A common assumption among merchant acquirers and retailers is that merchants are the ones who ultimately are liable for network fines after a merchant’s data breach. But a recent decision by a federal appellate court that ruled against First Data Corp., the nation’s largest payment processor, sends a message that such assumptions aren’t always valid.
The unanimous June 7 decision by a three-judge panel of the Sixth U.S. Circuit Court of Appeals in Cincinnati involves a Houston-based liquor-store chain, Spec’s Family Partners Ltd., which sued its acquirer, First Data’s First Data Merchant Services unit. Malware on Spec’s payment system in 2012 and 2013 compromised about 550,000 cards, according to court filings and press reports at the time.
Spec’s, which has more than 100 stores across Texas, was found to be out of compliance with the Payment Card Industry Data Security Standard (PCI DSS), according to court documents. Visa Inc. and Mastercard Inc., after getting reports from their card issuers about fraud and card-reissuance expenses stemming from the breach, tallied up those costs and assessed them to the sponsor bank involved, a unit of Citigroup Inc., which in turn passed the bills on to its third-party processor, First Data Merchant Services.
FDMS then began withholding the proceeds from routine credit and debit card transactions at Spec’s and placing them in a reserve fund in order to recoup the assessments, commonly called fines in the acquiring industry. Ultimately, they totaled $6.2 million. Spec’s refused to pay the fines and sued FDMS in U.S. District Court in Memphis, Tenn., which issued summary judgment in favor of the retailer.
The appellate court affirmed the district court’s finding that “First Data materially breached the merchant agreement when it diverted funds to reimburse itself for the card-brand assessments,” Senior Judge Deborah L. Cook wrote for the panel.
The dispute centered on various provisions in the merchant contract that FDMS said made Spec’s liable for the assessments. One involved so-called third-party fees and charges. But the lower court, with the appellate court agreeing, said the wording referred “to routine charges associated with card-processing services rather than liability for a data breach,” Cook wrote.
Another provision involved indemnification of the contracting parties for assessments resulting from violations of network rules, and the related question of so-called consequential damages. Spec’s, even though it was not in compliance with PCI DSS, argued that the contract barred either party from recovering consequential damages from the other.
“The dispute between the parties boils down to whether the card-brand assessments passed down to First Data constituted consequential damages, thus exempting Spec’s from liability,” Cook wrote. “The district court held that they did, and we agree.”
First Data’s options now include appealing to the full Sixth Circuit. A spokesperson for the Atlanta-based processor, which has a $22 billion deal to be acquired by Fiserv Inc., did not respond to a Digital Transactions News request for comment. A Spec’s executive also did not reply to an email requesting comment.
The Sixth Circuit’s decision is binding only in the court’s jurisdiction—Tennessee, Kentucky, Ohio, and Michigan. Still, the ruling could induce acquirers and merchants nationally to take a closer look at how merchant contracts assign liability for data breaches and other network assessments.
“It’s an important decision on those grounds because processors typically are of the view that they can pass on everything from the networks to the merchants,” says attorney Anita Boomstein, who represents merchants as a partner and chairperson of the global payments practice at Manatt, Phelps & Phillips LLP in New York. “The court is saying that’s not necessarily the case. It depends on the wording of the agreement.”