ContractsProf Blog

Editor: Myanna Dellinger
University of South Dakota School of Law

Thursday, April 6, 2017

Cyberattack liability

“Fees, fines or penalties” do not cover fraudulent charges incurred on commercial parties during a cyberattack. So ruled the Eight Circuit Court of Appeals in Schnuck Markets, Inc., v. First Data Merchant Serivces Corp., et al., (No. 15-3804, Jan. 13, 2017). 

Schnuck is a retail supermarket chain. First Data served as its credit card processor and Citicorp as its “acquiring bank.” Such a bank is one that pays the merchant and is reimbursed by the issuing bank. The acquiring bank sponsors the merchant into credit card association networks, in this case VISA and MasterCard. It also vouches for the merchant’s compliance with the associations’ rules. Unknown

Schnuck signed a contract with First Data and Citicorp for the credit card arrangement. Among other things, the agreement stated that liability under the relevant section of the contract “shall not apply to Schnucks’ liability for chargebacks, servicers’ fees, third party fees, and fees, fines or penalties … by the Association or any other card or debit card provide under this [agreement].”

In March 2013, a cyberattack against Schnucks compromised cardholder data. First Data and Citicorps subsequently withheld not only the fees and costs that MasterCard assessed against these corporations from payments to Schnucks, but also the fraudulent charges from the cyberattack itself. Schnuck filed suit, alleging breach of contract. At bottom, Schnucks agreed that it was liable for only actual fees and fines, but not the actual losses incurred by the issuing banks. Unknown-1

The court agreed. The payment of a “fee” is a payment for a service, not reimbursement for another party’s losses. Furthermore, since the contract does not mention anything about reimbursement for data compromise events, the banks were not in a legal position to get reimbursed for those. “Fines” and “punishment” describe, more narrowly, only sums imposed as a punishment and not data compromise losses.

Supermarket wins; banks lose. Good thing that the card holders were not involved here. The bigger loss is, of course, that shared by all of us; financiers, vendors, and card users when internet-based losses such as this happen. Another cost that undoubtedly will be built into the pricing scheme will result, but apparently, such is the nature of electronic transactions these days.

http://lawprofessors.typepad.com/contractsprof_blog/2017/04/cyberattack-liability.html

Current Affairs, Web/Tech | Permalink

Comments

Post a comment

If you do not complete your comment within 15 minutes, it will be lost. For longer comments, you may want to draft them in Word or another program and then copy them into this comment box.