Paymentech v. Landry's (2023)


  • Case: 21-20447    Document: 00516653713          Page: 1    Date Filed: 02/23/2023
    United States Court of Appeals
    for the Fifth Circuit
    No. 21-20447
    [Filing stamp: United States Court of Appeals, Fifth Circuit. FILED February 23, 2023. Lyle W. Cayce, Clerk]
    Paymentech, L.L.C.; JPMorgan Chase Bank, N.A.,
    Plaintiffs—Appellees/Cross-Appellants,
    versus
    Landry’s Incorporated,
    Defendant—Appellant/Cross-Appellee,
    versus
    Visa, Incorporated; Mastercard International,
    Incorporated,
    Third Party Defendants—Appellees.
    Appeal from the United States District Court
    for the Southern District of Texas
    USDC No. 4:18-CV-1622
    Before Higginbotham, Duncan, and Engelhardt, Circuit Judges.
    Stuart Kyle Duncan, Circuit Judge:
    A major data breach compromised sensitive consumer information on
    thousands of credit cards. In this appeal, we address who must pay for the
    cleanup. Beginning in 2014, hackers compromised credit card data at
    multiple businesses owned by Landry’s Inc. (“Landry’s”). Many of those
    cards belonged to Visa and Mastercard. In response, Visa and Mastercard
    imposed over twenty million dollars in assessments on JPMorgan Chase and
    its subsidiary Paymentech (collectively, “Chase”), who were responsible for
    securely processing card purchases at Landry’s properties. Chase then sued
    Landry’s for indemnification, and Landry’s impleaded Visa and Mastercard.
    The district court dismissed Landry’s third-party complaints against
    Visa and Mastercard and granted summary judgment for Chase, finding that
    Landry’s had a contractual obligation to indemnify Chase. Landry’s now
    argues that it should not have to indemnify Chase because the assessments
    are not an enforceable form of liquidated damages. Even if they are, Landry’s
    contends that summary judgment was improper because fact disputes remain
    about its contractual duty to indemnify. Finally, Landry’s argues that it
    should be able to recoup any liability to Chase from Visa and Mastercard,
    who wrongly imposed the assessments in the first place. We disagree on all
    counts. We therefore affirm and remand solely for the district court to
    determine whether Chase should receive prejudgment interest.
    I.
    A.
    First, some background on the credit and debit card system. Sitting
    atop the system are companies like Visa and Mastercard (“Payment
    Brands”), which operate networks that facilitate card transactions. The
    intermediaries in the system are banks, which act in two capacities. As
    “issuers,” banks issue cards to consumers. As “acquirers,” banks give
    merchants access to the Payment Brands’ networks by processing card
    payments. See Pulse Network, L.L.C. v. Visa, Inc., 30 F.4th 480, 484–86 (5th
    Cir. 2022) (describing same structure in context of a debit network market).
    The system involves various contractual relationships. The Payment
    Brands contract with both issuers and acquirers. Acquirers, in turn, contract
    with merchants. Importantly, the Payment Brands have no direct contractual
    relationship with merchants; they contract only with a merchant’s acquirer.
    Nor do acquirers and issuers contract with one another; they are connected
    only indirectly via their respective contracts with the Payment Brands. This
    diagram from one of the parties’ briefs helpfully sketches these relationships:
    Visa and Mastercard each have rules governing this interlocking
    system—the “Visa Core Rules” and the Mastercard “Standards.” (We refer
    to them together as the “Rules”). The Rules are incorporated into the
    Payment Brands’ contracts with acquirers and issuers and into the acquirers’
    contracts with merchants. The upshot is that the Rules bind every party to
    the payment processing system—merchants, acquirers, issuers, and the
    Payment Brands themselves.
    Three features of the Rules are important here. First, the Rules
    require acquirers and merchants to follow industry-wide security protocols
    to protect card data. Most prominent are the Payment Card Industry Data
    Security Standards (“PCI DSS”), which require measures to protect
    cardholder data and apply to “any network component, server or application
    that is included in, or connected to, the cardholder data environment.” 1
    Second, the Rules require responsive measures when an entity
    discovers a potential data breach. For example, they provide for an industry-
    approved forensic investigator to investigate any suspected breach. 2
    Investigators must make findings about whether the potentially
    compromised entity complied with the security protocols.
    Third, and most relevant here, the Rules impose loss-shifting schemes
    that effectively make acquirers compensate issuers impacted by data
    breaches. Such breaches impose significant costs on issuers—they must
    reimburse cardholders for fraudulent charges, notify affected customers,
    replace compromised cards, and monitor at-risk accounts. The Rules allow
    the Payment Brands to impose “assessments” on parties who cause such
    harms by failing to comply with security protocols. The Payment Brands then
    distribute the assessments to impacted issuers.
    Visa and Mastercard’s loss-shifting programs—respectively, the
    Global Compromised Account Recovery (“GCAR”) program and the
    Account Data Compromise (“ADC”) program—operate similarly. Both
    give the Payment Brand the sole right to determine whether a breach qualifies
    for assessments, and, if it does, whether to impose them. Notably, both
    programs hold acquirers responsible for their merchant’s conduct. But the
    programs do not determine whether a merchant must indemnify an acquirer
    for assessments—that risk allocation depends on the merchant-acquirer
    [Footnote 1] The PCI DSS are promulgated by the PCI Security Standards Council, a body
    created by multiple electronic payment processing companies to help bring uniformity to
    the industry’s data security practices.
    [Footnote 2] Mastercard mandates hiring a forensic investigator, while Visa has discretion to
    mandate hiring one.
    contract. Finally, both programs allow an internal appeal to the Payment
    Brand regarding any assessments.
    While these loss-shifting rules are designed to compensate issuers,
    they also include some benefits for acquirers. GCAR caps acquirers’ total
    liability exposure and allows Visa to impose alternatives if assessments would
    prove catastrophic. ADC allows Mastercard to reduce or eliminate
    assessments based on various mitigating factors. In sum, the GCAR and ADC
    programs make each Payment Brand an arbiter of sorts, balancing the
    competing interests of acquirers and issuers in the aftermath of a data breach.
    With this background in mind, we turn to the facts.
    B.
    Landry’s is a multi-billion-dollar company that operates restaurants,
    hotels, and casinos throughout the United States. Landry’s contracted with
    JPMorgan Chase, through its subsidiary Paymentech, to be its acquirer and
    process card purchases made at Landry’s properties. The contract
    (“Merchant Agreement”) required Landry’s to comply with all applicable
    Payment Brand rules and data security standards, including its cooperation
    with any forensic investigation required by a Payment Brand in the event of a
    breach. Finally, the Merchant Agreement required Landry’s to indemnify
    Chase for any assessments levied on Chase due to Landry’s lack of
    compliance with security protocols or the compromise of cardholder data.
    From May 2014 to December 2015, Landry’s suffered a data breach.
    Hackers installed malware in some of Landry’s payment processing systems
    that lifted sensitive customer data from cards. Landry’s reported the breach
    and hired Mandiant, a Payment Brands-approved forensic investigation firm.
    Mandiant released its findings in a February 2016 report (“Mandiant
    Report”), concluding that there was “evidence[] the cardholder data
    environment was breached” and that approximately 180,000 Visa and
    Mastercard-branded cards had been exposed. Mandiant attributed the breach
    to Landry’s lack of compliance with the PCI DSS. 3
    In 2017, Visa and Mastercard each determined pursuant to their
    separate contracts with Chase that the breach justified imposing assessments
    on Chase, as Landry’s acquirer. Visa levied approximately $12.5 million in
    assessments; Mastercard approximately $10.5 million. Chase exercised its
    right to appeal the assessments and presented arguments provided by
    Landry’s. While Visa upheld its assessments, Mastercard reduced its levy by
    approximately $3 million.
    Chase then sued Landry’s, demanding indemnification against the
    assessments. Landry’s impleaded the Payment Brands, challenging the
    assessments’ validity and seeking to recover from them in the event it was
    held liable to Chase. Landry’s third-party complaints included claims against
    the Payment Brands as Chase’s equitable subrogee as well as claims in
    Landry’s own right. The district court dismissed the third-party complaints
    in their entirety under Federal Rule of Civil Procedure 12(b)(6), reasoning
    that Landry’s lacked standing to challenge Chase’s contracts with the
    Payment Brands.
    Landry’s then moved for summary judgment against Chase, arguing
    the assessments were legally unenforceable. The district court denied the
    motion, finding the assessments reasonably compensated the harm caused by
    the breach. Chase subsequently moved for partial summary judgment on its
    [Footnote 3] Specifically, the report found that Landry’s did not require two-factor
    authentication to remotely access its corporate network, thus allowing the hackers to
    “move laterally” into the card data environment, and that Landry’s had used a shared local
    administrator password that had not been regularly updated to access accounts connected
    to card data. The hackers exploited these weaknesses to “spread malware across a
    significant portion of [Landry’s] properties” and “harvest cardholder data” as it was being
    processed during the transaction process.
    indemnification claim, and Landry’s countered by moving to strike the
    Mandiant Report. The district court denied Landry’s motion and granted
    summary judgment for Chase. It reasoned that the Mandiant Report was
    admissible because it was akin to an auditor’s report, not expert testimony,
    and that Chase was contractually entitled to indemnification because it had
    shown that Landry’s violated the data security guidelines.
    Landry’s now appeals both the dismissal of its third-party complaints
    against the Payment Brands and the summary judgment granted to Chase.
    Chase cross-appeals, asking us to reform the judgment to include
    prejudgment interest, which the district court did not grant.
    II.
    We review both a summary judgment and a Rule 12(b)(6) dismissal de
    novo. Davidson v. Fairchild Controls Corp., 882 F.3d 180, 184 (5th Cir. 2018);
    Ruiz v. Brennan, 851 F.3d 464, 468 (5th Cir. 2017).
    III.
    Landry’s raises three arguments on appeal. First, it argues summary
    judgment should have been granted in its favor because the Payment Brands’
    assessments on Chase were unenforceable. Second, in the alternative,
    Landry’s argues summary judgment was improper because there is a fact
    dispute over whether it breached any security protocols. Finally, even if it is
    liable to Chase, Landry’s argues it can at least maintain its suits against the
    Payment Brands to recoup what it had to pay Chase. We address each
    argument in turn.
    A.
    Landry’s first argues the assessments on Chase were not valid
    liquidated damages under applicable state laws. All agree New York law
    governs Chase’s contract with Mastercard and California law governs
    Chase’s contract with Visa. The premise of Landry’s argument is that
    liquidated damages must estimate damages only to the nonbreaching party,
    not to a third party. Landry’s claims the assessments do not estimate the
    Payment Brands’ damages for two reasons. First, the assessments are meant
    to compensate third-party issuers for their breach-related damages. Second,
    the Payment Brands are not obligated to pay the issuers’ damages, so their
    discretionary distribution of assessments to issuers cannot represent
    “damages” to the Payment Brands. Because the assessments are
    unenforceable, the argument continues, Chase had no obligation to pay but
    did so anyway. So, any duty by Landry’s to indemnify Chase was
    extinguished by the common law voluntary payment rule. See generally BMG
    Direct Mktg., Inc. v. Peake, 178 S.W.3d 763, 768 (Tex. 2005) (discussing
    voluntary payment rule).
    California and New York law treat liquidated damages similarly. Both
    presume the validity of liquidated damages in commercial contracts unless
    the challenging party shows otherwise. See Cal. Civ. Code § 1671(b);
    JMD Holding Corp. v. Cong. Fin. Corp., 828 N.E.2d 604, 609 (N.Y. 2005).
    Both also maintain the traditional distinction between liquidated damages,
    which are enforceable, and penalties, which are not. Under both states’ laws,
    the key question is whether the amount of contractual damages is
    proportionate to the harm the parties could have reasonably foreseen would
    flow from a breach. See, e.g., Ridgley v. Topa Thrift & Loan Ass’n, 953 P.2d
    484, 488 (Cal. 1998); Truck Rent-A-Ctr., Inc. v. Puritan Farms 2nd, Inc., 361
    N.E.2d 1015, 1018 (N.Y. 1977).
    1.
    Landry’s tries to marshal California and New York authorities to
    support its argument that a liquidated damages provision may legally
    compensate only the nonbreaching party to the contract. But none of the
    cases Landry’s cites teaches that lesson. Landry’s thus fails to overcome the
    assessments’ presumptive validity under state law.
    Landry’s first relies on the California Supreme Court’s 1998 decision
    in Ridgley v. Topa Thrift & Loan Association. Landry’s zeroes in on the court’s
    statement that assessments are unenforceable penalties when they “bear[] no
    reasonable relationship to the range of actual damages that the parties could
    have anticipated would flow from a breach.” Ridgley, 953 P.2d at 488
    (Landry’s emphasis). But Landry’s overreads that statement. One could just
    as easily read the quoted language to allow the contracting parties to
    anticipate damages to third parties. 4 More to the point, Ridgley did not
    involve a third party at all and so the court had no occasion to opine on the
    distinct question of third-party damages before us.
    Landry’s other California authorities fare no better. For instance,
    Bondanza v. Peninsula Hospital and Medical Center involved a different
    standard for enforceability than the one here. 590 P.2d 22, 25–26 (Cal. 1979).
    The liquidated damages provision there was in a consumer rather than a
    commercial contract, thus requiring the enforcing defendant to prove “it
    would be impracticable or extremely difficult to fix the actual damage.” Id. at 25
    (quoting Cal. Civ. Code § 1671). The court refused to enforce the
    provision because the parties had agreed only that liquidated damages would
    be “reasonable,” and the defendant did not try to show it would be hard to
    fix actual damages. Id. at 25–26. The fact that the liquidated damages, if
    enforced, would have ultimately flowed to a third party played no role in the
    court’s analysis. See ibid.
    [Footnote 4] That reading of Ridgley would be consistent with the California Supreme Court’s
    previous observation that liquidated damages need only reasonably estimate “fair average
    compensation for any loss that may be sustained.” Garrett v. Coast & S. Fed. Sav. & Loan
    Ass’n, 511 P.2d 1197, 1202 (Cal. 1973) (emphasis added).
    Landry’s also fails to support its argument with any New York
    authorities. For instance, in Aetna Casualty and Surety Company v. Aniero
    Concrete Company, Inc., 404 F.3d 566, 567 (2d Cir. 2005) (per curiam), the
    court (applying New York law) declined to enforce the liquidated damages
    provision because it held the underlying contract “was invalid due to an
    unsatisfied express condition precedent.” So, all claims predicated on the
    nullified contract necessarily failed. See id. at 601–02. The involvement of a
    third party was immaterial.
    Finally, Landry’s cites Dyer Brothers Golden West Iron Works v. Central
    Iron Works for its one-sentence explication of a 1908 New York case that
    refused to enforce liquidated damages that flowed to a third party. 189 P. 445,
    447 (Cal. 1920) (discussing McCord v. Thompson-Starrett Co., 113 N.Y.S. 385
    (N.Y. App. Div. 1908)). But in summarizing that case, the Dyer Brothers court
    highlighted the key feature that separates it from our facts: the provision was
    unenforceable because “the money was not to be apportioned among the
    parties to the contract . . . but was the property of the [third-party]
    association created by the contract, which, as such, could suffer no pecuniary
    loss from the violation of the agreement.” Id. at 447 (emphasis added). The
    problem was not the involvement of a third party per se, but rather that the
    third-party association was incapable of suffering damages. So, the purported
    liquidated damages were “in fact given to secure penalties for
    non-compliance with the [contract].” McCord, 113 N.Y.S. at 386. Here, by
    contrast, Landry’s does not deny that the issuers suffered damages
    responding to the data breach.
    In sum, Landry’s does not provide, nor have we found, any relevant
    state authority barring parties in commercial contracts from tying liquidated
    damages to the anticipated harm to a third party. Landry’s has therefore not
    rebutted the assessments’ presumptive validity. See Cal. Civ. Code § 1671(b);
    JMD Holding Corp., 828 N.E.2d at 609.
    2.
    But even if Landry’s legal premise were correct, there is still a
    problem: Landry’s is mistaken that the assessments do not estimate the
    Payment Brands’ own losses. True, the assessments compensate issuers for
    their breach-related losses. But the assessments also reflect the Payment
    Brands’ damages because the Payment Brands are contractually obliged to
    pay any assessments they collect to issuers. 5 That is an independent reason
    why Landry’s claims must fail.
    Landry’s contends the assessments cannot be liabilities because the
    Payment Brands impose and distribute assessments as a matter of discretion,
    not contractual obligation. A voluntary payment, Landry’s says, is not a
    liability. We disagree. Landry’s conflates the Payment Brands’ front-end
    discretion to impose assessments with their back-end obligation to distribute
    the assessments they collect.
    It is true, as Landry’s emphasizes, that the Payment Brands have
    considerable discretion at the start of the assessment process. The Visa Core
    Rules reserve Visa’s authority to decide whether to impose assessments and
    in what amount based on the GCAR criteria. 6 Mastercard retains similar
    authority under its rules. 7 This discretion cannot be second-guessed by the
    issuers or the liable acquirers.
    [Footnote 5] The Payment Brands ultimately retain no portion of the assessments except a
    management fee to cover the cost of operating the GCAR and ADC programs.
    [Footnote 6] As the Visa Core Rules put it, “Visa has authority and discretion to
    determine . . . estimated Counterfeit Fraud Recovery and Operating Expense Recovery
    amounts . . . in accordance with the Visa Global Compromised Account Recovery (GCAR)
    Guide and the available information regarding each event.”
    [Footnote 7] “MasterCard reserves the right to determine which ADC Events will be eligible
    for ADC operation reimbursement and/or ADC fraud recovery. . . . MasterCard may
    But once the Payment Brands decide to levy assessments, their
    discretion ends: any assessments they collect belong to the issuers. Under the
    ADC program, for instance, Mastercard “has no obligation to disburse an
    amount in excess of the amount that MasterCard actually and finally collects
    from the responsible Customer.” By clear implication, Mastercard must
    disburse what it does collect. Similarly, Visa provides that “issuer recoveries
    are limited to the amount, if any, that Visa collects from the Compromised
    Entity’s acquirer(s).” Moreover, the GCAR and ADC programs include
    rules governing the timing and manner of the assessments’ distribution.
    Visa’s, for example, provide that “[i]ssuers are credited approximately 30
    calendar days after Visa has collected the liability funds from the
    acquirer(s).” These later stages of the assessment process do not include the
    same discretionary language that marks the beginning. In short, contrary to
    Landry’s assertions, the Payment Brands do not have free rein over the
    assessments. Once assessments have been collected, they are contractually
    obligated to distribute them to issuers. 8
    During the litigation, the Payment Brands confirmed this is the right
    way to read the contracts. Visa’s brief concedes it “must reimburse issuers
    for any losses recovered through the GCAR program.” Visa Br. at 37.
    Mastercard’s counsel did the same at oral argument, explaining “the
    [Footnote 7, continued] determine the responsible Customer’s financial responsibility with respect to an ADC
    Event.”
    [Footnote 8] We are not the first court to reach this conclusion. Recently, a Texas court of
    appeals, applying California law, upheld Visa’s GCAR program against a similar challenge.
    Visa Inc. v. Sally Beauty Holdings, Inc., 651 S.W.3d 278 (Tex. App.—Fort Worth 2021, pet.
    filed). The court recognized that Visa was contractually obligated to reimburse issuers for
    their damages “condition[ed] . . . on Visa’s successful imposition and collection of the
    GCAR assessment.” Id. at 286–87 & n.14; see also id. at 296 n.39 (noting that “[a]lthough
    Visa’s liability is contingent on Visa’s ability to collect the calculated assessment from the
    responsible acquirers, it nonetheless exists” (cleaned up)).
    distribution of the assessments is provided for in the rules, and that’s part of
    the agreement between Mastercard and its banks.” 9 Visa’s counsel also
    explained that Visa’s discretion regarding assessments is “built in on the
    front end before the assessment is levied.” 10 These representations confirm
    what the contracts say.
    Because the Payment Brands are liable to issuers for any collected
    assessments, Landry’s argument fails on its own terms: the assessments
    reflect the Payment Brands’ own liabilities, not only harm to issuers. So, even
    assuming state law requires liquidated damages to estimate harm to the
    nonbreaching party alone, the Payment Brands’ own liability to the issuers
    would satisfy that standard. Either way, the assessments are enforceable.
    B.
    Alternatively, Landry’s argues summary judgment for Chase was
    improper because genuine disputes remain over whether Landry’s had a duty
    to indemnify. The district court granted summary judgment for Chase after
    finding that the Mandiant Report showed Landry’s violated security
    protocols, triggering Landry’s obligation to indemnify Chase against the
    resulting assessments. We agree with the district court, albeit on different
    grounds.
    The Merchant Agreement, which is governed by Texas law, contains
    the following indemnification provision:
    [Footnote 9] Oral Argument at 33:00, Paymentech v. Landry’s (No. 21-20447),
    https://www.ca5.uscourts.gov/OralArgRecordings/21/21-20447_12-5-2022.mp3.
    [Footnote 10] Id. at 38:35.
    You [Landry’s] understand that your failure to comply with the
    Payment Brand Rules,[ 11] including the Security
    Guidelines,[ 12] or the compromise of any Payment Instrument
    Information, may result in assessments, fines, and/or penalties
    by the Payment Brands, and you agree to indemnify and
    reimburse us [Chase] immediately for any such assessment,
    fine, or penalty imposed on [Chase].
    Landry’s argues this clause requires Chase to prove that Landry’s violated
    the Security Guidelines or that card data was compromised—it is not enough
    that the Payment Brands imposed assessments. Landry’s further argues that
    Chase cannot show either condition occurred because the Mandiant Report
    was not competent summary judgment evidence. Chase counters that
    Landry’s duty arose when the Payment Brands imposed assessments after
    making their own determination that Landry’s violated the Security
    Guidelines. At bottom, the parties disagree over who decides whether
    Landry’s violated the Security Guidelines: the Payment Brands or a court.
    We favor Chase’s interpretation for several reasons. First, it comes
    within the natural reading of the text. The Merchant Agreement requires
    Landry’s to indemnify Chase for “any such assessment[s],” referring to
    assessments “by the Payment Brands” that “result” from “failure to comply
    with the Payment Brand Rules . . . or the compromise of any Payment
    Instrument Information.” Here, the Payment Brands levied assessments
    because they found the breach was caused by Landry’s noncompliance with
    the PCI DSS. For instance, Visa’s letter to Chase announcing the
    assessments documented its investigation into intrusions at 14 different
    [Footnote 11] The Merchant Agreement defines ‘Payment Brand Rules’ as “the bylaws, rules,
    and regulations, as they exist from time to time, of the Payment Brands.”
    [Footnote 12] As relevant here, the Merchant Agreement defines ‘Security Guidelines’ to
    include the PCI DSS.
    Landry’s properties. For each, Visa found “conclusive evidence” of a
    breach, which it attributed to Landry’s noncompliance with the PCI DSS.
    Landry’s may dispute Chase’s ability to independently prove the Payment
    Brands’ conclusions on this record, but it is within the text of the clause that
    the assessments were imposed “by the Payment Brands” as a “result” of
    Landry’s “failure to comply with the Payment Brand Rules.”
    Furthermore, the Merchant Agreement incorporates the Payment
    Brand Rules, which give the Payment Brands the right to determine whether
    someone violated them. The agreement provides that “[t]he Payment Brand
    Rules . . . are made a part of this Agreement for all purposes,” and it requires
    Landry’s to “comply with . . . all Payment Brand Rules as may be applicable
    to you[.]” The rules make the Payment Brands the arbiters of their
    assessment programs. Mastercard “has the sole authority to interpret and
    enforce the Standards,” and its “determinations with respect to the
    occurrence of and responsibility for [data breaches] are conclusive.” Visa’s
    Core Rules likewise reserve the “authority and discretion to
    determine . . . estimated [assessment] amounts, Issuer eligibility, and
    Acquirer liability under the GCAR program.” 13 Landry’s understood how
    the GCAR and ADC programs worked when it entered the contract. So, it
    cannot complain now that those programs give the Payment Brands the
    authority to determine who violated the security protocols.
    This conclusion is reinforced by two final textual clues. Landry’s duty
    to indemnify arises “immediately” for covered assessments. And, elsewhere
    in the Merchant Agreement, Landry’s agrees that “adjustments, fees,
    charges, fines, assessments, penalties, and all other liabilities are due and
    [Footnote 13] Because an acquirer cannot be liable under GCAR program without it or its
    merchant violating required security protocols such as the PCI DSS, the Visa Core Rules
    necessarily reserve the authority to make determinations about compliance.
    payable by [Landry’s] when [Chase] receive[s] notice thereof from the Payment
    Brands or otherwise pursuant to Section 4 herein.” 14 Tying an immediate
    obligation to the Payment Brands’ mere provision of notice further supports
    the conclusion that the parties intended the Payment Brands to be the
    arbiters with respect to assessments. The Payment Brands, after all, oversee
    an elaborate system to investigate data breaches and adjudicate the propriety
    of assessments.
    Accordingly, summary judgment for Chase was proper. This is so
    regardless of the competency or the findings of the Mandiant Report. The
    Payment Brands imposed assessments on Chase after determining that
    Landry’s caused the breach through noncompliance with the PCI DSS, and
    that is sufficient under the Merchant Agreement. Landry’s and Chase are
    sophisticated parties familiar with the loss-shifting inherent in the GCAR and
    ADC programs, so we will not disturb the allocation of risk adopted by the
    parties themselves.
    IV.
    Because Landry’s is liable to Chase, the question becomes whether
    Landry’s can pursue its third-party complaints to recoup its liability from the
    Payment Brands. Landry’s brought six claims against each Payment Brand,
    four as Chase’s equitable subrogee—that is, standing in Chase’s shoes and
    asserting Chase’s rights—and two as “direct” claims “in its own right.” 15
    The district court properly dismissed these claims, both subrogated and
    direct, because Landry’s lacks standing.
    14
    Section 4 provides Chase with various options for collecting funds owed by
    Landry’s.
    15
    The claims differed materially between each Payment Brand only with respect to
    which state’s laws they were brought under.
    A.
    We begin with the subrogated claims. As a threshold matter, the
    parties dispute whether Texas or New York law governs Landry’s
    subrogation rights. We need not decide this question because Landry’s
    claims fail under both.
    Equitable subrogation is the doctrine by which a party, after having
    paid the losses of another party, obtains that party’s rights and remedies
    against the third party that caused the loss. See Gen. Star Indem. Co. v. Vesta
    Fire Ins. Corp., 173 F.3d 946, 949 (5th Cir. 1999) (applying Texas law);
    Winkelmann v. Excelsior Ins. Co., 650 N.E.2d 841, 843 (N.Y. 1995). The
    doctrine’s paradigmatic application is in the insurance context. See Frymire
    Eng’g Co. ex rel. Liberty Mut. Ins. Co. v. Jomar Int’l, Ltd., 259 S.W.3d 140, 142
    (Tex. 2008). For instance, “in the typical example of subrogation, an insurer
    attempts to recoup covered medical expenses from the tortfeasor who caused
    the insured’s injuries and need for treatment in the first place.” Aetna Health
    Plans v. Hanover Ins. Co., 56 N.E.3d 213, 218 (N.Y. 2016) (Stein, J.,
    concurring). Subrogation thus allows the subrogee to “stand[] in the shoes”
    of an injured party and recover from the wrongdoer who is culpable for the
    loss. Cont’l Cas. Co. v. N. Am. Capacity Ins. Co., 683 F.3d 79, 85 (5th Cir.
    2012) (citation omitted); see also Millennium Holdings LLC v. Glidden Co.,
    53 N.E.3d 723, 728 (N.Y. 2016); Fasso v. Doerr, 903 N.E.2d 1167, 1170 (N.Y.
    2009).
    Landry’s compares itself to an insurer, arguing that if it must
    indemnify Chase, then it should be able “to recover the losses that Chase
    sustained by reason of the wrongful conduct of the Payment Brands.” The
    wrongful conduct Landry’s alleges for all its subrogated claims is the
    Payment Brands’ levying of “illegal assessments” on Chase. 16
    Landry’s analogy falls short for one overarching reason: Landry’s paid
    its own debt, not the Payment Brands’ debt. As discussed, equitable
    subrogation exists to prevent an innocent party from having to bear a loss
    attributable to a wrongdoing third party. See Md. Cas. Co. v. W.R. Grace &
    Co., 218 F.3d 204, 211 (2d Cir. 2000). It follows from that principle that
    subrogation is a “remedy not given to one who merely pays his own debt.”
    Pathe Exch. v. Bray Pictures Corp., 247 N.Y.S. 476, 481 (N.Y. App. Div. 1931);
    Smart v. Tower Land & Inv. Co., 597 S.W.2d 333, 337 (Tex. 1980) (equitable
    subrogation is for “one who pays a debt owed by another”); Mid-Continent
    Ins. Co., 236 S.W.3d at 776. As explained below, Landry’s debt is its own, not
    that of the Payment Brands, because the assessments stem from Landry’s
    own conduct—namely, its failure to abide by the PCI DSS as it promised to
    do in the Merchant Agreement.
    To support this conclusion, the Payment Brands correctly point to
    Jetro Holdings, LLC v. MasterCard International, 88 N.Y.S.3d 193 (N.Y. App.
    Div. 2018), which held that a merchant obligated to indemnify its acquirer
    could not challenge Mastercard’s assessments as the acquirer’s subrogee. Id.
    at 196. The court found that the merchant’s (Jetro) contract with PNC, its
    acquirer, constituted a “separate and distinct obligation to PNC” that
    precluded subrogation. Ibid. In other words, the contract made Jetro’s
    indemnification of PNC its own debt. The court noted two pertinent aspects
    of that contract. First, it noted that Jetro had agreed to indemnify PNC for
    assessments that resulted from its own “acts or omissions,” such as failing
    to comply with data security rules. See id. at 195–96. Second, it observed that
    Jetro was required to indemnify PNC even if Mastercard illegally imposed
    assessments. Id. at 196. Thus, Jetro’s obligation to PNC was “broader” than
    PNC’s obligation to Mastercard. Ibid.
    16
    Landry’s first cause of action was for breach of contract, alleging the assessments
    were “not authorized” by the GCAR/ADC programs and “unenforceable under
    applicable law.” The second was for breach of the covenant of good faith and fair dealing,
    likewise alleging that Visa’s assessments were “not authorized by the Visa Rules and GCAR
    Guide or applicable law” and that Mastercard’s assessments “w[ere] not authorized by the
    Standards or applicable law.” The third cause of action alleged that the Payment Brands
    were “unjustly enriched” because they imposed assessments “without any contractual or
    lawful basis for so doing.” The fourth and final cause of action was for deceptive business
    practices. It alleged the Payment Brands deceived Chase by imposing assessments that
    were “invalid under . . . applicable law.” All of Landry’s subrogated claims thus turn on
    the enforceability of the assessments.
    As in Jetro, the Merchant Agreement tied Landry’s indemnification
    obligation to Landry’s own acts or omissions, so the assessments constitute
    Landry’s own debt. The agreement provided that Landry’s would indemnify
    Chase for assessments resulting from “failure to comply with the Payment
    Brand Rules, including the Security Guidelines.” Unlike an insurer who
    passively becomes responsible for a loss caused by someone else, the
    agreement made Landry’s responsible only for assessments resulting from its
    own conduct. The resulting “debt” is therefore attributable to Landry’s, not
    the Payment Brands. See ibid. 17
    Landry’s tries to distinguish Jetro because the second contractual
    feature there is not present here. Landry’s denies that it must indemnify
    Chase even for illegal assessments, and thus it argues that its obligation to
    Chase is not broader than Chase’s obligation to the Payment Brands, as was
    the case in Jetro. But even accepting this difference, Jetro remains apposite.
    We read Jetro as identifying two independently sufficient bases for finding
    Jetro’s obligation separate and distinct. Both features, in other words, were
    standalone reasons for making the assessments attributable to Jetro. Nothing
    in the opinion suggests both features were logically necessary to the outcome.
    Thus, since Landry’s indemnification obligation stems from its own acts or
    omissions under the Merchant Agreement, the debt is its own. 18
    17
    In other words, this is not a case in which the Payment Brands as wrongdoers “in
    equity and good conscience should have [] discharged” the debt. See Bank of Am. v. Babu,
    340 S.W.3d 917, 925 (Tex. App.—Dallas 2011, pet. denied) (quoting Murray v. Cadle Co.,
    257 S.W.3d 291, 299 (Tex. App.—Dallas 2008, pet. denied)).
    B.
    Landry’s direct claims for unjust enrichment and deceptive business
    practices remain. Their dismissal was also proper because these claims were,
    as a practical matter, also subrogated claims. They therefore fail for the same
    reason given above.
    We evaluate pleadings based on substance, not labels. Gaudet v.
    United States, 517 F.2d 1034, 1035 (5th Cir. 1975) (per curiam); Armstrong v.
    Capshaw, Goss & Bowers, LLP, 404 F.3d 933, 936 (5th Cir. 2005). While
    Landry’s styled these claims as “direct” and made “in [Landry’s] own
    right,” they require litigating Chase’s contractual relationships with the
    Payment Brands just as the subrogated claims do. Landry’s alleged the
    Payment Brands were “unjustly enriched” by “imposing [assessments] on
    [Chase] . . . without any contractual or lawful basis for doing so.” Likewise,
    Landry’s alleged for its deceptive business practices claims that the
    assessments were “invalid” under the Payment Brand Rules and “applicable
    law” and therefore the Payment Brands’ “imposition and collection of the
    [assessments] was an unlawful business practice.” Because these claims turn
    on the assessments’ enforceability under Chase’s contracts with the
    Payment Brands, they are functionally the same as the subrogated claims.
    Since Landry’s cannot challenge the Payment Brands over those contracts as
    Chase’s subrogee, it cannot do so through a change in labeling. 19
    18
    Additionally, we note that equitable subrogation is not a matter of right but arises
    through equity based on the facts and circumstances of the case. Murray, 257 S.W.3d at 300;
    Costello on Behalf of Stark v. Geiser, 85 N.Y.2d 103, 109 (N.Y. 1995). Since Landry’s
    has already had an opportunity to litigate the validity of the assessments in its action against
    Chase, it is no injustice to say that it cannot try again against new defendants.
    V.
    Because we rule for Chase, we must address its cross-appeal for
    prejudgment interest. The district court did not act on Chase’s request for
    prejudgment interest and thus implicitly denied it. See Manuel v. Turner
    Indus. Grp., L.L.C., 905 F.3d 859, 868 (5th Cir. 2018). Chase now asks us to
    reform the judgment to include prejudgment interest, while Landry’s argues
    we should remand.
    We decline to reform the judgment. While prejudgment interest is
    usually awarded “as a matter of course” under Texas law, the district court
    may exercise its discretion to reduce or deny it if “exceptional
    circumstances” exist. Executone Info. Sys., Inc. v. Davis, 26 F.3d 1314, 1330
    (5th Cir. 1994) (citation omitted). Because the court must explain those
    circumstances, “[i]f the district court denies prejudgment interest without
    explanation, our appropriate course is to remand the issue so that the court
    may either explain the exceptional circumstances . . . or award interest at the
    appropriate rate.” Ibid; see also Meaux Surface Prot., Inc. v. Fogleman, 607 F.3d
    161, 172–73 (5th Cir. 2010); Concorde Limousines, Inc. v. Moloney
    Coachbuilders, Inc., 835 F.2d 541, 549–50 (5th Cir. 1987). We do so here. 20
    19
    Landry’s argues that the district court did not address these claims and so we
    must reverse at least as to them. Even if that were so, we may affirm for any reason
    supported by the record, United States v. Gonzalez, 592 F.3d 675, 681 (5th Cir. 2009), and
    the record cleanly presents this issue.
    VI.
    The district court’s judgment is AFFIRMED. The case is
    REMANDED solely to allow the district court to determine whether Chase
    should receive prejudgment interest.
    20
    Chase’s primary authority is distinguishable. See Farmland Indus., Inc. v. Andrews
    Transp. Co., 888 F.2d 1066 (5th Cir. 1989). There, the district court had already awarded
    prejudgment interest, but both parties agreed that it applied an incorrect interest rate.
    Id. at 1068.