Chain Sues Visa For Breach Fines, May Actually Get Its Day In Court
Apparel chain Genesco (NYSE:GCO) has sued Visa (NYSE:V)—yes, Visa, not the acquiring banks—over the card brand's $13 million in fines due to a 2010 breach. The 2,440-store retailer, which operates the Journeys, Lids and Johnston & Murphy stores, makes the usual arguments: Visa's fines are illegal, Visa broke its own rules, Genesco didn't violate any PCI DSS requirements. (Well, except PCI's First Commandment: Thou shalt not get breached.)
What's interesting here is why Genesco thinks it will get to sue Visa: A month before Visa notified the acquirers of the assessment, Genesco signed a separate agreement with one of the acquirers, Wells Fargo (NYSE:WFC), in which the bank actually signed over its right to sue Visa to Genesco.
If that argument holds up in front of a judge, Genesco may be the first retailer to take Visa to court over a breach assessment—and Wells Fargo may be the first acquirer to save the cost of getting sued by a breached retailer.
Genesco's lawsuit, filed March 7 in U.S. District Court in Nashville, also fills in some of the details of the 2010 breach. At the time it was discovered—by the chain, not Visa—Genesco would only say it was "possible that the credit or debit card number, expiration date and card verification code contained on the magnetic stripe of some payment cards used at stores in the affected chains may have been acquired without authorization during the intrusion."
In the lawsuit, Genesco says that the attackers tried to steal card data "by inserting into Genesco's computer network malicious software ('malware') that employed 'packet sniffer' technology custom designed to acquire account data while the data was in transit through Genesco's computer network on its way to Fifth Third or Wells Fargo for transaction approval. During the course of the Intrusion, the thieves did not target, nor did the thieves access, any stored payment card account information located on Genesco's computer network" [emphasis in the complaint itself].
The chain argues that PCI expressly allows card data to be sent to acquirers unencrypted, so it shouldn't have to pick up the tab for a PCI DSS violation, even though there was malware on its servers. Good luck with that argument, folks.
Genesco also claims Visa didn't follow its own rules, counted some card numbers as compromised when forensic evidence showed that those numbers weren't, and illegally used fines and assessments that are arbitrary and punitive. (Isn't that the definition of a Visa fine?) Those arguments echo those of a breached Utah restaurant a year ago. That case is still in court.
What may be more convincing is the chain's legal stratagem for not having to sue its acquiring banks. In April 2011—a few months after the breach was discovered but before Visa levied its $13,298,900.16 in assessments—the chain and Wells Fargo signed a "reserve agreement," in which Genesco "acknowledged that it had an obligation to indemnify Wells Fargo for the amount of any such assessments, regardless of whether or not the assessment in question was valid under the [Visa International Operating Regulations] or under relevant applicable law."
In exchange, Wells Fargo agreed that, once it had been reimbursed for any assessment, "Wells Fargo would be deemed to have assigned, transferred, and conveyed to Genesco any and all rights, claims or causes of actions that Wells Fargo may have against Visa to obtain reimbursement of any portion of such fine or assessment and that Genesco would be deemed to be fully subrogated to any and all such rights, claims or causes of actions." Rough translation from the legalese: OK, Genesco, you get to sue them instead of me.
Normally, a chain can't sue a card brand because, legally speaking, the chain never has dealings with the card brand. Visa fines Wells Fargo, which is then indemnified in its standard contract by the retailer. In theory, the acquirer could decide to swallow the assessment instead of passing it on or to even sue the card brand itself. (In an equally likely theory, card thieves might decide to turn themselves in and never use stolen card data. Sure, that'll happen.)
If it holds up in court, that agreement will change those ground rules for Genesco and Visa—and probably just for Genesco and Visa, because Visa is likely drafting language for its acquirer's agreement right now that will prevent any of them from signing away their rights in the future.
Still, for Genesco, it may turn out to be a sharp legal strategy for actually getting Visa into court. And when you're out $13 million, a sharp legal strategy is good—but not getting breached is better. End-to-end encryption, anyone?