As reported previously, the CardSystems security breach has resulted in a lawsuit brought by a merchant bank (Merrick Bank) against CardSystems’ security assessment company (Savvis). The suit alleges that Savvis negligently certified CardSystems’ security as compliant with Visa’s Card Information Security Program (“CISP”), and negligently represented that CardSystems was compliant. Earlier this month Savvis filed a motion to dismiss this case. This post summarizes and explores that motion.
Choice of Law
The threshold issue addressed by Savvis is which State’s law applies to this case (the choices appear to be Utah, Missouri or Arizona). This question is extremely important with respect to Savvis’ statute of limitations argument. Under Arizona law, the time limit for filing negligence and negligent misrepresentation claims is two years. It may be longer in other States, such as Utah and Missouri, which will be Merrick’s counter-argument (note that Savvis contends that Merrick Bank’s original filing of this lawsuit in Missouri was a blatant attempt to avoid Arizona’s two-year statute of limitations). While this post will not go into the intricacies of the choice of law analysis, it will point out one fact that could hurt Merrick Bank. Both Merrick Bank and Savvis were sued previously by Cumis Insurance Society because of the CardSystems breach (Cumis represents credit unions acting as issuing banks that allegedly incurred expenses because of the breach — the Cumis case is still pending and the subject of a future post). In the Cumis case Merrick Bank previously took the position that Arizona law applied to the CardSystems breach, and a Federal court in California agreed with Merrick. While this circumstance is not the ultimate determining factor on this issue, it will make it more difficult for Merrick Bank to avoid the imposition of Arizona law. It will be interesting to see what Merrick Bank comes back with in its reply brief.
Statute of Limitations
Savvis’ first argument for dismissal is procedural in nature. It argues that Merrick Bank failed to file its lawsuit within Arizona’s two-year statute of limitations (“SOL”). The SOL analysis involves determining when the causes of action “accrued” and calculating how much time elapsed since the accrual date. In Arizona, the SOL begins to run when the plaintiff knew or by reasonable diligence should have known of the defendant’s alleged tortious conduct. In this case, Savvis has what appears on its face to be a very favorable timeline: Savvis argues that Merrick Bank’s claims accrued no later than July 2005, and its filing of suit on May 12, 2008 was more than three years after that date.
Savvis’ contention is based on Merrick’s allegation that it knew that CardSystems was not CISP compliant “immediately” after CardSystems’ May 2005 breach. In addition, the post-incident forensic report allegedly indicated that CardSystems was not CISP compliant at the time Savvis issued its June 2004 Report on Compliance. Savvis also points to Merrick Bank’s January 20, 2006 lawsuit against CardSystems as evidence that it should have known by reasonable diligence that it had a potential claim against Savvis. In other words, if Merrick Bank knew it had a claim against CardSystems in January 2006, why didn’t it reasonably know of Savvis’ alleged tortious conduct at that time? Note that even if the January 2006 date is the accrual date, Merrick Bank still would not make the two-year SOL.
In addition to its SOL argument, in the alternative, Savvis claims that Merrick’s complaint failed to adequately allege negligence and negligent misrepresentation.
Dismissal of Negligence and Negligent Misrepresentation
Savvis argues that, even if its position on the SOL is wrong, Merrick Bank’s negligence and negligent misrepresentation allegations are flawed and should be dismissed. Savvis first addressed the negligent misrepresentation claim, citing Restatement section 552(2), which limits negligent misrepresentation liability to loss suffered:
(a) by the person or one of a limited group of persons for whose benefit and guidance he intends to supply the information or knows that the recipient intends to supply it; and
(b) through reliance upon it in a transaction that he intends the information to influence or knows the recipient so intends or in a substantially similar transaction.
Based on the comments associated with section 552(2) and Arizona caselaw, Savvis maintains that it can only be liable where the maker of the representation intends to reach a particular person or group known to Savvis, and distinct from the larger class who might reasonably be expected to have access to, and take action in reliance upon, such information. Savvis maintains that Merrick was not part of a defined group for whose benefit Savvis provided its representation of CardSystems’ CISP compliance. Savvis argues that Merrick’s claim should be dismissed because Savvis did not make any representation directly to Merrick intending to influence its behavior “distinct from the much larger class” of acquiring banks involved with the Visa and Mastercard systems. Rather, Savvis made its representation directly to CardSystems and the card brands. Savvis also pointed to the Court’s prior decision in the lawsuit filed by Cumis against Savvis. In that case the same Court dismissed a negligent representation claim because no representations were made to Cumis or its insureds (issuing banks) distinct from the larger class of participants in the Visa and Mastercard systems (as stated above, this blog will have more on that decision soon). Finally, from a public policy perspective, Savvis indicated that interpreting section 552 more broadly would subject it to limitless potential exposure.
In addition, Savvis made quick work of Merrick’s negligence claim. According to Savvis, under Arizona law “providers of professional information” such as Savvis may be sued only for negligent misrepresentation. Savvis contends that plaintiffs are not permitted to avoid the limitations set forth in section 552 simply by alleging a general negligence claim. Significantly, Savvis did not directly attack the merit of negligence claims on the basis of whether it owed any duty to Merrick Bank. (UPDATE — 062409: as one reader points out, by claiming that the negligence claim is subsumed into the negligent misrepresentation claim, one could say that Savvis is indicating that they owe no duty under a pure negligence theory. I have not read the citations within the case so I don’t know if that is the case).
The procedural aspects of this case, including the previous transfer of this matter from a Missouri court, as well as the choice of law, will have a significant impact on the case moving forward. Considering Merrick Bank’s prior indication that Arizona law applies, it appears that Savvis has a solid statute of limitations argument that could kick the case out before any hearing on the merits occurs (which will keep the rest of the world in the dark on the substantive merits of this case). On this issue it will basically come down to when Merrick Bank knew, or reasonably should have known, it had a case against Savvis. Obviously Savvis is going to argue for the earliest date possible. Expect Merrick to come back with its own analysis on how it took longer for it to “discover” a valid claim against Savvis (e.g. perhaps the “necessary” facts of Savvis’ alleged culpability only came out after depositions or other discovery in the CUMIS case). To the extent there are any factual issues wrapped into this analysis, the Court might pass on a motion to dismiss and allow the litigants to engage in some discovery (at least limited to this issue).
On the merits, as previously predicted, the main issue is whether Merrick Bank is a “person” or “one of a limited group” for whose benefit Savvis supplied the CISP certification information. This is going to be a close question. Unlike issuing banks or their insurers (as referred to by Savvis in relation to the Cumis lawsuit), processors like CardSystems have a direct contractual relationship with acquiring banks. That relationship requires processors, before acquiring banks can retain them, to certify compliance with payment card standards such as CISP. It is difficult to argue that security assessors in this space do not know this. In addition, it can be argued that these assessments are intended for the direct benefit of acquirers. Not only do they give acquiring banks an indication that the risk of credit card fraud is decreased, they also allow them to avoid contractually mandated fines, penalties and recovery costs in the event of a security breach or otherwise.
It will be interesting to see Merrick’s response on this matter. Note that even if this lawsuit does survive a motion to dismiss, there are other fact-based arguments that may allow this case to be dismissed on a different motion (e.g. motion for summary judgment). Not only will the issue of intended class of persons be attacked by Savvis, but also the matter of whether Merrick Bank relied on Savvis’ assessment (and not some other factor) will be tested. More to come in the next few weeks. Stay tuned.