By Dawn Causey, Thomas Pinder and Andrew DoersamBanks frequently absorb fraud losses when the consumer is compensated for damage done by other sectors. When retailers with questionable security protocols are breached, banks support the customer throughout the fraud cycle: consumer outreach and notification, card reissuance, enhanced transaction monitoring and reassurance that the bank’s systems are safe.
The payment brands provide processes for banks to recover some costs and to assign liability for transaction losses—and the EMV chip card transition both created liability incentives for retailers to accept payment credentials which are less susceptible to fraud and introduced technologies to drive down the frequency of card reissuances.
But as data breaches have continued to become more pervasive, some financial institutions are now suing merchants to recover additional data breach costs which may fall outside of those covered in contracts with payment brands. A recent Seventh Circuit decision provides a glimpse into how courts analyze liability for data breaches when there are established contracts governing data security.
In 2012, hackers infiltrated Schnucks, a large Midwestern grocery chain, and stole nearly 2.5 million credit and debit card numbers in a breach believed to have continued for four months before Schnucks detected the intrusion. Once Schnucks recognized that its systems had been compromised by hackers, the grocer took another two weeks before announcing the breach publicly. Financial losses from the unauthorized purchases and cash withdrawals made using the stolen data reached into the millions.
In response, banks issued new cards and promptly reimbursed their customers and sought compensation available under contractual frameworks in place at the time of the breach. Four banks filed a claim against the merchants, seeking to recover the data breach costs that were not reimbursed by their payment brand contracts. The banks invoked several common law tort theories seeking compensation from the grocer and sought damages for losses incurred because Schnucks negligently failed to detect the breach until several months after the initial intrusion.
The Seventh Circuit dismissed the banks’ claims, holding that the banks’ remedies were confined to the provisos of their card brand contracts and, as a result, they could not use alternative litigation to recover additional costs. The court concluded the banks and Schnucks participate in a complicated network of contracts that unite all the participants in the card payment system. When banks and merchants joined the card payment system, they agreed to abide by the payment card industry data security standard, or PCI DSS. Merchants such as Schnucks agreed to pay a fine assessed under payment brand rules in the event that they (the merchants) were responsible for data breaches and unauthorized card activity. The court decided that the banks accepted the risk of not being fully reimbursed for the costs of Schnucks’ mistake, and as a result, cannot seek additional recovery because the banks were “disappointed” with their reimbursement.
The court also reiterated that state courts generally decline to impart tort liability in instances where one business inflicts purely economic loss on another and their interactions are governed by contract. Additionally, the court dismissed the banks’ consumer protection claims, concluding that the banks’ charge that Schnucks failed to implement and maintain reasonable payment card data security measures was not enough to prove fraud by the merchant. Finally, the court rejected the banks’ unjust enrichment, implied contract and third-party beneficiary claims under contract law principles and state laws in Missouri and Illinois.
The court recognized that the electronic card payment processing system is a complex network of contracts between various parties. Although the banks did not contract directly with Schnucks, the court found the card network contract sufficiently demonstrated that the parties had taken adequate steps to allocate the economic risks of a data breach.
In the absence of demonstrated retailer commitment to implement PCI DSS compliant safeguards, banks may continue to turn to the courts while also supporting federal data breach legislation that extends Gramm-Leach-Bliley Act-like requirements to other sectors and creates a legal framework for financial accountability. Even though banks incur obvious costs on the back end of data breaches, the Schnucks decision suggests that banks should not expect relief from the courts when faced with losses caused by retailer negligence.
Dawn Causey is general counsel at ABA, where Thomas Pidner is SVP for litigation and Andrew Doersam is a paralegal.