Richard Raysman is a Partner in our New York office.

In early February, this blog discussed a case involving a grocery store chain that was a victim of a cyber-attack and its transaction processors. See Schnuck Mrkts. v. First Data Merchant Servs Corp., No. 4:13-cv-2226-JAR, --- F. Supp. 2d --- (E.D. Mo. Jan. 15, 2015). Less than a month later, on Feb. 12, the transaction processors filed a motion for partial reconsideration of the grant of the store's motion on the pleadings, citing procedural errors. See Schnuck Mrkts. v. First Data Merchant Servs. Corp., No. 4:13-cv-2226-JAR (E.D. Mo. Feb. 12, 2015). As this case involves complicated transactions with a number of jargon-laden governing agreements, a truncated recitation of the facts is necessary.

Background and Earlier Ruling

Schnuck Markets, Inc. (Schnucks) was the victim of a cyberattack which compromised certain types of credit and debit card information of its customers. Schnucks then sued, inter alia, First Data Merchant Services (First Data), based on alleged violations of the Master Services Agreement (MSA) between the two parties. As background, pursuant to the MSA, First Data provided credit and debit card processing services for Schnucks. The MSA, as well as a later Addendum, incorporated the rules and regulations (CC Rules) of certain credit card companies into its terms. The CC Rules relevant to this case stipulate that First Data are liable to these credit card companies in the event of a cyberattack.

First, if the credit card companies discover that Schnucks is not in compliance with the Payment Card Industry Data Security Standards (PCIDSS), they are permitted to fine First Data. Second, in the event that the breach results from adulterated data from the magnetic stripe on the payment card, the credit card companies are permitted to seek reimbursement from First Data for the costs of monitoring, canceling, or reissuing payment cards, and for the amount of fraudulent charges on the at risk cards.

The MSA obligates Schnucks to indemnify First Data for "all losses, liabilities, damages and expenses," although such liability is limited to claims of $500,000 and under. However, if Schnucks was found noncompliant with the PCIDSS, the liability ceiling was raised to $3 Million. If First Data's liability arose from "chargebacks, servicers' fees, third party fees, and fees, fines or penalties" levied by the credit card companies, Schnucks' liability resulting therefrom was uncapped. With respect to the cyberattack in question, First Data had begun to fund a reserve account by withholding a percent of the funds from Schnucks payment card transactions that it processed, as it believed that the liability cap within the MSA had been lifted.

Schnucks alleged that First Data withheld funds in an amount that is "substantially more" than the liability cap in the MSA of $500,000. First Data defended its use of the reserve account on the grounds that the liability cap in the MSA was inapplicable in these circumstances. Specifically, the applicability of this cap was gainsaid by the fact that First Data had to indemnify the credit card companies both for fees resulting from Schnucks' violations of the PCIDSS and for the other sets of fees referenced above. Only the unlimited liability cap was actually litigated in the case.

The court concluded that the "third party fees, and fees, fines or penalties" referenced in the MSA did not apply to the charges assessed by First Data as a result of the cyberattack. The Addendum to the MSA refers to "third party fees" as those fees charged in connection with First Data's processing services, such as interchange fees, and not any liability associated with credit card company losses.  Finally, according to the court, if the phrase "third party fees, and fees, fines or penalties" was interpreted in accordance with First Data's argument, it would be so overbroad as to encompass any liability imposed on First Data by the CC Rules. The court denied the motion on the pleadings by First Data, granted in relevant part the cross-motion for summary judgment by Schnucks. Therefore, any funds withheld in excess of the $500,000 were ordered by the court to be returned to Schnucks.

First Data's Motion for Partial Reconsideration

The motion claimed that the trial judge erred for two principal reasons: (1) he relied on extrinsic evidence and (2) he violated the "fundamental" contract construction principle requiring analysis only of the "four corners" of the document.  According to the motion, the judge relied on materials outside of the pleadings, which is impermissible when deciding a motion on the pleadings. Such extrinsic evidence included a reference to the CC Rules in Schnucks' brief to the CC Rules, and the brief is clearing extrinsic to the pleadings, nor were the CC Rules incorporated into the MSA. It then listed some documents it would have put into its pleadings had it known that "extrinsic evidence" would be permitted. For instance, First Data's motion claimed that it would have presented the court with correspondence between Schnucks and one of the credit card companies in which the former characterized the liability assessed to First Data in wake of cyberattack as "penalties."

The motion also deemed the reliance on the CC Rules as violative of the "four corners" canon of contract construction. So goes First Data's argument, that because the court interpolated the CC Rules into its analysis, it violated the "Entire Agreement" clause of the MSA.  As you might expect from its label, this clause stipulated that the MSA, Addendum and unrelated Operating Procedures not discussed here constituted the entirety of the agreements. Of most interest to this argument is First Data's claim that the CC Rules utilized by Schnucks' in its brief were not in existence at the time the MSA was agreed upon. Ergo, the motion argues, how could the CC Rules have influenced the intent of the parties at the time the relevant agreements were memorialized?  Intent of the parties is required to be ascertained at the time of contracting and no intent could be derived from incorporating nonexistent rules into a binding contract.

According to the motion, these failures of the trial judge created "manifest error" and warrants reconsideration of the order that had earlier granted Schnucks' motion on the pleadings.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.