Payment card system breaches can cause millions of dollars in damages. Consumer losses are generally minimal, because Regulation E obliges card issuing banks to generally reimburse consumers for fraud. There are nevertheless millions of dollars of damages associated with responding to payment card breaches in the form of fraud reimbursements and card re-issuance costs. These damages are apportioned among the various banks and card networks involved in processing credit and debit card payments. That was the environment the case of Spec’s Family Partners v. First Data Merchant Services arose in, a case decided by the United States Court of Appeals for the Sixth Circuit.
The case involved a credit card breach at dozens of liquor stores in Texas owned by Spec’s Family Partners (“Spec’s”). The breach occurred because of the chain’s failure to comply with and implement the Payment Card Industry Data Security Standard (“PCI DSS”). As a result, fraudsters were able to install malware that harvested the credit and debit card data of Spec’s customers. The damages were created when banks that issued customer credit and debit cards learned of the breach. The issuing banks had to reimburse customers for fraud losses, and incur the costs of reissuing cards to customers.
When the issuing banks incurred losses it set off a chain reaction of cost sharing and liability apportioning among financial institutions and the credit card brands. Under Visa and Mastercard rules, so-called “acquiring banks” are required to reimburse issuing banks for fraud losses. These acquiring banks sponsor retailers—like Spec’s—into the payment card network.
First Data Merchant Services (“First Data”) was Spec’s acquiring bank. First Data received an assessment from Mastercard for losses resulting from Spec’s breach. First Data assessed Spec’s for the damages First Data incurred to the issuing banks. First Data began to withhold the proceeds from Spec’s routine card transactions, and placed them in a reserve account. Eventually, this fund grew to $6.2 million.
Spec’s disputed whether it owed First Data under the Merchant Agreement, which governed the terms of First Data’s sponsorship of Spec’s onto the payment card network. The dispute focused on two sections of the Merchant Agreement governing Spec’s duty to indemnify First Data:
First Data argued that § 15(b) required Spec’s to reimburse First Data for losses resulting from Spec’s failure to comply with PCI DSS. Spec’s, however, argued that § 15(d) clearly waived Spec’s liability for consequential and special damages.
The Court agreed with Spec’s that the contract between First Data and Spec’s eliminated liability for consequential and special damages between the parties. Applying Tennessee law, the Court further concluded that the payment card network assessment was a special or consequential damage that was not covered by the contract. Spec’s therefore avoided having to pay over $6 million in losses resulting from its payment card breach.
Avid readers of this blog will notice the similarities between this case and another recent payment card assessment lawsuit--Schnuck Market, Inc. v. First Data Merchant Servs. Corp. In that case, just like this one, the court held that the merchant agreement did not shift liability to the retailer for a payment card breach. Indeed, the court in the Spec’s case noted the similarities between the two cases.
This case is a cautionary tale for acquiring banks that sponsor retailers onto the payment card network. Banks need to ensure that they are apportioning liability for payment card breaches to the retailer, particularly if the retailer fails to comply with PCI DSS. Retailers can expect that if they haven’t already, merchant agreements will try to shift liability for payment card breaches to the retailer.
The entity liable for payment card breach costs will likely try to purchase insurance to cover its risk. When it does, it will want to make sure it doesn’t suffer the same fate as P.F. Chang’s. Dickinson's blog previously covered the lawsuit that arose when P.F. Chang’s tried to make an insurance claim for a damage assessment after a payment card breach. In that case, an insurance policy exclusion denied coverage for liability to third parties based on a contract.
Acquiring banks and retailers should keep these cases in mind. Banks and retailers should make sure that they closely review their merchant contracts, and then their insurance policies to determine coverage for data security incidents like a payment card breach.