InfoSecCompliance Blog

This Blog Has Moved.

2009-01-08T13:33:00.002-07:00

Hi all, I have transitioned this blog to a new URL. You can find the new blog at: www.infoseccompliance.com I will no longer be posting here, so please update your book marks.

Thanks,

Dave

The New Path to PCI Liability: 3rd Party Beneficiary Theory

2008-09-30T22:14:00.004-06:00

An easy-to-read PDF version of this article can be found here: LINK.

Merchants face a potentially huge liability if they suffer a security breach exposing payment card data. Issuing banks (those banks that issue credit cards to consumers) have filed lawsuits to recover reissuiance costs allegedly ranging from $20-$50 per card (multiplied by thousands or millions of cards depending on the magnitude of the breach). A recent decision from the U.S. Court of Appeals for the Third Circuit (“3^rd Circuit” or “Appellate Court”) appears to have expanded the potential liability merchants face for payment card security breaches. In Sovereign Bank v. B.J. Wholesale Club & Fifth Third Bank, No. 06-3392/3405 (3^rd Circuit, July 13, 2008)(hereinafter the “BJW Decision”), while the Appellate Court affirmed the lower court’s dismissal of most of the claims against B.J. Wholesale Club, it reversed the lower court’s dismissal of Sovereign Bank’s breach of contract action that was based on a third party beneficiary theory. This article explores how the Appellate Court reached its decision, how the decision could increase the legal risk faced by merchants that suffer security breaches and potential actions merchants can take to better understand and mitigate their legal risk.

Background

The BJW Decision arose out of a payment card security breach suffered by B.J. Wholesale Club (“BJW”) that was first reported in March 2004. Criminals were able to steal (and commit crimes using) the magnetic stripe information from payment cards stored by BJW. In reaction to this security breach, Sovereign Bank and the Pennsylvania State Employee’s Credit Union (hereinafter “Issuing Banks”) incurred costs to reissue the payment cards that were the subject of the BJW breach. Litigation ensued in 2005 when the Issuing Banks separately sued BJW and BJW’s merchant bank (Fifth Third Bank) to recover their reissuance costs. The federal lawsuits were eventually consolidated in the U.S. District court for the Middle District of Pennsylvania (the “Lower Court”) and alleged the following causes of action: (i) negligence; (ii) breach of contract (Third Party Beneficiary Theory) and (iii) equitable indemnification; (iv) breach of fiduciary duty and (v) promissory estoppel. The Lower Court fully granted the defendants’ motion to dismiss and motion for summary judgment, which lead to the plaintiff’s to appeal (see Sovereign Bank v. B.J. Wholesale Club, 385 F.Supp.2^nd 183 [M.D. Pa. 2005] and Sovereign Bank v. B.J. Wholesale Club, 427 F.Supp.2d 256 [M.D. Pa. 2006]).

Relationship Between the Players in the Payment Card System

In order to understand the Appellate Court’s ruling one must first be aware of the relationships (contractual or otherwise) between the players in the payment card system.

In this case, BJW was the merchant that accepted payment cards from consumers (some of whom were issued their cards by the Issuing Banks). In order to accept credit cards and become part of payment card networks such as Visa or Mastercard, merchants must work through and contract with an acquiring bank (a.k.a. “acquirer” or “merchant bank”). In this case Fifth Third acted as BJW’s merchant bank and had a “Merchant Agreement” in place with BJW. In turn, moving upstream, Fifth Third had a “Member Agreement” in place with VISA. Pursuant to the Member Agreement, Fifth Third became a “member” of the VISA network and agreed that it would comply with VISA’s Cardholder Information Security Program (“CISP”) and VISA’s Operating Regulations (note that at the time of the breach the PCI Standard was not in effect and each card brand had its own security standard).

Sovereign Bank, was one of the Issuing Banks that had issued payment cards to various consumers that were impacted by the BJW security breach. Sovereign Bank is also a member of the VISA network by virtue of its own Membership Agreement with VISA. However, the Issuing Banks had no direct contractual relationship with Fifth Third or BJW. A graphic representation of the contract chains can be found at this link: BJW Contract Relationship Chart.

Sovereign Bank’s Breach of Contract Allegations

Despite not having a direct contractual relationship with Fifth Third, Sovereign Bank alleged a breach of contract claim based on Fifth Third’s breach of the Membership Agreement between Fifth Third and VISA. Although it was not a party to the Membership Agreement, Sovereign alleged that it was an intended third party beneficiary of the agreement (see BJW Contract Relationship Chart).

Pursuant to the Membership Agreement, Fifth Third agreed comply with VISA’s Operating Regulations (which included VISA’s Cardholder Information Security Program). The version of the Operating Regulations applicable to this case provided the following:

Fifth Third agreed to ensure that its merchants (BJW in this case) complied with the Operating Regulations

Fifth Third agreed to enter into a Merchant Agreement with each of its merchants requiring each merchant to comply with VISA’s Operating Regulations

A prohibition against retaining or storing the data encoded on the magnetic stripe on the back of payment cards after a transaction is authorized (this is essentially the same prohibition set forth now in section 3.2 of the PCI Standard), and a duty for Fifth Third to impose this obligation on merchants like BJW

Provisions concerning dispute resolution between members, including chargeback and representment procedures, and arbitration provisions.

Significantly the Operating Regulations in place at that time did not eliminate any other rights an issuing bank may have to pursue any legal remedy that may otherwise be available. As discussed further below, unless Visa’s Operating Regulations have changed, this suggests that there is no real “safe harbor” for PCI compliance.

Sovereign Bank alleged that both BJW’s failure to delete the magnetic stripe data, and Fifth Third’s failure to ensure BJW’s compliance with the deletion requirement constituted a breach of the Operating Regulations by Fifth Third. Sovereign Bank further contended that these contract breaches allowed the unauthorized access to, and use of, payment card data at BJW, and that Sovereign Bank was legally obligated to reimburse cardholders for fraudulent charges that resulted. Moreover, the resulting unauthorized access to payment card data also required Sovereign Bank to incur the expense to reissue the compromised payment cards. Finally, the Issuing Banks alleged that their customer goodwill was adversely impacted by the BJW breach. The Appellate Court was called upon to rule on these issues in a motion to dismiss/summary judgment context.

The Issue to Resolve: 3^rd Party Beneficiary Theory.

The Appellate Court considered the following issue:

Was Sovereign Bank an intended third party beneficiary of the Member Agreement between Fifth Third and VISA?

Although Sovereign Bank conceded that it is not an express third party beneficiary of the Member Agreement between Visa and Fifth Third, it based its argument on § 302 of the Restatement (Second) of Contracts (which had been adopted under Pennsylvania law, which governed this case):

Intended and Incidental Beneficiaries

(1) Unless otherwise agreed between promisor and promisee, a beneficiary of a promise is an intended beneficiary if recognition of a right to performance in the beneficiary is appropriate to effectuate the intentions of the parties and either:

(a) the performance of the promise will satisfy an obligation of the promisee to pay money to the beneficiary; or

(b) the circumstances indicate that the promise intends to give the beneficiary the benefit of the promised performance.

(2) An incidental beneficiary is a beneficiary who is not an intended beneficiary.

In the context of § 302, the court framed the issue as follows:

Under § 302, Sovereign’s contract claim depends on whether “the recognition of a right to performance” in Sovereign is “appropriate to effectuate the rights of” both Visa and Fifth Third in entering into their Member Agreement and whether “the circumstances indicate that” Visa (the promisee) “intended to give Sovereign the benefit of the promised performance.”

To establish whether Visa intended to give issuing banks like Sovereign the ability to rely on Fifth Third’s promises in the Member Agreement, Sovereign relied on the deposition testimony of Visa’s representative, Alex Miller. Miller testified that he was not aware of any intent on Visa’s behalf to create a direct right to benefit third parties, and that no documents existed that allowed issuing banks to “step into [Visa’s] shoes” to enforce the Membership Agreement with Fifth Third.

However, Miller also stated:

It’s fair to say that the core purposes of the operating regulations is to set up the conditions for participation in the system, to set up rules and standards that apply to that ultimately for the benefit of the Visa payment system, the members that participate in it and other stakeholders such as cardholders, merchants and others who may participate in the system as well.

Miller further testified that the purpose of Visa Operating Rules (including CISP in this case) was to maximize the value of the Visa system as a whole, including “to protect issuers.” Fifth Third argued that Miller’s statements evidenced that Visa’s Operating Regulations were intended not to benefit any individual member or class of members, but the Visa system as a whole.

Sovereign argued that Visa’s Operating Rules were specifically intended to benefit issuers. In addition to Miller’s testimony, it pointed to an August 1993 memo sent by Visa to its members that specifically alerted members of the (then) new requirements to delete magnetic stripe data (hereinafter referred to as “August 1993 Memo”).

That memo started off with the following:

To protect the Visa system and Issuers from potential fraud exposure created by databases of magnetic-stripe information, Section 6.21 has been revised. Effective September 1, 1993, the retention or storage of magnetic stripe data subsequent to the authorization of a transaction is prohibited. Acquirers are obligated to ensure that their merchants do not store the magnetic-stripe information from Visa Cards for any subsequent use.

Sovereign also relied on a May 2003 article printed online by Visa entitled “Issuers and Acquirers Are At Risk When Magnetic-Stripe Data Is Stored,” which indicated that magnetic stripe data compromises “impact[] Issuers” (hereinafter referred to as “May 1993 Memo).

The Appellate Court’s Decision and Reasoning

The Appellate Court considered the arguments by both sides and ultimately held that genuine issues of material fact did exist as to whether Sovereign was an intended beneficiary of the Member Agreement between Fifth Third and Visa, and therefore the case should be remanded for further proceedings (e.g. trial) rather than decided on a summary judgment motion.

The Appellate Court rejected Sovereign’s reliance on the May 2003 Memo, indicating that it simply stated the reason for the prohibition against retention of magnetic stripe data. However, the Appellate Court agreed that the August 1993 Memo and Miller’s “core purpose” testimony (referenced above), raised genuine issues of fact.

The court noted that Sovereign is a Visa member and that the core purpose the Operating Regulations according to Miller was to benefit members that participate in the Visa system. Just because Miller also indicated the Operating Rules were to benefit other stakeholders (such as cardholders, merchants and others who may participate in the system), the possibility that Visa intended to benefit individual users such as Sovereign was not negated.

Moreover, the Appellate Court held that the August 1993 Memo clearly stated that acquirers (such as Fifth Third) must act to protect Issuing Banks (like Sovereign) by ensuring that merchants (like BJW) do not retain magnetic stripe data. The Appellate Court held that this piece of evidence alone was sufficient to get Sovereign past summary judgment. Based on the foregoing, the Appellate Court remanded Sovereign’s breach of contract claim for further proceedings (e.g. trial in front of a judge or jury).

Analysis -- Increased Merchant PCI Liability

Similar to Minnesota’s Plastic Card Protection Act (discussed at this LINK), this decision has the potential to significantly increase the liability risk faced by merchants that are not compliant with PCI and that suffer a security breach.

First, although the Appellate Court’s breach of contract decision only involved the acquirer and the issuing bank, merchants such as BJW may ultimately be liable for the issuing bank’s costs. The source of this liability will also be contractual. However the contract at issue in this case is the direct contract between the merchant bank and the merchant (hereinafter “Merchant Agreement” -- see BJW Contract Relationship Chart). As the court ruled, this case will now be remanded to the lower court. A judge or jury could find Fifth Third liable to Sovereign for reissuance costs, or Fifth Third and Sovereign may settle the case based on the strength of Sovereign’s breach of contract claim. If Fifth Third wanted to recover the damages it paid to Sovereign, it may be able to rely on language in the Merchant Agreement between it and BJW to recover directly from BJW.

It is not atypical for a merchant to enter into a very one-sided Merchant Agreement with an acquiring bank (or the acquiring bank’s processor). Such Merchant Agreements often require the merchant to comply with the card association’s operating rules, security program and/or PCI. A sample of how such language may read is as follows:

Merchant agrees to comply with all security standards and guidelines that may be published from time to time by Visa or MasterCard and any other applicable industry security standards, including, without limitation, the Visa U.S.A. Cardholder Information Security Program (“CISP”), the MasterCard Site Data Protection (“SDP”), and the Payment Card Industry Data Security Standard (the “Security Requirements”).

If BJW agreed to comply with Visa’s Operating Rules and/or CISP, Fifth Third may have a right to recover any damages paid to Sovereign under a breach of contract theory (BJW having breached the Merchant Agreement).

In fact, merchant banks may have an explicitly contractual right to recover reissuance costs they are forced to pay issuing banks. It is likely that the Merchant Agreement requires the merchant to indemnify the merchant bank for liability it incurs because the merchant allowed a security breach. A sample of how such language might read is as follows:

Merchant agrees to indemnify Acquiring Bank, Member, the Associations, affiliates, officers, directors, employees, agents and issuing banks from any losses, expenses, costs, liabilities, and damages of any and every kind (including, without limitation, our costs, expenses, and reasonable legal fees) arising out of any claim, complaint, or chargeback caused by the merchant’s noncompliance with this Agreement, any Security Requirements or the Association Rules.

If similar language exists in the Merchant Agreement between BJW and Fifth Third, Fifth Third may demand that BJW indemnify it for any issuing costs that Fifth Third is required to pay to Sovereign. Of course, if BJW refuses, Fifth Third will again need to file a claim against BJW for breach of the Merchant Agreement. In short, by allowing an issuing bank to use the Visa Member Agreement to go after the merchant bank, the Appellate Court opened a path to merchant liability for the costs incurred by the issuing bank to reissue credit cards. The path starts with the Member Agreement, goes through the Merchant Agreement and ends up at the merchant.

PCI Compliance as a Defense – Existence of “Safe Harbor?”

Despite the existence of this contractual path to liability, the question arises whether a merchant’s compliance with the PCI and card association operating regulations will insulate the merchant from liability if it suffers a payment card security breach. Unfortunately, from the issuing bank’s point of view the merchant’s PCI compliance status is irrelevant – the issuing bank still must pay to reissue payment cards after a security breach of a PCI-compliant merchant. There are several points which may illuminate whether PCI compliance provides an automatic “safe harbor” from liability.

First, at least under the version in effect during the BJW case, according to the Appellate Court, issuing banks were not precluded by Visa Operating Rules from pursuing any available remedies at law. Thus, even if a merchant had fully complied with PCI and the applicable operating rules, an issuing bank’s status as a member of Visa or Mastercard does not block it from going after merchants. In fact, even if an issuing bank had agreed with Visa to refrain from pursuing merchants that were PCI compliant, the only party that could enforce that agreement would be Visa (unless, ironically, the merchant could be argued to be a third party beneficiary of the Member Agreement between Visa and the Issuing bank). Significantly, while compliance with the industry standard for protecting cardholder information will offer merchants a strong defense, it is still possible that a merchant could be liable under other theories of liability (e.g. negligence) if a court finds that the PCI standard itself is inadequate (see e.g. T.J. Hooper case).

Second, a PCI-compliant merchant’s liability will be largely contingent on the language set forth in the Member Agreement between the acquiring bank and the card association, and the Merchant Agreement between the acquiring bank and the merchant itself. If the Member Agreement makes the acquiring bank responsible for merchants’ security breaches in general (regardless of PCI compliance) and the Merchant Agreement requires the merchant to indemnify the acquiring bank for any losses, then the path to liability described above could apply. In such a case, in order to “block” the path from issuing bank through the Member Agreement, the Member Agreement would have to contain specific language providing a PCI “safe harbor” (alternatively, as discussed further below, the merchant may be able to negotiate a “safe harbor” in the Merchant Agreement to block the liability path).

Significantly, gaining access to the card associations’ operating rules and Membership Agreements has been notoriously difficult. Without the ability to read to those documents it may be hard to ascertain the scope of the liability risk under this theory since the merchant will not be aware of the merchant bank’s obligations to the card association in the event of a merchant security breach.

Limited Applicability?

Variations in the terms and conditions of Member Agreements and card association operating rules may also impact the path to merchant liability. As such, the holding in the BJW may not apply if there have been changes in subsequent versions of these documents. For example, if the current versions of Visa’s Member Agreement specifically precludes enforcement of the Merchant Agreement by third parties, then the issuing banks would not be able to use employ the 3^rd party beneficiary theory used by Sovereign. However, if the Member Agreement between the card association and acquirer bank remains silent, then the same rationale in the BJW decision could apply.

With respect to Visa’s Member Agreements, where intent is unclear, issuing banks may be able to rely on Mr. Miller’s deposition testimony in the BJW decision. As such, cases brought in jurisdictions that follow section 302 of the Restatement (Second) of Contracts may be prone to agree with the Appellate Court’s decision. Again, unfortunately, merchants will not be able to ascertain the full extent of their risk unless they can get access to the acquiring bank’s Member Agreement or be informed of whether it prohibits third party beneficiaries.

Merchant Actions to Potentially Reduce the Risk of Liability

There may be some steps that merchants can take to reduce their risk of liability for a payment card security breach. The BJW path to liability is a two step process. First the issuing bank must successfully sue the acquirer for breach of the Member Agreement between the card association and the acquirer, then the acquirer must pursue the merchant under the Merchant Agreement. Thus, merchants should consider both steps to determine the extent of their potential liability and for purposes of cutting off the path.

Attempt to Determine Existence of 3^rd Party Beneficiary Prohibition in Member Agreement

The first step on the path to liability under the 3^rd party beneficiary theory is whether the Member Agreement between the card association and acquirer bank precludes third party enforcement of the Member Agreement. Merchants should ask their acquirer banks if they can examine their Member Agreement. It is likely, however, that the acquirer bank will be unwilling to provide the agreement itself. If not, the merchant should at least attempt seek assurances that there is a prohibition against third party beneficiaries. If the Merchant Agreement does not contain such a prohibition, then it is possible that the first step on the BJW liability path is open. Therefore, the merchant should seek to cut off the second step on the path, the Merchant Agreement.

Negotiate a “Safe Harbor” in the Merchant Agreement

Obviously, the merchant has little control over what third party beneficiary terms its acquirer may have agreed to in the Member Agreement. However, a merchant does have some control over the terms it agrees to in its Merchant Agreement with its acquirer. It may be possible for a merchant to cut-off liability even if the issuing bank has been successful as a third party beneficiary of the Member Agreement. When entering into negotiations with acquirers (or their payment processors) merchants should attempt to negotiate a “safe harbor” into their Merchant Agreement. In essence, the safe harbor language would indicate that in the event of a security breach involving payment card information, if at the time of the breach the merchant was compliant with PCI and/or the card association’s operating rules, the acquirer would have no right to indemnification or any other recourse against the merchant. Rather than relying on (mostly likely) illusory safe harbors identified by the card associations, this would provide a direct right to avoid contractual liability if the merchant has done everything it promised with respect to PCI.

The parameters of the safe harbor should be defined to protect the merchant. First, the merchant agreement should identify a truly independent third party responsible for performing a post-breach PCI/operating rules audit, and set-up a process for the audit itself (note that one issue to consider is that the auditors findings will not be protected by attorney-client privilege, so caution is warranted). This third party would be the last word on whether the merchant was PCI-compliant at the time of the breach. Currently this post-incident response is performed by auditors hand-picked by the card associations, and some believe, because of close relationships these auditors have with the card associations, they could be less than “neutral” when performing these audits. Second, the standard for compliance should not be strict compliance. Rather, the merchant should be deemed to be compliant unless it is in material non-compliance with PCI. Finding technical non-compliance with some section of PCI or card association rules, as any security expert can tell you, is not difficult. Even better would be language requiring the non-compliance with PCI to be the actual cause of the security breach at issue – if the non-compliance was not in anyway relevant to the breach the merchant would not be liable. Last, if possible, the Safe Harbor should include indemnification from the acquiring bank if the merchant is PCI-compliant at the time of the breach. This would allow the merchant to cut off direct suits from other stakeholders (consumers, issuing banks, card associations). Admittedly, however, it will likely be difficult to convince an acquiring bank to go this far.

Whether a merchant will be able to negotiation a safe harbor or any other term of the Merchant Agreement will depend a large part on negotiating leverage. Larger merchants with clout, or any merchant willing to “shop around” between multiple acquiring banks, will be in the best position to negotiate favorable terms. Some of the same negotiating leverage issues apply for this route as well.

Limitation of Liability

In addition, merchants should consider a limitation of liability that caps the merchant’s potential liability in the event of a security breach exposing credit card data. Merchants that have expended significant resources in becoming PCI compliant may be able to justify the cap more easily.

Insure Against Payment Card Security Breaches

The insurance market has created information security and privacy liability policies which may cover liability arising out of a payment card breach. Since the risk of a security breach can never be 100% eliminated, insurance may be a good risk management tool to transfer unwanted risk. The key for utilizing insurance is to make sure the risk the merchant desires to transfer is actually transferred in light of the terms, conditions and exclusions in the insurance policy.

Conclusion

Merchants can no longer afford to treat PCI compliance as a pure security issue. Merchants should carefully analyze their PCI liability risk and determine ways to mitigate that risk. Laws like Minnesota’s Plastic Card Protection Act and the BJW decision have likely increased the risk significantly. The potential for huge damage is great - issuing banks have alleged that the costs of reissuing payment cards range from $20-$50 per card (multiplied by thousands or even millions of cards). For smaller and medium companies highly reliant on payment cards, the failure to address this risk ahead of time can mean bankruptcy. For larger retailers, the prospect of spending tens of millions of dollars defending and settling lawsuits against issuing banks and merchants should spur on a careful examination of all merchant agreements, and the possible shopping around for merchant banks and payment processors that provide reasonable terms.

As such, more than ever, merchants must work with their legal counsel and risk managers to understand and mitigate the risk. Merchant lawyers must analyze their clients’ current contractual relationships with acquiring banks and assist in negotiating favorable terms with payment processors and merchant banks. Since the risk is somewhat unpredictable and may be difficult to eliminate, information security and privacy risk insurance should also be considered. Lawyers should carefully analyze the scope of information security liability coverage to make sure their PCI risk is being transferred to the insurers. If the proper steps are taken, merchants may be able to avoid or mitigate significant losses in the event of a security breach.

Forever 21 -- Breached and PCI Compliant

2008-09-18T07:55:00.003-06:00

I anticipate we will be seeing a lot more instances of merchants suffering payment card breaches while PCI compliant. The question is, will they be held liable for those breaches. An article soon on that. For now, here is an article on Forever 21, which just reported a breach involving over 98,000 card numbers. Forever 21 claims that is has been certified as PCI compliant since 2007. However, all of the incidents happened from March 2004 to August 2007. Therefore it is possible that Forever 21 was not PCI-compliant at the time of the incidents, but became so in after August 2007.

Best Western: PCI Compliant and Hacked

2008-08-27T09:28:00.002-06:00

While the details are still murky on the number of records impacted (somewhere between 13 and 8 million), it appears that we have a security breach of another high profile corporation claiming PCI compliance at the time of breach. SC Magazine has the story here.

Here is Best Western's statement on the breach:

“We comply with the Payment Card Industry (PCI) Data Security Standards (DSS). To maintain that compliance, Best Western maintains a secure network protected by firewalls and governed by a strong information security policy. We collect credit card information only when it is necessary to process a guest’s reservation; we restrict access to that information to only those requiring access and through the use of unique and individual, password-protected points of entry; we encrypt credit card information in our systems and databases and in any electronic transmission over public networks; and again, we delete credit card information and all other personal information upon guest departure. We regularly test our systems and processes in an effort to protect customer information, and employ the services of industry-leading third-party firms to evaluate our safeguards.”

Obviously, the facts are still murky, but it will be interesting to see what, if any, protection PCI compliance will have from a liability perspective and a "safe harbor" perspective.

FACTA Development: The “Credit and Debit Card Receipt Clarification Act of 2007” Signed into Law.

2008-06-09T15:19:00.004-06:00

The FACTA class action litigation saga has taken a new twist. Congress has passed and the President has signed the Credit and Debit Card Receipt Clarification Act of 2007 (the “Act”) into law. The Act will likely provide a large set of FACTA class action defendants with the ability to escape expensive litigation and liability.

As previously reported, plaintiffs have filed FACTA class action lawsuits based not on the printing of the payment card number on an electronically printed receipt, but simply based on the printing of the expiration date on a receipt (see for example the StubHub case referenced in this post). In fact, the relevant FACTA section establishes an “either/or” scenario:

Except as otherwise provided in this subsection, no person that accepts credit cards or debit cards for the transaction of business shall print more than the last 5 digits of the card number or the expiration date upon any receipt provided to the cardholder at the point of the sale or transaction.

15 U.S.C. 1681c(g) (emphasis supplied). If a plaintiff is able to establish a willful violation of FACTA, a court could award statutory damages ranging from $100 to $1,000 without the having to establish that he or she suffered actual harm.

Unfortunately dozens of companies that had made the effort to truncate the payment card numbers nonetheless were sued in FACTA class actions alleging a failure to remove the expiration date from payment card receipts (see e.g. Troy v. Home Run Inn, No. 07CV4331 (N.D. Ill 2008)); Cicilline v. Jewell Food Stores, No. 07CV2333 (N.D. Ill 2007)).

Congress passed the Act in light of these “expiration date only” FACTA lawsuits. The relevant part of the Act states:

(d) Clarification of Willful Noncompliance- For the purposes of this section, any person who printed an expiration date on any receipt provided to a consumer cardholder at a point of sale or transaction between December 4, 2004, and the date of the enactment of this subsection but otherwise complied with the requirements of section 605(g) for such receipt shall not be in willful noncompliance with section 605(g) by reason of printing such expiration date on the receipt.

(emphasis supplied). In essence this language appears to block plaintiffs from going after statutory damages under FACTA. Since those statutory damages are the only reason these cases are attractive to plaintiffs attorneys, it is likely that class actions on this basis will not be pursued.

Significantly, the Act applies retroactively: it would apply to FACTA lawsuits already filed on the basis of printing the expiration date on the receipt.

This is obviously good news for defendants. However, the way Congress went about this raises some questions. Rather than “clarifying” the law by stating that printing just the expiration date is not a violation of FACTA, Congress left the door open for plaintiffs that suffer “actual harm” based on the “non-willful” printing of the expiration date. Admittedly, few if any plaintiffs will be able to establish actual harm in this context.. However, there is a certain logic gap at play here.

Congress has said unequivocally, regardless of the actual facts of the case, that printing the expiration date shall not be “willful noncompliance.” What if, in an (extreme) hypothetical, a defendant wrote an email stating:

I, President of ABC company, understand that FACTA prohibits the printing of a credit card expiration date on the receipt, but for financial reasons I intend to not follow that legal requirement.

Based on the Act, there would still be no willful violation even though under this hypo there was one in laymen’s terms. Of course in “real life” this email likely does not exist, but there could be lesser evidence establishing “willfulness” that could be in play. In short, Congress took an awkward somewhat Alice-In-Wonderland approach to rectify the situation, and hopefully it does not give plaintiffs a hook to keep these cases in court (clearly more research would be needed as to how legislative intent is factored in these scenarios). Regardless, at the minimum, this gives the FACTA defendants great litigation leverage on this issue.

Another “Victory” on the Issue of “Damages” in a Security Breach Negligence Case

2008-06-09T15:00:00.002-06:00

As has been reported on this blog previously (here and here), many courts that have considered the issue of damages in a security breach scenario involving personal information have concluded that taking pre-emptive actions (such as purchasing credit monitoring services) do not amount to “damages” for purposes of a negligence claim. some chinks, however, have begun to develop in the “damages” armor used by defendants in security breach negligence cases. A recent decision sets forth another possible theory of liability to get a plaintiff at least beyond a motion to dismiss.

In Ruiz v. Gap, 07-5739 (N.D. Cal. 2008), a class of plaintiffs sued the Gap alleging that their unencrypted personal information resided on one of two laptops stolen from one of the Gap’s vendor (the personal information of approximately 800,000 Gap job applicants was stored on the laptops). The Gap offered the plaintiffs 12 months of credit monitoring services and fraud assistance without charge, as well as access to $50,000 worth of identity theft insurance.

The Ruiz court analyzed the plaintiffs’ complaint to determine whether the plaintiff properly alleged an “injury in fact” for purposes of standing and the issue of damages with respect to the plaintiffs’ negligence claim. In particular, the court noted that the plaintiffs had merely alleged that they were at “an increased risk of identity theft” and did not allege that their identity had been stolen.

The court noted that the plaintiffs’ allegations seemed “conjectural or hypothetical, rather than actual or imminent,” and that there was nothing else to allow the court to determine that the risk was actual, imminent or credible. Nonetheless, the court presumed that the general allegations embraced the specific facts supporting them and denied the motion to dismiss. The court did, however, issue a warning to the plaintiffs indicating that if it became apparent that their allegation of injury was too speculative or hypothetical the plaintiffs’ case may be dismissed later in the proceeding. In addition, the court noted that the extent of recoverable damages was unclear even if the plaintiffs were to prevail on a negligence claim.

Unfortunately, as with other negligent security cases allowing plaintiffs to proceed past a motion to dismiss, the court did not provide a highly developed legal rationale to support its decision. In this case it appears that the court simply accepted on its face that the alleged “increased risk of identity theft” constituted an injury. It went further and allowed the negligence claim to proceed even though no specific facts were alleged supporting that the plaintiffs were at increased risk. For the time being at least, it appears to be another small chip off the damages security breach defense rationale.

"Damages" in a security breach case... er.. maybe kinda...

2008-04-16T14:51:00.003-06:00

A recent opinion came out of the U.S. District Court for the District of Columbia that denies defendant's motion to dismiss a case against the Transportation Safety Administration arising out of the loss of hard drive containing the personal information of 100,000 TSA employees (including names, SSNs, DOBs, bank account numbers, etc.).

The plaintiff's alleged a violation of section 522a(3)(10) of the Privacy Act, which provides:

Each agency that maintains a system of records shall . . . establish appropriate administrative, technical, and physical safeguards to insure the security and confidentiality of records and to protect against any anticipated threats or hazards to their security or integrity which could result in substantial harm, embarrassment, inconvenience, or unfairness to any individual on whom information is maintained .

In various contexts, the defendants argued that the plaintiff's had not alleged actual damages, that damages should be construed as only encompassing "out-of-pocket" pecuniary loss, and that plaintiffs' concerns about harm were speculative and dependent on future events (e.g. criminal misuse of the plaintiff's personal information by third parties).

The court analyzed the following injury allegations by plaintiffs:

“embarrassment, inconvenience, mental distress, concern for identity theft, concern for damage to credit report, concern for damage to financial suitability requirements in employment, and future substantial financial harm, [and] mental distress due to the possibility of security breach at airports."

In rejecting the defendant's motion to dismiss on the issue of injury/harm/damages, the Court focused on the "embarrassment... mental distress.... and concern" allegations. It held that those emotional distress allegations were not speculative nor dependent on future events.

The court also noted that the plaintiffs conceded that they were not alleging "current, actual, financial loss" or seeking out-of-pocket expenses. The court cited a case interpreting the Privacy Act that held that actual damages were not limited to "pecuniary losses" and that actions under the Privacy Act could survive the motion to dismiss phase based on pain and suffering and non-pecuniary losses. In this case the allegation of emotional distress was sufficient to surviving a motion for summary judgment.

There are several issues to address in this case:

(1) First off, since the plaintiffs did not appear to allege "out-of-pocket" expenses related to the security breach, it does not appear that the logic of this case would apply to situations where a plaintiff incurs costs (e.g. credit monitoring) to head off potential future harm that could arise out of identity theft (e.g. bad credit, cleaning up credit reports, credit monitoring, etc.). Rather, this case focused on whether "emotional distress" or "concern" was itself actual damages or an adverse impact under the Privacy Act. So I am not sure it helps support the theory that out-of-pocket expenses post breach, pre-Identity Theft are actionable.

(2) This case arose in the context of the Privacy Act, and in particular an alleged violation of a section intended to prevent "substantial harm, embarrassment, inconvenience." Since the intended harm includes "intangibles" such as embarrassment and inconvenience it seems that emotional distress can easily fall into that type of "injury."

(3) Another contextual matter: the reason the plaintiffs have to establish actual damages is to satisfy a U.S. Supreme Court case that ruled that "actual damages" were necessary for a plaintiff to recover the $1,000 statutory penalty available under the Privacy Act. More research needs to be done to determine whether "damages" in a negligence context is the same as "actual damages" in the Privacy Act coverage.

(4) It seems to me the logic employed here was a little loose. Most of the "emotional distress" and "concern" clearly ties to what might happen to the plaintiffs' personal information (e.g. concern for identity theft, concerning for damage to credit report, concern for damage to employment suitability, etc.). I suppose its possible that somebody could suffer emotional distress simply knowing their information was breached. However, its how that information might be used in the future after the breach that is actually of concern. It seems to me without some alleged facts (e.g. evidence of visits to a psychiatrist, starting anti-anxiety medication, evidence of depression) that this is fairly weak tea. I suppose courts are more lenient at the motion to dismiss phase (all you need to do is state a claim) and are likely to be more demanding on the evidentiary front if/when a motion for summary judgment is filed.

(5) In my view, since the ruling was fairly conclusory and did not dive deep into the details concerning how to define "damages," I am not sure how persuasive this reasoning will be in other contexts.

PCI: "Follow the Standards to the Letter"

2008-04-10T19:14:00.004-06:00

An interesting quote from Bob Russo on how the PCI standard should be followed:

Bob Russo, the general manager for the PCI Security Standards, a group that devises data security measures for the five major credit card companies, said almost all data breaches are the fault of the merchant.
"Everybody that has been breached has been noncompliant with the standard," he said, noting that the circumstances of the Hannaford breach are still too murky for him to render a judgment about. "If you follow the standards to the letter, it puts enough of a hard shell around the data that it is hard to get to."

Full story here.

My question, what about all those emails from the PCI Council, the card brands, acquiring banks and payment processors that purport to resolve ambiguities and which may not be "to the letter" of the PCI Standard? And that question reveals the potential problem from a legal standpoint.

More Evidence of Hannaford-like Exploits?

2008-04-03T08:56:00.004-06:00

While I will have to defer to my tech/security-oriented friends, we have reports of exploits that may be similar to the one suffered in Hannaford: Vermont ski area reports Hannaford-like theft of payment card data.

This exploit may be more common than just Hannaford:

And Hannaford and Okemo may not be the only businesses disclosing breaches involving payment card data in transit between systems. According to McPherson, law enforcement authorities who are investigating the breach at Okemo told resort officials that they currently are looking into about 50 reported incidents of the same sort in the Northeast alone.

So what does this all mean? Do the controls required under the PCI Standard address this issue? What about encryption under 4.1 and the language concerning "networks that are easy and common for a hacker to exploit." In general, has the security community anticipated this sort of attack? Is it reasonably foreseeable that hackers would exploit the point-of-sale systems? Legally, is failure to address this type of exploit "unreasonable" for purposes of negligence claim?

PCI, "Safe Harbor" and Hannaford

2008-03-28T12:57:00.009-06:00

This Computerworld article was some issues: Hannaford may not have to pay banks' breach costs under PCI, says Gartner

This key part of the article is problematic:

“If true, Hannaford has a safe harbor under PCI and will not be required to reimburse banks and credit unions for any breach-related costs they may incur, according to information that Gartner analyst Avivah Litan said she has previously received from Visa Inc. Typically under PCI rules, if a company is noncompliant at the time of a beach, it faces two potential costs: fines from the payment-card companies and reimbursements of breach-related costs sustained by card-issuing banks and credit unions. Those costs can include payment of fraud losses resulting from the use of compromised payment-card data as well as breach notification and the costs associated with reissuing cards.

The fines and the reimbursement costs are not collected directly from the breached entity but through the "acquiring bank" that authorizes a company such as Hannaford to accept payment-card transactions. Under PCI rules, it is these acquiring banks that are directly responsible for ensuring that their merchants are PCI-compliant.

In Hannaford's case, while its acquiring bank may still get hit with a fine, "the buck stops there," Litan said. "Under the guidance Visa gave me, the acquiring bank wouldn't be able to take it back to the retailer," she said.”

It appears that Litan is referencing the VISA CISP “Safe Harbor.” Interestingly, if you go to VISA’s CISP website, the reference to the Safe Harbor has been removed. Here is what it used to say (as late as August 9, 2007 according to the Internet Archives) :

Safe Harbor

Safe harbor provides members protection from Visa fines in the event its merchant or service provider experiences a data compromise. To attain safe harbor status:

A member, merchant, or service provider must maintain full compliance at all times, including at the time of breach as demonstrated during a forensic investigation.
A member must demonstrate that prior to the compromise their merchant had already met the compliance validation requirements, demonstrating full compliance.
It is important to note that the submission of compliance validation documentation, in and of itself, does not provide the member safe harbor status. The entity must have adhered to all the requirements at the time of the compromise.

Link Here.

That language has been replaced on VISA’s website with this:

Visa may waive fines in the event of a data compromise if there is no evidence of non-compliance with PCI DSS and Visa rules. To prevent fines a member, merchant, or service provider must maintain full compliance at all times, including at the time of breach as demonstrated during a forensic investigation. Additionally, a member must demonstrate that prior to the compromise the compromised entity had already met the compliance validation requirements, demonstrating full compliance.

Link Here

A few things to say:

(1) Safe Harbor for Fines Only. According to VISA’s website the Safe Harbor (whatever version is applicable) only applies to fines. Therefore, unless there is information out there that says it applies to reimbursing banks, it would appear that the Safe Harbor is limited. Litan indicates that she has seen some information; it would be excellent if she shared that.

(2) Safe Harbor at Visa's Discretion? As you can see, the VISA website has gone from “to attain safe harbor status” to “Visa may waive fines.” Its not clear from this language whether safe harbor is “automatic” if a company can establish PCI compliance and VISA validation requirements, or whether its at VISA’s OPTION to (e.g. “may waive”) to waive fines if the merchant can establish compliance and validation.

(3) PCI Compliance and Validation Required. The safe harbor requires not only a demonstration of PCI compliance, but also requires (in both versions) that the merchant meet “compliance validation requirements.” So, by this language, a merchant may have been PCI compliant, but it is unclear whether or not the safe harbor would be available if the merchant it did not “validate” that compliance with VISA (basically do a bunch of paperwork: link here)

(4) Safe Harbor Limited to Visa; Not Other Card Brands. Visa’s safe harbor on its face would not provide protection from the other card brands, including MasterCard, Discover, AMEX, etc. If there is a side agreement between the card brands to honor compliance with VISA’s safe harbor, I have yet to see it. This article gives the impression that compliance with VISA rules will somehow protect you from other card brands.

(5) Article Misidentifies "PCI Rules." As a follow up to (4), the article refers to the contractual arrangements between banks, credit card companies and merchants as “PCI Rules.” In fact, those relationships are governed by each of the card brand’s security programs. VISA’s program is the Cardholder Information Security Program. Mastercard’s is the Site Data Protection Program. So if a merchant deals with all five card brands it must comply with not only the PCI Standard (a security standard) but also five security programs. These programs have different definitions, procedures and requirements. To avoid confusion, people need to be careful to not conflate “PCI” with the card brand security programs.

(6) No Proof that Issuing Banks Bound to Honor Safe Harbor. the article appears to suggest that attaining VISA safe harbor will somehow prevent a merchant from having liability to issuing banks for the costs to reissue credit cards. It is not clear how an issuing bank would be bound by VISA’s safe harbor; (a) as discussed below the safe harbor only deals with fines; and (b) the issuing bank is not in a contractual relationship with a merchant with respect to PCI so a merchant would have no basis to enforce the safe harbor against the issuing bank. If there is a document that requires all VISA issuing banks to respect the safe harbor it should be shared publicly so everybody can assess their liability.

(7) The Buck Only Stops if the Contract Stops It. The article suggest that in terms of fines, if safe harbor is attained, “the buck stops” at the acquiring bank. I would maintain that where the buck stops between a merchant and its acquiring bank is dictated legally by the terms of their contract and you cannot make a blanket statement.

On the broader issue, claiming PCI compliance and even actually achieving it does not automatically mean immunity in a lawsuit setting by any stretch

It is entirely possible to be PCI compliant and still have “unreasonable security” for purposes of negligence suit by consumers or banks. Its possible to state you are PCI compliant and not actually be compliant. Moreover, it’s even possible for the PCI Standard itself to be “unreasonable” (although that is obviously a more difficult argument to make to the extent the PCI Standard is “industry standard). A case that every security professional should know about: T.J. Hooper In short, the issues around PCI are much more complex then being presented here and I think people need to be careful since there is already enough confusion out there already.

Much, much more to come...

Are the PCI Council's FAQs Incorporated and Part of the PCI Standard?

2008-03-25T11:34:00.005-06:00

This is the basic question I posed to Bob Russo, General Manager of the PCI Council, during an online PCI forum put on by SC Magazine:

Are the FAQs incorporated into and automatically made part of the PCI Standard when published? If so, is there a document or some sort of proclamation indicating that the FAQs are part of the PCI Standard?

Mr. Russo orally indicated "yes," the FAQs are intended to become part of the PCI Standard when they are published. Mr. Russo, however, was not aware of any document or proclamation that indicated that the FAQs were incorporated/made part of the PCI Standard. He indicated that he was making a note on that point to see about creating such a document.

What does this potentially mean in terms of legal liability issues? Well at least with FAQs, if they are made part of the PCI Standard, merchants and QSAs will have a stronger argument of the authoritative weight of the FAQs if ever challenged on the issues addressed in the FAQ. However, this still does not mitigate potential risk around receiving "informal" advice on ambiguities from the PCI Council, processors or merchant banks. Since this type of informal advice is not officially made part of the PCI Standard, its ability to be relied upon as interpretative authority in court or otherwise is arguably weaker. More on these issues to come.

Correction Re: Connecticut Retailer Liability Law

2008-03-25T11:09:00.000-06:00

All, I have to issue a correction concerning my reference to a Connecticut law in the article entitled "The Legal Implications of PCI." In that article I indicated that Connecticut had passed a law allowing banks to sue retailers. I received information from a source that turned out to be erroneous. In fact, Connecticut considered a bill with retailer liability in it, but ultimately the provisions providing for retailer liability were stricken. The only State with a specific law providing relief to financial institutions for a security breach involving cardholder data is Minnesota. The updated/corrected article is here: Legal Implications of PCI. I apologize for the mistake.

Hannaford Class Action Update

2008-03-24T08:58:00.005-06:00

Looks like four were filed last week (click on each to get a copy of the complaint):

Ryan v. Delhaize Am. Inc., D. Me., No. 1:08-cv-00086JAW, complaint filed 3/18/08;

Dobryniewski v. Delhaize Am. Inc., M.D. Fla., No. 2:08-cv-00235-JES-DNF, complaint filed 3/18/08;

Doherty v. Hannaford Bros. Co., D. Me., No. 2:08-cv-00089-DBH, complaint filed 3/19/08 ; and

Major v. Hannaford Bros. Co., D.N.H., No. 1:08-cv-00106-JL, complaint filed 3/20/08.

These pleadings may be a little sparse considering the lack of public knowledge of what happened at Hannaford. I have not read through them yet, but will try to do so later to see how the plaintiff attorneys are approaching this situation.

The "Circle of Blame"

2008-03-22T14:35:00.002-06:00

I prefer the "Chain of Blame" because of the better rhyme scheme... all kidding aside, Andrew Conry-Murray has done some good reporting on this story.

One money quote:

While PCI provides more concrete guidelines than, say, Sarbanes-Oxley, merchants are quick to complain that it's both too specific and too vague. For instance, the standard requires use of stateful packet inspection firewalls. "What if I choose to use another technology that I believe is equivalent?" says Michael Barrett, chief information security officer of PayPal, a Level 1 merchant. "You have a whole big fight with your auditors or you hold your nose and do it."

Level 1 merchants also clash with QSAs over issues such as "compensating controls"--technologies or processes used in place of specific requirements on the PCI checklist. "We believe our controls are adequate, but they are different from how the standard is written," Barrett says. "So you argue with auditors. Those kinds of things make you want to tear your hair out."

There's also a level of subjectivity in PCI that many find disturbing. The training for QSAs provides few guidelines for resolving this subjectivity. One PCI expert, who requested anonymity, says of the training: "When you ask if X or Y would be acceptable, or how to apply X in situation Y, they always answer 'Use your best judgment.'" He says that when others in the class pointed out how wildly their opinions could differ in a given situation, the instructor "had no answer other than to say 'do your best.'"

"It's a question of interpretation of the auditor, and the sophistication and skill set of the auditor," says Jay White, global information protection architect at Chevron, also a Level 1 merchant. "PCI was more painful than it had to be, but we've learned we have to help the auditors understand how we meet their objectives, even if they don't at first see it."

This lack of guidance can lead to significantly different approaches to compliance, even among auditors at the same Qualified Security Assessor. In one case, a company brought in a PCI expert to monitor a QSA's recommendations. The expert says the QSA had insisted the company deploy a million-dollar technical control when a simple change in operational procedure would have addressed the issue. "The assessment company then sent out someone completely different," the expert says, "and he disagreed with the recommendations of the prior QSA from his own company!"

This inconsistency can have significant repercussions for Level 1 merchants. If a merchant exposes card data, Visa dispatches a team of forensics security consultants to determine if the merchant was compliant with PCI at the time of the breach. "If a 'compliant' merchant gets compromised, I can guarantee you I can find at least one thing in the compliance report I could argue about," says the PCI expert. "This provides just enough wiggle room for the brands to point at the merchant or QSA and argue the standard was interpreted wrong."

Being judged noncompliant can result in substantial fines for the merchant and its acquiring bank, including higher per-transaction card processing fees. A judgment of noncompliance would also be useful to law firms contemplating action against the merchant.

More interesting points:

One major clothing retailer we spoke with said auditors examined four out of 1,000 stores, a sample size of just 0.4%. The retailer says all its stores share the same configuration and are centrally managed, but it's all too easy for security problems to go undiscovered with such small samples. "I could hide a multitude of sins from a QSA," says the PCI expert.
And while some retailers complain that auditors are too strict, the current system lets retailers seek out QSAs who may apply the standard less rigorously than others. "I've read several compliance reports that have been provided to us after the fact, and I wouldn't consider them appropriate," says the PCI expert. "They passed, but I don't know how." When asked if merchants are shopping for QSAs that provide an easy assessment, he says: "I can guarantee you that. Why wouldn't they?" Even the PCI Security Standards Council, which trains and certifies QSAs, admits that quality levels may not be consistent among the more than 100 active QSAs.

"It's a competitive game," says Bob Russo, general manager of the council. "One QSA might do an on-site assessment for X number of dollars, and another QSA will do the exact same assessment for less. A merchant thinks, 'If this guy is charging me $50K and this guy charges me $10K, there's a question there.'"

In response, the council is introducing a quality assurance program, due later this quarter, to ensure that all QSAs are performing assessments with the same rigor. "The goal is to make sure it's a level playing field so we don't have accusations from QSAs or merchants that some people are rubber-stamping," Russo says.

The question of rubber-stamping ties to the issue of liability. If a compliant merchant is breached, does the QSA bear any responsibility? It's a question that makes QSAs uncomfortable.

"Who's to say a retailer doesn't take what we say and toss it into the garbage?" says Barbara Mitchell, manager of security product marketing at Verizon. Along with Internet Security Systems and TrustWave, Verizon wins much of the assessment business for Level 1 merchants. "We should have some skin in the game, but if a retailer decides to not listen to our recommendations, it's a murky area," Mitchell says. "If we assume liability, we want to review all the stores, all the servers. That shoots the cost up to a prohibitive degree."

Retailers we spoke with were unclear about the liability question. "I think it would depend on whether our controls were deficient and on the audit process," says the network architect at the major clothing retailer. "I think there would be some level of liability, but we've not dug into that. There may be language in the contract I'm unaware of, but my focus has been on controls to prevent a breach rather than where we will point a finger." Unfortunately, finger-pointing is inevitable if credit card data gets stolen. "When a breach happens, if they see something out of whack, they will go back to the auditor, like Enron and Arthur Andersen," says Teri Quinn-Andry, product marketing manager for Cisco Security Solutions.

Then there's the problem of depending on what is, essentially, an honor system for Level 2, 3, and 4 merchants. There is no outside validation of a company's responses to the self-assessment questionnaire. "The reality is, you don't have to be compliant, if your business wants to take that risk," says the IT director of a Level 2 cruise ship operator.

"A lot with PCI is left to your interpretation," agrees Alan Stukalsky, CIO of Church's Chicken restaurant chain, also a Level 2 merchant.

So what does it all mean. I think it means a very volatile system with a lot of liability risk and uncertainty. I think it means that taking shortcuts could get both merchants that self-assess and QSAs into hot water (including hot water of the "going out of business" type for smaller merchants and QSAs). I think it means probably more comprehensive and expensive assessments when QSAs start getting hit with lawsuits.

So what can be done to smooth out the risk? More on that later from me... any thoughts from others?

Article Exploring PCI-related Risks in the Hannaford Breach

2008-03-21T09:17:00.004-06:00

Interestingly, some reporters are digging deeper to explore the implications of a PCI-compliant company suffering a payment card breach: see here.

I think we don't have all the information so we everybody is engaging in various levels of speculation. However, we do know two facts: (1) compliance with PCI was represented in Hannaford's privacy policy (last visited 3-21-2008); and (2) there was a breach exposing cardholder data. In my view, here are some of the possibilities (in no particular order of likelihood, and by no means an exclusive ilst):

(1) the qualified security assessor (QSA) (or internal assessor) may have misinterpreted or loosely interpreted a section of the PCI standard (and the reality was there were security weaknesses);

(2) the PCI compliance may have been old or outdated (e.g. they may have been PCI compliant 9 months ago, but perhaps added new systems that were not secured consistently with PCI);

(3) Hannaford may not have provided all of the information to the QSA (assuming one was used) that it needed to validate its decision (e.g. this could include mistakes in defining which parts of Hannaford's networks were in-scope/out-of-scope);

(4) Hannaford may have been 100% PCI compliant and reasonably secure in general and just got unlucky (e.g. there is no such thing as 100% perfect security). Under this scenario, Hannaford would argue that it was not negligent because it did all the right things and that unfortunately these things just happen.

(5) Hannaford and/or its QSA may have had a security weakness or questions about an ambiguity and may have had either the PCI Council, its upstream payment processor or its merchant bank give a bad interpretation.

The interesting issue will be, assuming that some sort of negligence is shown, who was/is ultimately responsible? Hannaford? The QSA? A merchant bank that accepted Hannaford's certification?

Much more to come on this one.

Update: well that was quick. The class actions come flooding in.

The Hannaford Breach and PCI Compliance

2008-03-18T14:31:00.005-06:00

More on this yet to come, but the Hannaford breach may be the perfect illustration of where false reliance on "PCI Certification" could get a company in big trouble. See my previous post on the Legal Implications of PCI here.

More to come, but long story short, the company's chief executive said the data "was illegally accessed from our computer systems during transmission of card authorization." This means the data was likely not encrypted in transit.

In this case the ambiguity appears to be in section 4.1 of the PCI Standard, which requires "Encrypt transmission of cardholder data across open, public networks" and also states "Sensitive information must be encrypted during transmission over networks that are easy and common for a hacker to intercept, modify, and divert data while in transit"

Section 4.1. provides examples where encryption is required, including, the Internet, WiFI, global systems for mobile communications and GPRS.

So the question is, does the encryption requirement include open "internal" networks of a merchant that may be "easy and common" for a hacker to intercept. Or did Hannaford get a rubber stamp of approval without actually complying with 4.1. or only partially complying with 4.1?

If all of the supposition is true, it appears that Hannaford (or its Qualified Security Assessor) interpreted 4.1 to mean that only transmission across "public" networks like the Internet required encryption of data before transmission.. and perhaps not its internal networks that may have been vulnerable...

More details here, here and here.

FACTA Class Action Certified (N.D. Illinois)

2008-03-17T09:49:00.000-06:00

All, a link to a recent case that certified a class action under FACTA based on credit card receipts with more than the last five digits and expiration date: (Meehan v. Buffalo Wild Wings Inc., N.D. Ill., No. 07 C 4562)

Interestingly this case goes against rulings in the 9th, 10th and 11th Circuits, which ruled that the "superiority" requirement of Rule 23(b) had not been met because of the potentially staggering statutory damages available under FACTA ($100 to $1000 per violation).

In this case, the court followed 7th Circuit precedent that held that classes could be certified despite staggering damage potential. In this Circuit the issue of staggering damages, however, can still be challenged as a violation of due process rights after the certification.

In short, the certification provides the plaintiffs with more leverage because the class has been established and plaintiff's attorneys will have a large economic incentive to argue all the way through the due process arguments. Companies operating in the jurisdiction of the 7th Circuit should be very careful with their credit card receipts.

Legislative Update: 2 New Plastic Card Protection Bills Pending (Alabama and Iowa)

2008-03-05T11:42:00.005-07:00

Plastic Card Protection laws continue to be proposed in state legislatures. This time its Alabama and Iowa that are jumping into the fray with bills that incorporate the Payment Card Industry (“PCI”) Data Security Standard and/or provide financial institutions with the legal right to seek reimbursement for costs associated with payment card security breaches. However, the Iowa and Alabama bill provide some new wrinkles.

Alabama SB 382. Here are some of the wrinkles in the Alabama bill:

(1) Personal Information Deletion Requirement. Requires the deletion/destruction of personal information that is “longer necessary to be retained.”

(2) PCI Tie-In – PCI Section 3.2.. The bill prohibits the storage “in either encrypted or unencrypted form, subsequent to authorization, the card security code data, the PIN verification code data, the full contents of any track of a magnetic stripe or data chip, card-validation code, or value, or any other security information in a manner that permits access to an individual financial account.” This is essentially the same duty as section 3.2 of the PCI Standard. Note this language appears to go beyond payment card security since it relates to “any other security information that permits access to an individual financial account.” This language could possibly include passwords for online banking sites, online payment sites and other access codes tied to financial accounts (beyond credit card accounts).

(3) Financial Institutions Recovery of Reasonable Costs. Like other Plastic Card Protection laws, in the event the of a violation of the law and a security breach exposing personal information, the Alabama bill provides bank with the right to reimbursement for the reasonable costs of actions taken “to protect the personal information and account information of the customer or to continue to provide financial services to the customer,” including the costs to reissue cards, open/close accounts, contacting cardholders and refunds or credits made to customers.

(4) Private Cause of Action. In a new twist the bill specifically provides a private cause of action for financial institutions against those that “are responsible for the security breach.” The financial institution may receive not only actual damages, but also incidental and consequential damages, as well as court costs and reasonable attorney fees. Significantly, this language may help financial institutions recover damage elements that would be very difficult to recover under a traditional negligence claim.

Iowa S.S.B 3183. Here are some of the wrinkles in the Iowa bill:

(1) PCI Tie-In – Entire PCI Standard. The Iowa bill requires compliance with the entire PCI Standard by any entity that accepts a payment card in connection with transactions in the ordinary course of business. However, the bill also indicates that the Iowa attorney general must adopt rules necessary to implement the bill, including identifying the payment card industry standards to be applied.

(2) PCI Certification. Financial institutions initiating an action must request a certification of compliance from the party that suffered the security breach. The certification must be made by a payment card industry approved independent auditor. It appears that an action cannot be commenced against an entity that has not been found in violation of the PCI Standard.

(3) Financial Institutions Recovery of Reasonable Costs. The bill provides for the right to recover similar damage components as those in the Alabama bill.

(4) Attorney Fees for Prevailing Party. The bill provides that the prevailing party in an action will be entitled to recover attorney fees. However, if the prevailing party is an entity that has refused to certify PCI compliance it cannot recover attorney fees.

BOTTOMLINE: the legal liability will change radically if these bills get passed (like the Minnesota and Connecticut laws, as well as the bill in Washington State that has passed one house).

The Legal Implications, Risks and Problems of the PCI Data Security Standard

2008-02-21T21:26:00.007-07:00

(**For an easier to read version of this article click HERE to download)

While starting off as “just” an information security standard, the Payment Card Industry Data Security Standard, v. 1.1 (“PCI” or “PCI Standard”) now presents serious legal challenges and risk for retailers. The PCI framework currently operates like a law without courts or regulators – there is no centralized body to resolve interpretative discrepancies in a consistent, precedental and binding manner. Moreover, in many cases PCI compliance is performed by security professionals with no attorney collaboration and little understanding of the legal risks involved. This article discusses the legal framework and implications PCI, the problems with the standard in the legal context, and actions that merchants should explore to reduce legal risk arising out of PCI.

PCI Background.

The PCI Standard is a grouping of six control objectives that a merchant, service provider or other entity subject to PCI must satisfy to secure cardholder data. The Standard has been universally adopted by the major payment card companies. However, each payment card company also has its own payment card security program (“Security Program”). The Security Programs are the definitional, procedural and enforcement rules and requirements of the payment card brands around payment card security. Examples include VISA’s Cardholder Information Security Program (VISA CISP) and MasterCard’s Site Data Protection. Security Programs dictate merchant level definitions, procedures, deadlines and documentation for validating PCI compliance, documentation requirements for security assessment, security incident response requirements and fines and penalties. So if a merchant deals with all the five major payment card brands, it must comply with not only the PCI Standard, but also each five separate Security Programs. All of this is enforced contractually.

The Legal Foundation of PCI – The PCI Contract Chain

Unlike security laws such as Gramm-Leach-Bliley, HIPAA and Sarbanes-Oxley, the PCI Standard and Security Program rules are not statutes or regulations enforced directly by the government. Rather, the PCI Standard and the Security Program rules are imposed and typically enforced contractually through the PCI Contract Chain.

At the top of the chain are the payment card companies. The payment card companies establish merchant relationships by working through “merchant” or “acquiring” banks. The contract between merchant banks and payment card companies is the first contractual relationship in the payment card industry chain. The merchant banks (or payment processors working with the merchant banks) process the payment card transactions for the payment card companies they partner with. If a merchant wants to be able to accept payment cards to transact business, it must be vetted by a merchant bank (or payment processor) and enter into a contractual relationship with that merchant bank (or payment processor). Finally, merchants sometimes enter into relationships with service providers for the processing, storage or transmittal of payment card data. As the final link in the chain, merchants and service providers will enter into contractual relationships.

This presents several legal issues:

(1) No Direct Contractual Relationship between Merchants and Payment Card Companies. The significance of the chain is that there is typically no direct contractual relationship between payment card companies and merchants. Therefore, generally speaking, merchants cannot be directly required to legally adhere to Security Programs or the PCI Standard by payment card companies. Rather, if any contractual obligations do exist they are passed through the contract that exists immediately upstream from the merchant (e.g. the contract between the merchant and merchant bank or payment processor). Nonetheless, in practical terms, payment card companies may be able force compliance by leveraging their relationships with merchants and access to payment card processing.

(2) No Direct Duty for Service Providers to Comply with PCI or Security Programs. There is typically no inherent duty for a merchant’s service providers to comply with the PCI Standard. Any duty for a service provider to comply with the PCI Standard will flow contractually from the merchant to the service provider (typically not from the payment card companies to the service provider). Therefore, unless merchants impose contractual obligations on their service providers, they may find themselves without leverage to force those service providers to become PCI compliant.

(3)A Merchant Compliance with PCI is Directly Contingent on Contractual Obligations Imposed on its Service Providers. Section 12.8 of the PCI Standard requires merchants to do the following:

If cardholder data is shared with service providers, then contractually the following is required:

12.8.1 Service providers must adhere to the PCI DSS requirements

12.8.2 Agreement that includes an acknowledgment that the service provider is responsible for the security of cardholder data the provider possesses.

If these duties are not contractually established then the merchant may not be able to establish its own compliance with PCI.

(4) Matching Upstream and Downstream Obligations and Risk. The scope of a merchant’s PCI obligations (including compliance with the PCI Standard and Security Programs) is dictated by its upstream contracts with merchant banks or service providers. Merchants must protect themselves by imposing upstream PCI contractual obligations and risks downstream to their service providers. So if a merchant agrees to pay fines and penalties for failure to comply with PCI, it should also require its service providers to pay any fines and penalties imposed on the merchant because of the service provider’s failure to comply.

The contractual nature of PCI makes it necessary for a merchant’s legal staff to understand and become involved in the PCI compliance process. Most of the issues outlined above require legal analysis, contract drafting and negotiation. Attorneys should develop strategies for limiting liability from upstream contracts, and passing liability downstream to service providers.

One area of special difficulty is existing service provider relationships. If a merchant faces fines or the loss of processing capability because its existing service providers are not PCI compliant, it could be difficult to re-open negotiations and force service providers to invest the time and resources to become PCI compliant. As such, before fines and threats start coming in, a merchant’s legal staff should be devising a strategy for addressing PCI contractually with existing service providers (as well as new providers). While these contractual issues are challenging, the transformation of PCI into a legal standard of care can pose even greater difficulties for an organization.

PCI as a Legal Standard of Care

The PCI Standard is transforming into the legal standard of care for merchants handling payment card data. As a result, merchants may find themselves liable to financial institutions and/or consumers if they fail to adhere strictly to the PCI Standard. Unfortunately, PCI compliance is often viewed purely as a security exercise without high (or any) involvement from a merchant’s legal team. As PCI increasingly becomes a legal standard, attorney participation (including the use of attorney-client privilege) is a necessity in order to decrease liability risk. This section discusses how PCI is evolving into a legal standard, including: (1) under the common law in support of a “negligence” claim; and (2) explicitly in recently proposed and passed State legislation.

PCI as the Standard of Care for a Negligent Security Suit

Negligence is a legal theory of recovery that exists in “common law” – negligence claims do not involve laws passed by legislators or regulators. To prevail in a negligence suit, a plaintiff must establish the following: (1) a duty to use ordinary care; (2) breach of that duty; (3) a proximate causal connection between the negligent conduct and the resulting injury and (4) resulting damage. Negligence is a theory used to support liability actions as simple as slip-and-fall lawsuits to complex environmental disaster lawsuits.

In the PCI context, plaintiffs can allege negligence by arguing that a merchant handling payment card data has a duty to protect such data, and the failure to comply with the PCI Standard represents a breach of “ordinary care” if the merchant suffers a security breach. However, even if a breached duty can be established, plaintiffs still must prove that a security breach suffered by a merchant caused them damages. As discussed further below, while it has been difficult for consumer and financial institution plaintiffs to establish damages, recently passed and future legislation may make it easier for financial institutions to recover from merchants.

The use of the PCI Standard to support a negligence claim was recently demonstrated in the TJX matter. In that case several banks sued TJX for the costs to reissue credit cards (amongst others) in the wake of a massive security breach suffered by TJX involving millions of card numbers. To support their allegations of negligent security, the banks retained an expert to critique TJX’s security posture. That expert relied on TJX’s own PCI audit reports (performed by security firms hired by TJX) to argue that PCI breached its duty of ordinary care to protect payment card data. A copy of that expert opinion can be found by clicking here. The bank’s expert noted that TXJ’s auditors concluded that TJX satisfied only 3 of the 12 sections of PCI. In addition, the expert opinion noted specific security failures tied to the TJX breach that can also be traced back to PCI requirements. For example, TJX allegedly stored “Track 2” data which can be used to recreate the magnetic strip of a payment card, which would be a violation of section 3.2. of the PCI Standard. The end result was a $41 million settlement and tens of millions in legal fees and other costs.

It is uncertain to what extent TJX’s legal team was involved in the post-breach response, whether TJX took steps to try to shield its auditor’s actions with attorney-client privilege, and if so, whether it asserted that privilege in court. Nonetheless, it is clear that conducting a PCI audit and taking steps to comply with PCI has significant legal repercussions -- any adverse finding of non-compliance that is not shielded by attorney-client or attorney work product privilege can be used by plaintiffs against a merchant. These admissions of non-compliance can result in merchant liability, especially when used in conjunction with a new species of laws that requires adherence to PCI.

Plastic Card Protection Laws – PCI Incorporated Into New State Laws

Even more troubling for merchants of all sizes, are new proposed bills, and at least two passed laws, that provide banks with a right to obtain reimbursement from merchants that suffer a security breach exposing payment card data. In essence, these bills allow banks to get around proving the “damages” element of a negligence claim, and arguably provide for “strict liability” in the event a merchant suffers a payment card security breach. Prior to such laws, financial institutions lost some high profile lawsuits, in part, because of an inability to prove damages (see for example the B.J. Wholesalers’ lawsuit: B.J. Wholesaler Summary Judgment Ruling and PSECU Motion to Dismiss).

Some of these Plastic Card Protection bills/laws directly incorporate PCI as the requisite security standard for payment card data.

Several States have proposed bills allowing banks to seek reimbursement for security breaches, including Massachusetts, Illinois, Connecticut, Texas, Minnesota, California, Michigan, Alabama, Iowa and Washington. While many of these bills are in limbo or may not pass, they demonstrate a willingness on the part of lawmakers to seriously consider relief for banks and incorporate PCI into law (TX, CA, MI, MN, IA and AL all tie PCI compliance to their bills).

In fact, Minnesota has actually passed laws providing banks with a right to seek reimbursement after a merchant suffers a breach. This law represents a paradigm shift in terms of merchant liability and compliance. The multiplier effect of damages for a payment card security breach (e.g. $20-50 allegedly per card multiplied by thousands or tens of thousands of exposed payment card numbers) has the potential to literally wipe out small and medium organizations, and severely damage even large companies. These costs were previously unrecoverable (or at least very difficult to recover) because of the pre-emptive nature of reissuing cards to avoid potential future fraud.

Minnesota’s Plastic Card Protection Act (“Act”) incorporates, in part, the requirements of Section 3.2 of the PCI Standard. To comply with the Act, companies accepting payment cards must destroy or delete sensitive authentication data (including the same “Track 2” data that TJX allegedly stored) within 48 hours of authorizing a transaction with such data (the “48-hour rule”). If a merchant violates the 48-hour rule and suffers a breach exposing payment card data, banks can recover reasonable costs associated with addressing that breach (including the costs of reissuing new payment cards, opening and closing accounts, etc.). This Act also applies to entities using service providers that store, process or transmit payment card data – a merchant that provides sensitive authentication data to a service provider will be in violation of the Act if its service provider does not comply with the 48-hour rule. The reach of the Act is potentially nationwide – merchants only need to be “doing business” in Minnesota for it to apply – the Act is not limited to the exposure of payment card data of Minnesota residents. “Doing business” in the legal context could be as simple as having a commercial website accessible in Minnesota.

Section 3.2 of PCI, in fact, prohibits the storage of sensitive authentication data for any period of time. So, if an organization is strictly in compliance with section 3.2 of PCI, it should also not be in violation of the 48-hour rule. Significantly, some of the other bills incorporating PCI incorporate multiple sections of PCI, and in the case of Washington State and Texas, the entire PCI Standard.

While these Plastic Card Protection laws do provide a direct path to liability, what is the problem for companies that consider themselves PCI compliant? As discussed further below, even for PCI compliant merchants, there are several problems that arise out of the PCI standard and framework, and the use of a private security standard as a public legal standard to be ruled on by judges and juries.

The next section explains the problems with PCI as a legal standard both in terms of its administration by the PCI Council and payment card companies, as well as the risk of handling PCI as solely a security matter.

PCI: A Law Without A Judge or Jury

The overarching problem with PCI is that it is a security standard that is becoming a law. Unfortunately, the PCI Standard was not necessarily drafted like law; nor is it interpreted like a law. Rather it is interpreted by non-lawyer security professionals solely as a security standard – either qualified security assessors (QSAs) or a merchant’s internal security team (in the case where a self-assessment is appropriate). There often may be no awareness as how security interpretations will be viewed by a court of law, and little to no lawyer involvement. In addition, unlike laws passed by lawmakers, there is no mechanism for resolving ambiguities or exceptions to the PCI Standard. No body similar to a court or regulator exists in the PCI context to create precedent or provide official guidance that can be relied upon by the merchant community to make compliance decisions.

PCI Ambiguity

During the September 2007 PCI Council Meeting in Toronto it was revealed that there had been hundreds of questions submitted concerning the interpretative uncertainty arising out of the PCI Standard. Unfortunately, as PCI becomes a legal standard, the ambiguities inherent in the PCI Standard could lead to legal liability. The problem is compounded because there is no official body within the PCI framework to resolve those ambiguities and provide merchants with guidance on how to comply with PCI.

A good example is section 12.8 of the PCI Standard, which reads:

If cardholder data is shared with service providers, then contractually the following is required:

12.8.1 Service providers must adhere to the PCI DSS requirements

12.8.2 Agreement that includes an acknowledgment that the service provider is responsible for the security of cardholder data the provider possesses.

Although section 12.8 seems fairly straightforward, according to some QSAs and merchants this language is subject to various interpretations. The following represent the range of interpretations that may apply:

(1) Narrow interpretation: contract language indicates that service provider must adhere to the PCI Standard, which means that the minute the contract is effective the service provider must be PCI-compliant and the merchant should confirm such compliance;

(2) Middle-ground interpretation: contract language indicates that service provider agrees that it must adhere to the PCI Standard, which means that the minute the contract is effective the service provider must be PCI-compliant, but the merchant does not need to confirm such compliance, but rather can trust the service provider’s representation that it is compliant; and

(3) Loose interpretation: contract language indicates that the service provider agrees that it must adhere to the PCI Standard, but the merchant has discovered that the service provider has some controls that need to be implemented to achieve full PCI compliance and imposes a deadline after the effective date of the contract to achieve such compliance in the future. Under this interpretation, the QSA would be effectively interpreting a merchant to be in compliance with 12.8.1 as long as the service provider contractually promises to adhere to the PCI Standard during the contract term by a certain reasonable date, even if not compliant at the inception of the contract. Stated differently, it is the “magic words” in the contract that matter not whether the service provider is actually PCI compliant.

It appears that the middle-ground interpretation meets the literal requirements of the PCI Standard. However, if this was presented in a court of law, a plaintiff would argue for the narrow interpretation (e.g. is it reasonable or within the spirit of PCI to simply rely on a vendor’s promises without confirming actual compliance). Herein lies the problem: unless a merchant adheres to the strictest interpretation of the various sections of PCI, plaintiffs will always have arguments (and therefore leverage in a lawsuit) that the merchant was not in compliance with PCI. Remember, these lawsuits arise because the merchant has already suffered a security breach that will likely put the merchant in a negative light in front of a judge or jury. If the breach is at all related to the failure to comply with a section of PCI (and in many cases even if its not) the merchant will have a difficult time in court.

No Centralized or Official Binding Precedent Setting Body

Unlike laws, which have courts and regulators to render opinions and issue interpretative guidance that is binding and can be relied upon for planning purposes, the current system for PCI is ad hoc, decentralized and inconsistent. It has no mechanism for rendering “binding” decisions on interpretive differences.

The following personal anecdote underscores this problem. Interpretative issues also arise under Section 12.8 with respect to new versus existing service provider relationships. For example, despite the indication that contractual language must be in place, at least one QSA has that it will pass a merchant on section 12.8 if the merchant gets a letter from its non-PCI compliant service provider indicating that the service provider intends to comply with PCI some time in the future. The QSA that asserted this position informed me that this approach had been approved by the PCI Council and/or payment card brands in some sort of writing. I attempted to get that writing from the QSA as well as a sample of a proper letter so I could advise my clients on this short-cut, but the QSA could not produce the document.

Therefore I attempted to communicate directly with the PCI Council on this issue. The PCI Council refused to answer my questions and confirm the short-cut despite the fact that this issue dealt directly with the PCI Standard (and not a payment card brand Security Program). Instead, the PCI Council told me I had to get an answer from each of the payment card companies. I followed through by sending the question to each of the five major payment card companies. Three companies simply did not reply (JCB, Discover and MasterCard). American Express replied, but indicated that it was not in a position to make that determination and that it was up to each merchant’s QSA to make the decision. A representative from VISA, however, provided a partial answer to my question:

In general, the Service Provider's legal counsel may provide the assessor documentation/letter that 12.8 requirement is being addressed in existing (or future) contracts despite not having the exact 12.8 language. The main goal is to stipulate the accountability for keeping the cardholder data secure and responsibility in any compromise event.

I asked for some further clarification on this answer, but there was no response to my follow-up e-mail.

There are several problems with this approach now that PCI has effectively become the law. First, its clear that there is no centralized decision-making body to render decisions on PCI ambiguities. The PCI Council passed the buck to the payment card brands, and AMEX passed the buck to the QSAs. There are hundreds of QSAs, so potentially hundreds of different interpretations. Moreover, each payment card company may have a different view of how to interpret 12.8. This does not take into account payment processors and merchant banks that are also known to take their own positions on PCI.

While VISA did provide an answer, it would likely not be binding upon any of the other card brands. In fact, since VISA’s comment is outside of a contractual setting it may not even be binding against VISA itself (e.g. there is no direct contractual relationship between VISA and the merchant).

Moreover, its typically consumers, payment card processors, issuing banks and merchant banks that would sue or fine a merchant because of a security breach. How would an email from VISA be binding on those organizations?

As PCI is becoming the law a system without a centralized decision-making body to resolve interpretative differences poses significant liability risks. Under a legal system, courts resolve interpretative differences in lawsuits or regulators provide interpretative guidance (see e.g. the HHS and HIPAA and the FTC and GLB). While that system is imperfect for several reasons, at least at the end of the day legally binding precedent is created. Organizations can rely on the court’s opinion or regulators’ guidance to make their own decisions on various interpretations with some certainty that those decisions will be legally binding. Those decisions and guidance are available for the entire world to read and they end up creating consistency across the business community in general.

Unfortunately, the PCI system is extremely decentralized and uncertainty abounds. The PCI Council reportedly may begin addressing this issue by issuing a series of “FAQs” to address interpretive issues. However, even with FAQs, the legally binding effect is uncertain. Are FAQs rendered by the PCI Council binding on merchant banks and payment processors that have contracts with merchants?

The PCI Council should consider establishing an official centralized body that renders interpretative decrees that become part of the PCI Standard itself and that are binding on all of the participants in the PCI contract chain. In addition, merchants should take steps to have their attorneys deeply involved in PCI compliance efforts to reduce the risk of liability – the Standard needs to be viewed as a law, not merely a security standard.

Security Analysis versus Legal Analysis

The reality right now is that non-lawyer QSAs are making the essential decisions on PCI compliance for merchants. However, their interpretations of PCI are made through a security prism, not a legal prism. Moreover, some QSAs may accept looser interpretations of the PCI Standard because of economic incentives (e.g. preservation of client relationships) or pressure from their merchant clients to “pass” them.. While looser interpretations may be fine in the security world in some areas, some of those interpretations may be ripped apart when scrutinized by a plaintiff’s attorney and/or judge or regulator.

From a legal standpoint, merchants should assume that the narrowest interpretation of the PCI standard will be used against them in a court of law. Plaintiff’s attorneys will present expert witnesses who will testify in favor of the narrow and literal interpretations of PCI, and those experts will have the actual wording of the PCI Standard to back them up. In addition, those experts will use any and all adverse security assessment findings, including those made by the merchant’s own auditors, against them. If PCI is not approached through a legal prism (in addition to a security prism) the liability risk increases. Attorneys should be used to attempt to shield adverse assessment opinions as well as to scrutinize the security team or QSA’s interpretation of the PCI Standard. Attorneys should also be used to assist in the development of written policies and procedures, as well as documenting compliance with the PCI standard where appropriate. As the legal risks continue to grow, relying solely on security professionals for PCI compliance will not be an option.

Action Items for Merchants

As the PCI Standard increasingly becomes the law, merchants need to adjust their practices and develop a more legally-oriented approach to PCI compliance. On the security side merchants should consider the following:

(1) Choose QSA’s wisely. Right now QSAs are the interpretative bodies of PCI. If a merchant uses a “fly-by-night” QSA it may be opening itself to risk. Merchants should use QSAs that are not afraid to give the merchant “bad news” and that understand how their interpretations may be viewed in a court of law.

(2) Insurance. Make sure that your QSAs are fully insured for their errors and omissions, and try to get named as an additional insured on their policies if possible. In addition, the merchant should check its own policies to determine whether it is covered if one of its service providers suffers a breach or if the merchant is required to pay a fine or penalty for non-compliance with PCI.

(3) Not a Rubber Stamp. Despite potential pressures to become PCI compliant quickly and at the least cost, merchants should not view their QSAs as “rubber stamps” of PCI compliance. QSAs, like all professional service providers, enjoy happy clients and will work hard to please their clients. However, if this causes them to take short cuts or apply loose interpretations, it could come back to haunt the merchant in the long run.

(4) Develop Relationships with General Counsel. The merchant’s security team needs to engage the general counsel (or other members of the merchant’s legal team). Many attorneys are intimidated by technology and security issues and may not be aware of the legal issues surrounding PCI compliance. Internal security professionals need to act as the expert advisors to the merchant’s legal team and work together to translate security practices into legally compliant practices.

(5) Narrow Interpretations. To reduce risk of liability, security professionals should err on the side of interpreting the PCI Standard literally and narrowly. Of course this may conflict with other goals such as keeping expenses down and avoiding business disruptions. The security team should work with the merchant’s business decision-makers and risk managers to achieve a balance that reflects the organization’s risk tolerance.

The merchant’s legal team also needs to get involved in the PCI compliance process, including:

(1) Reaching Out to the Merchant’s Security Team. Security professionals are often intimidated or uncertain about the law. Security professionals are not lawyers, and they need information to understand how the legal system scrutinizes and judges their activities and decision-making process. The merchant’s legal team needs to translate legal and compliance concerns into terms that allow the merchant’s security team to implement legally compliant security controls.

(2) Use Attorney-Client Privilege. Any adverse PCI compliance finding or assessment can and will be used against a merchant in court. Moreover, drafts of security and privacy policies, and documents (e.g. emails) surrounding the creation of such policies and practices, can be used against an organization in court. Some of the activities and documents of a merchant’s internal and external security team may be shielded using attorney-client privilege or attorney work product privilege. While such privileges are not foolproof by any means, taking steps to preserve the privilege may at least pose an obstacle in litigation. Attorneys need to get involved early on in the compliance process to make this work.

(3) Analyze Upstream and Downstream PCI-Related Contracts. Much of the legal risk associated with PCI is contractual. Merchants cannot know their risk unless they know their contractual obligations and rights. Attorneys need to understand upstream contractual risk, and use their contracts to pass it on to service providers downstream.

(4) Draft Strong Service Provider Contracts. Attorneys should draft strong service provider contracts that require compliance not only with the PCI Standard itself, but also the specific Security Programs of each payment card company program that is applicable. These contracts should address section 12.8 of PCI, as well as providing assessment and audit rights, breach notice and remediation obligations, indemnification clauses and insurance clauses

(5) Develop a Service Provider Strategy. Service providers are likely to resist the imposition of additional PCI duties. A merchant’s legal team should have contract language and a negotiation strategy developed ahead of time. The strategy should address both new service provider relationships and existing service provider relationships. For existing relationships, the merchant may be highly dependent on its service provider and may lack leverage to re-open contract negotiations. Nonetheless, an approach should be developed to persuade existing service providers to become PCI-complaint before the merchant is fined or receives threats to have its payment card processing privileges revoked because of the service provider’s non-compliance.

(6) Strict Compliance – Upstream Waiver. If strict compliance with PCI is not possible, try to get a written waiver from the merchant’s upstream contractor (e.g. payment processor merchant bank). The best case scenario is to get a formal amendment to the upstream contract reflecting the waiver. While this may not fully protect the merchant from third party suits, it may be helpful in contract disputes with the upstream contractor.

Conclusion

As the legal ramifications of PCI continue to develop and increase, PCI compliance will become an increasingly risky endeavor for merchants. Unfortunately, because the system is run privately by the payment card companies and does not have a centralized body to provide binding guidance and rulings, the system may pose more risk than a traditional governmental regulatory scheme. Regardless, now is the time for merchants to begin engaging their legal teams to address PCI compliance, and opening the lines of communication between the lawyers and security pros. It is also the time to start pressuring the PCI Council and payment card brands to develop a centralized body to provide publicly available and binding guidance and decisions resolving ambiguities within PCI. If these actions are not taken, the PCI Standard could present significant liability challenges for the retail community.

New Bills Concerning Encryption and Retail Liability

2008-01-28T16:20:00.000-07:00

The New Year is bringing renewed attempts to legislate data security. Michigan and Washington both have bills pending that would make retailers liable for payment card data security breaches (Michigan bill – Washington bill). The Washington bill explicitly requires compliance with the Payment Card Industry Data Security Standard to avoid liability.

Both States also have bills that require encryption of personal data (Michigan bill – Washington bill). Both bills require encryption of stored personal data consistent with generally accepted industry standards (undefined). The Michigan bill sets forth criminal penalties for non-compliance, including imprisonment for up to 30 days and a fine of up to $1,000, or both.

New Jersey Security Requirements (including encryption of personal information)

2008-01-09T10:37:00.001-07:00

A proposed New Jersey regulation that may be come law in 2008. It has very specific requirements around encryption of personal information at rest and in transit. In particular, if these rules pass organizations would be required to encrypt according to the Federal Information Processing Standard (FIPS) recommended standard, which is the Advanced Encryption Standard (AES) 128-bit to 256-bit. This law also has 20 other fairly specific security requirements.

How will these specific requirements related to other State, Federal, International security requirements? Do the specifics in this regulation harken a movement away from a "technology neutral" approach to information security regulation?

Blogged with Flock

Sears Privacy/Security Double Whammy.

2008-01-08T09:34:00.000-07:00

After the resolution of some aspects of the TJX matter in 2007, it looks like another huge retailer has stepped on the privacy/security porcupine for 2008.

Privacy: Sears is suffering some bad press for allegedly placing "spyware" on its customer's computers that allows Sears (and Kmart) to track their Internet usage, including websites visited, searches engaged in and the headings of emails (click here for story)

Security: In addition, Sears has been sued in a $5 million class action for an alleged security breach related to its managemyhome.com website. Apparently, the website allowed any user to type in a customer's name, addresss and phone number (or some combination thereof) and get a complete history of that customer's purchasing history at Sears (click here for story)

So, question to my readers, in the ever-increasing world of e-commerce, how much tracking of customer behavior/Internet usage is too much? And when should it be permissible (if ever) to engage in the type of activity Sears was engaged in?

P.S. Copy of the complaint can be found here.

Stollenwerk v. Tri-West Health – Rise of the Phoenix?

2008-01-04T10:42:00.001-07:00

Ninth Circuit Partially Reverses Motion for Summary Judgment on Issue of Damages in Data Breach Case

One of the biggest obstacles for consumer plaintiffs in personal data breach lawsuits has been establishing the “damages” element for a negligence claim. Several courts have dismissed such suits ruling that plaintiffs could not provide sufficient evidence that they suffered an injury as the result of a data breach. Ironically one of landmark cases against establishing damages, Stollenwerk v. Tri-West Health Care Alliance (D. Ariz. 2005), may give plaintiffs’ attorneys some additional ammunition. The United States Court of Appeals for the Ninth Circuit (“Appellate Court”) recently ruled on the Stollenwerk appeal and provided the plaintiffs with a partial victory on the issue of proving damages that could clarify the liability landscape for data breach lawsuits (see Stollenwerk v. Tri-West Health Care Alliance (9^th Cir. November 20, 2007). The ruling may allow more data breach suits involving victims of actual identity theft to get in front of a jury and achieve more favorable settlements.

Stollenwerk Background & District Court’s Ruling

In December 2002, Tri-West Healthcare Alliance (“Tri-West”), a contractor managing a large government health insurance program, suffered a burglary that resulted in the theft of computer hard drives containing the personal information of the program’s members (mainly military personnel). Three individuals brought a class action lawsuit against Tri-West in the U.S. District Court of Arizona (“District Court”) alleging numerous claims, including common law negligence. One of the plaintiffs (William Brandt – hereinafter “ID Theft Plaintiff”) alleged that unknown individuals used his personal information after the burglary to open (or attempt to open) unauthorized credit accounts in his name (e.g. identity theft). The two other plaintiffs (Michael Stollenwerk and Andrea DeGatica – hereinafter “Credit Monitoring Plaintiffs”), while not alleging they suffered identity theft, alleged that they needed to purchase credit monitoring services and identity theft insurance to prevent potential future identity theft.

In its September 2005 opinion, the District Court dismissed all of the plaintiffs’ claims on the grounds that they could not establish that they suffered any injury as a result of the Tri-West data breach. The Credit Monitoring Plaintiffs attempted to analogize financial credit monitoring expenses to medical monitoring expenses in “toxic tort” cases (e.g. asbestos lawsuits where otherwise healthy individuals exposed to asbestos paid doctors to monitor their health prior to any adverse affects manifesting). The District Court indicated that enhanced risk of future injury is generally insufficient to establish a negligence claim, but in the case of toxic tort lawsuits an exception was justified because of the importance of preserving public health. In addition, since the plaintiffs could not establish that the target of the burglary was their personal information (as opposed to the physical hard drives themselves), the court ruled that the Credit Monitoring Plaintiffs failed to provide evidence that such information was significantly exposed or that plaintiffs were at significantly increased risk of suffering identity fraud.

The District Court also dismissed the negligence claim of the ID Theft Plaintiff. Although the plaintiff suffered identity theft on several occasions six weeks after the burglary, the Court held that the circumstantial timing of the burglary and identity theft was insufficient evidence that the burglary was the cause of such theft.

The Appellate Court’s Decision

In November 2007, the Appellate Court reversed the District Court’s decision concerning the ID Theft Plaintiff, but upheld the lower court’s ruling on the Credit Monitoring Plaintiffs.

The Credit Monitoring Plaintiffs

With respect to the Credit Monitoring Plaintiffs, the 9^th Circuit agreed that the analogy to toxic tort cases was not justified because credit monitoring does not directly involve health and human safety. However, the court did not reject the analogy entirely, noting that:

“In both circumstances the individual may manifest more obvious injury, such as identity fraud or disease, after some period of time, and in neither instance is the later manifestation of patent injury guaranteed, although the certainty with which such a development may be anticipated may be greater for toxic torts.”

The Appellate Court also noted that under the facts of this case, even if the toxic tort analogy were apt, the Credit Monitoring Plaintiffs had not established the requisite elements to support their claim, including: (1) significant exposure of sensitive personal information; (2) a significantly increased risk of identity fraud as a result of that exposure; and (3) the necessity and effectiveness of credit monitoring in detecting, treating, and/or preventing identity fraud. The Court held that the plaintiffs did not provide sufficient evidence that their personal data was targeted or accessed. Moreover, the Court indicated that the plaintiffs’ expert failed to objectively quantify the reduction of risk that would result from credit monitoring.

The ID Theft Plaintiff

The Appellate Court’s opinion was much more forgiving for the ID Theft Plaintiff. In this case, the ID Theft Plaintiff allegedly was the victim of identity theft on six occasions after the burglary of Tri-West’s hard drives. The Court did not make a distinction between “attempts” to open accounts and successful account openings – the Court appeared to conclude that both constituted identity theft. Significantly, the Court’s opinion appears to simply accept that “identity theft” constitutes an injury, and instead focused on whether the ID Theft Plaintiff established that the burglary was the proximate cause of the identity theft.

On the issue of causation, to survive a motion for summary judgment, the plaintiff needed provide evidence from which a reasonable jury could conclude that ID Theft Plaintiff’s injuries were the result of the burglary rather than other causes. Direct or circumstantial evidence is permitted, but this plaintiff was only able to offer circumstantial evidence, including:

(1) Possession: the ID Theft Plaintiff provided Tri-West with his information; (2) Type of Information: the personal information stored on the Tri-West hard drives is the type of information that can be used to open credit card accounts;

(3) Timing -- Identity Theft Incidents: the six alleged identity theft incidents all occurred after burglary, and the first began about six weeks after the burglary (the last happened about 3 – 4 months after the burglary);

(4) Timing – Prior Incidents: the plaintiff had never suffered identity theft prior to the burglary (despite having his wallet stolen five years earlier); and

(5) Limited Opportunities for Other Causes: the plaintiff testified that he had never transmitted his personal information over the Internet and that he shreds all mail in the form of credit card applications, approvals and pre-approvals.

The 9^th Circuit ruled that this circumstantial evidence on the issue of causation was sufficient for purposes of summary judgment and reversed the District Court’s grant of summary judgment to the Defendants.

Conclusion

The Stollenwerk decision is largely a mixed bag for both plaintiffs and defendants. The 9^th Circuit’s decision is good for defendants because it largely validates that the purchase of credit monitoring services or insurance to decrease the likelihood of potential future identity theft is not sufficient to establish damages for purposes of a negligence lawsuit. This ruling most likely decreases the risk of successful class action lawsuits involving massive numbers of plaintiffs whose personal information is exposed in a data breach. However, because its decision was based mainly on public policy grounds, and because it noted some similarities between toxic tort injuries and data breach injuries, the Court appeared to leave the door open a little for plaintiffs to make the toxic tort analogy in other jurisdictions.

The Court’s ruling was favorable for plaintiffs that actually suffer identity theft after a data breach situation. The Court was lenient in its acceptance of purely circumstantial evidence -- most of the evidence provided was very loosely tied to the actual burglary. As a result of this ruling, plaintiffs that were the victims of identity theft will have a better chance to get their case in front of a jury in the 9^th On the flip side, since it appears that most data breaches never actually result in identity theft (see GAO Report (June 2007)), plaintiffs’ lawyers may find it difficult to establish large classes that make these suits financially attractive to pursue. In all, this decision and other cases dismissing breach data cases seem to indicate that successful and severe consumer litigation (e.g. large successful class action suits) is still elusive for the plaintiffs’ bar Circuit, which increases both the likelihood of success in litigation and the leverage plaintiffs will have to force a settlement.

TJX -- Banks' Motion for Class Certification Denied

2007-12-04T11:39:00.001-07:00

This is the court's decision denying class certification by the banks suing TJX. Have not fully read through it, but interestingly it appears that the nature of the negligent misrepresentation claim (e.g. the reliance requirement) is one of the reasons that class cert. was ruled inappropriate.

TJX Denial of Motion for Class Certification

TJX -- Banks File Expert Opinion

2007-11-05T10:04:00.000-07:00

This is a very interesting read. The banks suing TJX retained an expert (former security guru for MasterCard) to opine on TJX's failure to follow security standards. In particular, PCI. You can find the expert opinion that was filed with the court here: Bank Expert Opinion

A few interesting points:

(1) PCI is being set up as the legal standard of due care. It does not appear that compliance was very close in this one, but for cases on the fringe, we are going to have courts deciding what compliance with PCI means; and

(2) the expert used reports generated by TJX's own security auditors against TJX.

On number (2), I always advise my clients to attempt to get their audits under the umbrella of attorney-client privilege (or work product). Basically, retain the security assessor as an expert to assist with legal/regulatory compliance review. This it at least gives an argument of attorney-client privilege and may allow companies like TJX to keep these extremely damaging reports out of evidence (although admittedly the privilege is often leaky). Not sure if that was done in the TJX matter (if it was, does anybody know how they lost the privilege?)

TJX Motion to Dismiss Bank's Claims

2007-11-02T10:12:00.000-06:00

I came across this ruling in the TJX matter that dismisses some of the banks' claims against TJX: Link

Consistent with past decisions (B.J. Wholesalers) it looks like issuing banks cannot rely on a 3rd party beneficiary theory to go after merchants for breach of contract. Also appears that the economic loss doctrine is still an effective block to general negligence actions.

However, the negligent misrepresentation claim and unfair/deceptive business act claims both survived. The negligent misrepresentation argument was very interesting. Basically, it appears that the issuing banks alleged that by participating in an a financial network that relies on members taking appropriate security measures, TJX made "implied representations" that they would take security measures required by industry practice. The court let these allegations stand, indicating that the economic loss doctrine does not apply to a negligent misrepresentation claim in Massachusetts. In addition the court ruled that the banks' reliance on such implied representations is a question of fact inappropriate for resolution at the motion to dismiss phase. These allegations also serve as the basis for the Banks' unfair and deceptive business practices claims under Chapter 93 of Massachusetts' law.

While the survival of these claims is certainly good news for the banks, TJX may still be able to stop this case from going to trial using a motion for summary judgment further down the line. It will be interesting to see if the Banks can successfully argue that the costs of preemptively reissuing credit cards constitutes "damages" for purposes of negligent misrepresentation.

2007-10-03T10:32:00.000-06:00

FACTA Privacy Lawsuit Developments – Companies Sued for Online Credit Card Receipts

This month’s newsletter follows up on some developments in the FACTA credit card receipt class action suits that InfoSecCompliance LLC (“ISC”) explored in its April and June 2007 newsletters (What You Don’t Know Just Might Hurt You. – April 2007 ; FACTA Privacy Class Action Lawsuit Developments – Bad News and Good News for Merchants). Recently plaintiffs have filed lawsuits against companies displaying credit card receipts on the consumer’s computer screen (not printed on a paper receipt), and at least one court has denied a merchant’s motion to dismiss a case based on online credit card receipts. In other words, the FACTA credit card receipt prohibitions may not be limited to paper receipts.

FACTA Summary

As discussed previously by ISC, a rash of over 100 class action lawsuits have been filed alleging violation of the Fair and Accurate Transaction Act of 2003 (“FACTA”), which limits the information that can be shown on an electronically-printed credit card receipt to the last five digits of the credit card number, and prohibits printing a credit card’s expiration date on the receipt. FACTA specifically provides:

Except as otherwise provided in this subsection, no person that accepts credit cards or debit cards for the transaction of business shall print more than the last 5 digits of the card number or the expiration date upon any receipt provided to the cardholder at the point of the sale or transaction.

* * *

(2) LIMITATION.—This subsection shall apply only to receipts that are electronically printed, and shall not apply to transactions in which the sole means of recording a credit card or debit card account number is by handwriting or by an imprint or copy of the card.

15 U.S.C. 1681c(g) (emphasis supplied). A single willful violation of FACTA could result in damages ranging from $100 to $1,000 without the plaintiff having to establish that he or she suffered actual harm. Class plaintiffs are alleging hundreds of millions of dollars in statutory damages against such household names as Urban Outfitters, IKEA, Cost Plus and Toys-R-Us.

Recent Suits Filed Against Online Companies

In a complaint filed August 8, 2007 in the U.S. District Court for the Southern District of Florida, plaintiffs alleged that after they purchased iPods and other electronic equipment from Apple Computer Inc. online, the company provided receipts that included the full credit or debit card number used to make the purchase (Maria v. Apple Computer Inc., S.D. Fla., 1:07-cv-22040-AJ, complaint filed 8/8/07).

In addition, in a complaint filed in the U.S. District Court for the Southern District of Illinois, plaintiffs alleged they received receipts with their full payment card number information after they paid for hotel reservations and services online through a subsidiary of Expedia Inc. (Sutton v. Expedia Inc., S.D. Ill., No. 3:07-cv-00547-GPM-DGW, complaint filed 7/31/07).

These lawsuits may have been initiated because of a recent ruling against Stubhub Inc. in a FACTA lawsuit.

Stubhub Ruling: On-Screen Credit Card Receipt Qualifies as “Printed”

Stubhub, Inc., an online ticket broker, was sued for a violation of FACTA based on an electronically generated credit card receipt, and the plaintiff in that case survived a motion to dismiss the case. In July 2007, the U.S. District Court for the Central District of California ruled that a credit card expiration date appearing on an electronically generated receipt qualifies as “printed” for purposes of FACTA (Vasquez-Torres v. Stubhub Inc., C.D. Cal., No. CV 07-1328, motion to dismiss denied 7/2/07).

Since the term “print” was not defined in FACTA, Stubhub and the court looked to common dictionary usage for guidance on the definition. Stubhub cited Webster's Third New International Dictionary, which defines "print" in part as "to make an impression in or upon." The court held that even under Stubhub’s definition, Stubhub had “made an impression upon” a computer screen when it displayed the credit card expiration date. The court also cited Merriam-Webster's Collegiate Dictionary (10th ed. 2002, p. 924), which defined "print" as "to display on a surface (as a computer screen) for viewing."

In addition, the court held that its ruling was consistent with the purposes of FACTA: to prevent identity theft in all its forms. The court reasoned that a narrow interpretation limited to paper-printed records did not comport with the broad goals of FACTA in combating identity theft. The court stated that if Congress intended to exclude receipts printed on a computer screen, it could have explicitly done so as it did for the exclusion of “transactions in which the sole means of recording a credit card or debit card account number is by handwriting or by an imprint or copy of the card.”

Conclusion

While some of the recent rulings on class certification may have slowed down the FACTA lawsuits for plaintiffs, the potential for lawsuits with respect to online credit card receipts poses considerable challenges to organizations. Just getting sued and having to incur substantial fees to defend the suit could be an expensive and distracting proposition. Companies, working with attorneys and IT professionals, should conduct an inventory of their online consumer systems to determine whether any of their websites or portals displays credit card confirmations or receipts with expiration dates or credit card numbers in excess of the last five digits. If such information is displayed, organizations should seek to technologically disable that display. In addition, service providers (e.g. ecommerce payment processors, hosters, application service providers) that may be working with companies displaying credit card information using the service provider’s systems, should consider informing their customers of FACTA and adding contract terms to protect themselves from FACTA liability.

FACTA Privacy Class Action Lawsuit Developments – Bad News and Good News for Merchants

2007-07-25T15:00:00.001-06:00

This month’s post follows up on some developments in the FACTA credit card receipt class action suits that InfoSecCompliance explored in April 2007 newsletter (What You Don’t Know Just Might Hurt You. – April 2007). In bad news for merchants defending these FACTA suits, the U.S. Supreme Court (“USSC”) upheld a broad interpretation of “willful violation” of FACTA. However, in good news for merchants, citing potential bankruptcy-inducing damages ranging from $340 million to $3.4 billion, a U.S. District Court in California refused to certify a 3.4 million person class alleging FACTA violations.

FACTA Summary

As discussed in April, a rash of over 100 class action lawsuits have been filed alleging violation of the Fair and Accurate Transaction Act of 2003 (“FACTA”), which limits the information that can be shown on an electronically-printed credit card receipt to the last five digits of the credit card number, and specifically prohibits printing a credit card’s expiration date on the receipt. A single willful violation of FACTA could result in damages ranging from $100 to $1,000 (FACTA is incorporated into and part of the Fair Credit Reporting Act [“FCRA”]), without the plaintiff having to establish that he or she suffered actual harm. Class plaintiffs are alleging hundreds of millions of dollars in statutory damages against such household names as Urban Outfitters, IKEA, Cost Plus and Toys-R-Us.

Perhaps the key issue to date for these cases is the meaning of “willful violation.” In two separate FRCA cases in a different context (Geico v. Edo and Safeco Ins. v. Burr), the U.S. Court of Appeals for the Ninth Circuit ruled as follows:

Both of these Ninth Circuit cases were appealed to the USSC, which was asked to rule on whether the Ninth Circuit’s interpretation of “willful violation” was valid. The general consensus among commentators was that the Ninth Circuit’s interpretation would make it less difficult to collect statutory damages for FACTA credit card receipt violations, and that a narrow interpretation had the potential to cripple these FACTA class action suits for plaintiffs.

U.S. Supreme Court’s Ruling on “Willful Violations” Under FACTA

In Geico and Safeco, the class plaintiffs alleged that the insurance company defendants violated the FCRA by failing to provide notice of insurance policy changes based on the plaintiffs’ credit scores. The plaintiffs argued that “willful violation” included not only “knowing” violations of FCRA, but also reckless disregard of FCRA statutory duties. Turning to precedent interpreting similar language in other statutes and under common law, the USSC ruled against the insurance companies and concluded that the Ninth Circuit’s ruling was correct: one can “willfully violate” FRCA by knowingly violating the statute or acting in reckless disregard of the FCRA obligations.

In short, the USSC adopted a more lenient standard of proof for plaintiffs to establish FCRA obligations. Plaintiffs will still face obstacles in proving recklessness disregard. However, a merchant’s claim that it did not know of the FACTA requirements may not serve as a complete bar; plaintiffs will likely be able to present evidence concerning the merchant’s efforts to discover its FACTA obligations and whether or not the merchant should have known about the FACTA credit card requirements.

FACTA Class Action Certification Denied

In good news for merchants, in May 2007 the U.S. District Court for the Central District of California rejected a motion to certify a class action in Spikings v. Cost Plus, Inc. The Court focused on whether a class action would be superior to other methods of adjudication as required under Rule 23(b)(3) of the Federal Rules of Civil Procedure. The Court cited other cases ruling that Rule 23(b)(3)’s “superiority requirement” was not met where the defendant’s liability “would be enormous and completely out of proportion to any harm suffered by the plaintiff.” It also listed other cases that generally denied class certification, including an FCRA case, where the damages would be “absurd” relative to harm suffered.

In this case, the Court noted that if the class was certified the potential statutory penalties ranged from $340 million to $3.4 billion (based on a penalty ranging from $100 to $1000 per violation for 3.4 million class defendants), despite the fact that the lead plaintiff testified that it did not suffer any actual damages. The court noted that the entire Cost Plus organization was worth approximately $316 million and that a judgment on a class action in this case for even the minimum fine would bankrupt it. The Court further noted that Cost Plus began truncating its credit card receipts as soon as it became aware of the technical violation of FACTA, and that it was possible for the class plaintiffs to file individual suits to recover damages. Finally, the court noted that certifying the class opened the potential for abuse by plaintiffs’ attorneys in the form solicitation of unnecessary litigation. Based on the foregoing, the Court denied the plaintiffs’ motion for class certification.

Conclusion

While the USSC’s decision concerning “willful violation” of FACTA may be disappointing for merchants under suit, if the Spikings decision survives appeal the “teeth” associated with these lawsuits may have been extracted. The same logic that applied in the Cost Plus matter could apply to other retailers that face insolvency if they lose a class action suit. Its hard to imagine courts desiring to put some of the top U.S. retail brands out of business when no actual harm has been shown to have occurred. Paradoxically the reason that these suits are being filed in the first place (the large number of plaintiffs and the potential for a large pay-off for plaintiffs’ attorneys through class action) is the same reason they may ultimately be unsuccessful. If plaintiffs’ lawyers cannot proceed using the class action mechanism it will not likely be cost effective to pursue individual cases.

Nonetheless, it is premature to come to any firm conclusions on the reasoning set forth in the Spikings decision since it will likely be appealed and there also may be other district courts across the country that could rule differently. If Spikings is overruled, the USSC’s decision may provide plaintiffs’ counsel with significant arguments and settlement leverage. At the bare minimum, until some of these issues are resolved by higher courts, merchant-defendants will have to incur significant legal fees to fight these matters. InfoSecCompliance will keep you updated concerning any other material developments in this matter.

Minnesota’s “Plastic Card Security Act”

2007-06-06T23:05:00.001-06:00

A Direct Path to Merchant Liability for Payment Card Security Breaches

As reported in ISC’s March 2007 Newsletter, States like Massachusetts and a handful of others (five in total, including: MA, IL, CT, TX and MN) are considering bills that provide financial institutions (e.g. banks and credit unions) with the ability to sue organizations that expose payment card data due to a security breach (“Payment Card Breach Laws”). These proposed Payment Card Breach Laws provide banks with the right to reimbursement from merchants for costs associated with payment card security breaches, including for the cost to reissue credit cards (allegedly $20 - $50 per card). In short, under Payment Card Breach Laws, when a merchant suffers a breach it could be liable for thousands or even millions of dollars. Taking an extreme example, in the TJX matter, 45 million cards where allegedly exposed – the cost to reissue assuming $20 per card is $900 million. For smaller or medium companies that lose thousands or tens of thousands of card numbers, the impact could jeopardize their solvency.

On May 21, 2007, Minnesota became the first State to pass such a law -- Minnesota’s Plastic Card Security Act (H.F. 1758 -- the “Act”) is a landmark statute that may radically increase the risk of liability and alter the security practices of retailers and service providers handling payment card data. In this issue, ISC summarizes the Act and outlines some of the issues and challenges arising out of it.

1. The Plastic Card Security Act.

Subdivisions 1 and 2 of the Act, which prohibit the retention of certain payment card data for more than forty-eight (48) hours, first take effect on August 1, 2007. Subdivisions 3 and 4 of the law, which provides the right to reimbursement and allow financial institutions to file lawsuits to recover costs associated with a payment card security breach do not apply until August 1, 2008, and only apply to security breaches occurring after that date.

A. “The 48-hour Rule” -- Payment Card Retention Limitations (Subdivisions 1 and 2)

Subdivisions 1 and 2 of the Act attempt to address the problem of payment card security breaches by prohibiting companies that accept payment cards from retaining card security code data, PIN verification code numbers or the full contents of any track of magnetic stripe data (“Sensitive Authentication Data”), subsequent to forty-eight (48) hours after authorization of a transaction. Stated more simply, to comply with the Act, companies accepting payment cards must destroy or delete Sensitive Authentication Data within 48 hours of authorizing a transaction with such data (the “48-hour rule”).

This Act also applies to entities using service providers that store, process or transmit payment card data – a merchant that provides Sensitive Authentication Data to a service provider will be in violation of the Act if its service provider does not comply with the 48-hour rule

Coincidentally (or perhaps not so coincidentally) the Payment Card Industry Data Security Standard, v. 1.1 (“PCI Standard”) also references and has rules surrounding Sensitive Authentication Data. Section 3.2 of the PCI Standard (as well as the Preface) prohibits the storage of Sensitive Authentication Data subsequent to authorization (even if encrypted). Unlike the Act, the PCI Standard does not specify a timeframe during which the merchant may retain Sensitive Authentication Data – by its silence, the PCI Standard arguably appears to require the destruction or deletion of Sensitive Authentication “immediately” after authentication. Therefore, as discussed below, PCI compliance (where there has been a tight interpretation of the section 3.2 requirements) may effectively act as a “quasi-safe harbor” from liability under the Act.

B. Financial Institution’s Right to Reimbursement

The Act uses violation of the 48-hour rule as the trigger for financial institutions to recover when there is a security breach exposing payment card data. Subdivision 3 provides that when an entity that has violated the 48-hour rule suffers a security breach (or its service provider suffers a breach), any financial institution that issued payment cards affected by such breach is entitled to reimbursement of the costs of “reasonable actions undertaken by the financial institution as a result of the breach in order to protect the information of its cardholders or to continue to provide services to cardholders.”

Stated more simply, merchants holding Sensitive Authentication Data for more than 48 hours that suffer a security breach must reimburse “issuing banks” reasonable costs to protect cardholder information and continue servicing cardholders. Such costs could include (but are not limited to) costs in connection with:

(1) cancellation or reissuance of payment cards affected by the breach;

(2) closure of accounts affected by the breach;

(3) opening or reopening of accounts affected by the breach;

(4) refunds or credits to cardholders to cover the costs of unauthorized transactions; and

(5) notification of cardholders affected by the breach.

In addition, such financial institutions are entitled to recover costs for damages paid by them to cardholders injured by the breach (e.g. essentially an indemnification right in the event the financial institution is sued or settles with a cardholder).

Subdivision 4. of the Act (Remedies) provides financial institutions with a private right of under section 8.31 subdivision 3a. of Minnesota’s laws (basically a consumer protection statute). In addition to a right to bring a suit to recover damages and equitable relief, subdivision 3a provides the financial institution with the right to seek costs of investigation and attorney fees. The Act states that the financial institution’s private right of action is in the public interest and indicates that the remedies are cumulative and do not restrict any other rights or remedies available.

2. Analysis

This law presents some very interesting issues and challenges for companies accepting payment cards.

A. Direct Path to Liability -- Low Harm Threshold – “Costs of Reasonable Actions”

Where the worlds of data security and the law meet, to date and despite many lawsuits, there have been very few instances of courts finding legal liability for security breaches. In fact, issuing banks have previously tried to sue retailers for payment card data breaches, but the courts presiding over those cases rejected the banks’ third party beneficiary, negligence, promissory estoppel and breach of fiduciary duty claims, and dismissed the cases (see e.g. B.J. Wholesaler Summary Judgment Ruling, PSECU Motion to Dismiss). In short, there was no legal theory that clearly provided a right for issuing banks to recover – that hurdle has been jumped by the passage of the Act.

Now issuing banks have specific statutory rights to reimbursement and indemnity, as well as a private right of action to enforce those rights. The only requirements are as follows: (1) the entity is in violation of the 48-hour rule; (2) it suffers a breach of personal information affecting payment cards; and (3) the issuing financial institution incurs costs of reasonable actions to protect or continue servicing cardholders. There is no requirement that the merchant have acted intentionally, willfully, recklessly or negligently. In fact, it does not appear that the financial institution even has to establish that Sensitive Authentication Data was exposed.

As far as reimbursable costs are concerned, the issuing financial institution need not establish that the costs it incurs are necessary, just that the costs arise out of “reasonable” actions. The issuing financial institutions are not explicitly required to show that they will suffer harm or fraud if they do not take the actions (although this would factor into what constitutes “reasonable actions”). Their actions can be completely precautionary in nature so long as they are reasonable. In addition, there is a high likelihood that a court would view the list of example provided in the statute as representing examples of “reasonable actions” and perhaps a minimum list of what financial institutions are entitled reimbursement for. With the costs to reissue cards allegedly ranging from $20-50 per card, the costs of reissuance alone could be substantial (e.g. banks, including Chase, Citibank, the Maine Credit Union and TD Bank North, have already reportedly reissued millions of payment cards based on the TJX breach).

B. Nationwide Applicability -- Scope Beyond Minnesota?

Does the Minnesota law have a nationwide applicability? The answer is “maybe” for persons or entities doing business in Minnesota and elsewhere in the United States. Unlike Minnesota’s consumer-oriented breach notice law, which requires notice to Minnesota residents whose personal information may have been acquired by an unauthorized person (See H.F. 2121), the Act is not limited to Minnesota residents. Rather, it applies to “persons or entit[ies] conducting business in Minnesota” and unauthorized acquisition of computerized personal information (regardless of the residency associated with that information). Therefore, by the plain words of the statute, it may be possible that a company simply doing business in Minnesota, which suffers a breach in California, could trigger duties under the Act. Of course there may be jurisdictional issues that preclude suit in Minnesota or application of Minnesota law, but the issue is complex and far from clear.

C. Service Provider Liability.

Unfortunately for merchants that use service providers to handle payment card data, the Act still applies if their service provider suffers a breach. What this means for practical purposes is that merchants must ensure that their service providers have processes in place to comply with the 48-hour retention rule. This may be problematic: if the service provider does not have those processes in place it may charge merchants to comply. Moreover, despite the August 1, 2007 start date for the Act, it may take some time to modify systems and processes to achieve compliance.

Finally, the Act will require merchants to add new contractual duties to their service provider contracts that mandate compliance with the Act and most importantly, provide for indemnification. Significantly the Act makes the merchant responsible for the breach, and does not provide a direct route for banks to go after service providers unless “accepting an access device [payment card] in connection with a transaction.” Merchants will have to add indemnification language to shift the risk of loss for breaches that are the service provider’s fault. For existing relationships, merchants may have to reopen contract negotiations.

D. Personal Information Requirement

One potential limitation of the Act is the definition of “personal information.” The Act requires the acquisition of personal information by an unauthorized person to be triggered. In this context, personal information includes an individual’s first (or first initial) and last name, in combination with account number or credit or debit card numbers, in combination with any required security code, access code or password that would permit access to an individual’s financial account. Therefore, if a breach occurs that only exposes payment card data, but does not expose the combination of data listed in the definition of “personal information,” the Act may not apply. It is unclear whether companies can segregate this data to avoid the combination that triggers the Act – merchants should confer with their internal or external security professionals to further explore this and other risk-reducing measures.

E. No Encryption “Safe Harbor”

Unlike Minnesota’s breach notice law applying to consumers (see H.F. 2121) which only applies to breaches of “unencrypted” personal information, the Act does not provide an “encryption” safe harbor. In other words, the Act applies even if Sensitive Authentication Data stored more than 48-hours is encrypted.. It appears that the drafters have decided that the only way to avoid applicability of the law is to destroy or erase Sensitive Authentication Data. Significantly, section 3.2 of the PCI Standard also discounts encryption of this data.

F. Relationship to the PCI Standard – PCI “Quasi-Safe Harbor?”

Is compliance with the Act impacted in any way if a merchant or service provider is compliant with the PCI Standard. Strict compliance with the PCI Standard may effectively create a quasi safe-harbor to avoid liability under the Act. Both the Act and the PCI Standard prohibit the retention of Sensitive Authentication Data, however the Act allows retention of such data for 48 hours, while section 3.2 of the PCI Standard prohibits storage of such data completely after authentication (some qualified security assessors have said that VISA’s time limit is 24 hours – however this is not explicitly stated anywhere). Therefore, if an entity is compliant with the PCI Standard, so long as section 3.2 of the PCI Standard has been strictly interpreted and followed (e.g. immediate deletion or destruction), they should also be in compliance with the Act’s 48-hour retention rule.

The problem of course is that it is possible that some entities (or their qualified security assessors) may have interpreted section 3.2 more loosely, potentially allowing Sensitive Authentication Data to be retained beyond 48 hours. Therefore, entities that are PCI Compliant should not automatically conclude that they are compliant with the Act. They should check with their internal or external security assessors to determine how long Sensitive Authentication Data is stored and how strictly they interpret rule 3.2. Moreover, for future PCI security assessments, entities should at least consider imposing a 48-hour retention limitation on Sensitive Authentication Data retention if they want to be aligned with the Act.

3. Conclusion

The Plastic Card Security Act and similar Payment Card Breach laws are likely to significantly impact the data security risks and liability associated with handling payment card data. For one of the first times in U.S. history, a direct liability path exists for a large segment of U.S. businesses that suffer security breaches involving payment card data. The true impact will not be known until these laws are used, but, especially for small or medium companies heavily reliant on payment card transactions, a careful examination of security practices and service provider contracts is recommended to achieve compliance with the Act. In addition, for those merchants that have not yet complied with the PCI Standard, now is the time to get serious.

As with many data security-related laws and regimes, compliance and risk management is a multi-disciplinary exercise. Entities should retain an attorney to assist with interpreting the Act and modifying service provider contracts to align with the Acts 48-hour rule. Security professionals should be asked to assist with achieving the data retention requirements, as well as working toward PCI compliance (and strict compliance with section 3.2). Finally, this is an area where information security and privacy liability insurance has clear and direct value. Companies should look at their current policies to determine whether coverage exists, and should consider security and privacy policies available in the market that are directly geared toward covering such liability. Taking these steps will provide a solid foundation to begin addressing the risk associated with the Act and other Payment Card Breach Laws that get passed.

What You Don’t Know Just Might Hurt You.

2007-04-30T18:23:00.000-06:00

“As we know, there are known knowns. There are things we know we know. We also know there are known unknowns. That is to say we know there are some things we do not know. But there are also unknown unknowns, the ones we don't know we don't know.”

—Donald Rumsfeld, Feb. 12, 2002

Regardless of what one thinks of Donald Rumsfeld’s tenure as Secretary of Defense, these words hold a pearl of wisdom that applies to organizations struggling to comply with privacy and security laws. One of the major difficulties for modern organizations working with private personal information is simply knowing what privacy and security laws apply to their operations. This problem is exacerbated by the fact that, even for smaller- and medium-sized organizations, modern commerce often involves transacting with consumers in multiple legal jurisdictions (e.g. local, State, Federal and international). In short, since privacy and security laws from several jurisdictions may apply, it is highly likely that a lot of “unknown unknowns” exist, which can cause adverse impacts. This month’s newsletter explores an instance where unknown unknowns may have come into play in the privacy context, and how organizations can begin to address the problem.

Too Much Information?

FACTA Credit Card Receipt Class Action Suits a Cause for Serious Concern.

In what appears to be a classic case of “unknown unknowns,” a rash of over 100 class action lawsuits have been filed in California alleging violation of the Fair and Accurate Transaction Act of 2003 (“FACTA”). Section 15 U.S.C. § 1681c(g) of FACTA limits the information that can be printed on an electronically printed credit card receipt to the last five digits of the credit card number, and specifically prohibits printing a credit card’s expiration date on the receipt. Organizations were provided with a three-year grace period to comply with this Federal law (December 4, 2006 was the first date that compliance was required).

A single willful violation of FACTA (which is incorporated into and part of the Fair Credit Reporting Act [“FCRA”]) could result in damages ranging from $100 to $1,000. Plaintiffs are also entitled to actual damages if they can prove a negligent violation of the FACTA. With companies processing millions of credit card transactions each year the damage potential for these lawsuits is staggering.

These class action suits have been filed against companies such as: Urban Outfitters; IKEA; Chanel Inc.; Toys-R-Us Delaware Inc.; Oakley, Inc.; Rite Aid Corp.; Costco Wholesale Inc.; The Walt Disney Parks and Resorts; California Pizza Kitchen Inc.; El Pollo Loco; Levy Restaurants; United Artists Theatre Circuit Inc.; FedEx Kinkos Office and Print Services Inc.; Valero Energy Corp.; and Avis Rent-A-Car Systems Inc. Lawsuits are also spreading outside of California – two lawsuits were filed on March 14, 2007 in the Western District of Pennsylvania.

Thus far, many of the cases have survived motions to dismiss. Defendants have argued that dismissal is warranted because, while section 1681c(g) of FACTA applies to “cardholders,” private rights of action are only available to “consumers” under section 1681n of FCRA. This argument was rejected by California courts when raised by Oakley, Inc. and IKEA.

The success of these cases could ultimately hinge on the meaning of “willfully fails to comply” under section 1681n of FCRA. Two 9^th Circuit cases (the Federal Appellate Court for California and other western States) have ruled on the meaning of “willfully.” In Geico v. Edo, the court alluded to a “recklessness” standard:

In sum, if a company knowingly and intentionally performs an act that violates FCRA, either knowing that the action violates the rights of consumers or in reckless disregard of those rights, the company will be liable under 15 U.S.C. § 1681n for willfully violating consumers’ rights. A company will not have acted in reckless disregard of a consumers’ rights if it has diligently and in good faith attempted to fulfill its statutory obligations and to determine the correct legal meaning of the statute and has thereby come to a tenable, albeit erroneous, interpretation of the statute. In contrast, neither a deliberate failure to determine the extent of its obligations nor reliance on creative lawyering that provides indefensible answers will ordinarily be sufficient to avoid a conclusion that a company acted with willful disregard of FCRA’s requirement. Reliance on such implausible interpretations may constitute reckless disregard for the law and therefore amount to a willful violation of the law (emphasis added).

This interpretation differs from interpretations in other Federal Appellate Districts, and this issue has now been argued before the U.S. Supreme Court (additional Supreme Court briefs and other information can be found here). If the Supreme Court disagrees with the 9^th Circuit’s (and the 3^rd Circuit’s) interpretation of “willfully,” then these class actions may be difficult for plaintiffs to win (it is doubtful that plaintiffs will be able to establish actual damages to recover for “negligent” failure to comply with FCRA).

Many corporate defendants reported that they were “surprised” by the FACTA credit card receipt requirements despite the three-year grace period to achieve compliance. That seems like a plausible explanation considering that most rational companies, had they known of this requirement, would most likely have chosen to limit the information on their credit card receipts rather than face a potential fine of up to $1000 per violation and expensive attorney fees to defend class action lawsuits. Nonetheless, these companies are now experiencing the risks and expense associated with unknown privacy laws.

What should companies do to address “unknown unknowns” when it comes to privacy laws?

Organizations are not omnipotent – they cannot possibly know all things at all times at all places. However, they can take action to minimize their risk of unknown privacy and security laws, including: (1) designing their privacy programs consistent with Fair Information Practice Principles; (2) acquiring resources to stay on top of privacy and security regulations and case law; and (3) insuring against the unknown.

Fair Information Practice Principles. While the legal requirement to limit credit card receipt data may not be intuitive to all companies, there are certain general activities that rational actors know could get them into trouble when it comes to handling customer information. For example, selling or collecting personal information without notice or consent can obviously be problematic, and as a result there are laws that address those general categories of privacy violations. Addressing general privacy activities and principles can decrease risk even if specific regulatory requirements are unknown.

In fact many, if not most, privacy and security-related laws reflect the principles and framework set forth in the Fair Information Practice Principles (“FIPP”). FIPP includes: notice/awareness, choice/consent, access/participation, security/integrity and enforcement/redress. If FIPP is the goal and the organization strives to meet that goal with due diligence, that organization will likely have reduced its regulatory privacy risks (relative to organizations that do not consider FIPP).

The problem, of course, is that FIPP does not address every single detail of every privacy law. Some organizations that follow FIPP may have missed the specific requirements of FACTA or may not be aware of the specific notices (and fines) required under the CAN-SPAM Act, HIPAA, GLB and other more obscure laws. These class action lawsuits demonstrate how compliance to FIPP can help. Those companies diligently concerned about the security/integrity prong of FIPP, even without knowledge of FACTA’s specific legal requirement, may have made an independent determination that truncating credit card numbers on receipts is a good practice to secure credit card information from identity theft. In fact, some organizations likely adopted this practice prior to the FACTA law as the result of due diligence with general privacy principles.

Due Diligence Investigation. Legal violations arising out of privacy or security incidents increasingly threaten organizations in terms of reputation damage, legal fees and damage awards. In fact, more and more companies are dedicating specific resources toward addressing privacy and security legal compliance. The first step is establishing accountability within the organization by creating a manager solely responsible for privacy compliance (a C-level executive with direct reporting to the CEO is a best case), and providing he or she with a budget. The lead privacy compliance officer should hire or work with attorneys to develop a formal process for inventorying the personal information the company handles, tracking the flow of that information across jurisdictions from collection to storage/disposal and determining the laws that apply to the organization.

Companies should attempt to address the lowest hanging fruit first. In certain industries, such as finance and healthcare, comprehensive privacy laws exist such as GLB and HIPAA. If the personal information of European or Canadian companies is at issue, the national privacy law of those countries should be considered.

Determining the applicability of privacy and security laws requires a continuous effort that considers changes in both the organization’s internal privacy practices and the law. Those responsible for privacy compliance should engage in frequent and comprehensive communications with business managers whose units collect and handle personal information. Companies should track laws and legislation, and subscribe to privacy and security reporters and websites (feel free to contact me for a list of sources). A person who can make the link between organizational practices and changes in privacy laws, and how those practices laws might impact the organization, should be dedicated to tracking internal practices and privacy laws.

Privacy and Security Liability Insurance – Risk Transfer. Insurance is a very important tool for managing the “unknown unknowns.” For companies that operate across multiple jurisdictions, it is virtually impossible to know every law and how every part of an organization is reacting or failing to react to that law. This means that residual risk exists that must either be tolerated by the organization or transferred to a third party.

Privacy and security liability insurance is an excellent tool for decreasing a company’s risk load under these circumstances. While the uncertainty inherent in complying with every security or privacy law still exists for insurers, insurers can spread their risk across thousands of organizations. Moreover, even if aggregated events occur, as long as the insurer has a good financial rating, they should be able to absorb the loss. Even insurance companies without the highest financial ratings are typically reinsured by large reinsurers who are able to weather adverse situations.

The ability of insurers to underwrite privacy and security liability risks in a world where such risks are sometimes “unknown” addresses the main problem of modern organizations. Instead of expending huge amounts of resources to achieve an unattainable level of “perfect security,” or researching, discovering and analyzing every possible privacy law that applies to them, insurers can take the risk and help their insureds avoids those expenses.

That is not to say that insurers will insure companies with bad privacy practices or poor information security. To be insurable, at a minimum, “reasonable” security and privacy practices must be present (and what is reasonable can vary from insurer to insurer). Nonetheless, most companies that can establish “due diligence,” and have practices and policies adhering to FIPP and generally accepted security standards such as ISO 17799, will likely be insurable.

There are two key challenges for companies that want to use insurance as a risk management tool in this context. First is implementing security and privacy practices that meet a level of reasonableness at the lowest price. As long as insurance is available, spending more to achieve “more than reasonable” privacy/security may not be cost-effective. Moreover, large security and privacy overhauls can be disruptive to business. The risk avoided by implementing costly controls can be transferred for the price of an insurance policy which typically costs less than the controls.

Second, and perhaps most important for an organization that wants to manage risk through insurance, is ensuring that the privacy and security insurance policy it chooses actually covers the risks the organization desires to transfer. If it does not, the organization will be left handling the costs of that risk on its own. It takes a concerted effort by risk managers and key business stakeholders to understand not only the potential risks, but also how they might impact the organization if the risk is realized.

On the other side of the equation, since the current crop of security and privacy policies vary in their approach and coverage scope, it is not always easy to get a clear picture of what is covered. Organizations should make sure they have good brokers or insurance consultants who understand the specific risks of their company and the insurance products available to cover such risks. In all, if some time and effort is taken to understand the range of security and privacy insurance options, insurance can be a very cost-effective and efficient tool for dealing with “unknown unknowns.”

Conclusion

While the risks and problems associated with unknown privacy or security regulations may never be fully solved, the awareness of organizations and the skill and talent available to address the problem are probably at their highest. Companies simply need to acknowledge the fact that unknown unknowns exist in the privacy world, and dedicate time and resources toward at least converting them into “known unknowns.” Even unaddressed privacy laws are better than unknown laws because at least the organization is aware of some risk and presumably has factored it into their overall risk management scheme. Organizations that are serious about understanding the full scope of their risk need to engage in a due diligence investigation, and need to at least try to adhere to common industry privacy practices and security standards. Companies should also seriously consider transferring their residual risk rather than engaging in potentially never-ending and expensive attempts to “eliminate” their risk. When these steps are taken, organizations can decrease the risk and loss associated with unknown security and privacy laws.

Proposed Massachusetts Security Breach Notice Law Creates Additional Liability for Companies Accepting Credit Cards.

2007-04-27T17:07:00.000-06:00

Proposed Massachusetts Security Breach Notice Law Creates Additional Liability for Companies Accepting Credit Cards.

For companies that store or process credit card data, the legal landscape may be getting a little more risky.

Similar to breach notice laws passed in thirty-five other States, a proposed Massachusetts bill (H. 213) requires notice to residents of the State if, as the result of a breach of system security, “misuse of information about a Massachusetts resident has occurred or is reasonably likely to occur.” The bill also requires entities that do not own or license personal information (which appears to include service providers working on behalf of the company that originally collected the information) to report to the owner or licensee of the personal information.

However, the bill goes a step further and requires organizations to reimburse banks for banks’ “reasonable actions” in response to a data security breach where notice is required. Reimbursable costs include:

(a) the cancellation or reissuance of any credit card issued by any bank or access device;

(b) the closure of any deposit, transaction, share draft or other account and any action to stop payments or block transactions with respect to any such account;

(c) the opening or reopening of any deposit, transaction, share draft, or other account for any customer of the bank; and

(d) any refund or credit made to any customer of the bank as a result of unauthorized transactions.

This new remedy may be related to recent unsuccessful lawsuits by banks seeking to recover the costs of reissuing credit cards exposed as the result of a security breach.

In 2005 B.J. Wholesalers suffered a security breach and was sued by several “issuing banks” to recover costs to reissue credit cards (B.J. Wholesalers faced suits by four banks alleging millions of dollars in losses). However, the courts presiding over those cases rejected the banks’ third party beneficiary, negligence, promissory estoppel and breach of fiduciary duty claims, and dismissed the cases (see e.g. B.J. Wholesaler Summary Judgment Ruling, PSECU Motion to Dismiss).

More recently, TJX Companies (holding company of such retailers as TJ Maxx, Homegoods and Marshalls and headquartered in Massachusetts) was sued by an Alabama-based AmeriFirstBank Inc. bank in the wake of a security breach. AmeriFirstBank alleges that it costs the bank approximately $20 to reissue a single card. News reports indicate that the breach may have exposed more than 40 million credit cards and approximately 60 banks have been notified of potential exposure. Some of these banks, including Chase, Citibank, the Maine Credit Union and TD Bank North, have already reportedly reissued millions of credit cards based on the TJX breach.

This Massachusett’s bill may not be an isolated event -- other States and the Federal government are reportedly considering similar legislation according to this credit union source.

What might this mean in terms of managing information security risk?

For companies handling credit card information it means a fairly direct path to legal liability if a breach exposes credit card information. The legislation is not limited to a narrow definition of retailer, but applies to the “commercial entities” (broadly defined). Assuming damages of $20 for each card reissued, if a breach involves several thousands or millions of cards, the potential damages could be staggering. For smaller organizations a potential security breach could result in bankruptcy. For larger retailers with millions of credit cards stored, it could result in tens of millions of dollars in damages.

Moreover, the standard of proof for banks is arguably not very high. First, there must have been a security breach that resulted in the misuse of information about a Massachusetts resident, or such a misuse is reasonably likely to occur. Second, the banks actions must have been “reasonable actions,” which includes those broad actions listed above. Therefore, a decision to report arguably guarantees that the organization will have to reimburse some bank costs. Ironically, since consumers do not have a direct remedy in the statute, the law may produce a strong incentive to avoid reporting to consumers if there is uncertainty as to whether misuse has occurred.

What should companies do to if a law like this is passed?

From a risk management perspective, organizations should conduct a risk analysis to determine how much credit card information they are handling, and whether it is subject to being stolen in large quantities. Since the potential liability for a breach could be enormous, the justification for enhanced security should be present. Regardless, companies should work hard toward at least achieving PCI compliance if handling credit card data. Since companies may be liable if their service provider suffers a breach, they should work to assess the controls of those service providers (or only work with those that are certified as PCI compliant)

In addition, the existence of a law like this creates a very strong argument for insurance to transfer the risk of loss. Risk managers should check their insurance policies to determine if any coverage exists under their current forms, and should consider the purchase of information security and privacy policies. Some policies now provide coverage for liability arising out of a security breach and with respect to the costs of providing notice of a security breach.

From a legal perspective, it appears that legal liability could arise out of a breach related to a third party service provider. Therefore, attorneys for companies collecting credit card information and passing it on to service providers for processing must make sure that there are contractual duties to maintain adequate security, report security breaches and potentially indemnify for losses (in fact the PCI Standard actually requires the development of contract terms that mandate compliance with the PCI Standard). In addition, attorneys need to be versed in the details of such laws so they can provide good counseling when a suspected security incident occurs.

Conclusion.

It is very interesting that the liability potential for security breaches is now being pushed from the commercial side (while being pushed more slowly from the consumer side). If a bill such as H. 213 is passed it has the potential to radically change the information security risk management dynamic for companies handling credit cards. There will be strong interests on both sides (banks versus retailers) that will push for and against a scheme like this, so it is unlikely that it will be passed in its current form. Nonetheless, it will be very interesting to see if and how these laws develop further, and it is important for risk managers to pay close attention to the progress of bills of this type.