For companies that store or process credit card data, the legal landscape may be getting a little more risky.
Similar to breach notice laws passed in thirty-five other States, a proposed Massachusetts bill (H. 213) requires notice to residents of the State if, as the result of a breach of system security, “misuse of information about a Massachusetts resident has occurred or is reasonably likely to occur.” The bill also requires entities that do not own or license personal information (which appears to include service providers working on behalf of the company that originally collected the information) to report to the owner or licensee of the personal information.
However, the bill goes a step further and requires organizations to reimburse banks for banks’ “reasonable actions” in response to a data security breach where notice is required. Reimbursable costs include:
- the cancellation or reissuance of any credit card issued by any bank or access device;
- the closure of any deposit, transaction, share draft or other account and any action to stop payments or block transactions with respect to any such account;
- the opening or reopening of any deposit, transaction, share draft, or other account for any customer of the bank; and
- any refund or credit made to any customer of the bank as a result of unauthorized transactions.
This new remedy may be related to recent unsuccessful lawsuits by banks seeking to recover the costs of reissuing credit cards exposed as the result of a security breach.
In 2005 B.J. Wholesalers suffered a security breach and was sued by several “issuing banks” to recover costs to reissue credit cards (B.J. Wholesalers faced suits by four banks alleging millions of dollars in losses). However, the courts presiding over those cases rejected the banks’ third party beneficiary, negligence, promissory estoppel and breach of fiduciary duty claims, and dismissed the cases (see e.g. B.J. Wholesaler Summary Judgment Ruling, PSECU Motion to Dismiss)
More recently, TJX Companies (holding company of such retailers as TJ Maxx, Homegoods and Marshalls and headquartered in Massachusetts) was sued by an Alabama-based AmeriFirstBank Inc. bank in the wake of a security breach. AmeriFirstBank alleges that it costs the bank approximately $20 to reissue a single card. News reports indicate that the breach may have exposed more than 40 million credit cards and approximately 60 banks have been notified of potential exposure. Some of these banks, including Chase, Citibank, the Maine Credit Union and TD Bank North, have already reportedly reissued millions of credit cards based on the TJX breach.
This Massachusett’s bill may not be an isolated event — other States and the Federal government are reportedly considering similar legislation according to this credit union source.
What might this mean in terms of managing information security risk?
For companies handling credit card information it means a fairly direct path to legal liability if a breach exposes credit card information. The legislation is not limited to a narrow definition of retailer, but applies to the “commercial entities” (broadly defined). Assuming damages of $20 for each card reissued, if a breach involves several thousands or millions of cards, the potential damages could be staggering. For smaller organizations a potential security breach could result in bankruptcy. For larger retailers with millions of credit cards stored, it could result in tens of millions of dollars in damages.
Moreover, the standard of proof for banks is arguably not very high. First, there must have been a security breach that resulted in the misuse of information about a Massachusetts resident, or such a misuse is reasonably likely to occur. Second, the banks actions must have been “reasonable actions,” which includes those broad actions listed above. Therefore, a decision to report arguably guarantees that the organization will have to reimburse some bank costs. Ironically, since consumers do not have a direct remedy in the statute, the law may produce a strong incentive to avoid reporting to consumers if there is uncertainty as to whether misuse has occurred.
What should companies do to if a law like this is passed?
From a risk management perspective, organizations should conduct a risk analysis to determine how much credit card information they are handling, and whether it is subject to being stolen in large quantities. Since the potential liability for a breach could be enormous, the justification for enhanced security should be present. Regardless, companies should work hard toward at least achieving PCI compliance if handling credit card data. Since companies may be liable if their service provider suffers a breach, they should work to assess the controls of those service providers (or only work with those that are certified as PCI compliant.)
In addition, the existence of a law like this creates a very strong argument for insurance to transfer the risk of loss. Risk managers should check their insurance policies to determine if any coverage exists under their current forms, and should consider the purchase of information security and privacy policies. Some policies now provide coverage for liability arising out of a security breach and with respect to the costs of providing notice of a security breach.
From a legal perspective, it appears that legal liability could arise out of a breach related to a third party service provider. Therefore, attorneys for companies collecting credit card information and passing it on to service providers for processing must make sure that there are contractual duties to maintain adequate security, report security breaches and potentially indemnify for losses (in fact the PCI Standard actually requires the development of contract terms that mandate compliance with the PCI Standard). In addition, attorneys need to be versed in the details of such laws so they can provide good counseling when a suspected security incident occurs.
It is very interesting that the liability potential for security breaches is now being pushed from the commercial side (while being pushed more slowly from the consumer side). If a bill such as H. 213 is passed it has the potential to radically change the information security risk management dynamic for companies handling credit cards. There will be strong interests on both sides (banks versus retailers) that will push for and against a scheme like this, so it is unlikely that it will be passed in its current form. Nonetheless, it will be very interesting to see if and how these laws develop further, and it is important for risk managers to pay close attention to the progress of bills of this type.