CUMIS Insurance Society and the credit unions it insures have failed in their lawsuit against BJ’s Wholesale Club and Fifth Third Bank over a 2004 breach that affected 9.2 million cardholders.
The background of the case, as summarized in the court opinion:
In February, 2004, Visa and MasterCard determined that computer thieves had gained access to the computer systems on which BJ’s stored credit card transaction data at more than 150 stores, and that the breach had been ongoing since July, 2003. The breach provided the thieves access to the full magnetic stripe data from approximately 9.2 million cardholder accounts, allowing them access to cardholder names, account numbers, account expiration dates, and proprietary Visa and MasterCard security data. It was ultimately determined that the third-party transaction processing software used by BJ’s was permanently storing the magnetic stripe data in transaction logs. The agreements between BJ’s and Fifth Third contained a requirement that BJ’s comply with Visa and MasterCard’s regulations, including those prohibiting BJ’s from storing any magnetic stripe data after a transaction was completed; the agreements among Fifth Third and Visa and MasterCard required Fifth Third to ensure that its merchants complied with the regulations. BJ’s conceded that it was retaining the magnetic stripe data.
Visa and MasterCard notified all their member issuing banks that had issued any of the possibly compromised accounts. In response to this notification, the plaintiff credit unions closed all their potentially compromised accounts, without regard to whether fraudulent charges had been made on a particular account; advised cardholders to destroy their old plastic credit cards; and issued new account numbers and new plastic credit cards to all affected cardholders. Cumis paid the plaintiff credit unions millions of dollars for fraudulent transactions made using the compromised accounts; the plaintiff credit unions and Cumis then commenced this action.
The credit unions and their insurer, Cumis, argued that they were third-party beneficiaries of contracts between card brands and Fifth Third and between BJ’s Wholesale Club and Fifth Third. The court did not agree. Jeff Gorman reports that
The trial court sided with BJ’s, and the state high court affirmed, saying the contract was exclusively between BJ’s and Fifth Third.
The contract stated: “This agreement is for the benefit of, and may be enforced only by, (Fifth Third) and (BJ’s) … and is not for the benefit of, and may not be enforced by, any third party.”
The court also tossed fraud and negligence claims against BJ’s and Fifth Third Bank, saying they never misled the credit unions and Cumis about their compliance with Visa and MasterCard regulations.
Related: Court Opinion (pdf)
Update: Jaikumar Vijayan pf Computerworld also covers this story.