Quickhits: Heartland Settles With Visa for $60 Million

Read all about it here. Note, analyst Avivah Litan of Gartner indicated that "this seems like a very fair settlement, and it seems like Heartland escaped the tremendous costs that TJX incurred - $139 million plus - despite the fact that Heartland's breach was more extensive." In reality TJX settled with Visa for $41 million, and the $139 million figure (wherever she got it from -- this article from June 2009 claims TJX expended $320 million) likely includes both the Visa and Mastercard settlement amounts PLUS the costs and expenses to defend the numerous actions filed against TJX. At this point I doubt that Ms. Litan (or anybody else except Heartland) knows how much Heartland has incurred in expenses to defend the numerous lawsuits and regulatory actions it is facing.

Massachusetts's Highest Court Delivers BJ Wholesalers (and other Retailers) a Data Breach Liability Gift

While the proverbial jury is still out concerning retailers’ sales success this 2009 holiday season, Massachusetts’s highest court (the Supreme Judicial Court or “Supreme Court” as referenced herein) delivered retailers a significant holiday gift in the form of an opinion slamming the door on some financial institutions seeking to recover reissuance costs arising out of a retailer’s payment card data breach. The Cumis Insurance Society, Inc. v. B.J. Wholesale Club, Inc. decision (“Supreme Court Decision”) analyzed and ruled upon most of the mainstream legal theories issuing banks have used to attempt to recover card reissuance costs, including breach of contract under a third party beneficiary theory, fraud, negligence, negligent misrepresentation and breach of unfair/deceptive practices laws (in this case M.G.L. Chapter 93A, section 11). We have previously commented on multiple decisions involving retailer payment card breaches similar to the BJ Wholesale breach and PCI liability in general, including a 3rd Circuit federal appellate decision that allowed issuing banks to proceed forward with a third party beneficiary breach of contract theory. This blog post dives into and analyzes the Supreme Court Decision, and looks at it in context against similar decisions. Overall, in terms of issuing banks recovering for payment card breaches, the game does not appear to be litigation in the courts, but rather in the backroom contracts and recovery processes contained in the card brand operating regulations that most retailers agree to comply with.


PCI DSS Incident Response: The Legal Perspective

The SANS Institute InfoSec Reading Room recently published an article by Christian J. Moldes entitled PCI DSS and Incident Handling: What is required before, during and after an incident. Moldes' whitepaper is a good starting point for developing an incident response plan to address payment card security breaches. The paper hits upon the key aspects of payment card security breach handling from an information security professional's point of view. The paper, however, speaks little of the legal implications of a payment card security breach, and the incident response considerations that arise out of those implications.

In today's environment, one of the most significant risks associated with a payment card breach is legal liability (whether it be contractual, regulatory or via class action lawsuits). The following legal risks may present themselves in the wake of a payment card security breach suffered by a merchant: (1) consumer class action lawsuits; (2) issuing bank class action lawsuits; (3) merchant bank lawsuits against the merchant; (4) payment card recovery processes (such as the VISA Account Data Compromise Recovery process); (5) payment card fines and penalties; (6) federal regulatory actions; (7) state AG regulatory actions; and (8) shareholder lawsuits (based on misrepresentations/omissions concerning data security).

This post borrows in part from the relevant sections of Mr. Moldes' framework and interjects some legal considerations and incident response planning into the fray. This article views incident response from the merchant's point of view (as opposed to a service provider's POV). Please note, as discussed further below, if there is one thing to take away from this article it is that merchants should consider hiring their own independent forensic assessor if they are forced by VISA to hire one of Visa's "Qualified Incident Response Assessors."


TJX -- Banks' Motion for Class Certification Denied

This is the court's decision denying class certification by the banks suing TJX. Have not fully read through it, but interestingly it appears that the nature of the negligent misrepresentation claim (e.g. the reliance requirement) is one of the reasons that class cert. was ruled inappropriate.


TJX Denial of Motion for Class Certification

TJX -- Banks File Expert Opinion

This is a very interesting read. The banks suing TJX retained an expert (former security guru for MasterCard) to opine on TJX's failure to follow security standards. In particular, PCI. You can find the expert opinion that was filed with the court here: Bank Expert Opinion

A few interesting points:

  1. PCI is being set up as the legal standard of due care. It does not appear that compliance was very close in this one, but for cases on the fringe, we are going to have courts deciding what compliance with PCI means; and
  2. the expert used reports generated by TJX's own security auditors against TJX.

On number (2), I always advise my clients to attempt to get their audits under the umbrella of attorney-client privilege (or work product). Basically, retain the security assessor as an expert to assist with legal/regulatory compliance review. This at least gives an argument of attorney-client privilege and may allow companies like TJX to keep these extremely damaging reports out of evidence (although admittedly the privilege is often leaky). Not sure if that was done in the TJX matter (if it was, does anybody know how they lost the privilege?).

TJX Motion to Dismiss Bank's Claims

I came across this ruling in the TJX matter that dismisses some of the banks' claims against TJX: Link

Consistent with past decisions (B.J. Wholesalers) it looks like issuing banks cannot rely on a 3rd party beneficiary theory to go after merchants for breach of contract. Also appears that the economic loss doctrine is still an effective block to general negligence actions.

However, the negligent misrepresentation claim and unfair/deceptive business act claims both survived. The negligent misrepresentation argument was very interesting. Basically, it appears that the issuing banks alleged that by participating in a financial network that relies on members taking appropriate security measures, TJX made "implied representations" that it would take the security measures required by industry practice. The court let these allegations stand, indicating that the economic loss doctrine does not apply to a negligent misrepresentation claim in Massachusetts. In addition, the court ruled that the banks' reliance on such implied representations is a question of fact inappropriate for resolution at the motion to dismiss phase. These allegations also serve as the basis for the Banks' unfair and deceptive business practices claims under Chapter 93 of Massachusetts' law.

While the survival of these claims is certainly good news for the banks, TJX may still be able to stop this case from going to trial using a motion for summary judgment further down the line. It will be interesting to see if the Banks can successfully argue that the costs of preemptively reissuing credit cards constitute "damages" for purposes of negligent misrepresentation.

Proposed Massachusetts Security Breach Notice Law Creates Additional Liability for Companies Accepting Credit Cards.

For companies that store or process credit card data, the legal landscape may be getting a little more risky.

Similar to breach notice laws passed in thirty-five other States, a proposed Massachusetts bill (H. 213) requires notice to residents of the State if, as the result of a breach of system security, "misuse of information about a Massachusetts resident has occurred or is reasonably likely to occur." The bill also requires entities that do not own or license personal information (which appears to include service providers working on behalf of the company that originally collected the information) to report to the owner or licensee of the personal information.

However, the bill goes a step further and requires organizations to reimburse banks for banks' "reasonable actions" in response to a data security breach where notice is required. Reimbursable costs include:

  1. the cancellation or reissuance of any credit card issued by any bank or access device;
  2. the closure of any deposit, transaction, share draft or other account and any action to stop payments or block transactions with respect to any such account;
  3. the opening or reopening of any deposit, transaction, share draft, or other account for any customer of the bank; and
  4. any refund or credit made to any customer of the bank as a result of unauthorized transactions.

This new remedy may be related to recent unsuccessful lawsuits by banks seeking to recover the costs of reissuing credit cards exposed as the result of a security breach.

In 2005 B.J. Wholesalers suffered a security breach and was sued by several "issuing banks" to recover costs to reissue credit cards (B.J. Wholesalers faced suits by four banks alleging millions of dollars in losses). However, the courts presiding over those cases rejected the banks' third party beneficiary, negligence, promissory estoppel and breach of fiduciary duty claims, and dismissed the cases (see e.g. B.J. Wholesaler Summary Judgment Ruling, PSECU Motion to Dismiss).

More recently, TJX Companies (holding company of such retailers as TJ Maxx, Homegoods and Marshalls, and headquartered in Massachusetts) was sued by AmeriFirstBank Inc., an Alabama-based bank, in the wake of a security breach. AmeriFirstBank alleges that it costs the bank approximately $20 to reissue a single card. News reports indicate that the breach may have exposed more than 40 million credit cards and approximately 60 banks have been notified of potential exposure. Some of these banks, including Chase, Citibank, the Maine Credit Union and TD Bank North, have already reportedly reissued millions of credit cards based on the TJX breach.

This Massachusetts bill may not be an isolated event -- other States and the Federal government are reportedly considering similar legislation according to this credit union source.

What might this mean in terms of managing information security risk?

For companies handling credit card information it means a fairly direct path to legal liability if a breach exposes credit card information. The legislation is not limited to a narrow definition of retailer, but applies to "commercial entities" (broadly defined). Assuming damages of $20 for each card reissued, if a breach involves several thousands or millions of cards, the potential damages could be staggering. For smaller organizations a potential security breach could result in bankruptcy. For larger retailers with millions of credit cards stored, it could result in tens of millions of dollars in damages.

Moreover, the standard of proof for banks is arguably not very high. First, there must have been a security breach that resulted in the misuse of information about a Massachusetts resident, or such a misuse is reasonably likely to occur. Second, the bank's actions must have been "reasonable actions," which includes the broad actions listed above. Therefore, a decision to report arguably guarantees that the organization will have to reimburse some bank costs. Ironically, since consumers do not have a direct remedy in the statute, the law may produce a strong incentive to avoid reporting to consumers if there is uncertainty as to whether misuse has occurred.

What should companies do if a law like this is passed?

From a risk management perspective, organizations should conduct a risk analysis to determine how much credit card information they are handling, and whether it is subject to being stolen in large quantities. Since the potential liability for a breach could be enormous, the justification for enhanced security should be present. Regardless, companies should work hard toward at least achieving PCI compliance if handling credit card data. Since companies may be liable if their service provider suffers a breach, they should work to assess the controls of those service providers (or only work with those that are certified as PCI compliant).

In addition, the existence of a law like this creates a very strong argument for insurance to transfer the risk of loss. Risk managers should check their insurance policies to determine if any coverage exists under their current forms, and should consider the purchase of information security and privacy policies. Some policies now provide coverage for liability arising out of a security breach and with respect to the costs of providing notice of a security breach.

From a legal perspective, it appears that legal liability could arise out of a breach related to a third party service provider. Therefore, attorneys for companies collecting credit card information and passing it on to service providers for processing must make sure that there are contractual duties to maintain adequate security, report security breaches and potentially indemnify for losses (in fact the PCI Standard actually requires the development of contract terms that mandate compliance with the PCI Standard). In addition, attorneys need to be versed in the details of such laws so they can provide good counseling when a suspected security incident occurs.

Conclusion.

It is very interesting that the liability potential for security breaches is now being pushed from the commercial side (while being pushed more slowly from the consumer side). If a bill such as H. 213 is passed it has the potential to radically change the information security risk management dynamic for companies handling credit cards. There will be strong interests on both sides (banks versus retailers) that will push for and against a scheme like this, so it is unlikely that it will be passed in its current form. Nonetheless, it will be very interesting to see if and how these laws develop further, and it is important for risk managers to pay close attention to the progress of bills of this type.