The Merrick Bank v. Savvis lawsuit has the potential to change the liability dynamic of the PCI regulatory system. The Savvis case is one of the first known instances of a payment card security assessor being sued by a merchant bank (the merchant bank is a third party relative to the Savvis-CardSystems relationship). The Merrick Bank complaint alleges that it relied on Savvis’ certification of CardSystems as Visa CISP compliant (this matter pre-dated the PCI standard), and that the certification was false. After CardSystems suffered a breach exposing up to 40 million payment card records, Merrick allegedly incurred $16 million in payments to the card brands (which were ultimately transferred to the issuing banks that suffered losses arising out of the CardSystems breach).
If Savvis is held liable (or even if this case makes it past a motion to dismiss or a motion for summary judgment), it has the potential to significantly modify the relative risk borne by PCI qualified security assessors, and in turn to modify the PCI regulatory scheme. This post discusses the two theories of liability alleged by Merrick: (1) negligence; and (2) negligent misrepresentation.
Please note, while I am an attorney, this post does not in any way constitute legal advice or a legal opinion, and should not be relied upon to take any action or be the basis for any inaction. The law related to this case is complex and varies from jurisdiction to jurisdiction, and over time. If you are interested in a full legal analysis of potential security assessor liability in a particular jurisdiction, please contact me directly at firstname.lastname@example.org
One further note: the basic rules and general information in this document were derived from various legal research sources. However, one book in particular provided excellent information on the liability of service providers to third parties. Please check it out, and purchase it: Professional Liability to Third Parties (Jay M. Feinman).
UPDATE: Other bloggers/mags are putting together some nice analysis of this case as well: here, here
In order to understand the theories of liability alleged by Merrick, it is important to spot the specific factual allegations that will ultimately support those theories. The key allegations, which are repeated throughout the complaint, include:
- Merrick would not allow CardSystems to process Card Transactions until it was certified as CISP compliant
- Savvis was specifically retained to certify CardSystems as CISP compliant, and did so pursuant to a Report on Compliance issued to VISA
- Upon learning of the results of Savvis’s Report on Compliance (after CardSystems was listed by Visa as CISP compliant) Merrick allowed CardSystems to serve as its processor
- According to a post-incident forensic analysis, at the time Savvis issued the ROC, CardSystems had been improperly and continuously storing unencrypted cardholder data
- Savvis provided the ROC to VISA for the express purpose and with knowledge that Visa would publish the ROC, and that merchant banks would rely on it to determine whether CardSystems met the CISP standard
- It was reasonably foreseeable to Savvis that merchant banks would rely on its report
- Savvis knew or should have reasonably known that its certification of CardSystems was directly for the benefit and guidance of merchant banks
The key threshold issue in this case is whether Savvis owed any duty of care to Merrick with respect to the security assessment it provided to CardSystems, and if so, the extent of that duty. Note that the typical method for establishing a duty in a professional services context is via a contract (when two parties are bound contractually they are said to be in “contractual privity”). In this case, Savvis likely had a contract with CardSystems to perform an assessment, but did not have a direct contractual relationship with Merrick. The lack of contractual privity is the main legal obstacle faced by Merrick. Are there other, non-contractual theories of liability that apply to Savvis in this context? Merrick Bank has alleged negligence and negligent misrepresentation against Savvis.
In the professional service provider/client relationship, negligence is typically a valid theory of liability. For example, it is the basis for many malpractice claims against lawyers, doctors, accountants and architects. The validity of a negligence claim is trickier when a third party alleges it. The key analysis is whether the service provider owed any duty to the third party to perform its services in a reasonable and competent manner. Unfortunately, this is not an easy question to answer under the law. There are several different tests courts use to make this determination, and different jurisdictions may apply different tests or apply the same test in divergent ways. In addition, whether a duty exists will rest heavily on the particular facts of the case at hand. That said, in general, some courts are wary of circumstances that would result in unlimited downstream liability for service providers. The following is a brief description of two of the main tests:
- Foreseeability. In the most basic approach to determining whether a duty exists, the court asks whether the defendant’s actions create a foreseeable risk of harm to the third party plaintiff. Typically both the plaintiff and the risk of harm must be foreseeable. This approach is criticized by some on the basis that the concept of “foreseeability” is unbounded and can extend extremely far.
- Balance of Factors Test. This test treats foreseeability of harm to the plaintiff as only one of several factors in determining whether a duty exists. Other potential factors include: the extent to which the transaction was intended to affect the plaintiff; the degree of certainty that the plaintiff suffered injury; the closeness of the connection between the defendant’s conduct and the injury suffered; the moral blame attached to the defendant’s conduct; and the policy of preventing future harm. After argument by the parties, all of these factors are weighed by the court, which then determines whether a duty exists.
Other jurisdictions employ variations of these tests. In Wisconsin state courts, for example, if it is foreseeable that the service provider’s actions could harm a third party, a duty exists unless overriding public policy considerations preclude it. Some courts employing the balance of factors test focus on the relationship between the parties, and specifically on whether there was any indication that a third party was the intended beneficiary of the professional services rendered.
One more important factor with respect to negligence: even if a duty is found to exist as to a third party, the “economic loss doctrine” may bar recovery of any “economic loss” (loss that is not a personal injury or property damage). This doctrine is also complex and applied differently depending on the jurisdiction. In some jurisdictions it does not apply when services are at issue (as opposed to products). In other jurisdictions, “professional services” such as those provided by lawyers or accountants are not protected by the rule. However, if the rule does apply, it can wholly eliminate the type of damages being claimed by banks like Merrick (and in fact it has been used to dismiss negligence claims by issuing banks for security breaches in the TJX and BJ’s Wholesale cases).
Similar to the accountancy field, the payment card security assessment field involves an act of attestation. That is, an opinion/representation as to the status of a company’s financial statements (for accountants) or its security status against a particular standard (for security assessors). If these “representations” are purposely false or simply incorrect because of mistakes, plaintiffs may have an action for fraud or “negligent misrepresentation.” Merrick alleges in this case that Savvis’s certification of CardSystems was a negligent misrepresentation because in reality CardSystems was not CISP compliant. As with negligence claims (which often overlap with negligent misrepresentation claims, because both require proof of a failure to meet the standard of due care), the approaches employed with respect to this theory vary by jurisdiction.
The original position adopted by most courts concerning negligent misrepresentation was that third parties not in privity of contract (or “near privity”) could not utilize this theory of liability (see Ultramares v. Touche, 1931). The sixty-year reign of the Ultramares case began to erode in the 1960s based on new case law and the eventual adoption of Section 552 of the Restatement (Second) of Torts, which represents the modern approach to service provider negligent misrepresentations to third parties. Section 552 states in relevant part:
(1) One who, in the course of his business, profession, or employment, or in any other transaction in which he has a pecuniary interest, supplies false information for the guidance of others in their business transactions, is subject to liability for pecuniary loss caused to them by their justifiable reliance upon the information, if he fails to exercise reasonable care or competence in obtaining or communicating the information.
(2) * * * the liability stated in Subsection (1) is limited to loss suffered (a) by the person or one of a limited group of persons for whose benefit and guidance he intends to supply the information or knows that the recipient intends to supply it; and (b) through reliance upon it in a transaction that he intends the information to influence or knows that the recipient so intends or in a substantially similar transaction.
Interestingly, if you read the Merrick complaint (or the relevant allegations laid out above) you will see that many of the words used in Section 552 are copied verbatim.
Many of the elements in subsection (1) are satisfied in a typical attestation situation. In this case it is not a stretch to say that security assessors supply information that is relied upon by third parties. However, plaintiffs must establish that their reliance was justified, and the more direct the reliance the better their chances. So if other factors drove Merrick’s decision to engage CardSystems and CISP certification was secondary, the issue of reliance may be more difficult to establish.
In addition, in some cases it may be difficult to establish that the information was “false” (especially when gray areas of interpretation are involved). Likewise, in some cases it may be a challenge to establish that the security assessor violated his or her duty of care: if the assessor’s opinion was reasonable, the plaintiff may not be able to establish this element. Of course, if there are obvious (“black and white”) mistakes, such as the failure to encrypt stored cardholder data or the storage of track data, this element will be less difficult to establish.
The elements in subsection (2) of Section 552 require both that the service provider know of the person or limited group of persons that will receive benefit or guidance from the opinion, and that the service provider (or the recipient of the information, e.g. CardSystems or VISA) intend the information to influence the plaintiff with respect to a transaction. These knowledge and intent issues often ultimately determine the failure or success of a plaintiff’s case.
The application of these knowledge and intent requirements may vary by jurisdiction. Some take a narrow view and require that the service provider specifically intended to induce the plaintiff’s reliance for a particular transaction (e.g. the service provider would have had to know of the transaction, and know that its opinion was the key information inducing the plaintiff to go through with it). In other jurisdictions, the service provider may only need to know of the potential users of the information and the potential use of the information. In addition, some courts may require actual knowledge of the potential users of the information, while others may allow this element to be satisfied if the service provider had reason to know of potential users/uses of the information.
One item to note again with respect to the economic loss doctrine. While it often blocks plaintiffs from recovering under negligence theories, in some jurisdictions the doctrine is inapplicable to fraud and negligent misrepresentation claims. So if a plaintiff can establish a negligent misrepresentation claim, it may have a good route to recovery.
Lastly, it must be noted that the negligent misrepresentation claim has already been utilized by issuing banks against a merchant in the TJX case. Although the context is different (TJX involves a merchant’s misrepresentation as opposed to a security assessor’s misrepresentation), an appellate court refused to dismiss a negligent misrepresentation claim based on indirect representations of CISP compliance. Thus, it may be that the negligent misrepresentation claim against Savvis has some legs.
Conclusion – Observations of the Merrick Case
The Merrick case represents a potential watershed moment for the payment card security assessor industry (and security auditors in general). If liability is found in this case, and especially if case law is created that goes against Savvis, security assessors will be entering the world of lawyers, doctors, accountants and architects. This world involves much higher potential for liability, more need to purchase professional liability insurance, increased costs for merchants employing assessors, more rigorous ethical obligations and potentially a higher level of skill and scrutiny applied to security assessment engagements. Over time, this world could start to look more like the world of accountants.
Unfortunately for security assessors, since there is no contract with the third party through which to obtain contractual protection (limitations of liability or consequential damages disclaimers), it may be difficult to deflect liability. Significantly, as one can ascertain above, whether a plaintiff’s claims are valid in this context may involve a fairly fact-intensive inquiry. In many instances, legal matters that are highly fact-intensive are allowed to proceed past a motion to dismiss or motion for summary judgment, because factual disputes are typically for juries to decide. What this means is litigation leverage for the plaintiffs: with good fact patterns the pressure to settle these cases may be great, since victory may come down to who has the better facts and who can argue those facts the best. Moreover, regardless of the facts, arguing in front of a jury always poses a risk.
Based on the foregoing, it is very difficult to make any predictions concerning the Merrick Bank case. However, the fact pattern in this case appears favorable to Merrick based on the alleged severe violations of CISP and the magnitude of the breach. Merrick has gone out of its way to tailor its allegations to match the legal elements discussed above. Whether those allegations are substantially true remains to be seen. For instance, was CISP compliance truly the make-or-break factor that Merrick relied on to enter into a transaction with CardSystems? The complaint mentions MasterCard’s security program. Was it justifiable and reasonable for Merrick to rely on CardSystems’ CISP certification as a proxy for compliance with MasterCard’s security rules? Will the court require that Savvis have had actual knowledge of, and intent to induce, the particular transaction at issue?
Please note that a potential analogue for security assessors is lawsuits by investors against accountants. Both engage in attestation services that are known, to some degree, to be relied upon by third parties. There are numerous cases going both ways (some finding liability, some not) with respect to accountant liability to investors who relied on inaccurate financial statements.
Finally, one thing to be aware of with respect to negligent misrepresentation: the more clearly a security assessor is made aware that its assessment will be relied upon by a particular third party as the key factor in that party’s decision to engage in a transaction, the more likely a negligent misrepresentation claim will be valid. QSAs brought into an engagement for this purpose should pause and consider the implications of making a mistake.
Regardless of the outcome, this case will be very interesting to watch and it will surely wake the QSA community up. Once we have more information we will put it up on the blog. In the meantime, feel free to contact me with any questions on this matter.