Sovereign Bank and the Pennsylvania State Employees Credit Union (PSECU) appealed the dismissal of claims related to the theft of credit card information from a retailer's computer system. The appeals are consolidated under the Third Circuit's case numbers 06-3392 and 06-3405. Both banks are members of the Visa network, where they function as "Issuers," allowing them to issue Visa cards. Fifth Third Bank, another member of the Visa network, acts as an "Acquirer," establishing contracts with businesses that accept Visa cards. The court's opinion, filed on July 16, 2008, by Circuit Judge McKee, addresses the legal implications of the theft and the relationships among the parties involved. The court partially reversed and partially affirmed the lower court's orders.
Merchants, such as BJ’s Wholesale Club, Inc., engage Acquirers to process transactions on their behalf, forming a Merchant Agreement. Although Merchants use the Visa network for transactions, they do not have a direct contractual relationship with Visa, as only financial institutions can be Visa members. When a cardholder uses a Visa card, the transaction involves interaction between the Issuer, Acquirer, and Merchant. The Merchant's scanners read the Cardholder Information from the card, which is then sent to the Issuer for authorization. Upon approval, the Merchant finalizes the sale and forwards the receipt to the Acquirer for payment.
Visa's extensive Operating Regulations govern these transactions, including security protocols such as the Cardholder Information Security Program (CISP). CISP mandates that Issuers and Acquirers must not retain Cardholder Information post-transaction. Visa has enforcement powers, allowing it to impose fines and penalties for non-compliance, with provisions for appeals to its Board of Directors whose decisions are final. The Operating Regulations grant Visa exclusive rights to interpret and enforce compliance and require Issuers and Acquirers to ensure adherence by their agents and Merchants.
Dispute resolution provisions within the regulations enable members to address chargebacks—transactions returned from Issuer to Acquirer—due to customer disputes or unrecognized charges. Additionally, Compliance provisions allocate financial losses due to violations, allowing the Issuer to transfer losses to the Acquirer if the latter's non-compliance leads to losses from fraudulent activities.
All Members of the Visa network, including Issuers and Acquirers, are bound by the Operating Regulations outlined in their Membership Agreements. Acquirers must ensure that Merchants comply with these regulations before entering into Merchant Agreements, and they are responsible for ongoing compliance. Each Merchant Agreement must include specific provisions from Section 5.2 of the Operating Regulations, particularly 5.2.h.3.b, which prohibits Merchants from retaining or storing Cardholder Information after transaction authorization.
The litigation arose from a February 2004 incident where Visa identified a compromise of Cardholder Information for cards issued by Sovereign, PSECU, and others, linked to fraudulent purchases at BJ’s stores. Visa issued a CAMS alert to notify affected Issuers about the compromised cards used at BJ’s between July 2003 and February 2004. In response, Sovereign canceled and reissued cards for impacted cardholders, alleging that BJ’s improperly retained Cardholder Information, violating the Operating Regulation 5.2.h.3.b.
Sovereign claims this breach of duty by BJ’s enabled fraudulent transactions and asserts that Fifth Third also failed in its duty to ensure BJ’s compliance. Consequently, Sovereign contends it was obligated to reimburse cardholders for fraudulent charges, incurring costs and losses, including the expense of issuing replacement cards and damage to its reputation. PSECU similarly canceled approximately 20,000 cards and incurred about $98,000 in reissuance costs. Sovereign subsequently filed suit against Fifth Third and BJ’s on January 10, 2005, seeking damages for negligence, breach of contract, and equitable indemnification related to these losses.
BJ’s and Fifth Third removed the case to the U.S. District Court for the Eastern District of Pennsylvania, which was later transferred to the Middle District to consolidate with another case brought by Pennsylvania State Employees Credit Union (PSECU) against Fifth Third and BJ’s for costs incurred in replacing compromised Visa cards. BJ’s and Fifth Third filed motions to dismiss under Fed. R. Civ. P. 12(b)(6). The court denied BJ’s motion regarding the negligence claim but granted it for breach of contract and equitable indemnification claims. Fifth Third’s motions resulted in a dismissal of its negligence and equitable indemnification claims but not for the breach of contract claim.
Fifth Third sought reconsideration regarding the breach of contract claim, which hinged on whether it and Visa intended to provide enforceable rights to Sovereign Bank as a third-party beneficiary. The court converted this motion into one for summary judgment and ordered discovery on the third-party beneficiary issues. Sovereign subsequently filed an amended complaint, asserting new claims against BJ’s and restating its breach of contract claim against Fifth Third, which led to renewed motions to dismiss from both parties. The district court dismissed all claims against BJ’s and all claims against Fifth Third except for the breach of contract claim.
After conducting limited discovery, including the deposition of Visa's representative, the court granted summary judgment in favor of Fifth Third, ruling that Sovereign was not an intended beneficiary of the Visa-Fifth Third Member Agreement. Sovereign then appealed the dismissals of its claims against Fifth Third and BJ’s, focusing on the breach of contract claim against Fifth Third, which was predicated on Sovereign's claim to be a third-party beneficiary of the Member Agreement. Under Pennsylvania law, a third-party beneficiary must be intended by both contracting parties, and this intention must be clearly articulated in the contract.
Sovereign acknowledges it is not an express third-party beneficiary of the Visa-Fifth Third Member Agreement but references the Pennsylvania Supreme Court's adoption of Section 302 of the Restatement (Second) of Contracts, which allows an “intended beneficiary” to sue for breach of contract even without explicit intent from the contracting parties to benefit the third party. Under Section 302, a beneficiary is deemed intended if recognizing their right to performance aligns with the parties' intentions and if the promisee (Visa) intends to confer benefits on the beneficiary (Sovereign).
The district court converted Fifth Third’s motion to dismiss into a motion for summary judgment, allowing limited discovery. This included various documents and the deposition of Visa’s representative, Alex Miller. Miller testified that he was unaware of any intention by Visa to enable a Member to enforce the Operating Regulations directly, emphasizing that the core purpose of these regulations was to establish conditions for participation that benefit the Visa payment system and its stakeholders. He clarified that the prohibition against retaining Cardholder Information was not intended to benefit any specific member but aimed to enhance the overall value of the Visa system by protecting all participants, including cardholders, issuers, and merchants. Miller noted that while issuers are affected by the regulations, the overarching goal was not directed at any single entity but rather at maximizing systemic value and protecting cardholder data.
Fifth Third argues that Visa's CISP program is designed to benefit the entire Visa system, enhancing overall integrity, efficiency, and cardholder security through regulations applicable to all Visa members. This, they claim, justifies their entitlement to summary judgment against Sovereign's breach of contract claim, emphasizing that the prohibition on merchants retaining Cardholder Information serves the collective interests of the Visa network rather than individual issuers.
Sovereign counters that there is a genuine dispute regarding Visa's intent. They reference a 1993 memorandum titled "Retention of Magnetic-Stripe Data Prohibited," which outlined a regulation forbidding the storage of magnetic-stripe data to protect against fraud, suggesting that Visa intended for issuers like Sovereign to directly benefit from this prohibition. Sovereign cites further evidence, including a 2003 Visa article stating that the CISP aims to prevent data compromises that negatively impact issuers, acquirers, and the payment system's integrity.
Additionally, during Miller's deposition, he acknowledged that while the operating regulations are primarily for the Visa system's benefit, they may incidentally benefit other participants, including issuers. Sovereign interprets Miller's comments as indicative of an understanding that the regulations could provide direct advantages to them. This exchange is presented to support Sovereign’s position that the prohibition on storing Cardholder Information was specifically intended to protect the interests of issuers.
Sovereign contends that Visa recognized Issuers as intended beneficiaries of the Member Agreements, contrary to the assertion that they are merely incidental beneficiaries. Sovereign claims that the district court improperly acted as a fact-finder in granting summary judgment to Fifth Third, overlooking well-established standards for such judgments. The court referenced Miller’s deposition testimony as evidence of Visa's intent but concluded that it did not sufficiently support Sovereign's contract claim, noting that while Sovereign benefits from Visa's prohibition on retaining magnetic-stripe data, there is no evidence indicating that Visa intended to benefit Sovereign specifically. As a result, the court determined that Sovereign is at most an incidental beneficiary, which does not have the right to enforce the contract.
The district court’s approach to summary judgment was confirmed as aligned with legal standards, as articulated in Saldana v. Kmart Corp. The court must assess whether a genuine issue of material fact exists and if not, whether the moving party is entitled to judgment as a matter of law, viewing the facts in favor of the nonmoving party. The opposing party must provide specific facts demonstrating a genuine issue for trial; mere allegations are insufficient. The summary judgment process requires evidence that allows a reasonable jury to return a verdict for the nonmoving party, with the evidence needing to exceed a minimal threshold.
To survive a motion for summary judgment, a nonmovant must provide sufficient evidence for a reasonable jury to rule in their favor. Rule 56(c) specifies that mere factual disputes do not defeat a summary judgment motion unless there is a genuine issue of material fact, which is determined by the substantive law. The court found that while it did not err in using terms like "reasonable jury" or "substantial evidence," it did misapply the principles governing summary judgment by granting it erroneously in favor of Sovereign. Sovereign needed to show that Visa intended to provide a benefit under the Visa-Fifth Third Member Agreement, particularly regarding the prohibition against retaining Cardholder Information. The court concluded that Sovereign met this burden, particularly referencing Visa’s August 1993 memorandum and deposition testimony from Miller, which indicated an intent to benefit Issuers. Although Miller's testimony also acknowledged other stakeholders, it suggested an intent by Visa to benefit individual Issuers like Sovereign. The August 1993 memorandum reinforced this intent by stating that Acquirers must ensure merchants do not store magnetic-stripe information to protect the Visa system and Issuers from fraud exposure.
Acquirers are mandated to protect Issuers by preventing Merchants from retaining Cardholder Information, as outlined in a memorandum from August 1993. This memorandum raises a genuine issue regarding Visa's intent to extend Fifth Third’s promise to ensure BJ's compliance with the Visa-Fifth Third Member Agreement. Consequently, the district court's summary judgment in favor of Fifth Third on the breach of contract claim is reversed, and the case is remanded for further proceedings.
In a related matter, Fifth Third's counsel cited a decision from the District of Massachusetts regarding a similar case involving TJX, where Issuers brought third-party beneficiary claims against Fifth Third due to a data breach. The court dismissed these claims, referencing an updated section of the Operating Regulations that explicitly barred third-party beneficiaries. However, since this regulation was adopted after the current events, the TJX case does not inform the present analysis.
Sovereign's equitable indemnification claims against Fifth Third and BJ's were dismissed by the district court, a decision Sovereign argues was erroneous. The dismissal standard under Fed. R.Civ. P. 12(b)(6) is reviewed de novo, considering the Supreme Court's Twombly decision, which requires complaints to state factual allegations that plausibly suggest entitlement to relief, raising claims above mere speculation. This standard applies broadly, as established in Phillips v. County of Allegheny. The complaint must provide enough factual detail to raise a reasonable expectation that discovery will yield necessary evidence.
The court extended the holding from Phillips to the employment discrimination context, applying the plausibility standard from Twombly to evaluate claims of employment discrimination. It maintains that this standard is relevant for assessing the adequacy of the current complaint. Indemnity rights are grounded in the distinction between primary and secondary liability, where secondary liability arises without active fault and is based on a legal obligation to cover damages caused by another's negligence. Specifically, Sovereign claims a right to indemnification from BJ’s and Fifth Third due to their primary liability for negligently maintaining cardholder information. Sovereign asserts it is only secondarily liable under the Truth in Lending Act (TILA), which limits cardholder liability for unauthorized charges to $50. When a fraudulent purchase is made, the cardholder is charged, and upon notification of fraud, the issuer must credit the account for the excess over $50. Sovereign argues that it had to reimburse cardholders for amounts charged before fraud was reported to maintain liability under the TILA. However, the court disagrees, finding no legal support for Sovereign's claim for equitable indemnification under TILA, which is designated as a consumer protection statute and does not require issuers to cover costs from unauthorized credit card use.
Cardholders' liability for unauthorized charges is capped at $50 under certain conditions, as outlined in TILA § 1643, which solely addresses cardholder liability and does not impose obligations on issuers or other parties. Consequently, the district court rightly dismissed Sovereign's equitable indemnification claims against Fifth Third and BJ’s. Additionally, the court rejected Sovereign's negligence claim against BJ’s, citing the economic loss doctrine, which prohibits negligence claims that result only in economic damages without accompanying physical or property damage. This doctrine, first discussed in Pennsylvania courts in Aikens v. Baltimore, Ohio R.R. Co., emphasizes foreseeability and liability limitations. The Pennsylvania Superior Court has ruled that no cause of action exists for purely economic losses due to negligence, as demonstrated in the context of tortious interference with contracts. The court referenced the U.S. Supreme Court’s decision in Robins Dry Dock and Repair Co. v. Flint, asserting that negligent harm to economic interests is too remote for recovery, primarily because the negligent party is typically unaware of any contractual relationships and, thus, cannot foresee potential harm. Public policy further supports restricting recovery to injuries involving personal or property damage.
Allowing a cause of action for negligent interference with economic advantage would impose an undue burden on industrial freedom and create a disparity between the potential damages recoverable and the defendant's degree of fault. This would enable any individual or business to file claims for purely economic losses, posing a risk to the economic system. Consequently, the Superior Court concluded that no negligence claim exists for losses solely of an economic nature.
Sovereign's negligence claim against BJ’s seeks to recover costs related to replacing customers’ Visa cards and reimbursing customers for fraudulent purchases resulting from BJ’s negligence. Sovereign attempts to circumvent the economic loss doctrine by referencing the Pennsylvania Supreme Court's decision in Bilt-Rite Contractors, claiming it undermines the doctrine established in Aikens v. Baltimore & Ohio R.R. Co. Sovereign argues that the district court improperly assessed its losses as purely economic, asserting it incurred property loss—money—due to BJ’s negligence. This argument lacks merit, as it would undermine the economic loss doctrine by equating any financial loss with property loss necessary for a negligence claim.
Sovereign also contends that the economic loss doctrine applies only when the plaintiff suffers unforeseeable losses, claiming its losses were foreseeable due to BJ’s negligence. While Sovereign's losses may have been foreseeable, this does not strengthen its claim, as it did not sustain any property loss. Furthermore, Sovereign's position overlooks the public policy rationale articulated in Aikens.
Lastly, Sovereign argues that the Bilt-Rite decision weakened the economic loss doctrine by allowing negligence claims regardless of economic loss. In Bilt-Rite, a general contractor incurred cost overruns due to inaccuracies in specifications provided by an architect and sued for negligent misrepresentation to recover those losses.
The trial court upheld the architect’s preliminary objections citing the economic loss doctrine, a decision affirmed by the Pennsylvania Superior Court. However, the Pennsylvania Supreme Court ruled that the economic loss doctrine does not preclude a contractor’s claim for negligent misrepresentation. The Supreme Court indicated that since the contractor had no contractual relationship with the architect, contractual recovery was unavailable, but a viable claim for negligent misrepresentation could still proceed without privity. The Court emphasized that it would be illogical to apply the economic loss doctrine in such a way that would prevent recovery for proven damages after establishing the cause of action. Sovereign misinterprets the Supreme Court's ruling in Bilt-Rite, arguing that applying the economic loss doctrine would similarly be nonsensical in their case. However, Sovereign acknowledges that the Bilt-Rite decision primarily addressed whether a duty existed for the architect without a contractual relationship, rather than fundamentally challenging the economic loss doctrine itself. The Supreme Court did not intend to undermine the economic loss doctrine but rather created an exception for commercial plaintiffs who rely on information from an expert supplier with whom they have no contract, in cases of negligent misrepresentation. This exception does not apply in Sovereign's case. The Court referenced the Restatement (Second) of Torts, which outlines the liability of a party supplying false information in a business context and clarifies the conditions for such liability.
Liability for failing to provide information extends to individuals within the class that the duty aims to protect. However, this is limited by the economic loss doctrine, which barred Sovereign's negligence claim against BJ’s. The district court's decision to grant summary judgment to Fifth Third on Sovereign’s breach of contract claim is reversed and remanded for further proceedings. Conversely, the dismissal of Sovereign’s equitable indemnification claims against Fifth Third and BJ’s, as well as the negligence claim against BJ’s, is affirmed.
In the case of Pennsylvania State Employees Credit Union (PSECU) v. Fifth Third Bank and BJ’s Wholesale Club, following a data breach at BJ’s, PSECU incurred costs of approximately $98,000 to cancel and reissue 20,000 Visa cards. PSECU filed an amended complaint against Fifth Third and BJ’s for breach of contract, negligence, equitable indemnification, and unjust enrichment. The case, initially in state court, was removed to federal court, where BJ’s successfully moved to dismiss PSECU's claims. The district court only allowed PSECU's breach of contract claim against Fifth Third to proceed, later granting summary judgment in favor of Fifth Third, concluding PSECU was not an intended beneficiary under the Visa-Fifth Third Member Agreement.
PSECU's appeal contests this summary judgment and the dismissal of its negligence and unjust enrichment claims. PSECU argues it should be recognized as an intended beneficiary of Fifth Third’s agreement with Visa, which requires compliance from BJ’s.
PSECU's appeal relies on the same evidence and deposition testimony that supported Sovereign's third-party beneficiary claim against Fifth Third. PSECU's arguments are aligned with those previously made by Sovereign, leading to the conclusion that the analysis from case No. 06-3392 applies to PSECU’s breach of contract claim. Consequently, the district court's summary judgment in favor of Fifth Third is reversed, and the case is remanded for further proceedings.
In terms of negligence claims against BJ’s and Fifth Third, PSECU asserts that BJ’s violated Visa Operating Regulations and that Fifth Third had a duty to ensure compliance, alleging both parties negligently breached these duties. The district court dismissed these claims based on the economic loss doctrine. PSECU contends that the negligence led to physical damage to its property—specifically, the Visa cards—because unauthorized access to their magnetic stripe data rendered the cards useless, necessitating replacement. However, the court disagrees, stating that the cards were not physically damaged but merely canceled, as the magnetic stripe data was copied rather than destroyed. The cards remained usable until PSECU chose to cancel them due to potential liability from unauthorized charges.
PSECU also argues that the economic loss doctrine should not apply due to a lack of privity of contract between the parties and claims that this situation is distinct, referencing Bilt-Rite Contractors, Inc. v. The Architectural Studio as a significant change in the application of the economic loss doctrine.
The Pennsylvania Supreme Court's ruling in Bilt-Rite established that the economic loss doctrine does not bar recovery of economic losses in tort actions when there is no contractual remedy available. This precedent allows a plaintiff, like Bilt-Rite, to pursue claims for negligent representation without a contractual relationship to the defendant, as was the case with TAS. However, the court also clarified that this ruling is limited to specific circumstances involving "expert suppliers of information" and does not broadly negate the economic loss doctrine's application.
In this context, PSECU's negligence claims against BJ's and Fifth Third were dismissed by the district court, which affirmed that Bilt-Rite did not support PSECU’s position. Additionally, the elements of unjust enrichment under Pennsylvania law require showing that a defendant received benefits unjustly. PSECU argued that BJ's and Fifth Third unjustly benefited from the cancellation and replacement of Visa cards, which mitigated their potential liability. However, the district court concluded that BJ's and Fifth Third did not benefit from PSECU's actions since the card replacements were in accordance with PSECU's contractual obligations to its cardholders, referencing the case of Allegheny Gen. Hosp. v. Philip Morris, Inc.
BJ’s and Fifth Third's potential benefits were deemed incidental and insufficient for an unjust enrichment claim. In the case of Allegheny General Hospital, hospitals sought unjust enrichment from tobacco companies for unreimbursed care to nonpaying smokers, arguing they relieved the companies of their legal obligations. However, it was held that unjust enrichment claims cannot arise from fulfilling obligations owed to third parties, as the primary benefit went to the patients, not the tobacco companies. PSECU's claims against BJ's and Fifth Third mirror this failed claim. PSECU attempted to differentiate its case by asserting it did not have an independent obligation to replace Visa cards, but its amended complaint stated it replaced the cards to fulfill a contractual obligation to its customers, thus constituting a judicial admission. The court dismissed PSECU's unjust enrichment claim based on this admission. PSECU further argued that the Restatement of Restitution should apply, suggesting it discharged more than its share of a duty without prior obligations to BJ's and Fifth Third. However, the comments in the Restatement clarify that this rule applies only among parties to a single transaction or series of transactions, which does not support PSECU's position given the separate agreements involved in the Visa system.
PSECU acknowledged that it replaced its members' cards as part of its contractual obligations within the Visa system but argued that the cancellation and reissuance of cards is only one option available to an Issuer when responding to a breach of Cardholder Information by a Merchant or Acquirer. It claimed that this indicates it was not obligated to cancel and reissue the cards, but chose to do so to mitigate potential fraud losses for BJ's and Fifth Third. PSECU asserted that all three entities are involved in the Visa system, which creates mutual obligations without prior performance duties among them. PSECU argued it deserved contribution from BJ's and Fifth Third based on unjust enrichment principles, even if one of them appeared primarily responsible for the card reissuance.
However, this specific argument was not presented in the district court, and as a general rule, appellate courts do not consider issues raised for the first time unless exceptional circumstances exist, which PSECU did not demonstrate. Thus, the appellate court found the argument waived and upheld the district court's dismissal of PSECU's unjust enrichment claims against BJ's and Fifth Third. The court decided to reverse the district court's summary judgment in favor of Fifth Third concerning PSECU's breach of contract claim but affirmed the dismissal of its negligence and unjust enrichment claims against both BJ's and Fifth Third.
