e-Commerce Docket Sheet

Credit-card issuing banks may seek reimbursement for losses in connection with a breach-of-data network security at a retail store on the theory that they were intended beneficiaries of the information-security agreement between the retailer's payment processor/acquiring bank and the credit-card system. Sovereign Bank v. BJ's Wholesale Club, Inc., 2008 U.S. App. LEXIS 15098 (3d Cir. July 16, 2008). In a consolidated action, the appeals court reversed the lower court's grant of summary judgment to the defendant-acquiring bank on the plaintiffs' breach-of-contract claim, but affirmed the dismissal of the plaintiffs' negligence claims against the acquiring bank and retailer based on the economic-loss doctrine. The credit-card issuing banks brought suit against the retailer and the acquiring bank that processed the retailer's credit-card transactions, claiming that a resulting security breach, which forced the issuing bank to incur expenses related to unauthorized charges and the issuance of replacement credit cards, was caused by the retailer's failure to comply with the Cardholder Information Security Program (“CISP”) required by the acquiring bank's agreement with the credit-card system. In particular, the issuing bank claimed that the retailer's transaction-processing system retained and stored full magnetic-stripe data from the credit cards after processing a transaction, in violation of the CISP. The appeals court stated that the issuing banks met the burden of producing sufficient evidence that the credit-card system intended to give it the benefit of the payment processor's promise to the credit-card system to ensure its merchants complied with the CISP, and remanded the case for further proceedings on the breach-of-contract claim.