Login Register Subscribe
Current Issue

Data breach loss capped at $500,000

Reprints

A St. Louis-based supermarket chain has a $500,000 cap on how much it must pay for a data breach it suffered in 2012 and 2013, says a federal court in a case filed by the retailer against its payments processor and merchant bank.

Schnuck Markets Inc. had suffered a data breach between December 2012 and March 2013. The supermarket chain filed suit against Atlanta-based First Data Merchant Data Services Corp. and the associated Jacksonville, Florida-based Citicorp Payment Services Inc., claiming they were withholding more transaction money than their merchant payment processing agreement permits in order to reimburse banks that issued payment cards affected by the attack, according to the Jan. 15 ruling by the U.S. District Court in St. Louis in Schnuck Markets Inc. v. First Data Merchant Data Services Corp. and Citicorp Payment Services Inc.

At issue in the litigation is the master services agreement between Schnucks and First Data, under which First Data agreed to provide credit and debit card processing services for the supermarket chain.

That agreement states Schnucks must indemnify the defendants for “all losses, liabilities, damages and expenses” under certain circumstances, “but limits Schnucks' liability to $500,000.” An exception to that limit is “chargebacks, servicers' fees, third party fees and fees, fines or penalties” assessed by payment card networks.

The two sides disagree on whether this exception applies to this case. In his ruling, U.S. District Judge John A Ross agrees with Schnucks that the exception does not apply and that Schnucks' liability is limited to $500,000.

“After careful review of the parties' agreement as a whole, and following the well-established principles of contract interpretation, the Court finds the exception for 'third party fees' and 'fees, fines and penalties' was not intended to apply to liability for issuer losses assessed” by the payment card networks, Judge Ross said in the ruling.

Among several reasons for this is that while “the exception lists specific fees, fines and penalties that are excluded from the limitation of liability clause,” it “does not list anything equivalent to issuer losses,” Judge Ross said in ruling in Schnucks' favor.

The ruling states the defendants must return to Schnucks any funds held in excess of $500,000, plus the Visa fine and MasterCard case management fee. The amount involved is not specified in the ruling.