Jetro Holdings, LLC v. MasterCard Inc., a New York state case decided May 3, 2016, illustrates the tangled web of potential liability companies face in data breach cases, and underscores that retailers and other companies that accept customer credit card information are increasingly held responsible for the costs of a data breach. No. 60374/2015, 2016 WL 1761971 (N.Y. Sup. Ct. May 3, 2016).
Jetro, a wholesale restaurant supplier, suffered data breaches in 2011 and 2012. To allow its customers to use MasterCards for purchases, Jetro contracted with PNC Bank to process MasterCard transactions. PNC Bank, in turn, contracted with MasterCard.
As a result of the data breaches, and pursuant to their contract, MasterCard imposed fines, penalties, and fees amounting to $7 million on PNC Bank. PNC Bank, in turn, withheld that amount from money otherwise due to Jetro in accordance with its contract with Jetro.
Jetro responded by filing suit against MasterCard, making a novel claim to recover the $7 million withheld by PNC Bank under the doctrine of equitable subrogation. Equitable subrogation is traditionally applied in insurance claims, to allow an insurer to recover money paid to its insured from the third party who caused the loss. Jetro argued that MasterCard wrongfully imposed the fines, penalties, and fees on PNC Bank and that, because Jetro effectively paid for the wrongful "loss" caused to PNC Bank by MasterCard, Jetro was entitled to recover the money from MasterCard.
The court, however, rejected Jetro's argument. The court reasoned that, in this situation, the loss was caused by the cyber criminals who breached Jetro's data, not MasterCard; Jetro was therefore entitled to recover its money from the criminals who stole the credit card information, but not MasterCard. The court therefore granted MasterCard's motion to dismiss Jetro's complaint for failure to state a claim.
The case underscores the financial risk that retailers and other companies that safeguard sensitive customer information ultimately bear in data breaches. Increasingly, banks involved in high-profile data breach cases are acting to recover their costs from the retailers. While these cases do not get as much attention in the popular press as consumer class actions, the financial liability to the retailers is typically much greater. For example, in multidistrict litigation stemming from its 2013 data breach that affected 40 million customers, Target's settlement with the affected banks ($39.4 million) was nearly four times as large as Target's settlement with its customers ($10 million). See In re Target Corp. Customer Data Sec. Breach Litig., MDL No. 14-2522 (PAM) (D. Minn.) (Compare ECF No. 653-1 with ECF No. 364).
More recently, on April 26, 2016, Wendy's was served with a putative class action brought by financial institutions affected by its recent data breach. See Complaint, First Choice Fed. Credit Union v. The Wendy's Company, No. 2:16-cv-00506-NBF-MPK (W.D. Penn. Apr. 25, 2016) (ECF No. 1). The Complaint seeks to recover the banks' costs from being forced to "cancel and reissue payment cards, change or close accounts, notify customers that their cards were compromised, investigate claims of fraudulent activity, refund fraudulent charges, increase fraud monitoring on potentially impacted accounts, and take other steps to protect themselves and their customers," damages from "lost interest and transaction fees due to reduced card usage," and the diminished value of credit card and account information. Id. at 43.
There is a clear trend for retailers to be the ones left holding the bag for the financial costs of data breaches. While consumer class actions receive greater media attention, retailers ultimately face a much larger financial risk from litigation with financial institutions affected by the data breach. Companies that may be vulnerable to data breaches should follow these ongoing cases closely.