United States District Court, E.D. Missouri, Eastern Division
January 15, 2015
SCHNUCK MARKETS, INC., Plaintiff,
v.
FIRST DATA MERCHANT DATA SERVICES CORP., and CITICORP PAYMENT SERVICES, INC., Defendants
For Schnuck Markets, Inc., Plaintiff: Craig A. Hoffman, LEAD ATTORNEY, PRO HAC VICE, BAKER AND HOSTETLER, Cincinnati, OH; Daniel R. Warren, LEAD ATTORNEY, BAKER AND HOSTETLER, LLP, Cleveland, OH; David P. Niemeier, Kevin F. Hormuth, LEAD ATTORNEYS, GREENSFELDER AND HEMKER, PC, St. Louis, MO.
For First Data Merchant Data Services Corp., Citicorp Payment Services, Inc., Defendants, Counter Claimants: Amy C. Purcell, Joshua Horn, LEAD ATTORNEYS, FOX ROTHSCHILD, LLP, Philadelphia, PA; Lucy H. Unger, LEAD ATTORNEY, Patrick I. Chavez, WILLIAMS AND VENKER, St. Louis, MO; Nicholas T. Solosky, LEAD ATTORNEY, FOX ROTHSCHILD LLP, Washington, DC.
For Schnuck Markets, Inc., Counter Defendant: Daniel R. Warren, LEAD ATTORNEY, BAKER AND HOSTETLER, LLP, Cleveland, OH; David P. Niemeier, Kevin F. Hormuth, LEAD ATTORNEYS, GREENSFELDER AND HEMKER, PC, St. Louis, MO.
MEMORANDUM AND ORDER
JOHN A. ROSS, UNITED STATES DISTRICT JUDGE.
This matter is before the Court on cross-motions for judgment on the pleadings. (Doc. Nos. 37, 43) The motions are fully briefed and ready for disposition.
This action arises out of a cyber attack on grocery store chain Schnuck Markets, Inc. (" Schnucks" ) in late 2012 through early 2013 which compromised certain of its customers' debit and credit card information. Schnucks asserts causes of action for breach of contract and declaratory judgment against its transaction processing servicers, First Data Merchant Services Corporation (" First Data" ) and Citicorp Payment Services, Inc. (" Citicorp" ) (collectively " Defendants" ), claiming Defendants are withholding more transaction money than their merchant payment processing agreement permits in order to reimburse banks that issued payment cards affected by the attack.
In October 2011, Schnucks and First Data entered into a Master Services Agreement ("MSA") under which First Data agreed to provide credit and debit card processing services for Schnucks. (Doc. No. 37-1) At the same time, Schnucks, First Data, and Citicorp entered into a Bankcard Addendum to Master Services Agreement ("Bankcard Addendum"), which set forth the terms and conditions by which Defendants agreed to provide credit and debit card processing services for Schnucks. (Doc. No. 37-2) The Bankcard Addendum incorporates the terms of the MSA and First Data's Program Terms and Conditions ("Operating Procedures"). (Doc. No. 37-3) Both the MSA and Bankcard Addendum incorporate the rules and regulations of the card brands Visa and MasterCard ("the Associations"). (See Visa International Operating Regulations ("VIOR") (Doc. No. 44-2); MasterCard Security Rules and Procedures ("MasterCard Rules") (Doc. No. 44-3), collectively "Association Rules"). The Association Rules subject Defendants to liability to the Associations in the event of data breach. If the Associations determine that a merchant was not compliant with payment card industry data security practices, they may assess a "non-compliance fine" and/or a "case management fee" against the acquiring bank, in this case, Citicorp. In addition, when the data breach involves data from the magnetic stripe of payment cards, the Association may issue assessments against the acquiring bank to reimburse banks that issued the compromised cards for two categories of losses: (1) the amount the issuing banks spent to monitor or cancel and re-issue at risk cards; and (2) the amount of fraudulent charges on the at risk cards. (See Visa Global Compromised Account Recovery ("GCAR") program (VIOR at 802); MasterCard Account Data Compromise Recovery ("ADCR") program (MasterCard Rules §§ 10.2.5.3; 10.2.6))
The MSA, Bankcard Addendum, and Operating Procedures (collectively referred to as the " Agreement" ) constitute the entire agreement between the parties. (See, Complaint (" Compl." ), Doc. No. 9 at ¶ ¶ 16-17; Doc. No. 37-2 (Bankcard Addendum) at § 26.3 (" The Bankcard Addendum, along with the [MSA] . . . and the Operating Procedures, constitutes the entire agreement between the parties with respect to the subject matter" ).
The Agreement obligates Schnucks to indemnify Defendants for " all losses, liabilities, damages and expenses" under certain circumstances, but also limits Schnucks' liability to $500,000, with two exceptions. For noncompliance with an industry-imposed network security framework known as Payment Card Industry Data Security Standards (" PCI DSS" ), the limit is higher ($3,000,000), while for " chargebacks, servicers' fees, third party fees, and fees, fines or penalties" assessed by the Associations, the limit does not apply at all.
In addition, the Agreement authorizes Defendants to establish and fund a reserve account from Schnucks' payment card transactions to offset its indemnity obligations in an amount not to " exceed ... any current and anticipated Association fees or fines." (Bankcard Addendum at § 22.1) Schnucks alleges that following the data breach, " First Data received a preliminary case management report from MasterCard outlining the case management fee and the amount of monitoring/card replacement and fraud loss reimbursement it was assessing against Citicorp." (Compl. at ¶ 28) Based on the amount of MasterCard's assessment, First Data then projected the total amount of Visa's assessment (id. at ¶ 29), and established the reserve account by withholding a percentage each day from the funds it collected for Schnucks from its payment card transactions. (Id. at ¶ ¶ 30-31)
Schnucks further alleges that Defendants have breached the Agreement by wrongfully withholding funds owed to Schnucks in an amount that is substantially more than the liability limitation of $500,000. (Id. at ¶ ¶ 3-4) Schnucks also seeks a declaratory judgment with respect to its maximum liability under the Agreement and the maximum amount Defendants may withhold from it to fund the reserve account. (Id. at ¶ 5)
Defendants assert a counterclaim against Schnucks for declaratory judgment that the limitation of liability in the Agreement " does not apply to: (i) fees charged by MasterCard or Visa to Defendants as a result of a cyber-attack experienced by a merchant including, but not limited to, servicers' fees, third-party fees, fees related to [fraud reimbursement and recovery]; and/or (ii) fees, fines or penalties charged by Visa or MasterCard for a merchant's failure to comply with the Payment Card Industry Data Security (PCIDSS) requirements." (Counterclaim, Doc. No. 20 at ¶ 23)
Each side asserts that the contract language at issue is not ambiguous and can be interpreted in accordance with its plain meaning. See Murr v. Midland National Life Ins. Co., 758 F.3d 1016, 1021 (8th Cir. 2014) (" Under Missouri law, unambiguous contracts are enforced according to their plain language." ). Accordingly, the parties have filed cross-motions for judgment on the pleadings.
In deciding a motion for judgment on the pleadings, the Court "accept[s] all facts pled by the nonmoving party as true and draw[s] all reasonable inferences from the facts in favor of the nonmovant." Unite Here Local 74 v. Pinnacle Entertainment, Inc., 2011 WL 65934, at *2-3 (E.D.Mo. Jan. 10, 2011) (quoting Waldron v. Boeing Co., 388 F.3d 591, 593 (8th Cir. 2004)). This is a strict standard, as "[j]udgment on the pleadings is not properly granted unless the moving party has clearly established that no material issue of fact remains to be resolved and the party is entitled to judgment as a matter of law." Id. (quoting United States v. Any and All Radio Station Transmission Equip., 207 F.3d 458, 462 (8th Cir. 2000)). As summarized in Federal Practice and Procedure:
[A] Rule 12(c) motion is designed to provide a means of disposing of cases when the material facts are not in dispute between the parties and a judgment on the merits can be achieved by focusing on the content of the competing pleadings, exhibits thereto, matters incorporated by reference in the pleadings, whatever is central or integral to the claim for relief or defense, and any facts of which the district court will take judicial notice.
[WL], at *3 (quoting 5C Charles Alan Wright & Arthur Miller, Federal Practice and Procedure § 1367 (3d ed. 2010)).
" In considering a Rule 12(c) motion, the Court may consider the pleadings themselves, materials embraced by the pleadings, exhibits attached to the pleadings, and matters of public record." Nationwide Mut. Ins. Co. v. Harris Medical Associates, LLC, 973 F.Supp.2d 1045, 1051 (E.D. Mo. 2013). Here, the MSA, Bankcard Addendum, and Operating Procedures are all attached to the pleadings.
Arguments of the parties
The focus of the parties' arguments is on section 5.4 of the MSA, which limits Schnucks' liability for " all losses, claims, suits, controversies, breaches, or damages for any cause whatsoever ..." to $500,000, and the exception for " chargebacks, servicers' fees, third party fees, and fees, fines or penalties" assessed by payment card networks. The issue presented by the parties' competing motions is whether the exception for " third party fees" or " fees, fines or penalties" applies to liability for issuer losses. The application of the exception creating a separate $3,000,000 limitation for fines for PCI DSS non-compliance has not been raised by either side. (See Doc. No. 37 at ¶ 22; Doc. No. 38 at 13; Doc. No. 43 at 2 n.1; Doc. No. 44 at 2).
Schnucks argues that the plain and unambiguous language of the Agreement establishes that the exception only applies to fees charged by Defendants or third parties for a service related to processing transactions, and fees or punitive amounts (i.e., fine or penalty) charged by Visa or MasterCard. (Doc. No. 44 at 15-17) As support for its position, Schnucks examines the use of the terms "third party fee" and "fee, fine, or penalty" in the Agreement and incorporated documents.
"Third party fees" is defined in Section 13.3 of the Bankcard Addendum as fees assessed by the credit card Associations against Defendants, including "any switch fee, issuer, [sic] reimbursement fee, adjustment fee, interchange fee, assessment fee or access fee (collectively, "Third Party Fees")." Schnucks notes the definition of "Third Party Fees" does not reference "fraud reimbursement and recovery" or fees charged "as the result of a data breach." (Id. at 15) Nor does the definition mention that it relates to a data compromise event. (Id.) Moreover, the section of the Bankcard Addendum in which the term is defined relates to "fees for Services," indicating that the enumerated "Third Party Fees" are intended to be fees charged by third parties in connection with Defendants' processing services. (Id. at 16) Indeed, Schedule A to the MSA, and Attachments I and II thereto, sets out the types of fees charged by Defendants and third parties for their services; "interchange fee," "access fee," and "assessment fee" are all payments for a service. (Doc. No. 44-1)
In addition, the VIOR refer to an " interchange reimbursement fee" as " a default transfer price between acquirers and issuers within the Visa system" (VIOR at 993-94); define an " access fee" as " [a] fee that is imposed by an ATM Acquirer as part of a Cash Disbursement Transaction, to a Cardholder for use of its ATM" (id. at 1046); refer to an " annual assessment fee" that an acquirer must pay (id. at 782); and refer to " issuer fees." (Id. at 303, 702) (Doc. No. 44 at 16) The MasterCard Rules refer to " issuer reimbursement fees" in the context of excessive chargebacks. (MasterCard Rules at § § 8.3.3, 126.96.36.199, 8.3.4) (Id.; Doc. No. 52 at 7 n.6) Schnucks argues these documents, when read as a whole, clearly establish that " Third Party Fees" refers to fees charged by the Association for a service related to processing transactions and not to reimburse issuer for losses. See Tuttle v. Muenks, 21 S.W.3d 6, 11 (Mo. App. W.D. 2000) (noting that the terms of a written contract must be read in context and as a whole).
Schnucks argues that further support for its position can be found from the fact that neither the GCAR nor ADCR operating regulations refer to reimbursing issuing banks for their losses as a "fee, fine, or penalty." (See, VIOR at 802-806; MasterCard Rules at § 10-1 through 10-29) (Doc. No. 44 at 9-10, 16; Doc. No. 52 at 7) In fact, the regulations do not use the term "fee" at all. Under its GCAR program, Visa may issue a monetary assessment to recover and distribute to affected issuers a portion of their incremental counterfeit fraud losses and operating expenses due to an "account data compromise event." (See VIOR at 802) ("[A]n Issuer in Visa International or Visa Europe may recover a portion of its Incremental Counterfeit Fraud losses and operating expenses resulting from an Account Data Compromise Event involving a compromise of Magnetic-Stripe Data, and PIN data for events that also involve PIN compromise, under the Global Compromised Account Recovery (GCAR) program from an Acquirer(s) to whom liability for such loss has been assigned under the GCAR program."). The GCAR regulations state that these assessments are an assignment of liability for loss to the acquirer for the purpose of reimbursing issuers for their losses.
Similarly, MasterCard may levy a monetary assessment under its ADCR program to reimburse issuing banks for their losses. (See MasterCard Rules at § 10.2.5.3) (" ADC operational reimbursement enables an Issuer to partially recover costs incurred in reissuing Cards and for enhanced monitoring of compromised and/or potentially compromised accounts associated with an ADC Event. ADC fraud recovery enables an Issuer to recover partial incremental magnetic-stripe (POS 90) and/or Hybrid POS Terminal unable to process (POS 80) counterfeit fraud losses associated with an ADC Event. MasterCard determines ADC operational reimbursement and ADC fraud recovery." ) MasterCard may also assess a " case management fee" for the investigation costs and other costs incurred by MasterCard in connection with an account data compromise event. (MasterCard Rules at § 10.2.6; July 11, 2012 MasterCard Account Data Compromise User Guide (hereinafter " MasterCard ADC" ) at § 7.2.5) (Doc. No. 44 at 9-10)
According to Schnucks, the plain language of these regulations, which are expressly incorporated as part of the Agreement, shows that assignment of liability for issuer losses under GCAR and ADCR are calculations of the actual losses and damages incurred by banks that issued cards targeted in the attack - they are not fees of any kind. (Doc. No. 44 at 16; Doc. No. 52 at 6-7)
As for " fees, fines or penalties," because the term is not defined in either the Bankcard Addendum or the Operating Procedures, Schnucks argues the terms must be given their ordinary meanings. See American Family Mut. Ins. Co. v. Van Gerpen, 151 F.3d 886, 887-88 (8th Cir. 1998) (when interpreting the language of a contract, the court gives a term its ordinary meaning, unless it plainly appears that a technical meaning was intended). To determine the ordinary meaning of a term, courts consult standard English language dictionaries. Farmland Indus., Inc. v. Republic Ins. Co., 941 S.W.2d 505, 508 (Mo. 1997). The ordinary meaning of a " fine" or " penalty" is " a sum imposed as punishment." Id. at 511 (citing Webster's Third New International Dictionary 852, 1668 (1961)). A " fee" means " a sum paid or charged for a service." Strader v. Progressive Ins., 230 S.W.3d 621, 625 (Mo.Ct.App. 2007) (citing Merriam Webster's Collegiate Dictionary, 459 (11th ed. 2005); Webster's Third New International Dictionary 833 (1976); Black's Law Dictionary 647 (8th ed. 2004)). Thus, the ordinary meaning of a " fee," " fine," or " penalty" does not encompass liability to reimburse issuers for their losses. (Doc. No. 44 at 17)
First Data and Citicorp
Defendants argue that read as a whole, the plain and unambiguous language of the Agreement establishes that Schnucks is liable for all of the financial responsibility -- without limitation -- associated with the cyber attack and resulting data breach. (Doc. No. 38 at 9) Specifically, Defendants rely on § 4.9 of the Operating Procedures (Doc. No. 37-3), which requires Schnucks to pay Defendants for "all related expenses, claims, assessments, fines, losses, costs and penalties and Issuer reimbursements" imposed by Visa and MasterCard in connection with a data compromise event ("Data Compromise Losses"). In addition, § 10.2 of the Operating Procedures authorizes Defendants to assess against Schnucks "Card Organization fees, charges, fines, penalties ... or other assessments including any fees levied against [Defendants] or any amount for which [Schnucks is] obligated to indemnify [Defendants]." Finally, §§ 13.3, 13.5 and 25 of the Bankcard Addendum establish Schnucks' liability to pay all fees, fines or penalties imposed by Visa and MasterCard against Defendants in connection with a data compromise event. (Doc. No. 38 at 11-12)
Defendants further argue that "Third Party Fees," as defined by the Bankcard Addendum, include both "issuer reimbursement fees" and "assessment fees," and that the term "fees" as used in the exception encompasses "reimbursements and assessments." (Id. at 13-14; Doc. No. 49 at 5) According to Defendants, Schnucks has admitted in its Complaint that virtually all of the actual and anticipated assessments imposed by the Associations are for the reimbursement of losses claimed by issuing banks as a result of the data breach. (Compl. at ¶ 30) ("[A]pproximately 97% of the actual and projected amount of the assessments imposed by [the Associations] was for reimbursement of losses claimed by issuing banks.") Thus, Schnucks is responsible for all Third Party Fees, and Defendants properly funded the reserve account to cover all of these assessments. (Doc. No. 39 at 14-15; Doc. No. 49 at 5)
In addition, Defendants assert that the plain language of the Agreement makes no distinction between "fees, fines and penalties" and issuer losses; the terms "fees," "fines," and "penalties" are used throughout the Agreement to refer to assessments by "Third Parties," i.e., the Associations, related to data compromise events, as well as assessments arising out of specific instances of misfeasance or Schnucks' PCI noncompliance. For instance, § 13.5 of the Bankcard Addendum addresses Schnucks' agreement to pay "any fines, fees, or penalties imposed by an Association" with respect to its negligent acts or omissions, and § 25 addresses Schnucks' responsibility "to maintain compliance with all Association PCI Data Security procedures and regulations, and to pay any and all fines levied by the applicable Association for its non-compliance..." (Doc. No. 49 at 7) Defendants also argue that the inclusion of the words "all fees and charges... without limitation, of [the Associations]" in the definition of "Third Party Fees" (see Bankcard Addendum at § 13.3) lends additional support for their interpretation of "Third Party Fees" to encompass "issuer reimbursements." (Doc. No. 49 at 8-9) According to Defendants, these provisions demonstrate that the Associations' fees arise as assessments imposed on Defendants in connection with Schnucks' PCI non-compliance and resulting data breach. The same is true of "fines" and "penalties" in that issuer reimbursements are assessed by the Associations in a punitive context following a data compromise event. (Id. at 9)
Finally, Defendants point to Visa's use of the terms " fines and penalties" in a " preamble" to the applicable 2011 ADCR program. According to Defendants, Visa used the preamble to characterize its authority to impose all assessments (such as financial responsibility for a data breach) on an acquiring bank based on its merchant's conduct. (Doc. No. 55 at 3-4) This " preamble reference" to " fines and penalties" shows the parties intended that any and all assessments by the Associations in enforcing their rules and regulations, described by the Associations as " fines and penalties," are Schnucks' responsibility without limitation. (Doc. No. 55 at 3-4) Further, Defendants contend that when read in context, the GCAR and ADCR provisions are only operating programs and procedures used by the Associations to calculate the fines and penalties levied against acquiring banks for their merchants' violations of various security rules and do not define the nature of the liability imposed. (Doc. No. 55 at 5-6)
The interpretation of a contract is a question of law. Adbar Co., L.C. v. PCAA Missouri, LLC, 2008 WL 68858 at *4 (E.D.Mo. Jan. 4, 2008). " The cardinal principle" of contract interpretation is " to ascertain the intention of the parties and to give effect to that intent." Monarch Fire Protection District of St. Louis County, Missouri v. Freedom Consulting & Auditing Services, Inc., 644 F.3d 633, 638 (8th Cir. 2011). In interpreting a contract, the Court uses " the plain, ordinary, and usual meaning of the contract's words" and considers the " whole document." Adbar, 2008 WL 68858, at *4 (citing Jackson County v. McClain Enters., 190 S.W.3d 633, 640 (Mo.Ct.App.2006)). See also, Shaw Hofstra & Associates v. Ladco Development, Inc., 673 F.3d 819, 826 (8th Cir. 2012). If a contract is unambiguous, the " intent of the parties will be gathered solely from the terms of the contract." Id. (quoting State ex rel. Vincent v. Schneider, 194 S.W.3d 853, 860 (Mo.2006)). Where, as here, the parties are sophisticated business entities who rely on experts to advise them, the language they have mutually negotiated and agreed to is the best evidence of what they intended. See, e.g., In re SRC Holding Corp., 545 F.3d 661, 668 (8th Cir. 2008); enxco Development Corp. v. Northern States Power Co., 758 F.3d 940, 947 (8th Cir. 2014).
After careful review of the parties' Agreement as a whole, and following the well-established principles of contract interpretation, the Court finds the exception for " third party fees" and " fees, fines and penalties" was not intended to apply to liability for issuer losses assessed by the Associations. This is clear for several reasons.
First, the exception lists specific fees, fines, and penalties that are excluded from the limitation of liability clause, but does not list anything equivalent to issuer losses. The exception makes no reference to the Association rules that create the liability for issuer losses (GCAR or ADCR) or any reference to liability for a data compromise event. Defendants argue that an exclusion to a limitation of liability clause does not have to list each and every source of liability it seeks to exclude in order to be effective. (Doc. No. 49 at 10-11) Whether or not this is true, Defendants' position is undermined by the omission of the term "Data Compromise Losses" (or any equivalent language) from the list of forms of liability excepted from the limitation of liability clause. Defendants were clearly aware of this category of losses and didn't include it. If Defendants had intended for the exception to have the meaning they claim it does, then inserting the term "Data Compromise Losses," which encompasses all forms of liability for a data breach ("all related expenses, claims, assessments, fines, losses, costs and penalties and Issuer reimbursements imposed by the Card Organizations") would have clearly manifested that intent. See New Madrid County Reorganized School Dist. No. 1 v. Continental Cas. Co., 904 F.2d 1236, 1240-41 (8th Cir. 1990) ("If Continental Casualty wanted to exclude this type of liability from its policy it could and should have done so explicitly. Absent an explicit exclusion, we must apply the language as written.").
Second, the plain reading of a "fee" is an amount paid or charged for a service. Strader, 230 S.W.3d at 625. The term "Third Party Fees," as defined in the Bankcard Addendum, refers to fees charged by third parties in connection with Defendants' processing services, such as "interchange fees" and "access fees" (see Doc. No. 44-1), as opposed to liability for actual issuer losses. Defendants argue in conclusory fashion that the term "fees" encompasses both "reimbursements" and "assessments," yet nowhere in the Agreement is the stand-alone term "fee" defined as including "reimbursement" or "assessment" arising out of a data compromise event. Moreover, the term "Data Compromise Losses" as defined in the Operating Procedures makes no reference to fees. Rather, liability under the GCAR and ADCR programs is referred to as "Issuer reimbursements imposed by the Card Organizations against us ..." (Operating Procedures, Doc. No. 37-3 at § 4.9) The term "issuer reimbursement fees" does appear in the MasterCard operating regulations, but solely in the context of an excessive chargeback, not an account data compromise event, and not as an assessment for the purpose of reimbursing issuing banks. (MasterCard Rules at §§ 8.3.3, 188.8.131.52, 8.3.4.)
Third, the ordinary meaning of the terms "fines" and "penalties" is a sum imposed as punishment. See Farmland Indus., 941 S.W.2d at 511. Defendants contend that issuer reimbursements are assessed by the Associations in a punitive context following a data compromise event. However, the two provisions of the Bankcard Addendum Defendants rely on in support of their contention are unrelated to a data compromise event; § 13.5 is a general indemnity obligation arising from Schnucks' "negligent acts or omissions," and § 25 relates to an obligation to pay a fine for PCI DSS non-compliance, which can occur even in the absence of a data compromise event. Furthermore, Defendants do not allege that Schnucks was either negligent or PCI DSS non-compliant.
If the Court were to adopt Defendants' interpretation that the terms " Third Party Fees" and " fees, fines or penalties" apply to liability for issuer losses, then Schnucks would be responsible for all of the financial liability imposed on Defendants by the Associations relating to the cyber attack and data breach, and, for that matter, any loss of any kind. As a result, the limitation of liability would have no meaning. The Court rejects such an interpretation. The parties are sophisticated businesses who clearly had a purpose for including the limitation of liability exception in the Agreement. In re SRC, 545 F.3d at 668. A well established rule of contract interpretation is that an " interpretation which gives a reasonable, lawful, and effective meaning to all terms is preferred to an interpretation which leaves a part unreasonable, unlawful, or of no effect." DeJong v. Sioux Center, Iowa, 168 F.3d 1115, 1120 (8th Cir. 1999) (internal quotation omitted). See also Schoemehl v. Renaissance Elec. Co., Inc., 334 F.App'x 772, 2009 WL 1587285, at *2 (8th Cir. 2009) (quoting Beister v. John Hancock Mut. Life Ins. Co., 356 F.2d 634, 641 (8th Cir. 1966)).
For the foregoing reasons, the Court finds and concludes that Schnucks' obligation to indemnify Defendants for liability for losses incurred by issuing banks is limited to $500,000.00. The Court will, therefore, deny Defendants' motion for judgment on the pleadings, grant Schnucks's partial cross-motion for judgment on the pleadings, and enter a declaratory judgment that Schnucks' maximum liability under the terms of the Agreement for issuing bank losses assigned by the Associations for monitoring/card replacement and counterfeit fraud losses as a result of the data security breach is $500,000.00 and that Defendants must return to Schnucks any funds held in excess of that amount plus the Visa fine and MasterCard case management fee.
IT IS HEREBY ORDERED that Defendants First Data Merchant Services Corporation and Citicorp Payment Services, Inc.'s Motion for Judgment on the Pleadings is DENIED. Judgment on Defendants' Counterclaim is entered in favor of Plaintiff Schnuck Markets, Inc. and against Defendants First Data Merchant Services Corporation and Citicorp Payment Services, Inc.
IT IS FURTHER ORDERED that Plaintiff Schnuck Markets, Inc.'s partial Cross-Motion for Judgment on the Pleadings is GRANTED as follows:
Judgment on Count II (Declaratory Judgment) of Plaintiff's complaint is entered in favor of Plaintiff Schnuck Markets, Inc. and against Defendants First Data Merchant Services Corporation and Citicorp Payment Services, Inc. in accordance with this Memorandum and Order.
IT IS FINALLY ORDERED that this matter is set for a telephone conference with counsel on Thursday, January 22, 2015 at 2:00 p.m. to discuss scheduling regarding all remaining issues.