Jetro Holdings, LLC v. MasterCard Intl., Inc.

2018 NY Slip Op 7418

• Court: Appellate Division of the Supreme Court of the State of New York
• Decided: November 7, 2018
• Docket: 2016-05407
• Status: Published

Opinion

Jetro Holdings, LLC v MasterCard Intl., Inc. (2018 NY Slip Op 07418)

Jetro Holdings, LLC v MasterCard Intl., Inc.

2018 NY Slip Op 07418

Decided on November 7, 2018

Appellate Division, Second Department

Published by New York State Law Reporting Bureau pursuant to Judiciary Law § 431.

This opinion is uncorrected and subject to revision before publication in the Official Reports.

Decided on November 7, 2018 SUPREME COURT OF THE STATE OF NEW YORK Appellate Division, Second Judicial Department
RUTH C. BALKIN, J.P.
SANDRA L. SGROI
ROBERT J. MILLER
FRANCESCA E. CONNOLLY, JJ.

2016-05407
(Index No. 60374/15)

[*1]Jetro Holdings, LLC, appellant,

v

MasterCard International, Inc., respondent, et al., defendant.

Bleakley Platt & Schmidt, LLP, White Plains, NY (William P. Harrington and Douglas H. Meal of counsel), for appellant.

Golenbock, Eiseman Assor Bell & Peskoe, LLP, New York, NY (Martin S. Hyman and Matthew C. Daly of counsel), for respondent.

DECISION & ORDER

In an action, inter alia, to recover damages for breach of contract, the plaintiff appeals from an order of the Supreme Court, Westchester County (Alan D. Scheinkman, J.), dated May 3, 2016. The order, insofar as appealed from, granted that branch of the motion of the defendant MasterCard International, Inc., which was pursuant to CPLR 3211(a)(7) to dismiss the complaint insofar as asserted against it.

ORDERED that the order is affirmed insofar as appealed from, with costs.

This appeal involves a dispute between the plaintiff Jetro Holdings, LLC (hereinafter Jetro), a wholesaler of products and supplies for retail grocery stores and restaurants, and MasterCard International, Inc. (hereinafter MasterCard). Jetro accepted MasterCard purchases by its customers and was a party to a contract with PNC Bank (hereinafter PNC). PNC acted as an "acquirer" that facilitated those MasterCard purchases.

Jetro did not have a direct contract with MasterCard. The complaint states that the contract between PNC and MasterCard incorporated the MasterCard "Rules," "Security Rules and Procedures," and "Account Data Compromise User Guide" (hereinafter collectively the "Standards"). The Standards provided, inter alia, that all agreements between an acquirer (such as PNC) and a merchant (such as Jetro) "must comply with the Standards," and that such contracts could not include any term that conflicted with any of the Standards. The Standards provided that an acquirer was required to ensure that the merchants with which it dealt complied with cyber-security protocols known as the Payment Card Industry Data Security Standards (hereinafter PCI DSS).

The Standards provided that, in the event of a computer data breach involving the potential exposure of MasterCard data at a merchant served by PNC, the relevant credit card issuing banks would be authorized to recover from MasterCard a portion of their losses, characterized as Account Data Compromise Fraud Recovery and Account Data Compromise Operational Reimbursement.

The Standards provided that an acquirer, such as PNC, would be potentially liable to MasterCard for a data security breach or "Account Data Compromise Event" (hereinafter ADC Event), defined as an "occurrence that results, directly or indirectly, in the unauthorized access to or disclosure of MasterCard account data." The complaint asserts that where an ADC Event occurs, an acquirer will be liable to MasterCard only where "a violation of the PCI DSS by the acquirer allowed the ADC Event to occur."

The complaint sets forth the following allegations: In its contract with PNC, Jetro agreed to abide by the Standards. In that contract, Jetro also agreed to generally indemnify PNC for fees assessed by MasterCard for data security incidents. The contract provided that Jetro "agree[d] to pay [PNC] any fines imposed on [PNC] by any Association resulting from Chargebacks and any other fees or fines imposed by an Association with respect to acts or omissions of [Jetro]." Jetro "agree[d] to indemnify and hold [PNC] harmless from and against all losses, liabilities, damages and expenses (including attorneys' fees and collection costs) resulting from any breach of any warranty, covenant or agreement or any misrepresentation by [Jetro] under this Agreement, or arising out of any gross negligence or willful misconduct of [Jetro] or its employees, in connection with [Jetro's] Card transactions or otherwise arising from [Jetro's] provision of goods and services to Cardholders." Jetro also agreed to "indemnify and hold [PNC] harmless from and against all losses, liabilities, damages and expenses (including attorneys' fees and collection costs) resulting from [Jetro's] failure to comply with [MasterCard, Visa and other payment card association] Rules, and in particular [MasterCard] data security Rules."

The complaint further sets forth that, in 2011 and 2012, Jetro was the target of two separate computer hacking incidents, in which third parties stole or attempted to steal MasterCard credit card information from the Jetro computer systems. In connection with these two hacking incidents, MasterCard imposed upon PNC certain assessments. Those assessments were denominated as 2011 and 2012 "Case Management Fee[s]," "ADC [Account Data Compromise] Assessment[s]," and ADC "Operational Reimbursement[s]." The total assessments were approximately $3,325,614 for 2011, and $3,336,276 for 2012. The complaint further alleges that, pursuant to the MasterCard-PNC contract, MasterCard withheld those sums, totaling nearly $7 million, from payments otherwise due to PNC. In turn, pursuant to the indemnification clause in the Jetro-PNC contract, PNC withheld those sums from payments that were due to Jetro.

Jetro alleges that the imposition of the subject assessments violated the terms of the MasterCard-PNC contract. According to the complaint, the assessments violated the Standards because MasterCard had not shown that Jetro suffered a theft of cardholder data for each of the subject credit card accounts, that each of those accounts had been used to effect a transaction that qualified for reimbursement to the issuer, nor that operating expenses, as defined by the agreement, had been incurred as a result.

Jetro alleges that the subject assessments constituted unlawful penalties, as MasterCard "purport[e]d to reserve total unfettered discretion unto itself in determining, in calculating the amount of, and in deciding whether or not to collect" such assessments. The complaint further asserts that the ability to impose assessments was not necessarily related to actual losses to credit card issuers, and for that reason, the assessment provision did not constitute an enforceable liquidated damages clause.

As is relevant here, the complaint sets forth causes of action alleging breach of contract as to the 2011 case management fee (first cause of action), the 2011 ADC assessment (second cause of action), the 2012 case management fee (sixth cause of action), and the 2012 ADC assessment (seventh cause of action). The complaint also asserts causes of action for recovery under an unjust enrichment theory as to the 2011 and 2012 case management fees and ADC assessment (fourth and ninth causes of action).

MasterCard moved, inter alia, pursuant to CPLR 3211(a)(7) to dismiss the complaint insofar as asserted against it for failure to state a cause of action. The Supreme Court granted that branch of the motion, and Jetro appeals.

As the Supreme Court correctly determined, Jetro is not in privity of contract with MasterCard, and Jetro does not rely on a third-party beneficiary theory. Thus, the causes of action alleging breach of contract and breach of the implied duty of good faith and fair dealing are based on a theory of equitable subrogation.

Pursuant to the doctrine of equitable subrogation, where the " property of one person is used in discharging an obligation owed by another or a lien upon the property of another, under such circumstances that the other would be unjustly enriched by the retention of the benefit thus conferred, the former is entitled to be subrogated to the position of the obligee or lien-holder'" (King v Pelkofski, 20 NY2d 326, 333, quoting Restatement of Restitution § 162; see Lucia v Goldman, 145 AD3d 767, 769; Harris v Thompson, 117 AD3d 791, 793; Cashel v Cashel, 94 AD3d 684, 688).

Here, Jetro's indemnification obligation, set forth in its contract with PNC, was based on Jetro's own "acts or omissions" relating to a data breach incident. The indemnification clause in the PNC-Jetro contract is broader than the obligation of PNC toward MasterCard with respect to data breaches. According to the complaint, the PNC-Jetro contract obligated Jetro to indemnify PNC for any penalties imposed by MasterCard, "even in cases when MasterCard violated the Standards or otherwise violated the law by imposing the assessment[s] in question." In light of these contractual provisions, even accepting the allegations of the complaint as true (see Leon v Martinez, 84 NY2d 83, 87), in undertaking to indemnify PNC, Jetro satisfied its separate and distinct obligation to PNC, and it is not equitably subrogated to the rights of PNC as against MasterCard (see Broadway Houston Mack Dev., LLC v Kohl, 71 AD3d 937, 937-938; Dezer Props. II, LLC v Kaye Ins. Assoc., Inc., 38 AD3d 213; Federal Ins. Co. v Spectrum Ins. Brokerage Servs., 304 AD2d 316, 317; Pathe Exch., Inc. v Bray Pictures Corp., 231 App Div 465; see also Federal Ins. Co. v North Am. Specialty Ins. Co., 47 AD3d 52, 62; cf. Hamlet at Willow Cr. Dev. Co., LLC v Northeast Land Dev. Corp., 64 AD3d 85). Therefore, we agree with the Supreme Court's determination granting that branch of MasterCard's motion which was to dismiss the causes of action alleging breach of contract and breach of the implied duty of good faith and fair dealing.

We also agree with the Supreme Court's determination granting that branch of MasterCard's motion which was to dismiss the causes of action to recover based on theories of money had and received, and unjust enrichment insofar as asserted against it. "The essential elements of a cause of action for money had and received are (1) the defendant received money belonging to the plaintiff, (2) the defendant benefitted from receipt of the money, and (3) under principles of equity and good conscience, the defendant should not be permitted to keep the money" (Goel v Ramachandran, 111 AD3d 783, 790; see Litvinoff v Wright, 150 AD3d 714, 716; Lebovits v Bassman, 120 AD3d 1198). " The elements of a cause of action to recover for unjust enrichment are (1) the defendant was enriched, (2) at the plaintiff's expense, and (3) that it is against equity and good conscience to permit the defendant to retain what is sought to be recovered'" (Travelsavers Enters., Inc. v Analog Analytics, Inc., 149 AD3d 1003, 1006, quoting GFRE, Inc. v U.S. Bank, N.A., 130 AD3d 569, 570; see Wallace v BSD-M Realty, LLC, 142 AD3d 701, 704).

Here, the subject penalties were collected or retained by MasterCard pursuant to its contract with PNC, which then sought indemnification from Jetro pursuant to PNC's separate contract with Jetro. We agree with the Supreme Court that the exercise by MasterCard of its purported contractual rights against PNC was independent of the determination by PNC to enforce its indemnification rights against Jetro. Therefore, it cannot be said that MasterCard unjustly benefitted from its action, or that it would be inequitable to allow it to retain the subject funds (see IDT Corp. v Morgan Stanley Dean Witter & Co., 12 NY3d 132, 142; see also Georgia Malone & Co., Inc. v Rieder, 19 NY3d 511, 516).

BALKIN, J.P., SGROI, MILLER and CONNOLLY, JJ., concur.

ENTER: Aprilanne Agostino Clerk of the Court