Co-Authored by: Judy Selby

In a highly anticipated decision, a federal court in Tennessee let stand a retailer’s claims against Visa for violation of California’s Unfair Competition Law (UCL) and for common law claims for unjust enrichment and restitution arising out of fines and assessments levied by Visa in the wake of a massive data theft against the retailer.  Genesco Inc. v. Visa USA Inc., et al., case no. 3:13-cv-00202 (MD TN July 18, 2013).

The retailer, Genesco Inc. (Genesco), operates more than 2,400 retail stores throughout the US and internationally, selling hats and footwear under various names including Journeys, Lids and Johnston & Murphy. Visa Inc. (Visa), through its principal subsidiary in the US, operates a retail electronic payments network to facilitate payment to financial institutions and businesses for consumer credit and debit card purchases.

Financial institutions that participate in Visa’s system sign licensing agreements as “issuers” and/or “acquirers” of Visa credit and/or debit cards. Wells Fargo Bank and Fifth Third Bank were Genesco’s acquiring banks. Genesco’s agreements with those banks required Genesco to comply with Visa’s International Operating Regulations (VIOR) and the Payment Card Industry Data Security Standards (PCI DSS). The PCI DSS establish data security standards for companies that process, store, or handle card data. In its contracts with its acquiring banks, Genesco agreed to indemnify them for all fees, assessments and penalties imposed on them by Visa.

From December 2009 to December 2010, hackers accessed Genesco’s computer network, using packet-sniffing malware that captured unencrypted credit card data at the point of sale (POS) as the data was being transmitted to Wells Fargo and Fifth Third for authorization. After the breach was discovered, Visa claimed that every card processed by Genesco over a one-year period was compromised. Visa assessed fines of $13.3 million. As required by its contracts, Genesco indemnified Wells Fargo and Fifth Third for that amount. Genesco then sued Visa for recoupment under theories of breach of contract, unjust enrichment, and violation of the California UCL. Genesco obtained an assignment from Wells Fargo of all rights/claims Wells Fargo had as to Visa.

In its complaint, Genesco claimed that it never actually violated the PCI DSS standards because the standards did not require the POS data to be encrypted when transmitted for authorization, and that Visa had not shown that the fine reflected compensation for any actual harm caused by the breach.  Genesco alleged that the forensic evidence demonstrated that no accounts had been compromised by the cyber attack.  The fine, therefore, was alleged to be contrary to VIOR and a legally unenforceable penalty.

In response to the complaint, Visa filed a partial motion to dismiss, arguing that Genesco did not adequately plead fraud in connection with the UCL and common law claims; that Genesco could not rely on Visa’s contracts with the banks to assert a UCL claim; that Genesco, which was not a party to the contracts with Visa, could not seek restitution pursuant to those contracts; and that the contracts precluded Genesco’s common law claims for equitable relief. Genesco countered that Visa’s breaches of its contracts with the banks can state claims under the UCL, that it adequately pled fraud in connection with the UCL, and that restitution is available to Genesco because the funds for the unlawful fines and assessments against the banks are traceable to Genesco, which was the source of the payments to Visa.

The court denied Visa’s motion in its entirety. The court held that “claims based on contracts of commercial entities where breaches of such contract violate public policy or harm competition or consumers” are actionable under California’s UCL. “Here, Genesco asserts claims that Visa’s fines and assessments against the banks that Genesco actually paid, lacked a factual basis and were contrary to Visa’s agreements with the banks and were contrary to the forensic evidence about the effects of the cyber attack on Genesco’s computer system. Genesco asserts that these fines are also penalties that are unenforceable as a matter of California law. Moreover, Visa’s alleged imposition of more than $13 million … in fines and assessments, without a factual basis and in violation of Visa’s standards, impacts retail transactions involving consumers, retail merchants and other banks and implicate the fairness in the credit and debit card markets.” Therefore, “Visa’s contracts and VIOR create a structure or ‘environment’ that could be found to be harmful to competition at the merchant level and establish unfairness in the market for credit and debit transactions of which merchants and consumers are key players.” The court also noted that a “direct relationship with the defendant is not necessary for a UCL claim so long as the Plaintiff suffered an injury or loss of funds due to the Defendant’s practice.” The court therefore concluded that Genesco’s UCL and common law claims under California law were actionable.