Financial institutions face an uncertain legal environment when they attempt to obtain reimbursement for losses associated with a data breach at a credit card processor. When a data breach at a credit card processor or large merchant occurs, financial institutions are often out millions of dollars associated with cancelling and reissuing customer credit cards and covering losses from unauthorized use of cards. No federal law directly addresses this situation, so financial institutions are left to the vagaries of state law. However, state laws create major obstacles to recovery.
Many of these obstacles are caused by the fact that the financial institution has no direct contractual relationship with the credit card processor. Credit card transactions involve four players: (1) a bank, which enters into an agreement with a corporation that operates a credit card payment system, such as Visa, that permits the bank to issue Visa credit cards to its customers; (2) the consumer, who uses the credit card; (3) a credit card processor, which enters into agreements with merchants to process their Visa credit card transactions; and (4) the merchant.
In a typical purchase transaction, the merchant’s computer scanners read the cardholder information contained on the magnetic stripe on the credit card as it is swiped through a terminal at checkout. The merchant sends this information through the Visa network to the bank. The bank reviews the card and, assuming it is valid and has sufficient credit, authorizes the transaction. The merchant completes the transaction and notifies the processor, which pays the merchant. The processor then notifies the bank, which pays the processor and charges the consumer. See, generally, Sovereign Bank v. BJ’s Wholesale Club, Inc., 3rd Cir., No. 06-3405 (July 16, 2008).
While the processor and the bank interact, they generally have no written contractual agreement between them. The lack of a contractual relationship is the source of one of several problems when a bank seeks recovery from a processor data breach.
For example, a class action was recently filed on behalf of banks who incurred losses from the data breach at credit card processor Heartland Payment Systems, Inc. In re Heartland Payment Systems, Inc. Customer Data Security Breach Litigation, S.D. Tex., No. 4:09-md-02046. The complaint attempts to recover on breach of contract, breach of implied contract, negligence, negligence per se, negligent and intentional misrepresentation, and a number of state unfair business practice statutes. However, a number of these theories have faced rough sledding in previous data breach class actions by financial institutions:
Breach of contract under a third-party beneficiary theory
A person that is not a party to a contract can still sue for breach of the contract if it can show that it was the “intended beneficiary” of the contract. Some banks have attempted to recover losses under the theory that they are the third-party beneficiaries of the contracts between the processor and the credit card company. For example, in Sovereign Bank v. BJ’s Wholesale Club, the plaintiff banks claimed that they were the intended third-party beneficiaries of the contract between the processor and Visa, because a memorandum accompanying the relevant security provisions in the contract stated that their purpose was “to protect the Visa system and [the Banks] from potential fraud exposure . . . .” The 3rd Circuit held that this memo and other evidence were sufficient for a jury to find that the banks were intended beneficiaries of the processor’s contract with Visa.
However, this theory did not work in a subsequent data breach case brought by financial institutions — In re TJX. By the time that suit was brought, Visa had changed its processor agreement to expressly exclude third-party beneficiaries. As a result, the banks were not able to recover under this theory. In re TJX Companies Security Breach Litigation, 524 F.Supp.2d 83 (D. Mass. 2007).