The U.S. Court of Appeals for the Fifth Circuit recently held that a merchant had a contractual obligation to indemnify its payment processor after a data breach at the merchant compromised customer credit card data.
A copy of the opinion in Paymentech v. Landry’s is available at: Link to Opinion.
A major data breach compromised sensitive consumer information on thousands of credit cards at multiple businesses owned by a company that operates restaurants, hotels, and casinos throughout the United States. Many of those cards belonged to two specific credit card issuers.
In response, the two credit card corporations imposed over $20 million in assessments on the payment processor responsible for securely processing card purchases at the company’s properties. The payment processor then sued the company for indemnification, and the company impleaded the two credit card issuers.
The trial court dismissed the company’s third-party complaints against the credit card corporations and granted summary judgment for the payment processor, finding that the company had a contractual obligation to indemnify the payment processor. The company timely appealed.
The company first argued on appeal that the assessments on the payment processor were not valid liquidated damages under applicable state laws. All parties agreed that New York law governed the payment processor’s contract with one of the credit card corporations and California law governed the contract with the other corporation. The premise of the company’s argument was that liquidated damages must estimate damages only to the nonbreaching party, not to a third party.
The Fifth Circuit began by noting that California and New York law treat liquidated damages similarly. Both presume the validity of liquidated damages in commercial contracts unless the challenging party shows otherwise. See Cal. Civ. Code § 1671(b); JMD Holding Corp. v. Cong. Fin. Corp., 828 N.E.2d 604, 609 (N.Y. 2005). Under both states’ laws, the key question is whether the amount of contractual damages is proportionate to the harm the parties could have reasonably foreseen would flow from a breach. See, e.g., Ridgley v. Topa Thrift & Loan Ass’n, 953 P.2d 484, 488 (Cal. 1998); Truck Rent-A-Ctr., Inc. v. Puritan Farms 2nd, Inc., 361 N.E.2d 1015, 1018 (N.Y. 1977).
Ultimately, the Fifth Circuit concluded that the company did not provide any relevant state authority barring parties in commercial contracts from tying liquidated damages to the anticipated harm to a third party. The company therefore did not rebut the assessments’ presumptive validity. See Cal. Civ. Code § 1671(b); JMD Holding Corp., 828 N.E.2d at 609.
Additionally, the Fifth Circuit held that the company was mistaken that the assessments did not estimate the credit card corporations’ own losses. The Court reasoned that the assessments reflected the credit card corporations’ damages because the corporations were contractually obligated to pay any assessments they collected to intermediary card issuers. The company contended that the assessments could not be liabilities because the credit card corporations imposed and distributed assessments as a matter of discretion, not contractual obligation. But the Court disagreed and stated that the company conflated the credit card corporations’ front-end discretion to impose assessments with their back-end obligation to distribute the assessments they collect.
Alternatively, the company argued that summary judgment for the payment processor was improper because genuine disputes remained over whether the company had a duty to indemnify.
The Merchant Agreement between the company and the payment processor, which was governed by Texas law, contained the following indemnification provision:
You [the company] understand that your failure to comply with the Payment Brand Rules, including the Security Guidelines, or the compromise of any Payment Instrument Information, may result in assessments, fines, and/or penalties by the [credit card corporations], and you agree to indemnify and reimburse us [the payment processor] immediately for any such assessment, fine, or penalty imposed on [the payment processor].
The company argued that this clause required the payment processor to prove that the company violated the Security Guidelines or that card data was compromised — it was not enough that the credit card corporations imposed assessments. The payment processor countered that the company’s duty arose when the credit card corporations imposed assessments after making their own determination that the company violated the Security Guidelines.
The Fifth Circuit favored the payment processor’s interpretation because it was within the text of the clause that the assessments were imposed “by the [credit card corporations]” as a “result” of the company’s “failure to comply with the Payment Brand Rules.” Furthermore, the Merchant Agreement incorporated the Payment Brand Rules, which gave the credit card corporations the right to determine whether someone violated them.
Thus, the Fifth Circuit held that summary judgment in favor of the payment processor was appropriate.
The company also argued that it should be allowed to pursue its third-party complaints to recoup its liability from the credit card corporations. The company brought six claims against each credit card corporation, four as the payment processor’s equitable subrogee — that is, standing in the payment processor’s shoes and asserting its rights — and two as “direct” claims “in its own right.”
The company compared itself to an insurer, arguing that if it must indemnify the payment processor, then it should be able to recover the losses that the processor sustained by reason of the wrongful conduct of the credit card corporations. The wrongful conduct the company alleged for all its subrogated claims was the credit card issuers’ levying of “illegal assessments” on the payment processor.
However, the Fifth Circuit determined that the company’s analogy fell short for one overarching reason: the company paid its own debt, not the credit card issuers’ debt. As the Court pointed out, equitable subrogation only exists to prevent an innocent party from having to bear a loss attributable to a wrongdoing third party. See Md. Cas. Co. v. W.R. Grace & Co., 218 F.3d 204, 211 (2d Cir. 2000). Therefore, the Court held that the company’s subrogation claims were properly dismissed.
The Fifth Circuit also concluded that the company’s direct claims for unjust enrichment and deceptive business practices were properly dismissed because these claims were, as a practical matter, also subrogated claims. While the company styled these claims as “direct” and made “in [the company’s] own right,” the Court reasoned that they required litigating the payment processor’s contractual relationships with the credit card corporations just as the subrogated claims did. Therefore, these claims failed for the same reason given above.
Accordingly, the Fifth Circuit affirmed the trial court’s decision and remanded solely to allow the trial court to determine whether the payment processor should receive prejudgment interest.