Richard Raysman is a Partner in our New York office.

Grocery stores have been hit with a number of suits by their customers in recent years after a cyberattack on the store leads to the theft of customer financial information. Another type of suit arises frequently when such cyberattacks occur. Oftentimes, the stores will have separate agreements with payment card processors or the payment card companies themselves. Such agreements often delineate how liability should be apportioned among the parties in the event of a cyberattack. Another component of these agreements often stipulates which parties are responsible for indemnifications and reimbursements. Unsurprisingly, though, disputes often arise over how to interpret and construe the agreements, as evidenced by the decision issued last week in Schnuck Markets, Inc. v. First Data Merchant Services Corp., No. 4:13-cv-226-JAR (E.D. Mo. Jan. 15, 2015).

Facts

From late 2012 to early 2013, Schnuck Markets, Inc. (Schnucks) was the victim of a cyberattack that compromised certain types of credit and debit card information of its customers. Schnucks then sued, inter alia, First Data Merchant Services (First Data), based on alleged violations of the Master Services Agreement (MSA) between the two parties. As background, pursuant to the MSA, First Data provided credit and debit card processing services for Schnucks. The MSA, as well as a later Addendum, incorporated the rules and regulations (CC Rules) of certain credit card companies into its terms. The CC Rules relevant to this case stipulate that defendant First Data is liable to these credit card companies in the event of a cyberattack.

This particular rule has two components. First, if the credit card companies discover that Schnucks is not in compliance with the Payment Card Industry Data Security Standards (PCIDSS), they are permitted to fine First Data. Second, in the event that the breach results from adulterated data from the magnetic stripe on the payment card, the credit card companies are permitted to seek reimbursement from First Data for the costs of monitoring, canceling, or reissuing payment cards, and for the amount of fraudulent charges on the at-risk cards.

The MSA obligates Schnucks to indemnify First Data for "all losses, liabilities, damages and expenses," although such liability is limited to claims of $500,000 and under. However, the MSA did contain a pair of caveats to the liability cap. If Schnucks was found noncompliant with the PCIDSS, the liability ceiling was raised to $3 million. If First Data's liability arose from "chargebacks, servicers' fees, third party fees, and fees, fines or penalties" levied by the credit card companies, Schnucks' liability resulting therefrom was uncapped. First Data was permitted under a separate section of the MSA to establish and fund a reserve account containing monies from Schnucks' payment card transactions designed to offset its indemnity obligations. With respect to the cyberattack in question, First Data had received estimates of its liabilities to the credit card companies as a result of the attack, and had thereafter begun to fund the aforementioned reserve account by withholding a percentage of the funds from Schnucks' payment card transactions that it processed.

In essence, Schnucks alleged that First Data withheld funds in an amount that is "substantially more than" the liability cap in the MSA of $500,000. As a result, Schnucks contended that First Data had breached the MSA, and it concomitantly sought a declaratory judgment with respect to its maximum liability under this agreement and the maximum amount First Data may withhold from it to fund the reserve account.

Legal Analysis/Conclusions

First Data defended its use of the reserve account to indemnify itself from the credit card companies in excess of $500,000 on the grounds that the liability cap in the MSA was inapplicable in these circumstances. Specifically, the applicability of this cap was gainsaid by the fact that First Data had to indemnify the credit card companies not only for fees resulting from Schnucks' noncompliance with the PCIDSS standards (thereby raising the liability cap under the MSA to $3 million), but also for fees that would constitute "chargebacks, servicers' fees, third party fees, and fees, fines or penalties" under the MSA, thereby eliminating the liability cap altogether. However, only the unlimited liability cap was actually litigated in the case.

In deciding First Data's motion for judgment on the pleadings, the court concluded that the "third party fees, and fees, fines or penalties" referenced in the MSA did not apply to the charges assessed by First Data as a result of the cyberattack. The clause did not make any reference to fees resulting from a "data compromise event," although First Data was considered "clearly aware" of such category of fees, according to the court. Moreover, the court noted that a "fee is an amount paid or charged for service." The Addendum to the MSA refers to "third party fees" as those fees charged in connection with First Data's processing services, such as interchange fees, and not any liability associated with credit card company losses. Finally, if the phrase "third party fees, and fees, fines or penalties" was interpreted in accordance with First Data's argument, it would be so overbroad as to encompass any liability imposed on First Data by the CC Rules, liability that would then be shifted to Schnucks. Such losses would be transferred to Schnucks for the consequences of the "cyber attack [sic] and data breach, and, for that matter, any loss of any kind." Such an interpretation would moot the limitation of liability in the MSA, and the court declined to construe the contract in such a way, particularly since the parties were sophisticated business entities that had clearly included this clause in the MSA from the outset. See also DeJong v. Sioux Center, Iowa, 168 F.3d 115 (8th Cir. 1999) (noting that a contract interpretation that gives meaning to all terms is preferable to one that renders some terms meaningless or superfluous).

Based on this conclusion, the court denied the motion for judgment on the pleadings by First Data and granted in relevant part the cross-motion for summary judgment by Schnucks. Therefore, any funds withheld in excess of the $500,000 stipulated in the limitation of liability clause were ordered by the court to be returned to Schnucks.
