Schnuck Markets, Inc. v. First Data Merchant Services Corp.
852 F.3d 732
8th Cir.
2017
Check Treatment
Docket

SCHNUCK MARKETS, INC., Plаintiff-Appellee v. FIRST DATA MERCHANT SERVICES CORP.; Citicorp Payment Services, Inc., Defendants-Appellants

No. 15-3804

United States Court of Appeals, Eighth Circuit

January 13, 2017

843 F.3d 732

WOLLMAN, Circuit Judge.

Submitted: September 21, 2016

Counsel who presented argument on behalf of the appellant was Gregory Silbert, of New York, NY. The following attorney(s) appeared on the appellant brief; Lucy T. Unger, of Saint Louis, MO., Lisa Larkin, of Saint Louis, MO., Edward Soto, of Miami, FL., Jonathan Polkes, of New York, NY.

Counsel who presented argument on behalf of the appеllee was Daniel R. Warren, of Cleveland, OH. The following attorney(s) appeared on the appellee brief; Kevin F. Hormuth, of Saint Louis, MO., David Paul Niemeier, of Saint Louis, MO., Craig A Hoffman, of Cincinnati, OH.

Before WOLLMAN, ARNOLD, and KELLY, Circuit Judges.

WOLLMAN, Circuit Judge.

Grocery store chain Schnuck Markets, Inc. (Schnucks) sued its credit card processor, First Data Merchant Services Corporation (First Data), and the acquiring bank for its credit transactions, Citicorp Payment Sеrvices, Inc. (Citicorp). Schnucks alleges that First Data and Citicorp (collectively, Defendants) withheld more money from Schnucks following a data breach at Schnucks than their contract allowed. Schnucks brought declaratory judgment and breach of contract claims, and Defendants brought a declaratory judgment counterclaim. Both parties moved for judgment on the pleadings. Defendants аppeal from the district court‘s1 order denying their motion for judgment on the pleadings and granting Schnucks‘s motion for judgment on the pleadings. Defendants also appeal from the district court‘s order denying their motion for reconsideration, or in the alternative for leave to amend their pleadings. We affirm.

I.

First Data served as Schnucks‘s credit card processor. Citicorp served as its acquiring bank. When a merchant such as Schnucks makes a credit card transaction, the acquiring bank pays the merchant and is reimbursed by the bank that issued the credit card (the issuing bank). The acquiring bank sponsors the merchant into credit card association networks, in this case Visa and MasterCard (the Associations), and vouches for the merchant‘s compliance with the Associations’ rules. The Associations’ rules provide that the Associations may issue fines against the acquiring bank in the event of a cardholder data breach and assess against the acquiring bank the costs of monitoring or cancelling at-risk cards and the amount of fraudulent charges on the at-risk cards.

The contract between the parties consists of a Master Services Agreement (MSA) between Schnucks and First Data and a Bankcard Addendum executed by Schnucks, First Data, and Citicorp. The Bankcard Addendum incorporates First Data‘s Operating Procedures, and the Bankcard Addendum and First Data‘s Operating Procedures incorporate the rules and regulations of the Associations.2 The contract imposes upon Schnucks a broad duty to indemnify Defendants for Schnucks‘s breach of contract. Under § 4.9 of First Data‘s Operating Procedures, a dеtermination by the Associations that Schnucks is responsible for a data breach requires Schnucks to pay Defendants for “Data Compromise Losses,” defined as “all related expenses, claims, assessments, fines, losses, costs, and penalties and Issuer reimbursements” that the Associations impose on Defendants.

Under § 5.4 of the MSA, however, Schnucks‘s liability is limited to $500,000, with certain exceptions:

Limitation of Liability. Notwithstanding anything in this MSA and any addenda to the contrary, Customer [Schnucks], FDMS [First Data] and its affiliates’ cumulative liability for all losses, claims, suits, controversies, breaches, or damages for any cause whatsoever (including, but not limited to, those arising out of or related to this MSA and any addenda) ‍‌‌‌‌​​​‌​​​​‌‌​​‌​‌​‌‌‌‌​‌‌‌​‌‌‌​​‌​​‌​​​​​‌‌‌​‌‍and regardless of the form of action or legal theory shall not exceed $500,000. Notwithstanding the foregoing, [Schnucks], [First Data] and its affiliates’ cumulative liability for its breach under Section 25 (Data Security) shall not exceed $3,000,000.... This Section 5.4 limitation of liability shall not apply to [Schnucks‘s] liability for chargebacks, servicers’ fees, third party fees, and fees, fines or penalities [sic] by the Association or any other card or debit card, provided under this MSA or any addenda.

Section 13.3 of the Bankcard Addendum defines “third party fees” as “all fees and charges ... without limitation, of any Credit Card Association, Network, card-issuing organization, telecommunications provider, federal, state, or local governmental authority (each a ‘Third Party‘) including, without limitation any switch fee, issuer[] reimbursement fee, adjustment fee, interchange fee, assessment fee or access fee[] (collectively, [‘]Third Party Fees‘).” The contract also permits Defendants to retain in a reserve account funds that Schnucks owes them.

In March 2013, a cyber-attack against Schnucks compromised cardholder data. MasterCard assessed a case-management fee against Citicorp, as well as costs to reimburse issuing banks for card monitoring and replacement and for fraudulent charges. Citicorp projected the total amount of Visa‘s assessmеnt based on MasterCard‘s assessment. Based on these assessments and projections, First Data established a reserve account, and Defendants have withheld more than $500,000 from Schnucks‘s credit transactions.

Schnucks‘s breach of contract and declaratory judgment action alleges that the limitation of liability provision establishes a $500,000 cap on its liability for the assessments against Citicorp. Defеndants’ counterclaim seeks a declaration that the limitation of liability provision does not apply to fees charged by the Associations as a result of a cyber-attack, or fees, fines, or penalties charged by the Associations for a merchant‘s non-compliance with Payment Card Industry Data Security Standards. Defendants moved for judgment on the pleadings. Schnucks filed a cross-motion for partial judgment on the pleadings, seeking judgment on Schnucks‘s and Defendants’ declaratory judgment claims but not on Schnucks‘s breach of contract claim.

The district court granted Schnucks‘s motion and denied Defendants’ motion, holding that the assessments for issuing banks’ losses were not “third party fees” or “fees, fines or penalties,” and thus did not fall within the exception to limitation of liability set forth in the last sentence of § 5.4 of the MSA. The court reasoned that Defendants would have used the term “Data Compromise Losses” (or similar language) in § 5.4 had they intended to exclude these losses from the limitation of liability. The court explained that the plain meaning of the term “fee” is a payment for a service, not reimbursement for another‘s losses; furthermore, the court noted that the portions of the contract сoncerning fees do not mention reimbursement for data compromise events and that the portions concerning data compromise events do not refer to fees. The court ruled that the terms “fine” and “penalty” describe sums imposed as a punishment and do not include within their purview data compromise losses. The court concluded that it would be unreasonable to impose liability on Schnucks for all of Defendants’ losses, for to do so would render the limitation of liability provision meaningless.

The court also determined that the parties had not raised as an issue the Bankcard Addendum‘s § 25 $3,000,000 limit regarding breaches of data-security standards. Accordingly, the district court entered a declaratory judgment that Schnucks‘s liability for the issuing banks’ losses is capped at $500,000, and that Defendants must return the funds that they rеtained in excess of $500,000, plus the amount of the Visa fine and MasterCard case management fee. Defendants moved for reconsideration, or in the alternative for leave to amend their pleadings, arguing in part that the district court had erred in holding that Defendants had failed to raise the issue of the $3,000,000 limitation of liability. As stated earlier, Defendants now appeal from the grant of Schnucks‘s motion for judgment on the pleadings and the denial of their motion for reconsideration or leave to amend.

II.

A. Jurisdiction

We have jurisdiction over final decisions of the district courts. 28 U.S.C. § 1291. Schnucks‘s breach of contract claim is still pending before the district court and has been stayed during this appeal, but the district court certified its order granting Schnucks‘s motion for judgment on the pleadings as a final judgment under Federal Rule of Civil Procedure 54(b). We concludе that it did not abuse its discretion in ruling that the ‍‌‌‌‌​​​‌​​​​‌‌​​‌​‌​‌‌‌‌​‌‌‌​‌‌‌​​‌​​‌​​​​​‌‌‌​‌‍order was final and that there was no just reason for delay. See (“We review a district court‘s decision to grant Rule 54(b) certification for abuse of discretion.“).

Defendants’ motion for certification requested certification of the January 15 order regarding judgment on the pleadings, not the July 31 order denying their motion for reconsideration or leave to amend. Althоugh the district court‘s judgment granting certification mentions only the January 15 order, its memorandum and order preceding the judgment stated: “Defendants now move for certification of the Court‘s January 15, 2015 Order ... allowing them to file an interlocutory appeal of both the January 15 and July 31, 2015 Orders in the Eighth Circuit.” D. Ct. Order of Nov. 6, 2015, at 2. Defendants’ notice of appeal states that they appeal from both orders. We conсlude that the district court intended to certify both the January 15 order and the July 31 order and that we thus have jurisdiction to review both orders.

B. Judgment on the Pleadings

“We review de novo the district court‘s entry of judgment on the pleadings.” . A motion for judgment on the pleadings should be granted when, accepting all facts pled by the nonmoving party as true and drawing all reasonable inferences from the facts in favor of the nonmoving party, the movant has clearly established that no material issue of faсt remains and that the movant is entitled to judgment as a matter of law. We apply Missouri substantive law in light of the parties’ agreement that the MSA provides that Missouri law shall govern the MSA and any addenda.

At the outset, we reject Defendants’ argument that the limitation of liability does not apply to Schnucks‘s indemnity obligation for assessments against Defendants by the Associations. Defendants forfeited this argument because they did not raise it in the district court, but it would fail even if it had been preserved. Under § 5.4 of the MSA, the limitation of liability applies to “all losses, claims, suits, controversies, breaches, or damages for any cause whatsoever (including, but not limited to, those arising out of or related to this MSA and any addenda) and regardless of the form of action or legal theory.” The assessments in this case not only fit within this broad provisiоn, but would also qualify as “arising out of or related to this MSA and any addenda,” because Schnucks‘s indemnity obligation to Defendants for the assessments arises from the contract.

Defendants argue that the MSA does not limit Schnuck‘s liability for the assessments for issuing banks’ losses. As recounted above, § 4.9 of First Data‘s Operating Procedures requires Schnucks to indemnify Defendants for “Data Compromise Losses.” Section 5.4 of the MSA limits Sсhnucks‘s liability to $500,000, but carves out liability for “third party fees” and “fees, fines or penalties” imposed by the Associations. Defendants argue that the assessments for issuing banks’ losses fall within one or both of these carve-outs.

“The interpretation of a contract, including whether it is ambiguous, is a question of law.” (citing ). “When a contract uses plain and unequivocal ‍‌‌‌‌​​​‌​​​​‌‌​​‌​‌​‌‌‌‌​‌‌‌​‌‌‌​​‌​​‌​​​​​‌‌‌​‌‍language, it must be enforced as written.” (quoting ). “To dеtermine whether a contract is ambiguous, we consider the instrument as a whole, giving the words contained therein their ordinary meaning. A contract is not ambiguous merely because the parties dispute its meaning.” (citations omitted). Because the contract at issue is unambiguous, it must be enforced as written.3

Defendants argue that the term “third party fees” includes the issuing banks’ losses because § 13.3 of the Bankcard Addendum expansively defines “third party fees” as “all fees and charges ... without limitation” imposed by a third party. Defendants contend that the assessments for issuer losses are thus carved out of Schnucks‘s limitation of liability. The Missouri Court of Appeals has defined the term “fee” as “a sum paid or charged for a service.” . Defendants argue that the terms “fees and charges” may be defined more broadly as an аmount of money that must be paid. Reading the contract as a whole, however, it is apparent that the parties intended the narrower definition. Section 13 of the Bankcard Addendum refers to “fees for Services.” The list of specific fees and charges in § 13.3—“any switch fee, issuer[] reimbursement fee, adjustment fee, interchange fee, assessment fee or access fee“—militates in favor of сonstruing “fees and charges” as payments for services. The assessments imposed by the Associations here do not qualify as payments for services, because they are imposed to compensate issuing banks for losses they sustained as a result of a data breach, not as compensation for performing services. Moreover, the assessments do not fall within the enumerated fees аnd charges set forth in § 13.3 of the Bankcard Addendum, including “issuer reimbursement fees.”4 Accordingly, the assessments are not carved out from Schnucks‘s limitation of liability as “third party fees.”

Defendants also argue that the assessments for issuer losses are carved out from the limitation of liability because they constitute “fees, fines or penalties” imposed by the Associations. We disagree. Having already concluded that the assessments for issuer losses are not “fees,” we conclude that they also do not qualify as “fines or penalties.” “The ordinary meaning of a ‘fine’ or ‘penalty’ is not compensation or reparation for an injury; rather, it is a sum imposed as punishment.” (en banc). The assessments for issuer losses are more accurately defined as “compensation or reparation for an injury” and not as “a sum imposed as punishment.” In addition to the plain meaning of the terms “fines” and “penalties,” the Associations’ rules also indicate that the assessments for issuer losses are not “fines” or “penalties.” The rules allow the Associations to impose fines for violations of data-security standards, but describe their programs to compensate issuing banks for data compromise event losses as methods of reimbursement, not fines or рenalties. Thus, in reading the contract as a whole and in light of the plain meaning of the terms “fine” and “penalty,” the district court did not err in holding that the assessments for issuing banks’ losses do not constitute “fines or penalties.”

Even if the text of the carve-outs in § 5.4 of the MSA did not decide the matter, the use of broader language elsewhere in the contract would indicate that the carve-outs should be read narrowly. For example, as set forth in § 4.9 of First Data‘s Operating Procedures, Schnucks must indemnify Defendants for “Data Compromise Losses,” which includes “all related expenses, claims, assessments, fines, losses, costs, and penalties and Issuer reimbursements.” Similarly, § 5.4 of the MSA limits liability “for all losses, claims, suits, controversies, breaches, or damages for any cause whatsoever.” Had the parties intended to include reimbursements to issuing banks within the carve-outs from Schnucks‘s limitation of liability, they would have used more expansive language than simply “fees, fines or penalties.”

Defendants argue that the contract is ambiguous because Schnucks‘s interpretation leads to the commercially unreasonable result of requiring Defendants to act as Schnucks‘s insurer. The parties disagree whether a commercially unreasоnable result renders a contract ambiguous or whether commercial unreasonableness becomes relevant only after the court determines that the contract is ambiguous. We need not decide this question, because the underlying business arrangement, which represents Defendants’ choice to vouch for Schnucks‘s compliance with data-security standards, is not rendered commercially unreasonable merely because the limitation on Schnucks‘s liability is broader than Defendants now wish it to be.

We further hold that the district court did not misapply the standard for judgment on the pleadings in concluding that Defendants had not raised the issue of the separate $3,000,000 limitation of liability. Defendants’ briefing on the cross-motions for judgment on the pleadings did ‍‌‌‌‌​​​‌​​​​‌‌​​‌​‌​‌‌‌‌​‌‌‌​‌‌‌​​‌​​‌​​​​​‌‌‌​‌‍not argue that the $3,000,000 limitation of liability for breach of § 25 of the Bankcard Addendum applied. In any event, § 25 of the Bankcard Addendum concerns “fines” for violations of data security standards and, as discussed above, the assessments in question were not “fines.”

C. Reconsideration or Leave to Amend Pleadings

We review for abuse of discretion a district court‘s decision on a motion for reconsideration or leave to amend under Rule 54(b). See . A party that moves for leave to amend after the deadline in a scheduling order has passed must show good cause under Rule 16(b), the primary measure of which is the movant‘s diligence in attempting to comply with the scheduling order. . District courts “have considerable discretion to deny a post-judgment motion for leave to amend because such motions are disfavored.” .

We conclude that the district court did not abuse its discretion in denying Defendants’ motion for reconsideration or leave to amend, which essentially restated their assertions of error regarding judgment on the pleadings. Further, Defendants have not shown good cause for leave to amend. Defendants argue that “the need to amend was only brought to light by the District Court‘s conclusion that, notwithstanding the allegations in Defendants’ Answer and Counterclaim, Defendants ‘did not allege that Schnucks was either negligent or PCI DSS noncompliant.‘” Appellants’ Br. 47. As the district court stated, “Defendants are responsible for pleading their case without the Court‘s assistance.” D. Ct. Order of July 31, 2015, at 9.

III.

Neither carve-out from the limitation of liability applies to the assessments that the Associations imposed on Defendants. The district court did not misapply the standard for judgment on the pleadings and did not abuse its discretion in denying Defendants’ motion for reconsideration or leave to amend.

The judgment is affirmed.

ROGER L. WOLLMAN

UNITED STATES CIRCUIT JUDGE

Notes

1
The Honorablе John A. Ross, United States District Judge for the Eastern District of Missouri.
2
Defendants argue that the Associations’ rules are not incorporated into the agreement, or that only the rules applicable to the relationship between the parties are incorporated. We disagree. Although § 4 of the Bankcard Addendum merely requires Schnucks to comply with “all applicable Association Rules,” § 25 requirеs Schnucks to “follow the Operating Procedures and comply with Association Rules as they may each be amended from time to time.” And § A of First Data‘s Operating Procedures states that Schnucks “should consult the Card Organization Rules for complete information and to ensure full compliance with them.” Moreover, ¶ 17 of Schnucks‘s Complaint alleged that “[t]he operating regulations of Visa and MasterCаrd are expressly incorporated by reference as part of the Agreement,” which Defendants admitted in ¶ 17 of their Answer. The Associations’ rules are thus incorporated into the agreement, even to the extent that they do not directly govern the relationship between Schnucks and Defendants.
3
Defendants argue that the district court erroneously adopted the parties’ agreement that the contract was unambiguous, rather than making this determination for itself. See (holding that Missouri law requires that “the court must first determine as a matter of law whether a contract is ambiguous“). We disagree. The district court determined that the plain language of the contract decided the questions presented in this case, which to us indicates that the court had determined for itself that the contract was unаmbiguous and had not relied solely on the parties’ agreement to that effect.
4
The district court noted that the term “issuer reimbursement fees” appears in MasterCard‘s rules, but only in the limited context of an excessive chargeback. Defendants argue that the district court “cherry picked” from ‍‌‌‌‌​​​‌​​​​‌‌​​‌​‌​‌‌‌‌​‌‌‌​‌‌‌​​‌​​‌​​​​​‌‌‌​‌‍MasterCard‘s rules in considering the use of the term “issuer reimbursement fees” and did not look at Visa‘s rules. Defendants do not point to any use of this term in Visa‘s rules, however, and we have found none.
Read the detailed case summary