PAYMENTECH, L.L.C.; JPMorgan Chase Bank, N.A., Plaintiffs—Appellees/Cross-Appellants, v.
LANDRY'S INCORPORATED, Defendant—Appellant/Cross-Appellee, v. Visa, Incorporated; Mastercard International, Incorporated, Third Party Defendants—Appellees.
A major data breach compromised sensitive consumer information on thousands of credit cards. In this appeal, we address who must pay for the cleanup. Beginning in 2014, hackers compromised credit card data at multiple businesses owned by Landry's Inc. (“Landry's”). Many of those cards belonged to Visa and Mastercard. In response, Visa and Mastercard imposed over twenty million dollars in assessments on JPMorgan Chase and its subsidiary Paymentech (collectively, “Chase”), who were responsible for securely processing card purchases at Landry's properties. Chase then sued Landry's for indemnification, and Landry's impleaded Visa and Mastercard.
The district court dismissed Landry's third-party complaints against Visa and Mastercard and granted summary judgment for Chase, finding that Landry's had a contractual obligation to indemnify Chase. Landry's now argues that it should not have to indemnify Chase because the assessments are not an enforceable form of liquidated damages. Even if they are, Landry's contends that summary judgment was improper because fact disputes remain about its contractual duty to indemnify. Finally, Landry's argues that it should be able to recoup any liability to Chase from Visa and Mastercard, who wrongly imposed the assessments in the first place. We disagree on all counts. We therefore affirm and remand solely for the district court to determine whether Chase should receive prejudgment interest.
First, some background on the credit and debit card system. Sitting atop the system are companies like Visa and Mastercard (“Payment Brands”), which operate networks that facilitate card transactions. The intermediaries in the system are banks, which act in two capacities. As “issuers,” banks issue cards to consumers. As “acquirers,” banks give merchants access to the Payment Brands' networks by processing card payments. See Pulse Network, L.L.C. v. Visa, Inc., 30 F.4th 480, 484–86 (5th Cir. 2022) (describing same structure in context of a debit network market).
The system involves various contractual relationships. The Payment Brands contract with both issuers and acquirers. Acquirers, in turn, contract with merchants. Importantly, the Payment Brands have no direct contractual relationship with merchants; they contract only with a merchant's acquirer. Nor do acquirers and issuers contract with one another; they are connected only indirectly via their respective contracts with the Payment Brands. This diagram from one of the parties' briefs helpfully sketches these relationships:
Visa and Mastercard each have rules governing this interlocking system—the “Visa Core Rules” and the Mastercard “Standards.” (We refer to them together as the “Rules”). The Rules are incorporated into the Payment Brands' contracts with acquirers and issuers and into the acquirers' contracts with merchants. The upshot is that the Rules bind every party to the payment processing system—merchants, acquirers, issuers, and the Payment Brands themselves.
Three features of the Rules are important here. First, the Rules require acquirers and merchants to follow industry-wide security protocols to protect card data. Most prominent are the Payment Card Industry Data Security Standards (“PCI DSS”), which require measures to protect cardholder data and apply to “any network component, server or application that is included in, or connected to, the cardholder data environment.”1
Second, the Rules require responsive measures when an entity discovers a potential data breach. For example, they provide for an industry-approved forensic investigator to investigate any suspected breach.2 Investigators must make findings about whether the potentially compromised entity complied with the security protocols.
Third, and most relevant here, the Rules impose loss-shifting schemes that effectively make acquirers compensate issuers impacted by data breaches. Such breaches impose significant costs on issuers—they must reimburse cardholders for fraudulent charges, notify affected customers, replace compromised cards, and monitor at-risk accounts. The Rules allow the Payment Brands to impose “assessments” on parties who cause such harms by failing to comply with security protocols. The Payment Brands then distribute the assessments to impacted issuers.
Visa and Mastercard's loss-shifting programs—respectively, the Global Compromised Account Recovery (“GCAR”) program and the Account Data Compromise (“ADC”) program—operate similarly. Both give the Payment Brand the sole right to determine whether a breach qualifies for assessments, and, if it does, whether to impose them. Notably, both programs hold acquirers responsible for their merchant's conduct. But the programs do not determine whether a merchant must indemnify an acquirer for assessments—that risk allocation depends on the merchant-acquirer contract. Finally, both programs allow an internal appeal to the Payment Brand regarding any assessments.
While these loss-shifting rules are designed to compensate issuers, they also include some benefits for acquirers. GCAR caps acquirers' total liability exposure and allows Visa to impose alternatives if assessments would prove catastrophic. ADC allows Mastercard to reduce or eliminate assessments based on various mitigating factors. In sum, the GCAR and ADC programs make each Payment Brand an arbiter of sorts, balancing the competing interests of acquirers and issuers in the aftermath of a data breach.
With this background in mind, we turn to the facts.
Landry's is a multi-billion-dollar company that operates restaurants, hotels, and casinos throughout the United States. Landry's contracted with JPMorgan Chase, through its subsidiary Paymentech, to be its acquirer and process card purchases made at Landry's properties. The contract (“Merchant Agreement”) required Landry's to comply with all applicable Payment Brand rules and data security standards, including its cooperation with any forensic investigation required by a Payment Brand in the event of a breach. Finally, the Merchant Agreement required Landry's to indemnify Chase for any assessments levied on Chase due to Landry's lack of compliance with security protocols or the compromise of cardholder data.
From May 2014 to December 2015, Landry's suffered a data breach. Hackers installed malware in some of Landry's payment processing systems that lifted sensitive customer data from cards. Landry's reported the breach and hired Mandiant, a Payment Brands-approved forensic investigation firm. Mandiant released its findings in a February 2016 report (“Mandiant Report”), concluding that there was “evidence[ ] the cardholder data environment was breached” and that approximately 180,000 Visa and Mastercard-branded cards had been exposed. Mandiant attributed the breach to Landry's lack of compliance with the PCI DSS.3
In 2017, Visa and Mastercard each determined pursuant to their separate contracts with Chase that the breach justified imposing assessments on Chase, as Landry's acquirer. Visa levied approximately $12.5 million in assessments; Mastercard approximately $10.5 million. Chase exercised its right to appeal the assessments and presented arguments provided by Landry's. While Visa upheld its assessments, Mastercard reduced its levy by approximately $3 million.
Chase then sued Landry's, demanding indemnification against the assessments. Landry's impleaded the Payment Brands, challenging the assessments' validity and seeking to recover from them in the event it was held liable to Chase. Landry's third-party complaints included claims against the Payment Brands as Chase's equitable subrogee as well as claims in Landry's own right. The district court dismissed the third-party complaints in their entirety under Federal Rule of Civil Procedure 12(b)(6), reasoning that Landry's lacked standing to challenge Chase's contracts with the Payment Brands.
Landry's then moved for summary judgment against Chase, arguing the assessments were legally unenforceable. The district court denied the motion, finding the assessments reasonably compensated the harm caused by the breach. Chase subsequently moved for partial summary judgment on its indemnification claim, and Landry's countered by moving to strike the Mandiant Report. The district court denied Landry's motion and granted summary judgment for Chase. It reasoned that the Mandiant Report was admissible because it was akin to an auditor's report, not expert testimony, and that Chase was contractually entitled to indemnification because it had shown that Landry's violated the data security guidelines.
Landry's now appeals both the dismissal of its third-party complaints against the Payment Brands and the summary judgment granted to Chase. Chase cross-appeals, asking us to reform the judgment to include prejudgment interest, which the district court did not grant.
We review both a summary judgment and a Rule 12(b)(6) dismissal de novo. Davidson v. Fairchild Controls Corp., 882 F.3d 180, 184 (5th Cir. 2018); Ruiz v. Brennan, 851 F.3d 464, 468 (5th Cir. 2017).
Landry's raises three arguments on appeal. First, it argues summary judgment should have been granted in its favor because the Payment Brands' assessments on Chase were unenforceable. Second, in the alternative, Landry's argues summary judgment was improper because there is a fact dispute over whether it breached any security protocols. Finally, even if it is liable to Chase, Landry's argues it can at least maintain its suits against the Payment Brands to recoup what it had to pay Chase. We address each argument in turn.
Landry's first argues the assessments on Chase were not valid liquidated damages under applicable state laws. All agree New York law governs Chase's contract with Mastercard and California law governs Chase's contract with Visa. The premise of Landry's argument is that liquidated damages must estimate damages only to the nonbreaching party, not to a third party. Landry's claims the assessments do not estimate the Payment Brands' damages for two reasons. First, the assessments are meant to compensate third-party issuers for their breach-related damages. Second, the Payment Brands are not obligated to pay the issuers' damages, so their discretionary distribution of assessments to issuers cannot represent “damages” to the Payment Brands. Because the assessments are unenforceable, the argument continues, Chase had no obligation to pay but did so anyway. So, any duty by Landry's to indemnify Chase was extinguished by the common law voluntary payment rule. See generally BMG Direct Mktg., Inc. v. Peake, 178 S.W.3d 763, 768 (Tex. 2005) (discussing voluntary payment rule).
California and New York law treat liquidated damages similarly. Both presume the validity of liquidated damages in commercial contracts unless the challenging party shows otherwise. See Cal. Civ. Code § 1671(b); JMD Holding Corp. v. Cong. Fin. Corp., 4 N.Y.3d 373, 795 N.Y.S.2d 502, 828 N.E.2d 604, 609 (2005). Both also maintain the traditional distinction between liquidated damages, which are enforceable, and penalties, which are not. Under both states' laws, the key question is whether the amount of contractual damages is proportionate to the harm the parties could have reasonably foreseen would flow from a breach. See, e.g., Ridgley v. Topa Thrift & Loan Ass'n, 17 Cal.4th 970, 73 Cal.Rptr.2d 378, 953 P.2d 484, 488 (1998); Truck Rent-A-Ctr., Inc. v. Puritan Farms 2nd, Inc., 41 N.Y.2d 420, 393 N.Y.S.2d 365, 361 N.E.2d 1015, 1018 (1977).
Landry's tries to marshal California and New York authorities to support its argument that a liquidated damages provision may legally compensate only the nonbreaching party to the contract. But none of the cases Landry's cites teaches that lesson. Landry's thus fails to overcome the assessments' presumptive validity under state law.
Landry's first relies on the California Supreme Court's 1998 decision in Ridgley v. Topa Thrift & Loan Association. Landry's zeroes in on the court's statement that assessments are unenforceable penalties when they “bear[ ] no reasonable relationship to the range of actual damages that the parties could have anticipated would flow from a breach.” Ridgley, 73 Cal.Rptr.2d 378, 953 P.2d at 488 (Landry's emphasis). But Landry's overreads that statement. One could just as easily read the quoted language to allow the contracting parties to anticipate damages to third parties.4 More to the point, Ridgley did not involve a third party at all and so the court had no occasion to opine on the distinct question of third-party damages before us.
Landry's other California authorities fare no better. For instance, Bondanza v. Peninsula Hospital and Medical Center involved a different standard for enforceability than the one here. 23 Cal.3d 260, 152 Cal.Rptr. 446, 590 P.2d 22, 25–26 (1979). The liquidated damages provision there was in a consumer rather than a commercial contract, thus requiring the enforcing defendant to prove “it would be impracticable or extremely difficult to fix the actual damage.” Id. 152 Cal.Rptr. 446, 590 P.2d at 25 (quoting Cal. Civ. Code § 1671). The court refused to enforce the provision because the parties had agreed only that liquidated damages would be “reasonable,” and the defendant did not try to show it would be hard to fix actual damages. Id. 152 Cal.Rptr. 446, 590 P.2d at 25–26. The fact that the liquidated damages, if enforced, would have ultimately flowed to a third party played no role in the court's analysis. See ibid.
Landry's also fails to support its argument with any New York authorities. For instance, in Aetna Casualty and Surety Company v. Aniero Concrete Company, Inc., 404 F.3d 566, 567 (2d Cir. 2005) (per curiam), the court (applying New York law) declined to enforce the liquidated damages provision because it held the underlying contract “was invalid due to an unsatisfied express condition precedent.” So, all claims predicated on the nullified contract necessarily failed. See id. at 601–02. The involvement of a third party was immaterial.
Finally, Landry's cites Dyer Brothers Golden West Iron Works v. Central Iron Works for its one-sentence explication of a 1908 New York case that refused to enforce liquidated damages that flowed to a third party. 182 Cal. 588, 189 P. 445, 447 (1920) (discussing McCord v. Thompson-Starrett Co., 129 A.D. 130, 113 N.Y.S. 385 (1908)). But in summarizing that case, the Dyer Brothers court highlighted the key feature that separates it from our facts: the provision was unenforceable because “the money was not to be apportioned among the parties to the contract ․ but was the property of the [third-party] association created by the contract, which, as such, could suffer no pecuniary loss from the violation of the agreement.” Id. at 447 (emphasis added). The problem was not the involvement of a third party per se, but rather that the third-party association was incapable of suffering damages. So, the purported liquidated damages were “in fact given to secure penalties for non-compliance with the [contract].” McCord, 113 N.Y.S. at 386. Here, by contrast, Landry's does not deny that the issuers suffered damages responding to the data breach.
In sum, Landry's does not provide, nor have we found, any relevant state authority barring parties in commercial contracts from tying liquidated damages to the anticipated harm to a third party. Landry's has therefore not rebutted the assessments' presumptive validity. See Cal. Civ. Code § 1671(b); JMD Holding Corp., 795 N.Y.S.2d 502, 828 N.E.2d at 609.
But even if Landry's legal premise were correct, there is still a problem: Landry's is mistaken that the assessments do not estimate the Payment Brands' own losses. True, the assessments compensate issuers for their breach-related losses. But the assessments also reflect the Payment Brands' damages because the Payment Brands are contractually obliged to pay any assessments they collect to issuers.5 That is an independent reason why Landry's claims must fail.
Landry's contends the assessments cannot be liabilities because the Payment Brands impose and distribute assessments as a matter of discretion, not contractual obligation. A voluntary payment, Landry's says, is not a liability. We disagree. Landry's conflates the Payment Brands' front-end discretion to impose assessments with their back-end obligation to distribute the assessments they collect.
It is true, as Landry's emphasizes, that the Payment Brands have considerable discretion at the start of the assessment process. The Visa Core Rules reserve Visa's authority to decide whether to impose assessments and in what amount based on the GCAR criteria.6 Mastercard retains similar authority under its rules.7 This discretion cannot be second-guessed by the issuers or the liable acquirers.
But once the Payment Brands decide to levy assessments, their discretion ends: any assessments they collect belong to the issuers. Under the ADC program, for instance, Mastercard “has no obligation to disburse an amount in excess of the amount that MasterCard actually and finally collects from the responsible Customer.” By clear implication, Mastercard must disburse what it does collect. Similarly, Visa provides that “issuer recoveries are limited to the amount, if any, that Visa collects from the Compromised Entity's acquirer(s).” Moreover, the GCAR and ADC programs include rules governing the timing and manner of the assessments' distribution. Visa's, for example, provide that “[i]ssuers are credited approximately 30 calendar days after Visa has collected the liability funds from the acquirer(s).” These later stages of the assessment process do not include the same discretionary language that marks the beginning. In short, contrary to Landry's assertions, the Payment Brands do not have free rein over the assessments. Once assessments have been collected, they are contractually obligated to distribute them to issuers.8
During the litigation, the Payment Brands confirmed this is the right way to read the contracts. Visa's brief concedes it “must reimburse issuers for any losses recovered through the GCAR program.” Visa Br. at 37. Mastercard's counsel did the same at oral argument, explaining “the distribution of the assessments is provided for in the rules, and that's part of the agreement between Mastercard and its banks.”9 Visa's counsel also explained that Visa's discretion regarding assessments is “built in on the front end before the assessment is levied.”10 These representations confirm what the contracts say.
Because the Payment Brands are liable to issuers for any collected assessments, Landry's argument fails on its own terms: the assessments reflect the Payment Brands' own liabilities, not only harm to issuers. So, even assuming state law requires liquidated damages to estimate harm to the nonbreaching party alone, the Payment Brands' own liability to the issuers would satisfy that standard. Either way, the assessments are enforceable.
Alternatively, Landry's argues summary judgment for Chase was improper because genuine disputes remain over whether Landry's had a duty to indemnify. The district court granted summary judgment for Chase after finding that the Mandiant Report showed Landry's violated security protocols, triggering Landry's obligation to indemnify Chase against the resulting assessments. We agree with the district court, albeit on different grounds.
The Merchant Agreement, which is governed by Texas law, contains the following indemnification provision:
You [Landry's] understand that your failure to comply with the Payment Brand Rules, including the Security Guidelines, or the compromise of any Payment Instrument Information, may result in assessments, fines, and/or penalties by the Payment Brands, and you agree to indemnify and reimburse us [Chase] immediately for any such assessment, fine, or penalty imposed on [Chase].
Landry's argues this clause requires Chase to prove that Landry's violated the Security Guidelines or that card data was compromised—it is not enough that the Payment Brands imposed assessments. Landry's further argues that Chase cannot show either condition occurred because the Mandiant Report was not competent summary judgment evidence. Chase counters that Landry's duty arose when the Payment Brands imposed assessments after making their own determination that Landry's violated the Security Guidelines. At bottom, the parties disagree over who decides whether Landry's violated the Security Guidelines: the Payment Brands or a court.
We favor Chase's interpretation for several reasons. First, it comes within the natural reading of the text. The Merchant Agreement requires Landry's to indemnify Chase for “any such assessment[s],” referring to assessments “by the Payment Brands” that “result” from “failure to comply with the Payment Brand Rules ․ or the compromise of any Payment Instrument Information.” Here, the Payment Brands levied assessments because they found the breach was caused by Landry's noncompliance with the PCI DSS. For instance, Visa's letter to Chase announcing the assessments documented its investigation into intrusions at 14 different Landry's properties. For each, Visa found “conclusive evidence” of a breach, which it attributed to Landry's noncompliance with the PCI DSS. Landry's may dispute Chase's ability to independently prove the Payment Brands' conclusions on this record, but it is within the text of the clause that the assessments were imposed “by the Payment Brands” as a “result” of Landry's “failure to comply with the Payment Brand Rules.”
Furthermore, the Merchant Agreement incorporates the Payment Brand Rules, which give the Payment Brands the right to determine whether someone violated them. The agreement provides that “[t]he Payment Brand Rules ․ are made a part of this Agreement for all purposes,” and it requires Landry's to “comply with ․ all Payment Brand Rules as may be applicable to you[.]” The rules make the Payment Brands the arbiters of their assessment programs. Mastercard “has the sole authority to interpret and enforce the Standards,” and its “determinations with respect to the occurrence of and responsibility for [data breaches] are conclusive.” Visa's Core Rules likewise reserve the “authority and discretion to determine ․ estimated [assessment] amounts, Issuer eligibility, and Acquirer liability under the GCAR program.”13 Landry's understood how the GCAR and ADC programs worked when it entered the contract. So, it cannot complain now that those programs give the Payment Brands the authority to determine who violated the security protocols.
This conclusion is reinforced by two final textual clues. Landry's duty to indemnify arises “immediately” for covered assessments. And, elsewhere in the Merchant Agreement, Landry's agrees that “adjustments, fees, charges, fines, assessments, penalties, and all other liabilities are due and payable by [Landry's] when [Chase] receive[s] notice thereof from the Payment Brands or otherwise pursuant to Section 4 herein.”14 Tying an immediate obligation to the Payment Brands' mere provision of notice further supports the conclusion that the parties intended the Payment Brands to be the arbiters with respect to assessments. The Payment Brands, after all, oversee an elaborate system to investigate data breaches and adjudicate the propriety of assessments.
Accordingly, summary judgment for Chase was proper. This is so regardless of the competency or the findings of the Mandiant Report. The Payment Brands imposed assessments on Chase after determining that Landry's caused the breach through noncompliance with the PCI DSS, and that is sufficient under the Merchant Agreement. Landry's and Chase are sophisticated parties familiar with the loss-shifting inherent in the GCAR and ADC programs, so we will not disturb the allocation of risk adopted by the parties themselves.
Because Landry's is liable to Chase, the question becomes whether Landry's can pursue its third-party complaints to recoup its liability from the Payment Brands. Landry's brought six claims against each Payment Brand, four as Chase's equitable subrogee—that is, standing in Chase's shoes and asserting Chase's rights—and two as “direct” claims “in its own right.”15 The district court properly dismissed these claims, both subrogated and direct, because Landry's lacks standing.
We begin with the subrogated claims. As a threshold matter, the parties dispute whether Texas or New York law governs Landry's subrogation rights. We need not decide this question because Landry's claims fail under both.
Equitable subrogation is the doctrine by which a party, after having paid the losses of another party, obtains that party's rights and remedies against the third party that caused the loss. See Gen. Star Indem. Co. v. Vesta Fire Ins. Corp., 173 F.3d 946, 949 (5th Cir. 1999) (applying Texas law); Winkelmann v. Excelsior Ins. Co., 85 N.Y.2d 577, 626 N.Y.S.2d 994, 650 N.E.2d 841, 843 (1995). The doctrine's paradigmatic application is in the insurance context. See Frymire Eng'g Co. ex rel. Liberty Mut. Ins. Co. v. Jomar Int'l, Ltd., 259 S.W.3d 140, 142 (Tex. 2008). For instance, “in the typical example of subrogation, an insurer attempts to recoup covered medical expenses from the tortfeasor who caused the insured's injuries and need for treatment in the first place.” Aetna Health Plans v. Hanover Ins. Co., 27 N.Y.3d 577, 36 N.Y.S.3d 431, 56 N.E.3d 213, 218 (2016) (Stein, J., concurring). Subrogation thus allows the subrogee to “stand[ ] in the shoes” of an injured party and recover from the wrongdoer who is culpable for the loss. Cont'l Cas. Co. v. N. Am. Capacity Ins. Co., 683 F.3d 79, 85 (5th Cir. 2012) (citation omitted); see also Millennium Holdings LLC v. Glidden Co., 27 N.Y.3d 406, 33 N.Y.S.3d 846, 53 N.E.3d 723, 728 (2016); Fasso v. Doerr, 12 N.Y.3d 80, 875 N.Y.S.2d 846, 903 N.E.2d 1167, 1170 (2009).
Landry's compares itself to an insurer, arguing that if it must indemnify Chase, then it should be able “to recover the losses that Chase sustained by reason of the wrongful conduct of the Payment Brands.” The wrongful conduct Landry's alleges for all its subrogated claims is the Payment Brands' levying of “illegal assessments” on Chase.16
Landry's analogy falls short for one overarching reason: Landry's paid its own debt, not the Payment Brands' debt. As discussed, equitable subrogation exists to prevent an innocent party from having to bear a loss attributable to a wrongdoing third party. See Md. Cas. Co. v. W.R. Grace & Co., 218 F.3d 204, 211 (2d Cir. 2000). It follows from that principle that subrogation is a “remedy not given to one who merely pays his own debt.” Pathe Exch. v. Bray Pictures Corp., 231 A.D. 465, 247 N.Y.S. 476, 481 (1931); Smart v. Tower Land & Inv. Co., 597 S.W.2d 333, 337 (Tex. 1980) (equitable subrogation is for “one who pays a debt owed by another”); Mid-Continent Ins. Co. v. Liberty Mut. Ins., 236 S.W.3d 765, 776 (Tex.2007). As explained below, Landry's debt is its own, not that of the Payment Brands, because the assessments stem from Landry's own conduct—namely, its failure to abide by the PCI DSS as it promised to do in the Merchant Agreement.
To support this conclusion, the Payment Brands correctly point to Jetro Holdings, LLC v. MasterCard International, 166 A.D.3d 594, 88 N.Y.S.3d 193 (2018), which held that a merchant obligated to indemnify its acquirer could not challenge Mastercard's assessments as the acquirer's subrogee. Id. at 196. The court found that the merchant's (Jetro) contract with PNC, its acquirer, constituted a “separate and distinct obligation to PNC” that precluded subrogation. Ibid. In other words, the contract made Jetro's indemnification of PNC its own debt. The court noted two pertinent aspects of that contract. First, it noted that Jetro had agreed to indemnify PNC for assessments that resulted from its own “acts or omissions,” such as failing to comply with data security rules. See id. at 195–96. Second, it observed that Jetro was required to indemnify PNC even if Mastercard illegally imposed assessments. Id. at 196. Thus, Jetro's obligation to PNC was “broader” than PNC's obligation to Mastercard. Ibid.
As in Jetro, the Merchant Agreement tied Landry's indemnification obligation to Landry's own acts or omissions, so the assessments constitute Landry's own debt. The agreement provided that Landry's would indemnify Chase for assessments resulting from “failure to comply with the Payment Brand Rules, including the Security Guidelines.” Unlike an insurer who passively becomes responsible for a loss caused by someone else, the agreement made Landry's responsible only for assessments resulting from its own conduct. The resulting “debt” is therefore attributable to Landry's, not the Payment Brands. See ibid.17
Landry's tries to distinguish Jetro because the second contractual feature there is not present here. Landry's denies that it must indemnify Chase even for illegal assessments, and thus it argues that its obligation to Chase is not broader than Chase's obligation to the Payment Brands, as was the case in Jetro. But even accepting this difference, Jetro remains apposite. We read Jetro as identifying two independently sufficient bases for finding Jetro's obligation separate and distinct. Both features, in other words, were standalone reasons for making the assessments attributable to Jetro. Nothing in the opinion suggests both features were logically necessary to the outcome. Thus, since Landry's indemnification obligation stems from its own acts or omissions under the Merchant Agreement, the debt is its own.18
Landry's direct claims for unjust enrichment and deceptive business practices remain. Their dismissal was also proper because these claims were, as a practical matter, also subrogated claims. They therefore fail for the same reason given above.
We evaluate pleadings based on substance, not labels. Gaudet v. United States, 517 F.2d 1034, 1035 (5th Cir. 1975) (per curiam); Armstrong v. Capshaw, Goss & Bowers, LLP, 404 F.3d 933, 936 (5th Cir. 2005). While Landry's styled these claims as “direct” and made “in [Landry's] own right,” they require litigating Chase's contractual relationships with the Payment Brands just as the subrogated claims do. Landry's alleged the Payment Brands were “unjustly enriched” by “imposing [assessments] on [Chase] ․ without any contractual or lawful basis for doing so.” Likewise, Landry's alleged for its deceptive business practices claims that the assessments were “invalid” under the Payment Brand Rules and “applicable law” and therefore the Payment Brands' “imposition and collection of the [assessments] was an unlawful business practice.” Because these claims turn on the assessments' enforceability under Chase's contracts with the Payment Brands, they are functionally the same as the subrogated claims. Since Landry's cannot challenge the Payment Brands over those contracts as Chase's subrogee, it cannot do so through a change in labeling.19
Because we rule for Chase, we must address its cross-appeal for prejudgment interest. The district court did not act on Chase's request for prejudgment interest and thus implicitly denied it. See Manuel v. Turner Indus. Grp., L.L.C., 905 F.3d 859, 868 (5th Cir. 2018). Chase now asks us to reform the judgment to include prejudgment interest, while Landry's argues we should remand.
We decline to reform the judgment. While prejudgment interest is usually awarded “as a matter of course” under Texas law, the district court may exercise its discretion to reduce or deny it if “exceptional circumstances” exist. Executone Info. Sys., Inc. v. Davis, 26 F.3d 1314, 1330 (5th Cir. 1994) (citation omitted). Because the court must explain those circumstances, “[i]f the district court denies prejudgment interest without explanation, our appropriate course is to remand the issue so that the court may either explain the exceptional circumstances ․ or award interest at the appropriate rate.” Ibid.; see also Meaux Surface Prot., Inc. v. Fogleman, 607 F.3d 161, 172–73 (5th Cir. 2010); Concorde Limousines, Inc. v. Moloney Coachbuilders, Inc., 835 F.2d 541, 549–50 (5th Cir. 1987). We do so here.20
The district court's judgment is AFFIRMED. The case is REMANDED solely to allow the district court to determine whether Chase should receive prejudgment interest.
1. The PCI DSS are promulgated by the PCI Security Standards Council, a body created by multiple electronic payment processing companies to help bring uniformity to the industry's data security practices.
2. Mastercard mandates hiring a forensic investigator, while Visa has discretion to mandate hiring one.
3. Specifically, the report found that Landry's did not require two-factor authentication to remotely access its corporate network, thus allowing the hackers to “move laterally” into the card data environment, and that Landry's had used a shared local administrator password that had not been regularly updated to access accounts connected to card data. The hackers exploited these weaknesses to “spread malware across a significant portion of [Landry's] properties” and “harvest cardholder data” as it was being processed during the transaction process.
4. That reading of Ridgley would be consistent with the California Supreme Court's previous observation that liquidated damages need only reasonably estimate “fair average compensation for any loss that may be sustained.” Garrett v. Coast & S. Fed. Sav. & Loan Ass'n, 9 Cal.3d 731, 108 Cal.Rptr. 845, 511 P.2d 1197, 1202 (1973) (emphasis added).
5. The Payment Brands ultimately retain no portion of the assessments except a management fee to cover the cost of operating the GCAR and ADC programs.
6. As the Visa Core Rules put it, “Visa has authority and discretion to determine ․ estimated Counterfeit Fraud Recovery and Operating Expense Recovery amounts ․ in accordance with the Visa Global Compromised Account Recovery (GCAR) Guide and the available information regarding each event.”
7. “MasterCard reserves the right to determine which ADC Events will be eligible for ADC operation reimbursement and/or ADC fraud recovery․ MasterCard may determine the responsible Customer's financial responsibility with respect to an ADC Event.”
8. We are not the first court to reach this conclusion. Recently, a Texas court of appeals, applying California law, upheld Visa's GCAR program against a similar challenge. Visa Inc. v. Sally Beauty Holdings, Inc., 651 S.W.3d 278 (Tex. App.—Fort Worth 2021, pet. filed). The court recognized that Visa was contractually obligated to reimburse issuers for their damages “condition[ed] ․ on Visa's successful imposition and collection of the GCAR assessment.” Id. at 286–87 & n.14; see also id. at 296 n.39 (noting that “[a]lthough Visa's liability is contingent on Visa's ability to collect the calculated assessment from the responsible acquirers, it nonetheless exists” (cleaned up)).
9. Oral Argument at 33:00, Paymentech v. Landry's (No. 21-20447), https://www.ca5.uscourts.gov/OralArgRecordings/21/21-20447_12-5-2022.mp3.
10. Id. at 38:35.
11. The Merchant Agreement defines ‘Payment Brand Rules’ as “the bylaws, rules, and regulations, as they exist from time to time, of the Payment Brands.”
12. As relevant here, the Merchant Agreement defines ‘Security Guidelines’ to include the PCI DSS.
13. Because an acquirer cannot be liable under GCAR program without it or its merchant violating required security protocols such as the PCI DSS, the Visa Core Rules necessarily reserve the authority to make determinations about compliance.
14. Section 4 provides Chase with various options for collecting funds owed by Landry's.
15. The claims differed materially between each Payment Brand only with respect to which state's laws they were brought under.
16. Landry's first cause of action was for breach of contract, alleging the assessments were “not authorized” by the GCAR/ADC programs and “unenforceable under applicable law.” The second was for breach of the covenant of good faith and fair dealing, likewise alleging that Visa's assessments were “not authorized by the Visa Rules and GCAR Guide or applicable law” and that Mastercard's assessments “w[ere] not authorized by the Standards or applicable law.” The third cause of action alleged that the Payment Brands were “unjustly enriched” because they imposed assessments “without any contractual or lawful basis for so doing.” The fourth and final cause of action was for deceptive business practices. It alleged the Payment Brands deceived Chase by imposing assessments that were “invalid under ․ applicable law.” All of Landry's subrogated claims thus turn on the enforceability of the assessments.
17. In other words, this is not a case in which the Payment Brands as wrongdoers “in equity and good conscience should have [ ] discharged” the debt. See Bank of Am. v. Babu, 340 S.W.3d 917, 925 (Tex. App.—Dallas 2011, pet. denied) (quoting Murray v. Cadle Co., 257 S.W.3d 291, 299 (Tex. App.—Dallas 2008, pet. denied)).
18. Additionally, we note that equitable subrogation is not a matter of right but arises through equity based on the facts and circumstances of the case. Murray, 257 S.W.3d at 300; Costello on Behalf of Stark v. Geiser, 85 N.Y.2d 103, 109, 623 N.Y.S.2d 753, 647 N.E.2d 1261 (1995). Since Landry's has already had an opportunity to litigate the validity of the assessments in its action against Chase, it is no injustice to say that it cannot try again against new defendants.
19. Landry's argues that the district court did not address these claims and so we must reverse at least as to them. Even if that were so, we may affirm for any reason supported by the record, United States v. Gonzalez, 592 F.3d 675, 681 (5th Cir. 2009), and the record cleanly presents this issue.
20. Chase's primary authority is distinguishable. See Farmland Indus., Inc. v. Andrews Transp. Co., 888 F.2d 1066 (5th Cir. 1989). There, the district court had already awarded prejudgment interest, but both parties agreed that it applied an incorrect interest rate. Id. at 1068.
Stuart Kyle Duncan, Circuit Judge:
Was this helpful?