Cumis Insurance Society Inc.

• Decision Date: 11 January 2010
• Docket Number: Nos. Civ. 07-374-TUC-CKJ, Civ.,515-JMM.,09-180-TUC-CKJ, 4-06-bk-,s. Civ. 07-374-TUC-CKJ, Civ.
• Citation: 680 F.Supp.2d 1077
• Parties: CUMIS INSURANCE SOCIETY, INC., Plaintiff, v. MERRICK BANK CORPORATION, et al., Defendants. In re: CardSystems Solutions, Inc., Debtor.
• Court: U.S. District Court — District of Arizona

680 F.Supp.2d 1077

CUMIS INSURANCE SOCIETY, INC., Plaintiff,

v.MERRICK BANK CORPORATION, et al., Defendants. In re: CardSystems Solutions, Inc., Debtor.

Nos. Civ. 07-374-TUC-CKJ, Civ.

09-180-TUC-CKJ, 4-06-bk-

515-JMM.

United States District Court,

D. Arizona.

Decided: Jan. 11, 2010.

COPYRIGHT MATERIAL OMITTED

Susan G. Boswell, Quarles & Brady LLP, Tucson, AZ, James J. Regan, Satterlee, Stephens, Burke & Burke, LLP, New York, NY, Michael Russell Davisson, Valerie Diane Rojas, Sedgwick, Detert, Moran & Arnold, LLP, Los Angeles, CA, Nancy J. March, Deconcini, McDonald, Yetwin &amp Lacy, PC, Tucson, AZ, for Plaintiffs.

Lowell E. Rothschild, Mesch, Clark &amp Rothschild, PC, Susan G. Boswell, Quarles & Brady, LLP, Cary Sandman, Waterfall Economidis, Caldwell, Hanshaw & Villamana, PC, Tucson, AZ, Daniel G. Gurfein, Joshua M. Rubins, Mario Aieta, Pamela A. Bosswick, Satterlee, Stephens, Burke & Burke, LLP, New York, NY, Jeremiah D. Kelman, Philip M. Kelly, Steven A. Marenberg, Alison Plessman, Irell & Manella, LLP, Los Angeles, CA, for Defendants.

ORDER

CINDY K. JORGENSON, District Judge.

Pending before the Court is Defendant Merrick Bank Corp.'s Motion for Partial Summary Judgment [Doc. # 137]. A response and a reply have been filed. The parties presented oral argument to the Court on November 2, 2009.

I. Factual and Procedural Background¹

The Second Amended Complaint ("SAC"), Doc. #73, alleges that Cumis Insurance Society, Inc. ("Cumis") is an insurer that provides coverage to credit unions. This dispute involves a data secu- rity breach involving, among others, Merrick Bank Corporation ("Merrick"), Merrick's agent CardSystems Solutions, Inc. ("CardSystems" or "CSSI"), Sawis, Inc. and Sawis Communications Corporation (Sawis Defendants will be collectively referred to as "Sawis").

Merrick acted as an issuing bank, an acquiring bank, and a sponsoring bank in the Visa system. As an issuing bank, Merrick issued Visa credit and debit cards to customers. As an acquiring bank, Merrick contracted with merchants to make payments to merchants as part of the credit card transaction process. The hundreds of thousands of merchants that want to be able to accept Visa and/or MasterCard cards customarily do so through independent sales organizations ("ISOs"), which aggregate many merchants and which contract with acquirers such as Merrick and processors such as CardSystems. As a sponsoring bank, Merrick acted as a sponsor for third—party transaction processors such as CardSystems-which are not members of the Visa/MasterCard card associations ("Associations") and need to be sponsored in order to have access to the Visa/MasterCard systems. Absent such sponsorship by an Association member, a processor cannot function as a processor, or in any other capacity, with respect to Association card transactions.

As a sponsoring bank, Merrick has stated that:

All aspects of the Visa and MasterCard card transaction processes are conducted according to rules and regulations imposed by the Associations. By contractual agreements, both Merrick and CSSI are subject to these rules. Under each Association's broad rules on indemnification, a member bank that sponsors a processor such as CSSI is responsible for the processor's proper performance under the Association rules and undertakes full financial responsibility, irrespective of fault, for all losses or costs incurred by the Association or its members that are attributable to acts or omissions of the sponsored processor. The Association rules also provide for the imposition of penalties or fines on a member for violations of the Association rules by a sponsored third-party processor—whose acts and/or omissions are imputed to the sponsoring member. In addition, in the Visa system, to designate a processor such as CSSI as a sponsored entity, a member must file a signed registration document in which the member explicitly indemnifies Visa for all losses resulting by the sponsored entity's acts or omissions.

PSOF, ¶ 5.

On or about August 2005, Visa announced that an Optional Alternative Compliance Process ("OACP") to resolve claims by issuing banks for reimbursement of their counterfeit fraud losses resulting from the CardSystems security breach was available. Merrick asserts that participation in the Visa OACP was limited to account numbers identified in the specified Visa Compromised Account Management System ("CAMS") alerts.² Merrick also asserts that smaller credit unions were not given the opportunity to participate in the OACP, except through a BIN sponsor.³Instead of issuing banks processing their claims through the standard compliance process, the issuing banks could select the alternative process in which reimbursement to issuing banks would be for a claim amount calculated by Visa. In calculating each issuing banks' claim amount in the OACP, Visa only considered counterfeit fraud losses reported by issuing banks through August 31, 2005. In the OACP, Visa notified the issuing banks of the amount they were entitled to recover through the OACP—there were no negotiations between Visa and the issuing banks concerning that amount. Additionally, there were no negotiations between Visa and the issuing banks concerning the terms of the Issuer Certification and Release of Liability ("Issuer Certification") an issuing bank was required to execute before receiving payment for its losses. Merrick asserts that the Issuer Certification includes the following:

By signing this form and receiving payment from the Acquirer in the amount determined by Visa to be compensable under this claim as specified on the Issuer Claim Statement, our center hereby releases Visa and the Acquirers who appoint CardSystems Solutions Incorporate as their processors from all magnetic-stripe counterfeit claims, losses, damages and liabilities attributable to this data compromise event.

DSOF, Ex. D.⁴ Without waiving its objections to this assertion, Cumis asserts that the Issuer Certification also includes the following:

Our Center certifies that no chargeback rights exist or have been successfully exercised on any of the disputed transactions for which we are seeking reimbursement through this claim. Our Center certifies that we have not sought and will not seek compensation for any transactions included in this claim through compliance rights in respect of this or any other magnetic stripe data compromise incident.

Id.

The claim amount Visa determined each issuing bank was entitled to receive in the OACP was based upon a calculation created by Visa. This claim amount was always less than the amount of the issuing bank's actual counterfeit losses reported before the August 31, 2005 deadline. If an issuing bank agreed to accept the claim amount calculated by Visa and could support their claims, the issuing banks were required to execute an Issuer Certification. Merrick asserts that the recovery received by issuers participating in the Visa OACP was funded by acquiring banks that sponsored CardSystems; as the majority of the transactions processed by CardSystems were for Merrick, Merrick's pro rata allocation of liability was 70.0706%.⁵ Merrick also asserts that, with respect to the claims currently asserted by Cumis on behalf of its insureds for Visa related damages, at a minimum, 92 of these credit unions participated in the Visa OACP, and the claims asserted on their behalf by Cumis against Merrick, based on currently available information, totals approximately $3,229, 852.12.⁶

Shaughnessy states, inter alia, in his declaration:

... In the Issuer Certification, Visa only intended to prohibit issuing banks from attempting to recover counterfeit losses reported after August 31, 2005 deadline vis-a-vis other remedies within the Visa system (such as chargeback rights and/or appeal rights). Visa did not intend nor did it have any authority to prohibit issuing banks from pursuing recovery of their losses outside the Visa system in court against Merrick and/or CardSystems.

11. It is my understanding that in the OACP, Visa and the issuing banks did not release CardSystems from any liability within the Visa system.

12. In addition, the OACP was not intended to compensate issuing banks for all losses they might suffer as a result of the Security breach. Due to the nature of then emerging fraud patterns, some issuers might not become aware that a counterfeit loss was directly related to an account compromise until after the OACP deadline had passed.

13. Finally, it is my understanding that the amounts and calculations used in the OACP determination to assess payments to issuing banks and acquiring banks that elected to use this expedited VISA claim resolution were not intended to, and did not reflect a determination as to the true and complete amount of any Issuer's actual counterfeit losses, or any acquirer's actual total liability.

Shaughnessey Declaration, ¶¶ 10-13.

On August 24, 2009, Merrick filed a Motion for Partial Summary Judgment. A response and reply have been filed. Evidentiary objections have also been submitted.

On September 23, 2009, Cumis filed a declaration of Valerie D. Rojas ("Rojas") in Support of Cumis's Opposition to Merrick's Motion for Summary Adjudication and Request for a Continuance Pursuant to F.R.C.P. 56(f). See Doc. #144. No response has been filed. During argument, Cumis indicated that it was no longer seeking such a continuance.

II. Request for Continuance

Cumis having indicated that a continuance is no longer being requested, the Court will not continue this matter pursuant to Fed.R.Civ.P. 56(f).

III. Summary Judgment Legal Standard

Summary judgment may be granted if the movant shows "there is no genuine issue as to any material fact and that the moving party is entitled to judgment as a matter of law." Rule 56(c), Federal Rules of Civil Procedure. The moving party has the initial responsibility of informing the court of the basis for its motion, and identifying those portions of "the pleadings,...