Searching over 5,500,000 cases.


searching
Buy This Entire Record For $7.95

Download the entire decision to receive the complete text, official citation,
docket number, dissents and concurrences, and footnotes for this case.

Learn more about what you receive with purchase of this case.

Schnuck Markets, Inc. v. First Data Merchant Data Services Corporation

United States District Court, E.D. Missouri, Eastern Division

July 31, 2015

SCHNUCK MARKETS, INC., Plaintiff,
v.
FIRST DATA MERCHANT DATA SERVICES CORPORATION and CITICORP PAYMENT SERVICES, INC., Defendants.

MEMORANDUM AND ORDER

JOHN A. ROSS, District Judge.

This matter is before the Court on Defendants' Motion for Partial Reconsideration of the Court's January 15, 2015 Order granting Plaintiff's partial cross-motion for judgment on the pleadings, filed pursuant to Fed.R.Civ.P. 54(b). (Doc. No. 84) Alternatively, Defendants move for leave to amend their pleadings pursuant to Fed.R.Civ.P. 15(a)(2). The motion is fully briefed and ready for disposition.[1]

Background

The background of this case is set out in detail in the Court's January 15, 2015 Order. (Doc. No. 69 at 1-4) Briefly, the parties' dispute arises from a cyber attack and data breach of Schnucks' payment and card processing systems in late 2012 through early 2013. The parties' relationship is governed by a Master Services Agreement ("MSA") between Schnucks and First Data, a Bankcard Addendum to Master Services Agreement ("Bankcard Addendum") between Schnucks, First Data, and Citicorp, and First Data's Program Terms and Conditions ("Operating Procedures") (collectively referred to as "the Agreement"). The Agreement obligates Schnucks to indemnify Defendants for "all losses, liabilities, damages and expenses" under certain circumstances, but also limits Schnucks' liability to $500, 000, with two exceptions. For noncompliance with an industry-imposed network security framework known as Payment Card Industry Data Security Standards ("PCI DSS"), the limit is higher ($3, 000, 000), while for "chargebacks, servicers' fees, third party fees, and fees, fines or penalties" assessed by Visa and MasterCard ("the Associations"), the limit does not apply at all.[2] The Agreement authorizes Defendants to establish and fund a reserve account from Schnucks' payment card transactions to offset its indemnity obligations in an amount not to exceed current and anticipated Association fees or fines.

Schnucks alleged Defendants breached the Agreement by wrongfully withholding funds owed to Schnucks in an amount that was substantially more than the liability limitation of $500, 000. Schnucks also sought a declaration that its obligation to indemnify Defendants for losses incurred by issuing banks was limited to $500, 000 under the terms of the parties' Agreement and that Defendants must return to Schnucks the amount of Schnucks' funds placed in a Reserve Account that exceeded the amount of the Visa fine and MasterCard case management fee. Defendants asserted a counterclaim against Schnucks for a declaration that the limitation of liability in the Agreement did not apply to: (i) fees charged by MasterCard or Visa to Defendants including, but not limited to, servicers' fees, third-party fees, fees related to fraud reimbursement and recovery, and/or (ii) fees, fines or penalties charged by Visa or MasterCard for failure to comply with the PCI DSS requirements.

Both sides asserted the contract language was unambiguous. Neither side undertook any discovery and proceeded on cross-motions for judgment on the pleadings. The issue presented by the parties' competing motions was whether the exception for "third party fees" or "fees, fines or penalties" applied to liability for issuer losses. The Court denied Defendants' motion and granted Schnucks' motion, ruling that Schnucks' maximum liability under the terms of the Agreement for issuing bank losses assigned by the Associations for monitoring and/or card replacement and counterfeit fraud losses as a result of the data security breach was $500, 000.00, and that Defendants must return to Schnucks any funds held in excess of that amount plus the Visa fine and MasterCard case management fee.

Defendants make three arguments in favor of reconsideration. First, Defendants argue the Court misapplied the standard for ruling on a motion for judgment on the pleadings by failing to accept as true their allegations of Schnucks' negligence and PCI DSS non-compliance and draw all reasonable inferences from the pleadings in their favor. As a result, the Court failed to consider the circumstances in which the $3 million limitation of liability applied. (Doc. No. 85 at 4-6) Second, Defendants assert the Court considered documents outside the pleadings, namely the Association Rules, thereby converting Schnucks' motion into a motion for summary judgment without permitting Defendants to present competing evidence. (Id. at 6-10) Third, Defendants argue these errors led to a commercially unreasonable result, i.e., making Defendants an insurer for Schnucks' data breaches. (Id. at 10-14)

Legal standard

Under Rule 54(b), the Court may amend or reconsider any ruling to correct any "clearly or manifestly erroneous findings of facts or conclusions of law." Prosser v. Nagaldinne, 2013 WL 308770 at *1 (E.D.Mo. Jan. 25, 2013) (quoting Jones v. Casey's Gen. Stores, 551 F.Supp.2d 848, 854 (S.D.Iowa 2008)). A motion to reconsider under Rule 54(b) cannot be used to identify facts or legal arguments which could have been, but were not, raised in the original motion. Id.

Discussion

Defendants first argue the Court overlooked their explicit allegations concerning Schnucks' negligence in connection with the data breach, as well as allegations within the pleadings concerning Schnucks' PCI DSS noncompliance. According to Defendants, if the Court had applied the proper Rule 12 (c) standard, [3] it would have had to decide whether Schnucks' negligence and PCI DSS noncompliance, both of which constitute breaches of § 25 of the Bankcard Addendum (Data Security), rendered the $3 million, rather than the $500, 000, limitation of liability provision applicable to Defendants' assessment against Schnucks through the Reserve Account. Although Defendants now point to their ninth and tenth affirmative defenses wherein they raised Schnucks' negligence and its own actions or inactions as the cause of their damages, neither side addressed this in their prior briefing. Even accepting Defendants' allegations of negligence or non-compliance resulting in fines as true, their argument fails.

Section 25 (Data Security) of the Bankcard Addendum authorizes the Associations to impose "restrictions, fines, or prohibit CUSTOMER [Schnucks] from participating in Association programs if it is determined CUSTOMER is non-compliant with such programs." The $3 million limitation of liability provision applies as a limit to those fines imposed by the Associations for PCI DSS non-compliance. The parties acknowledged that virtually all of the actual and projected assessments ("approximately 97%") imposed by the Associations were for reimbursement of losses claimed by issuing banks.[4] The Court rejected Defendants' argument that "Third Party Fees, " as defined in the Bankcard Addendum, includes both "issuer reimbursement fees" and "assessment fees, " and that "fees" as used in the exception encompasses "reimbursements and assessments." In so doing, the Court found the exception for "Third Party Fees" and "fees, fines and penalties" was not intended to apply to liability for issuer losses assessed by the Association. Thus, this exception does not apply to liability to reimburse issuers for their losses. Defendants' counterclaim and Rule 12(c) briefs never asserted that the $3 million limitation applied to liability for issuer losses.

Because assessments for the purpose of reimbursing issuing banks are not fines for noncompliance with § 25 of the Bankcard Addendum, the $3 million exception would only apply if the remaining 3% was a "fine" or "fee." The general allegation in the affirmative defenses of Schnucks' negligence is conclusory and certainly insufficient to even suggest a fine or fee for PCI DSS noncompliance. Neither side addressed the remainder of the assessments imposed by the Associations in the earlier arguments and pleadings and the Court will not do so at this juncture.

Next, Defendants assert the Court erred in considering and relying on the Association Rules, which they now contend were neither part of the pleadings nor the Agreement. The Court finds no basis for finding it improperly considered the Association Rules in light of the information presented to the Court on the parties' motions for judgment on the pleadings. The parties agreed the MSA, Bankcard Addendum, and Operating Procedures, all attached to the pleadings, constitute the entire agreement between the parties. The Operating Procedures are essentially a summary of common Association Rules paired with a ...


Buy This Entire Record For $7.95

Download the entire decision to receive the complete text, official citation,
docket number, dissents and concurrences, and footnotes for this case.

Learn more about what you receive with purchase of this case.