Opinion
No. 4:13–CV–2226–JAR.
01-15-2015
Craig A. Hoffman, Baker and Hostetler, Cincinnati, OH, Daniel R. Warren, Cleveland, OH, David P. Niemeier, Kevin F. Hormuth, Greensfelder and Hemker, PC, St. Louis, MO, for Plaintiff. Amy C. Purcell, Joshua Horn, Fox Rothchild, LLP, Philadelphia, PA, Nicholas T. Solosky, Washington, DC, Lucy H. Unger, Patrick I. Chavez, Williams and Venker, St. Louis, MO, for Defendants.
Craig A. Hoffman, Baker and Hostetler, Cincinnati, OH, Daniel R. Warren, Cleveland, OH, David P. Niemeier, Kevin F. Hormuth, Greensfelder and Hemker, PC, St. Louis, MO, for Plaintiff.
Amy C. Purcell, Joshua Horn, Fox Rothchild, LLP, Philadelphia, PA, Nicholas T. Solosky, Washington, DC, Lucy H. Unger, Patrick I. Chavez, Williams and Venker, St. Louis, MO, for Defendants.
MEMORANDUM AND ORDER
JOHN A. ROSS, District Judge.
This matter is before the Court on cross-motions for judgment on the pleadings. (Doc. Nos. 37, 43) The motions are fully briefed and ready for disposition.
Background
This action arises out of a cyber attack on grocery store chain Schnuck Markets, Inc. (“Schnucks”) in late 2012 through early 2013 which compromised certain of its customers' debit and credit card information. Schnucks asserts causes of action for breach of contract and declaratory judgment against its transaction processing servicers, First Data Merchant Services Corporation (“First Data”) and Citicorp Payment Services, Inc. (“Citicorp”) (collectively “Defendants”), claiming Defendants are withholding more transaction money than their merchant payment processing agreement permits in order to reimburse banks that issued payment cards affected by the attack.
In October 2011, Schnucks and First Data entered into a Master Services Agreement (“MSA”) under which First Data agreed to provide credit and debit card processing services for Schnucks. (Doc. No. 37–1) At the same time, Schnucks, First Data, and Citicorp entered into a Bankcard Addendum to Master Services Agreement (“Bankcard Addendum”), which set forth the terms and conditions by which Defendants agreed to provide credit and debit card processing services for Schnucks. (Doc. No. 37–2) The Bankcard Addendum incorporates the terms of the MSA and First Data's Program Terms and Conditions (“Operating Procedures”). (Doc. No. 373) Both the MSA and Bankcard Addendum incorporate the rules and regulations of the card brands Visa and MasterCard (“the Associations”). (See Visa International Operating Regulations (“VIOR”) (Doc. No. 44–2); MasterCard Security Rules and Procedures (“MasterCard Rules”) (Doc. No. 44–3), collectively “Association Rules”). The Association Rules subject Defendants to liability to the Associations in the event of data breach. If the Associations determine that a merchant was not compliant with payment card industry data security practices, they may assess a “non-compliance fine” and/or a “case management fee” against the acquiring bank, in this case, Citicorp. In addition, when the data breach involves data from the magnetic stripe of payment cards, the Association may issue assessments against the acquiring bank to reimburse banks that issued the compromised cards for two categories of losses: (1) the amount the issuing banks spent to monitor or cancel and re-issue at risk cards; and (2) the amount of fraudulent charges on the at risk cards. (See Visa Global Compromised Account Recovery (“GCAR”) program (VIOR at 802); MasterCard Account Data Compromise Recovery (“ADCR”) program (MasterCard Rules §§ 10.2.5.3; 10.2.6))
The MSA, Bankcard Addendum, and Operating Procedures (collectively referred to as the “Agreement”) constitute the entire agreement between the parties. (See, Complaint (“Compl.”), Doc. No. 9 at ¶¶ 16–17; Doc. No. 37–2 (Bankcard Addendum) at § 26.3) (“The Bankcard Addendum, along with the [MSA] ... and the Operating Procedures, constitutes the entire agreement between the parties with respect to the subject matter”).
The Agreement obligates Schnucks to indemnify Defendants for “all losses, liabilities, damages and expenses” under certain circumstances, but also limits Schnucks' liability to $500,000, with two exceptions. For noncompliance with an industry-imposed network security framework known as Payment Card Industry Data Security Standards (“PCI DSS”), the limit is higher ($3,000,000), while for “chargebacks, servicers' fees, third party fees, and fees, fines or penalties” assessed by the Associations, the limit does not apply at all. In addition, the Agreement authorizes Defendants to establish and fund a reserve account from Schnucks' payment card transactions to offset its indemnity obligations in an amount not to “exceed ... any current and anticipated Association fees or fines.” (Bankcard Addendum at § 22.1) Schnucks alleges that following the data breach, “First Data received a preliminary case management report from MasterCard outlining the case management fee and the amount of monitoring/card replacement and fraud loss reimbursement it was assessing against Citicorp.” (Compl. at ¶ 28) Based on the amount of MasterCard's assessment, First Data then projected the total amount of Visa's assessment (id. at ¶ 29), and established the reserve account by withholding a percentage each day from the funds it collected for Schnucks from its payment card transactions. (Id. at ¶¶ 30–31)
Section 4.1 of the MSA provides:
CUSTOMER [Schnucks] agrees to indemnify and hold harmless PROVIDER [Defendants] ... from and against all losses, liabilities, damages and expenses (including attorneys' fees and collection costs) resulting from any breach of any warranty, covenant, provision of this MSA or any Addenda or any material misrepresentation by CUSTOMER [Schnucks] under this MSA or any Addenda hereto.
Section 5.4 of the MSA provides, in pertinent part:
Limitation of Liability. NOTWITHSTANDING ANYTHING IN THIS MSA AND ANY ADDENDA TO THE CONTRARY, CUSTOMER [Schnucks], FDMS [First Data] AND ITS AFFILIATES' CUMULATIVE LIABILITY, IN THE AGGREGATE ... FOR ALL LOSSES, CLAIMS, SUITS, CONTROVERSIES, BREACHES, OR DAMAGES FOR ANY CAUSE WHATSOEVER (INCLUDING, BUT NOT LIMITED TO, THOSE ARISING OUT OF OR RELATED TO THIS MSA AND ANY ADDENDA) AND REGARDLESS OF THE FORM OF ACTION OR LEGAL THEORY SHALL NOT EXCEED $500,000. NOTWITHSTANDING THE FOREGOING, CUSTOMER, FDMS AND ITS AFFILIATES' CUMULATIVE LIABILTY [sic] FOR ITS BREACH UNDER SECTION 25 (DATA SECURITY) SHALL NOT EXCEED $3,000,000 ... THIS SECTION 5.4 LIMITATION OF LIABILITY SHALL NOT APPLY TO CUSTOMER'S LIABILITY FOR CHARGEBACKS, SERVICERS' FEES, THIRD PARTY FEES, AND FEES, FINES OR PENALITIES [sic] BY THE ASSOCIATIONOR ANY OTHER CARD OR DEBIT CARD PROVIDED UNDER THIS MSA OR ANY ADDENDA. (Emphasis added).
Schnucks further alleges that Defendants have breached the Agreement by wrongfully withholding funds owed to Schnucks in an amount that is substantially more than the liability limitation of $500,000. (Id. at ¶¶ 3–4) Schnucks also seeks a declaratory judgment with respect to its maximum liability under the Agreement and the maximum amount Defendants may withhold from it to fund the reserve account. (Id. at ¶ 5)
Defendants assert a counterclaim against Schnucks for declaratory judgment that the limitation of liability in the Agreement “does not apply to: (i) fees charged by MasterCard or Visa to Defendants as a result of a cyber-attack experienced by a merchant including, but not limited to, servicers' fees, third-party fees, fees related to [fraud reimbursement and recovery]; and/or (ii) fees, fines or penalties charged by Visa or MasterCard for a merchant's failure to comply with the Payment Card Industry Data Security (PCI DSS) requirements.” (Counterclaim, Doc. No. 20 at ¶ 23)
Each side asserts that the contract language at issue is not ambiguous and can be interpreted in accordance with its plain meaning. See Murr v. Midland National Life Ins. Co., 758 F.3d 1016, 1021 (8th Cir.2014) (“Under Missouri law, unambiguous contracts are enforced according to their plain language.”). Accordingly, the parties have filed cross-motions for judgment on the pleadings.
Although Schnucks' motion is titled “Cross–Motion for Judgment on the Pleadings,” in its supporting memoranda and later filed motions, Schnucks refers to its pleading as a partial cross-motion for judgment on the pleadings (see Doc. Nos. 44, 52, 56 at ¶ 2 and 59 at ¶ 3) and the Court has considered it as such.
Legal Standard
In deciding a motion for judgment on the pleadings, the Court “accept[s] all facts pled by the nonmoving party as true and draw[s] all reasonable inferences from the facts in favor of the nonmovant.” Unite Here Local 74 v. Pinnacle Entertainment, Inc., 2011 WL 65934, at *2–3 (E.D.Mo. Jan. 10, 2011) (quoting Waldron v. Boeing Co., 388 F.3d 591, 593 (8th Cir.2004) ). This is a strict standard, as “[j]udgment on the pleadings is not properly granted unless the moving party has clearly established that no material issue of fact remains to be resolved and the party is entitled to judgment as a matter of law.”Id. (quoting United States v. Any and all Radio Station Transmission Equip., 207 F.3d 458, 462 (8th Cir.2000) ). As summarized in Federal Practice and Procedure:
[A] Rule 12(c) motion is designed to provide a means of disposing of cases
when the material facts are not in dispute between the parties and a judgment on the merits can be achieved by focusing on the content of the competing pleadings, exhibits thereto, matters incorporated by reference in the pleadings, whatever is central or integral to the claim for relief or defense, and any facts of which the district court will take judicial notice.
Id., at *3 (quoting 5C Charles Alan Wright & Arthur Miller, Federal Practice and Procedure § 1367 (3d ed.2010) ).
“In considering a Rule 12(c) motion, the Court may consider the pleadings themselves, materials embraced by the pleadings, exhibits attached to the pleadings, and matters of public record.” Nationwide Mut. Ins. Co. v. Harris Medical Associates, LLC, 973 F.Supp.2d 1045, 1051 (E.D.Mo.2013). Here, the MSA, Bankcard Addendum, and Operating Procedures are all attached to the pleadings.
Arguments of the parties
The focus of the parties' arguments is on section 5.4 of the MSA, which limits Schnucks' liability for “all losses, claims, suits, controversies, breaches, or damages for any cause whatsoever ...” to $500,000, and the exception for “chargebacks, servicers' fees, third party fees, and fees, fines or penalties” assessed by payment card networks. The issue presented by the parties' competing motions is whether the exception for “third party fees” or “fees, fines or penalties” applies to liability for issuer losses. The application of the exception creating a separate $3,000,000 limitation for fines for PCI DSS non-compliance has not been raised by either side. (See Doc. No. 37 at ¶ 22; Doc. No. 38 at 13; Doc. No. 43 at 2 n. 1; Doc. No. 44 at 2).
Defendants do not contend that the exception for “chargebacks” and “servicer's fees” applies to liability for issuer losses. (See Doc. No. 37 at ¶ 22)
Schnucks
Schnucks argues that the plain and unambiguous language of the Agreement establishes that the exception only applies to fees charged by Defendants or third parties for a service related to processing transactions, and fees or punitive amounts (i.e., fine or penalty) charged by Visa or MasterCard. (Doc. No. 44 at 15–17) As support for its position, Schnucks examines the use of the terms “third party fee” and “fee, fine, or penalty” in the Agreement and incorporated documents.
Indeed, Schnucks acknowledges that the exception applies to the Visa “non-compliance fine ” and MasterCard “case management fee. ” (See Doc. No. 43 at 6; Doc. No. 52 at 10)
“Third party fees” is defined in Section 13.3 of the Bankcard Addendum as fees assessed by the credit card Associations against Defendants, including “any switch fee, issuer,[sic] reimbursement fee, adjustment fee, interchange fee, assessment fee or access fee (collectively, “Third Party Fees”).” Schnucks notes the definition of “Third Party Fees” does not reference “fraud reimbursement and recovery” or fees charged “as the result of a data breach.” (Id. at 15) Nor does the definition mention that it relates to a data compromise event. (Id. ) Moreover, the section of the Bankcard Addendum in which the term is defined relates to “fees for Services,” indicating that the enumerated “Third Party Fees” are intended to be fees charged by third parties in connection with Defendants' processing services. (Id. at 16) Indeed, Schedule A to the MSA, and Attachments I and II thereto, sets out the types of fees charged by Defendants and third parties for their services; “interchange fee,” “access fee,” and “assessment fee” are all payments for a service. (Doc. No. 44–1)
Section 13.3 provides:
The fees for Servicesset forth in the Schedules may be adjusted to reflect increases or decreases by Associations in interchange, assessment or other Association. fees or to pass through increases charged by Third Parties for on-line communications. All such adjustments shall be CUSTOMER's responsibility to pay and shall become effective upon the date any such change is implemented by the applicable Association or other Third Party. CUSTOMER shall at all times be responsible for payment of all fees and charges (including increases, additions, or modification made thereto), without limitation, of any Credit Card Association, Network, card-issuing organization, telecommunications provider, federal, state, or local governmental authority (each a “Third Party”) including, without limitation any switch fee, issuer, reimbursement fee, adjustment fee, interchange fee, assessment fee or access fee (collectively, “Third Party Fees”).(Emphasis added.)
In addition, the VIOR refer to an “interchange reimbursement fee” as “a default transfer price between acquirers and issuers within the Visa system” (VIOR at 993–94); define an “access fee” as “[a] fee that is imposed by an ATM Acquirer as part of a Cash Disbursement Transaction, to a Cardholder for use of its ATM” (id. at 1046); refer to an “annual assessment fee” that an acquirer must pay (id. at 782); and refer to “issuer fees.” (Id. at 303, 702) (Doc. No. 44 at 16) The MasterCard Rules refer to “issuer reimbursement fees” in the context of excessive chargebacks. (MasterCard Rules at §§ 8.3.3, 8.3.3.1, 8.3.4) (Id.; Doc. No. 52 at 7 n. 6) Schnucks argues these documents, when read as a whole, clearly establish that “Third Party Fees” refers to fees charged by the Association for a service related to processing transactions and not to reimburse issuer for losses. See Tuttle v. Muenks, 21 S.W.3d 6, 11 (Mo.App. W.D.2000) (noting that the terms of a written contract must be read in context and as a whole).
Schnucks argues that further support for its position can be found from the fact that neither the GCAR nor ADCR operating regulations refer to reimbursing issuing banks for their losses as a “fee, fine, or penalty.” (See, VIOR at 802–806; MasterCard Rules at § 10–1 through 10–29) (Doc. No. 44 at 9–10, 16; Doc. No. 52 at 7) In fact, the regulations do not use the term “fee” at all. Under its GCAR program, Visa may issue a monetary assessment to recover and distribute to affected issuers a portion of their incremental counterfeit fraud losses and operating expenses due to an “account data compromise event.” (See VIOR at 802) (“[A]n Issuer in Visa International or Visa Europe may recover a portion of its Incremental Counterfeit Fraud losses and operating expenses resulting from an Account Data Compromise Event involving a compromise of Magnetic–Stripe Data, and PIN data for events that also involve PIN compromise, under the Global Compromised Account Recovery (GCAR) program from an Acquirer(s) to whom liability for such loss has been assigned under the GCAR program.”). The GCAR regulations state that these assessments are an assignment of liability for loss to the acquirer for the purpose of reimbursing issuers for their losses.
Defendants argue that Schnucks' reliance on the current version of Visa's VIOR and GCAR program (effective October 15, 2012) is improper because the program did not exist at the time of contract formation. Thus, it could not have framed the parties' intent. (Doc. No. 55 at 2–3) Schnucks responds that it is not relying on the “current version” of the VIOR (dated April 15, 2014); rather, it relied on and attached to its motion the relevant provisions of the October 2012 VIOR and the February 2013 MasterCard Rules because those were the rules MasterCard used to assess Citicorp and the rules First Data relied on in setting a reserve for Visa liability. (Doc. No. 58 at 4) Schnucks further argues there are no meaningful differences between the 2011 Visa ADCR program and 2012 Visa GCAR program aside from the name change. (Id. at 5–6) Upon review, the Agreement contemplates that changes would be made to the Association Rules. See, e.g., § 25 of the Bankcard Addendum (“[Schnucks] is required to follow the Operating Procedures and comply with Association Rules as they may each be amended from time to time. ”) (Emphasis added). Accordingly, the Court is not persuaded by Defendants' arguments concerning the Visa GCAR program.
Similarly, MasterCard may levy a monetary assessment under its ADCR program to reimburse issuing banks for their losses. (See MasterCard Rules at § 10.2.5.3) (“ADC operational reimbursement enables an Issuer to partially recover costs incurred in reissuing Cards and for enhanced monitoring of compromised and/or potentially compromised accounts associated with an ADC Event. ADC fraud recovery enables an Issuer to recover partial incremental magnetic-stripe (POS 90) and/or Hybrid POS Terminal unable to process (POS 80) counterfeit fraud losses associated with an ADC Event. MasterCard determines ADC operational reimbursement and ADC fraud recovery.”) MasterCard may also assess a “case management fee” for the investigation costs and other costs incurred by MasterCard in connection with an account data compromise event. (MasterCard Rules at § 10.2.6; July 11, 2012 MasterCard Account Data Compromise User Guide (hereinafter “MasterCard ADC”) at § 7.2.5) (Doc. No. 44 at 9–10)
According to Schnucks, the plain language of these regulations, which are expressly incorporated as part of the Agreement, shows that assignment of liability for issuer losses under GCAR and ADCR are calculations of the actual losses and damages incurred by banks that issued cards targeted in the attack—they are not fees of any kind. (Doc. No. 44 at 16; Doc. No. 52 at 6–7)
As for “fees, fines or penalties,” because the term is not defined in either the Bankcard Addendum or the Operating Procedures, Schnucks argues the terms must be given their ordinary meanings. See American Family Mut. Ins. Co. v. Van Gerpen, 151 F.3d 886, 887–88 (8th Cir.1998) (when interpreting the language of a contract, the court gives a term its ordinary meaning, unless it plainly appears that a technical meaning was intended). To determine the ordinary meaning of a term, courts consult standard English language dictionaries. Farmland Indus., Inc. v. Republic Ins. Co., 941 S.W.2d 505, 508 (Mo.1997). The ordinary meaning of a “fine” or “penalty” is “a sum imposed as punishment.” Id. at 511 (citing Webster's Third New International Dictionary 852, 1668 (1961)). A “fee” means “a sum paid or charged for a service.” Strader v. Progressive Ins., 230 S.W.3d 621, 625 (Mo.Ct.App.2007) (citing Merriam Webster's Collegiate Dictionary, 459 (11th ed.2005); Webster's Third New International Dictionary 833 (1976); Black's Law Dictionary 647 (8th ed.2004)). Thus, the ordinary meaning of a “fee,” “fine,” or “penalty” does not encompass liability to reimburse issuers for their losses. (Doc. No. 44 at 17)
First Data and Citicorp
Defendants argue that read as a whole, the plain and unambiguous language of the Agreement establishes that Schnucks is liable for all of the financial responsibility—without limitation—associated with the cyber attack and resulting data breach. (Doc. No. 38 at 9) Specifically, Defendants rely on § 4.9 of the Operating Procedures (Doc. No. 37–3), which requires Schnucks to pay Defendants for “all related expenses, claims, assessments, fines, losses, costs and penalties and Issuer reimbursements” imposed by Visa and MasterCard in connection with a data compromise event (“Data Compromise Losses”). In addition, § 10.2 of the Operating Procedures authorizes Defendants to assess against Schnucks “Card Organization fees, charges, fines, penalties ... or other assessments including any fees levied against [Defendants] or any amount for which [Schnucks is] obligated to indemnify [Defendants].” Finally, §§ 13.3, 13.5 and 25 of the Bankcard Addendum establish Schnucks' liability to pay all fees, fines or penalties imposed by Visa and MasterCard against Defendants in connection with a data compromise event. (Doc. No. 38 at 11–12)
Section 4.9 provides:
Costs.If you or a Merchant Provider (or other Person used by you) are determined by any Card Organization, regardless of any forensic analysis or report, to be the likely source of any loss, disclosure, theft or compromise of Cardholder data or Card transaction information (together, “Compromised Data Events”) and regardless of your belief that you have complied with the Card Organization Rules or any other security precautions and are not responsible for the Compromised Data Event, you must promptly pay us for all related expenses, claims, assessments, fines, losses, costs, and penalties and Issuer reimbursements imposed by the Card Organizations against us (together, “Data Compromise Losses”). In addition to the foregoing, you must also pay us promptly for all expenses and claims made by Issuers against us alleging your responsibility for the Compromised Data Event, apart from any claim procedures administered by the Card Organizations.
Defendants further argue that “Third Party Fees,” as defined by the Bankcard Addendum, include both “issuer reimbursement fees” and “assessment fees,” and that the term “fees” as used in the exception encompass “reimbursements and assessments.” (Id. at 13–14; Doc. No. 49 at 5) According to Defendants, Schnucks has admitted in its Complaint that virtually all of the actual and anticipated assessments imposed by the Associations are for the reimbursement of losses claimed by issuing banks as a result of the data breach. (Compl. at ¶ 30) (“[A]pproximately 97% of the actual and projected amount of the assessments imposed by [the Associations] was for reimbursement of losses claimed by issuing banks.”) Thus, Schnucks is responsible for all Third Party Fees, and Defendants properly funded the reserve account to cover all of these assessments. (Doc. No. 39 at 14–15; Doc. No. 49 at 5)
Defendants contend the definition of “Third Party Fees” includes an “inadvertent comma” between “issuer” and “reimbursement” [issuer, reimbursement] and construe the term without it to read as “issuer reimbursement fee.” (Doc. No. 49 at 4 n. 2) Schnucks accuses Defendants of altering the Agreement without explanation for the sake of making this argument. (Doc. No. 52 at 6 n. 5) Although punctuation is not part of the English language, “the court in interpreting a contract cannot ignore either the punctuation or the grammatical construction of the language used.” Kansas City Life Ins. Co. v. Wells, 133 F.2d 224, 227 (8th Cir.1943). Here, the Court looks at the sentence structure of the definition which lists a number of different fees separated by commas: “switch fee, issuer,[ ] reimbursement fee, adjustment fee, interchange fee, assessment fee or access fee.” Reading the definition with the comma following the word “issuer” would make no sense in the context of the whole list. A contract is not interpreted to render its terms meaningless. “A construction which attributes a reasonable meaning to all the provisions of the agreement is preferred to one which leaves some of them without function or sense.” See In re Dial Business Forms, Inc., 283 B.R. 537 (8th Cir. BAP 2002) (quoting Village of Cairo v. Bodine Contracting Co., 685 S.W.2d 253, 264 (Mo.Ct.App.1985) ). Accordingly, the Court concludes that the comma is indeed inadvertent and construes the definition of “Third Party Fees” to include an “issuer reimbursement fee.”
In addition, Defendants assert that the plain language of the Agreement makes no distinction between “fees, fines and penalties” and issuer losses; the terms “fees,” “fines,” and “penalties” are used throughout the Agreement to refer to assessments by “Third Parties,” i.e., the Associations, related to data compromise events, as well as assessments arising out of specific instances of misfeasance or Schnucks' PCI noncompliance. For instance, § 13.5 of the Bankcard Addendum addresses Schnucks' agreement to pay “any fines, fees, or penalties imposed by an Association” with respect to its negligent acts or omissions, and § 25 addresses Schnucks' responsibility “to maintain compliance with all Association PCI Data Security procedures and regulations, and to pay any and all fines levied by the applicable Association for its non-compliance ...” (Doc. No. 49 at 7) Defendants also argue that the inclusion of the words “all fees and charges ... without limitation, of [the Associations]” in the definition of “Third Party Fees” (see Bankcard Addendum at § 13.3) lends additional support for their interpretation of “Third Party Fees” to encompass “issuer reimbursements.” (Doc. No. 49 at 8–9) According to Defendants, these provisions demonstrate that the Associations' fees arise as assessments imposed on Defendants in connection with Schnucks' PCI non-compliance and resulting data breach. The same is true of “fines” and “penalties” in that issuer reimbursements are assessed by the Associations in a punitive context following a data compromise event. (Id. at 9)
Finally, Defendants point to Visa's use of the terms “fines and penalties” in a “preamble” to the applicable 2011 ADCR program. According to Defendants, Visa used the preamble to characterize its authority to impose all assessments (such as financial responsibility for a data breach) on an acquiring bank based on its merchant's conduct. (Doc. No. 55 at 3–4) This “preamble reference” to “fines and penalties” shows the parties intended that any and all assessments by the Associations in enforcing their rules and regulations, described by the Associations as “fines and penalties,” are Schnucks' responsibility without limitation. (Doc. No. 55 at 3–4) Further, Defendants contend that when read in context, the GCAR and ADCR provisions are only operating programs and procedures used by the Associations to calculate the fines and penalties levied against acquiring banks for their merchants' violations of various security rules and do not define the nature of the liability imposed. (Doc. No. 55 at 5–6) Discussion
The preamble provides:
Operating Regulations Compliance and Enforcement Fines and Penalties—General Visa Right to Fine
The Visa International Operating Regulations contain enforcement mechanisms that Visa may use for violations of the Visa International Operating Regulations. The Operating Regulations also specify the procedure for the allegation and investigation of violations and the rules and schedules for fines and penalties.
Visa may levy fines and penalties as specified in the Visa International Operating Regulations. Visa officers will enforce these fines and penalties.
These procedures and fines are in addition to enforcement rights available to Visa under other provisions of the Visa International Operating Regulations, the applicable Certificate of Incorporation and Bylaws, or through other legal or administrative procedures.
(Doc. No. 55–1 at 59)
Schnucks responds that Visa's 2011 ADCR and 2012 GCAR programs both established Visa's right to collect money from an acquirer and distribute that money to reimburse issuer for the losses incurred from a data breach. (Doc. No. 58 at 3) A review of the rules shows the key language remains unchanged:
Account Data Compromise Recovery [ADCR] Process—U.S. Region
In the U.S. Region, the Account Data Compromise Recovery (ADCR) process allows Visa to determine the monetary scope of an account compromise event, collect from the responsible Member, and reimburse Members that have incurred losses as a result of the event.
(Doc. No. 53–2 at 759) (Emphasis added).
Global Compromised Account Recovery [GCAR] Program Overview (Updated)
Effective for Qualifying CAMS Events or VAB Events in which the first or only alert is sent on or after 15 May 2012,an Issuer in Visa International or Visa Europe may recover a portion of its Incremental Counterfeit Fraud losses and operating expenses resulting from an Account Data Compromise Event involving a compromise of Magnetic–Stripe Data, and PIN data for events that also involve PIN compromise, under the Global Compromised Account Recovery (GCAR) program from an Acquirer(s) to whom liability for such loss has been assigned under the GCAR program.
GCAR allows Visa to determine the monetary scope of an Account Data Compromise Event, collect from the responsible Acquirer(s), and reimburse Issuers that have incurred losses as a result of the event.
(Doc. No. 44–2 at 802) (Emphasis added). Schnucks asserts that without the GCAR and ADCR rules, there would be no basis in the VIOR or MasterCard rules for acquirer liability for issuer losses. Moreover, Visa and MasterCard distribute the amounts they collect under those programs to affected issuers, but retain the fines and penalties for themselves. (Doc. No. 58 at 3)
--------
The interpretation of a contract is a question of law. Adbar Co., L.C. v. PCAA Missouri, LLC, 2008 WL 68858 at *4 (E.D.Mo. Jan. 4, 2008). “The cardinal principle” of contract interpretation is “to ascertain the intention of the parties and to give effect to that intent.” Monarch Fire Protection District of St. Louis County, Missouri v. Freedom Consulting & Auditing Services, Inc., 644 F.3d 633, 638 (8th Cir.2011). In interpreting a contract, the Court uses “the plain, ordinary, and usual meaning of the contract's words” and considers the “whole document.” Adbar, 2008 WL 68858, at *4 (citing Jackson County v. McClain Enters., 190 S.W.3d 633, 640 (Mo.Ct.App.2006) ). See also, Shaw Hofstra & Associates v. Ladco Development, Inc., 673 F.3d 819, 826 (8th Cir.2012). If a contract is unambiguous, the “intent of the parties will be gathered solely from the terms of the contract.” Id. (quoting State ex rel. Vincent v. Schneider, 194 S.W.3d 853, 860 (Mo.2006) ). Where, as here, the parties are sophisticated business entities who rely on experts to advise them, the language they have mutually negotiated and agreed to is the best evidence of what they intended. See, e.g., In re SRC Holding Corp., 545 F.3d 661, 668 (8th Cir.2008) ; enXco Development Corp. v. Northern States Power Co., 758 F.3d 940, 947 (8th Cir.2014).
After careful review of the parties' Agreement as a whole, and following the well-established principles of contract interpretation, the Court finds the exception for “third party fees” and “fees, fines and penalties” was not intended to apply to liability for issuer losses assessed by the Associations. This is clear for several reasons.
First, the exception lists specific fees, fines, and penalties that are excluded from the limitation of liability clause, but does not list anything equivalent to issuer losses. The exception makes no reference to the Association rules that create the liability for issuer losses (GCAR or ADCR) or any reference to liability for a data compromise event. Defendants argue that an exclusion to a limitation of liability clause does not have to list each and every source of liability it seeks to exclude in order to be effective. (Doc. No. 49 at 10–11) Whether or not this is true, Defendants' position is undermined by the omission of the term “Data Compromise Losses” (or any equivalent language) from the list of forms of liability excepted from the limitation of liability clause. Defendants were clearly aware of this category of losses and didn't include it. If Defendants had intended for the exception to have the meaning they claim it does, then inserting the term “Data Compromise Losses,” which encompasses all forms of liability for a data breach (“all related expenses, claims, assessments, fines, losses, costs and penalties and Issuer reimbursements imposed by the Card Organizations”) would have clearly manifested that intent. See New Madrid County Reorganized School Dist. No. 1 v. Continental Cas. Co., 904 F.2d 1236, 1240–41 (8th Cir.1990) (“If Continental Casualty wanted to exclude this type of liability from its policy it could and should have done so explicitly. Absent an explicit exclusion, we must apply the language as written.”).
Second, the plain reading of a “fee” is an amount paid or charged for a service. Strader, 230 S.W.3d at 625. The term “Third Party Fees,” as defined in the Bankcard Addendum, refers to fees charged by third parties in connection with Defendants' processing services, such as “interchange fees” and “access fees” (see Doc. No. 44–1), as opposed to liability for actual issuer losses. Defendants argue in conclusory fashion that the term “fees” encompasses both “reimbursements” and “assessments,” yet nowhere in the Agreement is the stand-alone term “fee” defined as including “reimbursement” or “assessment” arising out of a data compromise event. Moreover, the term “Data Compromise Losses” as defined in the Operating Procedures makes no reference to fees. Rather, liability under the GCAR and ADCR programs is referred to as “Issuer reimbursements imposed by the Card Organizations against us ...” (Operating Procedures, Doc. No. 37–3 at § 4.9) The term “issuer reimbursement fees” does appear in the MasterCard operating regulations, but solely in the context of an excessive chargeback, not an account data compromise event, and not as an assessment for the purpose of reimbursing issuing banks. (MasterCard Rules at §§ 8.3.3, 8.3.3.1, 8.3.4.)
Third, the ordinary meaning of the terms “fines” and “penalties” is a sum imposed as punishment. See Farmland Indus., 941 S.W.2d at 511. Defendants contend that issuer reimbursements are assessed by the Associations in a punitive context following a data compromise event. However, the two provisions of the Bankcard Addendum Defendants rely on in support of their contention are unrelated to a data compromise event; § 13.5 is a general indemnity obligation arising from Schnucks' “negligent acts or omissions,” and § 25 relates to an obligation to pay a fine for PCI DSS non-compliance, which can occur even in the absence of a data compromise event. Furthermore, Defendants do not allege that Schnucks was either negligent or PCI DSS non-compliant.
If the Court were to adopt Defendants' interpretation that the terms “Third Party Fees” and “fees, fines or penalties” apply to liability for issuer losses, then Schnucks would be responsible for all of the financial liability imposed on Defendants by the Associations relating to the cyber attack and data breach, and, for that matter, any loss of any kind. As a result, the limitation of liability would have no meaning. The Court rejects such an interpretation. The parties are sophisticated businesses who clearly had a purpose for including the limitation of liability exception in the Agreement. In re SRC, 545 F.3d at 668. A well established rule of contract interpretation is that an “interpretation which gives a reasonable, lawful, and effective meaning to all terms is preferred to an interpretation which leaves a part unreasonable, unlawful, or of no effect.” DeJong v. Sioux Center, Iowa, 168 F.3d 1115, 1120 (8th Cir.1999) (internal quotation omitted). See also Schoemehl v. Renaissance Elec. Co., Inc., 334 Fed.Appx. 772, 775–76 (8th Cir.2009) (quoting Beister v. John Hancock Mut. Life Ins. Co., 356 F.2d 634, 641 (8th Cir.1966) ). Conclusion
For the foregoing reasons, the Court finds and concludes that Schnucks' obligation to indemnify Defendants for liability for losses incurred by issuing banks is limited to $500,000.00. The Court will, therefore, deny Defendants' motion for judgment on the pleadings, grant Schnucks's partial cross-motion for judgment on the pleadings, and enter a declaratory judgment that Schnucks' maximum liability under the terms of the Agreement for issuing bank losses assigned by the Associations for monitoring/card replacement and counterfeit fraud losses as a result of the data security breach is $500,000.00 and that Defendants must return to Schnucks any funds held in excess of that amount plus the Visa fine and MasterCard case management fee.
Accordingly,
IT IS HEREBY ORDERED that Defendants First Data Merchant Services Corporation and Citicorp Payment Services, Inc.'s Motion for Judgment on the Pleadings [37] is DENIED. Judgment on Defendants' Counterclaim is entered in favor of Plaintiff Schnuck Markets, Inc. and against Defendants First Data Merchant Services Corporation and Citicorp Payment Services, Inc.
IT IS FURTHER ORDERED that Plaintiff Schnuck Markets, Inc.'s partial Cross–Motion for Judgment on the Pleadings [43] is GRANTED as follows:
Judgment on Count II (Declaratory Judgment) of Plaintiff's complaint is entered in favor of Plaintiff Schnuck Markets, Inc. and against Defendants First Data Merchant Services Corporation and Citicorp Payment Services, Inc. in accordance with this Memorandum and Order.
IT IS FINALLY ORDERED that this matter is set for a telephone conference with counsel on Thursday, January 22, 2015 at 2:00 p.m. to discuss scheduling regarding all remaining issues.