Supermarket Chain Data Breach Loss Capped at $500,000

In what may be one of a few legal battles regarding financial liabilities of data breaches, the United States District Court ruled that supermarket chain Schnuck Markets is only liable for the first $500,000 in damages resulting from a series of data hacks between 2012 and 2013, according to Business Insurance.

Decided on Jan. 15, Schnuck Markets Inc. v. First Data Merchant Data Services Corp. and Citicorp Payment Services Inc. centered on the defendants withholding transaction money from Schnuck in excess of an existing merchant processing agreement as a way of reimbursing banks that issue payment cards affected by the attack. The agreement also specifies that a store is only more liable if it fails to meet “an industry imposed network security framework” as a result of the breach, or if there are specific fees, fines and penalties that exist outside of the liability limitation clause.

The ruling, handed down by Judge John A. Ross, states that the court agreed with Schnuck that the exceptions did not apply in this case.

“After careful review of the parties’ agreement as a whole, and following the well-established principles of contract interpretation, the Court finds the exception for ‘third party fees’ and ‘fees, fines and penalties’ was not intended to apply to liability for issuer losses assessed (by the issuing networks),” Ross wrote in the ruling.

Citicorp and First Data were ordered to return the funds that were in excess of the $500,000 agreement, as well as the undisclosed Visa fines and MasterCard case management fees.

The debate over data liability has increased over the last year thanks to regulations that will move liability to retailers starting Oct. 15 with the former EMV rollover, as well as other cases against major retailers like Target that were allowed to proceed in federal court over data breaches.