Not a “fee” or a “fine”: Retailer not liable for all of card-issuing banks’ cyberattack losses, and demonstrates the wisdom of planning ahead
Posted on 01/31/2017 at 01:21 PM by John Lande
The United States Court of Appeals for the Eighth Circuit recently concluded that a retailer was not liable for all of the costs associated with a cyberattack against the retailer. The case of Schnucks Markets v. First Data Merchant Services Corp., Case No. 15-3804, began with a familiar fact pattern. Schnucks Markets (“Schnucks”) is a large grocery store chain in St. Louis. In March 2013, Schnucks was the target of a cyberattack that breached customer cardholder data.
Like most retailers, Schnucks must be party to a number of agreements in order to process card payments. In this case, Schnucks had contracted its credit card processing out to a third party, First Data Merchant Services (“Card Processor”). The Card Processor in turn had a contract with an acquiring bank for all of Schnucks’s card transactions, Citicorp (“Acquiring Bank”). The Acquiring Bank sponsored Schnucks into credit card associations such as Visa and MasterCard.
Whenever a customer used a card at Schnucks, the Card Processor sent the transaction to the Acquiring Bank. The Acquiring Bank then sent the transaction to the card customer’s bank (“Issuing Bank”). The Acquiring Bank paid Schnucks and sought reimbursement from the Issuing Bank.
When Schnucks was the target of a cyberattack, the Issuing Bank paid the costs of reimbursing customers for fraud and re-issuing cards. MasterCard and Visa have rules that require the Acquiring Bank to reimburse the Issuing Bank for the costs associated with a customer card data breach.
The Acquiring Bank’s agreement with Schnucks and the Card Processor required Schnucks and the Card Processor to reimburse the Acquiring Bank for data-breach losses. In this case, the agreements consisted of a Master Services Agreement (“MSA”) between Schnucks and the Card Processor, and a Bankcard Addendum between Schnucks, the Card Processor, and Acquiring Bank.
After the March 2013 data breach at Schnucks, MasterCard and Visa assessed costs to the Acquiring Bank. The Acquiring Bank assessed those charges against the Card Processor, which sought reimbursement from Schnucks. The Card Processor began withholding funds from Schnucks, and accumulated in excess of $500,000 in a reserve account.
Schnucks filed suit against the Card Processor and Acquiring Bank. Schnucks argued that the MSA limited Schnucks’s liability for a data breach to $500,000. The MSA provided that Schnucks’s liability for a data breach was capped at $500,000 except for “third party fees” and “fees, fines, or penalties.” The district court and Eighth Circuit both agreed that the Issuing Bank’s costs associated with fraud losses and re-issuing cards were neither “third party fees” nor “fees, fines, or penalties.”
The Eighth Circuit explained that when a contract uses plain language it must be enforced as written. The Court then explained that a “fee” is defined as “a sum paid or charged for a service.” The Court concluded that the Issuing Bank’s costs for re-issuing cards and for fraud losses were not sums paid in exchange for a service. Rather, these costs were compensation for losses.
The Court then addressed whether the Issuing Bank’s costs were a “fine” or “penalty.” The Court concluded that fines and penalties are not assessed for compensation, but rather are assessments imposed to punish. Since the Issuing Bank’s losses were assessed against Schnucks in order to compensate the Issuing Bank, they could not be characterized as “fines” or “penalties.” Thus, the Court concluded, Schnucks’s liability was limited to $500,000.
This case serves as a warning for acquiring banks. The language acquiring banks use in their retailer agreements will be strictly enforced. This decision will likely cause many acquiring banks and card processors to take a look at their contracts with retailers to determine whether retailers are fully responsible for cyberattack costs.
This case is a good example of an important lesson. The best time for retailers and banks to minimize their exposure to cyberattacks is before a cyberattack ever occurs. Careful attention to the details of third-party contracts is important because courts will carefully consider the parties’ chosen words when interpreting the contract. In this case, the Acquiring Bank faced liability simply because the words it chose—fees, penalties, and fines—were not broad enough to cover all of the Acquiring Bank’s potential liability.
Having legal counsel involved early in contract negotiations can give parties an opportunity to carefully review the terms of their agreements and identify potential gaps in liability protection. This blog has made this point before. Detailed review is much easier and more effective before a contract is executed and before a cyberattack happens. Once a cyberattack occurs, it’s too late to renegotiate.
The material in this blog is not intended, nor should it be construed or relied upon, as legal advice. Please consult with an attorney if specific legal information is needed.
- John Lande
The material, whether written or oral (including videos), that is posted on the various blogs of Dickinson Bradshaw is not intended, nor should it be construed or relied upon, as legal advice. The opinions expressed in the various blog postings are those of the individual author; they may not reflect the opinions of the firm. Your use of the Dickinson Bradshaw blog postings does NOT create an attorney-client relationship between you and Dickinson, Bradshaw, Fowler & Hagen, P.C. or any of its attorneys. If specific legal information is needed, please retain and consult with an attorney of your own selection.