On June 7, 2019, in Spec’s Family Partners, Limited v. First Data Merchant Services, LLC, the Sixth Circuit Court of Appeals heard an appeal arising out of two data security breaches at Spec’s Family Partners’ (“Spec’s”) businesses, which compromised customer payment card information. Spec’s operates liquor stores throughout the State of Texas. As many retailers do, Spec’s allows its customers to purchase goods using their credit cards backed by companies like Visa and Mastercard.
In order to accomplish this, Spec’s sits at the bottom of a line of contractual relationships supporting the payments industry. Specifically, Spec’s contracted with a processor, First Data, to provide it with credit and debit card processing services. First Data, in turn, contracted with a sponsor bank, Citicorp Payment Services, Inc. (“CPSI”), to submit transactions to the card brands on behalf of merchants. CPSI has contracts with the card brands (i.e., Visa and Mastercard), which, in turn, have contracts with banks that issue credit cards (“issuing banks”).
In 2012 and 2013, Spec’s was a victim of attacks on its payment card network when cyber attackers installed malware and accessed customer data. An investigation determined that Spec’s failed to fully comply with the Payment Card Industry Data Security Standard requirements (“PCI DSS”) before the attacks, so its system was particularly vulnerable. The attacks caused a cost-shift down the payments chain. The issuing banks incurred substantial costs from reimbursing defrauded cardholders and replacing cards, and the card brands issued assessments on the sponsor bank, CPSI, to cover those costs. CPSI then demanded reimbursement from First Data pursuant to their contract and, in turn, First Data sought reimbursement from Spec’s pursuant to their contract – the Merchant Agreement. First Data began withholding the proceeds of routine credit card sales transactions from Spec’s and placed the funds in a reserve account to recoup the amounts it owed to CPSI. But Spec’s refused to pay First Data, relying on the waiver of consequential damages provision in the Merchant Agreement. Spec’s then sued First Data for breach of contract. At the time Spec’s filed suit, First Data had withheld approximately $2.2 million (the total ultimately reached $6.2 million).
First Data sought to recover the assessments from Spec’s under the Merchant Agreement’s indemnity provision. This provision required Spec’s to indemnify First Data for “any and all claims, demands, losses, costs, liabilities, damages, judgments, or expenses arising out of or relating to certain circumstances.” However, the provision also foreclosed Spec’s liability for “special, indirect, incidental, or consequential losses or damages.” The Merchant Agreement also required Spec’s to pay “any and all third-party fees and charges associated with the use of [First Data’s] services.” The Merchant Agreement contained no reserve language.
The Sixth Circuit ruled in favor of Spec’s, finding that the card brand assessments were consequential damages that were waived under the Merchant Agreement. Under the law in most states, consequential damages are considered to be the natural consequences of the conduct at issue, but not the necessary result. Applying this definition, the court held that the assessments, though a natural result of Spec’s non-compliance with PCI-DSS, did not necessarily follow from it. Put differently, even if a merchant is in violation of PCI-DSS, no data breach may ever result. Also, the card brands exercise discretion when issuing assessments, do not always impose them, and do not impose assessments for PCI-DSS non-compliance alone. Thus, the assessments did not necessarily follow from Spec’s non-compliance. As such, they constituted consequential damages that were expressly waived in the Merchant Agreement.
The court also held that the assessments could not be imposed upon Spec’s as “third-party fees and charges” for which it had liability under the Merchant Agreement. The court concluded that the plain language of this provision referred to routine charges associated with card processing services rather than liability for a data breach.
Because the Merchant Agreement barred First Data from recovering the card brand assessments from Spec’s, the court held that First Data materially breached the Merchant Agreement when it withheld settlement funds from Spec’s and diverted them to a reserve account.
First Data argued that Spec’s breached the Merchant Agreement first when it failed to comply with PCI-DSS and, thus, First Data could not be responsible for breach when it diverted funds to the reserve. The court acknowledged that Spec’s did technically breach the contract with its PCI-DSS non-compliance, but that the breach was immaterial and Spec’s took steps to cure the breach. In part, the court found that the breach was immaterial because the parties continued to perform under the contract after the attacks highlighted Spec’s compliance issues. Accordingly, First Data could not have considered the non-compliance with PCI-DSS vital to the existence of the contract. The court also concluded that Spec’s non-compliance with PCI-DSS fell short of substantially defeating the contract’s purpose.
On the contrary, the court concluded that the Merchant Agreement’s requirement for First Data to credit and debit Spec’s account in connection with the payment processing services provided was an essential term of performance. As such, when First Data unilaterally diverted funds from Spec’s settlement account to reimburse itself for the assessments, First Data deprived Spec’s of its principal benefit under the contract.
As a result, the court affirmed judgment in favor of Spec’s and First Data was required to bear the entire amount of assessments imposed by the card brands plus interest.
The moral of this story is that the language in your processing contract is critically important. Although this case is only binding on states that are within the Sixth Circuit’s jurisdiction (Tennessee, Ohio, Kentucky, and Michigan), the ruling is instructive as a sign of what may be to come. Courts may not always allow processors to pass through each and every fine, fee, or assessment from the card brands or sponsor banks as many customarily do. The devil is in the details of your contract, which should clearly express the parties’ intent.
Processors, as well as merchants, should therefore carefully review the language of their agreements to make sure that all parties understand what liability can be passed through, as well as when and how a processor may impose a reserve account. For example, carefully review the following provisions:
- Indemnification – ensure the contract clearly describes the losses and conduct for which merchants are required to indemnify processors. Among other things, consider specifically calling out fines, fees, and card brand or other issuing or sponsor bank assessments in the indemnity provision.
- Third-Party Fees – make sure the contract clearly states which third-party fees, charges, fines, assessments, or other amounts the merchant is liable to pay and under what circumstances. Simply saying that a merchant is responsible to pay all third-party fees and charges may not be enough.
- Waiver of consequential damages – parties often fail to carefully consider when they may want to prohibit the recovery of consequential damages, or not. This provision often gets cut and pasted from contract to contract as mere “boilerplate” and slips under the radar because a waiver of consequential damages is often included with a waiver of other types of damages, such as punitive damages, that contracting parties commonly want to avoid. In light of this ruling, and the potential for assessments or other imposed amounts to be considered as consequential damages, consider removing language that waives the recovery of such damages. Alternatively, if you don’t want to allow recovery of all types of consequential damages, consider expressly stating the specific types of consequential damages that may and may not be recovered under the contract.
- Reserve Account – ensure contract language is clear about when and for what reasons settlement funds may be diverted into a reserve account. Also, when deciding whether or not to divert funds into a reserve account, processors should carefully evaluate the contract and ensure there is a valid basis for creating a reserve account before doing so to avoid possible unintended liability for breaching the contract.
It is vitally important to review your processing agreements from time to time and modify them as necessary to ensure that the agreement clearly spells out what each party intends in terms of matters such as passing through fines, fees, and assessments, indemnification, and reserve accounts. Processors should not simply assume that all amounts imposed on them, including fines and assessments, may automatically be passed through to the merchant if the contract does not clearly allow this.
For assistance with reviewing your contracts, or other payment processing matters, please contact Andrea L. Marconi of Fennemore Craig, P.C.