In this second article of our three-part series on payments contracts and drafting considerations, we discuss a recent decision from the Sixth Circuit Court of Appeals.
In Spec’s Family Partners, Ltd. v. First Data Merch. Servs. LLC, No. 17-5884, 2019 WL 2407306 (6th Cir. June 7, 2019), a unanimous three-judge panel ruled that the payment processor was liable to Spec’s for withholding certain payments it used to reimburse itself for data breach-related fines. The case involved a Houston-based liquor-store chain, Spec’s Family Partners, which sued its payment processor, First Data Merchant Services, over withheld payments. Spec’s, which operates dozens of liquor stores around Texas, fell victim to attacks on its payment card network. This led to millions of dollars in damage-control costs, which the major credit card brands and their associated banks passed on to First Data.
An investigation revealed that Spec’s was out of compliance with the Payment Card Industry Data Security Standards (“PCI-DSS”). First Data footed the data-breach-related costs and began withholding routine payments to Spec’s to make up the difference. Spec’s sued, and the district court awarded judgment to Spec’s. See Spec’s Family Partners, Ltd. v. First Data Merch. Servs. LLC, at *1.
On appeal, First Data asserted that the Merchant Agreement, which governed its payment processing relationship with Spec’s, made Spec’s liable for the card brand assessments. It argued that an indemnification provision and a third-party fees provision in the contract assigned liability to Spec’s for costs incurred as a result of the data breach:
[First Data is held harmless from and against] any and all claims, demands, losses, costs, liabilities, damages, judgments, or expenses arising out of or relating to (i) any material breach…; [or] (ii) any act or omission by [Spec’s] that violates… any operating rules or regulations of Visa or MasterCard;
[First Data had a right to receive] any and all third-party fees and charges associated with the use of [First Data’s] services, as modified from time to time, including without limitation all telecommunications costs (except for toll charges relating to dial-up transactions) and all Network fees and charges. [First Data] will debit Merchant’s designated settlement account daily in the amount of the interchange fees owed a Credit Card Issuer or other Networks.
Spec’s countered that limitations in the “consequential damages” provision trumped the provisions First Data relied on:
In no event shall either party’s liability of any kind to the other hereunder include any special, indirect, incidental, or consequential losses or damages, even if such party shall have been advised of the possibility of such potential loss or damage.
Accordingly, the dispute between the parties boiled down to whether the card brand assessments passed down to First Data from the banks or card brands constituted “consequential” damages. Id. at *2-4 (noting that consequential damages are losses that “are a natural or foreseeable result of a party’s conduct but do not necessarily follow from the conduct” in agreeing with Spec’s argument that the data breach was a consequential damage, as the breach did not result from its non-compliance with industry standards). If they did, Spec’s was exempt under the limitation provision; if not, First Data was entitled to withhold payments.
The Court carefully reviewed the Merchant Agreement, noting that it failed to define the term “third-party fees and charges,” requiring the Court to look at the usual and ordinary meaning of the words in the dictionary. After its own analysis, the Court determined that “third-party fees and charges” did not include assessments, and Spec’s could not be required to pay for the costs relating to the data breach based on that language. Furthermore, the Court determined that First Data never included assessments within any of its “fees” set out in the “Merchant Data Sheet.” Id. (noting “the Data Sheet lists routine transaction costs like a ‘Monthly maintenance/Support’ fee and fees for ‘Adjustments/Chargebacks.’”) Although the Data Sheet did reference “issuer reimbursement fees,” the principal Mastercard operating regulations reveal that the phrase referred to “excessive chargebacks,” not assessments arising from a data breach. Id. (noting excessive chargebacks are “fees imposed by the card brands when they reverse a transaction and recoup funds from a merchant, not assessments arising from a data breach.”).
The Court determined that the data breach was a consequential damage of non-compliance with the PCI-DSS rather than a direct result, which brought the consequential damages provision of the Merchant Agreement to the forefront. The Court also determined that First Data could neither shift costs to Spec’s under the indemnification provision nor rely on the “third-party fees and charges” language, which the Court determined referenced routine charges associated with card processing services, not amounts assessed due to a data breach.
This decision reflects a shift from the common assumption that all third-party liabilities are passed on to merchants under merchant agreements. Although the Sixth Circuit’s decision primarily bears weight within the Court’s geographic footprint—Kentucky, Ohio, Michigan, and Tennessee—the ruling should encourage acquirers, sponsors, processors, and merchants across the nation to take a close look at how their contracts assign liability for data breaches and other network assessments. Specifically, all parties should ensure their contract accurately—and unambiguously—reflects the agreement of the parties as to risk allocation.
This post originally appeared in Frost Brown Todd’s Blockchain and Banking Blog on July 15, 2019.