Allegations That PCI Fines Violate Public Policy Survive Summary Judgment

Published: Jul. 25, 2013

Updated: Oct. 05, 2020

In a closely watched case involving data breaches and the ensuing fines that the card associations often impose, clothing company Genesco has prevailed against Visa’s motion to dismiss Genesco’s claims related to California’s Unfair Competition Law (UCL) and unjust enrichment/restitution. Perhaps most significantly, the court agreed that Visa’s actions in imposing $13M in fines could be a violation of public policy.

Genesco’s initial suit resulted from a breach that it had discovered in late 2010.   The intrusion involved installation by hackers of packet-sniffing software to acquire unencrypted credit card data as it transited the network.  The PCI standard at the time, according to Genesco, permitted such cleartext transmissions of credit card numbers.  Following the breach and investigation, Visa assessed fines of $13M against Genesco under the credit card association rules.  Unwilling to simply pay the fines, Genesco instead filed suit against Visa alleging tort claims of breach of contract, breach of implied covenant of good faith and fair dealing, and unjust enrichment, and a separate claim under California’s UCL.

In its motion to dismiss, Visa argues that (1) Genesco cannot rely on Visa’s contracts with the banks (and the express provisions authorizing the fines and assessments) for an actionable claim under California’s UCL; (2) Genesco has not adequately pled fraud for its claim under the UCL; (3) restitution is unavailable to Genesco since it was not a party to Visa’s agreements with the banks under which the fines and assessments were imposed; and (4) the express provisions of Visa’s contracts with the banks preclude Genesco’s common law claims for equitable relief. Genesco refutes each one of these, stating that its UCL claims are actionable and it has properly pled fraud.

In its decision, the court found that UCL claims may proceed if based upon contracts of commercial entities where breaches of such contracts would violate public policy or harm competition or consumers. Here, Genesco asserted claims that Visa’s fines and assessments against the banks (which Genesco actually paid) had no factual basis and were contrary to Visa’s agreements with the banks. Further, Genesco argued that the fines and assessments were contrary to the forensic evidence from the cyberattack on Genesco’s computer system.

The court concluded by stating that “Visa’s alleged imposition of more than $13 million dollars in fines and assessments, without a factual basis and in violation of Visa’s standards, impacts retail transactions involving consumers, retail merchants and other banks and implicate fairness in the credit and debit card markets. Thus, the Court concludes that Genesco’s UCL and common claims under California law are actionable.”

Are the fines that Visa and other card associations assess in data breach cases illegal and against public policy?  While many affected retailers might immediately say “yes”, this case will be interesting to watch as it continues to proceed through the courts trying to answer that question.