
When a data breach compromises the credit and debit card information of a retailer’s consumers, who is liable for losses? Turns out, it’s not always the retailer. At least, that’s according to a Sixth Circuit appeals court ruling on Friday in a case involving a liquor retailer in Texas.

Spec’s Family Partners, which runs dozens of liquor stores in Texas, encountered data breaches in 2012 and 2013 that targeted its payment card network. The fallout highlighted a chain of liability governed by a web of contracts between the players often involved in these scenarios: the retailer, credit card companies, banks and, in this case, a credit card processing company called First Data Merchant Services that Spec’s had a contract with.

The contract between Spec’s and First Data was the key document, which the courts scrutinized to assess whether Spec’s bore liability to First Data. The court found that the contract exempted Spec’s in this case.

“Whenever there’s a data breach, usually it’s an all-hands-on-deck emergency, and it can be hard to be clear-sighted in that situation,” said Emily Westridge Black, a partner at Haynes and Boone, who represented Spec’s in this case. “It’s important for retailers to pause and pay attention to anything they would in a normal dispute, including the contracts, applicable statutes, and regulatory regime.”

Customers who had been affected by the Spec’s breach had been reimbursed by banks that contracted with credit card companies including Mastercard and Visa. Eventually, that liability traveled along the chain until it got to First Data, which turned to Spec’s, the retailer, for its reimbursement. First Data began withholding payments from Spec’s, to an amount that added up to $6.2 million before interest. But Spec’s hit the brakes, saying its contract with First Data is worded in such a way that it exempts Spec’s from liability for damages in this case. A lower federal court in Tennessee agreed in 2017, and on Friday, the Sixth Circuit upheld that decision.

“The district court correctly held that First Data committed the first material breach of the merchant agreement by withholding payments due to Spec’s,” the appeals court wrote in the ruling.

Attorneys for First Data did not immediately comment Monday.

The case highlights the complex relationships between retailers and credit card companies, which often involve several intermediaries. The contracts between them effectively represent a series of interlocking agreements through which companies may try to shift and manage the risk arising from data breaches, said privacy attorneys.

“If a retailer’s cyber security protocol in-house is not in good shape, it will likely run into some headwind when it comes to collect from credit cards,” said Craig Newman, the chair of Patterson Belknap Webb & Tyler LLP’s privacy and data security group.

Data breaches can expose retailers to significant liability, from consumers, credit card companies and state attorneys general looking to hold them accountable over their security measures. In 2017, Target agreed to pay $18.5 million to 47 states and D.C. over a 2013 breach that affected payment card and contact information of several tens of millions of customers.

But the Spec’s case highlights at least one area in which retailers might be able to seek some relief — in the language of their contracts with credit card companies or other intermediaries.

“As a retailer, you’d want to look at your contracts, and defuse potential liability if and when a breach happens,” said Molly Arranz, who co-chairs SmithAmundsen LLC’s data privacy, security and litigation practice group. “Do you have certain indemnification clauses, and what the limitations of liability are, and who is indemnifying whom?”