Merchant’s liability capped under Master Services Agreement
Posted on 03/21/2016 at 12:00 AM by John Lande
Banks are increasingly bearing costs associated with data breaches by merchants. There are costs associated with reimbursing consumers, monitoring accounts, and reissuing cards. In addition, Visa and MasterCard charge fines and fees anytime a data breach occurs.
In Schnuck Markets v. First Data Merchant Data Services, a grocery chain located in Missouri was the victim of a cyber-attack that resulted in the loss of consumer debit and credit card information. Schnuck Markets had unlimited liability under the Master Services Agreement (“MSA”) with the bank that processed credit card transactions (“acquiring bank”) for the costs and fines assessed by Visa and MasterCard. Under the terms the MSA, the acquiring bank began to withhold funds to pay the fines assessed by Visa and MasterCard. However, the acquiring bank also withheld fees assessed by issuing banks that were passed through to the acquiring bank by Visa and MasterCard.
Under the MSA, Schnuck Markets had unlimited liability for Visa and MasterCard fines and a $500,000 liability limit for all other damages. Schnuck Markets claimed that the MSA did not provide unlimited liability for costs from issuing banks that had to reimburse customers and reissue cards. Rather, Schnuck Markets asserted the language of the MSA capped liability for issuing bank charges at $500,000. The acquiring bank disputed Schnuck Markets’ position.
The court concluded that the MSA limited Schnuck Markets’ liability to $500,000 for costs passed through from issuing banks. The Court explained that the MSA did not contain specific language that made clear that the merchant had unlimited liability for issuing bank losses, so the acquiring bank would be liable for those costs once Schnuck Markets’ $500,000 liability limit was reached.
The court’s decision does not disclose the total costs that resulted from the data breach. However, we can probably assume that the acquiring bank had costs well in excess of $500,000 from issuing banks that had to reimburse consumers. Once the Schnuck Markets liability cap was reached, the acquiring bank would be responsible for bearing those costs unless it could turn to an insurance or bond carrier.
This case is a good example of the risks faced by banks that handle credit and debit card processing for merchants. Banks would do well to review their service agreements to determine the extent of their liability in the event of a data breach at the merchant.
The material in this blog is not intended, nor should it be construed or relied upon, as legal advice. Please consult with an attorney if specific legal information is needed.
Categories: Cybersecurity Law, John Lande, Banking Law
Questions, Contact us today.
The material, whether written or oral (including videos) that is posted on the various blogs of Dickinson Law is not intended, nor should it be construed or relied upon, as legal advice. The opinions expressed in the various blog posting are those of the individual author, they may not reflect the opinions of the firm. Your use of the Dickinson Law blog postings does NOT create an attorney-client relationship between you and Dickinson, Mackaman, Tyler & Hagen, P.C. or any of its attorneys. If specific legal information is needed, please retain and consult with an attorney of your own selection.