Spec’s Liquor Not Responsible For Data Breach


Cybersecurity is something that is top of mind for many businesses in today’s technology-centric world. Without proper security measures in place, the private information of many consumers, employees, and even employers can be put at risk. When data breaches like this do occur, it’s important to know who could be held responsible.

Texas-based liquor retailer Spec’s has been involved in a legal battle over a data breach that occurred in 2012 and 2013. The breach resulted in Spec’s suing its acquirer, First Data’s First Data Merchant Services unit, after malware was found on Spec’s payment system that compromised about 550,000 cards, according to court filings and press reports. Now, the United States Court of Appeals for the Sixth Circuit has found Spec’s cannot be held responsible for the breach.

In Spec’s Family Partners Ltd. v. First Data Merchant Services LLC, Case Numbers 17-5884 and 17-5950, in the U.S. Court of Appeals for the Sixth Circuit, the Sixth Circuit unanimously affirmed the lower court’s summary judgment in favor of Spec’s. This came after a three-judge appellate panel rejected First Data Merchant Services LLC’s argument that two provisions of the parties’ Merchant Agreement left Spec’s liable for the costs major credit card brands and their associated banks passed on to First Data after the cyber-attacks that hit the liquor retailer several years ago.

U.S. Circuit Judge Deborah L. Cook wrote for the panel, “[T]he dispute between the parties boils down to whether the card brand assessments passed down to First Data constituted consequential damages, thus exempting Spec’s from liability.”

Spec’s sued First Data after the payment
 processor began to withhold the proceeds of routine payment card transactions, placing them in a reserve account. This was after the merchant refused to reimburse First Data for the millions of dollars Visa and MasterCard paid to compensate defrauded cardholders and replace cards impacted by the Spec’s breaches.

First Data had argued that Spec’s retained liability for the assessments under the Merchant Agreement’s indemnification clause as well as under the portion of the contract that covered third-party fees and charges.

Texas Cybersecurity Attorneys

At MehaffyWeber, our cybersecurity attorneys understand how information flows through the businesses of our clients. Our lawyers have extensive underlying subject matter experience in technology, banking and finance, healthcare, and all facets of civil litigation. In addition, many of our lawyers have hands-on business experience that informs our strategic advice on topics including privacy, cybersecurity, data breach, and records management. If your business needs assistance with a cybersecurity claim, we can help. Contact us today for more information.