All with the Swipe of a Plastic Card . . . .
When a bank issues a credit card it enters into a vastnetwork of commercial transactions and relationships, and many of the partiesin that network are unknown to the bank. These numerous relationships are each governed by their owncontracts. For example, Visa is a “membershipassociation” owned and controlled by its members. To become a member of the Visa association, afinancial institution must agree to abide by Visa’s operating regulations. Visa has “issuing members,” which arefinancial institutions that issue Visa cards to cardholders pursuant to acontract. There also “acquiring members,”which are financial institutions that enter into contracts with merchants toprocess card transactions at the retail end. Just as Visa members, merchants must agree to comply with Visa’soperating regulations. Within this vast network,who should be liable for losses when a cardholder’s data is stolen? On what legal theory?
In a recent case in the Middle District of Pennsylvania,Sovereign (an issuing bank) sued Fifth Third Bank (an acquiring bank) and BJ’sWholesale Club (a merchant) for losses incurred when data was stolen from Sovereign’scardholders. The cardholders madepurchases at BJ’s when, with a swipe of their cards, a machine accessed accountdata from their magnetic stripes. Afteraccessing the account data, BJ’s did not erase the cardholders’ informationfrom its computers. BJ’s computer systemwas hacked, and the cardholders’ account numbers were stolen. As a consequence, Sovereign had to reissuethe cards and reimburse cardholders for unauthorized charges. Sovereign sued Fifth Third and BJ’s torecover these losses. Visa’s operatingregulations prohibit a merchant from storing or retaining cardholder data.
Sovereign asserted claims of breach of contract and promissoryestoppel against Fifth Third. Amongothers, Sovereign asserted claims of promissory estoppel and breach offiduciary duty against BJ’s. BJ’s andFifth Third moved to dismiss these claims. (The breach of contract claim against Fifth Third was not a subject of thecourt’s decision on the motions to dismiss).
The court dismissed both of the promissory estoppel claims.
The court held that Sovereign could not allegea valid promissory estoppel claim against Fifth Third because Sovereign’sdecision to provide BJ’s with cardholders’ information was not made in relianceon Fifth Third’s promise to insure that BJ’s would not store or retain thatinformation. The court determined thatSovereign’s claim, in a much broader sense, was based on its decision toparticipate in the Visa network, and Sovereign could not reasonably argue thatit joined the network in reliance on the promise of unknown acquiring banks tokeep tabs on merchants’ handling of cardholder data. Further, the court held that, even ifSovereign had relied on Fifth Third’s promise to guard cardholders’ data,Sovereign’s reliance would not have been reasonable because Fifth Third did notmake any promises directly to Sovereign.
Likewise, Sovereign’s promissory estoppel claim against BJ’sfailed because BJ’s expressly excluded third parties from benefiting from itsmerchant agreements with Fifth Third. Given this express disclaimer of any intention to benefit third parties,the court held that BJ’s could not have reasonably expected that Sovereign – a thirdparty to BJ’s agreements with Fifth Third – would rely on BJ’s promises inthose agreements.
Sovereign’s breach of fiduciary duty claim against FifthThird was also dismissed. The court heldthat no fiduciary duty was imposed on Fifth Third because Sovereign had notturned over substantial control of its affairs to Fifth Third – Sovereign’ssurrender of cardholder information to complete a transaction was not thesubstantial surrender of control that imposed a fiduciary duty upon FifthThird. Sovereign’s surrender of thecardholder’s information was simply part of the business transaction betweenthe cardholder and BJ’s.
Thus, at least based upon these legal theories, Sovereignwas stuck with its losses from the cardholders’ stolen account numbers.
Bank v. BJ’s Wholesale Club, Inc., ___ F. Supp.2d ___, 2006WL 1000058 (M.D.
[Meredith R. Miller]