In a February 23, 2023 Decision issued by the United States Court of Appeals for the Fifth Circuit, Golenbock Eiseman Assor Bell & Peskoe LLP successfully obtained an affirmance of a lower court order dismissing in its entirety the six-count Third-Party Complaint brought by Landry’s, Inc., the national hospitality, entertainment and gaming corporation, against Mastercard International Incorporated.
The case arose from a data breach at Landry’s pursuant to which, beginning in 2014, hackers compromised credit card data at multiple Landry’s businesses. Pursuant to its rules, Mastercard imposed assessments on JPMorgan Chase Bank – Landry’s’ acquiring bank – to partially reimburse the banks that issued the payments cards that were put at risk by the breach for fraud losses and operational costs. Visa, Inc. separately assessed Chase under Visa’s own data breach rules. Chase invoked an indemnification clause in its merchant agreement with Landry’s to recover the amount of the assessments, but Landry’s refused to reimburse Chase. After Chase sued Landry’s in the United States District Court of the Southern District of Texas, Landry’s asserted Third-Party Complaints against Mastercard and Visa (represented by separate counsel), arguing that the card brands breached their respective contracts and associated rules with Chase and that the card brand rules designed to promote the security of the payment networks and assign responsibility for data breach losses (pursuant to which cardholders are held harmless for fraud on their accounts) are unenforceable. The District Court granted motions to dismiss by Mastercard and Visa, and also granted summary judgment in favor of Chase, holding that Landry’s owes reimbursement to Chase for the assessments pursuant to the Landry’s-Chase merchant agreement.
The Fifth Circuit affirmed in all respects. Significantly, the Fifth Circuit rejected Landry’s’ argument that the card brand data breach assessments constitute unenforceable “penalties.” The Court held that the fact that the assessments are designed to provide partial reimbursement to issuing banks for their losses from the breach does not somehow render them invalid: “Landry’s does not provide, nor have we found, any relevant state authority barring parties in commercial contracts from tying liquidated damages to the anticipated harm to a third party. Landry’s has therefore not rebutted the assessments’ presumptive validity.” In this regard, the Court found that the data breach assessment programs “make each Payment Brand an arbiter of sorts, balancing the competing interests of acquirers and issuers in the aftermath of a data breach.” It concluded that “Landry’s and Chase are sophisticated parties familiar with the loss-shifting inherent in the GCAR and ADC programs, so [the Court] will not disturb the allocation of risk adopted by the parties themselves.”
In affirming the dismissal of the third-party claims against the card brands, the Fifth Circuit also confirmed that Landry’s does not have standing as a putative “equitable subrogee” to assert claims against the card brands – with which it has no contractual privity – challenging the contractual relationships between the card brands and the acquiring bank (Chase). The Court held that Landry’s’ indemnification agreement with Chase does not make Landry’s an equitable subrogee because “Landry’s debt is its own, not that of the Payment Brands, because the assessments stem from Landry’s own conduct – namely, its failure to abide by the PCI DSS as it promised to do in the Merchant Agreement.” The Fifth Circuit relied for this holding on another case in New York State Court in which GEABP represented Mastercard and similarly obtained the dismissal of a merchant’s claims arising from a data breach, which was unanimously affirmed by the Appellate Division, Second Department: Jetro Holdings, LLC v. Mastercard International, Inc., 166 A.D.3d 594 (2d Dep’t 2018).
The case was featured in Law360. If you have a subscription, you may read it here: https://www.law360.com/hospitality/articles/1579459/5th-circ-says-landry-s-owes-chase-20m-in-data-breach-row