Thursday, August 22nd, 2019
The widespread notion among industry merchant acquirers and the businesses they serve is that the merchant takes liability for any fines that result from a retail website’s data breach. However, this may not be the case after a recent ruling by a federal appellate court that saw First Data Corp take liability.
Spec’s Family Partners Ltd, a Texas-based liquor store chain, suffered a malware attack on its network in 2012 and 2013. The breach compromised over half a million (550,000) consumer cards, per the court filings.
The liquor store, Spec’s Ltd, then went to a U.S. District Court in Memphis, Tennessee, to sue its acquirer, First Data’s merchant services segment. The district court ruled in favor of the merchant, but the acquirer went to an appellate court. After months of hearings, a three-judge panel of the Cincinnati-based Sixth U.S. Circuit Court of Appeals found First Data Corp accountable on June 7 in a unanimous decision.
“The decision is important for retailers… because industry processors assume that they can pass on every liability to the merchants,” says attorney Boomstein.
Spec’s Ltd owns over 100 chain stores distributed all over Texas. The court found the liquor store in breach of the Payment Card Industry standards for data security.
But Visa Inc. and Mastercard Inc. conducted their own investigation, calculated the costs and traced them to the responsible sponsor bank, a division of Citigroup Inc. The bank then passed the liability to the third-party processor, First Data Merchant Services.
First Data Merchant Services then started to hold back revenue from day-to-day credit and debit card payments at Spec’s Ltd. and store it in a reserve fund to cover the fines.
The acquirer gathered a total of $6.2 million. However, Spec’s declined to pay the fines and took legal action against First Data Merchant Services in the U.S. District Court in Memphis, Tennessee. The jury ruled in favor of the merchant.
The recent ruling by the appellate court only confirmed the district court’s decision.
“The acquirer, First Data Merchant Services, acted out of compliance with the merchant agreement when it held back Spec’s Ltd’s funds to compensate itself for the card-brand fines,” wrote Senior Judge Deborah L. Cook for the jury.
The appeal to the higher court depended on specific provisions in the merchant agreement that First Data Merchant Services said made the liquor retailer accountable for the fines. One of them was the ‘third-party fees and charges’ provision.
However, the district court and the appellate court agreed that the wording of the contract referred “to routine fees linked to processing services and not the holding funds to compensate a data breach.”
For now, First Data’s only option is to appeal to the full Sixth Circuit. These storms are hitting First Data at a time when the payment provider is waiting for a $22 billion acquisition deal by Fiserv Inc.
The jury’s decision is a blow to First Data but will act as an eye-opener for acquirers to stop imagining that merchants will always be accountable for data breaches.