Merchant Found Not Liable for Data Breach Assessments

29 Oct

A federal court’s interpretation of a merchant contract resulted in the merchant not being liable for card brand security breach assessments. It may be worthwhile to examine and revise your merchant agreement in light of that ruling.

In Specs v. First Data, decided June 2019, the US Court of Appeals for the Sixth Circuit ruled that the limitation of liability clause in First Data’s merchant agreement took precedence over the agreement’s indemnification clause, and therefore that the merchant was not liable for card brand penalties. The indemnity obligated the merchant to reimburse First Data for any losses arising out of merchant violations of card brand rules, whereas the limitation of liability exempted the parties from indirect and consequential damages. The court found that card brand penalties qualified as consequential damages.

The merchant, a chain of Texas liquor stores, fell victim to a data breach due to substandard data security measures in violation of PCI requirements. In response, Visa and Mastercard levied millions of dollars in assessments on the acquiring bank. These assessments flowed down to First Data, which in turn tried to pass them through to the merchant.

The merchant refused to reimburse First Data. It cited the contract’s limitation of liability clause, which included customary language excluding indirect or consequential damages. The court endorsed the merchant’s position, holding that this provision trumped the merchant’s indemnification obligations.

First Data argued that the penalties were direct, not consequential, damages, asserting that the limitation of liability provision did not apply because the card brand fines followed directly from the merchant’s PCI non-compliance. The court disagreed, pointing out that the card brands exercise considerable discretion in imposing assessments following a breach. For this and other reasons, the court concluded that these assessments constituted consequential, not direct, damages, and were therefore covered by the limitation of liability clause.

This outcome might have been avoided if the limitation of liability language had carved out assessments from excluded damages by specifically stating that penalties and fines constitute direct damages. Hindsight is 20/20, and such specificity is atypical in merchant contracts. But now that one court has interpreted merchant agreements this way, it may be worth taking a look at, and potentially revising, your merchant agreement to be sure you are covered.

–Holli Targan and Daniel Ungar

Attorneys, Jaffe, Raitt, Heuer & Weiss, P.C.

Daniel Ungar

Daniel M. Ungar is a member of the firm's Electronic Payments Group and Privacy and Datasecurity Group. Daniel, a former patent examiner in the areas of crypto- and cybersecurity, holds an advanced computer science degree from Johns Hopkins University and a J.D. from Harvard Law School.

dungar@jaffelaw.com
