Merchant’s liability capped under Master Services Agreement

(Before It's News)

Banks are increasingly bearing costs associated with data breaches by merchants. There are costs associated with reimbursing consumers, monitoring accounts, and reissuing cards. In addition, Visa and MasterCard charge fines and fees anytime a data breach occurs.

In Schnuck Markets v. First Data Merchant Data Services, a grocery chain located in Missouri was the victim of a cyber-attack that resulted in the loss of consumer debit and credit card information.  Schnuck Markets had unlimited liability under the Master Services Agreement (“MSA”) with the bank that processed credit card transactions (“acquiring bank”) for the costs and fines assessed by Visa and MasterCard.  Under the terms the MSA, the acquiring bank began to withhold funds to pay the fines assessed by Visa and MasterCard. However, the acquiring bank also withheld fees assessed by issuing banks that were passed through to the acquiring bank by Visa and MasterCard.

Under the MSA, Schnuck Markets had unlimited liability for Visa and MasterCard fines and a $500,000 liability limit for all other damages. Schnuck Markets claimed that the MSA did not provide unlimited liability for costs from issuing banks that had to reimburse customers and reissue cards. Rather, Schnuck Markets asserted the language of the MSA capped liability for issuing bank charges at $500,000. The acquiring bank disputed Schnuck Markets’ position.

The court concluded that the MSA limited Schnuck Markets’ liability to $500,000 for costs passed through from issuing banks. The Court explained that the MSA did not contain specific language that made clear that the merchant had unlimited liability for issuing bank losses, so the acquiring bank would be liable for those costs once Schnuck Markets’ $500,000 liability limit was reached.

The court’s decision does not disclose the total costs that resulted from the data breach. However, we can probably assume that the acquiring bank had costs well in excess of $500,000 from issuing banks that had to reimburse consumers. Once the Schnuck Markets liability cap was reached, the acquiring bank would be responsible for bearing those costs unless it could turn to an insurance or bond carrier.

This case is a good example of the risks faced by banks that handle credit and debit card processing for merchants. Banks would do well to review their service agreements to determine the extent of their liability in the event of a data breach at the merchant.

The material in this blog is not intended, nor should it be construed or relied upon, as legal advice. Please consult with an attorney if specific legal information is needed.

• De Facto versus De Jure – Judge Anna von Reitz
• Answer to Anyone Who Thinks I am Not a Judge —– Judge Anna Von Reitz
• Sharing responsibility: Court makes it harder for banks to sue companies responsible for data breach
• Not so friendly ghosts: Email ghosting represents threat to organizations
• The Down and Dirty for Thomas Deegan, Ammon Bundy, and Everyone Else Facing Prosecution by the Vermin Pretending to Serve and Defend America —by Judge Anna von Reitz
• Dwolla, Inc.: No data security breach, expanded CFPB reach
• FBI Formally Confirms Investigation of Hillary Clinton’s email Server
• The Top Three Reasons to Hire a Personal Injury Attorney
• UNIVERSITY AT ALBANY SEEKS POUND OF FLESH AND DISREGARDS THE RIGHTS OF THREE AFRICAN-AMERICAN FEMALE STUDENTS
• Ben Fulford Update, Oregon Standoff, Pete Santilli,