June 18, 2019

Sixth Circuit holds that retailer is not liable for reimbursement costs for data breach under contract with payment card processing company

On June 7, 2019, the Sixth Circuit affirmed the grant of summary judgment in a case brought by Spec’s Family Partners, Limited, a Texas liquor store chain, to recover credit card payments owed to it by First Data Merchant Services LLC, which processed payment card transactions for Spec’s. The payment processing system of the liquor store chain had been the victim of malware attacks in 2012 and 2013. The issuers of the hacked payment cards reimbursed the defrauded cardholders and replaced the cards, then demanded payment from the acquiring bank to cover those costs. The acquiring bank turned to First Data to reimburse it for the costs, and First Data sought reimbursement from Spec’s. Pending reimbursement from Spec’s, First Data began withholding the proceeds of routine payment card transactions from Spec’s. Claiming protection under the consequential damages limitations clause in the merchant agreement between it and First Data, Spec’s refused to pay.

Spec’s then filed suit in the US District Court for the Western District of Tennessee to recover millions of dollars in withheld payment card proceeds. Interpreting the merchant agreement pursuant to Tennessee law, the district court held that the card brand assessments made by the issuing banks constituted consequential damages, which were precluded by a consequential damages limitation on liability in the merchant agreement. The lower court also held that the issuing banks’ assessments were not third-party fees and charges, which would have been covered by the merchant agreement. The court granted summary judgment in favor of Spec’s on the grounds that First Data materially breached the merchant agreement by withholding card payments from Spec’s.

On appeal, the Sixth Circuit affirmed the lower court’s interpretation, and rejected First Data’s argument that the data breaches, the resulting reimbursement to cardholders, and the ensuing card brand assessments necessarily followed from Spec’s established failure to comply with the Payment Card Industry Data Security Standard. Instead, the court held that the damages were consequential, and liability remained with First Data.