Judge Rules in Favor of Limited Liability for Retailer in Breach | NACS Online – Media – News Archive
Sign In Help

The Association for Convenience & Fuel Retailing

Skip Navigation LinksNACS Online / Media / News Archive

Judge Rules in Favor of Limited Liability for Retailer in Breach

Maximum liability of $500,000 for grocer in 2012 data breach, with bank and payment processor directed to return merchant funds.
January 29, 2015

​ST. LOUIS – A U.S. District Court judge has ruled in favor of retail chain Schnuck Markets following its data breach, ruling that the company is only liable to pay a maximum of $500,000 in damages. The bank and payments processor, Citicorp and First Data Merchant Services Corp, respectively, will be responsible for footing the remainder of the bill stemming from a 2012 data breach at the company.

The ruling could set a precedent for future victims of cybercrimes, putting a limit on the liability of retailers.

According to the judge in the Schnuck Markets case, an agreement was in place between the retailer and its payment processors that the store would only be liable if it failed to meet “an industry-imposed network security framework.” In his ruling, U.S. District Judge John Ross declined the payment processors’ claims that some of the wording in the agreements, relating to “third parties,” would place more liability on the grocery store.

Citicorp and First Data must now return money to Schnuck Markets that they had withheld: “Schnucks’ maximum liability under the terms of the agreement for issuing bank losses assigned by the [card] associations for monitoring/card replacement and counterfeit fraud losses as a result of the data security breach is $500,000. Defendants must return to Schnucks any funds held in excess of that amount, plus the Visa fine and MasterCard case management fee,” stated the ruling.