Cumis Insurance Society, Inc. v. BJ's Wholesale Club, Inc.

455 Mass. 458 | Mass. | 2009

Cowin, J.

This dispute arose after unauthorized parties obtained access to magnetic stripe data from approximately 9.2 million credit cards4 used by cardholders to purchase merchandise at stores of the defendant BJ’s Wholesale Club, Inc. (BJ’s). Using the stolen data, the thieves were able to engage in fraudulent credit card transactions worth millions of dollars. The plaintiff credit unions, which had issued the compromised Visa U.S.A., Inc. (Visa), and MasterCard International (MasterCard) credit cards to the cardholders, were reimbursed for some of the fraudulent charges by their insurer, plaintiff Cumis Insurance Society, Inc. *460(Cumis), but sustained additional costs to cancel the compromised credit cards and reissue new ones.5

The plaintiffs claim that the thieves were able to obtain the credit card information from BJ’s computer systems because BJ’s and its acquiring bank,6 defendant Fifth Third Bank (Fifth Third), had committed a breach of their contractual obligations, both to each other and to Visa and MasterCard, not to store the magnetic stripe data from the back of the cards after a credit card transaction had been authorized or declined. BJ’s and Fifth Third had agreements with each other that contained provisions requiring them to comply with Visa and MasterCard’s operating regulations; those regulations included a prohibition on retaining magnetic stripe data after a cardholder’s transaction was completed. Fifth Third, as an acquiring bank, also had agreements with Visa and MasterCard that similarly required compliance with Visa and MasterCard’s operating regulations.

The plaintiffs assert that they are entitled to relief under the terms of the defendants’ contracts with each other because, as issuing banks,7 the plaintiff credit unions8 are intended third-party beneficiaries of the contracts between BJ’s and Fifth Third.9 The plaintiff credit unions assert also that they are intended *461beneficiaries of the contracts between Fifth Third and Visa and MasterCard, provisions of which “includ[ed] Fifth Third’s compliance with the Card Operating Regulations.” The plaintiffs contend further that each time BJ’s submitted a credit card transaction for approval, through Fifth Third as acquiring bank to the Visa and MasterCard computer system and ultimately to the plaintiff credit unions as issuing banks, both defendants falsely represented that they were in compliance with their contractual obligations to comply with the regulations, specifically those regulations requiring them to maintain the security of the plaintiff credit unions’ cardholders’ information by not storing magnetic stripe data.

The plaintiff credit unions and Cumis commenced an action in the Superior Court claiming breach of contract as third-party beneficiaries, as well as fraud, negligence, negligent misrepresentation, violations of G. L. c. 93A, § 11, and equitable indemnification. Cumis also brought a claim for subrogation. A Superior Court judge (first judge) dismissed the third-party beneficiary breach of contract claims. She concluded, based on an explicit provision in BJ’s contract with Fifth Third, that the parties intended to exclude enforcement of the contract by third parties. The judge ruled also that the economic loss doctrine required dismissal of the negligence claims. The judge denied the defendants’ motions to dismiss the other claims.10

A different judge ordered limited discovery on the fraud and negligent misrepresentation claims. In this regard, the parties stipulated that, if summary judgment were granted in favor of the defendants on those claims, the remaining claims would be dismissed.11 After discovery was completed, the plaintiffs moved for partial summary judgment on the issue whether the defendants made representations that would support the plaintiffs’ surviving claims, and the defendants moved for summary judgment on all remaining claims. Another judge (second judge) allowed the defendants’ motion for summary judgment on the fraud and negligent misrepresentation claims and dismissed the remaining claims *462pursuant to the parties’ agreement. The plaintiffs appealed, and we transferred the case to this court on our own motion.

The plaintiffs maintain that the first judge erred in concluding that they were not intended third-party beneficiaries of the defendants’ contracts with each other because the contracts included references to Visa and MasterCard regulations that were intended to benefit the plaintiffs. The plaintiffs claim also that the first judge erred in relying on the economic loss doctrine to dismiss their negligence claims, arguing that the millions of credit cards they were required to reissue constituted harm to physical property. The plaintiffs maintain further that the second judge erred in granting summary judgment on the fraud and negligent misrepresentation claims, because the plaintiffs reasonably relied on provisions in the Visa and MasterCard regulations with which the defendants were contractually obligated to comply. The plaintiffs contend further that the G. L. c. 93A claims, and the claims for indemnification and subrogation, were wrongly dismissed since summary judgment should not have been granted on the fraud and negligent misrepresentation claims. Concluding that the motion judges’ thorough analysis of each of the plaintiffs’ claims was correct, we affirm.

Background. We recite the undisputed facts in the summary judgment record, reserving some facts for later discussion. Visa and MasterCard are membership organizations in which issuing and acquiring banks join in order to participate in point of sale transactions using the Visa and MasterCard brands. Issuing banks such as the plaintiff credit unions issue the physical plastic credit cards to cardholders, determine the amount of the authorized credit line available to each cardholder, and approve or decline each transaction when the cardholder presents the credit card to make a purchase.

When a cardholder presents a credit card to a merchant, the merchant transmits the information encoded on the back of the credit card to the acquiring bank. The acquiring bank, in turn, transmits the information to Visa or MasterCard, which submits the request to the appropriate issuer. The issuer then relays its decision to approve or decline the transaction back through the same channels to the merchant. After the transaction is approved, the acquiring bank acquires the merchant’s Visa or MasterCard receipt, pays the merchant for the amount of the transaction, and *463seeks payment from the issuing bank; the issuing bank pays the acquiring bank and debits the cardholder’s account. Approximately 16,000 issuers are members of the Visa organization and approximately 20,000 issuers are members of MasterCard. At least 20 million merchants participate in the Visa and MasterCard payment processing systems, but none are members and none contract directly with Visa or MasterCard.

Visa and MasterCard each issue extensive operating regulations that govern the payment processing system and their members’ obligations. Every financial institution that becomes a member of the Visa and MasterCard organizations must sign a contract that includes a provision that it will comply with these regulations; acquirers are also contractually obligated to ensure that their merchants comply. Both Visa and MasterCard regulations prohibit merchants and acquirers from storing magnetic stripe data from the back of credit cards, in whole or in part, after a transaction is completed.12

In February, 2004, Visa and MasterCard determined that computer thieves had gained access to the computer systems on which BJ’s stored credit card transaction data at more than 150 stores, and that the breach had been ongoing since July, 2003. The breach provided the thieves access to the full magnetic stripe data from approximately 9.2 million cardholder accounts, allowing them access to cardholder names, account numbers, account expiration dates, and proprietary Visa and MasterCard security data. It was ultimately determined that the third-party transaction processing software used by BJ’s was permanently storing the magnetic stripe data in transaction logs. The agreements between BJ’s and Fifth Third contained a requirement that BJ’s comply with Visa and MasterCard’s regulations, including those prohibiting BJ’s from storing any magnetic stripe data after a transaction was completed; the agreements among Fifth Third and Visa and MasterCard required Fifth Third to ensure that its merchants complied with the regulations. BJ’s conceded that it was retaining the magnetic stripe data.

Visa and MasterCard notified all their member issuing banks that had issued any of the possibly compromised accounts. In *464response to this notification, the plaintiff credit unions closed all their potentially compromised accounts, without regard to whether fraudulent charges had been made on a particular account; advised cardholders to destroy their old plastic credit cards; and issued new account numbers and new plastic credit cards to all affected cardholders. Cumis paid the plaintiff credit unions millions of dollars for fraudulent transactions made using the compromised accounts13; the plaintiff credit unions and Cumis then commenced this action.

Discussion. 1. Third-party beneficiary contract claims. “In order to recover as a third-party beneficiary, the plaintiffs must show that they were intended beneficiaries of the contract. . . .” Spinner v. Nutt, 417 Mass 549, 555 (1994). That the plaintiffs derive a benefit from a contract between others does not make them intended third-party beneficiaries and does not give them the right to enforce that agreement. Id. at 555-556. Where the parties have expressly and unambiguously stated an intention to exclude third-party beneficiaries, that intent is controlling. See Volpe Constr. Co. v. First Nat’l Bank, 30 Mass. App. Ct. 249, 256-257 (1991), quoting 4 Corbin, Contracts § 777, at 25 (1951) (“it is plain that, ‘if two contracting parties expressly provide that some third party who will be benefited by performance shall have no legally enforceable right, the courts should effectuate the expressed intent by denying the party any direct remedy’ ”).

The complaint states that Fifth Third, “[i]n contracting with Visa and MasterCard to serve as acquiring bank, . . . intended that the issuing credit unions, including the plaintiff credit unions, have the benefits of the contract between Fifth Third and Visa and MasterCard, including Fifth Third’s compliance with the Card Operating Regulations.” The complaint makes no factual assertions in support of its allegation concerning Fifth Third’s intent, and contains no assertions about the intent of Visa or MasterCard. Apart from this single statement in the complaint, the parties and both motion judges have proceeded as though the only agreements at issue for purposes of the third-party beneficiary claims are the agreements between BJ’s and Fifth Third. Before us, as in their complaint, the plaintiffs cite the agreements between *465Fifth Third and Visa and MasterCard only to the extent that those agreements require Fifth Third’s compliance with the operating regulations.14 The plaintiffs assert no error concerning the contracts between Fifth Third and Visa and MasterCard, and these contracts were not part of the record until the defendants filed their motions for summary judgment; the plaintiffs also asserted no such error in the trial court.15 Therefore, we consider any claims as to intended third-party beneficiary status in the contracts between Fifth Third and Visa and MasterCard to be waived. See Doe v. Superintendent of Schools of Stoughton, 437 Mass. 1, 7 (2002).

The agreements between BJ’s and Fifth Third16 provide: “This Agreement is for the benefit of, and may be enforced only by, [Fifth Third] and [BJ’s] and their respective successors and permitted transferees and assignees, and is not for the benefit *466of, and may not be enforced by, any third party.” The agreements also include a clause stating that all disputes under the agreements will be governed by the law of the State of Ohio.

Without explicitly deciding what law applied, the first judge observed that both Massachusetts and Ohio incorporate the provision on third-party beneficiaries set forth in Restatement (Second) of Contracts § 302 (1981). See Miller v. Mooney, 431 Mass. 57, 62 (2000); Hill v. Sonitrol of Southwestern Ohio, Inc., 36 Ohio St. 3d 36, 40 (1988). This provision allows intended third-party beneficiaries to enforce contracts “[ujnless otherwise agreed between promisor and promisee.” Restatement (Second) of Contracts, supra. Under Massachusetts law, a contract does not confer third-party beneficiary status unless the “language and circumstances of the contract” show that the parties to the contract “clear [ly] and definite [ly]” intended the beneficiary to benefit from the promised performance. See Anderson v. Fox Hill Village Homeowners Corp., 424 Mass. 365, 366-367 (1997). Similarly, Ohio law states that, regardless of whether a third party receives some benefit from a contract, a third party is only an incidental beneficiary unless the “intent to benefit” test establishes that the promisee intended the third party to receive the benefit of the performance. See Hill v. Sonitrol of Southwestern Ohio, Inc., supra at 40-41.

Relying on the unambiguous language in their agreements, the first judge concluded that BJ’s and Fifth Third had “otherwise agreed” not to allow their contracts to be enforced by third parties and, therefore, that there were no circumstances in which the plaintiffs could prevail on their third-party beneficiary breach of contract claims. In discussing the first judge’s decision on the third-party beneficiary claims, the second judge stated that, at most, the plaintiff credit unions were incidental beneficiaries of BJ’s and Fifth Third’s agreements. The second judge observed also that, in regard to Visa and MasterCard’s intent to allow third-party enforcement of their regulations, Visa and MasterCard expressly reserved for themselves, in their contracts with the plaintiff credit unions as issuers, and with Fifth Third as an acquirer, “the sole right to interpret and enforce” the Visa and MasterCard regulations.17

*467Notwithstanding the expressly stated exclusion of third-party beneficiaries in the defendants’ agreements, the plaintiffs contend that the judge erred and that they are intended third-party beneficiaries of the agreements between BJ’s and Fifth Third because the agreements provide that the signatories will comply with Visa and MasterCard’s regulations (including the regulation prohibiting storage of magnetic stripe data). The plaintiffs assert, despite the contrary language, that the prohibition against retention of magnetic stripe data was intended to benefit issuers such as the plaintiff credit unions. We agree with the well-reasoned decision of the first judge that the plaintiff credit unions are not intended third-party beneficiaries of the contracts between BJ’s and Fifth Third, and thus conclude that the breach of contract claims were properly dismissed. See Nader v. Citron, 372 Mass. 96, 98 (1977), quoting Conley v. Gibson, 355 U.S. 41, 45-46 (1957) (complaint sufficient “unless it appears beyond doubt that the plaintiff can prove no set of facts in support of his claim which would entitle him to relief”).18

As stated, in their complaint, the plaintiffs assert merely the conclusion that they were third-party beneficiaries to the defendants’ agreements without setting forth any factual allegations concerning the defendants’ intentions or Visa and MasterCard’s purported intention in establishing the regulation concerning magnetic stripe data. Neither the complaint on its face nor the attached agreements offer any basis to support an intention on the part of the defendants that the contract be performed for the benefit of the plaintiffs.19

The plaintiffs suggest that the provision in the defendants’ *468agreements to exclude third-party beneficiaries is a “secret disclaimer” that conflicts with the purpose of the regulation prohibiting retention of magnetic stripe data, a regulation that the plaintiffs assert is intended to protect issuers. However, nothing in the Visa and MasterCard operating regulations prohibits Fifth Third or BJ’s from entering into agreements that explicitly exclude enforcement by third parties. We agree with the reasoning in a recent decision by the United States District Court for the District of Massachusetts in a case involving the Visa and MasterCard operating regulations and agreements between Fifth Third and another merchant. In that case, a Federal District Court judge decided that the agreements excluded third-party beneficiaries and that the operating regulations did not conflict with the contracts excluding third-party beneficiaries. See In re TJX Cos. Retail Sec. Breach Litig., 524 F. Supp. 2d 83, 89-90 (D. Mass. 2007). The judge concluded that, even if the issuing banks were intended beneficiaries of the operating regulations, those regulations “make clear” that only Visa and MasterCard “can enforce their terms and thus that the issuing banks have no right to file suit to achieve that end.” Id. at 89. Therefore, the judge held, provisions denying third parties such as issuing banks the ability to enforce the terms of the contracts between an acquiring bank and a merchant did not conflict with the operating regulations. Id. at 90.

The plaintiffs emphasize that Visa and MasterCard representatives testified at deposition that the regulations prohibiting storage of magnetic stripe data were intended to ensure the security of the Visa and MasterCard network and to protect all participants in the system, including issuers.20 However, this deposition was not available when the motions to dismiss were allowed, and the plaintiffs did not later file a motion for reconsideration of the first judge’s decision. Nor would it have made a difference given the explicit and unambiguous disclaimer in the defendants’ *469agreement; whatever their intent in implementing the regulations, neither Visa nor MasterCard is a party to the defendants’ contracts.21 Moreover, as stated, the operating regulations expressly provide that Visa and MasterCard reserve the right to interpret and enforce the regulations; at least one court has held that this expressed exclusion indicates an intent to prohibit others, such as the plaintiff issuers in this case, from doing so. See In re TJX Cos. Retail Sec. Breach Litig., supra.

The plaintiffs contend further that, without the ability to recover as third-party beneficiaries, they have no alternative means to recoup damages resulting from the theft of data wrongfully stored on BJ’s computer systems. This claim is without merit. The operating regulations set forth a detailed “compliance” mechanism pursuant to which the plaintiff credit unions could have filed claims with Visa and MasterCard to recoup losses they suffered due to fraudulent use of the compromised accounts. One provision in MasterCard’s rules states that compensation for compromised data may include issuers’ costs for issuing new cards or monitoring potentially compromised accounts.

2. Negligence claims. To prevail against the defendants’ motions to dismiss their negligence claims, the plaintiffs must establish that the defendants owed them a legal duty and that the defendants’ breach of this legal duty was the cause of the plaintiffs’ injuries. Davis v. Westwood Group, 420 Mass. 739, 742-743 (1995). In addition, the economic loss doctrine bars recovery unless the plaintiffs can establish that the injuries they suffered due to the defendants’ negligence involved physical harm or property damage, and not solely economic loss. See Aldrich v. ADD Inc., 437 Mass. 213, 222 (2002), quoting FMR Corp. v. Boston Edison Co., 415 Mass. 393, 395 (1993) (“purely economic losses are unrecoverable in tort. . . actions”).

The first judge determined that the plaintiffs suffered only economic harm due to the theft of the credit card account infor*470motion, and therefore that the economic loss doctrine barred recovery on their negligence claims. See Aldrich v. ADD Inc., supra at 222. The plaintiffs assert that the judge erred and that the economic loss doctrine does not apply because the plastic credit cards are tangible personal property and their damages included physical harm to the plastic cards that had to be canceled following the thefts. However, as courts in other jurisdictions have observed, the question here is not whether the credit cards are tangible property, but rather the nature of the damages sought by the plaintiffs. See Pennsylvania State Employees Credit Union v. Fifth Third Bank, 398 F. Supp. 2d 317, 330 (M.D. Pa. 2005), aff’d in part, Sovereign Bank v. BJ’s Wholesale Club, Inc., 533 F.3d 162, 176-178 (3d Cir. 2008). As the United States District Court judge stated, the damages sought by the plaintiffs in that case, the costs of replacing credit cards for compromised accounts, were economic losses. Id. We are persuaded that the damages the plaintiff credit unions seek in this case for the costs of reissuing credit cards for all their compromised accounts are likewise economic losses. See In re TJX Cos. Retail Sec. Breach Litig., supra at 90-91 (adopting reasoning in Pennsylvania State Employees Credit Union v. Fifth Third Bank and holding that destruction of compromised credit cards should be considered economic losses).

In affirming the Federal District Court’s decision to grant summary judgment on the plaintiffs’ negligence claims in Pennsylvania State Employees Credit Union v. Fifth Third Bank, supra, a case involving very similar circumstances with different credit union plaintiffs and BJ’s and Fifth Third as defendants, the United States Court of Appeals for the Third Circuit concluded that the credit cards themselves were not harmed and were still functional to make purchases after the information was compromised; the plaintiffs chose to cancel the accounts and issue new cards to prevent economic losses from future liability. See Sovereign Bank v. BJ’s Wholesale Club, Inc., supra at 179-180. We concur with that court’s holding, and conclude that the cards at issue here were also canceled by the plaintiff credit unions for the purpose of avoiding future economic losses. Therefore, the first judge properly dismissed the plaintiffs’ negligence claims as barred by the economic loss doctrine.

3. Fraud and negligent misrepresentation claims. The plain*471tiffs assert in their complaint that the defendants “falsely represented that [they] would comply with the Card Operating Regulations,” and that Fifth Third falsely represented that it would ensure that BJ’s complied with the regulations, “in order to induce [the plaintiff] credit unions to act as issuing credit unions.” The complaint states that the plaintiff credit unions “would not have agreed to act as issuing credit unions or would have taken additional steps to protect themselves but for the false representations/omissions made by [the defendants].” In their negligent misrepresentation claims, the plaintiffs assert that, “[i]n contracting with Fifth Third and/or Visa and MasterCard, BJ’s, in the course of its business with plaintiffs, falsely represented that . . . it was not storing magnetic stripe information” and Fifth Third “falsely represented that BJ’s was not storing magnetic stripe information.” The plaintiffs contend that they “justifiably relied upon the false representations made by [the defendants] regarding the security and confidentiality of the Visa and MasterCard credit card information” and BJ’s “failure to comply with the Card Operating Regulations,” and that the plaintiffs suffered losses from fraudulent charges and the costs incurred in canceling and reissuing compromised credit cards because of the defendants’ negligence in supplying such false information.

To recover on their fraud claims, the plaintiffs must establish that the defendants made a false representation of material fact, with knowledge of its falsity, for the purpose of inducing the plaintiffs to act on this representation, that the plaintiffs reasonably relied on the representation as true, and that they acted upon it to their damage. Masingill v. EMC Corp., 449 Mass. 532, 540 (2007). Unlike fraud, negligent misrepresentation does not require an intent to deceive or actual knowledge that a statement is false. To prevail on their negligent misrepresentation claims, the plaintiffs must establish in this context that the defendants, “in the course of [their] business, profession or employment, or in any other transaction in which [they had] a pecuniary interest, supplied] false information for the guidance of others in their business transactions” without exercising “reasonable care or competence in obtaining or communicating the information,” that those others justifiably relied on the information, and that they suffered pecuniary loss caused by their justifiable reliance upon *472the information.22 See Nycal Corp. v. KPMG Peat Marwick LLP, 426 Mass. 491, 496 (1998), quoting Restatement (Second) of Torts § 552 (1977).23

Following discovery, the plaintiff credit unions conceded that the defendants had made no direct representations to them concerning the Visa and MasterCard operating regulations or the defendants’ compliance with these regulations. The second judge determined that there was no evidence that the defendants “made any direct representations, negligent or otherwise, to the plaintiffs or supplied them with false information to induce them to issue Visa or MasterCards [szc] or to continue to participate in the credit card system.” The plaintiffs do not dispute that their claims for fraudulent and negligent misrepresentation are based only on the requirements in the Visa and MasterCard operating regulations and the defendants’ contracts with each other that require the defendants to abide by these regulations. The plaintiffs also do not dispute that, prior to this litigation, they never saw the agreements between the defendants, and were not aware of the content of these agreements, other than the knowledge that Visa and MasterCard required the agreements to include compliance with the operating regulations.24

*473Although the plaintiffs appealed from the second judge’s decision allowing summary judgment on the fraud and negligent misrepresentation claims, the focus of their brief is on the negligent misrepresentation claims; indeed, the brief presents both sets of claims as “the[] misrepresentation claims.” As to the fraud claims, the second judge observed that, notwithstanding the plaintiff credit unions’ claims that they were induced to participate as issuers for BJ’s transactions in reliance on the defendants’ misrepresentations concerning the defendants’ compliance with the operating regulations, they presented no affidavits, deposition testimony, or other evidence showing that they would have acted differently with respect to their participation in the Visa and MasterCard organizations had they been aware of the defendants’ breach of their contractual obligations to abide by the operating regulations. Indeed, the plaintiff credit unions stated at the summary judgment hearing and in their brief that they continue to participate as issuers in the Visa and MasterCard system and to rely on the regulations because the system is 99.94 per cent effective and only six cents of every one hundred dollars in transactions within the system are fraudulent. Because the plaintiff credit unions have presented no evidence that any representations by the defendants induced them to become or remain issuers in the Visa and MasterCard system, or that they have withdrawn from or altered their participation in the system after becoming aware of the defendants’ breach, the defendants’ motions for summary judgment on the fraud claims were properly allowed.25 Moreover, summary judgment was also appropriate because, as discussed infra, the plaintiffs cannot establish that any reliance on the defendants’ implied misrepresentations would have been reasonable or justifiable.

We conclude also that the judge properly granted the defendants’ motions for summary judgment on the negligent misrepresentation claims. Since the plaintiffs concede that the defendants made no direct representations to the plaintiffs concerning the defendants’ level of compliance with the Visa and Master*474Card regulations, the plaintiffs base their negligent misrepresentation claims, like their fraud claims, on the defendants’ “promises to Visa and MasterCard” and BJ’s “promises to Fifth Third” to abide by their contractual obligations to comply with Visa and MasterCard’s operating regulations.

The defendants do not contest that they failed to comply with the regulations prohibiting storage of magnetic stripe data after a transaction is completed. However, failure to perform a contractual duty does not give rise to a tort claim for negligent misrepresentation. See Anderson v. Fox Hill Village Homeowners Corp., 424 Mass. 365, 368 (1997). See also Sound Techniques, Inc. v. Hoffman, 50 Mass. App. Ct. 425, 433 (2000). Plaintiffs who are unable to prevail on their contract claims may not repackage the same claims under tort law. See Arcidi v. National Ass’n of Gov’t Employees, Inc., 447 Mass. 616, 622 (2006). Moreover, “false statements of opinion, of conditions to exist in the future,” and promises to perform an act cannot sustain a claim for negligent misrepresentation, see Yerid v. Mason, 341 Mass. 527, 530 (1960), unless the promisor had no intention to perform the promise at the time it was made. See Brewster Wallcovering Co. v. Blue Mountain Wallcoverings, Inc., 68 Mass. App. Ct. 582, 601 n.45 (2007). There was no evidence or contention by the plaintiffs that the defendants never intended to perform their contractual obligations to comply with the operating regulations at the time they entered into the contracts.

Even assuming, as the plaintiffs argue, that the submission of a proposed purchase for approval constituted a representation to the plaintiff credit unions that the defendants were in compliance with the regulations prohibiting storage of magnetic stripe data, to survive the defendants’ motion for summary judgment on both sets of misrepresentation claims the plaintiffs must show also that their reliance on any such representation was reasonable and justifiable. See Kuwaiti Danish Computer Co. v. Digital Equip. Corp., 438 Mass. 459, 467-468 (2003). Although usually a question for the jury, whether the plaintiffs’ reliance was reasonable and justifiable can be a question of law where the undisputed facts permit only one conclusion. See Fox v. F & J Gattozzi Corp., 41 Mass. App. Ct. 581, 587-588 (1996).

As the second judge determined, no rational jury could have found reasonable reliance on the regulations prohibiting storage *475of magnetic stripe data in the circumstances here.26 First, as the judge observed, Visa and MasterCard compliance regulations explicitly provide for fines for breach of regulations such as storage of magnetic stripe data. This indicates that the system is designed with the expectation that breaches will occur. In addition, the plaintiff credit unions anticipated and insured themselves through plaintiff Cumis against fraudulent losses arising from such storage.

Second, the plaintiffs concede that, prior to the theft at issue here, the plaintiff credit unions, as issuers, received numerous and repeated alerts from Visa and MasterCard concerning specific instances of improper storage of magnetic stripe data and subsequent fraudulent activities involving these compromised accounts. In 2003 alone, Visa and MasterCard issued alerts concerning over 15 million compromised accounts due to theft of improperly retained magnetic stripe data; a Visa representative testified in a deposition that account compromises resulted in approximately $1 billion in fraudulent transactions annually. Security alerts in April, 2003, involving 400,000 accounts, and September, 2003, involving approximately 3.7 million accounts, stated that the accounts were compromised through improper retention of magnetic stripe data and notified issuers of their potential eligibility for reimbursement due to the compromised accounts. The plaintiff credit unions do not dispute that they received these notifications. Accordingly, given the plaintiffs’ actual knowledge of ongoing instances of noncompliance with the magnetic stripe regulation involving millions of accounts, the plaintiffs’ *476asserted reliance on the existence of the regulation in the defendants’ agreements could not be deemed reasonable.27

Thus, the summary judgment record is “so clear as to permit only one conclusion,” Nota Constr. Corp. v. Keyes Assocs., 45 Mass. App. Ct. 15, 20 (1998), and the second judge determined correctly that the plaintiffs could not reasonably have relied on any implied representations by the defendants.

4. Dismissal of the G. L. c. 93A, § 11, equitable indemnification, and subrogation claims. As stated, the parties stipulated that, if summary judgment were entered for the defendants on the fraud and negligent misrepresentation claims, the remaining claims would be dismissed. Because the defendants’ motions for summary judgment on the fraud and negligent misrepresentation claims were properly allowed, the other claims were correctly dismissed pursuant to the terms of the parties’ agreement.

Judgments affirmed.

Although both debit and credit cards were compromised, for purposes of this litigation there is no relevant distinction between the two types of cards; we refer to all the cards as “credit cards.”

Cumis Insurance Society, Inc. (Cumis), is a plaintiff both on its own behalf and as assignee of sixty-nine credit unions.

Acquiring banks, also called merchant banks or acquirers, contract with individual merchants to process that merchant’s credit card transactions.

Issuing banks, also known as issuers, issue credit cards to individual cardholders with whom they enter into separate contractual agreements; issuing banks approve or decline transactions when the cardholder presents the credit card to make a purchase.

As issuing banks, each of the plaintiff credit unions had separate agreements with Visa U.S.A., Inc. (Visa), and MasterCard International (MasterCard); these agreements required compliance with Visa and MasterCard’s operating regulations.

In their complaint, the plaintiffs assert that, “[u]pan information and belief, BJ’s [Wholesale Club, Inc. (BJ’s),] has a contract with Fifth Third [Bank (Fifth Third)] and/or Visa and MasterCard that requires BJ’s to comply with the Card Operating Regulations.” BJ’s has no contracts with Visa or MasterCard, but is required to comply with both Visa’s and MasterCard’s regulations under the terms of its contracts with Fifth Third. As the complaint accurately states, “Fifth Third has a contract with Visa and a contract with MasterCard that requires Fifth Third to comply with the Card Operating Regulations” and that also requires Fifth Third to include a provision in its contracts with BJ’s requiring BJ’s compliance with the regulations.

Following the decision on the defendants’ motion to dismiss, eighty-five of the plaintiff credit unions dismissed their remaining claims.

The stipulation provided that resolution of the fraud and negligent misrepresentation claims in favor of the defendants would terminate the litigation in the trial court, but would not affect the plaintiffs’ right of appeal.

In order to resolve potential customer disputes, merchants are permitted to store the customer’s name, credit card number, and the card’s expiration date.

In addition, MasterCard reimbursed issuers, including the plaintiff credit unions, $2.4 million for fraudulent transactions.

Indeed, the plaintiffs claim error in the first judge’s failure to consider the operating regulations, which were not before her, but which the plaintiffs assert “comprise the remaining documents that make up the contracts at issue in this case.” Although the plaintiffs cited and relied on specific contractual and regulatory provisions in their complaint, the plaintiffs did not attach any of the contracts or regulations at issue to the complaint, and also did not attach any such documents to their opposition to the defendants’ motions to dismiss. The defendants attached copies of the agreement between BJ’s and Fifth Third to their motions to dismiss, and the first judge properly considered those agreements. See Marram v. Kobrick Offshore Fund, Ltd., 442 Mass. 43, 45 n.4 (2004). See also Cortec Indus., Inc. v. Sum Holding L.P., 949 F.2d 42, 47-48 (2d Cir. 1991), cert. denied sub nom. Cortee Indus., Inc. v. Westinghouse Credit Corp., 503 U.S. 960 (1992).

As issuers, the plaintiff credit unions signed agreements with Visa and MasterCard requiring them to comply with the Visa and MasterCard regulations; thus, the plaintiffs had access to the regulations prior to any discovery, and could have chosen to attach them to their filings. The defendants also attached copies of Fifth Third’s agreements with Visa and MasterCard, and portions of the regulations, to their motions for summary judgment, and the second judge properly considered those documents in his decision granting summary judgment to the defendants.

Fifth Third’s statement that the first judge had the regulations before her is inaccurate; the portions of the record that Fifth Third cites in support of this statement refer only to a single section of Visa’s regulations, entitled “dispute resolution,” that Fifth Third filed separately, not attached to its motion to dismiss, prior to the first judge’s decision. The other documents cited, including the provisions at issue, which appear in other sections of Visa’s full “operating regulations” and MasterCard’s “rules,” are attached to the defendants’ motions for summary judgment.

There is one agreement for credit cards and a separate agreement for debit cards; both contain identical language concerning third-party enforcement.

Visa and MasterCard did proceed against Fifth Third under the terms of *467the compliance regulations; Fifth Third paid $555,000 in fines for an “egregious” violation of the operating regulations.

The motion to dismiss standard under Nader v. Citron, 372 Mass. 96, 98 (1977), is applicable because the judge’s decision was made before the change in the standard set forth in Iannacchino v. Ford Motor Co., 451 Mass. 623, 636 (2008). The plaintiffs would fare no better under the new, more stringent standard required by the Iannacchino case.

The cases from other States cited by the plaintiffs in support of their argument that, despite the explicit disclaimer, they are intended third-party beneficiaries of the defendants’ contracts are inapposite. In these cases, notwithstanding the express disclaimer prohibiting enforcement by third-party beneficiaries, other contractual provisions indicated that performance under the contracts was specifically owed to third parties. See, e.g., Versico, Inc. v. Engineered Fabrics Corp., 238 Ga. App. 837, 840-841 (1999) (contract contained *468disclaimer but also had clause requiring defendant to assume specific product liability and warranty commitments to third parties); State v. Marion County Landfill, Inc., 276 Kan. 328, 349-350 (2003) (original contract contained disclaimer but parties later executed guaranty requiring them to pay specific third party).

Visa and MasterCard representatives also testified, however, that the operating regulations were not intended to create rights of enforcement between members.

By contrast, in the case from the United States Court of Appeals for the Third Circuit on which the plaintiffs rely, Visa was a party to the contract at issue, which was between Visa and Fifth Third as acquiring bank. That case involved the same defendants and the same security breach at issue here, but concerned whether the plaintiff issuers were intended third-party beneficiaries of the contract between Fifth Third and Visa; that contract did not expressly exclude third-party beneficiaries. See Sovereign Bank v. BJ’s Wholesale Club, Inc., 533 F.3d 162, 168-173 (3d Cir. 2008).

In contrast to claims for negligence, where physical harm must be established, an exception to the economic loss doctrine, see part 2, supra, permits recovery for financial harm resulting from negligent misrepresentation. See Craig v. Everett M. Brooks Co., 351 Mass. 497, 499-501 (1967); Nota Constr. Corp. v. Keyes Assocs., 45 Mass. App. Ct. 15, 20 (1998).

In addition, liability for negligent representation is limited to:

“ ‘loss suffered (a) by the person or one of a limited group of persons for whose benefit and guidance he intends to supply the information or knows that the recipient intends to supply it; and (b) through reliance upon it in a transaction that he intends the information to influence or knows that the recipient so intends or in a substantially similar transaction.’ ”

See Nycal Corp. v. KPMG Peat Marwick LLP, 426 Mass. 491, 496 (1998), quoting Restatement (Second) of Torts § 552 (1977).

Because the plaintiffs, as issuers, had full access to the Visa and MasterCard regulations upon which the complaint depends, as well as the knowledge that Visa and MasterCard required all acquirers and merchants contractually to agree to comply with the regulations, and required acquirers to ensure that their merchants complied, the first judge properly did not convert the defendants’ motions to dismiss into motions for summary judgment, notwithstanding that the contracts were not attached to the complaint. See note 14, supra.

This aspect of the plaintiffs’ reliance applies only to the fraud claims, which allege that the plaintiffs were induced to become and remain issuers by the defendants’ actions. The negligent misrepresentation claims make no similar allegations, and allege simply financial loss due to justifiable reliance.

Plaintiffs rely on a line of cases that have established a very narrow exception of “foreseeable reliance” pursuant to which a plaintiff may assert a negligent misrepresentation claim based on representations in a third-party contract for professional services. These cases, however, are readily distinguishable from the circumstances here. The cases cited require some type of direct link (“near privity”) between the specific third party or limited group of third parties and the contracting parties, as well as actual knowledge by the contracting parties that the particular third party or limited group of third parties will be relying on the specific professional services to be provided under the contract. See, e.g., Nycal Corp. v. KPMG Peat Marwick LLP, 426 Mass. 491, 495- 498 (1998); Craig v. Everett M. Brooks Co., 351 Mass. 497, 498-499, 501 (1967). By contrast, the plaintiffs agree that the defendants had no direct communication or connection with any of the 16,000 Visa issuers or the 20,000 MasterCard issuers, and had no knowledge that any particular issuer was relying on any particular provision in the confidential merchant agreements.

In addition, Visa and MasterCard provided its members detailed information and guidance on the ongoing general issue of improper storage of magnetic stripe data. For instance, a May 20, 2003, article, available to members via the Internet, stated that full magnetic stripe data was frequently being stored at various points during transaction processing and that such retention had a negative impact on the effectiveness of Visa’s risk control procedures. The article emphasized that retention of magnetic stripe data was prohibited under the operating regulations and that duplication of transaction data was a likely result of such retention. The article offered support and educational materials to assist members in complying with the regulations, and stated that acquirers should review software systems used by their merchants to ensure that the software did not retain magnetic stripe data.