Judge Denies Bid by Citi, First Data to Reconsider Liability Cap in Data Breach Case
A federal judge in Missouri declined to reconsider arguments from Citicorp Payment Services Inc. and First Data Merchant Data Services Corp. that a $500,000 cap on liability should not apply in a dispute with grocery chain Schnuck Markets Inc. relating to a 2013 data breach.
The dispute followed a cyberattack on Schnuck that compromised the debit and credit card information of the grocery chain’s customers. Schnuck, Citicorp and First Data were parties to a tri-party processing agreement in which Citicorp acted as Schnuck’s acquiring bank and First Data acted as Schnuck’s payment processor. During the initial suit, Citicorp and First Data sought payment from Schnuck for amounts required to be reimbursed to card issuers affected by the data breach in accordance under payment network rules. The trial court found, however, that Citicorp and First Data failed to properly exclude these reimbursements from the tri-party agreement’s $500,000 cap on liability, and Citicorp and First Data were thus obligated to pay the reimbursement amounts over this threshold, as well as any applicable payment network fines and fees.
The tri-party agreement also included a requirement for Schnuck to indemnify Citicorp and First Data for noncompliance with PCI-DSS, subject to a $3 million cap on liability, and for fees, fines and penalties imposed by payment networks subject to no cap on liability. In their motion for reconsideration, Citicorp and First Data argued that Schnuck had been negligent and failed to be noncompliant with PCI-DSS, thus its losses should have been subject to the higher cap of $3 million. The judge refused to consider this argument and held that Citicorp and First Data could not use a motion for reconsideration to go back and make better arguments that Schnuck’s losses should be subject to the higher liability cap.