ST. LOUIS (2/2/15)--A U.S. District Court judge ruled in January that a certain retailer involved in a 2012-2013 data breach is only liable to pay a maximum of $500,000 in damages following the breach.
Schnuck Markets was the victim of a data breach from December 2012 to March 2013, which the St. Louis Business Journal reports exposed an estimated 2.4 million credit and debit cards.
Last June, Schnucks asked a judge to force its transaction processor, First Data Merchant Services, and Citicorp Payment Services Inc., its bank, to return money earmarked for losses related to the data breach.
First Data and Citicorp must return to Schnucks any funds held in excess of $500,000, plus a Visa fine and MasterCard case management fee. According to the ruling, "Schnucks' maximum liability under the terms of the agreement for issuing bank losses assigned by the [card] associations for monitoring/card replacement and counterfeit fraud losses as a result of the data security breach is $500,000" (NACS Daily Jan. 29).
An agreement was in place between the retailer and its payment processors that the grocery chain would only be liable if it failed to meet "an industry-imposed network security framework."
U.S. District Judge John Ross' ruling declined the payment processors' claims that some of the wording in the agreements--that related to "third parties"--would place more liability on the grocery store.
The Credit Union National Association continues to pursue with the U.S. Congress securing a strong federal law providing data breach standards for merchants and for reimbursement to card issuers in the event of a breach.