Searching over 5,500,000 cases.

Buy This Entire Record For $7.95

Download the entire decision to receive the complete text, official citation,
docket number, dissents and concurrences, and footnotes for this case.

Learn more about what you receive with purchase of this case.

Schnuck Markets, Inc. v. First Data Merchant Services Corp.

United States Court of Appeals, Eighth Circuit

January 13, 2017

Schnuck Markets, Inc. Plaintiff- Appellee
First Data Merchant Services Corp.; Citicorp Payment Services, Inc. Defendants-Appellants

          Submitted: September 21, 2016

         Appeal from United States District Court for the Eastern District of Missouri - St. Louis

          Before WOLLMAN, ARNOLD, and KELLY, Circuit Judges.

          WOLLMAN, Circuit Judge.

         Grocery store chain Schnuck Markets, Inc. (Schnucks) sued its credit card processor, First Data Merchant Services Corporation (First Data), and the acquiring bank for its credit transactions, Citicorp Payment Services, Inc. (Citicorp). Schnucks alleges that First Data and Citicorp (collectively, Defendants) withheld more money from Schnucks following a data breach at Schnucks than their contract allowed. Schnucks brought declaratory judgment and breach of contract claims, and Defendants brought a declaratory judgment counterclaim. Both parties moved for judgment on the pleadings. Defendants appeal from the district court's[1] order denying their motion for judgment on the pleadings and granting Schnucks's motion for judgment on the pleadings. Defendants also appeal from the district court's order denying their motion for reconsideration, or in the alternative for leave to amend their pleadings. We affirm.


         First Data served as Schnucks's credit card processor. Citicorp served as its acquiring bank. When a merchant such as Schnucks makes a credit card transaction, the acquiring bank pays the merchant and is reimbursed by the bank that issued the credit card (the issuing bank). The acquiring bank sponsors the merchant into credit card association networks, in this case Visa and MasterCard (the Associations), and vouches for the merchant's compliance with the Associations' rules. The Associations' rules provide that the Associations may issue fines against the acquiring bank in the event of a cardholder data breach and assess against the acquiring bank the costs of monitoring or cancelling at-risk cards and the amount of fraudulent charges on the at-risk cards.

         The contract between the parties consists of a Master Services Agreement (MSA) between Schnucks and First Data and a Bankcard Addendum executed by Schnucks, First Data, and Citicorp. The Bankcard Addendum incorporates First Data's Operating Procedures, and the Bankcard Addendum and First Data's Operating Procedures incorporate the rules and regulations of the Associations.[2] The contract imposes upon Schnucks a broad duty to indemnify Defendants for Schnucks's breach of contract. Under § 4.9 of First Data's Operating Procedures, a determination by the Associations that Schnucks is responsible for a data breach requires Schnucks to pay Defendants for "Data Compromise Losses, " defined as "all related expenses, claims, assessments, fines, losses, costs, and penalties and Issuer reimbursements" that the Associations impose on Defendants.

         Under § 5.4 of the MSA, however, Schnucks's liability is limited to $500, 000, with certain exceptions:

Limitation of Liability. Notwithstanding anything in this MSA and any addenda to the contrary, Customer [Schnucks], FDMS [First Data] and its affiliates' cumulative liability . . . for all losses, claims, suits, controversies, breaches, or damages for any cause whatsoever (including, but not limited to, those arising out of or related to this MSA and any addenda) and regardless of the form of action or legal theory shall not exceed $500, 000. Notwithstanding the foregoing, [Schnucks], [First Data] and its affiliates' cumulative liability for its breach under Section 25 (Data Security) shall not exceed $3, 000, 000. . . . This Section 5.4 limitation of liability shall not apply to [Schnucks's] liability for chargebacks, servicers' fees, third party fees, and fees, fines or penalities [sic] by the Association or any other card or debit card provided under this MSA or any addenda.

Section 13.3 of the Bankcard Addendum defines "third party fees" as "all fees and charges . . . without limitation, of any Credit Card Association, Network, card-issuing organization, telecommunications provider, federal, state, or local governmental authority (each a 'Third Party') including, without limitation any switch fee, issuer[] reimbursement fee, adjustment fee, interchange fee, assessment fee or access fee[] (collectively, [']Third Party Fees')." The contract also permits Defendants to retain in a reserve account funds that Schnucks owes them.

         In March 2013, a cyber-attack against Schnucks compromised cardholder data. MasterCard assessed a case-management fee against Citicorp, as well as costs to reimburse issuing banks for card monitoring and replacement and for fraudulent charges. Citicorp projected the total amount of Visa's assessment based on MasterCard's assessment. Based on these assessments and projections, First Data established a reserve account, and Defendants have withheld more than $500, 000 from Schnucks's credit transactions.

         Schnucks's breach of contract and declaratory judgment action alleges that the limitation of liability provision establishes a $500, 000 cap on its liability for the assessments against Citicorp. Defendants' counterclaim seeks a declaration that the limitation of liability provision does not apply to fees charged by the Associations as a result of a cyber-attack, or fees, fines, or penalties charged by the Associations for a merchant's non-compliance with Payment Card Industry Data Security Standards. Defendants moved for judgment on the pleadings. Schnucks filed a cross-motion for partial judgment on the pleadings, seeking judgment on Schnucks's and Defendants' declaratory judgment claims but not on Schnucks's breach of contract claim.

         The district court granted Schnucks's motion and denied Defendants' motion, holding that the assessments for issuing banks' losses were not "third party fees" or "fees, fines or penalties, " and thus did not fall within the exception to limitation of liability set forth in the last sentence of § 5.4 of the MSA. The court reasoned that Defendants would have used the term "Data Compromise Losses" (or similar language) in § 5.4 had they intended to exclude these losses from the limitation of liability. The court explained that the plain meaning of the term "fee" is a payment for a service, not reimbursement for another's losses; furthermore, the court noted that the portions of the contract concerning fees do not mention reimbursement for data compromise events and that the portions concerning data compromise events do not refer to fees. The court ruled that the terms "fine" and "penalty" describe sums imposed as a punishment and do not include within their purview ...

Buy This Entire Record For $7.95

Download the entire decision to receive the complete text, official citation,
docket number, dissents and concurrences, and footnotes for this case.

Learn more about what you receive with purchase of this case.