Outsourcing of basic business functions is increasingly popular. While businesses would once perform data management in-house and rely on their on-site server infrastructure to store data, businesses today are frequently turning to cloud storage providers and other third-parties to hold and manage data. These third party vendors are frequently charged with holding sensitive personal information, such as protected health information, social security numbers, and payment card information, supplied to them by their customers.
In a breach involving multiple entities in the data-supply chain, companies rely on their contracts to avoid liability—regardless of whether the breach originated with the consumer-facing company, a third party processor, a third party cloud storage provider, or another entity. Yet, in some cases, indemnity clauses inside the vendor agreements aren’t as comprehensive as believed at the time they were negotiated. A recent opinion from the Sixth Circuit, on appeal from the U.S. District Court for the Western District of Tennessee, Spec’s Family Partners Ltd. v. First Data Merchant Services, LLC, highlights the importance of indemnity agreements and consequential damage waivers in the data breach context.[1]
Spec’s Family Partners, Ltd. (“Spec’s”) operates a chain of liquor stores that allow customers to purchase goods using payment cards backed by payment networks like MasterCard and Visa. These payment networks contract with issuing banks, which issue payment cards to consumers, and acquiring banks, which sponsor merchants in the system and process the transactions. Intermediary companies like First Data Merchant Services, LLC (“First Data”) frequently contract with acquiring banks to facilitate transaction processing from merchants.
In 2012 and 2013, Spec’s payment card network was compromised; the attackers installed malware and accessed customer payment data. After the issuing banks reimbursed the affected consumers for the fraudulent charges and replaced cards, Visa and MasterCard issued assessments on the acquiring bank, Citicorp Payment Services, Inc. (“Citicorp”). Citicorp then demanded payment from First Data, which then sought reimbursement from Spec’s. Spec’s refused to pay, relying on the consequential damages waiver in its Merchant Agreement with First Data (“MSA”). In response, First Data began withholding the proceeds of routine payment card transactions from Spec’s, placing them in a reserve account. At the time suit was filed, First Data had withheld approximately $2.2 million, and the total would ultimately reach $6.2 million.
The district court sided with Spec’s, holding that card brand assessments constituted consequential damages (and not “third-party fees and charges”), recovery for which was waived under the MSA. The district court later granted summary judgment in favor of Spec’s, holding that First Data materially breached the MSA when it held funds to reimburse itself for the breach assessments. First Data appealed the grant of summary judgment, and the Sixth Circuit undertook a de novo review of both the contract interpretation and summary judgment decision.[2]
On appeal, First Data claimed that the contract’s indemnification clause assigns responsibility to Spec’s as it stated that Spec’s must indemnify First Data, Visa, and MasterCard, and hold them harmless from and against:
any and all claims, demands, losses, costs, liabilities, damages, judgments, or expenses arising out of or relating to (i) any material breach by [Spec’s] of its representations, warranties or agreements under this Agreement; [or] (ii) any act or omission by [Spec’s] that violates . . . any operating rules or regulations of Visa or MasterCard . . .
Investigation of the data incidents revealed that Spec’s had failed to comply with the Payment Card Industry Data Security Standard[3] (“PCI DSS”) prior to the attacks, which had left it vulnerable to breaches. First Data argued that Spec’s failure to comply plus this contractual clause obligate Spec’s for the third party assessments. However, the MSA also contained the following limitation of liability:
IN NO EVENT SHALL EITHER PARTY’S LIABILITY OF ANY KIND TO THE OTHER HEREUNDER INCLUDE ANY SPECIAL, INDIRECT, INCIDENTAL, OR CONSEQUENTIAL LOSSES OR DAMAGES, EVEN IF SUCH PARTY SHALL HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH POTENTIAL LOSS OR DAMAGE.
The ultimate question before the Sixth Circuit was whether the card brand assessments passed on by First Data constituted “consequential damages.” Applying classic constructs of contract interpretation, the Sixth Circuit observed that Tennessee law defines consequential damages (or “special damages”) to be damages that “are the natural consequences of the act complained of, though not the necessary results.”). The Sixth Circuit found the data breaches, which resulted in assessments were a natural result of Spec’s PCI DSS non-compliance, but did not necessarily follow from that non-compliance. Citing Spec’s argument, the Sixth Circuit observed that a non-compliant merchant might never suffer a data breach: “Though certainly a foreseeable consequence of a weak data security, the issuance of assessments nevertheless constitutes consequential damages because it did not necessarily follow from Spec’s Family’s non-compliance.”[4] Therefore, the Sixth Circuit confirmed that First Data retained liability for the assessments under the MSA and, consequently, that First Data materially breached the MSA by withholding payment to Spec’s.
First Data countered before the district court and on appeal that Spec’s first breached through its PCI non-compliance. The courts were not persuaded by this argument because, after the first breach in 2012, Spec’s began focusing becoming more PCI compliant.[5] Spec’s hired a PCI consultant, and Spec’s paid a $10,000 non-compliance fine levied by Visa without contest.[6] After the 2012 breach, First Data and Spec’s continued to perform under the MSA, so the district court—and subsequently the Sixth Circuit—determined that the PCI non-compliance could be considered cured and/or did not rise to the level of a breach “vital to the existence of the contract.”
This case highlights the importance of indemnity clauses and consequential damage waivers in data vendor contracts. While a company may be successful in negotiating a favorable indemnity agreement, that indemnity can be undercut by a general consequential damages waiver. Particularly in data breach claims as seen in Spec’s Family Partners, that waiver of consequential damages can result in millions of dollars in liability. Rather than generic waivers and indemnification clauses, parties negotiating contracts that will require sensitive data sharing may want to consider carve-outs specific to data breaches or cyber liability. Parties may also consider breaking out the limitations into categories, based upon the type, cause, or amount of the damages. The parties may also look to cyber insurance to provide coverage. None of these approaches are mutually exclusive nor comprehensive, and parties should discuss all of these with concepts with data counsel when negotiating vendor contracts.
*******************************************************
[1] Case No. 17-5884/5950 (Before J. Batchelder, J. Cook, and J. Kethledge) (available at http://www.opn.ca6.uscourts.gov/opinions.pdf/19a0294n-06.pdf).
[2] Spec’s also appealed the district court’s reduction of prejudgment interest from Tennessee’s standard 6.25% to 1.79% under federal law. The Sixth Circuit ultimately affirmed the 1.79% interest rate.
[3] The PCI DSS is a security standard for organizations that handle branded credit cards from major credit card providers (i.e., Visa, MasterCard, Discover Financial Services, American Express, and JCB International)
[4] The Sixth Circuit noted that their interpretation was consistent with the “only other federal appeals court” to address this precise issue—the Eighth Circuit in Schnuck Markets, Inc. v. First Data Mech. Servs. Corp., 852 F.3d 732 (8th Cir. 2017).
[5] See Spec’s Family Partners Ltd. v. First Data Merch. Serv. Corp., 2017 WL 4547168 (W.D. Tenn. Jul. 7, 2017).
[6] Id. at 8.