintiffs. The term “affiliate” means “[a] corporation that is related to another corporation by shareholdings or other means of control; a subsidiary, parent, or sibling corporation.” Black’s Law Dictionary 63 (8th ed. 2004); see also Nitro Distrib., 194 S.W.3d at 349 (“courts will enforce contracts according to their plain meaning”). The Financial Institution Plaintiffs are not “affiliates” of Heartland Bank within the word’s common meaning. Heartland’s motion to dismiss based on the Heartland Bank contract is granted with prejudice and without leave to amend because amendment would be futile. The Financial Institution Plaintiffs emphasize that they have not had a chance to conduct discovery into whether there are other contracts in this category with provisions expressly and directly stating an intent to make them third-party beneficiaries. (Docket Entry No. 50, at 42-43, 45). Leave to amend is granted only insofar as the Financial Institution Plaintiffs are able to plead plausibly that they are third-party beneficiaries to other contracts between Heartland and Heartland Bank. b. The KeyBank Contract This court previously reviewed Ohio law on third-party beneficiaries in the related case against KeyBank and found the complaint insufficient to state a claim that the issuer banks were third-party beneficiaries to the contract between KeyBank and Heartland. The contract language itself did not show an intent to benefit third parties. Because Ohio law, unlike Missouri law, allows consideration of evidence beyond the contract terms to determine third-party beneficiary status, it was appropriate to grant the issuer banks leave to amend. This court also found that the Financial Institution Plaintiffs had failed to identify any provision of the KeyBank contract that Heartland had breached. (Docket Entry No. 117, at 27-32). For essentially the same reasons set out in the March 31, 2011 memorandum and order, 2011 WL 1232352, the claims based on the KeyBank contract asserted by the Financial Institution Plaintiffs in this case must also be dismissed. Heartland advances an additional reason to dismiss in this case. The damages the Financial Institution Plaintiffs seek are consequential damages, which the KeyBank contract excludes absent a willful breach. (Docket Entry No. 40, at 40-41). The KeyBank contract states that “damages will be limited to general money damages in an amount not to exceed the actual damages of the party. In no case will the other party be responsible for special, incidental, consequential or exemplary damages, except for willful breach of this Agreement.” (Docket Entry No. 42, Ex. 5, ¶4.7). Damages-limitation clauses are generally enforceable under Ohio law. E.g., Skurka Aerospace, Inc. v. Eaton Aerospace, L.L.C., 781 F.Supp.2d 561, 571-72 (N.D.Ohio 2011); TLC Healthcare Servs., L.L.C. v. Enhanced Billing Servs., L.L.C., No. L-08-1121, 2008 WL 3878349, at *3 (Ohio Ct.App. Aug. 22, 2008); Morantz v. Ortiz, No. 07AP-597, 2008 WL 642630, at *7 (Ohio Ct.App. Mar. 11, 2008) (collecting cases). When a contract limits recovery to direct damages, a plaintiff may recover only the difference between the amount paid and the value received. See Nat’l Mulch & Seed, Inc. v. Rexius Forest By-Products Inc., No. 2:02-cv-1288, 2007 WL 894833, at *6 n. 3 (S.D.Ohio Mar. 22, 2007); see also Wartsila NSD N. Am., Inc. v. Hill Int’l, Inc., 530 F.3d 269, 278 (3d Cir.2008) (limiting recovery for a breach in a service contract that excluded consequential damages to “the amount paid ... for [the] services, less the actual value, if any, of those services”); Reynolds Metals Co. v. Westinghouse Elec. Corp., 758 F.2d 1073, 1080 (5th Cir.1985) (same). The damages the Financial Institution Plaintiffs seek are not the difference between the contract price and the value of the payment-card services. Instead, the Financial Institution Plaintiffs seek the costs they incurred in covering fraudulent transactions and replacing payment cards after the hacker intrusion into the Heartland computer systems. These costs are consequential damages, available only if the contract breach is willful. The master complaint alleges insufficient facts to assert a willful breach. See, e.g., Said v. SBS Elecs., Inc., No. CV 08-3067(RJD)(JO), 2010 WL 1265186, at *8 (E.D.N.Y. Feb. 24, 2010) (dismissing a complaint containing conclusory allegations of willfulness), adopted as modified on other grounds in 2010 WL 1287080 (E.D.N.Y. Mar. 31, 2010). The breach of contract allegations based on the KeyBank contract are dismissed, without prejudice and with leave to amend. 2. The Merchant Processing Agreements Heartland argues that its Merchant Processing Agreements (“Agreements”), an exemplar of which it has produced, do not provide a basis for recovery for breach of contract. The Agreements provide that New Jersey law applies. (Docket Entry No. 42, Ex. 6, ¶ 14.12). The parties do not dispute the application of New Jersey law. Heartland contends that the Financial Institution Plaintiffs cannot state a claim for breach of contract because: (1) they are not intended third-party beneficiaries of the Agreements; (2) they have not sufficiently pleaded a breach of those Agreements; and (3) the Agreements do not allow recovery for consequential damages. (Docket Entry No. 40, at 41-44). The third contention is dispositive. Under the Agreements, Heartland’s “sole liability ... shall be to correct ... any data in which errors have been caused by [Heartland.]” (Docket Entry No. 42, Ex. 6, ¶ 8.5). The Agreements state that “Heartland shall have no other liability whatsoever to Merchant, and Merchant hereby expressly wa[i]ves any claim against [Heartland] for indirect, special, exemplary, incidental or consequential damages or lost profits or interest.” (Id,., ¶ 8.7). New Jersey generally enforces damages-limitation clauses between businesses. 66 VMD Assocs., LLC v. Melick-Tully & Assocs., P.C., No. L-6584-07, 2011 WL 3503160, at *3 (N.J.Super.Ct.App.Div. Aug. 11, 2011); Marbro, Inc. v. Borough of Tinton Falls, 297 N.J.Super. 411, 688 A.2d 159, 162 (N.J.Super.Ct. Law Div.1996); see also Jasphy v. Osinsky, 364 N.J.Super. 13, 834 A.2d 426, 431 (N.J.Super.Ct.App.Div.2003). The damages the Financial Institution Plaintiffs seek are consequential damages. The Financial Institution Plaintiffs do not assert that the damages-limitation clauses are unenforceable. Instead, they contend that these clauses only limit a merchant’s ability to recover for consequential damages. These clauses, they say, do not apply to their claim as third-party beneficiaries to the Agreements. This contention is unpersuasive. “It is black letter law that a third-party beneficiary is not entitled to any more rights than the actual contracting party.” Merchants Mut. Ins. Co. v. Monmouth Truck Equip., Inc., Civ. A. No. 06-cv-05395 (FLW), 2008 WL 65109, at *5 (D.N.J. Jan. 4, 2008) (citing, for example, United Steelworkers of Am. v. Rawson, 495 U.S. 362, 375, 110 S.Ct. 1904, 109 L.Ed.2d 362 (1990); and Allgor v. Travelers Ins. Co., 280 N.J.Super. 254, 654 A.2d 1375, 1379 (N.J.Super.Ct.App.Div.1995)). The Financial Institution Plaintiffs’ breach of contract claim under the Agreements containing the damages-limitation clauses is dismissed, with prejudice. The Financial Institution Plaintiffs may assert a breach of contract claim based on the Agreements only insofar as they have a good-faith basis to believe that: (1) there are Agreements to which they are third-party beneficiaries; and (2) these Agreements do not contain damages-limitation clauses. 3. The Implied Contract Claim Under New Jersey law, “[a]n implied-in-fact contract is a true contract arising from mutual agreement and intent to promise, but where the agreement and promise have not been verbally expressed.” S. Jersey Hosp., Inc. v. Corr. Med. Servs., Civ. No. 02-2619(JBS), 2005 WL 1410860, at *4 (D.N.J. June 15, 2005) (quoting In re Penn Cent., 831 F.2d 1221, 1228 (3d Cir.1987)). “[C]ontracts implied in fact are no different than express contracts, although they exhibit a different way or form of expressing assent than through statements or writings.” Wanaque Borough Sewerage Auth. v. Twp. of W. Milford, 144 N.J. 564, 677 A.2d 747, 752 (1996). Courts look to the parties’ “word[s] and conduct in light of the surrounding circumstances.” Id. (citing Restatement (Second) of Contracts §§ 4 cmt. a, 5 cmt. a (1979)). The Financial Institution Plaintiffs rely on In re Hannaford Brothers Co. Customer Data Security Breach Litigation, 613 F.Supp.2d 108 (D.Me.2009), aff'd in part, rev’d in part sub nom. Anderson v. Hannaford Brothers Co., 659 F.3d 151 (1st Cir.2011). In Hannaford Brothers, customers used payment cards to pay for groceries. A third party breached the grocer’s information-technology systems, gaining access to stored payment-card information. See 613 F.Supp.2d at 116. The customers filed a class-action lawsuit against the grocer for the unauthorized access to their payment-card information, claiming breach of implied contract. The district court first noted the existence of a direct contract relationship between the grocer and the customers: a contract to buy groceries. Id. at 118. Because that contract required payment, the court held that a customer’s use of a payment card would allow a jury to find certain other implied terms in the grocery purchase contract: for example, that the merchant will not use the card data for other people’s purchases, will not sell or give the data to others (except in completing the payment process), and will take reasonable measures to protect the information (which might include meeting industry standards), on the basis that these are implied commitments that are “absolutely necessary to effectuate the contract,” and “indispensable to effectuate the intention of the parties.” Id. at 119 (emphasis in original) (quoting Seashore Performing Arts Ctr., Inc. v. Town of Old Orchard Beach, 676 A.2d 482, 484-85 (Me.1996)). The court found that the customers had sufficiently stated a claim for breach of implied contract under Maine law. But the starting point for the court’s analysis is the parties’ direct contractual relationship. See Hannaford Brothers, 613 F.Supp.2d at 118. That is not true in the present case. A case with facts more similar to those at issue here is Hammond v. The Bank of New York Mellon Corporation, No. 08 Civ. 6060(RMB)(RLE), 2010 WL 2643307 (S.D.N.Y. June 25, 2010). In Hammond, a company owned by the defendant lost computer-backup tapes that contained the payment-card data of 12.5 million individuals. Id. at *4. A class action against the defendant claimed breach of implied contract. The court emphasized that there was no direct relationship between the individuals whose data was released and the defendant. The court explained: Rather, Plaintiffs had relationships (only) with institutional clients of Defendant, such as the Walt Disney Company .... Plaintiffs gave their personal data over to these entities, which, in turn, forwarded the data to Defendant (which stored the data on the tapes that ultimately were lost or stolen). Id. at *9. Applying New York law, the court concluded that, absent evidence of “any direct dealings” between the individuals and the defendant, there was no basis to find the mutual assent necessary for an implied contract. Id. at *11. Unlike the plaintiffs in Hannaford Brothers, and like those in Hammond, the Financial Institution Plaintiffs do not allege a direct contract relationship with Heartland that would plausibly suggest the mutual assent necessary for an implied contract. The Financial Institution Plaintiffs’ contracts are with Heartland’s clients, not Heartland. The pleadings allege that the Financial Institution Plaintiffs have at most an indirect relationship with Heartland through Heartland’s processing of transactions made with payment cards that -they issued. The implied contract claim is dismissed. The Financial Institution Plaintiffs may replead this claim, but only insofar as they have a good-faith basis to allege the existence of a direct contractual relationship between them and Heartland. B. The Negligence Claims 1. Negligence Per Se The Financial Institution Plaintiffs have withdrawn their negligence per se claim based on Heartland’s alleged failure to follow the security protocols set out in the Visa and MasterCard regulations. (Docket Entry No. 50, at 23 n. 14). 2. Negligence The Financial Institution Plaintiffs allege that Heartland breached three duties: “a duty to exercise reasonable care in safeguarding and protecting [payment-card] information from being compromised and/or stolen,” (Docket Entry No. 32, ¶ 101); a seemingly related “duty to put into place internal policies and procedures designed to detect and prevent the unauthorized dissemination of [the Financial Institution Plaintiffs’] customers’ private, non-public, sensitive financial information,” (id., ¶ 103); and “a duty to timely disclose to [the Financial Institution Plaintiffs’] customers that the Data Breach had occurred and the private, non-public, sensitive financial information of [the Financial Institution Plaintiffs’] customers” may have been compromised, (id., ¶ 102). Suits by issuer banks against other participants in the credit-card processing chain are “of fairly recent vintage.” Rebecca Hatch Weston, Liability of Retailer and Its Affiliate Bank to Credit Card Issuer for Costs Arising out of Breach of Retailer’s Computer Security, 51 A.L.R.6th 311, § 2 (2010) (noting that the first published decision appeared in 2005). Courts addressing such claims have generally found that the economic-loss doctrine prevents recovery. Id. at § 5; cf. Juliet M. Moringiello, Warranting Data Security, 5 Brook. J. Corp. Fin. & Com. L. 63, 71 (2010) (calling the economic-loss doctrine a “major impediment[ ]” to consumer tort actions against payment-card processors). It is instructive to review the cases. In Banknorth, N.A. v. BJ’s Wholesale Club, Inc., 394 F.Supp.2d 283 (D.Me.2005), an issuer bank sued a retailer and an acquiring bank after the retailer’s computer systems, which contained customers’ payment-card information, were breached. Id. at 284. The issuer bank alleged that the retailer and acquiring bank negligently breached a duty “to safeguard cardholder information from thieves.” Id. at 286. The retailer and acquirer bank argued that the economic-loss doctrine barred recovery on this claim. Id. The court observed that, under Maine law, it was unclear how the doctrine applied outside the products liability context. Id. at 287. The court noted the “complex web of relationships involving numerous players governed by both individual contracts and exhaustive regulations promulgated by Visa and other card networks.” Id: The court reasoned that although there might be a duty of care among the members of the credit-card network, “this web of relationships may or may not render Plaintiffs negligence claim susceptible to the economic loss doctrine.” Id. Because the issuer bank’s ability to recover would turn on the specific facts of each case, the court concluded that dismissal was inappropriate. Id. Another court applying Maine law reached the opposite conclusion. In a case raising the same claims, brought in Pennsylvania federal court, the court found that the economic-loss doctrine precluded liability for negligence. See Banknorth N.A. v. BJ’s Wholesale Club, Inc., 442 F.Supp.2d 206, 211-14 (M.D.Pa.2006). In In re TJX Companies Retail Security Breach Litigation, 564 F.3d 489 (1st Cir.2009), the First Circuit considered a negligence claim by issuer banks against a merchant and an acquirer bank for losses stemming from a data breach. Recognizing that “purely economic losses are unrecoverable [under Massachusetts law] in tort and strict liability actions in the absence of personal injury or property damage,” the court affirmed the district court’s dismissal of the negligence claim. Id. at 498-99 (quoting Aldrich v. ADD Inc., 437 Mass. 213, 770 N.E.2d 447, 454 (2002)). The court rejected the issuer banks’ argument that they suffered compensable property loss. Massachusetts law, the court emphasized, required physical property damage for a negligence claim. Id. at 498. The Massachusetts Supreme Judicial Court reached the same result in Cumis Insurance Society, Inc. v. BJ’s Wholesale Club, Inc., 455 Mass. 458, 918 N.E.2d 36 (2009). The issuer banks’ insurer attempted to avoid the economic-loss doctrine by arguing that “the plastic credit cards [were] tangible personal property and their damages included physical harm to the plastic cards that had to be canceled following the thefts.” Id. at 46. The court rejected this argument, noting that the relevant issue was not “whether the credit cards are tangible property, but rather the nature of the damages sought by the plaintiffs.” Id. The Third Circuit reached the same conclusion under Pennsylvania law in Sovereign Bank v. BJ’s Wholesale Club, Inc., 533 F.3d 162 (3d Cir.2008). In that case, an issuer bank sued a merchant after a data breach. The court reviewed Pennsylvania cases applying the economic-loss doctrine and dismissed the bank’s negligence claim. Id. at 175-78. In rejecting the bank’s argument that its loss of money was a loss of property, the court reasoned that accepting “the argument would totally eviscerate the economic loss doctrine because any economic loss would morph into the required loss of property and thereby furnish the damages required for a negligence claim.” Id. at 176. The Iowa Supreme Court recently rejected a similar negligence claim under the economic-loss doctrine. In Annett Holdings, Inc. v. Kum & Go, L.C., 801 N.W.2d 499 (Iowa 2011), a trucking company’s employee used a card issued by the company to make unauthorized purchases at a gas station. Id. at 501. The trucking company sued the gas station. Id. at 502. The Iowa Supreme Court noted that although the trucking company and the gas station lacked privity of contract, the gas station had contracted with the company’s credit-card network. “When parties enter into a chain of contracts, even if the two parties at issue have not actually entered into an agreement with each other, courts have applied the ‘contractual economic loss rule’ to bar tort claims for economic loss, on the theory that tort law should not supplant a consensual network of contracts.” Id. at 504; see also Robins Dry Dock & Repair Co. v. Flint, 275 U.S. 303, 308-09, 48 S.Ct. 134, 72 L.Ed. 290 (1927) (applying the economic-loss doctrine to a chain of contracts). The court pointed out that the trucking company would be “fully responsible” for fraudulent charges under its agreement with the network; that the company knew that the network contracted with service centers like the gas station; and that the network would reimburse those service centers, with the expectation that the company would reimburse the network under the terms of the agreement. Annett Holdings, 801 N.W.2d at 505. “It is difficult to see why a tort remedy is needed here,” the court concluded, because the trucking company “contracted to assume certain risks of financial loss and had the ability to minimize these risks.” Id. The court dismissed the negligence claim. Heartland argues that this court must dismiss the negligence claim because Texas law does not allow tort claims for purely economic loss. See Memorial Hermann Healthcare Sys., Inc. v. Eurocopter Deutschland, GMBH, 524 F.3d 676, 678 (5th Cir.2008) (citing Hou-Tex, Inc. v. Landmark Graphics, 26 S.W.3d 103, 107 (Tex.App.-Houston [14th Dist.] 2000, no pet.)). The Financial Institution Plaintiffs do not dispute Heartland’s characterization of Texas law. They instead contend that New Jersey law applies. Under New Jersey law, they state, a plaintiff may recover for economic losses resulting from negligence without physical or property injury. Heartland responds that even if New Jersey law applies, it owed no duty to the Financial Institution Plaintiffs to protect cardholder data and therefore cannot be liable for negligence. New Jersey law, however, would not recognize a duty owing by Heartland to the Financial Institution Plaintiffs to protect cardholder data. Even assuming that New Jersey law applies, the Financial Institution Plaintiffs’ negligence claim must be dismissed. The elements of negligence under New Jersey law are (1) a duty of care, (2) a breach of that duty, (3) proximate cause, and (4) damages. Brunson v. Affinity Fed. Credit Union, 199 N.J. 381, 972 A.2d 1112, 1122-23 (2009); Polzo v. Cnty. of Essex, 196 N.J. 569, 960 A.2d 375, 384 (2008). “The New Jersey Supreme Court has long been a leader in expanding tort liability.” Hakimoglu v. Trump Taj Mahal Assocs., 70 F.3d 291, 295 (3d Cir.1995) (Becker, J., dissenting). In People Express Airlines, Inc. v. Consolidated Rail Corp., 100 N.J. 246, 495 A.2d 107 (1985), the New Jersey Supreme Court abandoned the rule that economic losses, unaccompanied by physical or property damage, are never compensable in tort. See id. at 114-15. In People Express, an airline sued various defendants for business-interruption damages after a volatile chemical caught fire in a rail yard adjacent to the Newark Airport. An evacuation of a one-mile radius closed the airport’s northern terminal for 12 hours. That terminal housed the airline’s business operations. The evacuation forced the airline to cancel flights and prevented its employees from booking flights for customers. Id. at 108-09. The defendants moved for summary judgment that the economic-loss doctrine prohibited recovery for purely economic loss. The New Jersey Supreme Court concluded that the traditional reasons for prohibiting recovery for economic loss, including fears of unbounded liability and fraudulent claims, were unpersuasive. The court held that a duty generally exists “to take reasonable measures to avoid the risk of causing economic damages, aside from physical injury, to particular plaintiffs or plaintiffs comprising an identifiable class with respect to whom defendant knows or has reason to know are likely to suffer such damages from its conduct.” Id. at 116. Whether a duty exists depends in part on the foreseeability of such damages. “The more particular is the foreseeability that economic loss will be suffered by the plaintiff as the result of the defendant’s negligence, the more just is it that liability be imposed and recovery allowed.” Id. The “class of plaintiffs must be particularly foreseeable in terms of the type of persons or entities comprising the class, the certainty or predictability of their presence, the approximate numbers of those in the class, as well as the type of economic expectations disrupted.” Id. The court recognized a “spectrum [of foreseeability] ranging from the general to the particular,” allowing a court to “limit otherwise boundless liability and define an identifiable class of plaintiffs that may recover.” Id. at 115, 116. In holding that the defendants owed a duty to the plaintiffs, the People Express court identified the close proximity of the north terminal to the accident; the “obvious nature” of the airline’s presence and operations that made the asserted economic harm foreseeable; the rail company’s knowledge of the chemical’s volatility; and the existence of an emergency-response plan established with the participation of some of the defendants that called for evacuating the terminal. Id. at 118. Although the airline could seek its economic losses, an example of a class that could not seek such losses was drivers on a highway delayed by a negligently caused accident. The drivers may be a foreseeable class, the court acknowledged, but they were not an identifiable one. Rather, the presence of any particular driver — and therefore the economic injury of that driver — was merely “fortuitous.” Id. at 116. People Express recognizes that “a plaintiff [can] bring an action for purely economic losses, regardless of any accompanying physical harm or property damage, if the plaintiff [is] a member of an identifiable class that the defendant should have reasonably foreseen was likely to be injured by the defendant’s conduct[.]” Carter Lincoln-Mercury, Inc., Leasing Div. v. EMAR Grp., Inc., 135 N.J. 182, 638 A.2d 1288, 1294 (1994). But People Express equally acknowledges that the foreseeability standard will not always adequately guide a court’s evaluation of tort duties. In certain cases, “the courts will be required to draw upon notions of fairness, common sense and morality to fix the line limiting liability as a matter of public policy, rather than an uncritical application of particular foreseeability.” People Express, 495 A.2d at 116. The New Jersey Supreme Court has emphasized in decisions since People Express that the “[ability to foresee injury to a potential plaintiff does not in itself establish the existence of a duty[.]” Carter Lincoln-Mercury, 638 A.2d at 1294 (citing Goldberg v. Housing Auth. of City of Newark, 38 N.J. 578, 186 A.2d 291, 293 (1962)); see also Clohesy v. Food Circus Supermarkets, Inc., 149 N.J. 496, 694 A.2d 1017, 1020 (1997) (“Foreseeability of harm alone is not dispositive of whether a duty exists.”). Rather, “[o]nce the foreseeability of an injured party is established, [a court] must decide whether considerations of fairness and policy warrant the imposition of a duty.” Carter Lincoln-Mercury, 638 A.2d at 1294. New Jersey has exhibited a “strong resistance to the usurpation of contract law by tort law[.]” Travelers Indem. Co. v. Dammann & Co., 594 F.3d 238, 248 (3d Cir.2010). “New Jersey courts have consistently held that contract law is better suited to resolve disputes where a plaintiff alleges direct and consequential losses that were within the contemplation of sophisticated business entities that could have been the subject of their negotiations.” Id.; see also Arcand v. Brother Int’l Corp., 673 F.Supp.2d 282, 308 (D.N.J.2009); (Docket Entry No. 117, at 40-43 (discussing cases)). The New Jersey cases repeatedly emphasize that respecting the parties’ voluntary agreements to allocate risk best serves the public interest. See Spring Motors Distributors, Inc. v. Ford Motor Co., 98 N.J. 555, 489 A.2d 660, 671 (1985) (“As between commercial parties, [ ] the allocation of risks in accordance with their agreement better serves the public interest than an allocation achieved as a matter of policy without reference to that agreement.”). The decisions represent a “clear rejection of an approach that would allow tort law to substitute for contract law in cases involving sophisticated parties with equal bargaining power[.]” Travelers Indem., 594 F.3d at 251. This court previously concluded that, under New Jersey law, Heartland owed no duty to the issuer banks because “relationships among issuers, acquirers, and their contractors — such as Heartland Payment Systems — are governed by the Visa and MasterCard regulations,” not tort law. (Docket Entry No. 117, at 44). The court dismissed vicarious liability claims against an acquirer bank that hired Heartland to process payment-card transactions. In supplemental briefing following that order, the Financial Institution Plaintiffs argue that the economic-loss doctrine does not apply to them because Heartland, unlike the acquirer banks, is not a member of the Visa and MasterCard networks. (Docket Entry No. 124, at 1). The Financial Institution Plaintiffs note that no New Jersey case has applied the economic-loss doctrine to bar tort recovery absent a direct contractual relationship. The Financial Institution Plaintiffs cite Consult Urban, 2009 WL 1969083, in which a district court held that a series of contracts did not preclude recovery in tort. This argument and citation are unpersuasive. An issuer bank’s decision to issue payment cards is, of course, a voluntary choice. To participate, issuer banks must accept the Visa and MasterCard regulations. By participating in the Visa and MasterCard networks, the Financial Institution Plaintiffs entered into the web of contractual relationships that included not only issuer and acquirer banks but also third-party businesses, such as Heartland, that process transactions for network members. Heartland agreed to follow the Visa and MasterCard regulations. (Docket Entry No. 32, ¶ 96; Docket Entry No. 42, Ex. 4, ¶ 1.1(f) (requiring Heartland to “comply fully with all by-laws and regulations of Visa and MasterCard, including but not limited to, rules regarding independent sales organizations and member service providers”); id., Ex. 5, ¶ 1.1(f) (same)). The regulations specifically contemplate the possibility of a data breach. They specify procedures for issuer banks to make claims when such data breaches occur through private dispute-resolution systems. (Docket Entry No. 124, Exs. 1, 2); see also Sovereign Bank, 533 F.3d at 165 (describing the “comprehensive provisions for resolving disputes between Visa members,” which allowed Visa to decide disputes “in accordance with risk allocation judgments made by Visa”); Cumis Ins. Soc’y, Inc. v. BJ’s Wholesale Club, No. 20051158J, 2008 WL 2345865, at *4 (Mass.Super. Ct. June 4, 2008) (noting that the Visa and MasterCard regulations “provide for an elaborate dispute resolution procedure and for fines for non-compliance”), aff'd, 455 Mass. 458, 918 N.E.2d 36 (2009). Although Heartland is not a direct member of the Visa and MasterCard networks, it was subject to the network regulations. The complaint highlights Visa’s investigation into Heartland, alleging that Visa both found Heartland to be “in violation of the Visa operating regulations” and banned network members from using Heartland to process transactions for approximately one week. (Docket Entry No. 32, ¶ 57). Visa also “put Heartland on probationary status,” which “subjected Heartland to more-stringent security assessments, monitoring and reporting[.]” (Id., ¶ 58). Visa and MasterCard fined Heartland Bank and KeyBank, the network members that had retained Heartland. The banks passed those fines to Heartland under their contracts with Heartland and the Visa and MasterCard networks, the network regulations, not tort law, are the appropriate means for the Financial Institution Plaintiffs to seek relief. Additionally, the damages the Financial Institution Plaintiffs seek — the costs of covering fraudulent charges and of reissuing cards — are the kinds of damages ordinarily expected to flow from a data breach, damages that can be addressed in the parties’ contractual arrangements. These damages are not the type of injuries for which tort law is appropriate. Arcand, 673 F.Supp.2d at 308; Kearney & Trecker Corp. v. Master Engraving Co., 107 N.J. 584, 527 A.2d 429, 437 (1987) (declining to impose a tort duty between businesses for damages that were not “highly unusual or unforeseeable” in the kind of transaction covered by the parties’ contract, and quoting Chatlos Sys., Inc. v. Nat’l Cash Register Corp., 635 F.2d 1081, 1087 (3d Cir.1980)); see also Annett Holdings, 801 N.W.2d at 504-05 (holding that tort law should not displace the risks and responsibilities allocated through a system of contracts for payment cards). The New Jersey Supreme Court’s recognition that an “allocation of risks in accordance with [a voluntary] agreement better serves the public interest than an allocation achieved as a matter of policy without reference to that agreement” also weighs against creating a tort duty between payment processors and issuer banks to protect payment-card information from unauthorized access. Spring Motors, 489 A.2d at 671. This result also is consistent with the approach of the federal government and most states, which generally have avoided regulating risk allocations in the payment-card industry except to cap consumers’ liability. Federal legislation and regulations address consumer-protection concerns, not “further allocation of fraud liability after shifting responsibility from the cardholder to the card insurer.” Douglass, supra, at 45; see also Ballen & Fox, supra, at 939 (noting that federal regulations “do not generally address the interbank payment systems and the liabilities that flow into the interbank system”). The states’ approaches are similar. Like most states, New Jersey regulates payment-card privacy. In particular, New Jersey regulates how merchants handle payment-card information and requires businesses holding personal information to notify the public when a data breach occurs. N.J. Stat. §§ 56:8-163; 56:11-17, - 21, -24, -25, -42; see also Abraham Shaw, Data Breach: From Notification to Prevention Using PCI DSS, 43 Colum. J.L. & Soc. Pkobs. 517, 524 n. 36 (listing states with notification laws) (2010). Only Minnesota has statutorily shifted the risk of loss arising from a data breach between the businesses involved in the Visa and MasterCard networks. See Mark MacCarthy, What Payment Intermediaries Are Doing about Online Liability and Why It Matters, 25 Berkeley Tech. L.J. 1037, 1044 n. 25 (2010) (discussing Minn. Stat. § 325E.64, which “holds merchants liable for the costs associated with a breach when they failed to take specific precautions that are part of an industry data security standard”). The fact that New Jersey regulates data-security measures, but does not address risk allocation, weighs against imposing a common-law duty between these entities. See Hojnowski v. Vans Skate Park, 187 N.J. 323, 901 A.2d 381, 389 (2006) (concluding that a New Jersey statute conferring immunity from suit upon certain volunteers but not businesses weighed against recognizing a minor’s waiver of liability against a business); Hannaford Bros., 613 F.Supp.2d at 125 (observing that a Maine law requiring notification of a data breach “give[s the court] reason to be wary of creating any new state standards where the Maine Law Court has not already clearly provided a remedy”). Relying on Dynalectric Company v. Westinghouse Electric Corporation, 803 F.Supp. 985 (D.N.J.1992), and Consult Urban, 2009 WL 1969083, the Financial Institution Plaintiffs argue that the economic-loss doctrine does not apply because the “Visa and MasterCard regulations do not and cannot provide the alternative means of redress requisite to the application of the economic loss doctrine under New Jersey law.” (Docket Entry No. 124, at 8 (emphasis omitted)). In Dynalectric, the plaintiff pursued tort claims against the defendant in federal court while simultaneously pursuing identical breach of contract claims against the defendant in arbitration. Applying New Jersey law, the district court concluded that “when a party has suffered economic loss because of the negligent actions of another, and the party has another means of redress against the alleged tortfeasor, that party may not assert the identical claims for identical damages under tort theories.” 803 F.Supp. at 991. The court refused to hear the tort claim because of the ongoing arbitration. Id. at 991, 993. The court did not address whether a tort duty would exist absent the other avenue of redress against the plaintiff. In Consult Urban, a contractor asserted a negligence claim against a company that a subcontractor had retained to inspect modular housing units for complianee with New Jersey law. 2009 WL 1969083, at *1. The court rejected the company’s argument that it owed no duty, noting that the contractor “had no opportunity to negotiate the terms of the agreement or the amount of risk it would accept.” Id. at *4. Neither Dynalectric nor Consult Urban Renewal involved a comprehensive risk-allocation arrangement like the contracts and network regulations in this case. To the extent that the Visa and MasterCard regulations do not allow the Financial Institution Plaintiffs to recover damages directly from Heartland, New Jersey law disfavors a sophisticated business entity’s efforts to use tort law “to obtain a better bargain than it made.” Spring Motors, 489 A.2d at 671. The negligence claim is dismissed with prejudice and without leave to amend because amendment would be futile. C. The Misrepresentation Claims The Financial Institution Plaintiffs allege fraud and negligent misrepresentation under New Jersey law. According to the complaint, numerous statements by Heartland — in S.E.C. filings; in analyst calls; on Heartland’s logo; and on Heartland’s web site, before and after the data breach— suggested that Heartland’s security measures were better than they actually were. The complaint also faults Heartland for failing to disclose information about its security flaws. It additionally asserts that Heartland, by participating in the Visa and MasterCard networks, effectively represented that it would follow the network security regulations. Heartland argues that, even assuming New Jersey law applies, the allegations are insufficient to state a claim. Heartland contends that the complaint does not allege the material falsity of the statements; that the Financial Institution Plaintiffs were neither intended recipients (as required for fraud) nor reasonably foreseeable recipients (as required for negligent misrepresentation) of those statements; that Heartland had no duty to disclose; that participation in the Visa and MasterCard networks is not an actionable misrepresentation; and that causation is insufficiently alleged. (Docket Entry No. 40, at 18-28). Under New Jersey law, common-law fraud has five elements: “(1) a material misrepresentation of a presently existing or past fact; (2) knowledge or belief by the defendant of its falsity; (3) an intention that the other person rely on it; (4) reasonable reliance thereon by the other person; and (5) resulting damages.” Banco Popular N. Am. v. Gandi 184 N.J. 161, 876 A.2d 253, 260 (2005) (quoting Gennari v. Weichert Co. Realtors, 148 N.J. 582, 691 A.2d 350, 367 (1997)). Negligent misrepresentation differs only in that it requires neither intent to deceive nor knowledge that the statement is false. See Kaufman v. i-Stat Corp., 165 N.J. 94, 754 A.2d 1188, 1195-96 (2000). Federal Rule of Civil Procedure 9(b) applies to fraud allegations. Under the rule, “a party must state with particularity the circumstances constituting fraud or mistake. Malice, intent, knowledge, and other conditions of a person’s mind may be alleged generally.” Fed. R. Civ. P. 9(b). “Put simply, Rule 9(b) requires ‘the who, what, when, where, and how’ to be laid out.” Shandong Yinguang Chem. Indus. Joint Stock Co. v. Potter, 607 F.3d 1029, 1032 (5th Cir.2010) (internal quotation marks omitted). The plaintiff “must specify the statements contended to be fraudulent, identify the speaker, state when and where the statements were made, and explain why the statements were fraudulent.” Southland Secs. Corp. v. INSpire Ins. Solutions, Inc., 365 F.3d 353, 362 (5th Cir.2004) (internal quotation marks omitted). At the same time, “Rule 9(b)’s ultimate meaning is context-specific, and thus there is no single construction of Rule 9(b) that applies in all contexts.” United States ex rel. Grubbs v. Kanneganti, 565 F.3d 180, 188 (5th Cir.2009) (internal quotation marks omitted). The parties dispute whether the complaint’s negligent misrepresentation allegations must comply with Rule 9(b). It is unnecessary to resolve this dispute, for the allegations of negligent misrepresentation fail to meet Rule 8’s basic pleading standard. 1. Misrepresentation Heartland asserts that many of the alleged misrepresentations are not the kinds of statements that give rise to liability under either a fraud or negligence theory. New Jersey law distinguishes between factual misrepresentations and “puffery.” It is reasonable to rely on the first but not the second. E.g., Lieberson v. Johnson & Johnson Consumer Cos., — F.Supp.2d —, —, 2011 WL 4414214, at *7 (D.N.J.2011). “Advertising that amounts to ‘mere’ puffery is not actionable because no reasonable consumer relies on puffery. The distinguishing characteristics of puffery are vague, highly subjective claims as opposed to specific, detailed factual assertions.” Id. (quoting In re Toshiba Am. HD DVD Mktg. & Sales Practices Litig., Civ. No. 08-939(DRD), MDL No.1956, 2009 WL 2940081, at *10 (D.N.J. Sep. 11, 2009)). For example, the New Jersey Supreme Court held that Allstate Insurance’s slogan, “You’re in good hands with Allstate,” was not an actionable misrepresentation. “However persuasive, [the slogan] is nothing more than puffery.” Rodio v. Smith, 123 N.J. 345, 587 A.2d 621, 623 (1991). By contrast, specific factual misrepresentations are