Schnuck Markets, Inc. v. First Data Merchant Data Services Corp. et al
Filing
98
MEMORANDUM AND ORDER - IT IS HEREBY ORDERED that Defendants Motion for Partial Reconsideration or, in the Alternative, Motion for Leave to Amend Pleading [ #84 ] is DENIED. IT IS FURTHER ORDERED that Defendants Request for Oral Argument [ #87 ] is DENIED. Signed by District Judge John A. Ross on 7/31/15. (KJS)
UNITED STATES DISTRICT COURT
EASTERN DISTRICT OF MISSOURI
EASTERN DIVISION
SCHNUCK MARKETS, INC.,
Plaintiff,
vs.
FIRST DATA MERCHANT DATA
SERVICES CORPORATION and
CITICORP PAYMENT SERVICES, INC.,
Defendants.
Case No. 4:13-CV-2226-JAR
MEMORANDUM AND ORDER
This matter is before the Court on Defendants’ Motion for Partial Reconsideration of the
Court’s January 15, 2015 Order granting Plaintiff’s partial cross-motion for judgment on the
pleadings, filed pursuant to Fed.R.Civ.P. 54(b). (Doc. No. 84) Alternatively, Defendants move
for leave to amend their pleadings pursuant to Fed.R.Civ.P. 15(a)(2). The motion is fully briefed
and ready for disposition.[1]
[1] Defendants have requested oral argument. (Doc. No. 87) Finding that the issues have been extensively
briefed and that oral argument would not assist the Court, the request is denied.
Background
The background of this case is set out in detail in the Court’s January 15, 2015 Order.
(Doc. No. 69 at 1-4) Briefly, the parties’ dispute arises from a cyber attack and data breach of
Schnucks’ payment and card processing systems in late 2012 through early 2013. The parties’
relationship is governed by a Master Services Agreement (“MSA”) between Schnucks and First
Data, a Bankcard Addendum to Master Services Agreement (“Bankcard Addendum”) between
Schnucks, First Data, and Citicorp, and First Data’s Program Terms and Conditions (“Operating
Procedures”) (collectively referred to as “the Agreement”). The Agreement obligates Schnucks
to indemnify Defendants for “all losses, liabilities, damages and expenses” under certain
circumstances, but also limits Schnucks’ liability to $500,000, with two exceptions. For
noncompliance with an industry-imposed network security framework known as Payment Card
Industry Data Security Standards (“PCI DSS”), the limit is higher ($3,000,000), while for
“chargebacks, servicers’ fees, third party fees, and fees, fines or penalties” assessed by Visa and
MasterCard (“the Associations”), the limit does not apply at all.[2] The Agreement authorizes
Defendants to establish and fund a reserve account from Schnucks’ payment card transactions to
offset its indemnity obligations in an amount not to exceed current and anticipated Association
fees or fines.
[2] Section 5.4 of the MSA provides, in pertinent part:
Limitation of Liability. NOTWITHSTANDING ANYTHING IN THIS MSA AND ANY ADDENDA
TO THE CONTRARY, CUSTOMER [Schnucks], FDMS [First Data] AND ITS AFFILIATES'
CUMULATIVE LIABILITY, IN THE AGGREGATE … FOR ALL LOSSES, CLAIMS, SUITS,
CONTROVERSIES, BREACHES, OR DAMAGES FOR ANY CAUSE WHATSOEVER
(INCLUDING, BUT NOT LIMITED TO, THOSE ARISING OUT OF OR RELATED TO THIS MSA
AND ANY ADDENDA) AND REGARDLESS OF THE FORM OF ACTION OR LEGAL THEORY
SHALL NOT EXCEED $500,000. NOTWITHSTANDING THE FOREGOING, CUSTOMER, FDMS
AND ITS AFFILIATES' CUMULATIVE LIABILTY [sic] FOR ITS BREACH UNDER SECTION 25
(DATA SECURITY) SHALL NOT EXCEED $3,000,000 … THIS SECTION 5.4 LIMITATION OF
LIABILITY SHALL NOT APPLY TO CUSTOMER'S LIABILITY FOR CHARGEBACKS,
SERVICERS' FEES, THIRD PARTY FEES, AND FEES, FINES OR PENALITIES [sic] BY THE
ASSOCIATION OR ANY OTHER CARD OR DEBIT CARD PROVIDED UNDER THIS MSA OR
ANY ADDENDA.
Schnucks alleged Defendants breached the Agreement by wrongfully withholding funds
owed to Schnucks in an amount that was substantially more than the liability limitation of
$500,000. Schnucks also sought a declaration that its obligation to indemnify Defendants for
losses incurred by issuing banks was limited to $500,000 under the terms of the parties’
Agreement and that Defendants must return to Schnucks the amount of Schnucks’ funds placed
in a Reserve Account that exceeded the amount of the Visa fine and MasterCard case
management fee. Defendants asserted a counterclaim against Schnucks for a declaration that the
limitation of liability in the Agreement did not apply to: (i) fees charged by MasterCard or Visa
to Defendants including, but not limited to, servicers’ fees, third-party fees, fees related to fraud
reimbursement and recovery, and/or (ii) fees, fines or penalties charged by Visa or MasterCard
for failure to comply with the PCI DSS requirements.
Both sides asserted the contract language was unambiguous. Neither side undertook any
discovery and proceeded on cross-motions for judgment on the pleadings. The issue presented
by the parties’ competing motions was whether the exception for “third party fees” or “fees,
fines or penalties” applied to liability for issuer losses. The Court denied Defendants’ motion and
granted Schnucks’ motion, ruling that Schnucks’ maximum liability under the terms of the
Agreement for issuing bank losses assigned by the Associations for monitoring and/or card
replacement and counterfeit fraud losses as a result of the data security breach was $500,000.00,
and that Defendants must return to Schnucks any funds held in excess of that amount plus the
Visa fine and MasterCard case management fee.
Defendants make three arguments in favor of reconsideration. First, Defendants argue the
Court misapplied the standard for ruling on a motion for judgment on the pleadings by failing to
accept as true their allegations of Schnucks’ negligence and PCI DSS non-compliance and draw
all reasonable inferences from the pleadings in their favor. As a result, the Court failed to
consider the circumstances in which the $3 million limitation of liability applied. (Doc. No. 85 at
4-6) Second, Defendants assert the Court considered documents outside the pleadings, namely
the Association Rules, thereby converting Schnucks’ motion into a motion for summary
judgment without permitting Defendants to present competing evidence. (Id. at 6-10) Third,
Defendants argue these errors led to a commercially unreasonable result, i.e., making Defendants
an insurer for Schnucks’ data breaches. (Id. at 10-14)
Legal standard
Under Rule 54(b), the Court may amend or reconsider any ruling to correct any “clearly
or manifestly erroneous findings of facts or conclusions of law.” Prosser v. Nagaldinne, 2013
WL 308770 at *1 (E.D.Mo. Jan. 25, 2013) (quoting Jones v. Casey's Gen. Stores, 551 F.Supp.2d
848, 854 (S.D.Iowa 2008)). A motion to reconsider under Rule 54(b) cannot be used to identify
facts or legal arguments which could have been, but were not, raised in the original motion. Id.
Discussion
Defendants first argue the Court overlooked their explicit allegations concerning
Schnucks’ negligence in connection with the data breach, as well as allegations within the
pleadings concerning Schnucks’ PCI DSS noncompliance. According to Defendants, if the Court
had applied the proper Rule 12(c) standard,[3] it would have had to decide whether Schnucks’
negligence and PCI DSS noncompliance, both of which constitute breaches of § 25 of the
Bankcard Addendum (Data Security), rendered the $3 million, rather than the $500,000,
limitation of liability provision applicable to Defendants’ assessment against Schnucks through
the Reserve Account. Although Defendants now point to their ninth and tenth affirmative
defenses wherein they raised Schnucks’ negligence and its own actions or inactions as the cause
of their damages, neither side addressed this in their prior briefing. Even accepting Defendants’
allegations of negligence or non-compliance resulting in fines as true, their argument fails.
[3] A motion for judgment on the pleadings under Fed.R.Civ.P. 12(c) is governed by the same standards as
a motion to dismiss under Fed.R.Civ.P. 12(b)(6). Courts must accept the nonmovant’s allegations as true,
viewing the facts in the light most favorable to the nonmoving party. Bowen Eng'g Corp. v. Pac. Indem.
Co., 2015 WL 4111830, at *5 (E.D. Mo. July 7, 2015).
Section 25 (Data Security) of the Bankcard Addendum authorizes the Associations to
impose “restrictions, fines, or prohibit CUSTOMER [Schnucks] from participating in
Association programs if it is determined CUSTOMER is non-compliant with such programs.”
The $3 million limitation of liability provision applies as a limit to those fines imposed by the
Associations for PCI DSS non-compliance. The parties acknowledged that virtually all of the
actual and projected assessments (“approximately 97 %”) imposed by the Associations were for
reimbursement of losses claimed by issuing banks.[4] The Court rejected Defendants’ argument
that “Third Party Fees,” as defined in the Bankcard Addendum, includes both “issuer
reimbursement fees” and “assessment fees,” and that “fees” as used in the exception
encompasses “reimbursements and assessments.” In so doing, the Court found the exception for
“Third Party Fees” and “fees, fines and penalties” was not intended to apply to liability for issuer
losses assessed by the Association. Thus, this exception does not apply to liability to reimburse
issuers for their losses. Defendants’ counterclaim and Rule 12(c) briefs never asserted that the $3
million limitation applied to liability for issuer losses.
[4] In its complaint Schnucks alleged that “approximately 97% of the actual and projected amount of the
assessments imposed by [the Associations] was for reimbursement of losses claimed by issuing banks.”
(Compl., Doc. No. 9 at ¶ 30) Defendants denied this allegation “as stated” (Answer, Doc. No. 20 at ¶ 30),
but in their briefing they never contested it, and in fact used it to support their argument that because
“Third Party Fees” includes both issuer reimbursement and assessment fees, Schnucks was essentially
conceding the assessments imposed by the Associations fall almost exclusively within this definition.
(See Doc. No. 37 at ¶ 23; Doc. No. 38 at 2-3, 14; Doc. No. 49 at 4-5)
Because assessments for the purpose of reimbursing issuing banks are not fines for
noncompliance with § 25 of the Bankcard Addendum, the $3 million exception would only apply
if the remaining 3% was a “fine” or “fee.” The general allegation in the affirmative defenses of
Schnucks’ negligence is conclusory and certainly insufficient to even suggest a fine or fee for
PCI DSS noncompliance. Neither side addressed the remainder of the assessments imposed by
the Associations in the earlier arguments and pleadings and the Court will not do so at this
juncture.
Next, Defendants assert the Court erred in considering and relying on the Association
Rules, which they now contend were neither part of the pleadings nor the Agreement. The Court
finds no basis for finding it improperly considered the Association Rules in light of the
information presented to the Court on the parties’ motions for judgment on the pleadings. The
parties agreed the MSA, Bankcard Addendum, and Operating Procedures, all attached to the
pleadings, constitute the entire agreement between the parties. The Operating Procedures are
essentially a summary of common Association Rules paired with a caveat that the merchant
should “consult the Card Organization Rules for complete information and to ensure full
compliance with them.” (Doc. No. 37-3 at 3)
The Bankcard Addendum incorporates the terms of the MSA and First Data’s Operating
Procedures. Both the MSA and Bankcard Addendum incorporate the rules and regulations of
Visa and MasterCard (“the Associations”). The Bankcard Addendum obligates Schnucks to
comply with the Association Rules as they may be amended from time to time and states that the
respective rights and obligations of Defendants shall be governed by, inter alia, the Bankcard
Association Rules. The Bankcard Addendum further states Defendant Citicorp’s obligations
“shall be limited to the sponsorship and settlement of certain Card transactions submitted in
accordance with the terms and conditions of this Bankcard Addendum and the Bankcard
Association Rules.” (See Doc. No. 37-2) It also provides: “SERVICERS [Defendants] represent
and warrant that SERVICERS will provide the services in accordance with the applicable
association rules and applicable law.” (Id. at § 15.2)
Clearly this is an argument that Defendants could have asserted in prior briefing. A
motion to reconsider under Rule 54(b) cannot be used to identify facts or legal arguments which
could have been, but were not, raised in the original motion.
As for the Court’s alleged errors in construing the Agreement, Defendants are merely
reasserting arguments previously rejected by the Court. Defendants assert the Court did not give
effect to the terms “all” or “without limitation” in the definition of “Third Party Fees” and “did
not even attempt to ascribe meaning to the term ‘charges.’” (Doc. No. 85 at 11) The Court
considered this argument presented by Defendants in their prior briefing in support of their
interpretation of “Third Party Fees” to encompass “issuer reimbursements” (see Doc. No. 49 at
8-9) and again now for reconsideration. The Court rejected Defendants’ interpretation, ruling that
“[t]he term ‘Third Party Fees’, as defined in the Bankcard Addendum, refers to fees charged by
third parties in connection with Defendants’ processing services, such as ‘interchange fees’ and
‘access fees’ (see Doc. No. 44-1), as opposed to liability for actual issuer losses.” (Doc. No. 69 at
16)
Defendants also argue the term “fee” was susceptible to more than one meaning, thereby
necessitating denial of Schnucks’ motion. Defendants could certainly have raised this argument
in response to the underlying motion, but failed to do so, and may not now use it to argue for
reconsideration. See Prosser, 2013 WL 308770, at *1.
Lastly, Defendants argue the Court’s construction of the Agreement leads to a
commercially unreasonable result by effectively making them an insurer of Schnucks for any
damage done, regardless of cause, resulting from Schnucks’ PCI DSS non-compliance and data
breaches.” This argument is without merit. The Court is simply giving effect to terms in an
agreement between sophisticated parties where each side argues the agreement is unambiguous.
Schnucks’ obligation to indemnify Defendants for losses incurred by issuing banks up to
$500,000 is a commercially reasonable result. Indeed, the Court rejected Defendants’
interpretation that the terms “Third Party Fees” and “fees, fines or penalties” apply to liability for
issuer losses because it would have resulted in holding Schnucks responsible for all financial
liability imposed on Defendants by the Associations relating to the data breach, thereby
rendering the limitation of liability clause meaningless. (Doc. No. 69 at 17) Because none of
Defendants’ arguments for reconsideration are deemed sufficient by the Court, Defendants’
motion to reconsider will be denied.
Defendants move in the alternative for leave to amend their pleadings. Although leave to
amend “shall be freely given when justice so requires,” see Fed.R.Civ.P. 15(a)(2), there is no
absolute or automatic right to amend. Moreover, where a party seeks leave to amend after the
deadline in the applicable scheduling order has passed, the good cause standard of Rule 16(b)
applies, not the liberal standard of Rule 15(a). Sherman v. Winco Fireworks, Inc., 532 F.3d 709,
716 (8th Cir. 2008). “The primary measure of good cause is the movant's diligence in attempting
to meet the order's requirements.” Rahn v. Hawkins, 464 F.3d 813, 822 (8th Cir.2006).
Defendants’ motion to amend comes over eight months after the deadline in the Case
Management Order. Defendants assert the need to amend was brought to light by the Order’s
conclusion that Defendants “did not allege that Schnucks was either negligent or PCI DSS noncompliant” or “the proper application of the $3 million limitation of liability provision.”
Defendants are responsible for pleading their case without the Court’s assistance. Defendants do
not assert a change in the law or discovery of new facts. Instead, it appears Defendants’ proposed
amendments could have been asserted within the time allowed for amending the pleadings.
Accordingly, the Court finds no good cause has been shown.
Further, district courts in this circuit have considerable discretion to deny a postjudgment motion for leave to amend because such motions are disfavored. U.S. ex rel. Roop v.
Hypoguard USA, Inc., 559 F.3d 818, 822-23 (8th Cir.2009) (“[I]nterests of finality dictate that
leave to amend should be less freely available after a final order has been entered.”) (quoting
Briehl v. General Motors Corp., 172 F.3d 623, 629 (8th Cir.1999)); see also Bills v. United
States Steel LLC, 267 F.3d 785, 788 (8th Cir.2001); Parnes v. Gateway 2000, Inc., 122 F.3d 539,
550–51 (8th Cir.1997); Humphreys v. Roche Biomedical Lab., Inc., 990 F.2d 1078, 1082 (8th
Cir.1993). Here the parties chose to proceed with their case on motions for judgment on the
pleadings. The grant of a motion for judgment on the pleadings constitutes final judgment on the
merits of the controversy within the meaning of Rule 54. Weger v. City of Ladue, 2004 WL
3651669, at *1-2 (E.D.Mo. Dec. 30, 2004) (citing 5A Charles A. Wright & Arthur R. Miller,
Federal Practice and Procedure, § 1372 (1990)). The Court will, therefore, in the exercise of its
discretion, deny Defendants’ motion for leave to amend.
Conclusion
After careful review of the parties’ legal memoranda and the applicable law, the Court
concludes that Defendants have failed to establish a basis for finding any “clearly or manifestly
erroneous findings of facts or conclusions of law.”
Accordingly,
IT IS HEREBY ORDERED that Defendants’ Motion for Partial Reconsideration or, in
the Alternative, Motion for Leave to Amend Pleading [84] is DENIED.
IT IS FURTHER ORDERED that Defendants’ Request for Oral Argument [87] is
DENIED.
Dated this 31st day of July, 2015.
____________________________________
JOHN A. ROSS
UNITED STATES DISTRICT JUDGE