From Casetext: Smarter Legal Research

Visa Inc. v. Sally Beauty Holdings, Inc.

Court of Appeals of Texas, Second District, Fort Worth
Dec 9, 2021
651 S.W.3d 278 (Tex. App. 2021)

Opinion

No. 02-20-00339-CV

12-09-2021

VISA INC., Appellant v. SALLY BEAUTY HOLDINGS, INC., Appellee

Allyson N. Ho, Andrew P. LeGrand Sr., Elizabeth A. Kiernan, Joseph E. Barakat, Emily A. Jorgens, Gibson, Dunn and Crutcher LLP, Dallas, for Appellant. John H. Cayce, Jr., Caitlyn E. Hubbard, Kelly Hart & Hallman LLP, Fort Worth, Douglas H. Meal, Seth Harrington, Orrick, Herrington & Sutcliffe LLP, Boston, Massachusetts, Clyde M. Siebman, Siebman Forrest Burg & Smith LLP, Sherman, for Appellee.


Allyson N. Ho, Andrew P. LeGrand Sr., Elizabeth A. Kiernan, Joseph E. Barakat, Emily A. Jorgens, Gibson, Dunn and Crutcher LLP, Dallas, for Appellant.

John H. Cayce, Jr., Caitlyn E. Hubbard, Kelly Hart & Hallman LLP, Fort Worth, Douglas H. Meal, Seth Harrington, Orrick, Herrington & Sutcliffe LLP, Boston, Massachusetts, Clyde M. Siebman, Siebman Forrest Burg & Smith LLP, Sherman, for Appellee.

Before Sudderth, C.J.; Wallach and Walker, JJ.

Opinion by Chief Justice Sudderth

Given how routine credit-card transactions have become, the average card-carrying American could easily overlook the complex system that makes such transactions possible. One key component of that complex system is its contractual structure, which indirectly links merchants like Appellee Sally Beauty Holdings, Inc. to the network of transactional services provided by companies like Appellant Visa, Inc. The enforceability of certain terms within this contractual structure, as well as the security-related representations made by merchants participating in the Visa network, are at the center of this data-breach case.

After Sally Beauty's allegedly sub-par network security enabled a credit-card network hack—Sally Beauty's second in just over a year—Visa assessed approximately $14 million in liquidated damages against the company that linked Sally Beauty to the Visa network: Fifth Third Bank. Fifth Third passed the $14 million assessment on to Sally Beauty and assigned the merchant its claims against Visa. Sally Beauty sued, arguing that Visa had breached its contract with Fifth Third by collecting the $14 million assessment because the liquidated damages provision was an unenforceable penalty under California law. Visa countersued for fraud alleging that, in the fourteen months between Sally Beauty's two hacks, Sally Beauty fraudulently misrepresented its compliance with network security protocols as well as its intent to remain in compliance.

Visa also countersued for negligence, but it does not appeal the trial court's adverse summary judgment on its negligence counterclaim.

The parties filed competing motions for summary judgment, and the trial court granted Sally Beauty's motions on both Sally Beauty's contract claim and Visa's fraud counterclaim. The court found that (1) the liquidated damages provision underlying the $14 million assessment was unenforceable under California law, and (2) Visa not only lacked standing to assert fraud but also failed to state a cognizable fraud claim under Texas law.

The fraud findings stated above are implied; the trial court indicated the basis for its breach of contract judgment, but it did not indicate the basis for its judgment on Visa's fraud counterclaim. See Provident Life & Acc. Ins. Co. v. Knott , 128 S.W.3d 211, 216 (Tex. 2003) ("Because the trial court's order does not specify the grounds for its summary judgment, we must affirm the summary judgment if any of the theories presented to the trial court and preserved for appellate review are meritorious.").

We disagree on both counts. First, because the liquidated damages provision is presumed valid under California law and because none of Sally Beauty's arguments invalidate it, we will reverse the trial court's breach of contract judgment and hold that the liquidated damages provision is enforceable. And second, because Visa has standing to raise a fraud claim, because Sally Beauty sought dismissal of the fraud claim on the pleadings, and because we take Visa's pleadings as true and construe them in its favor, we will reverse the trial court's fraud judgment and hold that Visa stated a cognizable claim for fraud under Texas law. With both summary judgments reversed, we will remand the case for further proceedings.

I. Background

Visa's credit-card network involves multiple layers of contracts.

A. Network and Contractual Framework

Generally, when a customer uses his Visa card at one of Sally Beauty's beauty-supply stores, (1) a point-of-sale system at Sally Beauty sends the card information to Sally Beauty's acquiring bank, Fifth Third; (2) Fifth Third transmits the information via Visa's network to the bank that issued the customer's credit card; (3) the card-issuing bank authorizes the transaction; and (4) the authorization message is sent back through the Visa network to Sally Beauty to complete the transaction. Visa has contracts with the card-issuing banks and with the acquiring banks (such as Fifth Third), while the acquiring banks have contracts with the individual merchants (such as Sally Beauty). Otherwise, the system participants do not have contracts with one another. Consequently, Visa has established a set of rules to govern the system: the Visa Core Rules.

See Landry's, Inc. v. Ins. Co. of Pa. , 4 F.4th 366, 367 (5th Cir. 2021) (describing parallel system).

The Visa Core Rules are incorporated into Visa's contracts with issuers and acquirers, and the acquirers in turn incorporate the Visa Core Rules into their contracts with merchants. The Visa Core Rules establish, among other things, (1) security requirements for network participants, (2) an investigation procedure for data hacks, and (3) a system of liquidated damages known as the Global Compromised Account Recovery (GCAR) program.

1. Security Requirements

First, the Visa Core Rules protect network security by requiring acquirers to ensure that any merchant the acquirer connects to the Visa network complies with industry-wide security protocols known as the Payment Card Industry Data Security Standards (PCI DSS). Merchants whose Visa transactions exceed a certain threshold are required to undergo an annual security evaluation to ensure ongoing PCI DSS compliance. Sally Beauty was one such merchant.

The PCI DSS were adopted and are maintained by the Payment Card Industry Security Standards Council, LLC.

This annual evaluation is generally conducted by a qualified security assessor (QSA), who validates the merchant's compliance with more than 200 PCI DSS requirements. The QSA then completes a three-page summary of these findings, grouping the numerous tested requirements into 12 broad categories, such as "[i]nstall[ing] and maintain[ing] a firewall configuration to protect cardholder data" and "[p]rotect[ing] stored cardholder data." The QSA marks the appropriate checkbox on the summary sheet to indicate the merchant's compliance or noncompliance with each of these 12 categories. Both the QSA and the merchant then sign the summary sheet, affirming, among other things, that,

"Independent security organizations qualified by [the Payment Card Industry Security Standards Council] to validate an entity's adherence to PCI DSS requirements are referred to as ‘Qualified Security Assessor Companies.’ " Individuals employed by these companies as QSAs are required to complete an additional qualification process to conduct PCI DSS validation tests.

The QSA's evaluation procedure includes more than 300 tests.

Rather than hiring a QSA, a merchant may elect to have its internal audit department complete the evaluation.

If the merchant is noncompliant, the checklist provides a field for the QSA or merchant to indicate "the date [the company] will be compliant with the requirement and a brief description of the actions being taken to meet the requirement."

• [a]ll information within the above-referenced [report] and in this attestation [i.e., summary sheet] fairly represents the results of the assessment in all material respects[;]

• [t]he merchant has confirmed with the payment application vendor that [its] payment application does not store sensitive authentication data after authorization[; and]

• [t]he merchant has read the PCI DSS and recognizes that [it] must maintain full PCI DSS compliance at all times.

The Visa Core Rules provide that this signed summary, known as an attestation of compliance (AOC), must be included with the QSA's report and submitted to the merchant's acquirer and, ultimately, to Visa.

2. Investigation Procedures

The PCI DSS protocols are merely one feature of the Visa Core Rules. The second relevant feature is the investigation procedures.

In the event of a network hack, the Visa Core Rules require the hacked merchant, upon request, to hire an independent PCI DSS forensic investigator to investigate the hack. The investigator follows an industry-wide PCI DSS procedure to determine, among other things, the number of customers whose financial information was exposed to the risk of unauthorized disclosure and to determine whether the hacked merchant was compliant with PCI DSS protocols at the time of the hack. If, based on this report, Visa determines that the hacked merchant was not in compliance with PCI DSS protocols, if such noncompliance could have facilitated the hack, if certain cardholder data is put at risk, if Visa has to send a certain number of breach-related issuer alerts, and if the estimated issuer expenses resulting from the hack exceed a specified threshold, then the third relevant feature of the Visa Core Rules kicks in: the GCAR program.

The Visa Core Rules give Visa the discretion to treat the investigator's report as merely "one source of information" in the GCAR analysis. But in this case, Visa relied on the investigator's final report.

3. GCAR Program

The GCAR program effectively allows issuers to recover for expenses caused by merchant hacks, despite the lack of privity between issuers and merchants. Generally, if a hack qualifies for the GCAR program, Visa calculates and imposes a liquidated assessment against the acquirer that provided the hacked merchant with access to the Visa network. The acquirer, in turn, generally passes the assessment on to the hacked merchant. Then, after Visa collects the liquidated damages, Visa distributes the funds to the affected issuers.

The Visa Core Rules also provide an appeal review process that allows acquirers to appeal the GCAR assessment within 30 days.

Whether a hacked merchant is required to indemnify its acquiring bank for a GCAR assessment is determined by the terms of the merchant–acquirer contract, not the Visa Core Rules.

Two elements comprise the GCAR's liquidated damages formula: (1) incremental counterfeit fraud liability, and (2) issuer operating-expense recovery. The incremental-counterfeit-fraud-liability portion is calculated based on the number of at-risk Visa customers and the amount of marginal fraud observed on their accounts. The issuer operating-expense recovery, in turn, is calculated by multiplying a specified operating-expense amount by the number of eligible at-risk customer accounts. As the sum of these two elements, the GCAR assessment is intended to estimate and reimburse a portion of the issuers’ hack-specific fraud-related expenses, such as increased account monitoring, card replacement, and customer reimbursements for fraudulent charges. At the same time, the GCAR program limits Visa's contractual obligation to reimburse the issuers, and it limits the acquirer's corresponding liability to Visa for issuer reimbursements.

The specified operating-expense amount ranges from approximately $2.50 to $7.00.

"Card-issuing banks and credit unions are required by federal law to indemnify their card-holding customers for losses from fraudulent activity, so ... [these banks] bore the costs of reissuing cards and indemnifying the [merchant] hackers’ fraud." Cmty. Bank of Trenton v. Schnuck Markets, Inc. , 887 F.3d 803, 807 (7th Cir. 2018) (first citing 15 U.S.C. § 1643(a) ; and then citing 12 C.F.R. § 205.6 ).

For example, the GCAR program limits the relevant time frame for reimbursable fraud to a specified "fraud window"; it caps the acquirer's liability to Visa based on a predefined percentage of the acquirer's gross annual purchase volume; it excludes consideration of certain fraudulent charges, such as fraud in excess of $3,000 per customer account; it offers acquirers a "safe harbor" from GCAR liability based on installation of chip-enabled point-of-sale terminals; and it conditions Visa's liability to issuers on Visa's successful imposition and collection of the GCAR assessment. As to the final limitation—Visa's conditional liability—the GCAR program provides,

Visa is not responsible to fund any recovery amounts under any circumstances. Any issuer recoveries are limited to the amount, if any, that Visa collects from the Compromised Entity's acquirer(s). If Visa concludes it is unable or not in the best interests of the Visa system as a whole to assess or collect an assessment under GCAR for any reason, issuers shall have no right to any GCAR recovery amounts. If the amount collected by Visa is lower than the full assessment amount, Visa will proportionally adjust all issuer recoveries, if any. Visa is not obligated to exercise its discretion to reduce any assessment.

B. Sally Beauty's Case

The current case involves a dispute over Visa's GCAR program. In 2015, Sally Beauty's payment system was hacked—for the second time in just over one year—putting Visa's customers’ data at risk. Visa required Sally Beauty to investigate the hack, and the PCI DSS investigator determined that Sally Beauty had not complied with certain PCI DSS protocols and that this noncompliance allowed third parties to hack Sally Beauty's system. Because Fifth Third was providing Sally Beauty with access to Visa's network, Visa relied on the investigator's report to impose a GCAR assessment of $14.29 million against Fifth Third. Fifth Third passed the GCAR assessment on to Sally Beauty, and Sally Beauty paid Fifth Third in exchange for an assignment of Fifth Third's claims against Visa.

The precise amount of the assessment was $14,294,740.36.

Sally Beauty then sued Visa for breach of contract, along with five other causes of action. In its breach of contract claim, Sally Beauty argued that Visa had breached its contract with Fifth Third in four different, independently sufficient ways, including by imposing the GCAR assessment. Sally Beauty alleged that Visa's imposition of this GCAR assessment was a breach because the Visa Core Rules's liquidated damages provision was an unenforceable penalty. Visa counterclaimed for, among other things, fraud. Specifically, Visa alleged that in October 2014—between Sally Beauty's first and second hacks—Sally Beauty underwent a QSA evaluation and affirmed its compliance with PCI DSS protocols in a written attestation. Visa argued that this attestation—the standard AOC discussed above—intentionally or recklessly misrepresented Sally Beauty's then-current compliance status as well as the merchant's intent to remain in compliance, and Visa alleged that it had relied on this attestation to its detriment.

Sally Beauty raised six causes of action. The first four were asserted as assignee and subrogee of Fifth Third: (1) breach of contract; (2) breach of the implied covenant of good faith and fair dealing; (3) in the alternative, "money had and received or restitution/unjust enrichment"; and (4) unlawful, unfair, and fraudulent business practices in violation of California Business and Professional Code Section 17200. [Capitalization altered.] Sally Beauty asserted its other two causes of action directly against Visa: (1) "money had and received or restitution/unjust enrichment"; and (2) unlawful, unfair and fraudulent business practices in violation of California Business and Professional Code Section 17200. [Capitalization altered.]

The breach of contract portion of Sally Beauty's live petition stated four different breaches; it alleged that (1) for at least three different, independently sufficient reasons, "[t]he GCAR Liability Assessment was not authorized by the Visa Rules," i.e., Visa failed to follow the Visa Core Rules in its calculation and imposition of the GCAR assessment; and (2) "[t]he GCAR Liability Assessment, even if it was authorized by the Visa [Core] Rules ..., is unenforceable under applicable law because it constitutes a contractual penalty."

Visa also counterclaimed for negligence, and its counterclaim for fraud could be read to encompass a third cause of action for fraudulent concealment. The trial court disposed of all Visa's counterclaims, but only the fraud claim is challenged on appeal.

Before discovery even began, both parties moved for summary judgment. Sally Beauty moved for summary judgment on its breach of contract claim, and it agreed to waive its other claims if the trial court granted its motion. It also sought summary judgment dismissing Visa's counterclaims on the pleadings.

Even if the GCAR assessment is legally unenforceable, because the Visa Core Rules authorize the GCAR assessment, it is unclear why the collection of this assessment in accordance with the contract would constitute a breach of that contract. But Visa does not make this argument.

Visa, in turn, moved for partial summary judgment on Sally Beauty's affirmative claims. Regarding the breach of contract claim in particular, Visa targeted the breach element and challenged the four breaches alleged in Sally Beauty's petition. The trial court granted summary judgment for Sally Beauty on its breach of contract claim and on Visa's counterclaims. Although the trial court did not specify the basis for its judgment on Visa's counterclaims, it elaborated on its breach of contract judgment by expressly finding in Sally Beauty's favor on each of Sally Beauty's three independently sufficient arguments: "(1) the damages Visa seeks to recover are NOT valid liquidated damages; (2) the relevant contract provision was unreasonable under the circumstances existing at the time the contract was made; and (3) the terms of the GCAR Program itself along with the VISA Core Rules establish [that] these [a]ssessments are not liquidated damages." [Cleaned up.] See Tex. R. Civ. P. 166a(a)–(c). The trial court ordered Visa to pay Sally Beauty $14.3 million in actual damages, along with interest and court costs.

Visa attached three exhibits to its summary judgment motion: (1) an excerpt from the Visa Core Rules; (2) the PCI DSS investigator's report regarding Sally Beauty's hack; and (3) a copy of Paymentech, LLC v. Landry's Inc. , No. H-18-1622, 2020 WL 1671075 (S.D. Tex. Feb. 10, 2020). Sally Beauty moved to strike the investigator's report. The trial court did not rule on the motion to strike before it granted summary judgment.

Visa's motion for partial summary judgment sought to negate Sally Beauty's four alleged breaches by conclusively disproving them with evidence or by arguing that Sally Beauty had failed to state a claim.

The judgment ordered $14,344,740.36 in actual damages. It is not clear how the trial court arrived at this figure from the $14,294,740.36 GCAR assessment. Nor is it clear why the trial court's resolution of the liquidated damages issue necessitated Visa's return of the full amount of the assessment. Generally, when a liquidated damages provision is held to be an unenforceable penalty, the nonbreaching party (here, Visa) may still recover its actual damages. See Ridgley v. Topa Thrift & Loan Ass'n , 17 Cal.4th 970, 73 Cal.Rptr.2d 378, 953 P.2d 484, 488 (1998). Sally Beauty's motion for summary judgment did not address the damages element of its breach of contract claim. But Visa did not raise the issue before the trial court, and it does not raise it on appeal.

Visa appeals. II. Discussion

Visa challenges (1) the trial court's summary judgment on Sally Beauty's breach of contract claim, i.e., its determination that the GCAR liquidated damages clause is unenforceable; and (2) the trial court's summary judgment on Visa's fraud counterclaim, i.e., its implied findings that Visa lacked standing and failed to state a claim for fraud.

A. Contract Claim: Is the GCAR Liquidated Damages Clause Enforceable?

The parties agree that the GCAR assessment is a liquidated damages provision. Thus, the first and most significant issue in this case is whether the liquidated damages provision (the GCAR assessment) is enforceable or unenforceable. Visa argues that the liquidated damages provision is presumed valid under California law and that none of Sally Beauty's arguments invalidate it. Sally Beauty argues that the provision is not presumed valid and that, regardless, it is an unenforceable penalty because (1) the provision compensates Visa for harm sustained by third parties (i.e., issuers); (2) the provision does not extinguish Fifth Third's liability for the breach; and (3) the provision did not provide a reasonably certain estimate of damages because Visa could unilaterally change the Visa Core Rules—including the liquidated damages provision—at any time.

1. Standard of Review

The parties agree that California law governs Visa's contract with Fifth Third. Therefore, we apply California law to the substantive questions. See HealthTronics, Inc. v. Lisa Laser USA, Inc. , 382 S.W.3d 567, 577 (Tex. App.—Austin 2012, no pet.). But we apply Texas law to the procedural questions, including the standard of review. See In re Lisa Laser USA, Inc. , 310 S.W.3d 880, 883 n.2 (Tex. 2010) (orig. proceeding) ; Arkoma Basin Expl. Co. v. FMF Assocs. 1990-A, Ltd. , 249 S.W.3d 380, 387 & n.17 (Tex. 2008) ; HealthTronics , 382 S.W.3d at 577 ; Billman v. Mo. Pac. R.R. Co. , 825 S.W.2d 525, 526 (Tex. App.—Fort Worth 1992, writ denied).

In our review and application of California law, we do not cite or rely upon unpublished opinions from the California courts of appeals for the precedential value of those opinions. See Cal. R. Ct. 8.1115(a) (providing that, subject to exceptions not applicable here, "an opinion of a California Court of Appeal or superior court appellate division that is not certified for publication or ordered published must not be cited or relied on by a court or a party in any other action"); cf. also Tex. R. App. P. 47.7(a) (providing that unpublished opinions in criminal cases "have no precedential value"). Instead, we refer to such opinions for guidance regarding California courts’ application of settled law. See Cal. R. Ct. 8.1105(c) (providing the standards for publication and providing for publication when the opinion, for example, "[e]stablishes a new rule of law"; "[m]odifies, explains, or criticizes with reasons given, an existing rule of law"; or "[a]ddressses or creates an apparent conflict in the law").

Under Texas law, "[w]e review summary judgments de novo." BPX Operating Co. v. Strickhausen , 629 S.W.3d 189, 195 (Tex. 2021) ; Peterson, Goldman & Villani, Inc. v. Ancor Holdings, LP , 584 S.W.3d 556, 562 (Tex. App.—Fort Worth 2019, pet. denied). We will affirm if any of the theories advanced in support of the judgment are meritorious. Dow Chem. Co. v. Francis , 46 S.W.3d 237, 242 (Tex. 2001). But "[w]hether a contractual provision is an enforceable liquidated damages provision or an unenforceable penalty is a question of law for the court to decide." Phillips v. Phillips , 820 S.W.2d 785, 788 (Tex. 1991).

2. Presumption of Validity

In California, a liquidated damages provision in a commercial contract enjoys a statutory presumption of validity: "[A] provision in a [commercial] contract liquidating the damages for the breach of the contract is valid unless the party seeking to invalidate the provision establishes that the provision was unreasonable under the circumstances existing at the time the contract was made." Cal. Civ. Code § 1671(b) ; see El Centro Mall , 94 Cal. Rptr. 3d at 46. This presumption of validity is intended to give the contracting parties "considerable leeway in determining the damages for breach"; the liquidated damages provision need only "represent the result of a reasonable endeavor ... to estimate a fair average compensation for any loss that may be sustained." Cal. Civ. Code § 1671(b) note (Law Revision Commission comments to 1977 amendment, subsection (b)); Ridgley , 73 Cal.Rptr.2d 378, 953 P.2d at 488 (quoting Garrett , 108 Cal.Rptr. 845, 511 P.2d at 1202 ).

California enacted this pro-liquidated damages statute in 1977, effective July 1, 1978. See Cal. Civ. Code § 1671 note (Law Revision Commission comments to 1977 amendment). Before then, liquidated damages were generally presumed to be invalid, and the proponent of a liquidated damages clause bore the burden to prove its enforceability. El Centro Mall, LLC v. Payless ShoeSource, Inc. , 174 Cal.App.4th 58, 94 Cal. Rptr. 3d 43, 46 (2009) ; Radisson Hotels Int'l, Inc. v. Majestic Towers, Inc. , 488 F. Supp. 2d 953, 958–59 (C.D. Cal. 2007) (order); see also Micrel, LLC v. Zinn , Nos. A157136, A158069, 2021 WL 1259561, at *2–3 (Cal. Ct. App. Apr. 6, 2021) (not designated for publication); Mission Linen Supply v. Carmel Country Inn, LLC , No. H039644, 2015 WL 920450, at *6 n.8 (Cal. Ct. App. Mar. 2, 2015) (not designated for publication). This is still the case for noncommercial liquidated damages; the 1977 amendment distinguished between commercial and noncommercial liquidated damages clauses, and it applied the presumption of validity only to the former. See Cal. Civ. Code § 1671(b), (c), (d). Consequently, cases that predate the 1977 amendment are not necessarily authoritative, nor are cases involving noncommercial contracts.
However, the California Supreme Court's landmark opinion in Ridgley muddied the analysis a bit by invalidating a commercial liquidated damages clause based on pre-1977 case law. See 73 Cal.Rptr.2d 378, 953 P.2d at 491 & n.5 (stating that "[n]othing in the 1977 legislation indicates an intent to abrogate Garrett ’s [pre-amendment] analysis"). But this retention of the old analysis may be partially due to the court's reliance on Civil Code Section 3275—a statute providing relief from contractual forfeitures—which the Ridgley court noted was "unchanged since 1872." Id. , 73 Cal.Rptr.2d 378, 953 P.2d at 487 (recognizing that "[t]he breaching party may raise section 3275 as an equitable defense to enforcement of the contractual provision or as grounds for relief in an action for restitution of the property forfeited"); see Cal. Civ. Code § 3275. Sally Beauty does not cite or rely upon Section 3275.

Originally, the reasonable-endeavor standard referenced a "reasonable endeavor by the parties." Garrett v. Coast & S. Fed. Sav. & Loan Ass'n , 9 Cal.3d 731, 108 Cal.Rptr. 845, 511 P.2d 1197, 1202 (1973) ; see Ridgley , 73 Cal.Rptr.2d 378, 953 P.2d at 488 (quoting Garrett ). But the Law Revision Commission's report "did not state that the parties must make a reasonable endeavor to estimate actual damages. Instead, its report said that the liquidated damages provision ‘must reflect’ a reasonable endeavor to do so." Util. Consumers’ Action Network, Inc. v. AT&T Broadband of S. Cal., Inc. , 135 Cal.App.4th 1023, 37 Cal. Rptr. 3d 827, 832–33 (2006). The California Legislature adopted this report without change when it amended Section 1671 in 1977. Id. at 832. California courts have thus clarified that "the reasonable endeavor test does not require both parties to a form contract to expressly negotiate the amount of liquidated damages." Id. at 832–33, 837.

The Law Revision Commission prepared a 1976 report recommending a change to California's liquidated damages statute, and when the California Legislature amended Section 1671 in 1977, it adopted the Commission's report without change. Util. Consumers’ Action Network , 37 Cal. Rptr. 3d at 832 ; Guthman v. Moss , 150 Cal.App.3d 501, 198 Cal. Rptr. 54, 59 (1984). The Commission's comments are thus given "substantial weight" in interpreting Section 1671(b). See Util. Consumers’ Action Network , 37 Cal. Rptr. 3d at 832 ; Guthman , 198 Cal. Rptr. at 58–59.

The party seeking to invalidate the liquidated damages provision must prove that it is an unreasonable penalty, i.e., that it "bears no reasonable relationship to the range of actual damages that the parties could have anticipated would flow from a breach." Ridgley , 73 Cal.Rptr.2d 378, 953 P.2d at 488. The California Supreme Court has described a penalty as a provision that "operates to compel performance of an act" by requiring a forfeiture upon default "without regard to the damages sustained by the party aggrieved by the breach." Id. In short, "[a]n amount disproportionate to the anticipated damages is termed a ‘penalty.’ " Id. (alteration in original) (quoting Perdue v. Crocker Nat'l Bank , 38 Cal.3d 913, 216 Cal.Rptr. 345, 702 P.2d 503, 515 (1985) ).

Generally, California cases invalidating commercial liquidated damages clauses as penalties have done so because the amount of liquidated damages—often a single flat rate for any of a number of breaches—is significantly larger than the damages the parties anticipated would flow from the precise breach at issue. See, e.g., Grand Prospect Partners, L.P. v. Ross Dress for Less, Inc. , 232 Cal.App.4th 1332, 182 Cal. Rptr. 3d 235, 261 (2015) (relying on factfinding that "no harm was anticipated" and holding that "there was no reasonable relationship" between the liquidated damages and the anticipated harm); Purcell v. Schweitzer , 224 Cal.App.4th 969, 169 Cal. Rptr. 3d 90, 95–96 (2014) (holding that liquidated damages "bore no reasonable relationship to the damages that ... could be expected"); Dollar Tree Stores Inc. v. Toyama Partners LLC , 875 F. Supp. 2d 1058, 1072–73 (N.D. Cal. 2012) (order) (holding liquidated damages clause unenforceable because "it impose[d] the same $2,500 penalty for at least nine different types of breach of varying degrees of magnitude, and because it impose[d] that penalty indefinitely"); see also Marinakis v. Dias , No. A146458, 2016 WL 5940911, at *3 (Cal. Ct. App. Oct. 13, 2016) (not designated for publication) (holding liquidated damages "bore no reasonable relationship" to the amount at issue); Smith v. Royal Mfg. Co. , 185 Cal.App.2d 315, 8 Cal. Rptr. 417, 423 (1960) (stating, in pre-amendment case, that "[w]here a fixed sum is agreed upon as liquidated damages for one of several breaches of varying degree, it is to be inferred that a penalty was intended"); Genesco, Inc. v. Visa U.S.A. Inc. , No. 3:13CV202, 2013 WL 3790647, at *21–23 (M.D. Tenn. July 18, 2013) (mem. op.) (applying California law and citing Dollar Tree for the rule that liquidated damages are unenforceable "where a commercial contract sets the same fixed sums for various types of breaches of the contract for delivery of good[s] under a contract").

"The validity of the liquidated damages provision depends upon its reasonableness at the time the contract was made and not as it appears in retrospect"; consequently, "the amount of damages actually suffered has no bearing on the validity of the liquidated damages provision." Cal. Civ. Code § 1671 note (Law Revision Commission comments to 1977 amendment, subsection (b)); see Krechuniak v. Noorzoy , 11 Cal.App.5th 713, 217 Cal. Rptr. 3d 740, 747 (2017) (quoting Commission's comments and recognizing that they are "entitled to great weight"); Util. Consumers’ Action Network , 37 Cal. Rptr. 3d at 832 (similar); Guthman , 198 Cal. Rptr. at 58–59 (similar); see also El Centro Mall , 94 Cal. Rptr. 3d at 46–47 (quoting Commission's comments as part of applicable law).

When determining if a liquidated damages clause is a penalty, some California courts cite the following list of nonexhaustive factors: (1) the relative equality of the bargaining power, (2) whether the parties were represented by lawyers at the time the contract was made, (3) the anticipation of the parties that proof of actual damages would be costly or inconvenient, (4) the difficulty of proving causation and foreseeability, and (5) whether the liquidated damages provision is included in a form contract. El Centro Mall , 94 Cal. Rptr. 3d at 46–47. These factors are contained in the statutory comments to Section 1671. Cal. Civ. Code § 1671 note (Law Revision Commission comments to 1977 amendment, subsection (b)). However, some California courts ignore these factors. Cf., e.g., Ridgley , 73 Cal.Rptr.2d 378, 953 P.2d at 491 n.5 (rejecting argument that "a different set of rules must apply because this was an ‘arms-length commercial transaction’ "). Regardless, neither Visa nor Sally Beauty list or rely upon this set of factors, apart from Visa's references to the "sophisticated" nature of the parties.

Here then, we presume that the GCAR assessment is valid and enforceable unless Sally Beauty proves otherwise. Cf. Cal. Civ. Code § 1643 ("A contract must receive such an interpretation as will make it lawful, operative, definite, reasonable, and capable of being carried into effect, if it can be done without violating the intention of the parties.").

3. Sally Beauty's Arguments

Sally Beauty argues that the GCAR assessment is an unenforceable penalty for three reasons: (1) it compensates Visa for losses incurred by third parties—namely, the issuers—and thus bears no reasonable relationship to Visa's recoverable damages; (2) it fails to extinguish Fifth Third's liability for the breach; and (3) it does not provide a reasonably certain estimate of damages because Visa retained the discretion to unilaterally alter the GCAR program. There is no on-point, controlling California precedent addressing these three arguments in the credit-card context. But based on analogous case law, Sally Beauty's arguments are unpersuasive.

Notably, none of Sally Beauty's arguments implicate California's traditional penalty analysis, i.e., determining whether the amount of liquidated damages "bears [a] reasonable relationship to the range of actual damages that the parties could have anticipated would flow from a breach." See Ridgley , 73 Cal.Rptr.2d 378, 953 P.2d at 488. Although Sally Beauty attempts to frame its first argument in terms of the traditional penalty analysis—claiming that the GCAR assessment is disproportionate to Visa's anticipated damages—Sally Beauty's argument does not actually turn on proportionality; it turns on whether Visa could recover for the issuers’ damages at all.

Although each party points to a specific case that it claims is on point—Visa to Paymentech v. Landry's and Sally Beauty to Genesco, Inc. v. Visa U.S.A. Inc. —these cases are distinguishable.
In Paymentech , Chase Bank sued Landry's to recover the assessments it had paid to Visa and Mastercard for Landry's hack. 2020 WL 1671075, at *1. Landry's was required to indemnify Chase under the parties’ contract, but Landry's claimed that indemnification was not warranted because the payment brands’ assessments were invalid penalties. Id. The Southern District of Texas held that the assessments were valid. Id. Visa claims that Sally Beauty's three arguments were raised by Landry's in the motions that led to the summary judgment order, but Sally Beauty disputes this. Either way, the Paymentech court did not address the arguments in its opinion. Id. And it is unclear whether the court relied on California law for its analysis. Id. This precedent is not on point.
And the other Paymentech decisions are even less relevant to the three arguments presented here. See Paymentech, LLC v. Landry's Inc. , No. H-18-1622, 2021 WL 1856553, at *1–2 (S.D. Tex. May 10, 2021) (discussing admissibility of expert report and whether Landry's breached its contract with Chase), appeal dismissed sub nom. Paymentech, L.L.C. v. Landry's Inc. , No. 21-20259, 2021 WL 5544928 (5th Cir. June 25, 2021) (per curiam); Paymentech, LLC v. Landry's Inc. , No. H-I8-I622, 2021 WL 5154788, at *1 (S.D. Tex. Feb. 12, 2021) (dismissing Landry's breach of contract claims against Visa and Mastercard due to lack of standing); see also Landry's , 4 F.4th at 368–72 (addressing Landry's insurer's duty to defend).
Sally Beauty, in turn, highlights Genesco in its brief. 2013 WL 3790647, at *1–23. In that case, Genesco experienced a data hack, and it indemnified Wells Fargo and Fifth Third for Visa's hack-related noncompliance fees and GCAR assessments. Id. at *1. Genesco then sued Visa as indemnitee and subrogee of Fifth Third and Wells Fargo, pleading many of the same claims Sally Beauty had pleaded below—including a violation of California Business and Professional Code Section 17200 and common law claims of unjust enrichment and restitution. Id. Visa moved to dismiss Genesco's Section 17200 claim and its common law claims, but the trial court denied the motion, holding that "Genesco's complaint state[d] viable and plausible [statutory] and common law claims under California law." Id. at *1–2, *23. None of the reasons the court gave for its decision are relevant to the three liquidated damages arguments presented here. Id. at *17–23 Genesco thus did not involve the same questions, standards of review, or causes of action.

a. Compensation for Damages to Third Parties

First, Sally Beauty argues that the GCAR assessment is a penalty because it is not proportional to Visa's own damages but instead compensates Visa for the issuers’ damages. In its motion for summary judgment, Sally Beauty claimed that under "basic" contract law, a party cannot recover for the losses of another, and "[a] provision that compensates a party to a contract for alleged damages to a stranger to the contract resulting from a breach could never be a reasonable estimate of the nonbreaching party's damages." But this creative framing of the issue hides the ball.

Sally Beauty does not argue that the GCAR assessment is disproportionate to the issuers’ anticipated injuries stemming from a hack.

In its motion for summary judgment, Sally Beauty emphasized that the issuing banks were not third-party beneficiaries (something Visa does not dispute). See In re TJX Cos. Retail Sec. Breach Litig. , 564 F.3d 489, 499 (1st Cir. 2009) (op. on reh'g) (holding issuer was not a third-party beneficiary to Visa's contract with Fifth Third). But the fact that the issuers are not third-party beneficiaries means that they cannot enforce the contract—which they are not attempting to do in the case before us. Sally Beauty has not cited any case law indicating that a party to a contract can recover consequential damages paid to nonparties only if those nonparties are third-party beneficiaries. And on appeal, Sally Beauty does not discuss the relevance of third-party beneficiary status at all; it merely references third-party beneficiaries in the headings of its brief.

A nonbreaching party can recover for foreseeable third-party damages resulting from a breach if the nonbreaching party is liable for the third party's damages and if the breaching party knew of the liability at the time the contract was executed. See Lewis Jorge Constr. Mgmt., Inc. v. Pomona Unified Sch. Dist. , 34 Cal.4th 960, 22 Cal.Rptr.3d 340, 102 P.3d 257, 261–62 (2004) (discussing recovery of special damages); D. A. Parrish & Sons v. Cnty. Sanitation Dist. No. 4 of Santa Clara Cnty. , 174 Cal.App.2d 406, 344 P.2d 883, 888 (1959) ("[Respondent] claimed damages against appellant on the theory that appellant's breach of contract resulted in [respondent] incurring liability to its subcontractors.... [So] to the extent respondent was liable to them, appellant was liable to respondent."). In fact, recovery for damages paid to a third party is common—particularly when, as here, the parties are participants in a multi-layered project or system, such as in "large construction projects with layers of contractors, subcontractors, sub-subcontractors, and so on." Cmty. Bank of Trenton , 887 F.3d at 815 (recognizing that the payment-card network is analogous to a large construction project). Such recovery can take the form of an indemnity agreement, see, e.g. , Cal. Civ. Code § 2772 ; Prince v. Pac. Gas & Elec. Co. , 45 Cal.4th 1151, 90 Cal.Rptr.3d 732, 202 P.3d 1115, 1119 (2009) (discussing contractual indemnity and equitable indemnity), it can appear as a pass-through claim in the public-works context, see, e.g., Howard Contracting, Inc. v. G.A. MacDonald Constr. Co. , 71 Cal.App.4th 38, 83 Cal. Rptr. 2d 590, 602 (1998), as modified (Jan. 20, 1999), or it can appear as an element of special damages recoverable under the traditional Hadley v. Baxendale rule—the rule that governs contract damages in the absence of an agreement to the contrary. See Lewis Jorge Constr. Mgmt. , 22 Cal.Rptr.3d 340, 102 P.3d at 261–62 ; Hadley v. Baxendale (1854) 9 Exch. 341, 354–55, 156 Eng. Rep. 145, 151.

Sally Beauty cites numerous cases, claiming that a party cannot recover for damages to nonparties, but these cases hold no such thing. See Bondanza v. Peninsula Hosp. & Med. Ctr. , 23 Cal.3d 260, 152 Cal.Rptr. 446, 590 P.2d 22, 25–27 (1979) (discussing pre-amendment consumer contract and holding that debt-collection charge was penalty where the patient–consumers agreed only to an unspecified "reasonable" fee and the hospital and debt-collecting organizations did not attempt to carry their burden to show that fixing the actual collection cost was impracticable); Dyer Bros. Golden W. Iron Works v. Cent. Iron Works , 182 Cal. 588, 189 P. 445, 446–47 (1920) (reversing trial court order that had sustained defendants’ demurrers where plaintiff sought to enforce liquidated damages provision and pleaded that it had been impracticable to fix the parties’ damages, undermining defendants’ demurrer argument that the provision was an unenforceable penalty); Grand Prospect Partners , 182 Cal. Rptr. 3d at 259–61 (holding that contractual provision was a penalty based on factfinding that merchant anticipated no damages from breach with no mention of third-party liability).

Visa cites cases involving governmental entities (recovering for harm to the public) and cooperative marketing associations (recovering for harm to their members) as examples of the courts’ willingness to award damages for harm to third parties. But these entities were awarded damages for harm inflicted on those they represented. Visa does not represent the public or the issuing banks; as Sally Beauty points out, Visa is a publicly traded company that represents its shareholders. The cases involving governmental entities and marketing associations are thus distinguishable.

In the publicworks context, California law not only authorizes third-party damages but also allows a general contractor to assert a subcontractor's claims against the owner on a pass-through basis. Sehulster Tunnels/Pre-Con v. Traylor Bros., Inc./Obayashi Corp. , 111 Cal.App.4th 1328, 4 Cal. Rptr. 3d 655, 672–73 (2003) ; see Howard Contracting , 83 Cal. Rptr. 2d at 602. But it is unclear whether pass-through claims are available when the government is not involved. Compare Glass Strand Inc. v. Vincula Int'l, Ltd. , No. E051433, 2011 WL 4501043, at *4 (Cal. Ct. App. Sept. 29, 2011) (not designated for publication) (distinguishing public-works context), and Superior Gunite v. Ralph Mitzel Inc. , 117 Cal.App.4th 301, 12 Cal. Rptr. 3d 423, 433 n.8 (2004) (declining to address whether pass-through claims could be asserted against a private party), with Hathaway Dinwiddie Constr. Co. v. United Air Lines, Inc. , 50 F. App'x 817, 820–21, 823–24 (9th Cir. 2002) (allowing pass-through claims against private party), and Preston Pipelines, Inc. v. JCW-Cypress Home Grp. , No. C046055, 2006 WL 1119161, at *14 (Cal. Ct. App. Apr. 28, 2006) (not designated for publication) (citing Howard and implying that general contractor could pursue subcontractor's claims against private owner on a pass-through basis).

Under the Hadley rule—which, again, governs when a party seeks to prove its actual breach of contract damages in court—the nonbreaching party can recover breach of contract damages for "all the detriment proximately caused [by the breach], or which, in the ordinary course of things, would be likely to result therefrom." Cal. Civ. Code § 3300 ; see Lewis Jorge Constr. Mgmt. , 22 Cal.Rptr.3d 340, 102 P.3d at 262 (noting that the Hadley rule has been incorporated into Section 3300 ). The California Supreme Court has recognized that the Hadley rule authorizes not only general, direct damages but also special, consequential damages "for unusual losses arising from special circumstances" of which the nonbreaching party was aware. Lewis Jorge Constr. Mgmt. , 22 Cal.Rptr.3d 340, 102 P.3d at 261–62. In other words, if the breaching party knew that its breach would "resul[t] in claims by third persons against the injured party," then the breaching party "is liable for the amount of any judgment against the injured party"—even if the judgment "is based on a liquidated damage clause in the injured party's contract with the third party." Restatement (Second) of Contracts § 351 cmt. c (Am. L. Inst. 1981). The Hadley rule dates back to 1854, and it is as widespread as it is longstanding; Texas follows the same rule, as does the Restatement (Second) of Contracts. See Basic Cap. Mgmt., Inc. v. Dynex Com., Inc. , 348 S.W.3d 894, 901–02 (Tex. 2011) (recognizing Restatement (Second) of Contracts Section 351 as a reiteration of the Hadley rule); Lewis Jorge Constr. Mgmt. , 22 Cal.Rptr.3d 340, 102 P.3d at 262 ; Restatement (Second) of Contracts § 351 ; see also 25 C.J.S. Damages § 33 (2021).

Indeed, when there are layers of liability—such as in the construction context—the Texas Supreme Court has encouraged the parties to incorporate third-party damages into their contracts with one another rather than resorting to tort claims:

[W]e think the contractor's principal reliance must be on the presentation of the plans by the owner, with whom the contractor is to reach an agreement, not the architect, a contractual stranger.

....

.... [I]f the architect is contractually liable to the owner for defects in the plans, and the owner in turn has the same liability to the contractor, the contractor is protected.

LAN/STV v. Martin K. Eby Constr. Co. , 435 S.W.3d 234, 237–50 (Tex. 2014) (applying economic loss rule and holding that contractor could not recover from architect in tort when contractor was unsatisfied with the contract damages he recovered indirectly through the owner). The GCAR program's layered-liability approach is precisely what the supreme court recommended.

Generally, when analyzing whether special third-party damages are recoverable under Hadley , California courts have focused on foreseeability and timing; the fact that the special damages will indirectly compensate a third party is a non-issue. See, e.g., Pac. Pine Lumber Co. v. W.U. Tel. Co. , 123 Cal. 428, 56 P. 103, 105 (1898) (focusing on premature timing and holding that plaintiff could recover only for third-party liability caused by defendant's actions after plaintiff paid the claim); Green Wood Indus. Co. v. Forceman Int'l. Dev. Grp., Inc. , 156 Cal.App.4th 766, 67 Cal. Rptr. 3d 624, 632–34 (2007) (focusing on premature timing and holding that the plaintiff had not shown with sufficient certainty that it would be forced to pay the third-party damages at issue); Morgan v. Tzung , 228 Cal.App.3d 47, 278 Cal. Rptr. 221, 224–26 (1991) (not designated for publication) (recognizing that nonbreaching party's tax liability qualified as special damages under Civil Code Section 3300, Restatement (Second) of Contracts Section 351, and the Hadley rule, but prohibiting recovery because breaching party was not aware of circumstances making special damages foreseeable); see also Ely v. Bottini , 179 Cal.App.2d 287, 3 Cal. Rptr. 756, 761–63 (1960) (holding that subcontractor who caused delay was liable for delay-related damages that general contractor was contractually obligated to pay the owner).

Here, the Visa Core Rules govern both foreseeability and timing. The Visa Core Rules demonstrate that Fifth Third knew that PCI DSS noncompliance could facilitate a hack, it knew that a hack would cause fraud-related issuer expenses, and it knew that Visa would be contractually obligated to reimburse a portion of those issuer expenses based on the GCAR formula. With this knowledge, Fifth Third contractually agreed to compensate Visa for the issuer reimbursements, and Fifth Third contractually agreed to the timing of this compensation. Although the GCAR assessment arguably liquidated Visa's liability before it could have recovered in the absence of such a provision, Sally Beauty does not raise that argument. Rather, Sally Beauty argues that, as a matter of law, Visa could never recover for the issuers’ injuries because the issuers are third parties, and thus the GCAR assessment "does not even purport to calculate any [hack]-related injury incurred by Visa." This is simply not the case.

The issuers are required to pay a predefined percentage of their GCAR recovery to Visa for GCAR program-administration costs. However, Sally Beauty overlooks the administration fee entirely and alleges that the GCAR assessment "does not even purport to calculate any [i]ntrusion-related injury incurred by Visa."

The GCAR assessment is designed to compensate Visa for the issuer reimbursements before Visa actually pays the reimbursements. But some California courts have required actual payment of a third-party liability as a prerequisite to recovery. See Pac. Pine Lumber , 56 P. at 105 ; Green Wood Indus. , 67 Cal. Rptr. 3d at 632–34 ; see also Shahram Holdings, Inc. v. Env't. Geotech. Lab., Inc. , No. B220201, 2011 WL 1368542, at *3–5 (Cal. Ct. App. Apr. 12, 2011) (not designated for publication); O.E.I. Int'l, Inc. v. Yong Ming Int'l Grp., Inc. , No. B201960, 2008 WL 2908077, at *2 (Cal. Ct. App. July 30, 2008) (not designated for publication); 23 Cal. Jur. 3d Damages § 24 (2021). "This is because the fact of damage is inherently uncertain in such circumstances"; "the existence of a mere liability is not necessarily the equivalent of actual damage." Green Wood Indus. , 67 Cal. Rptr. 3d at 633 ; see also Walker v. Pac. Indem. Co. , 183 Cal.App.2d 513, 6 Cal. Rptr. 924, 927 (1960). Here though, Sally Beauty does not argue that Visa's recovery was premature. Cf. Kelley v. Upshaw , 39 Cal.2d 179, 246 P.2d 23, 27 (1952) ("The rule has long been settled that the defense that an action is premature is in the nature of a dilatory plea not favored in the law, and that such defense must be seasonably urged in the trial court or it is waived."). And Visa has indicated that it "already fulfilled its obligation to pass along the [a]ssessment to issuers," rendering the issue moot.
More to the point, the actual-payment requirement governs damage awards in the absence of a contractual provision to the contrary. Nothing prevents a private party from agreeing to compensate (and effectively indemnify) another for the latter's liability to a third party. See Cal. Civ. Code § 2772 (defining indemnity), § 2778 (providing rules of interpretation for indemnity contracts).

In a single sentence in its brief, Sally Beauty notes that "[i]f Visa concludes it is unable or not in the best interests of the Visa system as a whole to assess or collect an assessment under GCAR for any reason, issuers shall have no right to any GCAR recovery amounts." But this provision merely relieves Visa of liability for the GCAR assessment if it is unable or unwilling to recover the assessment from the acquirer. Although Visa's liability is "contingent on Visa's ability to collect the calculated assessment from the responsible [a]cquirer(s)," it nonetheless exists. Cf., e.g., Hathaway Dinwiddie Const. , 50 F. App'x at 820–21 (recognizing that general contractor could pursue claims against appellee on behalf of subcontractors based on contingent obligation to bring subcontractors’ claims if general contractor brought its own); Interstate Contracting Corp. v. City of Dall. , 135 S.W.3d 605, 619 (Tex. 2004) (recognizing pass-through claims in construction context and stating that "[c]onditional liability as expressed in a subcontract ... is sufficient to prove liability, even when the agreement provides that the contractor has no obligation to pay the subcontractor unless and until it recovers from the owner"). Sally Beauty has not explained why this contingency would relieve Fifth Third (and thus Sally Beauty) of liability to Visa.

Sally Beauty claims that Visa "admits it suffered no harm." This is not accurate. Nonetheless, it is undisputed that the GCAR assessment is intended to remedy the issuers’ harm rather than Visa's.

While California's liquidated damages statute prohibits unreasonable penalties that have "no reasonable relationship to the range of actual damages that the parties could have anticipated," Ridgley , 73 Cal.Rptr.2d 378, 953 P.2d at 488, it does not prohibit the parties from liquidating the special damages that one of them owes to a third party. See Cal. Civ. Code § 1671(b) (Law Revision Commission comments to 1977 amendment, subsection (b)). Sally Beauty does not appear to dispute that the GCAR assessment bears a reasonable relationship to the damages that Visa anticipated paying to the issuers as a result of Fifth Third's breach. See Ridgley , 73 Cal.Rptr.2d 378, 953 P.2d at 488. We therefore reject Sally Beauty's first argument.

b. Failure to Extinguish Liability

In its second argument, Sally Beauty claims that the GCAR assessment is a penalty because it does not extinguish all of Fifth Third's liability for the breach—either to the issuers or to Visa. Regarding the issuers, Sally Beauty argues that the assessment does not limit an issuer's right to sue for the same breach. And as to Visa, Sally Beauty points to two other liquidated damages provisions in the Visa Core Rules—a noncooperation fee and a noncompliance fee—which Sally Beauty claims Visa could use to seek duplicative compensation for the same breach. Although Visa claims that these provisions address different injuries, Sally Beauty argues that California law prohibits multiple recoveries for a single breach, even if the recoveries compensate for distinct injuries. Sally Beauty thus argues that a liquidated damages clause is required to "represent the total extent of liability for a contract breach" and that because the GCAR assessment does not do so, the assessment is unreasonable. But Sally Beauty's argument was not fully preserved, it is entirely hypothetical, and it is based on an incorrect understanding of California law.

Under the Visa Core Rules, the noncompliance assessments are "in addition to enforcement rights available to Visa under other provisions of the Visa [Core] Rules, or through other legal or administrative procedures."

First, Sally Beauty did not preserve this ground as to the issuers. Sally Beauty's motion for summary judgment claimed that the GCAR assessment was required to extinguish Fifth Third's liability to Visa ; it did not mention Fifth Third's liability to the issuers. See Rex Performance Prods., LLC v. Tate , No. 02-20-00009-CV, 2020 WL 7776795, at *10 (Tex. App.—Fort Worth Dec. 31, 2020, pet. denied) (mem. op.) ("It is fundamental that a motion for summary judgment must stand or fall on the grounds it specifically and expressly sets forth.").

Second, even if it had fully preserved its argument, Sally Beauty's double-recovery argument is hypothetical—both as to the issuers and as to Visa. Sally Beauty does not claim that Visa used the GCAR assessment to compensate issuers that had previously recovered from Fifth Third, nor does Sally Beauty argue that any issuers have successfully recovered from Fifth Third in the time since. If, at some point in the future, the issuers seek compensation from Fifth Third for the same damages covered by the GCAR assessment, the relevant court can consider the issuers’ legal claims and determine whether any double-recovery principles should be applied (e.g., whether Fifth Third is entitled to a credit). Cf. Patterson v. Planned Parenthood of Hous. & Se. Tex., Inc. , 971 S.W.2d 439, 443 (Tex. 1998) ("[W]aiting for cases’ timely factual development is also essential to the proper development of the state's jurisprudence. Litigation based upon hypothetical possibility rather than concrete fact is apt to be poor litigation." (internal citations and quotation marks omitted)). Right now, Sally Beauty asks us to prohibit the issuers from recovering anything based on the hypothetical risk that they might seek impermissibly duplicative damages in the future. There is no legal or logical support for this request. See Fein v. Permanente Med. Grp. , 38 Cal.3d 137, 211 Cal.Rptr. 368, 695 P.2d 665, 676–77 (1985) ("Contrary to defendant's contention, plaintiff's recovery of such future lost wages will not inevitably subject defendant to a ‘double payment’ in the event plaintiff's heirs bring a wrongful death action at some point in the future.... [Rather,] an appropriate set-off may be made in the later wrongful death action."); Overly v. Ingalls Shipbuilding, Inc. , 74 Cal.App.4th 164, 87 Cal. Rptr. 2d 626, 631 (1999) (relying on Fein and rejecting argument "that permitting the [plaintiffs] to recover future economic damages in this case will result in a double recovery because the same damages are currently being sought in a [third-party] wrongful death case"); Monster Film Ltd. v. Martinen , No. 2:16-CV-01414-ODW, 2017 WL 8220213, at *3 (C.D. Cal. Mar. 3, 2017) (order denying defendant's motion to dismiss) (rejecting argument that future breach of contract damages might duplicate conversion damages at issue because "the bar against double recovery for the same harm is settled law" and the future court could "account for any recovery that [plaintiff] obtains in this action").

It seems unlikely that the issuers will sue Fifth Third in the future given the applicable statute of limitations, the economic loss rule, and the fact that the issuers are not third-party beneficiaries of Visa's contract with Fifth Third. See, e.g. , Cal. Civ. Proc. Code § 337 (providing four-year statute of limitations for breach of contract); Tex. Civ. Prac. & Rem. Code Ann. § 16.051 (providing four-year residual statute of limitations applicable to most breaches of contract); see Cmty. Bank of Trenton , 887 F.3d at 811–21, 826 (declining to recognize issuing banks’ tort claims against hacked merchant because "the claimed conduct and losses are subject to [Visa's and MasterCard's] networks of contracts," and recognizing that the First and Third Circuits had held similarly); TJX , 564 F.3d at 498–99 (applying economic loss rule to bar issuers’ negligence claim against hacked merchant and Fifth Third). Amici have highlighted several additional obstacles to such a lawsuit, including the difficulty of determining and proving—on an account-by-account basis—that a specific data breach resulted in the actual theft of a given customer's exposed credit-card information. Although such considerations do nothing to change the terms of the contract at issue, they nonetheless diminish the likelihood of the hypothetical double recovery that Sally Beauty anticipates.

Similarly, Sally Beauty's arguments regarding Visa are purely hypothetical. Sally Beauty does not claim that Visa actually imposed the allegedly duplicative noncooperation and noncompliance fees. Again, if at some point in the future Visa seeks duplicative damages from Fifth Third, any relevant double-recovery principles may be considered at that time. But Visa is not prohibited from recovering its issuer reimbursements based on a hypothetical risk that Visa might impose impermissible fees in the future. See Keshbaf Knitting, Inc. v. Shoshani , No. B204935, 2008 WL 5394985, at *5 (Cal. Ct. App. Nov. 24, 2008) (not designated for publication) (holding liquidated damages clause was not a penalty and rejecting hypothetical: "[appellant] poses an interesting hypothetical, but it is nothing more.... [appellant] cites no authority that compels us to ignore the actual circumstances of the case, as opposed to a hypothetical, in determining whether there has been an unlawful forfeiture"); see also Bose Corp. v. Ejaz , 732 F.3d 17, 25 (1st Cir. 2013) ("[A] hypothetical larger range, separated from the actual facts and the amount sought, does not make a clause unreasonable. Rather, courts examine for reasonableness the amount of liquidated damages actually sought."); In re Premier Golf Props., LP , 564 B.R. 660, 696–700 (Bankr. S.D. Cal. 2016) (holding that liquidated damages clause was not a penalty and rejecting hypothetical: "[T]he court need not decide what remedies Claimant hypothetically possessed for, say, Debtor's removing a bar stool. The relevant default here is the failure to pay the delinquent property taxes.").

The parties’ briefs reference the $25,000 noncompliance fee that Visa imposed on Vantiv—Fifth Third's payment processer. Visa's contract with Vantiv is not before this court, nor are we asked to determine the validity of this assessment.

Third, Sally Beauty is wrong on the law. Sally Beauty argues that "if a contract purports to allow multiple recoveries for the same contract breach , then the liquidated damages provision is an unenforceable penalty regardless of whether the recoveries address different injuries. " But the California Supreme Court has explained that the rule against double recovery distinguishes between injuries rather than causes of action:

Regardless of the nature or number of legal theories advanced by the plaintiff, he is not entitled to more than a single recovery for each distinct item of compensable damage supported by the evidence....

....

In contrast, where separate items of compensable damage are shown by distinct and independent evidence, the plaintiff is entitled to recover the entire amount of his damages, whether that amount is expressed by the jury in a single verdict or multiple verdicts referring to different claims or legal theories.

Tavaglione v. Billings , 4 Cal.4th 1150, 17 Cal.Rptr.2d 608, 847 P.2d 574, 580 (1993). This is consistent with the law elsewhere in the nation; generally, "[a] provision for liquidated damages does not prevent the recovery of actual damages caused by events that are not covered by the liquidated damages clause unless the contract expressly precludes the recovery of damages other than those enumerated." 22 Am. Jur. 2d Damages § 539 ; see Palmco Corp. v. Am. Airlines, Inc. , 983 F.2d 681, 687 (5th Cir. 1993) (applying Texas law and holding that "[b]ecause [appellant's] liquidated and cover damages redressed different injuries, and thus were not duplicative, the magistrate judge erred in concluding that [appellant] was not entitled to receive both damage remedies").

Here, the two allegedly duplicative liquidated damage clauses that Sally Beauty points to—the noncooperation fee and the noncompliance fee—do not compensate Visa for its obligation to reimburse the issuers for fraud-related damages resulting from a hack. The noncooperation fee (1) compensates Visa for its own damage (rather than its obligation to pay the issuers), and (2) redresses a compromised entity's "refus[al] to allow a forensic investigation." And the noncompliance fee (1) compensates Visa for its own damage, and (2) redresses any breach of the Visa Core Rules, "regardless of the criminal attack, thus distinguishing it from the assessmen[t]." See Spec's Fam. Partners, Ltd. v. First Data Merch. Servs. LLC , 777 F. App'x 785, 789 (6th Cir. 2019) (rejecting argument that merchant's payment of noncompliance fee made it liable to indemnify acquirer for Visa's issuer-reimbursement assessment).

Moreover, to the extent that Sally Beauty condemns the GCAR program based on Visa's hypothetical ability to impose the allegedly overlapping noncompliance and noncooperation fees, its argument is undermined by one of its own cited cases: El Centro Mall, 94 Cal. Rptr. 3d at 44–48. In that case, Payless stopped operating before the end of its lease, and its landlord—El Centro Mall—assessed liquidated damages of 10 cents per square foot per day, totaling approximately $98,000. Id. at 44–46. The parties’ contract described the liquidated damages as "the minimum damages ... suffered ... including damages as a result of Landlord's failure to receive Percentage Rental [i.e., a percentage of Payless's monthly sales]." Id. at 45, 47. But the contract expressly authorized El Centro to recover these liquidated damages in addition to Payless's percentage-rental payments. Id. at 45. Plus, the contract included a separate formula to determine the amount of percentage rental due when the landlord terminated the lease based on the tenant's default. Id. at 47.

The court of appeals recognized that the percentage-rental formula rendered the liquidated damages provision an "unnecessary" and duplicative penalty "to the extent considered only as a basis for estimating percentage[-]rental damages." Id. But the challenged provision encompassed other damages as well; it included "the anticipated loss of the synergy, goodwill, and patronage Payless [would have] provide[d] by continuing to operate in the retail center." Id. at 47–48. Because the liquidated damages provision encompassed these other injuries and because Payless failed to carry its burden to prove that 10 cents per square foot "did not represent a reasonable estimate of the actual damages a retail center would suffer if a tenant like Payless ceased operations," the liquidated damages provision was enforceable. Id. at 48.

El Centro did not seek additional percentage-rental payments; it sought only the $98,000. El Centro Mall , 94 Cal. Rptr. 3d at 44–45. Thus, as here, the allegedly duplicative nature of the liquidated damages clause was purely hypothetical.

El Centro thus demonstrates that a liquidated damages provision is not invalidated by the mere existence of a second, partially overlapping damages provision. So even if the GCAR assessment did partially overlap with the noncompliance fee or the noncooperation fee by compensating for some of the same injuries, the mere existence of such overlap would not invalidate the assessment. This is particularly applicable where, as here, Visa did not impose the noncompliance fee or the noncooperation fee on Fifth Third anyway. See also id. at 45 (noting that El Centro did not seek separate percentage-rental recovery).

Although Visa theoretically could have assessed this noncompliance fee against Fifth Third, it did not do so.

In sum, the GCAR assessment was intended to capture the damages that Visa was obligated to pay to issuing banks, and the assessment was not required to extinguish Fifth Third's liability for other items of compensable damages. We need not consider what hypothetically impermissible amounts Visa or the issuers might pursue in the future. Sally Beauty's second argument is unconvincing.

c. Visa's Discretion to Modify the Visa Core Rules

In Sally Beauty's third and final liquidated damages argument, it claims that the GCAR assessment is a penalty because Visa retained the discretion to unilaterally change the GCAR program—or anything else in the Visa Core Rules. Therefore, Sally Beauty contends that the assessment did not provide a reasonably certain estimate of the anticipated damages.

Sally Beauty does not claim that Visa actually exercised this discretion. And it is unclear why the mere existence of Visa's unexercised discretion to alter the liquidated damages provision would render the agreed-upon provision disproportional to the "range of actual damages that the parties could have anticipated would flow from a breach." See Ridgley , 73 Cal.Rptr.2d 378, 953 P.2d at 488.

To the extent that Sally Beauty urges us to consider what the liquidated damages would have been if Visa had exercised its discretion, the argument is entirely hypothetical. Cf. Patterson , 971 S.W.2d at 443.

Contributing to this confusion, Sally Beauty claims that a liquidated damages provision constitutes a disproportionate penalty if it is not "fixed and certain." But the "fixed and certain" language that Sally Beauty quotes comes into play when a court is determining whether a contractual provision qualifies as liquidated damages subject to Section 1671 at all—something Sally Beauty has already conceded. Ruwe v. Cellco P'ship , 613 F. Supp. 2d 1191, 1196–99 (N.D. Cal. 2009) (order denying defendant's motion to dismiss) (holding that plaintiffs pleaded facts showing that the contract provision was sufficiently "fixed and certain" to constitute a liquidated damages clause, thus subjecting the provision to Section 1671 and allowing plaintiffs’ penalty claim to escape a motion to dismiss); see also Free Range Content, Inc. v. Google Inc. , No. 14-CV-02329-BLF, 2016 WL 2902332, at *10–11 (N.D. Cal. May 13, 2016) (order granting in part and denying in part motion to dismiss) (analyzing whether "the withheld sum is insufficiently certain for the Challenged Terms to constitute a liquidated damages provision," then after concluding that it was sufficiently certain, holding that whether the liquidated damages provision was a penalty under Section 1671(b) was a fact issue for the jury); ABI, Inc. v. City of Los Angeles , 153 Cal.App.3d 669, 200 Cal. Rptr. 563, 573 (1984) (using "reasonable certainty" language and analyzing whether a contract provision constituted liquidated damages and thus qualified for Section 1671 ’s "favorable treatment"). The parties agree that the GCAR program is a liquidated damages provision governed by Section 1671 ; they disagree regarding whether those liquidated damages constitute a penalty. So Sally Beauty has already implicitly conceded that the GCAR program is sufficiently "fixed and certain" to qualify as liquidated damages.

Instead, Sally Beauty appears to muddy the penalty issue with illusoriness—the general principle that provides that when a contract grants one party unbridled discretion, it is illusory because "the party having such discretion makes no real promise to pay or to perform." See Automatic Vending Co. v. Wisdom , 182 Cal.App.2d 354, 6 Cal. Rptr. 31, 33 (1960). An illusory contract lacks consideration or mutuality, but it is not necessarily a penalty as Sally Beauty contends. See Mattei v. Hopper , 51 Cal.2d 119, 330 P.2d 625, 626–29 (1958) (discussing enforceability of contract that conditioned one party's performance on its "satisfaction" and recognizing that "[w]hether these problems are couched in terms of mutuality of obligation or the illusory nature of a promise, the underlying issue is the same[:] consideration"); 24 Hour Fitness, Inc. v. Superior Ct. , 66 Cal.App.4th 1199, 78 Cal. Rptr. 2d 533, 541–42 (1998) (orig. proceeding) (rejecting former employee's argument that contract and arbitration clause lacked consideration or mutuality because former employer maintained the unilateral right to modify); Automatic Vending , 6 Cal. Rptr. at 33 (recognizing that a contract truly granting one party unbridled discretion lacks consideration).

Regardless, under California law, negating contracts through findings of illusoriness is not favored. So "[w]hen a party is given absolute discretion by express contract language, the courts will imply a covenant of good faith and fair dealing to limit that discretion in order to create a binding contract and avoid a finding that the promise is illusory." Hester v. Pub. Storage , 49 Cal.App.5th 668, 263 Cal. Rptr. 3d 299, 309 n.3 (2020) (quoting Storek & Storek, Inc. v. Citicorp Real Estate, Inc. , 100 Cal.App.4th 44, 122 Cal. Rptr. 2d 267, 278 (2002), and recognizing that a contract provision giving a defendant the "unqualified right to void the sale" is not facially invalid); see Casas v. Carmax Auto Superstores Cal. LLC , 224 Cal.App.4th 1233, 169 Cal. Rptr. 3d 96, 99 (2014) (holding that, "[u]nder California law, ... even a modification clause not providing for advance notice does not render an agreement illusory, because the agreement also contains an implied covenant of good faith and fair dealing"); Serpa v. Cal. Sur. Investigations, Inc. , 215 Cal.App.4th 695, 155 Cal. Rptr. 3d 506, 516 (2013) (holding that "the implied covenant of good faith and fair dealing limits the employer's authority to unilaterally modify the arbitration agreement and saves that agreement from being illusory and thus unconscionable"); 24 Hour Fitness , 78 Cal. Rptr. 2d at 541–42 (holding that former employer's "discretionary power to modify the terms of the personnel handbook in writing indisputably carrie[d] with it the duty to exercise that right fairly and in good faith," and, "[s]o construed, the modification provision does not render the contract illusory"). "The implied covenant of good faith prevents one contracting party from ‘unfairly frustrating the other party's right to receive the benefits of the agreement actually made.’ " Serpa , 155 Cal. Rptr. 3d at 514 (quoting Guz v. Bechtel Nat'l Inc. , 24 Cal.4th 317, 100 Cal.Rptr.2d 352, 8 P.3d 1089, 1110 (2000) ); see Storek & Storek , 122 Cal. Rptr. 2d at 276 (similar, recognizing that the covenant of good faith and fair dealing is implied in every contract). In other words, the implied good-faith-and-fair-dealing covenant sufficiently confines the promised performance to make it valid consideration. See Mattei , 330 P.2d at 627 (recognizing "that the promisor's duty to exercise his judgment in good faith is an adequate consideration to support the contract"); Storek & Storek , 122 Cal. Rptr. 2d at 281 ("The covenant of good faith is implied in order to set a limit on the promisor's ability to express dissatisfaction and thereby supply adequate consideration to support the contract.").

See also Ashbey v. Archstone Prop. Mgmt., Inc. , 612 F. App'x 430, 432 (9th Cir. 2015) (mem. op.) (applying California law and holding that "unilateral modification provisions ... are not substantively unconscionable because they are always subject to the limits ‘imposed by the covenant of good faith and fair dealing implied in every contract’ " (quoting Serpa , 155 Cal. Rptr.3d at 514 )); Apex Compounding Pharm., LLC v. eFax Corp. , No. LA CV16-05165 JAK (JPRX), 2018 WL 2589096, at *12 (C.D. Cal. Apr. 26, 2018) (order) (similar, quoting Ashbey ).

This implied covenant applies not only to save the contract as a whole but also to cabin individual provisions within the contract—such as conditions precedent, arbitration provisions, or provisions that give one party unfettered discretion to void a sale. See Mattei , 330 P.2d at 627 (citing cases in which discretion "dealt with performances to be received as parts of the agreed exchanges," and holding that the same good-faith covenant applied to conditions precedent; "the fact that ... [the discretionary aspect] w[as] not part of the performance to be rendered [wa]s not material"); Hester , 263 Cal. Rptr. 3d at 307, 309 n.3 (recognizing that contract provision giving seller unqualified right to void sale was not facially invalid and could be saved by implied covenant); 24 Hour Fitness , 78 Cal. Rptr. 2d at 541–42 (holding that former employer's discretion to modify terms of personnel handbook "carrie[d] with it the [implied] duty to exercise that right fairly and in good faith" and thus did not render illusory the arbitration clause within the handbook).

Here then, Visa's discretion to unilaterally modify the Visa Core Rules was restrained by the implied covenant of good faith and fair dealing; the discretion did not render Visa's contract with Fifth Third illusory. And to the extent that Sally Beauty argues that Visa could have used its discretion to impose a disproportionately high GCAR assessment, Sally Beauty's argument is again undermined by Visa's implied covenant of good faith and fair dealing. Visa—implicitly limited by this covenant—could not have exercised its discretion to impose a disproportionately high, penal GCAR assessment. Sally Beauty's third argument is invalid.

4. Conclusion

In sum, the GCAR assessment is presumed to be valid and enforceable, and Sally Beauty has not advanced any arguments that overcome this presumption by demonstrating that the assessment is a penalty. The assessment is not invalid because it estimates Visa's payments to the issuers, nor is it invalid because it captures only one aspect of Fifth Third's liability for the breach, nor because Visa had the discretion to unilaterally alter the contract. Sally Beauty has not shown that the GCAR assessment "b[ore] no reasonable relationship to the range of actual damages that the parties could have anticipated would flow from a breach." See Ridgley , 73 Cal.Rptr.2d 378, 953 P.2d at 488.

Because the GCAR assessment is presumed to be valid and enforceable, and because Sally Beauty has not advanced any arguments that overcome this presumption by demonstrating that the assessment is a penalty, the liquidated damages clause is enforceable. See Cal. Civ. Code § 1671(b). We sustain Visa's first issue and reverse the trial court's breach of contract judgment.

B. Fraud Counterclaim: Does Visa Have Standing, and Did It State a Claim?

In addition to granting summary judgment on Sally Beauty's breach of contract claim, the trial court also granted Sally Beauty's motion for summary judgment on Visa's fraud counterclaim. See Tex. R. Civ. P. 166a(b). Sally Beauty argued below, as it argues here, that Visa does not have standing to bring the fraud counterclaim and that even if it did, four of the six elements of Visa's pleaded fraud counterclaim fail as a matter of Texas law. See Tex. R. Civ. P. 166a(c).

It is unclear from the record whether Sally Beauty challenged Visa's standing in the trial court or whether Sally Beauty merely challenged Visa's satisfaction of the damages element of Visa's fraud counterclaim. But either way, "[s]ubject matter jurisdiction is an issue that may be raised for the first time on appeal; it may not be waived by the parties." Tex. Ass'n of Bus. v. Tex. Air Control Bd. , 852 S.W.2d 440, 445 (Tex. 1993).

We begin with the standing issue because it implicates our subject matter jurisdiction. Heckman v. Williamson Cnty. , 369 S.W.3d 137, 150–51 (Tex. 2012) ; Tex. Ass'n of Bus. v. Tex. Air Control Bd. , 852 S.W.2d 440, 443–45 (Tex. 1993).

1. Standing

Standing is a constitutional prerequisite to a court's subject matter jurisdiction over a plaintiff's claim. Heckman , 369 S.W.3d at 150 ; Tex. Ass'n of Bus. , 852 S.W.2d at 443–45 ; see Tex. Const. art. I, § 13 (requiring due course of law for "every person for an injury done him"). "In Texas, the standing doctrine requires a concrete injury to the plaintiff and a real controversy between the parties that will be resolved by the court." Meyers v. JDC/Firethorne, Ltd. , 548 S.W.3d 477, 484 (Tex. 2018) (quoting Heckman , 369 S.W.3d at 154 ).

Texas's standing doctrine parallels the federal doctrine for Article III standing. Heckman , 369 S.W.3d at 154.

The parties agree that Texas law governs Visa's fraud counterclaim.

Sally Beauty challenges the concrete-injury requirement. This portion of the standing doctrine requires the plaintiff to "plead facts demonstrating that he, himself (rather than a third party or the public at large), suffered the injury." Meyers , 548 S.W.3d at 485 (quoting Heckman , 369 S.W.3d at 155 ). Sally Beauty alleges that Visa lacks standing to bring its fraud claim because Visa's " ‘injury’ consists solely of costs [that] Visa voluntarily incurred to address a purported risk of harm to third parties"; according to Sally Beauty, Visa has admitted that it sustained no damage itself.

But this argument is unavailing. Visa pleaded multiple injuries that it directly sustained as a result of Sally Beauty's alleged fraud, and Sally Beauty admitted as much in its motion for summary judgment. Visa pleaded that it had "incurred costs and expenses while investigating the [d]ata [b]reach and taking steps necessary to protect the Visa Network" and that the breach "compromis[ed] the integrity of the payment card ecosystem upon which payment transactions using Visa-branded payment cards rely, damaging Visa." See Frost Nat'l Bank v. Fernandez , 315 S.W.3d 494, 502–03 (Tex. 2010) (recognizing that "a plaintiff's good faith allegations are used to determine the trial court's jurisdiction" and that "[a] court may presume the truth of allegations supportive of standing to determine standing"). Although Sally Beauty accurately observes that Visa's investigation and mitigation of the hack benefitted third-party network participants, such indirect benefits to Visa's customers merely reflect the nature of its business.

Sally Beauty's motion for summary judgment acknowledged that Visa sought to recover, among other things (1) costs Visa incurred "to prevent future harm," and (2) "damage to the ‘integrity of the payment card ecosystem.’ "

Sally Beauty can and does dispute whether Visa can prove such injuries, but "[a] plaintiff does not lack standing simply because he cannot prevail on the merits of his claim; he lacks standing because his claim of injury is too slight for a court to afford redress." Meyers , 548 S.W.3d at 484–85.

Visa is in the business of providing secure financial transactions, and "the value of the services that ... [the Visa] platform provides increases as the number of participants on both sides of the platform increase." Ohio v. Am. Express Co. , ––– U.S. ––––, 138 S. Ct. 2274, 2280–81, 201 L.Ed.2d 678 (2018) (describing credit-card platform and discussing two-sided platforms generally). Visa alleged that Sally Beauty's fraud caused a Visa network hack that compromised the security of Visa's transactions—decreasing the value of Visa's services and spooking (while also separately harming) Visa network participants, such as issuing banks. Visa thus claimed that the fraud caused direct harm to the value of its services, and it pleaded fraud-related damages for expenses it had incurred to investigate and repair the security of its compromised network, i.e., expenses required to restore the value of the secure transactional services that constitute Visa's bread and butter. Such pleadings were sufficient to show that the company itself, rather than a third party or the public at large, suffered injury. Cf. M.D. Anderson Cancer Ctr. v. Novak , 52 S.W.3d 704, 707–08 (Tex. 2001) (holding that plaintiff lacked standing when plaintiff received an allegedly fraudulent mailer seeking donations, but plaintiff did not believe the fraudulent claims and did not donate).

As the United States Supreme Court has recognized, Visa "sell[s] its services only if a merchant and cardholder [or here, issuing bank] both simultaneously choose to use the network[;] ... whenever [Visa's] credit-card network sells one transaction's worth of card-acceptance services to a merchant it also must sell one transaction's worth of ... services to a cardholder [or here, an issuing bank]." Ohio v. Am. Express Co. , ––– U.S. ––––, 138 S. Ct. 2274, 2286, 201 L.Ed.2d 678 (2018) (describing credit-card network as a two-sided transaction platform and focusing on the roles of merchants and cardholders); see also Pulse Network, LLC v. Visa, Inc. , No. CV H-14-3391, 2018 WL 9850158, at *1 (S.D. Tex. Aug. 31, 2018) ("The market for debit routing is two-sided—issuers and merchants."); Joshua D. Wright, Mastercard's Single Entity Strategy , 12 Harv. Negot. L. Rev. 225, 227 (2007) (explaining that, in two-sided markets, "two different groups of customers are connected by an intermediary, and that the value to each group depends on the size of the other group").

Visa has pleaded a concrete injury and has standing to maintain its fraud action.

2. Failure to State a Claim

Sally Beauty contends that, even if Visa has standing, Visa's live counterpetition fails to state a claim for fraud because four of the six elements of Visa's pleaded claim fail as a matter of Texas law. See Tex. R. Civ. P. 166a(c). Sally Beauty moved for summary judgment on this basis, arguing that Visa's fraud pleadings failed to state a claim.

In its summary judgment motion, Sally Beauty clarified that it was not asking the trial court to "decid[e] whether there [wa]s enough factual evidence for the issues in question to be presented to a jury," rather, Sally Beauty claimed that the issues presented were matters of law that could resolve the case before the parties and the court expended unnecessary time and expense litigating it. And in contemporaneous filings—responding to Visa's competing motion for summary judgment—Sally Beauty objected to the trial court's deciding fact-related issues "prior to the parties[’] having engaged in any discovery."

a. Standard of Review

A defendant may obtain summary judgment by conclusively negating at least one element of the plaintiff's claim. Murphy Expl. & Prod. Co.–USA v. Adams , 560 S.W.3d 105, 108 (Tex. 2018) ; Frost Nat'l Bank , 315 S.W.3d at 508–09 ; see Tex. R. Civ. P. 166a(b)–(c). Although the defendant typically accomplishes this task by offering conclusive summary judgment evidence disproving the challenged element or elements, Sally Beauty sought to conclusively negate elements of Visa's fraud counterclaim on the pleadings alone.

Generally, it is improper to grant summary judgment on a deficient pleading's failure to state an essential element of a cause of action when the deficiency can be attacked through a special exception and cured by amendment. In re B.I.V. , 870 S.W.2d 12, 13–14 (Tex. 1994) ; Tex. Dep't of Corr. v. Herring , 513 S.W.2d 6, 9–10 (Tex. 1974) ; Slaven v. Livingston , No. 02-17-00266-CV, 2019 WL 983693, at *5 (Tex. App.—Fort Worth Feb. 28, 2019, no pet.) (mem. op.) ; Heil Co. v. Polar Corp. , 191 S.W.3d 805, 817 (Tex. App.—Fort Worth 2006, pet. denied). But if the pleading deficiency cannot be cured by amendment, summary judgment on the pleadings may be proper. See Friesenhahn v. Ryan , 960 S.W.2d 656, 658 (Tex. 1998) ; Slaven , 2019 WL 983693, at *5 ; Heil , 191 S.W.3d at 817.

Visa did not argue that any pleading deficiency could be cured, nor did it seek leave to amend its petition. "[A] nonmovant waives a complaint that summary judgment was improperly granted [on the pleadings] by failing to raise it in the summary judgment proceeding at trial." Conyer v. Reyes , No. 02-12-00440-CV, 2014 WL 1704216, at *1 (Tex. App.—Fort Worth Apr. 30, 2014, no pet.) (mem. op.). Thus, to the extent that Visa could have cured any pleading deficiencies by amendment, Visa waived the issue. See Slaven , 2019 WL 983693, at *5.

When reviewing a pleading-deficiency summary judgment, we consider the pleadings de novo, "taking all allegations, facts, and inferences in the pleadings as true and viewing them in a light most favorable to the pleader." Natividad v. Alexsis, Inc. , 875 S.W.2d 695, 699 (Tex. 1994) ; Slaven , 2019 WL 983693, at *5. We will affirm only if, even assuming the plaintiff can prove all the allegations contained in its petition, the petition is legally insufficient to state a cause of action. Natividad , 875 S.W.2d at 699 ; Carter v. Abbyad , 299 S.W.3d 892, 895 (Tex. App.—Austin 2009, no pet.) ; Hall v. Stephenson , 919 S.W.2d 454, 467 (Tex. App.—Fort Worth 1996, writ denied).

b. Elements

A valid fraud claim includes six elements: (1) the defendant made a material, actionable representation; (2) the representation was false; (3) the defendant knew the representation was false or made it recklessly without any knowledge of its truth; (4) the defendant intended to induce the plaintiff to act upon the representation; (5) the plaintiff actually and justifiably relied upon the false representation; and (6) the plaintiff thereby suffered injury. See JPMorgan Chase Bank, N.A. v. Orca Assets G.P., L.L.C. , 546 S.W.3d 648, 653 (Tex. 2018) (listing in four elements); Aquaplex, Inc. v. Rancho La Valencia, Inc. , 297 S.W.3d 768, 774 (Tex. 2009) (listing in six elements); Hannon, Inc. v. Scott , No. 02-10-00012-CV, 2011 WL 1833106, at *6 (Tex. App.—Fort Worth May 12, 2011, pet. denied) (mem. op.) (listing in five elements); O'Connor’s Texas Causes of Action ch. 12-A, § 1.1 (2021) (listing in seven elements).

To satisfy these elements, Visa's live counterpetition alleged that (1) in Sally Beauty's 2014 AOC and other AOCs, Sally Beauty represented that it was in compliance with PCI DSS protocols and that it would remain in compliance; (2) Sally Beauty was not in compliance with the PCI DSS protocols at the time of the 2014 AOC, and Sally Beauty did not intend to comply; (3) Sally Beauty knew that it was not in compliance and had no intention of complying; (4) Sally Beauty submitted the AOC to Visa and intended for Visa to rely on it; (5) justifiably relying on the AOC, Visa did not assess noncompliance fees, and it allowed Sally Beauty to continue accessing the Visa network; and (6) as a result of such reliance, when Sally Beauty's noncompliance facilitated a hack, Visa was forced to spend money investigating, mitigating, and repairing the harm to its network.

Sally Beauty's motion for summary judgment challenged four of these six elements. Sally Beauty argued below, as it does here, that (1) two of the statements in its 2014 AOC—the two statements upon which Sally Beauty alleges Visa's fraud claim relies—were not actionable representations; (2) "as Sally Beauty did not make either statement to Visa, Sally Beauty could not have intended Visa to rely on the statements"; (3) "Visa did not act in reliance," and "[a]ny reliance [wa]s unjustified"; and (4) "Visa has pleaded no cognizable damages." [Emphasis altered.] (1) Actionable Representation

Sally Beauty's brief also disputes a fifth element: falsity. Sally Beauty argues that Visa has "neither alleged nor shown any evidence" that the statement was untrue at the time it was made. But Sally Beauty did not raise this argument below, so it cannot serve as a basis for the trial court's summary judgment. See Tex. R. Civ. P. 166a(c) (providing for summary judgment if "the moving party is entitled to judgment as a matter of law on the issues expressly set out in the motion or in an answer or any other response"); Black v. Victoria Lloyds Ins. Co. , 797 S.W.2d 20, 27 (Tex. 1990) ("A summary judgment movant may not be granted judgment as a matter of law on a cause of action not addressed in a summary judgment proceeding.").

First, Sally Beauty argues that Visa cannot base its fraud claim on the 2014 AOC because the relied-upon statements within the AOC are not actionable, factual representations. Sally Beauty targets two statements from the AOC in particular: (1) that Sally Beauty is "in full compliance with the PCI DSS"; and (2) that Sally Beauty has "read the PCI DSS and recognizes that they must maintain full PCI DSS compliance at all times." Sally Beauty argues that the first statement "was not even a statement by Sally Beauty"; that the second was "at most, a statement of future intent"; and that both statements "represent opinions and legal conclusions, not facts."

Sally Beauty's brief frames this as a challenge to Visa’ reliance on the AOC's statement that Sally Beauty was in "compliance with the Data Security Standard." But that phrase is not actually a quotation from the AOC at all; Sally Beauty is quoting Visa's counterpetition. The quoted portion of Visa's counterpetition appears to be summarizing and implicitly referencing the AOC's statement that Sally Beauty is "in full compliance with the PCI DSS."

As a threshold matter, Visa's fraud claim was not limited to the two statements that Sally Beauty targets. Visa's live counterpetition alleged the following:

29. Sally Beauty has continuously acknowledged its duty to comply with PCI DSS. Indeed, on October 29, 2014 Sally Beauty submitted an Attestation of Compliance ("AOC") to Visa that affirmatively represented that Sally Beauty was in compliance with the Data Security Standard.

30. In the AOC, Sally Beauty affirmatively and expressly represented that it ha[d] "read the PCI DSS" and acknowledge[d] its responsibility to "maintain full PCI DSS compliance at all times." Visa relied upon this and other attestations of compliance that Sally Beauty provided to permit Sally Beauty to continue participating in the Visa Network. If Sally Beauty had disclosed that it was not in compliance, and did not intend to comply, with the Data Security Standard, Sally Beauty would not have been allowed to accept Visa-branded payment cards.[ ]

....

48. In submitting the AOC to Visa , Sally Beauty made a false representation or fraudulently concealed a material fact, with knowledge of its falsity or without sufficient knowledge on the subject to warrant a representation, and with the intent to induce Visa to rely upon it.

A copy of the AOC was attached to Visa's counterpetition.

[Emphases added.] These pleadings, taken as true and viewed in Visa's favor, see Natividad , 875 S.W.2d at 699, alleged that Visa relied to its detriment upon the entirety of the 2014 AOC. Thus, even if we were to hold that the two targeted statements could not support a fraud claim, such a holding would not entirely negate the actionable-representation element of fraud so as to support the trial court's summary judgment. Cf., e.g., Sci. Spectrum, Inc. v. Martinez , 941 S.W.2d 910, 911 (Tex. 1997) ("[S]ummary judgment for a defendant is proper only when the defendant negates at least one element of each of the plaintiff's theories of recovery, Gibbs v. General Motors Corp. , 450 S.W.2d 827, 828 (Tex. 1970), or pleads and conclusively establishes each element of an affirmative defense." (emphasis added)). But because Visa implicitly concedes that its fraud counterclaim relies, at least in part, on the targeted statements, and because Sally Beauty's challenges to these two statements could logically extend to other statements in the AOC as well, we address Sally Beauty's arguments that the statements were (1) made by the QSA; (2) at most, statements of future intent; (3) expert opinions; and (4) legal conclusions.

(a) Representations by QSA

Sally Beauty first argues that Visa cannot premise its fraud counterclaim on the AOC's statement that Sally Beauty was "in full compliance with the PCI DSS" because this "was not even a statement by Sally Beauty"—it was made by the QSA. But these two options are not mutually exclusive. Sally Beauty could and did endorse the QSA's findings thereby implicitly representing the accuracy of the factual basis for those findings.

The AOC is a three-page document, with page one dominated by basic company information, and page three containing the 12-category checklist that summarizes the QSA's report. The second page is the source of the challenged representation; it provides, in relevant part,

Part 3. PCI DSS Validation

Based on the results noted in the [QSA's report,] ... [QSA] asserts the following compliance status for the entity ...:

? Compliant: All requirements in the [report] are marked "in place," and a passing scan has been completed ... thereby Sally Beauty Holdings has demonstrated full compliance with the PCI DSS version 2.0.

....

Part 3a. Confirmation of Compliant Status

QSA/Merchant confirms:

.....

? All information within the above-referenced [report] and in this attestation fairly represents the results of the assessment in all material respects.

? The merchant has confirmed ... that their payment application does not store sensitive authentication data after authorization.

? The merchant has read the PCI DSS and recognizes that they must maintain full PCI DSS compliance at all times.

Directly below the "confirm[ations]" in Part 3a, both Sally Beauty and the QSA signed the document.

Although Sally Beauty is correct that the QSA completed portions of the AOC, such as the "PCI DSS Validation" above and the 12-category checklist previously discussed, Visa's counterpetition can be understood to allege that when Sally Beauty "confirm[ed]" the QSA's statements as "fai[r] represent[ations]," it effectively endorsed the representations as an accurate description of the factual bases behind them, e.g., Sally Beauty's "maintenance of firewall protections," which Visa alleges were lacking. By signing and submitting the AOC then, Visa alleges that Sally Beauty misrepresented its "full compliance with the PCI DSS." This was a representation by Sally Beauty itself; it was based on but distinct from the QSA's representations. Visa's counterpetition thus states an actionable representation by Sally Beauty.

Page one of the AOC provides that the document "must be completed by a [QSA] or merchant (if merchant internal audit performs validation) as a declaration of the merchant's compliance status." Sally Beauty argues that this instruction proves as a matter of law that the QSA made the challenged representation in the AOC. But Sally Beauty acknowledges that this instruction does not apply to the entirety of the AOC because Sally Beauty itself made the statements in Part 3a, excerpted above. And, as we explain below, Sally Beauty's statements in Part 3a effectively endorse the factual basis for the QSA's representations in the remainder of the AOC.

Even if Sally Beauty had not expressly endorsed the QSA's representations, the mere fact that a statement is uttered by a third party does not necessarily render it incapable of supporting a fraud claim. See Parex Res., Inc. v. ERG Res., LLC , 427 S.W.3d 407, 439–40 (Tex. App.—Houston [14th Dist.] 2014) ("[A] defendant's liability for a fraudulent misrepresentation does not always require that the defendant affirmatively make the misrepresentation."), aff'd sub nom. Searcy v. Parex Res., Inc. , 496 S.W.3d 58 (Tex. 2016). "[A] third party can be held liable for the misrepresentation of another if the third party benefits from the fraudulent transaction and had knowledge of the fraud." Source 4 Value v. Hoelzer , No. 07-18-00338-CV, 2020 WL 4249744, at *3 (Tex. App.—Amarillo July 21, 2020, pet. denied) (mem. op.) ; see Corpus Christi Area Tchrs. Credit Union v. Hernandez , 814 S.W.2d 195, 202 (Tex. App.—San Antonio 1991, no writ) ; O'Connor’s Texas Causes of Action ch. 12-A, § 2.1 (2021); cf. also Bransom v. Standard Hardware, Inc. , 874 S.W.2d 919, 924 (Tex. App.—Fort Worth 1994, writ denied) ("A party in interest may become liable by mere silent acquiescence and partaking of the benefits of the fraud.").

To the extent that Sally Beauty contends that it was required to expressly reiterate each of the QSA's findings to make them actionable representations, we disagree. See Ten-Cate v. First Nat'l Bank , 52 S.W.2d 323, 326–27 (Tex. Civ. App.—Fort Worth 1932, no writ) (holding that appellee fraudulently misrepresented terms of advertising agreement and recognizing that "a representation need not be a direct lie in order to constitute remedial fraud; the false representation may consist in a deceptive answer, or any other indirect but misleading language" (quoting 25 C.J.S. Fraud at 1066)); see Baribeau v. Gustafson , 107 S.W.3d 52, 59 (Tex. App.—San Antonio 2003, pet. denied) ("Fraud is deducible from artifice ... as well as from affirmative conduct of a character to deceive."); O'Connor’s Texas Causes of Action ch. 12-A, § 2.3.4 (2021) (stating that "[d]eceptive conduct is equivalent to a false statement of fact").

(b) Promise of Performance

Next, Sally Beauty targets its affirmation in the AOC that Sally Beauty has "read the PCI DSS and recognizes that they must maintain full PCI DSS compliance at all times." Sally Beauty claims that this is not a promise to remain PCI DSS compliant; it is "nothing more than a confirmation by Sally Beauty that it has ‘read’ and that it ‘acknowledges.’ " And regardless, Sally Beauty argues, statements of future intent cannot constitute actionable fraud. We disagree on both counts.

First, Sally Beauty's acknowledgment could be reasonably understood as a promise to perform. Although the acknowledgement does not use the word promise , it communicates a comparable level of certainty by using the word must.

Must is an affirmation that something will happen. See Must , Webster's Third New International Dictionary 1492 (2002) (defining must as, among other things, "is compelled by physical necessity to ... [;] is required by immediate or future need or purpose to"). Implicit in this word is the recognition that there is no discretion to do or endure otherwise. Cf., e.g., Helena Chem. Co. v. Wilkins , 47 S.W.3d 486, 493 (Tex. 2001) (interpreting must in statute and recognizing that "[w]hile Texas courts have not interpreted ‘must’ as often as ‘shall,’ both terms are generally recognized as mandatory, creating a duty or obligation"). In the context of the AOC, must conveys that Sally Beauty will comply with the PCI DSS security protocols—as opposed to merely aspiring to comply—because Sally Beauty has no discretion to do otherwise. Sally Beauty's "recogni[tion] that they must maintain full PCI DSS compliance at all times" is a sufficiently definite commitment to support Visa's fraud counterclaim. [Emphasis added.] And, contrary to Sally Beauty's contentions, a statement of future intent can support a fraud claim. Specifically, "[a] promise of future performance constitutes an actionable misrepresentation if the promise was made with no intention of performing at the time it was made." Aquaplex , 297 S.W.3d at 774–75 ; Formosa Plastics Corp. USA v. Presidio Engineers and Contractors, Inc. , 960 S.W.2d 41, 48 (Tex. 1998). Visa's counterpetition alleged that when Sally Beauty signed the AOC "recogniz[ing] that [it] must maintain PCI DSS compliance at all times," Sally Beauty had no intention of complying with the PCI DSS protocols. This is sufficient to state an actionable representation for purposes of fraud.

(c) Expert Opinions

Sally Beauty next attacks both of the AOC statements discussed above by alleging that "[w]hether or not Sally Beauty is PCI DSS compliant ... is the province of expert opinion, and an expert's opinion is not a ‘material fact’ upon which fraud can be based."

Although Sally Beauty argued below that the challenged misrepresentations required legal expertise, its brief implies that such representations required a QSA's expertise. Whatever the qualifications that Sally Beauty believes were required to comment on its compliance status, our analysis regarding the factual nature of Sally Beauty's representations remains the same.

While it is true that an expression of pure opinion is not generally considered an actionable representation, "[w]hether a statement is an actionable statement of ‘fact’ or merely one of ‘opinion’ often depends on the circumstances in which a statement is made." Italian Cowboy Partners, Ltd. v. Prudential Ins. Co. of Am. , 341 S.W.3d 323, 337–39 (Tex. 2011) (holding that defendant's statements that prior tenant experienced "[n]o problems" and that the building was a "perfect restaurant site" were actionable statements of fact); see O'Connor’s Texas Causes of Action ch. 12-A, § 2.3 (2021).

Here, Sally Beauty's representations in the AOC can best be understood as statements of fact. Even assuming arguendo that PCI DSS compliance is a matter of expert QSA opinion, Sally Beauty's representations were in addition to those of the QSA and as an endorsement of the factual basis for the QSA's conclusions.

First, as discussed above, both Sally Beauty and the QSA signed the AOC, and Sally Beauty made its representations in addition to the QSA's. And some of the statements that Sally Beauty attested to in the AOC were factual statements regarding its actions:

? The merchant has confirmed ... that their payment application does not store sensitive authentication data after authorization.

? The merchant has read the PCI DSS and recognizes that they must maintain full PCI DSS compliance at all times.

The AOC is clear on its face that Sally Beauty is not making its representations as a QSA; it is making its representations in addition to those of the QSA and as the entity with factual knowledge of its own actions, procedures, and security precautions—upon which the QSA's analysis is based. Although Sally Beauty claims that it lacked the expertise to determine "whether or not any one of the over 200 PCI DSS requirements and sub-requirements [was] ‘in place,’ " the entity cannot deny that it possessed the facts necessary to make this determination; it knew what security precautions it had or had not taken.

Indeed, Sally Beauty's "one-sided knowledge of past facts" was a significant reason why its representations in the AOC had value. See Italian Cowboy Partners, Ltd. , 341 S.W.3d at 339 ("Prudential's one-sided knowledge of past facts makes these particular representations actionable under the circumstances."). Visa alleged that it "did not have independent access to Sally Beauty's network and relied on Sally Beauty's attestation affirming its compliance with data-security standards[,] .... [and] Sally Beauty was aware that Visa would rely on Sally Beauty's misrepresentation of its compliance." Visa further alleged that "Sally Beauty knew that it was not in compliance with the Data Security Standard," i.e., that Sally Beauty had one-sided knowledge of past or then-current facts regarding its sub-par security practices and protocols.

Visa's counterpetition alleged that Sally Beauty had "failed to take the steps it knew were necessary to adequately safeguard its network and maintain [PCI DSS] compliance," such as "implement[ing] appropriate policies and procedures ... [for] the maintenance of firewall protections, appropriate user logins and passwords, and monitoring of access to network resources and cardholder data." Such allegations identify concrete steps that Sally Beauty knew were necessary to comply with the PCI DSS but that, according to Visa, Sally Beauty knew that it had failed to take. Sally Beauty's representations in the AOC can be properly understood as factual representations regarding these and other merchant actions upon which the QSA's compliance report was based.

Therefore, even assuming Sally Beauty's official compliance status was a matter of expert QSA opinion, Visa's pleadings state an actionable representation.

(d) Legal Conclusions

Sally Beauty also argues that, to the extent that it represented it was and would remain fully PCI DSS compliant, "whether Sally Beauty has fulfilled its contractual obligations under its Bank Card Management Agreement with Fifth Third as a result of its PCI DSS compliance status is a legal opinion, not a ‘material fact’ upon which fraud can be based." See Fina Supply, Inc. v. Abilene Nat'l Bank , 726 S.W.2d 537, 540 (Tex. 1987) ("A representation as to the legal effect of a document is regarded as a statement of opinion rather than of fact and will not ordinarily support an action for fraud."); Taub v. Hous. Pipeline Co. , 75 S.W.3d 606, 621 (Tex. App.—Texarkana 2002, pet. denied) ("Generally, claims of fraud cannot arise from legal opinions.").

But Visa's fraud claim does not rely upon the Bank Card Management Agreement; it relies on Sally Beauty's AOC. Visa's counterpetition referenced the Bank Card Management Agreement as support for a separate counterclaim: negligence. Specifically, Visa alleged that Sally Beauty had a duty to comply with the PCI DSS protocols in part because it agreed to do so under the terms of its contract with Fifth Third. But unlike negligence, common law fraud does not require the plaintiff to establish a duty element. See, e.g., Haase v. Gim Res., Inc. , No. 01-09-00696-CV, 2010 WL 3294247, at *1 (Tex. App.—Houston [1st Dist.] Aug. 19, 2010, no pet.) (mem. op. on reh'g) (affirming summary judgment dismissing negligence claim because "[appellant] did not raise any evidence showing that [appellee] owes him a legal duty," but reversing summary judgment on fraud claim "because legal duty is not an element of fraud and [appellee] did not present additional summary judgment grounds"). But cf. Bradford v. Vento , 48 S.W.3d 749, 755 (Tex. 2001) ("As a general rule, a failure to disclose information does not constitute fraud unless there is a duty to disclose the information."). To state a claim for fraud, Visa was required to identify a fraudulent, material misrepresentation. And Visa did so by pointing to the AOC, with no mention of the Bank Card Member Agreement. Whether Sally Beauty breached the terms of its agreement with Fifth Third is a separate matter.

The fraud-related portion of Visa's live counterpetition alleged that "[i]n submitting the AOC to Visa, Sally Beauty made a false representation or fraudulently concealed a material fact[ ] with knowledge of its falsity or without sufficient knowledge on the subject to warrant a representation[ ] and with the intent to induce Visa to rely upon it" and that Visa had "acted in justifiable reliance on Sally Beauty's representations and was thereby damaged."

Even if Visa's fraud claim had referenced Sally Beauty's compliance with the agreement though, contractual compliance is not a question of law where, as here, the parties dispute the relevant factual conduct. Cf. Lafarge Corp. v. Wolff, Inc. , 977 S.W.2d 181, 186 (Tex. App.—Austin 1998, pet. denied) (recognizing that breach is a question of law "[w]here the evidence is undisputed regarding a person's conduct under a contract"). As discussed previously, Visa and Sally Beauty hotly contest whether Sally Beauty "t[ook] the steps it knew were necessary to adequately safeguard its network and maintain compliance," and Sally Beauty's statements in the AOC could fairly be understood as representations of the underlying facts. See supra Section II.B.2.b.(1).(c); see also Fina Supply , 726 S.W.2d at 540 ("[M]isrepresentations involving a point of law will be considered misrepresentations of fact if they were intended and understood as such."); Affordable Power, L.P. v. Buckeye Ventures, Inc. , 347 S.W.3d 825, 831 (Tex. App.—Dallas 2011, no pet.) (holding representation regarding contract-termination fee was intended and understood as a representation of fact).

Sally Beauty's claim that the two targeted representations are legal conclusions is thus untenable.

(2) Intent to Induce Reliance

Next, Sally Beauty argues that it did not make either of the targeted statements to Visa, so "logically and as a matter of law" it could not have intended for Visa to rely on the statements. Although we again note that Visa's counterpetition was not limited to the two targeted statement, see supra Section II.B.2.b.(1), Sally Beauty's challenge logically extends to the 2014 AOC as a whole. Sally Beauty claims that it did not submit its AOC directly to Visa, rather Sally Beauty submitted the document to Fifth Third, which may or may not have submitted the document to Visa.

But Visa's amended petition alleges that Sally Beauty "submit[ed] the AOC to Visa" and that Sally Beauty knew and intended that Visa would rely upon its representations in the AOC. Visa doubled down on this argument in its response to Sally Beauty's motion for summary judgment, reiterating that "Sally Beauty submitted [the 2014 AOC] to Visa . " Taking Visa's counterpetition as true and construing it in Visa's favor, see Natividad , 875 S.W.2d at 699, Visa's pleadings were sufficient to allege the intent-to-induce-reliance element of fraud.

On appeal, Visa argues that Sally Beauty made the representation to Visa "through its acquirer Fifth Third." Even if we construe this as a concession, though, it does not necessarily settle the issue; Visa still claims that Sally Beauty knew and intended to make the representation to Visa. A plaintiff can pursue a fraud claim based on an indirectly received representation if the plaintiff can show that the defendant had reason to expect the plaintiff's reliance on the statement, that is, if the plaintiff can show that the defendant possessed information that would lead a reasonable man to conclude that there was "an especial likelihood" that the defendant's representation would reach the specific plaintiff and influence its conduct. Ernst & Young, L.L.P. v. Pac. Mut. Life Ins. Co. , 51 S.W.3d 573, 581 (Tex. 2001) (quoting Restatement (Second) of Torts § 531 cmt. d (1977)); see also O'Connor’s Texas Causes of Action ch. 12-A, §§ 2.1.2, 2.5 (2021).

(3) Reliance

Sally Beauty further argues that "Visa admits it does not rely on statements in the AOC" and that even if it did, "Visa was not justified in relying on the AOC as a guarantee of future PCI DSS compliance."

(a) Actual Reliance

To plead reliance, Visa was required to allege that it had actually relied upon Sally Beauty's misrepresentations to its detriment. See JPMorgan Chase Bank , 546 S.W.3d at 653 ("[T]he plaintiff must show that it actually relied on the defendant's representation[.]"). In its live counterpetition, Visa pleaded reliance on Sally Beauty's "affirmativ[e] and expres[s]" representation that Sally Beauty had "read the PCI DSS," as well as Sally Beauty's commitment to "maintain full PCI DSS compliance at all times." Visa alleged that it had "relied upon this [i.e., the 2014 AOC] and other attestations of compliance that Sally Beauty provided to permit Sally Beauty to continue participating in the Visa Network." Again, taking these pleadings as true and viewing them in a light most favorable to Visa, Visa's counterpetition sufficiently alleged actual reliance.

Additionally, in response to Sally Beauty's motion for summary judgment, a Visa representative averred that

[i]n the event that Visa becomes aware that a participating merchant has fabricated validation documentation to Visa, including the submission of an [AOC] ... Visa has the discretion to take corrective action, and has taken such corrective action[ ] such as imposing an assessment or suspending a particular merchant's ability to accept or process Visa cardholder transactions.

(b) Justifiable Reliance

Sally Beauty further claims that, even if Visa actually relied upon the representations in its AOC, "[a]ny reliance [wa]s unjustified" because the AOC was "only a statement of a merchant's compliance as of the time the AOC [wa]s completed, and thus, cannot be a guarantee of continuing compliance upon which Visa could justifiably rely."

First, Visa's fraud counterclaim alleged that, when Sally Beauty signed and submitted the AOC, it was fraudulently misrepresenting its compliance status at that point in time : "Sally Beauty knew that it was not in compliance with the Data Security Standard," or "[a]t the very least, Sally Beauty was reckless in representing to Visa that it was in compliance with the Data Security Standard." Sally Beauty has not addressed this aspect of the pleadings or identified any reason why Visa could not justifiably rely on such a point-in-time representation.

And second, Sally Beauty's argument ignores its express "recogni[tion]" in the AOC "that they must maintain full PCI DSS compliance at all times." As explained above, this statement is a promise to perform in the future, not merely a representation of Sally Beauty's compliance at the time the AOC was completed. See supra Section II.B.2.b.(1).(b).

Therefore, the justifiable-reliance element of Visa's fraud claim does not fail as a matter of law. (4) Cognizable Damages

Furthermore, "[w]hether a party's actual reliance is also justifiable is ordinarily a fact question." Mercedes-Benz USA, LLC v. Carduco, Inc. , 583 S.W.3d 553, 558 (Tex. 2019).

Finally, Sally Beauty argues that Visa cannot satisfy the damages element of fraud because it experienced "no existing cognizable harm" itself and cannot seek to recover for damages to third parties. But these arguments are based on faulty premises: (1) that Visa has suffered no harm itself, and (2) that Visa is using its fraud claim to recover for damages to third parties or actions taken to protect third parties. We have already addressed and rejected these premises; Visa pleaded cognizable, direct damages that it had incurred to protect and restore its services. See supra Section II.B.1.

Sally Beauty's motion for summary judgment acknowledged that Visa sought to recover "(1) costs Visa incurred as a result of its own actions, (2) harm suffered by third-party ‘members of the Visa Network’, and (3) damage to the ‘integrity of the payment card ecosystem.’ " Sally Beauty argued below that none of these damages were cognizable; the costs were "purely voluntary steps .... to prevent future harm"; Visa lacked standing to recover for damages to third parties; and the damage to the ecosystem was not "concrete and particularized," "actual or imminent," or fairly traceable to the challenged action of the defendant rather than the independent action of some third party.
But Sally Beauty's argument on appeal is slightly different. Now, Sally Beauty staunchly asserts that Visa itself has experienced no harm; Sally Beauty argues that Visa seeks only to recover for damages to third parties or costs incurred to protect those third parties and that, even if Visa had incurred costs to prevent future harm to itself, it could not recover those costs without existing cognizable harm. Sally Beauty presents this argument in a single, combined challenge to Visa's standing and Visa's ability to state a claim for the damages element of fraud.

c. Conclusion

After examining all of the arguments that Sally Beauty advanced in support of its motion for summary judgment on Visa's fraud counterclaim, none of these arguments are meritorious. See Dow Chem. , 46 S.W.3d at 242. The question here is not whether Visa can ultimately prove that Sally Beauty committed all of the elements of fraud; the question is whether Visa's pleadings—taken as true and viewed in its favor—are legally sufficient to state a claim as a matter of law. See Natividad , 875 S.W.2d at 699. For the reasons discussed above, Visa stated a claim for fraud. We sustain Visa's second issue and reverse the trial court's summary judgment on fraud. Tex. R. App. P. 43.2(d).

C. Remand or Partial Rendition?

Although we reverse both Sally Beauty's breach of contract judgment and the judgment on Visa's fraud counterclaim, the parties dispute whether we should remand the case to the trial court or render partial judgment in Visa's favor on the breach of contract claim. See Tex. R. App. P. 43.2(c), (d). In fact, the parties even dispute the standard of review.

1. Standard of Review

Generally, an order denying summary judgment is interlocutory and is not subject to appellate review. See Lancer Ins. Co. v. Garcia Holiday Tours , 345 S.W.3d 50, 59 (Tex. 2011) ; Bowman v. Lumberton Indep. Sch. Dist. , 801 S.W.2d 883, 889 (Tex. 1990) (op. on reh'g). But there is an exception: when both parties move for summary judgment and the trial court grants one motion and denies the other, "the reviewing court considers the summary judgment evidence presented by both sides, determines all questions presented, and if the reviewing court determines that the trial court erred, renders the judgment the trial court should have rendered." Fed. Deposit Ins. Corp. v. Lenk , 361 S.W.3d 602, 611 (Tex. 2012) (quoting Valence Operating Co. v. Dorsett , 164 S.W.3d 656, 661 (Tex. 2005) ). For this exception to apply though, both parties must have either (1) moved for final summary judgment, see CU Lloyd's of Tex. v. Feldman , 977 S.W.2d 568, 569 (Tex. 1998), or (2) moved for summary judgment on the same issues. See Tri-Cnty. Elec. Coop., Inc. v. GTE Sw. Inc. , 490 S.W.3d 530, 537 (Tex. App.—Fort Worth 2016, no pet.) ; see also Fed. Deposit Ins. , 361 S.W.3d at 611–12.

Sally Beauty disputes the existence of the second option; it argues that, because Visa only sought partial summary judgment, we cannot review the denial of Visa's summary judgment motion or render judgment in Visa's favor. But Visa accurately observes that this court has held otherwise. See Tri-Cnty. Elec. Coop. , 490 S.W.3d at 537.

As we recognized in Tri-County —and as our sister courts have recognized as well—when the issues raised in the appellant's motion for partial summary judgment overlap with the issues raised in the appellee's motion for final summary judgment, we may review the overlapping issues and render judgment for the appellant as to those matters raised in common. See id. ("[B]ecause [appellant] Tri-County moved only for a partial summary judgment, we may render only as to those matters that Tri-County raised in common with [appellee] Verizon."); see also Waller v. Waller , No. 12-19-00326-CV, 2020 WL 5406246, at *5 (Tex. App.—Tyler Sept. 9, 2020, no pet.) (mem. op.) (recognizing that "when the moving parties in both motions seek summary judgment on the same issue, the court of appeals may review a cross-motion that does not address all claims"); Houle v. Casillas , 594 S.W.3d 524, 542 (Tex. App.—El Paso 2019, no pet.) (recognizing that denial of partial summary judgment may be reviewed if the parties "have filed competing motions for summary judgment on the same issue"); United Auto. Ins. Servs. v. Rhymes , No. 05-16-01125-CV, 2018 WL 2077561, at *2 n.4 (Tex. App.—Dallas May 4, 2018, no pet.) (mem. op.) (recognizing that "the appellate court can address the [denial of a] motion for partial summary judgment if it addresses the same issues as the opposing party's [final] summary judgment motion"); Gastar Expl. Ltd. v. U.S. Specialty Ins. Co. , 412 S.W.3d 577, 582 (Tex. App.—Houston [14th Dist.] 2013, pet. denied) (recognizing that denial of partial summary judgment may be reviewed on appeal when "both parties ... sought final judgment relief in their cross-motions for summary judgment or moved for summary judgment on the same issue"). We decline Sally Beauty's invitation to overrule this precedent. 2. Breach of Contract

Sally Beauty contends that our holding in Tri-Cnty. Elec. Coop conflicts with Texas Supreme Court precedent—specifically, Feldman . See Feldman , 977 S.W.2d at 568–69. We disagree.
In Feldman , CU Lloyd's moved for final summary judgment on Feldman's breach of contract claims, arguing that no duty to defend existed. Id. at 568–69. Feldman filed a competing motion for partial summary judgment on the same issue—the existence of a duty to defend—as well as a second issue: breach. Id. at 569. The trial court granted CU Lloyd's motion, and the court of appeals reversed and rendered judgment for Feldman as to liability. Id. The Texas Supreme Court held that the court of appeals could not render judgment for Feldman because Feldman did not demonstrate damages. Id. The Texas Supreme Court did not explain the precise rationale for its holding—e.g., whether the court of appeals erred by considering the denial of Feldman's partial summary judgment motion (as Sally Beauty argues), erred by "dispos[ing] of issues not addressed or disposed of in the trial court," see Evergreen Nat'l Indem. Co. v. Tan It All, Inc. , 111 S.W.3d 669, 679 (Tex. App.—Austin 2003, no pet.) (distinguishing Feldman ), or erred by rendering judgment on breach of contract liability alone. See Intercont'l Grp. P'ship v. KB Home Lone Star L.P. , 295 S.W.3d 650, 660 (Tex. 2009) ("Feldman was a summary-judgment case ... but the common thread is plain: Absent tangible relief, either monetary or equitable, a judgment on liability alone is improper."). Although Sally Beauty urges us to adopt its interpretation of Feldman —thereby overruling our own case law and contradicting the case law of our sister courts—Sally Beauty does not explain why its interpretation is allegedly necessary.

Even with the standard of review settled, the parties dispute its application to the breach of contract claim. Both parties sought summary judgment on the breach element of this claim, but because Sally Beauty alleged four alternative theories of breach, the parties’ motions differed in scope: Visa's summary judgment motion challenged all four of Sally Beauty's alternative theories of breach, while Sally Beauty sought—and secured—summary judgment only on the theory that the GCAR program's liquidated damages provision was an unenforceable penalty. Sally Beauty thus claims that this court cannot address its alternative theories of breach because such theories were not raised in common; the sole issue raised in common was the liquidated damages penalty issue. Visa, meanwhile, argues that the overarching question of breach was raised in common and presented for the trial court's evaluation. We agree with Sally Beauty.

The breach of contract portion of Sally Beauty's live petition stated four different breaches; it alleged (1) that for at least three different, independently sufficient reasons, "[t]he GCAR Liability Assessment was not authorized by the Visa [Core] Rules"—i.e., Visa failed to follow the Visa Core Rules in its calculation and imposition of the GCAR assessment; and (2) "[t]he GCAR Liability Assessment, even if it was authorized by the Visa [Core] Rules ..., is unenforceable under applicable law because it constitutes a contractual penalty."

For unexplained reasons, Visa agreed that, if the liquidated damages provision was an unenforceable penalty, Sally Beauty was entitled to judgment on the entirety of the breach of contract claim. See supra note 22.

Sally Beauty's motion for summary judgment did not address its alternative theories of breach; it addressed only the liquidated damages penalty theory. And because the trial court resolved the penalty issue in Sally Beauty's favor, it was not required to reach the merits of Visa's challenges to Sally Beauty's alternative theories of breach. The issues were thus not raised in common. See Waller , 2020 WL 5406246, at *5 (declining to review denial of partial summary judgment because appellee secured summary judgment on affirmative defense of res judicata and trial court did not reach appellant's request for judgment on the merits of the claim); Star Elec., Inc. v. Northpark Office Tower, LP , No. 01-17-00364-CV, 2020 WL 3969588, at *24 (Tex. App.—Houston [1st Dist.] July 14, 2020, no pet.) (mem. op. on reh'g) (declining to review denial of partial summary judgment because appellee secured summary judgment on affirmative defense of statute of repose and trial court did not reach appellant's request for judgment on the merits of the claim); Fairfield Indus., Inc. v. EP Energy E&P Co., L.P. , 531 S.W.3d 234, 251 (Tex. App.—Houston [14th Dist.] 2017, pet. denied) (declining to review denial of partial summary judgment because appellee secured judgment on different bases than those raised in appellants’ motion); Coreslab Structures (Tex.), Inc. v. Scottsdale Ins. Co. , 496 S.W.3d 884, 891 (Tex. App.—Houston [14th Dist.] 2016, no pet.) (similar). We therefore remand these issues for the trial court's consideration. See Tex. R. App. P. 43.2(d) ; cf. Sosa v. Williams , 936 S.W.2d 708, 711 n.1 (Tex. App.—Waco 1996, writ denied) ("Because in this case [appellant's] motion for summary judgment and [appellees’] motions for summary judgment are premised differently, we remand for trial.").

3. Fraud

The disposition of Visa's fraud counterclaim is much simpler. Sally Beauty was the only party seeking summary judgment on Visa's fraud counterclaim; thus, Visa acknowledges that the fraud counterclaim must be remanded to the trial court for further proceedings. We agree and remand the claim accordingly. See Tex. R. App. P. 43.2(d).

III. Conclusion

Because the GCAR program is an enforceable liquidated damages provision, we reverse the trial court's summary judgment on Sally Beauty's breach of contract claim. And because Visa's live counterpetition pleaded a cognizable claim for fraud along with facts to support its standing, we reverse the trial court's summary judgment on Visa's fraud counterclaim. We remand this case to the trial court for further proceedings consistent with this opinion. See Tex. R. App. P. 43.2(d).


Summaries of

Visa Inc. v. Sally Beauty Holdings, Inc.

Court of Appeals of Texas, Second District, Fort Worth
Dec 9, 2021
651 S.W.3d 278 (Tex. App. 2021)
Case details for

Visa Inc. v. Sally Beauty Holdings, Inc.

Case Details

Full title:Visa Inc., Appellant v. Sally Beauty Holdings, Inc., Appellee

Court:Court of Appeals of Texas, Second District, Fort Worth

Date published: Dec 9, 2021

Citations

651 S.W.3d 278 (Tex. App. 2021)

Citing Cases

Sally Beauty Holdings, Inc. v. Visa Inc.

SALLY BEAUTY HOLDINGS, INC. v. VISA INC.; From Denton County; 2nd Court of Appeals District (02-20-00339-CV,…

Paymentech, LLC v. Landry's Inc.

Recently, a Texas court of appeals, applying California law, upheld Visa's GCAR program against a similar…