Clothing Retailer Genesco Sues Visa Over $13.3 Million in Data Breach Levies

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

Clothing marketer Genesco Inc. followed through on its promises to shareholders and March 7 filed a federal court complaint against Visa Inc. over its assessment of nearly $13.3 million in data security noncompliance fines and costs related to a 2010 hacking data breach of the company (Genesco Inc. v. Visa Inc., M.D. Tenn., No. 3:13-cv-00202, complaint filed 3/7/13).

The complaint filed in the U.S. District Court for the Middle District of Tennessee asserted breach of contract, breach of implied covenant of good faith and fair dealing, and unjust enrichment tort claims, as well as a California unfair business practices statutory claim, Cal. Bus. & Prof. Code § 17200, against Visa over what it alleges are the “invalid” imposition of fines and fraud recovery costs on the banks it used to process transactions. The banks in turn passed in the assessments to Genesco pursuant to its contracts with the banks.

The fines were assessed over Genesco's alleged failure to comply with the Payment Card Industry Data Security Standard (PCI DSS). The self-regulatory PCI DSS, which was established by Visa, MasterCard Inc., and American Express Inc., requires companies handling card transactions to maintain certain data security measures or face fines and/or the cut-off of their ability to process cards.

Genesco's extensive public complaint detailed--at least from the company plaintiff's perspective--the largely hidden process by which the card companies assess and collect fines.

Genesco Hacking Breach

On Dec. 10, 2010, Genesco, a Nashville, Tenn.-based marketer of footwear, headwear, and accessories, notified customers in a letter and filed a Form 8-K with the Securities and Exchange Commission stating that it had discovered “a criminal intrusion into the portion of its computer network that processes payment card transactions.” The company said it had notified law enforcement authorities and the major card brands of the breach.

Form 8-K filings are required when publicly traded companies face “unscheduled material events or corporate changes,” according to the SEC.

In a Jan. 15, Form 8-K filing with the SEC, Genesco said that it intended to sue major credit card companies over the fines and assessments (12 PVLR 140, 1/28/13).

According to the complaint, Genesco was in compliance with PCI DSS but the hackers that captured payment card data exploited a weakness in the standard.

PCI DSS at the time of the breach allowed companies to transmit unencrypted customer payment card data during the payment authorization process, the complaint said. The hackers captured the data during that authorization process, Genesco asserted.

Douglas Meal, Matthew P. Thomas, and Seth Harrington of Ropes & Gray in Boston, and Overton Thompson III and Wendee M. Hilderbrand of Bass, Berry & Sims, in Nashville, Tenn., filed the complaint on behalf of Genesco.

Full text of the 49-page complaint is available at