Store's data breach reveals payment card liability quandary

A data breach at Midwest grocer Schnucks raises questions about the limitations and enforcement of payment card agreements with banks and card processors. Eduard Goodman, chief privacy officer of data privacy consulting firm IDT911, discusses the likelihood that such agreements will be rewritten, ensuring retailers are liable for settlements resulting from legal action around breaches.

A recent ruling in a data breach lawsuit could have ramifications that spread far across the retail sector and insurance industry. The breach at Schnuck Markets Inc., a grocery chain with locations throughout the Midwest, ran for more than three months from late 2012 to early 2013 and involved malicious code inserted into the retailer's systems that siphoned data from payment cards swiped at 79 of its nearly 100 stores.

After being alerted to the possibility of an intrusion by its card processor, it took Schnucks and an outside security firm another two weeks to identify, isolate and close down the breach. In all, 2.4 million credit and debit cards were exposed.

Afterward, Schnucks faced several liabilities, not the least of which were class action lawsuits by customers whose cards were affected, which resulted in a $2.1 million settlement agreement. However, one of the most problematic liabilities was the imposition of “assessments” against Schnucks by its card processor and bank, First Data Merchant Services Corp. and Citicorp Payment Services Inc., respectively. These costs were claimed under contracts that First Data and Citicorp say exposed Schnucks to uncapped liability for “third-party fees” or “fees, fines or penalties.”

Schnucks, in turn, sued First Data and Citicorp, asserting that they had withheld too much money to cover the reimbursements requested by banks whose cards were affected by the exposure. The merchant payment processing agreement is at the crux of the litigation. Schnucks argued that the agreements limited the company's liability to $500,000 with certain enumerated exceptions that included reimbursement for disputed charges and other fees, fines and penalties.

Schnucks further claimed that there was no reference to data breach in the liability limit exceptions. First Data and Citicorp contended the exceptions were applicable to data breaches and to this particular breach. A federal judge agreed with Schnucks and ruled that its liability in the exposure should be capped. The decision leaves the bank and payment processor responsible for the rest.

This is likely to force a language change in future processor, bank and card operating agreements so that data breaches are specifically named among the events that trigger penalty-based fines and assessments. With that in mind, there are a few main points business owners, risk managers and management should understand about this case and its potential implications.

The first is that potential contractual liability for data breaches under bank, payment processor and card agreements is intended by those organizations to be uncapped. While the court has agreed with Schnucks that the language of the agreements in question was vague at best, organizations must closely review all applicable agreements they sign and execute with all parties when it comes to payment card processing. There needs to be an understanding that any perceived failures in security that lead to a card breach will result in an attempt by the payment card industry to impose massive penalties, or “assessments.”

The Schnucks ruling made it clear that, under the standard form of payment card operating agreement at issue, card institutions, banks and processors can hold a retailer liable for no more than $500,000 in fines and penalties unless the agreement expressly says otherwise. Unfortunately, most organizations prefer to pay these assessments rather than fight them.

Second, corporate risk managers need to recognize that while liability in the form of consumer class actions for these card breaches is typically very low, the contractual liability to the processors, banks and card companies remains wide open. In many cases, the assessments that result from a breach event will simply be taken from the retailer based on some questionable, predetermined formulas cooked up by the card companies. In looking at the Schnucks situation, it's clear that few protections exist for the breached organizations unless the organizations choose the route of costly defensive litigation against corporate behemoths like VISA or Mastercard.

This is where commercial insurance coverage, particularly cyber policies, comes into play. From a company's risk management perspective, one may think that such coverage will protect against these payment card industry driven assessments. However, a close read of many commercial cyber and data breach coverages reveals that the vast majority of “off the shelf” data breach policies specifically exclude contractual liability related to a breach. This means that there would be no coverage for legal defense against the imposition of assessments, let alone to pay the contract-based assessment.

Finally, businesses large and small need to recognize that the banks, card processors and card brands are not their friends — or enemies — but rather they are necessary players when it comes to an entity's ability to accept payment cards. While banks, payment processors and the card companies are partners in the payment ecosystem in which businesses participate, these institutions have their own agendas, goals and legitimate interests in preserving the system they have built into a billion dollar industry.

Where does the breach fallout go from here?

This case gets to the heart of the reasonableness (or lack thereof) of nebulous assessments within the payment card system. The card companies have been trying to avoid these cases and decisions as they set very bad precedents for them when it comes to their ability to recoup losses, particularly without solid data to substantiate their claims.

A few public attempts to claw back overzealous fines have been made. One state court case, Cisero's Inc. and Theodora McComb v. ELAVON Inc., filed in Summit County District Court, Utah, on Aug. 8, 2011, concerned a similar situation at Cisero's Ristorante and Nightclub in Park City, Utah. Cisero's was targeted by the card companies for a perceived data breach affecting cards used at the restaurant. The suit centered on the fact that, after Cisero's had closed its accounts with U.S. Bank, the bank paid an assessment to Visa and Mastercard without Cisero's consent and then sued the restaurant for the resulting overdraft. The case quietly disappeared, possibly indicating that a settlement was reached that prohibited its public disclosure.

Another case, Genesco Inc. v. VISA U.S.A. Inc.; VISA Inc.; and VISA International Service Association, filed in U.S. District Court, Middle District of Tennessee, March 7, 2013, disputes the imposition of assessments by the card companies against Tennessee-based retail giant Genesco Inc., whose brands include Johnston & Murphy, Journeys shoe stores and Dockers Footwear.

There, a payment card incident resulted in a $13 million assessment levied against Genesco by Visa Inc. The dispute centers on whether a breach even occurred, as well as on the extremely vague and sometimes contradictory language in the agreement. That case is ongoing, with Genesco seeking sanctions against Visa last summer for failing to cooperate in good faith with discovery requests. That development is not surprising, though the outcome is still up in the air.

Since these are standard agreements used by payment card processors, banks, and card companies, many other retailers likely have similar liability limitations. This means that these agreements will likely change. Prudent businesses and the insurers that underwrite them may consider reviewing those agreements and their liabilities associated with accepting payment cards as the data breach and litigation landscapes evolve.

Eduard Goodman is chief privacy officer at IDT911. He can be reached at egoodman@idt911.com or 480-355-4940.