First Data Merchant Services Corp. v. SecurityMetrics, Inc., No. RDB–12–2568, 2014 WL 6871581 (D. Md. Dec. 3, 2014)
This is a motion to exclude in a false advertising/antitrust case. “This origins of this contentious case lie in a soured business relationship and the settlement of earlier litigation in the United States District Court for the District of Utah.” Plaintiffs (First Data) sued SecurityMetrics over alleged post-settlement misconduct, and SecurityMetrics asserted 15 counterclaims.
PCI is an acronym for Payment Card Industry. The PCI Security Standards Council (PCI Council) was formed in 2006 by the major credit card brands and developed the PCI Data Security Standard, which has been adopted by the major credit card brands as their data security compliance requirement for all merchants. The PCI Standard’s requirements vary based on merchant size; at issue here are merchants with the lowest transaction volume (but because there are so many of them, they have the highest number of transactions collectively). There are a number of different types of certified PCI standard compliance service vendors, with certifications recognized by the card brands; SecurityMetrics has a number of these PCI Council certifications while First Data allegedly does not.
First Data processes credit and debit card transactions for merchants and independent sales organizations. SecurityMetrics provided PCI compliance services to some merchants for whom First Data provides processing services. The parties worked together until the relationship deteriorated, ending with SecurityMetrics’ allegation of a material breach of their contract by First Data. SecurityMetrics also alleged that at that point First Data began offering a service called PCI Rapid Comply, which competes with the services offered by SecurityMetrics. First Data allegedly allowed its fees for PCI Rapid Comply to count toward the required billing minimums for customers, but not fees paid to other PCI compliance services; and First Data allegedly told merchants they’d have to pay for PCI Rapid Comply even if they used a different security compliance vendor. The parties settled their first suit, and then First Data sued.
I’m only going to discuss advertising-relevant issues. One SecurityMetrics expert was a marketing professor at San Diego State, Michael Belch. He surveyed consumer perceptions of the name PCI Rapid Comply, and opined that consumers would be deceived if the service wasn’t in fact approved or certified by the PCI Council. But his survey didn’t use a control to test for whether it was the name, PCI Rapid Comply, creating confusion. SecurityMetrics didn’t adequately explain how Belch reached his conclusions linking confusion to the use of PCI in the name. This was a “significant flaw,” and justified exclusion when combined with several other “troubling” aspects of the survey. First, the survey tested the name alone, divorced from typical marketing materials. Second, the original, online version of the survey was not preserved and was never turned over to First Data. Third, the survey questions repeatedly mentioned the name PCI Rapid Comply, creating a possible bias that wasn’t addressed because there was no control. Thus, Belch’s testimony could confuse a jury.
SecurityMetrics’ proffered expert Clark Nelson was a CPA, CGMA, and CFF with an MBA from Wharton, who opined that First Data generated $190,951,243 in PCI-related revenues, which SecurityMetrics sought to disgorge under its two Lanham Act claims. Challenges to Nelson’s calculations could be addressed on cross-examination. Though First Data argued that he failed to consider alternative reasons for SecurityMetrics’ lost profits, his report “reflect[ed] a complex analysis that included calculation and consideration of SecurityMetrics’ natural attrition and penetration rates and a variety of other factors,” and wasn’t so methodologically flawed as to warrant exclusion.
SecurityMetrics, however, was bound by the fact that its Rule 30(b)(6) deponent was only able to identify a few specific instances of merchant customers lost due to First Data’s alleged conduct. It later created a more detailed chart and argued that, since it had already disclosed the recordings on which the chart was based, the chart should come in. Whether intentional or not, this reflected an end run around Rule 30(6)(b), so SecurityMetrics’ evidence of damages would have to be tied to specific testimony from the deposition or evidence in exhibits from that deposition.