Breached Merchant Sues Processor
Legal Dispute Highlights Flaws in Contractual Liability
Family-owned Cisero's claims Elavon Inc., its former payments processor, and U.S. Bank, its former acquirer, illegally charged the Park City, Utah, restaurant fees and fines after an alleged card breach. Elavon and U.S. Bank are part of U.S. Bancorp.
Contracts between merchants, acquiring banks and processors are complicated. "The entire system is like a complex labyrinth of rules, contracts, security standards and other processes that most merchants believe is stacked against them," says David Navetta, founding partner of the Information Law Group who has represented merchants in similar situations. "It is a difficult and expensive process."
That's why most merchants don't take acquiring banks and card networks on in court. "They usually walk away and pay the fines, even if they think the fines unfair," Navetta says. [See Navetta's panel discussion preview at RSA Conference 2012: The Dark Side of a Payment Card Breach.]
The mere fact that Cisero's filed a counter suit against U.S. Bank makes its case unique. If Cisero's is successful in its legal quest to have U.S. Bank's indemnification ruled illegal, it could set a legal precedent that puts a contractual shift in motion for the ways response and liability are handled in the wake of card breaches.
Gartner analyst Avivah Litan says the case is one to watch, though she's doubtful the legal outcome will ruffle too many feathers. "The card brands and banks are covered by their contracts with the retailers and until the Justice Department determines that the system is a monopoly and therefore must engage in different (more favorable to the retailers) business practices," she says. "As a result, the retailers' hands are essentially tied. They may win small battles, but they won't win the war."
The 2008 breach, which U.S. Bank claims resulted from Cisero's improper handling of card data, is believed to have exposed more than 8,000 debit and credit accounts. Internal investigations at Visa and MasterCard Worldwide found Cisero's to be the common link among all of the fraudulently used accounts.
As a result, MasterCard and Visa fined U.S. Bank, claiming Cisero's violated the Payment Card Industry Data Security Standard by storing customer card data on its computer. In May 2010, Elavon sued Cisero's for fines and fees totaling $80,000.
Cisero's says it later conducted an independent forensics investigation and never found evidence of a hack or breach. But Visa's and MasterCard's findings trumped Cisero's investigation - a common result in the wake of a breach.
In fact, few forensics investigations initiated by card brands favor merchants. "Most QIRAs [qualified incident response assessors] do not necessarily do a deep-dive forensic assessment," says Navetta, who co-chairs the American Bar Association's Information Security Committee. "Rather, they do something more tailored to the task of confirming PCI compliance and validating the existence of a card breach. Unfortunately for merchants, we have found that some of the assumptions made by QIRAs in this context are often not favorable to the merchant."
It's the primary reason most legal experts recommend merchants conduct their own forensic investigations. "There are almost always uncertainties as to what happened, how it happened and the scope of an incident," Navetta says. "The forensic assessment is one of the few points that merchants can have an impact on the outcome in terms of fines, penalties and recovery costs."
Because of independent findings discovered during its forensics work, Cisero's feels it has a legal leg to stand on in the case against Elavon and U.S. Bank. In June 2010, Cisero's filed a counterclaim against Elavon, claiming the bank should not have automatically withdrawn compensation for breach fees from Cisero's commercial account.
Last month, the restaurant amended its claim to include U.S. Bank as a defendant, because of the $10,172 in deductions U.S. Bank withdrew in September 2008. Cisero's is asking the court to have Elavon's indemnification claim declared unenforceable and is seeking damages from Elavon and U.S. Bank for negligence and breach of contract.
"Elavon demanded indemnification from Cisero's for fines and alleged fraud losses assessed by Visa and MasterCard on U.S. Bank (Elavon's affiliate) arising from this supposed data breach," says Stephen Canon, an attorney at Constantine Cannon LLP who's representing Cisero's. "Elavon unilaterally withdrew about $10,000 from Cisero's bank account with U.S. Bank before Cisero's changed its processor."
But Navetta says U.S. Bank's contract with Cisero's is not so unique; most merchants sign similar deals with acquirers and processors. "Most agreements give processors the right to establish a reserve fund to cover potential fines and penalties," he says. "I have had clients who had hundreds of thousands of dollars taken from their accounts, to the point where it impacted their operations."