Massachusetts's Highest Court Delivers BJ Wholesalers (and other Retailers) a Data Breach Liability Gift
...Massachusetts’s highest court (the Supreme Judicial Court or “Supreme Court” as referenced herein) delivered retailers a significant holiday gift in the form of an opinion slamming the door on some financial institutions seeking to recover reissuance costs arising out a retailer’s payment card data breach.
The Cumis Insurance Society, Inc. v. B.J. Wholesale Club, Inc. decision (“Supreme Court Decision”) analyzed and ruled upon most of the mainstream legal theories issuing banks have used to attempt to recover card reissuance costs, including breach of contract under a third party beneficiary theory, fraud, negligence, negligent misrepresentation and breach of unfair/deceptive practices laws (in this case M.G.L. Chapter . 93A, section 11). We have previously commented on multiple decisions involving retailer payment card breaches similar to the BJ Wholesale breach and PCI liability in general, including a 3rd Circuit federal appellate decision that allowed issuing banks to proceed forward with a third party beneficiary breach of contract theory.
This blog post dives into and analyzes the Supreme Court Decision, and looks at it in context against similar decisions. Overall, in terms of issuing banks recovering for payment card breaches, the game does not appear to be litigation in the courts, but rather in the backroom contracts and recovery processes contained in the card brand operating regulations that most retailers agree to comply with.
Continue Reading
Editor's Note: For those of you who are interested, I've provided a primer on the case below:
Case Background:
Background. We recite the undisputed facts in the summary judgment record, reserving some facts for later discussion. Visa and MasterCard are membership organizations in which issuing and acquiring banks join in order to participate in point of sale transactions using the Visa and MasterCard brands. Issuing banks such as the plaintiff credit unions issue the physical plastic credit cards to cardholders, determine the amount of the authorized credit line available to each cardholder, and approve or decline each transaction when the cardholder presents the credit card to make a purchase.
When a cardholder presents a credit card to a merchant, the merchant transmits the information encoded on the back of the credit card to the acquiring bank. The acquiring bank, in turn, transmits the information to Visa or MasterCard, which submits the request to the appropriate issuer. The issuer then relays its decision to approve or decline the transaction back through the same channels to the merchant. After the transaction is approved, the acquiring bank acquires the merchant's Visa or MasterCard receipt, pays the merchant for the amount of the transaction, and seeks payment from the issuing bank; the issuing bank pays the acquiring bank and debits the cardholder's account. Approximately 16,000 issuers are members of the Visa organization and approximately 20,000 issuers are members of MasterCard. At least 20 million merchants participate in the Visa and MasterCard payment processing systems, but none are members and none contract directly with Visa or MasterCard.
Visa and MasterCard each issue extensive operating regulations that govern the payment processing system and their members' obligations. Every financial institution that becomes a member of the Visa and MasterCard organizations must sign a contract that includes a provision that it will comply with these regulations; acquirers are also contractually obligated to ensure that their merchants comply. Both Visa and MasterCard regulations prohibit merchants and acquirers from storing magnetic stripe data from the back of credit cards, in whole or in part, after a transaction is completed.
In February, 2004, Visa and MasterCard determined that computer thieves had gained access to the computer systems on which BJ's stored credit card transaction data at more than 150 stores, and that the breach had been ongoing since July, 2003. The breach provided the thieves access to the full magnetic stripe data from approximately 9.2 million cardholder accounts, allowing them access to cardholder names, account numbers, account expiration dates, and proprietary Visa and MasterCard security data. It was ultimately determined that the third-party transaction processing software used by BJ's was permanently storing the magnetic stripe data in transaction logs. The agreements between BJ's and Fifth Third contained a requirement that BJ's comply with Visa and MasterCard's regulations, including those prohibiting BJ's from storing any magnetic stripe data after a transaction was completed; the agreements among Fifth Third and Visa and MasterCard required Fifth Third to ensure that its merchants complied with the regulations. BJ's conceded that it was retaining the magnetic stripe data.
Visa and MasterCard notified all their member issuing banks that had issued any of the possibly compromised accounts. In response to this notification, the plaintiff credit unions closed all their potentially compromised accounts, without regard to whether fraudulent charges had been made on a particular account; advised cardholders to destroy their old plastic credit cards; and issued new account numbers and new plastic credit cards to all affected cardholders. Cumis paid the plaintiff credit unions millions of dollars for fraudulent transactions made using the compromised accounts; the plaintiff credit unions and Cumis then commenced this action.
[1] In order to resolve potential customer disputes, merchants are permitted to store the customer's name, credit card number, and the card's expiration date.
[2] In addition, MasterCard reimbursed issuers, including the plaintiff credit unions, $2.4 million for fraudulent transactions.