A Q&A with Doug Meal
The brave new world of cyber liability got a lot more complicated last May. That’s when the Jetro Holdings LLC v MasterCard Inc. case held that if a card brand withholds merchant funds to satisfy the brand’s PCI fines and assessments following a data breach, the merchant has no legal recourse against the brand—even if the brand acted unlawfully in imposing the fines and assessments in the first place. I talked to attorney Doug Meal of Ropes & Gray, LLP, to explore this case and its implications for retailers and their insurers.
Can you please provide an overview of this case and explain why both clients and their cyber liability insurers should be concerned about the ruling and overall outcome?
Jetro is a restaurant supply merchant that suffered a data security breach back in 2011 and a second one in 2012. Efforts were made by the criminals to steal payment card data from Jetro during the breaches, but the criminals were never caught and there has never been confirmation that account data was actually stolen. Nonetheless, MasterCard asserted that Jetro was liable, under its rules, for $6.5 million in fines, fees and assessments, and based on that assertion MasterCard withheld $6.5 million of funds that Jetro was due for purchases Jetro customers had made using MasterCard-branded payment cards.
Jetro believes MasterCard acted in violation of its own rules and New York law in imposing and collecting the $6.5 million. The wrinkle is that, because MasterCard doesn’t enter into contracts directly with merchants like Jetro—but instead contracts with “acquiring banks” that in turn license merchants to accept the MasterCard-branded card—MasterCard could collect the $6.5 million by withholding Jetro funds from Jetro’s acquiring bank, which funds the bank in turn withheld from Jetro. That meant the only way for Jetro to get its unlawfully withheld funds was to sue MasterCard, even though Jetro doesn’t have a contract directly with MasterCard.
Jetro sued MasterCard in New York state court, alleging that MasterCard had collected the money unlawfully and advancing two alternative theories to get that money back from MasterCard. One theory was that under the doctrine of equitable subrogation Jetro should be able to step into its acquiring bank’s shoes and assert the bank’s claim that MasterCard had violated the bank’s contract with MasterCard in imposing and collecting the $6.5 million. Theory two was that if Jetro can’t step into its acquiring bank’s shoes and assert the bank’s contract rights against MasterCard, then MasterCard had been unjustly enriched, at Jetro’s expense, by MasterCard’s unlawful actions in imposing and collecting the $6.5 million, and accordingly MasterCard was directly liable to Jetro for the $6.5 million.
MasterCard moved to dismiss, in essence using the absence of a contract between MasterCard and Jetro as grounds for saying “you can’t touch us Jetro, even if we violated the law in taking your $6.5 million.” The trial court agreed and granted the motion, dismissing Jetro’s suit in its entirety.
The trial court’s decision should be of grave concern to both merchants and the cyber insurers who insure them against liabilities they may incur in the context of cyber events. This decision, if it stands up on appeal, means that a merchant will have no recourse against MasterCard when MasterCard imposes fines, fees, and assessments by reason of data breach – even if MasterCard acts unlawfully in doing so. From an insurer’s point of view, to the extent a cyber policy covers PCI fines, fees, and assessments of this sort, affirmance of the trial court’s decision will mean that the insurer will essentially be at MasterCard’s mercy in regard to such fines, fees, and assessments, because no matter how high an amount MasterCard imposes, and even if MasterCard violates the law in arriving at that amount, neither the insurer nor its insured will have any recourse against MasterCard.
Was Jetro in compliance with PCI standards prior to their breach event?
One of the disputes in the case is that MasterCard says that Jetro wasn’t in compliance but Jetro says it was. The important point is that, according to the trial court’s decision, it doesn’t matter, because even if Jetro were in compliance with PCI prior to the breach, Jetro still has no recourse against MasterCard for MasterCard’s wrong finding to the contrary and for MasterCard’s having withheld $6.5 million of Jetro’s money based on that wrong finding.
To your knowledge, have any of the major card companies ever determined that a company recently breached was still in compliance with PCI post breach? Of course we know that good/compliant security is never a 100% guarantee against a breach occurring.
I can think of at least two cases where the card brands’ forensic investigator found the merchant in question to be compliant with PCI notwithstanding the fact it suffered a breach. So it’s not unheard of, and under the card brand rules if you were compliant you’re not responsible for the breach and there’s no liability. But even in those two cases the card brands disputed their own forensic investigators’ findings and put the investigators on probation for having made those findings. What happens in most cases is that a key point of dispute between the card brands and their forensic investigator on the one hand, and the merchant and its forensic investigator on the other, is whether or not the merchant was compliant with PCI at the time of the breach. Almost invariably, the card brands and their forensic investigator say the merchant was noncompliant, but frequently the merchant has a strong argument that it was in fact compliant. Again, what the Jetro trial court said was that even if MasterCard wrongly finds PCI non-compliance and takes millions of dollars of a merchant’s money based on that wrong finding, the merchant has no recourse against MasterCard for having done so.
What is MasterCard’s alleged basis for issuing the portion of the $6.5+ million assessment that is nominally for fraud, even though in this case there does not appear to be detectable theft of account data? How was the amount calculated?
For any group of payment cards that’s out in circulation at any given time, there’s a certain amount of fraud that is going to show up on that group of cards in the future. In other words, for every payment card that is in circulation on January 1 of the coming year, there is a certain risk that particular card will “go fraudulent” at some point during 2017. We all see this every time one of our cards gets canceled and we get issued a new one. So the question in the data breach context is how much of the fraud that shows up after the breach on the cards involved in the breach is the ordinary course “baseline” level of fraud that would have occurred anyway, and how much is “incremental” fraud that can fairly be said to have been caused by the breach. Each card brand has its own formula for making this determination, and the formulas all yield different results, with the one consistency being that the formulas all yield calculations favorable to the issuers of the payment cards and unfavorable to the breached merchant. In this case, the MasterCard formula came up with millions of dollars of fraud even though there’s no definitive evidence that card info was stolen. That has been another point of dispute in this case—and again, according to the trial court’s decision, even if a completely bogus formula was used by MasterCard, MasterCard is still untouchable by Jetro.
Any lessons learned or final thoughts for customers concerned about this exposure?
I think from an insured’s point of view you would have to be very concerned that under this ruling you have essentially unlimited exposure to MasterCard if you are unfortunate enough to suffer a data security breach, and therefore it should be very important to you to have cyber insurance that protects you against all that exposure. As in this case, you could be found liable to MasterCard for millions of dollars where you did nothing wrong, and left with no recourse against MasterCard when it withholds your money as payment for the liability it unlawfully imposed. On the other hand, insurers ought to be thinking about what they’re really signing up for when they agree to underwrite this exposure for clients. In our practice we’ve seen some gigantic assessments recently imposed by MasterCard, and we think this will be a wave going forward, since as long as the Jetro decision is out there, MasterCard can point to that decision and claim it can do whatever it wants, even to the point of acting unlawfully, and neither the insured nor its insurer can do anything to stop it.
We want to thank Mr. Meal for his expert insights into this critical exposure facing many retailers, especially those that might someday sustain a data breach event. We hope to stay in touch with Mr. Meal and get a later update as this case is resolved. The potential for an unknown and/or an unlimited exposure is of keen interest to risk managers, as well as their cyber liability insurers that often insure against PCI penalties.