Info Law Group : Technology Lawyers & Attorneys : Information Law Group : Privacy, Security & Intellectual Property Law

Security breaches in the online banking world continue to yield interesting lawsuits (you can read about three others in this post). The latest online banking lawsuit filed by Experi-Metal Inc. (“EMI”) against Comerica (the “EMI Lawsuit”) provides some new wrinkles that could further illuminate the boundaries of “reasonable security” under the law. Brian Krebs has a good article summarizing the case. In addition, bankinfosecurity.com has a recent article on this matter (in which yours truly was quoted). In this post we take a look at the EMI Lawsuit, consider some legal questions that the case raises, and analyze how it might impact the question of what constitutes “reasonable security” under the law.

Under Mastercard's new rules concerning merchant level definitions, apparently companies that were previously level 4 merchants (and did not have to do a PCI assessment unless requested by their acquiring bank) have been converted to level 3 merchants (which do need to conduct at least a self assessment).   More details here.

Mastercard announces fine regime for PCI non-compliance:  details here from Branden Williams of Verisign: LINK.

On July 7, 2009, Merrick Bank filed its response to Savvis' motion to dismiss.  I have not had a time yet to analyze the brief, but will do so in the near future.  In the meantime, if any readers would like to share their insight, please submit a comment!

The TJX breach saga came a little closer to an end (excluding of course the still-pending case being pursued by a couple of issuing banks) with the announcement of a settlement with 41 State attorneys general that brought actions under their State's respective consumer fraud and deceptive practices laws (a copy of the settlement document can be found:  HERE).  This is a summary of the TJX settlement.

Nevada appears to be the second State to incorporate the Payment Card Industry Data Security Standard (PCI) into its personal information security law. Minnesota is the other State that incorporated part of PCI into its law. 

The Merrick Bank v. Savvis lawsuit has the potential to change the liability dynamic of the PCI regulatory system.  The Savvis case is one of the first known instances of a payment card security assessor being sued by a merchant bank ( the merchant bank is a third party relative to the Savvis-CardSystems relationship).    The Merrick Bank compliant alleges that it relied on Savvis' certification of CardSystems  as Visa CISP compliant (this matter pre-dated the PCI standard), and that certification was false.  After CardSystems suffered a breach exposing up to 40 million payment card records, Merrick allegedly incurred $16 million in payments to the card brands (which was ultimately transferred to issuing banks who suffered losses arising out of the CardSystem breach).

If Savvis is held liable (or even if this case makes it past motion to dismiss or a motion for summary judgment) it has the potential to significantly modify the relative risk of PCI qualified security assessors, and in turn modify the PCI regulatory scheme.  This post discusses the two theories of liability alleged by Merrick:  (1)  negligence; and (2) negligent misrepresentation.

Please note, while I am an attorney this post does not in any way constitute legal advice or a legal opinion, and should not be relied upon to take any action or be the basis for any inaction.  The law related to this case is complex and varies from jurisdiction to jurisdiction, and over time.  If you are interested in a full legal analysis of potential security assessor liability in a particular jurisdiction, please contact me directly at djn@davidnavetta.com

One further note, the basic rules and general information in this document was derived from various legal research sources.  However, one book in particular provided excellent information on the liability of service providers to third parties.  Please check it out, and purchase it: Professional Liability to Third Parties (Jay M. Feinman).

UPDATE:  Other bloggers/mags are putting together some nice analysis of this case as well:  here, here

Relevant Allegations

In order to understand the theories of liability alleged by Merrick, it is important to spot the specific allegations that will ultimately support those allegations.  The key allegations, which are repeated throughout the complaint, include:

• Merrick would not allow CardSystems to process Card Transactions until it was certified as CISP compliant

• Savvis was specifically retained to certify CardSystems as CISP compliant, and did so pursuant to a Report on Compliance issued to VISA

• Upon learning of the results of Savvis's Report on Compliance (after CardSystems was listed by Visa as CISP compliant) Merrick allowed CardSystems to serve as its processor

• According to a post-incident forensic analysis, at the time Savvis issued the ROC, CardSystems had been improperly and continuously storing unencrypted cardholder data

• Savvis provided the ROC to VISA for the express purpose and with knowledge that Visa would publish the ROC, and that merchant banks would rely on it to determine whether CardSystems met the CISP standard

• It was reasonably foreseeable to Savvis that merchant banks would rely on its report

• Savvis knew or should have reasonably known that its certification of CardSystems was directly for the benefit and guidance of merchant banks

Analysis

The key threshold issue in this case is whether Savvis owed any duty of care to Merrick with respect to the security assessment it provided to CardSystems, and if so the extent of those duties.  Note that the typical method for establishing a duty in a professional services context is via a contract (and when two parties are bound contractually they are said to be in "contractual privity").  In this case, Savvis likely had a contract with CardSystems to perform an assessment, but did not have a direct contractual relationship with Merrick.  The lack of contractual privity is main legal obstacle faced by Merrick.  Are there other non-contractual theories of liability that apply to Savvis in this context?  Merrick Bank has alleged negligence and negligent misrepresentation against Savvis.

Negligence

In the professional service provider/client relationship, negligence is typically a valid theory of liability.  For example, it is the basis for many malpractice claims against lawyers, doctors, accountants and architects.  The validity of a negligence claim is trickier when it is a third party alleges it.  The key analysis is whether the service provider owed any duty to a third party to perform its services in a reasonable and competent manner.  Unfortunately, this is not an easy question to answer under the law.  There are several different tests courts consider to make this determination, and different jurisdictions may apply different tests or apply the same test in a divergent manner.  In addition, whether a duty exists will also rest heavily on the particular facts of the case at hand.  That said, in general, some Courts are wary of circumstances that will result in unlimited liability down the line for service providers.   The following represents a brief description of some of two of the main tests:

• Foreseeability. In the most basic approach to determining whether a duty exists, the Court asks whether the defendant's actions create a foreseeable risk of harm to the third party plaintiff.  Typically both the plaintiff and the risk of harm must be foreseeable.  This approach is criticized by some on the basis that the concept of  "forseeability" is unbounded and can extend extremely far.

• Balance of Factors Test. This test considers foreseeabilty of harm to the plaintiff as only one of several factors to determine whether a duty exists.  Other potential factors include:  the extent to which the transaction was intended to affect the plaintiff; the degree of certainty that the plaintiff suffered injury; the closeness of the connection between the defendant's conduct and the injury suffered; the moral blame attached to the defendant's conduct; and the policy of preventing future harm.  After argument by the parties,  all of these factors are weighed by the Court which then determines whether a duty exists.

Other jurisdictions employ variations of these tests.  In Wisconsin state courts, for example, if it is foreseeable that the service provider's actions could harm a third party, then a duty will not exist only if there are overriding public policy considerations.  Some courts employing the balance of factor test focus on the relationship between the parties, and specifically if there was any indication that a third party was the intended beneficiary of the professional services rendered.

One more important factor with respect to negligence: even if a duty is found to exist as to a third party, the "economic loss doctrine" may bar recovery of any "economic loss" (loss that is not a personal injury or property damage).  This doctrine is also complex and applied differently depending on the jurisdiction.  In some jurisdictions it does not apply when services are at issue (as opposed to products).  In other jurisdictions, "professional services" such as those provided by lawyers or accountants are not protected by the rule.  However, if the rule does apply, it can wholly eliminate the type of damages being claimed by banks like Merrick (and in fact has been used to dismiss negligence claims by issuing banks for security breaches in the TJX case and BJ Wholesalers cases).

Negligent Misrepresentation

Similar to the accountancy field, the payment card security assessment field involves an act of attestation.  That is, an opinion/representation as to the status of a company's financial statements (for accountants) or security status against a particular standard (for security assessors).  If these "representations" are purposely false or simply incorrect because of mistakes, plaintiffs may have an action for fraud or "negligent misrepresentation."  Merrick alleged in this case that Savvis's certification of CardSystems was a negligent misrepresentation because in reality CardSystems was not CISP compliant.  Similar to negligence claims (which often overlap with negligent misrepresentation claims because they require proof of a failure to meet the standard of due care), the approaches employed with respect to this theory varies by jurisdiction.

The original position adopted by most courts concerning negligent misrepresentation was that third parties not in privity of contract (or "near privity") could not utilize this theory of liability (see Ultramares v. Touche, 1931).  The sixty year reign of the Ultramares case began to erode in the 1960s based on new case law and the eventual adoption of Section 552 of the Restatement (Second) of Torts, which represents the modern approach to service provider negligent misrepresentations to third parties.  Section 552 states in relevant part:

(1) One who, in the course of his business, profession, or employment, or in any other transaction in which he has a pecuniary interest, supplies false information for the guidance of others in their business transactions, is subject to liability for pecuniary loss caused to them by their justifiable reliance upon the information, if he fails to exercise reasonable care or confidence in obtaining or communicating the information.

(2) * * * liability in Subsection (1) is limited to loss suffered (a) by the person or one of a limited group of persons for whose benefit and guidance he intends to supply the information or knows that the recipient intends to supply it; and (b) through reliance upon it in a transaction that he intends the information to influence or knows the recipient so intends or in a substantially similar transaction.

Interestingly, if you read the Merrick complaint (or the relevant facts laid out above) you will see that many of the words used in section 552 are copied verbatim.

In the typical situation, many of elements in subsection (1) are satisfied in a typical attestation situation.  In this case it is not a stretch to say that security assessors supply information that is relied upon by third parties.   However, plaintiffs may have to establish that their reliance was justified - the more direct the reliance the better their chances.  So if there were other factors that impacted Merrick's decision to hire CardSystems and CISP certification was secondary, the issue of reliance may be more difficult to establish.

In addition, in some cases it may be difficult to establish that the information was "false" (especially when there are gray interpretative areas involved).  Likewise, in some cases it may be a challenge to establish that the security assessor violated his or her duty of care. If a security assessor's opinion was reasonable the plaintiff may not be able to establish this element.  Of course, if there are obvious ("black and white") mistakes, such as the failure to encrypt cardholder data or the storage of track data, this element will be less difficult to establish.

The elements in subsection (2) of section 552 require both that the service provider have knowledge of the person or group of persons that will be receiving benefit or guidance from the opinion, and that the service provider (or recipient of the information, e.g. CardSystems of VISA) intends the information to influence the plaintiff with respect to a transaction.  These knowledge and intent issues often ultimately impact the failure or success of plaintiff's case.

The application of these knowledge and intent requirements may vary by jurisdiction.  Some may take a narrow view and require that the service provider specifically intended to induce the plaintiff's reliance for a particular transaction (e.g. the service provider would have had to have known of the transaction, and known that their opinion was the key information that was inducing the plaintiff to go through with the transaction).  In some cases, the plaintiff may only need to know of the potential users of the information and the potential use of the information.  In addition, some courts may require actual knowledge of the potential users of the information, while others may allow this element to be satisfied if the service provider has reason to know of potential users/uses of the information.

One item to note again with respect to the economic loss doctrine.  While it often blocks plaintiffs from recovering under negligence theories, in some jurisdictions the doctrine is inapplicable to fraud and negligent misrepresentation claims.  So if plaintiff can establish a negligent misrepresentation claim, it may have a good route to recovery.

Lastly, it must be noted that the negligent misrepresentation claim, in general, has been utilized by issuing banks against merchants already in the TJX case.  Although the context is different (TJX involves a merchant's misrepresentation as opposed to a security assessor's  misrepresentation), an appellate court refused to dismiss a negligent misrepresentation claim based on indirect representations of CISP compliance.  Thus, it may be that the negligent misrepresentation claim against Savvis could have some legs.

Conclusion - Observations of the Merrick Case

The Merrick case represents a potential watershed moment for the payment card security assessor industry (and security auditors in general).  If liability is found in this case, and especially if case law is created that goes against Savvis, security assessors will be entering the world of lawyers, doctors, accountants and architects.  This world will involve much higher potential for liability, more need to purchase professional liability insurance, increased costs for merchants employee assessors, more rigorous ethical obligations and potentially a higher level of skill and scrutiny applied to security assessment engagements.  Over time, this world could start to look more like the world of accountants.

Unfortunately for security assessors, since there is no ability to gain contractual protection through limitations of liability or consequential damages disclaimers, it may be difficult to deflect liability.  Significantly, as one can ascertain above, whether plaintiff's claims are valid in this context may involve a fairly fact intensive inquiry.  In many instances, legal matters that are highly fact intensive are allowed to proceed past a motion to dismiss or motion for summary judgment -- factual disputes are for juries to decide typically.  What this means is litigation leverage for the plaintiffs - with good fact patterns the pressure to settle these cases may be great since victory may come down to who has the better facts and who can argue those facts the best.  Moreover, regardless of the facts, arguing in front of a jury always poses a risk.

Based on the foregoing it is very difficult to make any predictions concerning the Merrick Bank case.  However, the fact pattern in this case appears favorable to Merrick based on alleged severe violations of CISP and the magnitude of the breach.  Merrick has gone out of its way to tailor its allegations to match the legal elements discussed above.  Whether those allegations are substantially true remains to be seen.  For instance, was the CISP compliance truly the make or break factor that Merrick relied on to enter into a transaction with CardSystems?  The complaint mentions MasterCard's security program.  Was it justifiable and reasonable for Merrick to rely on CardSystems CISP certification as a proxy for compliance with Mastercard's security rules?  Will the court require that Savvis have actual knowledge and intent to induce the particular transaction at issue?

Please note that a potential analogue for security assessors are lawsuits by investors against accountants.  Both engage in attestation services that are known to some degree to be relied upon by third parties.  There are numerous cases going both ways (some finding liability/some not) with respect to accountant liability to investors who relied on inaccurate financial statements.

Finally, one thing to be aware of with respect to negligent misrepresentation.  If a security assessor is made aware that its assessment will be relied upon by a particular third party as the key factor in it deciding to engage in a transaction, the more likely a negligent misrepresentation claim will be valid.  QSAs brought into an engagement for this purpose should pause and consider the implications of making a mistake.

Regardless of the outcome, this case will be very interesting to watch and it will surely wake the QSA community up.  Once we have more information we will put it up on the blog.  In the meantime, feel free to contact me with any questions on this matter.

I had missed the original filing of this complaint, but have now been able to obtain a copy of it.  Essentially a lawsuit by a bank against Savvis for allegedly making a mistake in certifying CardSystems as CISP compliant.  The complaint alleges $16 milion in damages, which essentially are the amounts that Merrick (acquiring bank) paid to the various card associations to satisfy claims by issuing banks arising out of the CardSystems breach. The compliant was filed in May 2008, so it is somewhat odd that news outlets are just now reporting it.

Some interesting statistics from a new report from Verizon Business. The Washington Post security writer sums it up nicely in terms of the payment card data market:

[Verizon] said it responded to at least 90 confirmed data breaches last year involving roughly 285 million consumer records, a number that exceeded the combined total number of breached records from cases the company investigated from 2004 to 2007. Breaches at banks and financial institutions were responsible for 93 percent of all such records compromised last year, Verizon found.

This has resulted in a huge decrease in the price per credit card in the black market:

As a result, the stolen identities and credit and debit cards for sale in the underground markets is outpacing demand for the product, said Bryan Sartin, director of investigative response at Verizon Business.  Verizon found that profit margins associated with selling stolen credit card data have dropped from $10 to $16 per record in mid-2007 to less than $0.50 per record today.

An article I did for the ISSA Journal:  Who is Minding the Legal Risk Around PCI?

Rumors abound that another big processor (not Heartland), may have recently suffered a security breach.

Link.

Stay tuned.

Despite the changes to PCI that went into effect in October 2008, more PCI-compliant entities are suffering security breaches.  Added to the list of Hannaford, Best Western and Forever 21 are Heartland Payment Systems and RBS Worldpay.

While the details are still murky on the number of records impacted (somewhere between 13 and 8 million), it appears that we have a security breach of another high profile corporation claiming PCI compliance at the time of breach. SC Magazine has the story here.

Here is Best Western's statement on the breach:

"We comply with the Payment Card Industry (PCI) Data Security Standards (DSS). To maintain that compliance, Best Western maintains a secure network protected by firewalls and governed by a strong information security policy. We collect credit card information only when it is necessary to process a guest's reservation; we restrict access to that information to only those requiring access and through the use of unique and individual, password-protected points of entry; we encrypt credit card information in our systems and databases and in any electronic transmission over public networks; and again, we delete credit card information and all other personal information upon guest departure. We regularly test our systems and processes in an effort to protect customer information, and employ the services of industry-leading third-party firms to evaluate our safeguards."

Obviously, the facts are still murky, but it will be interesting to see what, if any, protection PCI compliance will have from a liability perspective and a "safe harbor" perspective.

While I will have to defer to my tech/security-oriented friends, we have reports of exploits that may be similar to the one suffered in Hannaford: Vermont ski area reports Hannaford-like theft of payment card data.

This exploit may be more common than just Hannaford:

And Hannaford and Okemo may not be the only businesses disclosing breaches involving payment card data in transit between systems. According to McPherson, law enforcement authorities who are investigating the breach at Okemo told resort officials that they currently are looking into about 50 reported incidents of the same sort in the Northeast alone.

So what does this all mean? Do the controls required under the PCI Standard address this issue? What about encryption under 4.1 and the language concerning "networks that are easy and common for a hacker to exploit." In general, has the security community anticipated this sort of attack? Is it reasonably foreseeable that hackers would exploit the point-of-sale systems? Legally, is failure to address this type of exploit "unreasonable" for purposes of negligence claim?

This is the basic question I posed to Bob Russo, General Manager of the PCI Council, during an online PCI forum put on by SC Magazine:

Are the FAQs incorporated into and automatically made part of the PCI Standard when published? If so, is there a document or some sort of proclamation indicating that the FAQs are part of the PCI Standard?

Mr. Russo orally indicated "yes," the FAQs are intended to become part of the PCI Standard when they are published. Mr. Russo, however, was not aware of any document or proclamation that indicated that the FAQs were incorporated/made part of the PCI Standard. He indicated that he was making a note on that point to see about creating such a document.

What does this potentially mean in terms of legal liability issues? Well at least with FAQs, if they are made part of the PCI Standard, merchants and QSAs will have a stronger argument of the authoritative weight of the FAQs if ever challenged on the issues addressed in the FAQ. However, this still does not mitigate potential risk around receiving "informal" advice on ambiguities from the PCI Council, processors or merchant banks. Since this type of informal advice is not officially made part of the PCI Standard, its ability to be relied upon as interpretative authority in court or otherwise is arguably weaker. More on these issues to come.

Looks like four were filed last week (click on each to get a copy of the complaint):

Ryan v. Delhaize Am. Inc., D. Me., No. 1:08-cv-00086JAW, complaint filed 3/18/08;

Dobryniewski v. Delhaize Am. Inc., M.D. Fla., No. 2:08-cv-00235-JES-DNF, complaint filed 3/18/08;

Doherty v. Hannaford Bros. Co., D. Me., No. 2:08-cv-00089-DBH, complaint filed 3/19/08; and

Major v. Hannaford Bros. Co., D.N.H., No. 1:08-cv-00106-JL, complaint filed 3/20/08.

These pleadings may be a little sparse considering the lack of public knowledge of what happened at Hannaford. I have not read through them yet, but will try to do so later to see how the plaintiff attorneys are approaching this situation.

Interestingly, some reporters are digging deeper to explore the implications of a PCI-compliant company suffering a payment card breach: see here.

I think we don't have all the information so we everybody is engaging in various levels of speculation. However, we do know two facts: (1) compliance with PCI was represented in Hannaford's privacy policy (last visited 3-21-2008); and (2) there was a breach exposing cardholder data. In my view, here are some of the possibilities (in no particular order of likelihood, and by no means an exclusive list):

(1) the qualified security assessor (QSA) (or internal assessor) may have misinterpreted or loosely interpreted a section of the PCI standard (and the reality was there were security weaknesses);

(2) the PCI compliance may have been old or outdated (e.g. they may have been PCI compliant 9 months ago, but perhaps added new systems that were not secured consistently with PCI);

(3) Hannaford may not have provided all of the information to the QSA (assuming one was used) that it needed to validate its decision (e.g. this could include mistakes in defining which parts of Hannaford's networks were in-scope/out-of-scope);

(4) Hannaford may have been 100% PCI compliant and reasonably secure in general and just got unlucky (e.g. there is no such thing as 100% perfect security). Under this scenario, Hannaford would argue that it was not negligent because it did all the right things and that unfortunately these things just happen.

(5) Hannaford and/or its QSA may have had a security weakness or questions about an ambiguity and may have had either the PCI Council, its upstream payment processor or its merchant bank give a bad interpretation.

The interesting issue will be, assuming that some sort of negligence is shown, who was/is ultimately responsible? Hannaford? The QSA? A merchant bank that accepted Hannaford's certification?

Much more to come on this one.

Update: well that was quick. The class actions come flooding in.

(**For an easier to read version of this article click HEREto download)

While starting off as "just" an information security standard, the Payment Card Industry Data Security Standard, v. 1.1 ("PCI" or "PCI Standard") now presents serious legal challenges and risk for retailers. The PCI framework currently operates like a law without courts or regulators - there is no centralized body to resolve interpretative discrepancies in a consistent, precedental and binding manner. Moreover, in many cases PCI compliance is performed by security professionals with no attorney collaboration and little understanding of the legal risks involved. This article discusses the legal framework and implications PCI, the problems with the standard in the legal context, and actions that merchants should explore to reduce legal risk arising out of PCI.

PCI Background.

The PCI Standard is a grouping of six control objectives that a merchant, service provider or other entity subject to PCI must satisfy to secure cardholder data. The Standard has been universally adopted by the major payment card companies. However, each payment card company also has its own payment card security program ("Security Program"). The Security Programs are the definitional, procedural and enforcement rules and requirements of the payment card brands around payment card security. Examples include VISA's Cardholder Information Security Program (VISA CISP) and MasterCard's Site Data Protection. Security Programs dictate merchant level definitions, procedures, deadlines and documentation for validating PCI compliance, documentation requirements for security assessment, security incident response requirements and fines and penalties. So if a merchant deals with all the five major payment card brands, it must comply with not only the PCI Standard, but also each five separate Security Programs. All of this is enforced contractually.

The Legal Foundation of PCI - The PCI Contract Chain

Unlike security laws such as Gramm-Leach-Bliley, HIPAA and Sarbanes-Oxley, the PCI Standard and Security Program rules are not statutes or regulations enforced directly by the government. Rather, the PCI Standard and the Security Program rules are imposed and typically enforced contractually through the PCI Contract Chain.

At the top of the chain are the payment card companies. The payment card companies establish merchant relationships by working through "merchant" or "acquiring" banks. The contract between merchant banks and payment card companies is the first contractual relationship in the payment card industry chain. The merchant banks (or payment processors working with the merchant banks) process the payment card transactions for the payment card companies they partner with. If a merchant wants to be able to accept payment cards to transact business, it must be vetted by a merchant bank (or payment processor) and enter into a contractual relationship with that merchant bank (or payment processor). Finally, merchants sometimes enter into relationships with service providers for the processing, storage or transmittal of payment card data. As the final link in the chain, merchants and service providers will enter into contractual relationships.

This presents several legal issues:

1. No Direct Contractual Relationship between Merchants and Payment Card Companies. The significance of the chain is that there is typically no direct contractual relationship between payment card companies and merchants. Therefore, generally speaking, merchants cannot be directly required to legally adhere to Security Programs or the PCI Standard by payment card companies. Rather, if any contractual obligations do exist they are passed through the contract that exists immediately upstream from the merchant (e.g. the contract between the merchant and merchant bank or payment processor). Nonetheless, in practical terms, payment card companies may be able force compliance by leveraging their relationships with merchants and access to payment card processing.
2. No Direct Duty for Service Providers to Comply with PCI or Security Programs. There is typically no inherent duty for a merchant's service providers to comply with the PCI Standard Any duty for a service provider to comply with the PCI Standard will flow contractually from the merchant to the service provider (typically not from the payment card companies to the service provider). Therefore, unless merchants impose contractual obligations on their service providers, they may find themselves without leverage to force those service providers to become PCI compliant.
3. A Merchant Compliance with PCI is Directly Contingent on Contractual Obligations Imposed on its Service Providers. Section 12.8 of the PCI Standard requires merchants to do the following:

   If cardholder data is shared with service providers, then contractually the following is required:

   12.8.1 Service providers must adhere to the PCI DSS requirements

   12.8.2 Agreement that includes an acknowledgment that the service provider is responsible for the security of cardholder data the provider possesses.

   If these duties are not contractually established then the merchant may not be able to establish its own compliance with PCI.

5. Matching Upstream and Downstream Obligations and Risk. The scope of a merchant's PCI obligations (including compliance with the PCI Standard and Security Programs) is dictated by its upstream contracts with merchant banks or service providers. Merchants must protect themselves by imposing upstream PCI contractual obligations and risks downstream to their service providers. So if a merchant agrees to pay fines and penalties for failure to comply with PCI, it should also require its service providers to pay any fines and penalties imposed on the merchant because of the service provider's failure to comply.

The contractual nature of PCI makes it necessary for a merchant's legal staff to understand and become involved in the PCI compliance process. Most of the issues outlined above require legal analysis, contract drafting and negotiation. Attorneys should develop strategies for limiting liability from upstream contracts, and passing liability downstream to service providers.

One area of special difficulty is existing service provider relationships. If a merchant faces fines or the loss of processing capability because its existing service providers are not PCI compliant, it could be difficult to re-open negotiations and force service providers to invest the time and resources to become PCI compliant. As such, before fines and threats start coming in, a merchant's legal staff should be devising a strategy for addressing PCI contractually with existing service providers (as well as new providers). While these contractual issues are challenging, the transformation of PCI into a legal standard of care can pose even greater difficulties for an organization.

PCI as a Legal Standard of Care

The PCI Standard is transforming into the legal standard of care for merchants handling payment card data. As a result, merchants may find themselves liable to financial institutions and/or consumers if they fail to adhere strictly to the PCI Standard. Unfortunately, PCI compliance is often viewed purely as a security exercise without high (or any) involvement from a merchant's legal team. As PCI increasingly becomes a legal standard, attorney participation (including the use of attorney-client privilege) is a necessity in order to decrease liability risk. This section discusses how PCI is evolving into a legal standard, including: (1) under the common law in support of a "negligence" claim; and (2) explicitly in recently proposed and passed State legislation.

PCI as the Standard of Care for a Negligent Security Suit

Negligence is a legal theory of recovery that exists in "common law" - negligence claims do not involve laws passed by legislators or regulators. To prevail in a negligence suit, a plaintiff must establish the following: (1) a duty to use ordinary care; (2) breach of that duty; (3) a proximate causal connection between the negligent conduct and the resulting injury and (4) resulting damage. Negligence is a theory used to support liability actions as simple as slip-and-fall lawsuits to complex environmental disaster lawsuits.

In the PCI context, plaintiffs can allege negligence by arguing that a merchant handling payment card data has a duty to protect such data, and the failure to comply with the PCI Standard represents a breach of "ordinary care" if the merchant suffers a security breach. However, even if a breached duty can be established, plaintiffs still must prove that a security breach suffered by a merchant caused them damages. As discussed further below, while it has been difficult for consumer and financial institution plaintiffs to establish damages, recently passed and future legislation may make it easier for financial institutions to recover from merchants.

The use of the PCI Standard to support a negligence claim was recently demonstrated in the TJX matter. In that case several banks sued TJX for the costs to reissue credit cards (amongst others) in the wake of a massive security breach suffered by TJX involving millions of card numbers. To support their allegations of negligent security, the banks retained an expert to critique TJX's security posture. That expert relied on TJX's own PCI audit reports (performed by security firms hired by TJX) to argue that PCI breached its duty of ordinary care to protect payment card data. A copy of that expert opinion can be found by clicking here. The bank's expert noted that TXJ's auditors concluded that TJX satisfied only 3 of the 12 sections of PCI. In addition, the expert opinion noted specific security failures tied to the TJX breach that can also be traced back to PCI requirements. For example, TJX allegedly stored "Track 2" data which can be used to recreate the magnetic strip of a payment card, which would be a violation of section 3.2. of the PCI Standard. The end result was a $41 million settlement and tens of millions in legal fees and other costs

It is uncertain to what extent TJX's legal team was involved in the post-breach response, whether TJX took steps to try to shield its auditor's actions with attorney-client privilege, and if so, whether it asserted that privilege in court. Nonetheless, it is clear that conducting a PCI audit and taking steps to comply with PCI has significant legal repercussions -- any adverse finding of non-compliance that is not shielded by attorney-client or attorney work product privilege can be used by plaintiffs against a merchant. These admissions of non-compliance can result in merchant liability, especially when used in conjunction with a new species of laws that requires adherence to PCI.

Plastic Card Protection Laws - PCI Incorporated Into New State Laws

Even more troubling for merchants of all sizes, are new proposed bills, and at least two passed laws, that provide banks with a right to obtain reimbursement from merchants that suffer a security breach exposing payment card data. In essence, these bills allow banks to get around proving the "damages" element of a negligence claim, and arguably provide for "strict liability" in the event a merchant suffers a payment card security breach. Prior to such laws, financial institutions lost some high profile lawsuits, in part, because of an inability to prove damages (see for example the B.J. Wholesalers' lawsuit: B.J. Wholesaler Summary Judgment Ruling and PSECU Motion to Dismiss).

Some of these Plastic Card Protection bills/laws directly incorporate PCI as the requisite security standard for payment card data.

Several States have proposed bills allowing banks to seek reimbursement for security breaches, including Massachusetts, Illinois, Connecticut, Texas, Minnesota, California, Michigan, Alabama, Iowa and Washington. While many of these bills are in limbo or may not pass, they demonstrate a willingness on the part of lawmakers to seriously consider relief for banks and incorporate PCI into law (TX, CA, MI, MN, IA and AL all tie PCI compliance to their bills).

In fact, Minnesota has actually passed laws providing banks with a right to seek reimbursement after a merchant suffers a breach. This law represents a paradigm shift in terms of merchant liability and compliance. The multiplier effect of damages for a payment card security breach (e.g. $20-50 allegedly per card multiplied by thousands or tens of thousands of exposed payment card numbers) has the potential to literally wipe out small and medium organizations, and severely damage even large companies. These costs were previously unrecoverable (or at least very difficult to recover) because of the pre-emptive nature of reissuing cards to avoid potential future fraud.

Minnesota's Plastic Card Protection Act ("Act") incorporates, in part, the requirements of Section 3.2 of the PCI Standard. To comply with the Act, companies accepting payment cards must destroy or delete sensitive authentication data (including the same "Track 2" data that TJX allegedly stored) within 48 hours of authorizing a transaction with such data (the "48-hour rule"). If a merchant violates the 48-hour rule and suffers a breach exposing payment card data, banks can recover reasonable costs associated with addressing that breach (including the costs of reissuing new payment cards, opening and closing accounts, etc.). This Act also applies to entities using service providers that store, process or transmit payment card data - a merchant that provides sensitive authentication data to a service provider will be in violation of the Act if its service provider does not comply with the 48-hour rule. The reach of the Act is potentially nationwide - merchants only need to be "doing business" in Minnesota for it to apply - the Act is not limited to the exposure of payment card data of Minnesota residents. "Doing business" in the legal context could be as simple as having a commercial website accessible in Minnesota.

Section 3.2 of PCI, in fact, prohibits the storage of sensitive authentication data for any period of time. So, if an organization is strictly in compliance with section 3.2 of PCI, it should also not be in violation of the 48-hour rule. Significantly, some of the other bills incorporating PCI incorporate multiple sections of PCI, and in the case of Washington State and Texas, the entire PCI Standard.

While these Plastic Card Protection laws do provide a direct path to liability, what is the problem for companies that consider themselves PCI compliant? As discussed further below, even for PCI compliant merchants, there are several problems that arise out of the PCI standard and framework, and the use of a private security standard as a public legal standard to be ruled on by judges and juries. The next section explains the problems with PCI as a legal standard both in terms of its administration by the PCI Council and payment card companies, as well as the risk of handling PCI as solely a security matter.

PCI: A Law Without A Judge or Jury

The overarching problem with PCI is that it is a security standard that is becoming a law. Unfortunately, the PCI Standard was not necessarily drafted like law; nor is it interpreted like a law. Rather it is interpreted by non-lawyer security professionals solely as a security standard - either qualified security assessors (QSAs) or a merchant's internal security team (in the case where a self-assessment is appropriate). There often may be no awareness as how security interpretations will be viewed by a court of law, and little to no lawyer involvement. In addition, unlike laws passed by lawmakers, there is no mechanism for resolving ambiguities or exceptions to the PCI Standard. No body similar to a court or regulator exists in the PCI context to create precedent or provide official guidance that can be relied upon by the merchant community to make compliance decisions.

PCI Ambiguity

During the September 2007 PCI Council Meeting in Toronto it was revealed that there had been hundreds of questions submitted concerning the interpretative uncertainty arising out of the PCI Standard. Unfortunately, as PCI becomes a legal standard, the ambiguities inherent in the PCI Standard could lead to legal liability. The problem is compounded because there is no official body within the PCI framework to resolve those ambiguities and provide merchants with guidance on how to comply with PCI.

A good example is section 12.8 of the PCI Standard, which reads:

If cardholder data is shared with service providers, then contractually the following is required:

12.8.1 Service providers must adhere to the PCI DSS requirements

12.8.2 Agreement that includes an acknowledgment that the service provider is responsible for the security of cardholder data the provider possesses.

Although section 12.8 seems fairly straightforward, according to some QSAs and merchants this language is subject to various interpretations. The following represent the range of interpretations that may apply:

1. Narrow interpretation: contract language indicates that service provider must adhere to the PCI Standard, which means that the minute the contract is effective the service provider must be PCI-compliant and the merchant should confirm such compliance;
2. Middle-ground interpretation: contract language indicates that service provider agrees that it must adhere to the PCI Standard, which means that the minute the contract is effective the service provider must be PCI-compliant, but the merchant does not need to confirm such compliance, but rather can trust the service provider's representation that it is compliant; and
4. Loose interpretation: contract language indicates that the service provider agrees that it must adhere to the PCI Standard, but the merchant has discovered that the service provider has some controls that need to be implemented to achieve full PCI compliance and imposes a deadline after the effective date of the contract to achieve such compliance in the future. Under this interpretation, the QSA would be effectively interpreting a merchant to be in compliance with 12.8.1 as long as the service provider contractually promises to adhere to the PCI Standard during the contract term by a certain reasonable date, even if not compliant at the inception of the contract. Stated differently, it is the "magic words" in the contract that matter not whether the service provider is actually PCI compliant.

It appears that the middle-ground interpretation meets the literal requirements of the PCI Standard. However, if this was presented in a court of law, a plaintiff would argue for the narrow interpretation (e.g. is it reasonable or within the spirit of PCI to simply rely on a vendor's promises without confirming actual compliance). Herein lies the problem: unless a merchant adheres to the strictest interpretation of the various sections of PCI, plaintiffs will always have arguments (and therefore leverage in a lawsuit) that the merchant was not in compliance with PCI. Remember, these lawsuits arise because the merchant has already suffered a security breach that will likely put the merchant in a negative light in front of a judge or jury. If the breach is at all related to the failure to comply with a section of PCI (and in many cases even if its not) the merchant will have a difficult time in court.

No Centralized or Official Binding Precedent Setting Body

Unlike laws, which have courts and regulators to render opinions and issue interpretative guidance that is binding and can be relied upon for planning purposes, the current system for PCI is ad hoc, decentralized and inconsistent. It has no mechanism for rendering "binding" decisions on interpretive differences.

The following personal anecdote underscores this problem. Interpretative issues also arise under Section 12.8 with respect to new versus existing service provider relationships. For example, despite the indication that contractual language must be in place, at least one QSA has that it will pass a merchant on section 12.8 if the merchant gets a letter from its non-PCI compliant service provider indicating that the service provider intends to comply with PCI some time in the future. The QSA that asserted this position informed me that this approach had been approved by the PCI Council and/or payment card brands in some sort of writing. I attempted to get that writing from the QSA as well as a sample of a proper letter so I could advise my clients on this short-cut, but the QSA could not produce the document.

Therefore I attempted to communicate directly with the PCI Council on this issue. The PCI Council refused to answer my questions and confirm the short-cut despite the fact that this issue dealt directly with the PCI Standard (and not a payment card brand Security Program). Instead, the PCI Council told me I had to get an answer from each of the payment card companies. I followed through by sending the question to each of the five major payment card companies. Three companies simply did not reply (JCB, Discover and MasterCard). American Express replied, but indicated that it was not in a position to make that determination and that it was up to each merchant's QSA to make the decision. A representative from VISA, however, provided a partial answer to my question:

In general, the Service Provider's legal counsel may provide the assessor documentation/letter that 12.8 requirement is being addressed in existing (or future) contracts despite not having the exact 12.8 language. The main goal is to stipulate the accountability for keeping the cardholder data secure and responsibility in any compromise event

I asked for some further clarification on this answer, but there was no response to my follow-up e-mail.

There are several problems with this approach now that PCI has effectively become the law. First, its clear that there is no centralized decision-making body to render decisions on PCI ambiguities. The PCI Council passed the buck to the payment card brands, and AMEX passed the buck to the QSAs. There are hundreds of QSAs, so potentially hundreds of different interpretations. Moreover, each payment card company may have a different view of how to interpret 12.8. This does not take into account payment processors and merchant banks that are also known to take their own positions on PCI.

While VISA did provide an answer, it would likely not be binding upon any of the other card brands. In fact, since VISA's comment is outside of a contractual setting it may not even be binding against VISA itself (e.g. there is no direct contractual relationship between VISA and the merchant).

Moreover, its typically consumers, payment card processors, issuing banks and merchant banks that would sue or fine a merchant because of a security breach. How would an email from VISA be binding on those organizations?

As PCI is becoming the law a system without a centralized decision-making body to resolve interpretative differences poses significant liability risks. Under a legal system, courts resolve interpretative differences in lawsuits or regulators provide interpretative guidance (see e.g. the HHS and HIPAA and the FTC and GLB). While that system is imperfect for several reasons, at least at the end of the day legally binding precedent is created. Organizations can rely on the court's opinion or regulators' guidance to make their own decisions on various interpretations with some certainty that those decisions will be legally binding. Those decisions and guidance are available for the entire world to read and they end up creating consistency across the business community in general.

Unfortunately, the PCI system is extremely decentralized and uncertainty abounds. The PCI Council reportedly may begin addressing this issue by issuing a series of "FAQs" to address interpretive issues. However, even with FAQs, the legally binding effect is uncertain. Are FAQs rendered by the PCI Council binding on merchant banks and payment processors that have contracts with merchants?

The PCI Council should consider establishing an official centralized body that renders interpretative decrees that become part of the PCI Standard itself and that are binding on all of the participants in the PCI contract chain. In addition, merchants should take steps to have their attorneys deeply involved in PCI compliance efforts to reduce the risk of liability - the Standard needs to be viewed as a law, not merely a security standard.

Security Analysis versus Legal Analysis

The reality right now is that non-lawyer QSAs are making the essential decisions on PCI compliance for merchants. However, their interpretations of PCI are made through a security prism, not a legal prism. Moreover, some QSAs may accept looser interpretations of the PCI Standard because of economic incentives (e.g. preservation of client relationships) or pressure from their merchant clients to "pass" them. While looser interpretations may be fine in the security world in some areas, some of those interpretations may be ripped apart when scrutinized by a plaintiff's attorney and/or judge or regulator.

From a legal standpoint, merchants should assume that the narrowest interpretation of the PCI standard will be used against them in a court of law. Plaintiff's attorneys will present expert witnesses who will testify in favor of the narrow and literal interpretations of PCI, and those experts will have the actual wording of the PCI Standard to back them up. In addition, those experts will use any and all adverse security assessment findings, including those made by the merchant's own auditors, against them. If PCI is not approached through a legal prism (in addition to a security prism) the liability risk increases. Attorneys should be used to attempt to shield adverse assessment opinions as well as to scrutinize the security team or QSA's interpretation of the PCI Standard. Attorneys should also be used to assist in the development of written policies and procedures, as well as documenting compliance with the PCI standard where appropriate. As the legal risks continue to grow, relying solely on security professionals for PCI compliance will not be an option.

Action Items for Merchants

As the PCI Standard increasingly becomes the law, merchants need to adjust their practices and develop a more legally-oriented approach to PCI compliance. On the security side merchants should consider the following:

1. Choose QSA's wisely. Right now QSAs are the interpretative bodies of PCI. If a merchant uses a "fly-by-night" QSA it may be opening itself to risk. Merchants should use QSAs that are not afraid to give the merchant "bad news" and that understand how their interpretations may be viewed in a court of law.
2. Insurance. Make sure that your QSAs are fully insured for their errors and omissions, and try to get named as an additional insured on their policies if possible. In addition, the merchant should check its own policies to determine whether it is covered if one of its service providers suffers a breach or if the merchant is required to pay a fine or penalty for non-compliance with PCI.
3. Not a Rubber Stamp. Despite potential pressures to become PCI compliant quickly and at the least cost, merchants should not view their QSAs as "rubber stamps" of PCI compliance. QSAs, like all professional service providers, enjoy happy clients and will work hard to please their clients. However, if this causes them to take short cuts or apply loose interpretations, it could come back to haunt the merchant in the long run.
4. Develop Relationships with General Counsel. The merchant's security team needs to engage the general counsel (or other members of the merchant's legal team). Many attorneys are intimidated by technology and security issues and may not be aware of the legal issues surrounding PCI compliance. Internal security professionals need to act as the expert advisors to the merchant's legal team and work together to translate security practices into legally compliant practices.
5. Narrow Interpretations. To reduce risk of liability, security professionals should err on the side of interpreting the PCI Standard literally and narrowly. Of course this may conflict with other goals such as keeping expenses down and avoiding business disruptions. The security team should work with the merchant's business decision-makers and risk managers to achieve a balance that reflects the organization's risk tolerance.

The merchant's legal team also needs to get involved in the PCI compliance process, including:

1. Reaching Out to the Merchant's Security Team. Security professionals are often intimidated or uncertain about the law. Security professionals are not lawyers, and they need information to understand how the legal system scrutinizes and judges their activities and decision-making process. The merchant's legal team needs to translate legal and compliance concerns into terms that allow the merchant's security team to implement legally compliant security controls.
2. Use Attorney-Client Privilege. Any adverse PCI compliance finding or assessment can and will be used against a merchant in court. Moreover, drafts of security and privacy policies, and documents (e.g. emails) surrounding the creation of such policies and practices, can be used against an organization in court. Some of the activities and documents of a merchant's internal and external security team may be shielded using attorney-client privilege or attorney work product privilege. While such privileges are not foolproof by any means, taking steps to preserve the privilege may at least pose an obstacle in litigation. Attorneys need to get involved early on in the compliance process to make this work.
3. Analyze Upstream and Downstream PCI-Related Contracts. Much of the legal risk associated with PCI is contractual. Merchants cannot know their risk unless they know their contractual obligations and rights. Attorneys need to understand upstream contractual risk, and use their contracts to pass it on to service providers downstream.
4. Draft Strong Service Provider Contracts. Attorneys should draft strong service provider contracts that require compliance not only with the PCI Standard itself, but also the specific Security Programs of each payment card company program that is applicable. These contracts should address section 12.8 of PCI, as well as providing assessment and audit rights, breach notice and remediation obligations, indemnification clauses and insurance clauses
5. Develop a Service Provider Strategy. Service providers are likely to resist the imposition of additional PCI duties. A merchant's legal team should have contract language and a negotiation strategy developed ahead of time. The strategy should address both new service provider relationships and existing service provider relationships. For existing relationships, the merchant may be highly dependent on its service provider and may lack leverage to re-open contract negotiations. Nonetheless, an approach should be developed to persuade existing service providers to become PCI-complaint before the merchant is fined or receives threats to have its payment card processing privileges revoked because of the service provider's non-compliance.
6. Strict Compliance - Upstream Waiver. If strict compliance with PCI is not possible, try to get a written waiver from the merchant's upstream contractor (e.g. payment processor merchant bank). The best case scenario is to get a formal amendment to the upstream contract reflecting the waiver. While this may not fully protect the merchant from third party suits, it may be helpful in contract disputes with the upstream contractor.

Conclusion

As the legal ramifications of PCI continue to develop and increase, PCI compliance will become an increasingly risky endeavor for merchants. Unfortunately, because the system is run privately by the payment card companies and does not have a centralized body to provide binding guidance and rulings, the system may pose more risk than a traditional governmental regulatory scheme. Regardless, now is the time for merchants to begin engaging their legal teams to address PCI compliance, and opening the lines of communication between the lawyers and security pros. It is also the time to start pressuring the PCI Council and payment card brands to develop a centralized body to provide publicly available and binding guidance and decisions resolving ambiguities within PCI. If these actions are not taken, the PCI Standard could present significant liability challenges for the retail community.

A Direct Path to Merchant Liability for Payment Card Security Breaches

As reported in ISC's March 2007 Newsletter, States like Massachusetts and a handful of others (five in total, including: MA, IL, CT, TX and MN) are considering bills that provide financial institutions (e.g. banks and credit unions) with the ability to sue organizations that expose payment card data due to a security breach ("Payment Card Breach Laws"). These proposed Payment Card Breach Laws provide banks with the right to reimbursement from merchants for costs associated with payment card security breaches, including for the cost to reissue credit cards (allegedly $20 - $50 per card). In short, under Payment Card Breach Laws, when a merchant suffers a breach it could be liable for thousands or even millions of dollars. Taking an extreme example, in the TJX matter, 45 million cards where allegedly exposed - the cost to reissue assuming $20 per card is $900 million. For smaller or medium companies that lose thousands or tens of thousands of card numbers, the impact could jeopardize their solvency.

On May 21, 2007, Minnesota became the first State to pass such a law -- Minnesota's Plastic Card Security Act (H.F. 1758 -- the "Act") is a landmark statute that may radically increase the risk of liability and alter the security practices of retailers and service providers handling payment card data. In this issue, ISC summarizes the Act and outlines some of the issues and challenges arising out of it.

1. The Plastic Card Security Act

Subdivisions 1 and 2 of the Act, which prohibit the retention of certain payment card data for more than forty-eight (48) hours, first take effect on August 1, 2007. Subdivisions 3 and 4 of the law, which provides the right to reimbursement and allow financial institutions to file lawsuits to recover costs associated with a payment card security breach do not apply until August 1, 2008, and only apply to security breaches occurring after that date.

A. "The 48-hour Rule" -- Payment Card Retention Limitations (Subdivisions 1 and 2)

Subdivisions 1 and 2 of the Act attempt to address the problem of payment card security breaches by prohibiting companies that accept payment cards from retaining card security code data, PIN verification code numbers or the full contents of any track of magnetic stripe data ("Sensitive Authentication Data"), subsequent to forty-eight (48) hours after authorization of a transaction. Stated more simply, to comply with the Act, companies accepting payment cards must destroy or delete Sensitive Authentication Data within 48 hours of authorizing a transaction with such data (the "48-hour rule").

This Act also applies to entities using service providers that store, process or transmit payment card data - a merchant that provides Sensitive Authentication Data to a service provider will be in violation of the Act if its service provider does not comply with the 48-hour rule.

Coincidentally (or perhaps not so coincidentally) the Payment Card Industry Data Security Standard, v. 1.1 ("PCI Standard") also references and has rules surrounding Sensitive Authentication Data. Section 3.2 of the PCI Standard (as well as the Preface) prohibits the storage of Sensitive Authentication Data subsequent to authorization (even if encrypted). Unlike the Act, the PCI Standard does not specify a timeframe during which the merchant may retain Sensitive Authentication Data - by its silence, the PCI Standard arguably appears to require the destruction or deletion of Sensitive Authentication "immediately" after authentication. Therefore, as discussed below, PCI compliance (where there has been a tight interpretation of the section 3.2 requirements) may effectively act as a "quasi-safe harbor" from liability under the Act.

B. Financial Institution's Right to Reimbursement

The Act uses violation of the 48-hour rule as the trigger for financial institutions to recover when there is a security breach exposing payment card data. Subdivision 3 provides that when an entity that has violated the 48-hour rule suffers a security breach (or its service provider suffers a breach), any financial institution that issued payment cards affected by such breach is entitled to reimbursement of the costs of "reasonable actions undertaken by the financial institution as a result of the breach in order to protect the information of its cardholders or to continue to provide services to cardholders."

Stated more simply, merchants holding Sensitive Authentication Data for more than 48 hours that suffer a security breach must reimburse "issuing banks" reasonable costs to protect cardholder information and continue servicing cardholders. Such costs could include (but are not limited to) costs in connection with:

1. cancellation or reissuance of payment cards affected by the breach;
2. closure of accounts affected by the breach;
3. opening or reopening of accounts affected by the breach;
4. refunds or credits to cardholders to cover the costs of unauthorized transactions; and
5. notification of cardholders affected by the breach.

In addition, such financial institutions are entitled to recover costs for damages paid by them to cardholders injured by the breach (e.g. essentially an indemnification right in the event the financial institution is sued or settles with a cardholder).

Subdivision 4. of the Act (Remedies) provides financial institutions with a private right of under section 8.31 subdivision 3a. of Minnesota's laws (basically a consumer protection statute). In addition to a right to bring a suit to recover damages and equitable relief, subdivision 3a provides the financial institution with the right to seek costs of investigation and attorney fees. The Act states that the financial institution's private right of action is in the public interest and indicates that the remedies are cumulative and do not restrict any other rights or remedies available.

2. Analysis

This law presents some very interesting issues and challenges for companies accepting payment cards.

A. Direct Path to Liability -- Low Harm Threshold - "Costs of Reasonable Actions"

Where the worlds of data security and the law meet, to date and despite many lawsuits, there have been very few instances of courts finding legal liability for security breaches. In fact, issuing banks have previously tried to sue retailers for payment card data breaches, but the courts presiding over those cases rejected the banks' third party beneficiary, negligence, promissory estoppel and breach of fiduciary duty claims, and dismissed the cases (see e.g. B.J. Wholesaler Summary Judgment Ruling, PSECU Motion to Dismiss). In short, there was no legal theory that clearly provided a right for issuing banks to recover - that hurdle has been jumped by the passage of the Act.

Now issuing banks have specific statutory rights to reimbursement and indemnity, as well as a private right of action to enforce those rights. The only requirements are as follows: (1) the entity is in violation of the 48-hour rule; (2) it suffers a breach of personal information affecting payment cards; and (3) the issuing financial institution incurs costs of reasonable actions to protect or continue servicing cardholders. There is no requirement that the merchant have acted intentionally, willfully, recklessly or negligently.In fact, it does not appear that the financial institution even has to establish that Sensitive Authentication Data was exposed.

As far as reimbursable costs are concerned, the issuing financial institution need not establish that the costs it incurs are necessary, just that the costs arise out of "reasonable" actions. The issuing financial institutions are not explicitly required to show that they will suffer harm or fraud if they do not take the actions (although this would factor into what constitutes "reasonable actions"). Their actions can be completely precautionary in nature so long as they are reasonable. In addition, there is a high likelihood that a court would view the list of example provided in the statute as representing examples of "reasonable actions" and perhaps a minimum list of what financial institutions are entitled reimbursement for. With the costs to reissue cards allegedly ranging from $20-50 per card, the costs of reissuance alone could be substantial (e.g. banks, including Chase, Citibank, the Maine Credit Union and TD Bank North, have already reportedly reissued millions of payment cards based on the TJX breach).

B. Nationwide Applicability -- Scope Beyond Minnesota?

Does the Minnesota law have a nationwide applicability? The answer is "maybe" for persons or entities doing business in Minnesota and elsewhere in the United States. Unlike Minnesota's consumer-oriented breach notice law, which requires notice to Minnesota residents whose personal information may have been acquired by an unauthorized person (See H.F. 2121), the Act is not limited to Minnesota residents. Rather, it applies to "persons or entit[ies] conducting business in Minnesota" and unauthorized acquisition of computerized personal information (regardless of the residency associated with that information). Therefore, by the plain words of the statute, it may be possible that a company simply doing business in Minnesota, which suffers a breach in California, could trigger duties under the Act.Of course there may be jurisdictional issues that preclude suit in Minnesota or application of Minnesota law, but the issue is complex and far from clear.

C. Service Provider Liability

Unfortunately for merchants that use service providers to handle payment card data, the Act still applies if their service provider suffers a breach. What this means for practical purposes is that merchants must ensure that their service providers have processes in place to comply with the 48-hour retention rule. This may be problematic: if the service provider does not have those processes in place it may charge merchants to comply. Moreover, despite the August 1, 2007 start date for the Act, it may take some time to modify systems and processes to achieve compliance.

Finally, the Act will require merchants to add new contractual duties to their service provider contracts that mandate compliance with the Act and most importantly, provide for indemnification. Significantly the Act makes the merchant responsible for the breach, and does not provide a direct route for banks to go after service providers unless "accepting an access device [payment card] in connection with a transaction." Merchants will have to add indemnification language to shift the risk of loss for breaches that are the service provider's fault. For existing relationships, merchants may have to reopen contract negotiations.

D. Personal Information Requirement

One potential limitation of the Act is the definition of "personal information." The Act requires the acquisition of personal information by an unauthorized person to be triggered. In this context, personal information includes an individual's first (or first initial) and last name, in combination with account number or credit or debit card numbers, in combination with any required security code, access code or password that would permit access to an individual's financial account. Therefore, if a breach occurs that only exposes payment card data, but does not expose the combination of data listed in the definition of "personal information," the Act may not apply. It is unclear whether companies can segregate this data to avoid the combination that triggers the Act - merchants should confer with their internal or external security professionals to further explore this and other risk-reducing measures.

E. No Encryption "Safe Harbor"

Unlike Minnesota's breach notice law applying to consumers (see H.F. 2121) which only applies to breaches of "unencrypted" personal information, the Act does not provide an "encryption" safe harbor. In other words, the Act applies even if Sensitive Authentication Data stored more than 48-hours is encrypted. It appears that the drafters have decided that the only way to avoid applicability of the law is to destroy or erase Sensitive Authentication Data. Significantly, section 3.2 of the PCI Standard also discounts encryption of this data.

F. Relationship to the PCI Standard - PCI "Quasi-Safe Harbor?"

Is compliance with the Act impacted in any way if a merchant or service provider is compliant with the PCI Standard. Strict compliance with the PCI Standard may effectively create a quasi safe-harbor to avoid liability under the Act. Both the Act and the PCI Standard prohibit the retention of Sensitive Authentication Data, however the Act allows retention of such data for 48 hours, while section 3.2 of the PCI Standard prohibits storage of such data completely after authentication (some qualified security assessors have said that VISA's time limit is 24 hours - however this is not explicitly stated anywhere). Therefore, if an entity is compliant with the PCI Standard, so long as section 3.2 of the PCI Standard has been strictly interpreted and followed (e.g. immediate deletion or destruction), they should also be in compliance with the Act's 48-hour retention rule.

The problem of course is that it is possible that some entities (or their qualified security assessors) may have interpreted section 3.2 more loosely, potentially allowing Sensitive Authentication Data to be retained beyond 48 hours. Therefore, entities that are PCI Compliant should not automatically conclude that they are compliant with the Act. They should check with their internal or external security assessors to determine how long Sensitive Authentication Data is stored and how strictly they interpret rule 3.2. Moreover, for future PCI security assessments, entities should at least consider imposing a 48-hour retention limitation on Sensitive Authentication Data retention if they want to be aligned with the Act.<

3. Conclusion

The Plastic Card Security Act and similar Payment Card Breach laws are likely to significantly impact the data security risks and liability associated with handling payment card data. For one of the first times in U.S. history, a direct liability path exists for a large segment of U.S. businesses that suffer security breaches involving payment card data. The true impact will not be known until these laws are used, but, especially for small or medium companies heavily reliant on payment card transactions, a careful examination of security practices and service provider contracts is recommended to achieve compliance with the Act. In addition, for those merchants that have not yet complied with the PCI Standard, now is the time to get serious.

As with many data security-related laws and regimes, compliance and risk management is a multi-disciplinary exercise. Entities should retain an attorney to assist with interpreting the Act and modifying service provider contracts to align with the Acts 48-hour rule. Security professionals should be asked to assist with achieving the data retention requirements, as well as working toward PCI compliance (and strict compliance with section 3.2). Finally, this is an area where information security and privacy liability insurance has clear and direct value. Companies should look at their current policies to determine whether coverage exists, and should consider security and privacy policies available in the market that are directly geared toward covering such liability. Taking these steps will provide a solid foundation to begin addressing the risk associated with the Act and other Payment Card Breach Laws that get passed.