Last August, Schnuck Markets, Inc. (Schnucks) settled lawsuits resulting from a 2013 data breach, agreeing to pay customers for “documented lost time,” fraudulent charges and “extraordinary unreimbursed monetary losses” likely resulting from the breach.

Recently, in its Memorandum and Order filed in Schnuck Markets, Inc. v. First Data Merchant Data Serv. Corp. et al., the federal district court for the Eastern District of Missouri held that Schnucks was obligated to indemnify its credit card processors, First Data and Citicorp Payment Services, only up to the indemnity cap of $500,000 under the parties’ agreement rather than the full amount of their data breach losses. Per the agreement, the card processors provided credit and debit card processing services to Schnucks. Schnucks was obligated to indemnify the card processors up to $500,000 for any losses, liabilities and damages. However, Schnucks was obligated to fully indemnify the card processors for the total amount of any third-party fees and fees, fines and penalties, among other charges, assessed by the credit card companies. The court ultimately found that the fraud reimbursement and recovery and fees arising from Schnucks’ data breach assessed by the credit card companies against the card processors were not fees, fines or penalties as the court interpreted those terms. Based on a reading of the parties’ complete agreement, the court found that the fee language in the indemnity provision related to routine credit card processing service fees, not data breach-related losses. Further, the fact that data breach losses were referenced and defined elsewhere in the agreement but not in the indemnity provision bolstered the court’s reasoning that the parties did not intend to include these losses in the indemnity provision.

In this case, the court undertook a rigorous analysis of the parties’ agreement in order to determine the parties’ intent as to whether data breach losses were subject to the $500,000 indemnity cap. As instances of data breaches become more prevalent, businesses of all sizes that contract with parties for services that may implicate data privacy concerns should strongly consider expressly including losses or fees associated with a data breach in the agreement’s indemnity or limitation of liability provisions in order to clarify the allocation of each party’s risk.

Additionally, this data breach resulted in litigation involving Schnucks’ insurer, Liberty Mutual Insurance Company. In the resulting declaratory judgment action, Liberty took the position that this breach was not covered under the CGL policy issued to Schnucks.