Searching over 5,500,000 cases.


searching
Buy This Entire Record For $7.95

Download the entire decision to receive the complete text, official citation,
docket number, dissents and concurrences, and footnotes for this case.

Learn more about what you receive with purchase of this case.

SOVEREIGN BANK v. BJ'S WHOLESALE CLUB

October 18, 2005.

SOVEREIGN BANK, Plaintiff
v.
BJ'S WHOLESALE CLUB, INC., FIFTH THIRD BANKCORP. Defendants.



The opinion of the court was delivered by: WILLIAM CALDWELL, Senior District Judge

MEMORANDUM

I. Introduction.

This case stems from a breach of the computer system used by defendant, BJ's Wholesale Club, Inc., a wholesale club retailer. The system was hacked and bank-card numbers were stolen, allegedly because the computer program BJ's used to process card transactions improperly retained card numbers rather than merely keep them in the system only for the seconds required to validate the transaction.

  Some of the numbers stolen belonged to customers of plaintiff, Sovereign Bank. Sovereign filed this lawsuit seeking damages, mainly for the cost of issuing new credit cards to replace the ones that had been compromised by the theft and for the cost of reimbursing those card holders who had suffered unauthorized charges to their accounts. Sovereign participates in the system operated by Visa USA Inc., so the cards were Visa cards.

  The case was filed in state court against BJ's and Fifth Third Bank Corp., an affiliate of Fifth Third Bank, the bank that processes card transactions for BJ's.*fn1 It was removed here on the basis of diversity jurisdiction. 28 U.S.C. §§ 1332(a) and 1441(a). The complaint has six counts. The two defendants have each been sued for breach of contract, negligence and indemnity.*fn2

  The defendants have filed separate motions to dismiss under Fed.R.Civ.P. 12(b)(6), arguing that none of the claims states a valid cause of action. BJ's motion argues as follows. First, Sovereign has no breach-of-contract claim against it because Sovereign is not a party to BJ's contract with Fifth Third, the contract at issue, and it is also not a third-party beneficiary of that contract either, because of a specific exclusion in the contract of third parties as beneficiaries. Second, Sovereign has no negligence claim because it bases that claim on BJ's breach of alleged contractual duties, and Pennsylvania's "gist of the action" doctrine bars a negligence claim that merely restates a breach-of-contract claim, even when that breach-of-contract claim is itself invalid. Additionally, the negligence claim fails on the causation element because any damages Sovereign incurred were caused by the criminal actions of those who broke into BJ's computer system, not BJ's negligence. Further, Sovereign has alleged only economic losses, and such losses are barred from recovery in a negligence claim by the economic loss doctrine. Third, the indemnity claim fails because Sovereign cannot show that its liability to its cardholders is secondary to BJ's liability, a necessary element of a noncontractual indemnity claim.

  In its motion, Fifth Third argues as follows. First, Sovereign has no breach-of-contract claim against it because Sovereign is not a third-party beneficiary of Fifth Third's contract with Visa, the basis of the contract claim against Fifth Third. Second, Sovereign has no negligence claim because Sovereign cannot rely upon a breach of duty arising from alleged contractual obligations to establish a breach of the duty of reasonable cause in a negligence claim. Also, under the economic loss doctrine Sovereign cannot seek recovery in negligence without physical harm to person or property. Third, the indemnity claim fails because: (1) Sovereign is entitled to indemnity only if Fifth Third committed a tort against the cardholders, and it committed no tort; (2) Sovereign is entitled to indemnity only if its cardholders suffered a loss, but they did not do so because federal law imposes the loss for the unauthorized charges on Sovereign and excuses the cardholders; (3) Sovereign cannot be secondarily liable to Fifth Third because Sovereign accuses Fifth Third of failing to detect the defect in BJ's computer system, a theory of secondary liability itself; and (4) Sovereign cannot be secondarily liable because both contractual obligations and federal law make Sovereign primarily liable for the fraudulent transactions.

  II. Standard of Review.

  In considering Defendants' motions to dismiss, we must accept as true the factual allegations in the complaint and construe any inferences to be drawn from them in Plaintiff's favor. See Mariana v. Fisher, 338 F.3d 189, 195 (3d Cir. 2003). We may dismiss a complaint under Fed.R.Civ.P. 12(b)(6) only if it is clear that no relief could be granted to Plaintiff under "any set of facts that could be proven consistent with the allegations." Ramadan v. Chase Manhattan Corp., 229 F.3d 194, 195 (3d Cir. 2000). The court is not limited to evaluating the complaint alone; it can also consider documents attached to the complaint, matters of public record, and other documents that are indisputably authentic. Pension Ben. Guar. Corp. v. White Consol. Indus., 998 F.2d 1192, 1196 (3d Cir. 1993). The court may also consider "documents whose contents are alleged in the complaint and whose authenticity no party questions," even though they "are not physically attached to the pleading. . . ." Pryor v. Nat'l Collegiate Athletic Ass'n, 288 F.3d 548, 560 (3d Cir. 2002).

  III. Background.

  The complaint alleges the following. Sovereign is a federal savings and loan association with its principal place of business in Wyomissing, Pennsylvania. (Doc. 2, Attach. 1, Compl. ¶ 1.) Visa is a "membership association" owned and controlled by its members. (Id. ¶¶ 6 and 8.) An "issuing member" issues Visa cards to cardholders; the relationship is contractual. (Id. ¶ 10.) An "acquiring member" enters into contracts with "merchants," (id. ¶ 11), to process card transactions at the retail end. For the purposes of the lawsuit, Sovereign is an issuing bank and Fifth Third an acquiring bank. (Id. ¶¶ 13 and 14.) A "merchant" allows cardholders to access the Visa payment system by using their Visa cards to pay for the goods or services the merchant offers. (Id. ¶ 12.)

  Fifth Third and BJ's have contracted by way of two merchant agreements. One governs the processing of debit-card transactions (Doc. 3, BJ's Ex. A) and the other credit-card transactions. (Id., BJ's Ex. B.) Both contain the following language, quoting in pertinent part from paragraph 16 of each agreement: "This agreement is for the benefit of, and may be enforced only by, Bank and Merchant and their respective successors and permitted transferees and assignees, and is not for the benefit of, and may not be enforced by, any third party." Both agreements also have a choice-of-law provision, requiring them to be "governed, construed and enforced" under Ohio law. (Id., Exs. A and B, ¶ 23.)

  A bank card contains account information on the cardholder in a magnetic stripe on the back of the card. (Compl. ¶¶ 19 and 20.) To complete a transaction, the merchant often runs the card through a magnetic-stripe terminal, which acquires the cardholder information and sends it to the issuing bank. (Id. ¶ 19.) The issuing bank then reviews the information and if everything is valid, approves the transaction. (Id. ¶ 20.) The merchant then completes the transaction with the cardholder. (Id. ¶ 21.)

  Visa has extensive by-laws and operating regulations. (Id. ¶ 7.) To become a member, a financial institution must agree to abide by the operating regulations. (Id. ¶ 16.) The operating regulations require an acquiring bank to compel its merchants to abide by the operating regulations. (Id. ¶ 59.) The operating regulations prohibit a merchant from storing or retaining cardholder information. (Id. ¶¶ 22, 51 and 60.)

  Sovereign cardholders used their Visa cards at BJ's, and BJ's retained the cardholders' information after Sovereign had approved the transactions, contrary to the operating regulations. (Id. ¶¶ 24 and 25.) Thereafter, third parties obtained the cardholder information to make unauthorized purchases. (Id. ¶ 27.) Sovereign paid for the fraudulent transactions and incurred other damages: the expense of issuing new cards, the loss of fees and commissions while the cards were being replaced, and loss of good will. (Id. ¶¶ 30 and 32.)

  The first two counts of the complaint are negligence claims, count I against BJ's and count II against Fifth Third. In count I, Sovereign alleges that "BJ's had a duty to exercise reasonable care in deleting or erasing cardholder information after a transaction had been approved and/or safeguard such information," (id. ¶ 34), breached that duty by failing to delete the information promptly after Sovereign had approved the transaction, (id. ¶ 37), and that as a result, the cardholder information was stolen, causing damage to Sovereign. (Id. ¶¶ 39 and 40.)

  In count II, Sovereign alleges that "Fifth Third had a duty to exercise reasonable care in monitoring how BJ's processed transactions so as to ensure that BJ's complied with its duties to delete or erase Cardholder Information after a transaction had been approved and/or safeguard such information to prevent the unauthorized possession and/or misuse of the information" (id. ¶ 42), that it breached this duty by failing to adequately monitor BJ's (id. ¶¶ 43 and 44), and that as a result, the cardholder information was stolen, causing damage to Sovereign. (Id. ¶¶ 46 and 47.)

  The next two counts are contract claims, count III against BJ's and count IV against Fifth Third. In count III, Sovereign alleges that it is a third-party beneficiary of BJ's merchant agreement with Fifth Third, that BJ's breached the agreement by failing to comply with the operating regulations requiring it not to retain or store cardholder information, and thereby damaged Sovereign. (Id. ¶¶ 50-56.)

  In count IV, Sovereign alleges that it is a third-party beneficiary of the member agreement Fifth Third has with Visa, that Fifth Third breached the agreement by failing to insure that BJ's complied with the operating regulations requiring it not to retain or store cardholder information, and thereby damaged Sovereign. (Id. ¶¶ 58-65.)

  The final two counts are for equitable indemnification, count V against BJ's and count VI against Fifth Third. In both counts, Sovereign alleges that it was "obligated to reimburse its Cardholders for losses" they suffered from the fraudulent use of their cardholder information, that "Sovereign did not actively participate in the events that led to the fraudulent use," that BJ's and Fifth Third did participate, and hence as between Sovereign and the two defendants, the defendants must indemnify Sovereign for its losses. (Id. ¶¶ 67-71 and 73-77.)

  IV. Discussion.

  A. BJ's Motion to Dismiss.

  1. Breach-of-Contract Claim.

  Acknowledging that it has no contract with BJ's, Plaintiff asserts its contract claim as a third-party beneficiary of the contracts between BJ's and Fifth Third.*fn3 BJ's credit- and debit-card contracts with Fifth Third require BJ's to comply with Visa regulations. Relevant here is the Visa regulation prohibiting a merchant from storing or retaining cardholder information, a regulation Sovereign alleges that BJ's failed to comply with when it stored and retained cardholder information.

  In moving to dismiss, BJ's argues that Sovereign has no contract claim against it because its contracts with Fifth Third specifically exclude third parties as beneficiaries of the agreements. As the relevant provisions read: "This agreement is for the benefit of, and may be enforced only by, Bank and Merchant and their respective successors and permitted transferees and assignees, and is not for the benefit of, and may not be enforced by, any third party." BJ's argues that Ohio law rejects third-party-beneficiary claims when such a contractual exclusion is present, citing Hill v. Sonitrol of Southwestern Ohio Inc., 521 N.E.2d 780 (Ohio 1988); CMC Elec. Co. v. J.D. Williamson Constr. Co., 1999 WL 1073685 (Ohio App. 1999); and Matheny v. Ohio Bancorp., 1994 WL 738734 (Ohio App. 1994).*fn4

  We agree with this argument. Hill is not directly on point but is relevant because it adopted the Restatement (Second) of Contracts § 302 (1981) as the law of Ohio for determining who qualifies as a third-party beneficiary of a contract. 521 N.E.2d at 784. While section 302 contemplates that a nonsignatory to a contract can be an intended beneficiary if certain conditions are met, it recognizes the right of the contracting parties to exclude third parties from invoking the benefits of their agreement. It begins "[u]nless otherwise agreed between promisor and promisee, a beneficiary of a promise is an intended beneficiary if recognition of a right to performance in the beneficiary is appropriate to effectuate the intentions of the parties and . . ." Restatement § 302(1). In the instant case, the promisor (BJ's) and the promisee (Fifth Third) "otherwise agreed." They included in their contracts a paragraph specifically providing that the contracts were not for the benefit of, and not intended to be enforced, by any third party. Hence, Plaintiff is not a third-party beneficiary of the contracts between BJ's and Fifth Third and cannot bring a breach-of-contract claim for BJ's alleged failure to follow the Visa regulations. See Matheny, supra, 1994 WL 738734, at *5 ("Section 302 of the Restatement clearly provides that one who might otherwise satisfy the definitional elements of an intended third-party beneficiary will not be treated under the law as such when it is "otherwise agreed between promisor and promisee."). In addition to Matheny and CMC Elec. Co., supra, 1999 WL 1073685, at *2, the other nonprecedential opinion from the Ohio Court of Appeals, other courts have also concluded that a third party cannot sue on a contract that affirmatively excludes third parties from the contract's benefits. See India.Com, Inc. v. Dalal, 412 F.3d 315, 321-22 (2d Cir. 2005) (New York law); Riscorp, Inc. v. Norman, ___ So.2d ___, ___, 2005 WL 628832, at *8 (Ala. 2005); Hrushka v. State, 381 A.2d 326, 327 (N.H. 1977); Cities Service Co. v. Gulf Oil Corp., 797 P.2d 1009, 1011-12 (Okla.Civ.App. 1990) (collecting cases and noting that contractual exclusion of third-party beneficiaries is the majority rule); Villanova, Ltd. v. Convergys, 2001 WL 868662, at *2 (E.D. Pa. 2001) (interpreting Pennsylvania law); In re Gulf Oil/Cities Service Tender Offer Litigation, 725 F. Supp. 712, 731 (S.D.N.Y. 1989) (Delaware law); Gannon v. Baldt Anchor and Chain, 459 F. Supp. 457, 459 (E.D. Pa. 1978) (interpreting Pennsylvania law).

  Plaintiff has cited three cases where the courts have not enforced an exclusion of third-party rights, but they are distinguishable. In State Farm Mut. Auto. Ins. Co. v. HHS Assocs., Inc., 1995 WL 739703 (E.D. Pa.), plaintiff State Farm, the buyer of real property, sued the defendant seller and a second defendant, an environmental-assessment company. The claim against the latter defendant was that it had breached a contract between itself and the seller by failing to accurately assess the environmental damage to the property. The court allowed the contract claim to proceed in the face of the exclusion, but in the circumstances of the case the only purpose the contract served was to benefit the plaintiff buyer (as also supported by deposition testimony). Additionally, as the court itself came close to acknowledging, its ruling bordered on dictum since the seller had assigned its rights under the contract to plaintiff State Farm in any event. 1995 WL 739703, at *4 n. 2. Here, in contrast, the merchant agreements had not been made for the sole benefit of Sovereign.

  In Twin City Constr. Co. v. ITT Indus. Credit Co., 358 N.W.2d 716 (Minn.App. 1984), the plaintiff construction company, at the behest of the defendant loan company, had given up significant rights as against the owner of the hotel that was being built (basically agreeing to complete construction without any recourse against the owner) so that the owner could obtain a loan from the defendant to complete the hotel. During construction, the defendant made progress payments directly to the plaintiff, but failed to make the last one, leading to the suit. The court ruled that under these circumstances the plaintiff could sue on the loan agreement, despite the exclusion of third-party rights. 358 N.E.2d at 718-19. Here, in contrast, Sovereign was not directly involved in the negotiation of the Visa merchant agreements between BJ's and Fifth Third nor did it surrender significant rights to have those agreements consummated.

  In Verisco, Inc. v. Engineered Fabrics Corp., 520 S.E.2d 505 (Ga.App. 1999), the court ruled that the plaintiff owner of a building could sue the current owner of a roofing-system business for breach of warranty on work performed by the previous owner of the business. The contract for the sale of the assets of the business provided that the buyer would honor warranty claims on roofing products sold before the transfer of the business but excluded third-party rights. The court ruled that the plaintiff could bring its warranty claim as a third-party beneficiary of that contract despite the exclusion, reasoning that the specific provision dealing with the assumption of warranty claims prevailed over the general ...


Buy This Entire Record For $7.95

Download the entire decision to receive the complete text, official citation,
docket number, dissents and concurrences, and footnotes for this case.

Learn more about what you receive with purchase of this case.