Friday, June 14, 2019
A June 7, 2019, ruling by Circuit Court Judge Deborah Cook upheld the U.S. District Court of Appeals for the Western District of Tennessee's decision to hold First Data Corp. liable for damages stemming from two data breaches at Spec's Family Partners Ltd., a liquor store chain and First Data merchant.
The unanimous decision by District Court Judges Batchelder, Cook and Kethledge found that even though Spec's had failed to comply with PCI security standards, which left its stores vulnerable to hackers, First Data's decision to freeze millions of dollars in credit card receivables violated the terms of the merchant's processing agreement.
The data breaches occurred in 2012 and 2013, when hackers planted malware in select Spec's locations and began to harvest credit card data. Forensic investigators confirmed that the compromised locations were using non-compliant POS hardware.
Justices called the financial remediation process a "cost-shifting reaction down the payment card chain." When Visa and Mastercard assessed acquiring bank Citicorp Payment Services Inc. for damages, Citicorp pressured First Data for reimbursement, and First Data withheld money from Spec's to pay damages, the judges noted.
"First Data simultaneously began withholding the proceeds of routine payment card transactions from Spec's, placing them in a reserve account," the justices wrote. But Spec's ultimately objected to reserving funds for payment of assessments, relying on the consequential damages waiver in the Merchant Agreement, the contract between the parties. "When Spec's filed suit, First Data had withheld approximately $2.2 million (the total would eventually reach $6.2 million)," the justices stated.
The district court ruled in favor of Spec's based on two findings: First, the justices determined that card brand assessments are consequential damages, which removes Spec's liability under the merchant agreement's limitation clause. Second, they declined to treat card brand assessments as "third-party fees and charges," again removing Spec's liability, according to agreement terms.
These two determinations paved the way for a decision against First Data, which found the processor had violated the terms of its merchant agreement with Spec's "when it diverted funds to reimburse itself for the card brand assessments."
First Data is vigorously appealing the above definitions, citing language from the contract and pushing for further review. Counsel for the defendant holds that Spec's is liable for assessments under the contract's indemnification clause and that the assessments are clearly "third-party fees and charges," as stated in Section 5 of the agreement. "We find both arguments unpersuasive," the defendant's attorneys stated.
The court concluded that First Data had reasonably expected Spec's to maintain PCI-compliant POS systems, but the merchant's failure to achieve compliance fell short of "substantially defeating the contract's purpose." If upheld on appeal, this decision may ultimately shift data breach expenses and liability to merchant acquirers and processors, legal analysts noted.