
Cap on supermarket’s liability in data breach affirmed on appeal


A federal appeals court on Friday affirmed a $500,000 cap on a St. Louis-based supermarket chain’s liability to its payment processor and merchant bank in connection with a data breach.

Schnuck Markets Inc., which had suffered a data breach between December 2012 and March 2013, filed suit against Atlanta-based First Data Merchant Data Services Corp. and Jacksonville, Florida-based Citicorp Payment Services Inc., claiming they were withholding more transaction money than their merchant payment processing agreement permits in order to reimburse banks that issued payment cards affected by the attack, according to court papers in Schnuck Markets Inc. v. First Data Merchant Data Services Corp. and Citicorp Payment Services Inc.

At issue in the litigation was the master services agreement between Schnucks and First Data, under which First Data agreed to provide credit and debit card processing service for the supermarket chain.

The agreement states Schnucks must indemnify the defendants for “all losses, liabilities, damages and expenses” under certain circumstances, “but limits Schnucks’ liability to $500,000.”

An exception to that limit is “chargebacks, services fees, third-party fees and fees, fines or penalties” assessed by payment card networks.

In a June 2015 ruling, the U.S. District Court in St. Louis agreed with Schnucks that the exception does not apply and that Schnucks’ liability is limited to $500,000.

On appeal, a unanimous three-judge panel of the 8th U.S. Circuit Court of Appeals in St. Louis agreed with the lower court that the exception does not apply. Fees have been defined as sums paid or charged for services, said the opinion.

These fees “do not qualify as payments for services, because they are imposed to compensate issuing banks for losses they sustained as a result of a data breach, not as compensation for performing services,” said the panel.

“Defendants argue that the contract is ambiguous because Schnucks’s interpretation leads to the commercially unreasonable result of requiring defendants to act as Schnucks’s insurer,” said the ruling.

“We need not decide this question, because the underlying business arrangement, which represents defendants’ choice to vouch for Schnucks’s compliance with data-security standards, is not rendered commercially unreasonable merely because the limitation on Schnucks’s liability is broader than defendants now wish it to be,” said the ruling, in upholding the lower court’s decision.