Hospitality Law: Credit Card Data Breach Fines

Restaurant’s Litigation Challenges Card Network Data Breach Fines
Cisero’s, a small family restaurant in Park City, Utah, has filed a counterclaim against U.S. Bank and Elavon, Inc., Cisero’s former acquiring bank and payment card processor. Cisero’s is challenging the lawfulness of Elavon’s demand for indemnification from Cisero’s for fines assessed by Visa and MasterCard on U.S. Bank arising out of an alleged data breach at Cisero’s.

The Cisero’s lawsuit has drawn the attention of Wired, Bloomberg, and The Rolling Stone.

The Facts
In 2008, Elavon informed Cisero’s that there may have been a data breach of Cisero’s point-of-sale system that resulted in a compromise of Cisero’s customers’ credit and debit card data. Despite the fact that a forensic investigation yielded no evidence of a data breach, Elavon demanded indemnification from Cisero’s for fines and alleged fraud losses assessed by Visa and MasterCard on U.S. Bank (Elavon’s affiliate) arising from this supposed data breach. Elavon unilaterally withdrew about $10,000 from Cisero’s bank account with U.S. Bank before Cisero’s changed its processor.

In May 2010, Elavon sued Cisero’s for the balance of the fines, approximately $80,000.

Cisero’s filed a counterclaim against Elavon in June 2010, and has recently amended its counterclaim to include U.S. Bank as a counterclaim defendant. The amended counterclaim seeks to have the indemnification claim declared unenforceable against Cisero’s, and also seeks damages from Elavon and U.S. Bank, including for negligence and breach of contract.

The Claims
Merchants, like Cisero’s, are forced to enter into adhesion contracts that purport to incorporate by reference the networks’ data security rules and enforcement procedures despite the fact that:

(i) those rules are agreements between the networks and their card-processing banks,

(ii) merchants have no input with respect to those rules,

(iii) those rules can change at any time, and

(iv) merchants are bound by those changes even if nobody notifies the merchants of the changes.

With respect to enforcing these rules, the networks have unbridled discretion to serve as judge, jury and executioner.  Networks can impose staggering fines and penalties without having to prove there was any data breach at all, let alone any resulting fraud loss.  Further, the rules do not permit merchants to present their side of the story to the networks.

Among its claims in this case, Cisero’s asserts that U.S. Bank and Elavon are not entitled to indemnification because of their improper conduct, the unconscionable nature of the contract, and the punitive nature of the fines and penalties.

Learn More at the Hospitality Law Conference
I will be discussing the litigation at the 2012 Hospitality Law Conference, where I will review Cisero’s counterclaims and defenses and the litigation’s current status. My presentation will also address the litigation’s broader implications for the hospitality industry.  
February 8-10
Houston, Texas

Steve Cannon is chairman of Constantine Cannon LLP and the managing partner of Constantine Cannon’s Washington, DC office. He is speaking at the Hospitality Law Conference on February 8 at 10 a.m.

Editor’s note: Keep in mind that the same outcome may not be reached in every state due to different statutes and court decisions.
