Monday, October 15, 2012
In 2010, US Bank and Elavon Inc. filed a lawsuit with the Third District Court of Utah to collect data breach fines from Cisero's Ristorante Inc. The lawsuit is an attempt to recover more than $82,000 in penalties imposed on Cisero's after a 2008 card company investigation deduced data stolen from cards used at Cisero's resulted in $1.26 million in fraud losses.
In a 2011 counterclaim, Cisero's argued that plaintiffs US Bank and Elavon – Cisero's acquiring bank and processor, respectively – owed it duties that were independent of the parties' merchant services agreement and that said duties were not fulfilled. It also argued that the contract was an unfair contract of adhesion. As a result, the merchant services contract is not enforceable, and Cisero's should not have to pay data breach fines sought by the plaintiffs, the counterclaim further stated.
In a September 2012 ruling, Judge Todd Shaughnessy refused the plaintiffs' request to dismiss the causes of action in the defendant's counterclaim and ruled that Cisero's could amend its counterclaim to "more particularly identify the independent duties it contends US Bank owed it." Days later, Cisero's submitted its amended counterclaim.
The Cisero's merchant contract allows the restaurant to be fined if it is determined, as it was by Visa Inc. and MasterCard Worldwide in this case, that the restaurant's POS system was not in compliance with the Payment Card Industry (PCI) Data Security Standard (DSS) at the time of the alleged data thefts.
In its original counterclaim, Cisero's said its merchant contract is an unfair contract of adhesion because the plaintiffs' services were so critical to the restaurant's success that Cisero's had little choice but to accept the terms offered by the plaintiffs no matter how disproportionately advantageous they were to the card companies and plaintiffs. Cisero's also noted that when it signed the contract, its terms were not negotiable, Visa rules were not available to merchants and the PCI DSS had not yet been adopted.
The counterclaim also stated that after an investigation concluded Cisero's was the source of the data breach, Elavon accepted card company fines and passed them on to the restaurant without giving Cisero's the chance to defend itself or challenge the assessments. Cisero's said two independent forensic exams of its POS system found no evidence its terminals were breached.
In addition, Cisero's asserted that because US Bank and Elavon had a much better knowledge of the card companies and their rules, they had a duty independent of the merchant agreement to ensure the restaurant had access to a full hearing process where proof of a data breach or actual fraud loss was presented and the merchant had an opportunity to defend itself.
In its amended counterclaim, Cisero's listed the duties owed it by the plaintiffs, even if those duties were not covered in the merchant contract. Among those duties are:
Constantine Cannon LLP, which represents Cisero's, was the lead firm in a class-action antitrust claim brought by a group of national retailers that resulted in a $3 billion settlement with Visa and MasterCard in 2003. Steve Cannon, Chairman of Constantine Cannon, said the judges ruling in the Cisero's case was a "green light" going forward with the restaurant's counterclaim.
"I believe these are very important principles at issue here," he stated in an interview with The Green Sheet following the submission of the amended claim. "This goes to the basic issues in the merchant acquiring world. We think the indemnification power of the contract is void."
US Bank and Elavon did not reply to a request for comment. For more background on this case, see "Elavon versus Cisero's dispute could have major repercussions," The Green Sheet, Feb. 13, 2012, issue 12:02:01.
The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.