Court Rules in Favor of Breached Retailer
Processor, Merchant Bank Liable for More Breach Expenses
A breached retailer has won a court ruling against its payments processor and merchant bank, setting a $500,000 cap on how much it must pay for a point-of-sale breach it suffered in late 2012. Now the processor and bank must pick up the rest of the breach-related tab.
Security and legal experts say the case isn't likely to set a precedent for other breach cases involving retailers, although it could push processors and banks to more carefully spell out retailers' breach-related contractual obligations.
On Jan. 15, the U.S. District Court for the Eastern District of Missouri ruled that the St. Louis-based grocery chain Schnuck Markets Inc. was not the sole party responsible for covering losses and expenses associated with its payments breach, which is estimated to have compromised some 2.4 million credit and debit cards.
In its 18-page ruling, the court found that Schnucks' contractual obligations for breach recovery and losses were limited to $500,000 because the retailer's payments processor, First Data Merchant Services Corp., and its merchant bank, Citicorp Payment Services Inc., did not specify in their contracts that breach liability unrelated to PCI compliance could exceed $500,000.
In fact, the court found that First Data and Citicorp were contractually responsible to cover more of the breach-related expenses than Schnucks, which was breached in late 2012 in a malware attack that infected its POS system.
Schnucks in November sued First Data and Citicorp, claiming the two companies breached their contracts with Schnucks by withholding too much money from card transactions processed for the grocery chain to set aside for anticipated breach expenses.
Schnucks argued that the withheld funds were "in excess of the defined limitation and in violation of the provisions permitting defendants to establish a reserve." First Data and Citicorp claimed those funds were being put toward paying off expenses, fees and losses associated with Schnucks' breach, according to the ruling.
PCI Compliance Not an Issue
In his ruling, District Judge John A. Ross notes that if First Data and Citicorp had claimed Schnucks was not compliant with the Payment Card Industry Data Security Standard at the time of its breach, then they may have been justified in asking Schnucks to cover breach losses and expenses of up to $3 million.
But because PCI compliance was not brought into question, the judge sided with Schnucks, agreeing with the retailer's claims that its contracts with both parties clearly outline a liability limitation of $500,000.
"Schnucks' maximum liability under the terms of the agreement for issuing bank losses assigned by the [card] associations for monitoring/card replacement and counterfeit fraud losses as a result of the data security breach is $500,000," Judge Ross writes. "Defendants must return to Schnucks any funds held in excess of that amount, plus the Visa fine and MasterCard case management fee."
The total amount withheld from Schnucks for breach-related expenses is not noted in the ruling.
Schnucks declined to comment about the case, and First Data and Citicorp could not be reached for comment.
"Acquirers and processors should be mindful of this ruling," says Al Pascual, Javelin Strategy and Research's director of fraud and security. "It implies that they could have more skin in the game than previously thought. Protecting card data from compromise is best managed as a joint effort between merchants and their payment providers, and other businesses would do well to emulate Schnucks' actions to ensure that the responsibility is shared equally."
Importance of Contract Precision
Jeff Man, security strategist and evangelist at network monitoring specialist Tenable Network Security, says Schnucks appears to have benefited from the imprecise language of its contracts with First Data and Citicorp.
"Not just First Data, but many payment processors that are also functioning as the acquiring bank, or at least managing the direct relationship with the bank, like a proxy, are in the same boat," Man says. "They all but say 'Do business with us and you will be covered for PCI,' and, really, this is their legitimate risk-based decision. But when a breach happens, they have to absorb the costs, because it was their risk decision, not their merchant customers'."
Man says this is the first breach-related case he's seen involving a retailer that does not call PCI compliance into question, and he speculates that's because First Data was the party responsible for Schnucks' compliance.
Privacy attorney Ron Raether says he doubts the case will have much impact on the payments industry because it involves interpretation of a contract.
"The decision to cap liability at $500,000 was based on language in the agreement," Raether says. "The decision will be important for other merchants that use the same card processors or have similar language. My guess is that the contract language at issue will be changed, and then the subject of more negotiation and scrutiny."
Schnucks, according to the St. Louis Business Journal, previously settled a class-action suit filed by consumers in April, which sought unspecified damages for cardholders whose personally identifiable information was exposed (see Schnucks Sued Over Malware Attack).
In October, a suit filed by Schnucks' insurer, Liberty Mutual Insurance Co., was dropped after the retailer announced that it was working with Liberty Mutual to reach a settlement outside the courts (see Schnucks' Insurer Drops Breach Lawsuit).