Merchant Tries to Do Endrun Around Its Data Breach Obligation

Credit unions receive a potential gift from the courts to hold merchants responsible for data breach costs.


I would love to see federal law impose direct liability on merchants for the costs associated with data breaches that compromise credit and debit cards. After all, there is not only the direct cost of reissuing the cards but the reputational cost of being associated with a data breach for which you are not responsible.

But in the absence of my dream legislation, at least the card networks have the ability to indirectly shift costs to negligent merchants if they choose to do so. Now, however, the merchants are trying to get out of this obligation as well. Fortunately, in an extremely important ruling, [Paymentech v. Landry's, Docket No. 21-20447 (5th Cir. Aug 24, 2021), Court Docket] the Court of Appeals for the 5th Circuit ruled in a decision filed on Thursday that merchants can be made responsible for reimbursing financial institutions for costs related to data breaches.

First, a quick refresher. A payment network is a giant set of overlapping contractual obligations. The two most important relationships are the contract between the card-issuing financial institution and the card network, and the contract between an acquirer bank and the card network. An acquirer or merchant bank contracts with a merchant to facilitate card payments. By agreeing to network rules, acquirers are responsible for ensuring that the merchants for whom they work comply with the Payment Card Industry Data Security Standard (PCI DSS). The network rules also decide when a breach of network rules has been committed and whether or not the breaching party should be assessed a penalty for a violation. The card networks don’t directly contract with merchants; instead, merchants are connected to the network through the contract they sign with their acquirer.

Landry’s is a billion-dollar company that runs casinos and restaurants throughout the nation. For several months starting in 2014, it was victimized by hackers who were able to compromise an estimated 180,000 credit cards. Following the breach, Mandiant was retained to investigate and it determined, among other things, that Landry’s did not comply with PCI standards. For example, it did not require two-factor authentication to guard against intruders breaking into its systems. Paymentech, a subsidiary of JP Morgan Chase, was Landry’s acquirer and was responsible for ensuring that the merchant complied with PCI standards. Based on Mandiant’s findings, Visa and MasterCard fined Chase a combined $20 million.

JP Morgan Chase made its merchants agree to the following clause in return for processing their payments: “You [Landry’s] understand that your failure to comply with the Payment Brand Rules, including the Security Guidelines, or the compromise of any Payment Instrument Information, may result in assessments, fines, and/or penalties by the Payment Brands, and you agree to indemnify and reimburse us [Chase] immediately for any such assessment, fine, or penalty imposed on [Chase].”

The language seems clear enough, but Landry’s has resisted paying up. Instead, it has advanced a series of arguments which, had they been accepted by the courts, would have gutted much of the existing cost shifting framework and made it even more difficult to hold merchants responsible.

Generally speaking, indemnification clauses don’t apply if a party seeks reimbursement for a payment it didn’t have to make. Landry’s argued that Visa and MasterCard didn’t have the right to compel the bank to pay the $20 million in the first place. It argued that since the network contracts gave Visa and MasterCard discretion regarding whether or not to impose an assessment, a fair reading of the contract gave the bank the discretion to not pay the assessment.

Fortunately, the court rejected this argument. Although Visa and MasterCard have discretion as to whether to impose an assessment, they have no discretion with regard to promptly disbursing that money to impacted issuers in order to compensate them for costs related to a breach. Second, the merchant argued that it could not be found liable for violating PCI standards based entirely on the Mandiant investigation. In rejecting this argument, the court looked no further than the indemnification clause, which it interpreted as making Landry’s responsible based on any finding of a PCI violation by the network. Whether or not Landry’s agreed with this finding was irrelevant.

So where does all this leave us? The answer: In slightly better shape than we were before this litigation. We have a court decision essentially codifying the right of issuing banks to receive compensation, at least in some circumstances. We also know that merchants can continue to be indirectly responsible when they fail to comply with PCI standards. But as you walk around Washington, D.C., you may want to point out how dangerous it is that an already limited merchant obligation to guard against data breaches largely depends on a well-drafted contract as opposed to a clearly written statute.

Henry Meier, Esq.

Henry Meier is the former General Counsel of the New York Credit Union Association, where he authored the popular New York State of Mind blog. He now provides legal advice to credit unions on a broad range of legal, regulatory and legislative issues. He can be reached at (518) 223-5126 or via email at henrymeieresq@outlook.com.