Schnuck Markets, Inc. v. First Data Merchant Data Services Corp. et al

Filing 98

MEMORANDUM AND ORDER - IT IS HEREBY ORDERED that Defendants' Motion for Partial Reconsideration or, in the Alternative, Motion for Leave to Amend Pleading [ #84 ] is DENIED. IT IS FURTHER ORDERED that Defendants' Request for Oral Argument [ #87 ] is DENIED. Signed by District Judge John A. Ross on 7/31/15. (KJS)

UNITED STATES DISTRICT COURT
EASTERN DISTRICT OF MISSOURI
EASTERN DIVISION

SCHNUCK MARKETS, INC., Plaintiff,
vs.
FIRST DATA MERCHANT DATA SERVICES CORPORATION and CITICORP PAYMENT SERVICES, INC., Defendants.

Case No. 4:13-CV-2226-JAR

MEMORANDUM AND ORDER

This matter is before the Court on Defendants’ Motion for Partial Reconsideration of the Court’s January 15, 2015 Order granting Plaintiff’s partial cross-motion for judgment on the pleadings, filed pursuant to Fed.R.Civ.P. 54(b). (Doc. No. 84) Alternatively, Defendants move for leave to amend their pleadings pursuant to Fed.R.Civ.P. 15(a)(2). The motion is fully briefed and ready for disposition.[1]

[1] Defendants have requested oral argument. (Doc. No. 87) Finding that the issues have been extensively briefed and that oral argument would not assist the Court, the request is denied.

Background

The background of this case is set out in detail in the Court’s January 15, 2015 Order. (Doc. No. 69 at 1-4) Briefly, the parties’ dispute arises from a cyber attack and data breach of Schnucks’ payment and card processing systems in late 2012 through early 2013. The parties’ relationship is governed by a Master Services Agreement (“MSA”) between Schnucks and First Data, a Bankcard Addendum to Master Services Agreement (“Bankcard Addendum”) between Schnucks, First Data, and Citicorp, and First Data’s Program Terms and Conditions (“Operating Procedures”) (collectively referred to as “the Agreement”). The Agreement obligates Schnucks to indemnify Defendants for “all losses, liabilities, damages and expenses” under certain circumstances, but also limits Schnucks’ liability to $500,000, with two exceptions. For noncompliance with an industry-imposed network security framework known as Payment Card Industry Data Security Standards (“PCI DSS”), the limit is higher ($3,000,000), while for “chargebacks, servicers’ fees, third party fees, and fees, fines or penalties” assessed by Visa and MasterCard (“the Associations”), the limit does not apply at all.[2]

[2] Section 5.4 of the MSA provides, in pertinent part: Limitation of Liability. NOTWITHSTANDING ANYTHING IN THIS MSA AND ANY ADDENDA TO THE CONTRARY, CUSTOMER [Schnucks], FDMS [First Data] AND ITS AFFILIATES' CUMULATIVE LIABILITY, IN THE AGGREGATE … FOR ALL LOSSES, CLAIMS, SUITS, CONTROVERSIES, BREACHES, OR DAMAGES FOR ANY CAUSE WHATSOEVER (INCLUDING, BUT NOT LIMITED TO, THOSE ARISING OUT OF OR RELATED TO THIS MSA AND ANY ADDENDA) AND REGARDLESS OF THE FORM OF ACTION OR LEGAL THEORY SHALL NOT EXCEED $500,000. NOTWITHSTANDING THE FOREGOING, CUSTOMER, FDMS AND ITS AFFILIATES' CUMULATIVE LIABILTY [sic] FOR ITS BREACH UNDER SECTION 25 (DATA SECURITY) SHALL NOT EXCEED $3,000,000 … THIS SECTION 5.4 LIMITATION OF LIABILITY SHALL NOT APPLY TO CUSTOMER'S LIABILITY FOR CHARGEBACKS, SERVICERS' FEES, THIRD PARTY FEES, AND FEES, FINES OR PENALITIES [sic] BY THE ASSOCIATION OR ANY OTHER CARD OR DEBIT CARD PROVIDED UNDER THIS MSA OR ANY ADDENDA.

The Agreement authorizes Defendants to establish and fund a reserve account from Schnucks’ payment card transactions to offset its indemnity obligations in an amount not to exceed current and anticipated Association fees or fines.

Schnucks alleged Defendants breached the Agreement by wrongfully withholding funds owed to Schnucks in an amount that was substantially more than the liability limitation of $500,000. Schnucks also sought a declaration that its obligation to indemnify Defendants for losses incurred by issuing banks was limited to $500,000 under the terms of the parties’ Agreement and that Defendants must return to Schnucks the amount of Schnucks’ funds placed in a Reserve Account that exceeded the amount of the Visa fine and MasterCard case management fee.

Defendants asserted a counterclaim against Schnucks for a declaration that the limitation of liability in the Agreement did not apply to: (i) fees charged by MasterCard or Visa to Defendants including, but not limited to, servicers’ fees, third-party fees, fees related to fraud reimbursement and recovery, and/or (ii) fees, fines or penalties charged by Visa or MasterCard for failure to comply with the PCI DSS requirements.

Both sides asserted the contract language was unambiguous. Neither side undertook any discovery and proceeded on cross-motions for judgment on the pleadings. The issue presented by the parties’ competing motions was whether the exception for “third party fees” or “fees, fines or penalties” applied to liability for issuer losses. The Court denied Defendants’ motion and granted Schnucks’ motion, ruling that Schnucks’ maximum liability under the terms of the Agreement for issuing bank losses assigned by the Associations for monitoring and/or card replacement and counterfeit fraud losses as a result of the data security breach was $500,000.00, and that Defendants must return to Schnucks any funds held in excess of that amount plus the Visa fine and MasterCard case management fee.

Defendants make three arguments in favor of reconsideration. First, Defendants argue the Court misapplied the standard for ruling on a motion for judgment on the pleadings by failing to accept as true their allegations of Schnucks’ negligence and PCI DSS non-compliance and draw all reasonable inferences from the pleadings in their favor. As a result, the Court failed to consider the circumstances in which the $3 million limitation of liability applied. (Doc. No. 85 at 4-6) Second, Defendants assert the Court considered documents outside the pleadings, namely the Association Rules, thereby converting Schnucks’ motion into a motion for summary judgment without permitting Defendants to present competing evidence. (Id. at 6-10) Third, Defendants argue these errors led to a commercially unreasonable result, i.e., making Defendants an insurer for Schnucks’ data breaches. (Id. at 10-14)

Legal standard

Under Rule 54(b), the Court may amend or reconsider any ruling to correct any “clearly or manifestly erroneous findings of facts or conclusions of law.” Prosser v. Nagaldinne, 2013 WL 308770 at *1 (E.D.Mo. Jan. 25, 2013) (quoting Jones v. Casey's Gen. Stores, 551 F.Supp.2d 848, 854 (S.D.Iowa 2008)). A motion to reconsider under Rule 54(b) cannot be used to identify facts or legal arguments which could have been, but were not, raised in the original motion. Id.

Discussion

Defendants first argue the Court overlooked their explicit allegations concerning Schnucks’ negligence in connection with the data breach, as well as allegations within the pleadings concerning Schnucks’ PCI DSS noncompliance. According to Defendants, if the Court had applied the proper Rule 12(c) standard,[3] it would have had to decide whether Schnucks’ negligence and PCI DSS noncompliance, both of which constitute breaches of § 25 of the Bankcard Addendum (Data Security), rendered the $3 million, rather than the $500,000, limitation of liability provision applicable to Defendants’ assessment against Schnucks through the Reserve Account. Although Defendants now point to their ninth and tenth affirmative defenses wherein they raised Schnucks’ negligence and its own actions or inactions as the cause of their damages, neither side addressed this in their prior briefing.

[3] A motion for judgment on the pleadings under Fed.R.Civ.P. 12(c) is governed by the same standards as a motion to dismiss under Fed.R.Civ.P. 12(b)(6). Courts must accept the nonmovant’s allegations as true, viewing the facts in the light most favorable to the nonmoving party. Bowen Eng'g Corp. v. Pac. Indem. Co., 2015 WL 4111830, at *5 (E.D. Mo. July 7, 2015).

Even accepting Defendants’ allegations of negligence or non-compliance resulting in fines as true, their argument fails. Section 25 (Data Security) of the Bankcard Addendum authorizes the Associations to impose “restrictions, fines, or prohibit CUSTOMER [Schnucks] from participating in Association programs if it is determined CUSTOMER is non-compliant with such programs.” The $3 million limitation of liability provision applies as a limit to those fines imposed by the Associations for PCI DSS non-compliance.

The parties acknowledged that virtually all of the actual and projected assessments (“approximately 97%”) imposed by the Associations were for reimbursement of losses claimed by issuing banks.[4] The Court rejected Defendants’ argument that “Third Party Fees,” as defined in the Bankcard Addendum, includes both “issuer reimbursement fees” and “assessment fees,” and that “fees” as used in the exception encompasses “reimbursements and assessments.” In so doing, the Court found the exception for “Third Party Fees” and “fees, fines and penalties” was not intended to apply to liability for issuer losses assessed by the Association. Thus, this exception does not apply to liability to reimburse issuers for their losses. Defendants’ counterclaim and Rule 12(c) briefs never asserted that the $3 million limitation applied to liability for issuer losses.

[4] In its complaint Schnucks alleged that “approximately 97% of the actual and projected amount of the assessments imposed by [the Associations] was for reimbursement of losses claimed by issuing banks.” (Compl., Doc. No. 9 at ¶ 30) Defendants denied this allegation “as stated” (Answer, Doc. No. 20 at ¶ 30), but in their briefing they never contested it, and in fact used it to support their argument that because “Third Party Fees” includes both issuer reimbursement and assessment fees, Schnucks was essentially conceding the assessments imposed by the Associations fall almost exclusively within this definition. (See Doc. No. 37 at ¶ 23; Doc. No. 38 at 2-3, 14; Doc. No. 49 at 4-5)

Because assessments for the purpose of reimbursing issuing banks are not fines for noncompliance with § 25 of the Bankcard Addendum, the $3 million exception would only apply if the remaining 3% was a “fine” or “fee.” The general allegation in the affirmative defenses of Schnucks’ negligence is conclusory and certainly insufficient to even suggest a fine or fee for PCI DSS noncompliance. Neither side addressed the remainder of the assessments imposed by the Associations in the earlier arguments and pleadings and the Court will not do so at this juncture.

Next, Defendants assert the Court erred in considering and relying on the Association Rules, which they now contend were neither part of the pleadings nor the Agreement. The Court finds no basis for finding it improperly considered the Association Rules in light of the information presented to the Court on the parties’ motions for judgment on the pleadings. The parties agreed the MSA, Bankcard Addendum, and Operating Procedures, all attached to the pleadings, constitute the entire agreement between the parties. The Operating Procedures are essentially a summary of common Association Rules paired with a caveat that the merchant should “consult the Card Organization Rules for complete information and to ensure full compliance with them.” (Doc. No. 37-3 at 3) The Bankcard Addendum incorporates the terms of the MSA and First Data’s Operating Procedures. Both the MSA and Bankcard Addendum incorporate the rules and regulations of Visa and MasterCard (“the Associations”).
The Bankcard Addendum obligates Schnucks to comply with the Association Rules as they may be amended from time to time and states that the respective rights and obligations of Defendants shall be governed by, inter alia, the Bankcard Association Rules. The Bankcard Addendum further states Defendant Citicorp’s obligations “shall be limited to the sponsorship and settlement of certain Card transactions submitted in accordance with the terms and conditions of this Bankcard Addendum and the Bankcard Association Rules.” (See Doc. No. 37-2) It also provides: “SERVICERS [Defendants] represent and warrant that SERVICERS will provide the services in accordance with the applicable association rules and applicable law.” (Id. at § 15.2) Clearly this is an argument that Defendants could have asserted in prior briefing. A motion to reconsider under Rule 54(b) cannot be used to identify facts or legal arguments which could have been, but were not, raised in the original motion.

As for the Court’s alleged errors in construing the Agreement, Defendants are merely reasserting arguments previously rejected by the Court. Defendants assert the Court did not give effect to the terms “all” or “without limitation” in the definition of “Third Party Fees” and “did not even attempt to ascribe meaning to the term ‘charges.’” (Doc. No. 85 at 11) The Court considered this argument presented by Defendants in their prior briefing in support of their interpretation of “Third Party Fees” to encompass “issuer reimbursements” (see Doc. No. 49 at 8-9) and again now for reconsideration. The Court rejected Defendants’ interpretation, ruling that “[t]he term ‘Third Party Fees’, as defined in the Bankcard Addendum, refers to fees charged by third parties in connection with Defendants’ processing services, such as ‘interchange fees’ and ‘access fees’ (see Doc. No. 44-1), as opposed to liability for actual issuer losses.” (Doc. No. 69 at 16)

Defendants also argue the term “fee” was susceptible to more than one meaning, thereby necessitating denial of Schnucks’ motion. Defendants could certainly have raised this argument in response to the underlying motion, but failed to do so, and may not now use it to argue for reconsideration. See Prosser, 2013 WL 308770, at *1.

Lastly, Defendants argue the Court’s construction of the Agreement leads to a commercially unreasonable result by effectively making them an insurer of Schnucks for any damage done, regardless of cause, resulting from Schnucks’ PCI DSS non-compliance and data breaches.” This argument is without merit. The Court is simply giving effect to terms in an agreement between sophisticated parties where each side argues the agreement is unambiguous. Schnucks’ obligation to indemnify Defendants for losses incurred by issuing banks up to $500,000 is a commercially reasonable result. Indeed, the Court rejected Defendants’ interpretation that the terms “Third Party Fees” and “fees, fines or penalties” apply to liability for issuer losses because it would have resulted in holding Schnucks responsible for all financial liability imposed on Defendants by the Associations relating to the data breach, thereby rendering the limitation of liability clause meaningless. (Doc. No. 69 at 17)

Because none of Defendants’ arguments for reconsideration are deemed sufficient by the Court, Defendants’ motion to reconsider will be denied.

Defendants move in the alternative for leave to amend their pleadings. Although leave to amend “shall be freely given when justice so requires,” see Fed.R.Civ.P. 15(a)(2), there is no absolute or automatic right to amend. Moreover, where a party seeks leave to amend after the deadline in the applicable scheduling order has passed, the good cause standard of Rule 16(b) applies, not the liberal standard of Rule 15(a). Sherman v. Winco Fireworks, Inc., 532 F.3d 709, 716 (8th Cir. 2008).
“The primary measure of good cause is the movant's diligence in attempting to meet the order's requirements.” Rahn v. Hawkins, 464 F.3d 813, 822 (8th Cir.2006).

Defendants’ motion to amend comes over eight months after the deadline in the Case Management Order. Defendants assert the need to amend was brought to light by the Order’s conclusion that Defendants “did not allege that Schnucks was either negligent or PCI DSS noncompliant” or “the proper application of the $3 million limitation of liability provision.” Defendants are responsible for pleading their case without the Court’s assistance. Defendants do not assert a change in the law or discovery of new facts. Instead, it appears Defendants’ proposed amendments could have been asserted within the time allowed for amending the pleadings. Accordingly, the Court finds no good cause has been shown.

Further, district courts in this circuit have considerable discretion to deny a postjudgment motion for leave to amend because such motions are disfavored. U.S. ex rel. Roop v. Hypoguard USA, Inc., 559 F.3d 818, 822-23 (8th Cir.2009) (“[I]nterests of finality dictate that leave to amend should be less freely available after a final order has been entered.”) (quoting Briehl v. General Motors Corp., 172 F.3d 623, 629 (8th Cir.1999)); see also Bills v. United States Steel LLC, 267 F.3d 785, 788 (8th Cir.2001); Parnes v. Gateway 2000, Inc., 122 F.3d 539, 550–51 (8th Cir.1997); Humphreys v. Roche Biomedical Lab., Inc., 990 F.2d 1078, 1082 (8th Cir.1993). Here the parties chose to proceed with their case on motions for judgment on the pleadings. The grant of a motion for judgment on the pleadings constitutes final judgment on the merits of the controversy within the meaning of Rule 54. Weger v. City of Ladue, 2004 WL 3651669, at *1-2 (E.D.Mo. Dec. 30, 2004) (citing 5A Charles A. Wright & Arthur R. Miller, Federal Practice and Procedure, § 1372 (1990)). The Court will, therefore, in the exercise of its discretion, deny Defendants’ motion for leave to amend.

Conclusion

After careful review of the parties’ legal memoranda and the applicable law, the Court concludes that Defendants have failed to establish a basis for finding any “clearly or manifestly erroneous findings of facts or conclusions of law.”

Accordingly,

IT IS HEREBY ORDERED that Defendants’ Motion for Partial Reconsideration or, in the Alternative, Motion for Leave to Amend Pleading [84] is DENIED.

IT IS FURTHER ORDERED that Defendants’ Request for Oral Argument [87] is DENIED.

Dated this 31st day of July, 2015.

JOHN A. ROSS
UNITED STATES DISTRICT JUDGE
