From Casetext: Smarter Legal Research

Schnuck Mkts., Inc. v. First Data Merch. Servs. Corp.

United States Court of Appeals, Eighth Circuit.
Jan 13, 2017
852 F.3d 732 (8th Cir. 2017)

Summary

holding that contractual limit on liability favoring Schnucks applied to limit liabilities resulting from this data breach

Summary of this case from Cmty. Bank of Trenton v. Schnuck Mkts., Inc.

Opinion

No. 15-3804

01-13-2017

SCHNUCK MARKETS, INC., Plaintiff-Appellee v. FIRST DATA MERCHANT SERVICES CORP.; Citicorp Payment Services, Inc., Defendants-Appellants

Counsel who presented argument on behalf of the appellant was Gregory Silbert, of New York, NY. The following attorney(s) appeared on the appellant brief; Lucy T. Unger, of Saint Louis, MO., Lisa Larkin, of Saint Louis, MO., Edward Soto, of Miami, FL., Jonathan Polkes, of New York, NY. Counsel who presented argument on behalf of the appellee was Daniel R. Warren, of Cleveland, OH. The following attorney(s) appeared on the appellee brief; Kevin F. Hormuth, of Saint Louis, MO., David Paul Niemeier, of Saint Louis, MO., Craig A Hoffman, of Cincinnati, OH.


Counsel who presented argument on behalf of the appellant was Gregory Silbert, of New York, NY. The following attorney(s) appeared on the appellant brief; Lucy T. Unger, of Saint Louis, MO., Lisa Larkin, of Saint Louis, MO., Edward Soto, of Miami, FL., Jonathan Polkes, of New York, NY.

Counsel who presented argument on behalf of the appellee was Daniel R. Warren, of Cleveland, OH. The following attorney(s) appeared on the appellee brief; Kevin F. Hormuth, of Saint Louis, MO., David Paul Niemeier, of Saint Louis, MO., Craig A Hoffman, of Cincinnati, OH.

Before WOLLMAN, ARNOLD, and KELLY, Circuit Judges.

WOLLMAN, Circuit Judge.

Grocery store chain Schnuck Markets, Inc. (Schnucks) sued its credit card processor, First Data Merchant Services Corporation (First Data), and the acquiring bank for its credit transactions, Citicorp Payment Services, Inc. (Citicorp). Schnucks alleges that First Data and Citicorp (collectively, Defendants) withheld more money from Schnucks following a data breach at Schnucks than their contract allowed. Schnucks brought declaratory judgment and breach of contract claims, and Defendants brought a declaratory judgment counterclaim. Both parties moved for judgment on the pleadings. Defendants appeal from the district court's order denying their motion for judgment on the pleadings and granting Schnucks's motion for judgment on the pleadings. Defendants also appeal from the district court's order denying their motion for reconsideration, or in the alternative for leave to amend their pleadings. We affirm.

The Honorable John A. Ross, United States District Judge for the Eastern District of Missouri.

I.

First Data served as Schnucks's credit card processor. Citicorp served as its acquiring bank. When a merchant such as Schnucks makes a credit card transaction, the acquiring bank pays the merchant and is reimbursed by the bank that issued the credit card (the issuing bank). The acquiring bank sponsors the merchant into credit card association networks, in this case Visa and MasterCard (the Associations), and vouches for the merchant's compliance with the Associations' rules. The Associations' rules provide that the Associations may issue fines against the acquiring bank in the event of a cardholder data breach and assess against the acquiring bank the costs of monitoring or cancelling at-risk cards and the amount of fraudulent charges on the at-risk cards.

The contract between the parties consists of a Master Services Agreement (MSA) between Schnucks and First Data and a Bankcard Addendum executed by Schnucks, First Data, and Citicorp. The Bankcard Addendum incorporates First Data's Operating Procedures, and the Bankcard Addendum and First Data's Operating Procedures incorporate the rules and regulations of the Associations. The contract imposes upon Schnucks a broad duty to indemnify Defendants for Schnucks's breach of contract. Under § 4.9 of First Data's Operating Procedures, a determination by the Associations that Schnucks is responsible for a data breach requires Schnucks to pay Defendants for "Data Compromise Losses," defined as "all related expenses, claims, assessments, fines, losses, costs, and penalties and Issuer reimbursements" that the Associations impose on Defendants.

Defendants argue that the Associations' rules are not incorporated into the agreement, or that only the rules applicable to the relationship between the parties are incorporated. We disagree. Although § 4 of the Bankcard Addendum merely requires Schnucks to comply with "all applicable Association Rules," § 25 requires Schnucks to "follow the Operating Procedures and comply with Association Rules as they may each be amended from time to time." And § A of First Data's Operating Procedures states that Schnucks "should consult the Card Organization Rules for complete information and to ensure full compliance with them." Moreover, ¶ 17 of Schnucks's Complaint alleged that "[t]he operating regulations of Visa and MasterCard are expressly incorporated by reference as part of the Agreement," which Defendants admitted in ¶ 17 of their Answer. The Associations' rules are thus incorporated into the agreement, even to the extent that they do not directly govern the relationship between Schnucks and Defendants.

Under § 5.4 of the MSA, however, Schnucks's liability is limited to $500,000, with certain exceptions:

Limitation of Liability. Notwithstanding anything in this MSA and any addenda to the contrary, Customer [Schnucks], FDMS [First Data] and its affiliates' cumulative liability ... for all losses, claims, suits, controversies, breaches, or damages for any cause whatsoever (including, but not limited to, those arising out of or related to this MSA and any addenda) and regardless of the form of action or legal theory shall not exceed $500,000. Notwithstanding the foregoing, [Schnucks], [First Data] and its affiliates' cumulative liability for its breach under Section 25 (Data Security) shall not exceed $3,000,000.... This Section 5.4 limitation of liability shall not apply to [Schnucks's] liability for chargebacks,

servicers' fees, third party fees, and fees, fines or penalities [sic] by the Association or any other card or debit card provided under this MSA or any addenda.

Section 13.3 of the Bankcard Addendum defines "third party fees" as "all fees and charges ... without limitation, of any Credit Card Association, Network, card-issuing organization, telecommunications provider, federal, state, or local governmental authority (each a ‘Third Party’) including, without limitation any switch fee, issuer[ ] reimbursement fee, adjustment fee, interchange fee, assessment fee or access fee[ ] (collectively, [‘]Third Party Fees')." The contract also permits Defendants to retain in a reserve account funds that Schnucks owes them.

In March 2013, a cyber-attack against Schnucks compromised cardholder data. MasterCard assessed a case-management fee against Citicorp, as well as costs to reimburse issuing banks for card monitoring and replacement and for fraudulent charges. Citicorp projected the total amount of Visa's assessment based on MasterCard's assessment. Based on these assessments and projections, First Data established a reserve account, and Defendants have withheld more than $500,000 from Schnucks's credit transactions.

Schnucks's breach of contract and declaratory judgment action alleges that the limitation of liability provision establishes a $500,000 cap on its liability for the assessments against Citicorp. Defendants' counterclaim seeks a declaration that the limitation of liability provision does not apply to fees charged by the Associations as a result of a cyber-attack, or fees, fines, or penalties charged by the Associations for a merchant's non-compliance with Payment Card Industry Data Security Standards. Defendants moved for judgment on the pleadings. Schnucks filed a cross-motion for partial judgment on the pleadings, seeking judgment on Schnucks's and Defendants' declaratory judgment claims but not on Schnucks's breach of contract claim.

The district court granted Schnucks's motion and denied Defendants' motion, holding that the assessments for issuing banks' losses were not "third party fees" or "fees, fines or penalties," and thus did not fall within the exception to limitation of liability set forth in the last sentence of § 5.4 of the MSA. The court reasoned that Defendants would have used the term "Data Compromise Losses" (or similar language) in § 5.4 had they intended to exclude these losses from the limitation of liability. The court explained that the plain meaning of the term "fee" is a payment for a service, not reimbursement for another's losses; furthermore, the court noted that the portions of the contract concerning fees do not mention reimbursement for data compromise events and that the portions concerning data compromise events do not refer to fees. The court ruled that the terms "fine" and "penalty" describe sums imposed as a punishment and do not include within their purview data compromise losses. The court concluded that it would be unreasonable to impose liability on Schnucks for all of Defendants' losses, for to do so would render the limitation of liability provision meaningless.

The court also determined that the parties had not raised as an issue the Bankcard Addendum's § 25 $3,000,000 limit regarding breaches of data-security standards. Accordingly, the district court entered a declaratory judgment that Schnucks's liability for the issuing banks' losses is capped at $500,000, and that Defendants must return the funds that they retained in excess of $500,000, plus the amount of the Visa fine and MasterCard case management fee. Defendants moved for reconsideration, or in the alternative for leave to amend their pleadings, arguing in part that the district court had erred in holding that Defendants had failed to raise the issue of the $3,000,000 limitation of liability. As stated earlier, Defendants now appeal from the grant of Schnucks's motion for judgment on the pleadings and the denial of their motion for reconsideration or leave to amend.

II.

A. Jurisdiction

We have jurisdiction over final decisions of the district courts. 28 U.S.C. § 1291. Schnucks's breach of contract claim is still pending before the district court and has been stayed during this appeal, but the district court certified its order granting Schnucks's motion for judgment on the pleadings as a final judgment under Federal Rule of Civil Procedure 54(b). We conclude that it did not abuse its discretion in ruling that the order was final and that there was no just reason for delay. See Jones v. W. Plains Bank & Tr. Co. , 813 F.3d 700, 703 (8th Cir. 2015) ("We review a district court's decision to grant Rule 54(b) certification for abuse of discretion.").

Defendants' motion for certification requested certification of the January 15 order regarding judgment on the pleadings, not the July 31 order denying their motion for reconsideration or leave to amend. Although the district court's judgment granting certification mentions only the January 15 order, its memorandum and order preceding the judgment stated: "Defendants now move for certification of the Court's January 15, 2015 Order ... allowing them to file an interlocutory appeal of both the January 15 and July 31, 2015 Orders in the Eighth Circuit." D. Ct. Order of Nov. 6, 2015, at 2. Defendants' notice of appeal states that they appeal from both orders. We conclude that the district court intended to certify both the January 15 order and the July 31 order and that we thus have jurisdiction to review both orders.

B. Judgment on the Pleadings

"We review de novo the district court's entry of judgment on the pleadings." Waldron v. Boeing Co. , 388 F.3d 591, 593 (8th Cir. 2004). A motion for judgment on the pleadings should be granted when, accepting all facts pled by the nonmoving party as true and drawing all reasonable inferences from the facts in favor of the nonmoving party, the movant has clearly established that no material issue of fact remains and that the movant is entitled to judgment as a matter of law. Id. We apply Missouri substantive law in light of the parties' agreement that the MSA provides that Missouri law shall govern the MSA and any addenda.

At the outset, we reject Defendants' argument that the limitation of liability does not apply to Schnucks's indemnity obligation for assessments against Defendants by the Associations. Defendants forfeited this argument because they did not raise it in the district court, but it would fail even if it had been preserved. Under § 5.4 of the MSA, the limitation of liability applies to "all losses, claims, suits, controversies, breaches, or damages for any cause whatsoever (including, but not limited to, those arising out of or related to this MSA and any addenda) and regardless of the form of action or legal theory." The assessments in this case not only fit within this broad provision, but would also qualify as "arising out of or related to this MSA and any addenda," because Schnucks's indemnity obligation to Defendants for the assessments arises from the contract.

Defendants argue that the MSA does not limit Schnuck's liability for the assessments for issuing banks' losses. As recounted above, § 4.9 of First Data's Operating Procedures requires Schnucks to indemnify Defendants for "Data Compromise Losses." Section 5.4 of the MSA limits Schnucks's liability to $500,000, but carves out liability for "third party fees" and "fees, fines or penalties" imposed by the Associations. Defendants argue that the assessments for issuing banks' losses fall within one or both of these carve-outs.

"The interpretation of a contract, including whether it is ambiguous, is a question of law." Adbar Co., L.C. v. PCAA Mo., LLC , No. 4:06-CV-1689, 2008 WL 68858, at *4 (E.D. Mo. Jan. 4, 2008) (citing Helterbrand v. Five Star Mobile Home Sales, Inc. , 48 S.W.3d 649, 658 (Mo. Ct. App. 2001) ). "When a contract uses plain and unequivocal language, it must be enforced as written." Deal v. Consumer Programs, Inc. , 470 F.3d 1225, 1230 (8th Cir. 2006) (quoting Lake Cable, Inc. v. Trittler , 914 S.W.2d 431, 436 (Mo. Ct. App. 1996) ). "To determine whether a contract is ambiguous, we consider the instrument as a whole, giving the words contained therein their ordinary meaning. A contract is not ambiguous merely because the parties dispute its meaning." Id. (citations omitted). Because the contract at issue is unambiguous, it must be enforced as written.

Defendants argue that the district court erroneously adopted the parties' agreement that the contract was unambiguous, rather than making this determination for itself. See Shaw Hofstra & Assocs. v. La d co Dev., Inc. , 673 F.3d 819, 826 (8th Cir. 2012) (holding that Missouri law requires that "the court must first determine as a matter of law whether a contract is ambiguous"). We disagree. The district court determined that the plain language of the contract decided the questions presented in this case, which to us indicates that the court had determined for itself that the contract was unambiguous and had not relied solely on the parties' agreement to that effect.

Defendants argue that the term "third party fees" includes the issuing banks' losses because § 13.3 of the Bankcard Addendum expansively defines "third party fees" as "all fees and charges ... without limitation" imposed by a third party. Defendants contend that the assessments for issuer losses are thus carved out of Schnucks's limitation of liability. The Missouri Court of Appeals has defined the term "fee" as "a sum paid or charged for a service." Strader v. Progressive Ins. , 230 S.W.3d 621, 625 (Mo. Ct. App. 2007). Defendants argue that the terms "fees and charges" may be defined more broadly as an amount of money that must be paid. Reading the contract as a whole, however, it is apparent that the parties intended the narrower definition. Section 13 of the Bankcard Addendum refers to "fees for Services." The list of specific fees and charges in § 13.3—"any switch fee, issuer[ ] reimbursement fee, adjustment fee, interchange fee, assessment fee or access fee"—militates in favor of construing "fees and charges" as payments for services. The assessments imposed by the Associations here do not qualify as payments for services, because they are imposed to compensate issuing banks for losses they sustained as a result of a data breach, not as compensation for performing services. Moreover, the assessments do not fall within the enumerated fees and charges set forth in § 13.3 of the Bankcard Addendum, including "issuer reimbursement fees." Accordingly, the assessments are not carved out from Schnucks's limitation of liability as "third party fees."

The district court noted that the term "issuer reimbursement fees" appears in MasterCard's rules, but only in the limited context of an excessive chargeback. Defendants argue that the district court "cherry picked" from MasterCard's rules in considering the use of the term "issuer reimbursement fees" and did not look at Visa's rules. Defendants do not point to any use of this term in Visa's rules, however, and we have found none.
--------

Defendants also argue that the assessments for issuer losses are carved out from the limitation of liability because they constitute "fees, fines or penalties" imposed by the Associations. We disagree. Having already concluded that the assessments for issuer losses are not "fees," we conclude that they also do not qualify as "fines or penalties." "The ordinary meaning of a ‘fine’ or ‘penalty’ is not compensation or reparation for an injury; rather, it is a sum imposed as punishment." Farmland Indus., Inc. v. Republic Ins. Co. , 941 S.W.2d 505, 511 (Mo. 1997) (en banc). The assessments for issuer losses are more accurately defined as "compensation or reparation for an injury" and not as "a sum imposed as punishment." In addition to the plain meaning of the terms "fines" and "penalties," the Associations' rules also indicate that the assessments for issuer losses are not "fines" or "penalties." The rules allow the Associations to impose fines for violations of data-security standards, but describe their programs to compensate issuing banks for data compromise event losses as methods of reimbursement, not fines or penalties. Thus, in reading the contract as a whole and in light of the plain meaning of the terms "fine" and "penalty," the district court did not err in holding that the assessments for issuing banks' losses do not constitute "fines or penalties."

Even if the text of the carve-outs in § 5.4 of the MSA did not decide the matter, the use of broader language elsewhere in the contract would indicate that the carve-outs should be read narrowly. For example, as set forth in § 4.9 of First Data's Operating Procedures, Schnucks must indemnify Defendants for "Data Compromise Losses," which includes "all related expenses, claims, assessments, fines, losses, costs, and penalties and Issuer reimbursements." Similarly, § 5.4 of the MSA limits liability "for all losses, claims, suits, controversies, breaches, or damages for any cause whatsoever." Had the parties intended to include reimbursements to issuing banks within the carve-outs from Schnucks's limitation of liability, they would have used more expansive language than simply "fees, fines or penalties."

Defendants argue that the contract is ambiguous because Schnucks's interpretation leads to the commercially unreasonable result of requiring Defendants to act as Schnucks's insurer. The parties disagree whether a commercially unreasonable result renders a contract ambiguous or whether commercial unreasonableness becomes relevant only after the court determines that the contract is ambiguous. We need not decide this question, because the underlying business arrangement, which represents Defendants' choice to vouch for Schnucks's compliance with data-security standards, is not rendered commercially unreasonable merely because the limitation on Schnucks's liability is broader than Defendants now wish it to be.

We further hold that the district court did not misapply the standard for judgment on the pleadings in concluding that Defendants had not raised the issue of the separate $3,000,000 limitation of liability. Defendants' briefing on the cross-motions for judgment on the pleadings did not argue that the $3,000,000 limitation of liability for breach of § 25 of the Bankcard Addendum applied. In any event, § 25 of the Bankcard Addendum concerns "fines" for violations of data security standards and, as discussed above, the assessments in question were not "fines."

C. Reconsideration or Leave to Amend Pleadings

We review for abuse of discretion a district court's decision on a motion for reconsideration or leave to amend under Rule 54(b). See K.C. 1986 Ltd. P'ship v. Reade Mfg. , 472 F.3d 1009, 1017 (8th Cir. 2007). A party that moves for leave to amend after the deadline in a scheduling order has passed must show good cause under Rule 16(b), the primary measure of which is the movant's diligence in attempting to comply with the scheduling order. Sherman v. Winco Fireworks, Inc. , 532 F.3d 709, 716 (8th Cir. 2008). District courts "have considerable discretion to deny a post-judgment motion for leave to amend because such motions are disfavored." United States ex rel. Roop v. Hypoguard USA, Inc. , 559 F.3d 818, 824 (8th Cir. 2009).

We conclude that the district court did not abuse its discretion in denying Defendants' motion for reconsideration or leave to amend, which essentially restated their assertions of error regarding judgment on the pleadings. Further, Defendants have not shown good cause for leave to amend. Defendants argue that "the need to amend was only brought to light by the District Court's conclusion that, notwithstanding the allegations in Defendants' Answer and Counterclaim, Defendants ‘did not allege that Schnucks was either negligent or PCI DSS non-compliant.’ " Appellants' Br. 47. As the district court stated, "Defendants are responsible for pleading their case without the Court's assistance." D. Ct. Order of July 31, 2015, at 9.

III.

Neither carve-out from the limitation of liability applies to the assessments that the Associations imposed on Defendants. The district court did not misapply the standard for judgment on the pleadings and did not abuse its discretion in denying Defendants' motion for reconsideration or leave to amend.

The judgment is affirmed.


Summaries of

Schnuck Mkts., Inc. v. First Data Merch. Servs. Corp.

United States Court of Appeals, Eighth Circuit.
Jan 13, 2017
852 F.3d 732 (8th Cir. 2017)

holding that contractual limit on liability favoring Schnucks applied to limit liabilities resulting from this data breach

Summary of this case from Cmty. Bank of Trenton v. Schnuck Mkts., Inc.

describing card networks' expectations, assessments, and resulting litigation

Summary of this case from Cmty. Bank of Trenton v. Schnuck Mkts., Inc.

interpreting § 5.4 in light of this data breach at Schnucks

Summary of this case from Cmty. Bank of Trenton v. Schnuck Mkts., Inc.
Case details for

Schnuck Mkts., Inc. v. First Data Merch. Servs. Corp.

Case Details

Full title:SCHNUCK MARKETS, INC., Plaintiff-Appellee v. FIRST DATA MERCHANT SERVICES…

Court:United States Court of Appeals, Eighth Circuit.

Date published: Jan 13, 2017

Citations

852 F.3d 732 (8th Cir. 2017)

Citing Cases

Cmty. Bank of Trenton v. Schnuck Mkts., Inc.

In their contracts, Schnucks, its bank, and its data processor effectively agreed to share resulting…

Von Kaenel v. Armstrong Teasdale, LLP

Fed.R.Civ.P.Rule 12(c). "A motion for judgment on the pleadings should be granted when, accepting all facts…