Info Law Group : Technology Lawyers & Attorneys : Information Law Group : Privacy, Security & Intellectual Property Law

Security breaches in the online banking world continue to yield interesting lawsuits (you can read about three others in this post). The latest online banking lawsuit filed by Experi-Metal Inc. (“EMI”) against Comerica (the “EMI Lawsuit”) provides some new wrinkles that could further illuminate the boundaries of “reasonable security” under the law. Brian Krebs has a good article summarizing the case. In addition, bankinfosecurity.com has a recent article on this matter (in which yours truly was quoted). In this post we take a look at the EMI Lawsuit, consider some legal questions that the case raises, and analyze how it might impact the question of what constitutes “reasonable security” under the law.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

In an interesting development, a handful of issuing banks impacted by the Heartland breach have filed a class action lawsuit against two acquiring banks related to Heartland Payment Systems. According to this article, the issuing banks are unhappy with Heartland's proposed settlement with Visa.  This appears and to be an attempted end-run around the proposed $60 million settlement with Visa.  It also may demonstrate that issuing banks are not satisfied with the dispute resolution mechanisms under the Visa Operating Regulations (the Account Data Compromise Recovery process estimated the loss at $140 million, yet the settlement was for only $60 million), and their ability to be made whole under those mechanisms.  We will have more analysis of the complaint at a later day. In light of the relative lack of success issuing banks have had in these types of cases, it will be very interesting to analyze the legal theories employed by the issuing banks and track the progress of this matter.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Happy New Decade (2010)!  Unbelievably another decade is gone.  Information law developments continue to occur at an increasingly fast pace.  The InfoLawGroup is catching up from a very busy December, so we will start out the 2010 blogging with a couple quick hits.

Security in the Ether.  A very nice article by David Talbot on the security challenges, myths and misperceptions around Cloud computing.  The challenge for security pros and lawyers:  what is "reasonable security" in the Cloud, how do you perform your "due diligence," how do you document your due diligence process for use in the event of a breach, litigation or a regulatory action, and how do you draft and negotiate contracts for Cloud-based services?

Judge Preliminarily Approves Countrywide Data Breach Lawsuit Settlement.  Faced with 35 lawsuits (many of them class actions) arising out of a security breach exposing the records of millions of customers, Countrywide Financial Corp. has chosen to settle.  The settlement includes an offer of one year of credit monitoring for up to 17 million people.  In addition, customers that suffered identity theft may recover up to $50,000, but only if they actually lost something of value, were not reimbursed and the theft stemmed from the Countrywide breach.  Assuming a 20% redemption rate and a cost of $5-$15 per year for credit monitoring, the credit monitoring alone could cost from $17 million to $51 million (probably on the lower end of the scale -- Countrywide should be able to negotiate favorable credit monitoring rates considering the potential volume).  Additional costs that Countrywide had to incur include legal fees and breach notice expenses (assuming breach notice laws were triggered).  Does this settlement (and others I am aware of other settlements that have been less publicized) indicate a growing fear that the "damages" wall is weakening?

• Email This
• Print
• Comments (1)
• Trackbacks
• Share Link

I had the pleasure of hearing an excellent presentation by Tanya Forsheit on the legal issues arising out of cloud computing during the ABA Information Security Committee's recent meeting (at the end of July) in Chicago. The presentation resulted in a spirited debate between several attorneys in the crowd. The conversation spilled over into happy hour and became even more interesting. The end result: my previous misunderstanding of cloud computing as "just outsourcing" was corrected, and now I have a better appreciation of what "the cloud" is and the legal issues cloud computing raises.

Bottom line: this is not your father's outsourcing relationship, and trying to protect clients with contracts may be very difficult or impossible unless the cloud computing community begins to build standards and processes to create trust. This post is not for my tech/security friends, it is for the attorneys out there, especially the general counsel and transactional attorneys who draft terms for tech contracts (e.g. outsourcing contracts, ASP contracts, software licenses, etc.). So tech friends, please cut me some slack as I completely mangle proper terminology in order to try to explain this in plain English (and of course if I get something wrong, shoot me a comment or email so I can correct -- we attorneys need you on this one).

One final note to the attorneys out there:  there is going to be incredible financial pressure on organizations to take advantage of the pricing and efficiency of cloud computing and if attorneys fail to understand the issues ahead of time there is a serious risk of getting "bulldozed" into cloud computing arrangements without time or resources to address some serious legal issues that are implicated.

(P.S. Special thanks to Tanya Forsheit, John Tomaszewski, Karen Worstell and Peter McLaughlin for the insight and debate).

• Email This
• Print
• Comments (9)
• Trackbacks
• Share Link

As reported previously, the CardSystems security breach has resulted in a lawsuit brought by a merchant bank (Merrick Bank) against CardSystem's security assessment company (Savvis).  The suit alleges that Savvis negligently certified CardSystem's security as compliant with Visa's Card Information Security Program ("CISP"), and negligently represented that CardSystems was compliant.  Earlier this month Savvis filed a motion to dismiss this case.  This post summarizes and explores that motion.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

The Merrick Bank v. Savvis lawsuit has the potential to change the liability dynamic of the PCI regulatory system.  The Savvis case is one of the first known instances of a payment card security assessor being sued by a merchant bank ( the merchant bank is a third party relative to the Savvis-CardSystems relationship).    The Merrick Bank compliant alleges that it relied on Savvis' certification of CardSystems  as Visa CISP compliant (this matter pre-dated the PCI standard), and that certification was false.  After CardSystems suffered a breach exposing up to 40 million payment card records, Merrick allegedly incurred $16 million in payments to the card brands (which was ultimately transferred to issuing banks who suffered losses arising out of the CardSystem breach).

If Savvis is held liable (or even if this case makes it past motion to dismiss or a motion for summary judgment) it has the potential to significantly modify the relative risk of PCI qualified security assessors, and in turn modify the PCI regulatory scheme.  This post discusses the two theories of liability alleged by Merrick:  (1)  negligence; and (2) negligent misrepresentation.

Please note, while I am an attorney this post does not in any way constitute legal advice or a legal opinion, and should not be relied upon to take any action or be the basis for any inaction.  The law related to this case is complex and varies from jurisdiction to jurisdiction, and over time.  If you are interested in a full legal analysis of potential security assessor liability in a particular jurisdiction, please contact me directly at djn@davidnavetta.com

One further note, the basic rules and general information in this document was derived from various legal research sources.  However, one book in particular provided excellent information on the liability of service providers to third parties.  Please check it out, and purchase it: Professional Liability to Third Parties (Jay M. Feinman).

UPDATE:  Other bloggers/mags are putting together some nice analysis of this case as well:  here, here

Relevant Allegations

In order to understand the theories of liability alleged by Merrick, it is important to spot the specific allegations that will ultimately support those allegations.  The key allegations, which are repeated throughout the complaint, include:

• Merrick would not allow CardSystems to process Card Transactions until it was certified as CISP compliant

• Savvis was specifically retained to certify CardSystems as CISP compliant, and did so pursuant to a Report on Compliance issued to VISA

• Upon learning of the results of Savvis's Report on Compliance (after CardSystems was listed by Visa as CISP compliant) Merrick allowed CardSystems to serve as its processor

• According to a post-incident forensic analysis, at the time Savvis issued the ROC, CardSystems had been improperly and continuously storing unencrypted cardholder data

• Savvis provided the ROC to VISA for the express purpose and with knowledge that Visa would publish the ROC, and that merchant banks would rely on it to determine whether CardSystems met the CISP standard

• It was reasonably foreseeable to Savvis that merchant banks would rely on its report

• Savvis knew or should have reasonably known that its certification of CardSystems was directly for the benefit and guidance of merchant banks

Analysis

The key threshold issue in this case is whether Savvis owed any duty of care to Merrick with respect to the security assessment it provided to CardSystems, and if so the extent of those duties.  Note that the typical method for establishing a duty in a professional services context is via a contract (and when two parties are bound contractually they are said to be in "contractual privity").  In this case, Savvis likely had a contract with CardSystems to perform an assessment, but did not have a direct contractual relationship with Merrick.  The lack of contractual privity is main legal obstacle faced by Merrick.  Are there other non-contractual theories of liability that apply to Savvis in this context?  Merrick Bank has alleged negligence and negligent misrepresentation against Savvis.

Negligence

In the professional service provider/client relationship, negligence is typically a valid theory of liability.  For example, it is the basis for many malpractice claims against lawyers, doctors, accountants and architects.  The validity of a negligence claim is trickier when it is a third party alleges it.  The key analysis is whether the service provider owed any duty to a third party to perform its services in a reasonable and competent manner.  Unfortunately, this is not an easy question to answer under the law.  There are several different tests courts consider to make this determination, and different jurisdictions may apply different tests or apply the same test in a divergent manner.  In addition, whether a duty exists will also rest heavily on the particular facts of the case at hand.  That said, in general, some Courts are wary of circumstances that will result in unlimited liability down the line for service providers.   The following represents a brief description of some of two of the main tests:

• Foreseeability. In the most basic approach to determining whether a duty exists, the Court asks whether the defendant's actions create a foreseeable risk of harm to the third party plaintiff.  Typically both the plaintiff and the risk of harm must be foreseeable.  This approach is criticized by some on the basis that the concept of  "forseeability" is unbounded and can extend extremely far.

• Balance of Factors Test. This test considers foreseeabilty of harm to the plaintiff as only one of several factors to determine whether a duty exists.  Other potential factors include:  the extent to which the transaction was intended to affect the plaintiff; the degree of certainty that the plaintiff suffered injury; the closeness of the connection between the defendant's conduct and the injury suffered; the moral blame attached to the defendant's conduct; and the policy of preventing future harm.  After argument by the parties,  all of these factors are weighed by the Court which then determines whether a duty exists.

Other jurisdictions employ variations of these tests.  In Wisconsin state courts, for example, if it is foreseeable that the service provider's actions could harm a third party, then a duty will not exist only if there are overriding public policy considerations.  Some courts employing the balance of factor test focus on the relationship between the parties, and specifically if there was any indication that a third party was the intended beneficiary of the professional services rendered.

One more important factor with respect to negligence: even if a duty is found to exist as to a third party, the "economic loss doctrine" may bar recovery of any "economic loss" (loss that is not a personal injury or property damage).  This doctrine is also complex and applied differently depending on the jurisdiction.  In some jurisdictions it does not apply when services are at issue (as opposed to products).  In other jurisdictions, "professional services" such as those provided by lawyers or accountants are not protected by the rule.  However, if the rule does apply, it can wholly eliminate the type of damages being claimed by banks like Merrick (and in fact has been used to dismiss negligence claims by issuing banks for security breaches in the TJX case and BJ Wholesalers cases).

Negligent Misrepresentation

Similar to the accountancy field, the payment card security assessment field involves an act of attestation.  That is, an opinion/representation as to the status of a company's financial statements (for accountants) or security status against a particular standard (for security assessors).  If these "representations" are purposely false or simply incorrect because of mistakes, plaintiffs may have an action for fraud or "negligent misrepresentation."  Merrick alleged in this case that Savvis's certification of CardSystems was a negligent misrepresentation because in reality CardSystems was not CISP compliant.  Similar to negligence claims (which often overlap with negligent misrepresentation claims because they require proof of a failure to meet the standard of due care), the approaches employed with respect to this theory varies by jurisdiction.

The original position adopted by most courts concerning negligent misrepresentation was that third parties not in privity of contract (or "near privity") could not utilize this theory of liability (see Ultramares v. Touche, 1931).  The sixty year reign of the Ultramares case began to erode in the 1960s based on new case law and the eventual adoption of Section 552 of the Restatement (Second) of Torts, which represents the modern approach to service provider negligent misrepresentations to third parties.  Section 552 states in relevant part:

(1) One who, in the course of his business, profession, or employment, or in any other transaction in which he has a pecuniary interest, supplies false information for the guidance of others in their business transactions, is subject to liability for pecuniary loss caused to them by their justifiable reliance upon the information, if he fails to exercise reasonable care or confidence in obtaining or communicating the information.

(2) * * * liability in Subsection (1) is limited to loss suffered (a) by the person or one of a limited group of persons for whose benefit and guidance he intends to supply the information or knows that the recipient intends to supply it; and (b) through reliance upon it in a transaction that he intends the information to influence or knows the recipient so intends or in a substantially similar transaction.

Interestingly, if you read the Merrick complaint (or the relevant facts laid out above) you will see that many of the words used in section 552 are copied verbatim.

In the typical situation, many of elements in subsection (1) are satisfied in a typical attestation situation.  In this case it is not a stretch to say that security assessors supply information that is relied upon by third parties.   However, plaintiffs may have to establish that their reliance was justified - the more direct the reliance the better their chances.  So if there were other factors that impacted Merrick's decision to hire CardSystems and CISP certification was secondary, the issue of reliance may be more difficult to establish.

In addition, in some cases it may be difficult to establish that the information was "false" (especially when there are gray interpretative areas involved).  Likewise, in some cases it may be a challenge to establish that the security assessor violated his or her duty of care. If a security assessor's opinion was reasonable the plaintiff may not be able to establish this element.  Of course, if there are obvious ("black and white") mistakes, such as the failure to encrypt cardholder data or the storage of track data, this element will be less difficult to establish.

The elements in subsection (2) of section 552 require both that the service provider have knowledge of the person or group of persons that will be receiving benefit or guidance from the opinion, and that the service provider (or recipient of the information, e.g. CardSystems of VISA) intends the information to influence the plaintiff with respect to a transaction.  These knowledge and intent issues often ultimately impact the failure or success of plaintiff's case.

The application of these knowledge and intent requirements may vary by jurisdiction.  Some may take a narrow view and require that the service provider specifically intended to induce the plaintiff's reliance for a particular transaction (e.g. the service provider would have had to have known of the transaction, and known that their opinion was the key information that was inducing the plaintiff to go through with the transaction).  In some cases, the plaintiff may only need to know of the potential users of the information and the potential use of the information.  In addition, some courts may require actual knowledge of the potential users of the information, while others may allow this element to be satisfied if the service provider has reason to know of potential users/uses of the information.

One item to note again with respect to the economic loss doctrine.  While it often blocks plaintiffs from recovering under negligence theories, in some jurisdictions the doctrine is inapplicable to fraud and negligent misrepresentation claims.  So if plaintiff can establish a negligent misrepresentation claim, it may have a good route to recovery.

Lastly, it must be noted that the negligent misrepresentation claim, in general, has been utilized by issuing banks against merchants already in the TJX case.  Although the context is different (TJX involves a merchant's misrepresentation as opposed to a security assessor's  misrepresentation), an appellate court refused to dismiss a negligent misrepresentation claim based on indirect representations of CISP compliance.  Thus, it may be that the negligent misrepresentation claim against Savvis could have some legs.

Conclusion - Observations of the Merrick Case

The Merrick case represents a potential watershed moment for the payment card security assessor industry (and security auditors in general).  If liability is found in this case, and especially if case law is created that goes against Savvis, security assessors will be entering the world of lawyers, doctors, accountants and architects.  This world will involve much higher potential for liability, more need to purchase professional liability insurance, increased costs for merchants employee assessors, more rigorous ethical obligations and potentially a higher level of skill and scrutiny applied to security assessment engagements.  Over time, this world could start to look more like the world of accountants.

Unfortunately for security assessors, since there is no ability to gain contractual protection through limitations of liability or consequential damages disclaimers, it may be difficult to deflect liability.  Significantly, as one can ascertain above, whether plaintiff's claims are valid in this context may involve a fairly fact intensive inquiry.  In many instances, legal matters that are highly fact intensive are allowed to proceed past a motion to dismiss or motion for summary judgment -- factual disputes are for juries to decide typically.  What this means is litigation leverage for the plaintiffs - with good fact patterns the pressure to settle these cases may be great since victory may come down to who has the better facts and who can argue those facts the best.  Moreover, regardless of the facts, arguing in front of a jury always poses a risk.

Based on the foregoing it is very difficult to make any predictions concerning the Merrick Bank case.  However, the fact pattern in this case appears favorable to Merrick based on alleged severe violations of CISP and the magnitude of the breach.  Merrick has gone out of its way to tailor its allegations to match the legal elements discussed above.  Whether those allegations are substantially true remains to be seen.  For instance, was the CISP compliance truly the make or break factor that Merrick relied on to enter into a transaction with CardSystems?  The complaint mentions MasterCard's security program.  Was it justifiable and reasonable for Merrick to rely on CardSystems CISP certification as a proxy for compliance with Mastercard's security rules?  Will the court require that Savvis have actual knowledge and intent to induce the particular transaction at issue?

Please note that a potential analogue for security assessors are lawsuits by investors against accountants.  Both engage in attestation services that are known to some degree to be relied upon by third parties.  There are numerous cases going both ways (some finding liability/some not) with respect to accountant liability to investors who relied on inaccurate financial statements.

Finally, one thing to be aware of with respect to negligent misrepresentation.  If a security assessor is made aware that its assessment will be relied upon by a particular third party as the key factor in it deciding to engage in a transaction, the more likely a negligent misrepresentation claim will be valid.  QSAs brought into an engagement for this purpose should pause and consider the implications of making a mistake.

Regardless of the outcome, this case will be very interesting to watch and it will surely wake the QSA community up.  Once we have more information we will put it up on the blog.  In the meantime, feel free to contact me with any questions on this matter.

• Email This
• Print
• Comments (6)
• Trackbacks (5)
• Share Link

Some interesting statistics from a new report from Verizon Business. The Washington Post security writer sums it up nicely in terms of the payment card data market:

[Verizon] said it responded to at least 90 confirmed data breaches last year involving roughly 285 million consumer records, a number that exceeded the combined total number of breached records from cases the company investigated from 2004 to 2007. Breaches at banks and financial institutions were responsible for 93 percent of all such records compromised last year, Verizon found.

This has resulted in a huge decrease in the price per credit card in the black market:

As a result, the stolen identities and credit and debit cards for sale in the underground markets is outpacing demand for the product, said Bryan Sartin, director of investigative response at Verizon Business.  Verizon found that profit margins associated with selling stolen credit card data have dropped from $10 to $16 per record in mid-2007 to less than $0.50 per record today.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Heartland Payment Systems has been sued in multiple lawsuits by various banks or credit unions that have had to reissue payment cards in the wake of the Heartland breach.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Merchants face a potentially huge liability if they suffer a security breach exposing payment card data. Issuing banks (those banks that issue credit cards to consumers) have filed lawsuits to recover reissuiance costs allegedly ranging from $20-$50 per card (multiplied by thousands or millions of cards depending on the magnitude of the breach). A recent decision from the U.S. Court of Appeals for the Third Circuit ("3^rd Circuit" or "Appellate Court") appears to have expanded the potential liability merchants face for payment card security breaches.

In Sovereign Bank v. B.J. Wholesale Club & Fifth Third Bank, No. 06-3392/3405 (3^rd Circuit, July 13, 2008)(hereinafter the "BJW Decision"), while the Appellate Court affirmed the lower court's dismissal of most of the claims against B.J. Wholesale Club, it reversed the lower court's dismissal of Sovereign Bank's breach of contract action that was based on a third party beneficiary theory. This article explores how the Appellate Court reached its decision, how the decision could increase the legal risk faced by merchants that suffer security breaches and potential actions merchants can take to better understand and mitigate their legal risk.

Background

The BJW Decision arose out of a payment card security breach suffered by B.J. Wholesale Club ("BJW") that was first reported in March 2004. Criminals were able to steal (and commit crimes using) the magnetic stripe information from payment cards stored by BJW. In reaction to this security breach, Sovereign Bank and the Pennsylvania State Employee's Credit Union (hereinafter "Issuing Banks") incurred costs to reissue the payment cards that were the subject of the BJW breach. Litigation ensued in 2005 when the Issuing Banks separately sued BJW and BJW's merchant bank (Fifth Third Bank) to recover their reissuance costs. The federal lawsuits were eventually consolidated in the U.S. District court for the Middle District of Pennsylvania (the "Lower Court") and alleged the following causes of action: (i) negligence; (ii) breach of contract (Third Party Beneficiary Theory) and (iii) equitable indemnification; (iv) breach of fiduciary duty and (v) promissory estoppel. The Lower Court fully granted the defendants' motion to dismiss and motion for summary judgment, which lead to the plaintiff's to appeal (see Sovereign Bank v. B.J. Wholesale Club, 385 F.Supp.2^nd 183 [M.D. Pa. 2005] and Sovereign Bank v. B.J. Wholesale Club, 427 F.Supp.2d 256 [M.D. Pa. 2006]).

Relationship Between the Players in the Payment Card System

In order to understand the Appellate Court's ruling one must first be aware of the relationships (contractual or otherwise) between the players in the payment card system.

In this case, BJW was the merchant that accepted payment cards from consumers (some of whom were issued their cards by the Issuing Banks). In order to accept credit cards and become part of payment card networks such as Visa or Mastercard, merchants must work through and contract with an acquiring bank (a.k.a. "acquirer" or "merchant bank"). In this case Fifth Third acted as BJW's merchant bank and had a "Merchant Agreement" in place with BJW. In turn, moving upstream, Fifth Third had a "Member Agreement" in place with VISA. Pursuant to the Member Agreement, Fifth Third became a "member" of the VISA network and agreed that it would comply with VISA's Cardholder Information Security Program ("CISP") and VISA's Operating Regulations (note that at the time of the breach the PCI Standard was not in effect and each card brand had its own security standard).

Sovereign Bank, was one of the Issuing Banks that had issued payment cards to various consumers that were impacted by the BJW security breach. Sovereign Bank is also a member of the VISA network by virtue of its own Membership Agreement with VISA. However, the Issuing Banks had no direct contractual relationship with Fifth Third or BJW. A graphic representation of the contract chains can be found at this link: BJW Contract Relationship Chart.

Sovereign Bank's Breach of Contract Allegations

Despite not having a direct contractual relationship with Fifth Third, Sovereign Bank alleged a breach of contract claim based on Fifth Third's breach of the Membership Agreement between Fifth Third and VISA. Although it was not a party to the Membership Agreement, Sovereign alleged that it was an intended third party beneficiary of the agreement (see BJW Contract Relationship Chart).

Pursuant to the Membership Agreement, Fifth Third agreed comply with VISA's Operating Regulations (which included VISA's Cardholder Information Security Program). The version of the Operating Regulations applicable to this case provided the following:

• Fifth Third agreed to ensure that its merchants (BJW in this case) complied with the Operating Regulations

• Fifth Third agreed to enter into a Merchant Agreement with each of its merchants requiring each merchant to comply with VISA's Operating Regulations

• A prohibition against retaining or storing the data encoded on the magnetic stripe on the back of payment cards after a transaction is authorized (this is essentially the same prohibition set forth now in section 3.2 of the PCI Standard), and a duty for Fifth Third to impose this obligation on merchants like BJW

• Provisions concerning dispute resolution between members, including chargeback and representment procedures, and arbitration provisions.

Significantly the Operating Regulations in place at that time did not eliminate any other rights an issuing bank may have to pursue any legal remedy that may otherwise be available. As discussed further below, unless Visa's Operating Regulations have changed, this suggests that there is no real "safe harbor" for PCI compliance.

Sovereign Bank alleged that both BJW's failure to delete the magnetic stripe data, and Fifth Third's failure to ensure BJW's compliance with the deletion requirement constituted a breach of the Operating Regulations by Fifth Third. Sovereign Bank further contended that these contract breaches allowed the unauthorized access to, and use of, payment card data at BJW, and that Sovereign Bank was legally obligated to reimburse cardholders for fraudulent charges that resulted. Moreover, the resulting unauthorized access to payment card data also required Sovereign Bank to incur the expense to reissue the compromised payment cards. Finally, the Issuing Banks alleged that their customer goodwill was adversely impacted by the BJW breach. The Appellate Court was called upon to rule on these issues in a motion to dismiss/summary judgment context.

The Issue to Resolve: 3^rd Party Beneficiary Theory.

The Appellate Court considered the following issue:

Was Sovereign Bank an intended third party beneficiary of the Member Agreement between Fifth Third and VISA?

Although Sovereign Bank conceded that it is not an express third party beneficiary of the Member Agreement between Visa and Fifth Third, it based its argument on § 302 of the Restatement (Second) of Contracts (which had been adopted under Pennsylvania law, which governed this case):

Intended and Incidental Beneficiaries

(1) Unless otherwise agreed between promisor and promisee, a beneficiary of a promise is an intended beneficiary if recognition of a right to performance in the beneficiary is appropriate to effectuate the intentions of the parties and either:

(a) the performance of the promise will satisfy an obligation of the promisee to pay money to the beneficiary; or

(b) the circumstances indicate that the promise intends to give the beneficiary the benefit of the promised performance.

(2) An incidental beneficiary is a beneficiary who is not an intended beneficiary.

In the context of § 302, the court framed the issue as follows:

Under § 302, Sovereign's contract claim depends on whether "the recognition of a right to performance" in Sovereign is "appropriate to effectuate the rights of" both Visa and Fifth Third in entering into their Member Agreement and whether "the circumstances indicate that" Visa (the promisee) "intended to give Sovereign the benefit of the promised performance."

To establish whether Visa intended to give issuing banks like Sovereign the ability to rely on Fifth Third's promises in the Member Agreement, Sovereign relied on the deposition testimony of Visa's representative, Alex Miller. Miller testified that he was not aware of any intent on Visa's behalf to create a direct right to benefit third parties, and that no documents existed that allowed issuing banks to "step into [Visa's] shoes" to enforce the Membership Agreement with Fifth Third.

However, Miller also stated:

It's fair to say that the core purposes of the operating regulations is to set up the conditions for participation in the system, to set up rules and standards that apply to that ultimately for the benefit of the Visa payment system, the members that participate in it and other stakeholders such as cardholders, merchants and others who may participate in the system as well.

Miller further testified that the purpose of Visa Operating Rules (including CISP in this case) was to maximize the value of the Visa system as a whole, including "to protect issuers." Fifth Third argued that Miller's statements evidenced that Visa's Operating Regulations were intended not to benefit any individual member or class of members, but the Visa system as a whole.

Sovereign argued that Visa's Operating Rules were specifically intended to benefit issuers. In addition to Miller's testimony, it pointed to an August 1993 memo sent by Visa to its members that specifically alerted members of the (then) new requirements to delete magnetic stripe data (hereinafter referred to as "August 1993 Memo").

That memo started off with the following:

To protect the Visa system and Issuers from potential fraud exposure created by databases of magnetic-stripe information, Section 6.21 has been revised. Effective September 1, 1993, the retention or storage of magnetic stripe data subsequent to the authorization of a transaction is prohibited. Acquirers are obligated to ensure that their merchants do not store the magnetic-stripe information from Visa Cards for any subsequent use.

Sovereign also relied on a May 2003 article printed online by Visa entitled "Issuers and Acquirers Are At Risk When Magnetic-Stripe Data Is Stored," which indicated that magnetic stripe data compromises "impact[] Issuers" (hereinafter referred to as "May 1993 Memo).

The Appellate Court's Decision and Reasoning

The Appellate Court considered the arguments by both sides and ultimately held that genuine issues of material fact did exist as to whether Sovereign was an intended beneficiary of the Member Agreement between Fifth Third and Visa, and therefore the case should be remanded for further proceedings (e.g. trial) rather than decided on a summary judgment motion.

The Appellate Court rejected Sovereign's reliance on the May 2003 Memo, indicating that it simply stated the reason for the prohibition against retention of magnetic stripe data. However, the Appellate Court agreed that the August 1993 Memo and Miller's "core purpose" testimony (referenced above), raised genuine issues of fact.

The court noted that Sovereign is a Visa member and that the core purpose the Operating Regulations according to Miller was to benefit members that participate in the Visa system. Just because Miller also indicated the Operating Rules were to benefit other stakeholders (such as cardholders, merchants and others who may participate in the system), the possibility that Visa intended to benefit individual users such as Sovereign was not negated.

Moreover, the Appellate Court held that the August 1993 Memo clearly stated that acquirers (such as Fifth Third) must act to protect Issuing Banks (like Sovereign) by ensuring that merchants (like BJW) do not retain magnetic stripe data. The Appellate Court held that this piece of evidence alone was sufficient to get Sovereign past summary judgment. Based on the foregoing, the Appellate Court remanded Sovereign's breach of contract claim for further proceedings (e.g. trial in front of a judge or jury).

Analysis -- Increased Merchant PCI Liability

Similar to Minnesota's Plastic Card Protection Act (discussed at this LINK), this decision has the potential to significantly increase the liability risk faced by merchants that are not compliant with PCI and that suffer a security breach.

First, although the Appellate Court's breach of contract decision only involved the acquirer and the issuing bank, merchants such as BJW may ultimately be liable for the issuing bank's costs. The source of this liability will also be contractual. However the contract at issue in this case is the direct contract between the merchant bank and the merchant (hereinafter "Merchant Agreement" -- see BJW Contract Relationship Chart). As the court ruled, this case will now be remanded to the lower court. A judge or jury could find Fifth Third liable to Sovereign for reissuance costs, or Fifth Third and Sovereign may settle the case based on the strength of Sovereign's breach of contract claim. If Fifth Third wanted to recover the damages it paid to Sovereign, it may be able to rely on language in the Merchant Agreement between it and BJW to recover directly from BJW.

It is not atypical for a merchant to enter into a very one-sided Merchant Agreement with an acquiring bank (or the acquiring bank's processor). Such Merchant Agreements often require the merchant to comply with the card association's operating rules, security program and/or PCI. A sample of how such language may read is as follows:

Merchant agrees to comply with all security standards and guidelines that may be published from time to time by Visa or MasterCard and any other applicable industry security standards, including, without limitation, the Visa U.S.A. Cardholder Information Security Program ("CISP"), the MasterCard Site Data Protection ("SDP"), and the Payment Card Industry Data Security Standard (the "Security Requirements").

If BJW agreed to comply with Visa's Operating Rules and/or CISP, Fifth Third may have a right to recover any damages paid to Sovereign under a breach of contract theory (BJW having breached the Merchant Agreement).

In fact, merchant banks may have an explicitly contractual right to recover reissuance costs they are forced to pay issuing banks. It is likely that the Merchant Agreement requires the merchant to indemnify the merchant bank for liability it incurs because the merchant allowed a security breach. A sample of how such language might read is as follows:

Merchant agrees to indemnify Acquiring Bank, Member, the Associations, affiliates, officers, directors, employees, agents and issuing banks from any losses, expenses, costs, liabilities, and damages of any and every kind (including, without limitation, our costs, expenses, and reasonable legal fees) arising out of any claim, complaint, or chargeback caused by the merchant's noncompliance with this Agreement, any Security Requirements or the Association Rules.

If similar language exists in the Merchant Agreement between BJW and Fifth Third, Fifth Third may demand that BJW indemnify it for any issuing costs that Fifth Third is required to pay to Sovereign. Of course, if BJW refuses, Fifth Third will again need to file a claim against BJW for breach of the Merchant Agreement. In short, by allowing an issuing bank to use the Visa Member Agreement to go after the merchant bank, the Appellate Court opened a path to merchant liability for the costs incurred by the issuing bank to reissue credit cards. The path starts with the Member Agreement, goes through the Merchant Agreement and ends up at the merchant.

PCI Compliance as a Defense - Existence of "Safe Harbor?"

Despite the existence of this contractual path to liability, the question arises whether a merchant's compliance with the PCI and card association operating regulations will insulate the merchant from liability if it suffers a payment card security breach. Unfortunately, from the issuing bank's point of view the merchant's PCI compliance status is irrelevant - the issuing bank still must pay to reissue payment cards after a security breach of a PCI-compliant merchant. There are several points which may illuminate whether PCI compliance provides an automatic "safe harbor" from liability.

First, at least under the version in effect during the BJW case, according to the Appellate Court, issuing banks were not precluded by Visa Operating Rules from pursuing any available remedies at law. Thus, even if a merchant had fully complied with PCI and the applicable operating rules, an issuing bank's status as a member of Visa or Mastercard does not block it from going after merchants. In fact, even if an issuing bank had agreed with Visa to refrain from pursuing merchants that were PCI compliant, the only party that could enforce that agreement would be Visa (unless, ironically, the merchant could be argued to be a third party beneficiary of the Member Agreement between Visa and the Issuing bank). Significantly, while compliance with the industry standard for protecting cardholder information will offer merchants a strong defense, it is still possible that a merchant could be liable under other theories of liability (e.g. negligence) if a court finds that the PCI standard itself is inadequate (see e.g. T.J. Hooper case).

Second, a PCI-compliant merchant's liability will be largely contingent on the language set forth in the Member Agreement between the acquiring bank and the card association, and the Merchant Agreement between the acquiring bank and the merchant itself. If the Member Agreement makes the acquiring bank responsible for merchants' security breaches in general (regardless of PCI compliance) and the Merchant Agreement requires the merchant to indemnify the acquiring bank for any losses, then the path to liability described above could apply. In such a case, in order to "block" the path from issuing bank through the Member Agreement, the Member Agreement would have to contain specific language providing a PCI "safe harbor" (alternatively, as discussed further below, the merchant may be able to negotiate a "safe harbor" in the Merchant Agreement to block the liability path).

Significantly, gaining access to the card associations' operating rules and Membership Agreements has been notoriously difficult. Without the ability to read to those documents it may be hard to ascertain the scope of the liability risk under this theory since the merchant will not be aware of the merchant bank's obligations to the card association in the event of a merchant security breach.

Limited Applicability?

Variations in the terms and conditions of Member Agreements and card association operating rules may also impact the path to merchant liability. As such, the holding in the BJW may not apply if there have been changes in subsequent versions of these documents. For example, if the current versions of Visa's Member Agreement specifically precludes enforcement of the Merchant Agreement by third parties, then the issuing banks would not be able to use employ the 3^rd party beneficiary theory used by Sovereign. However, if the Member Agreement between the card association and acquirer bank remains silent, then the same rationale in the BJW decision could apply.

With respect to Visa's Member Agreements, where intent is unclear, issuing banks may be able to rely on Mr. Miller's deposition testimony in the BJW decision. As such, cases brought in jurisdictions that follow section 302 of the Restatement (Second) of Contracts may be prone to agree with the Appellate Court's decision. Again, unfortunately, merchants will not be able to ascertain the full extent of their risk unless they can get access to the acquiring bank's Member Agreement or be informed of whether it prohibits third party beneficiaries.

Merchant Actions to Potentially Reduce the Risk of Liability

There may be some steps that merchants can take to reduce their risk of liability for a payment card security breach. The BJW path to liability is a two step process. First the issuing bank must successfully sue the acquirer for breach of the Member Agreement between the card association and the acquirer, then the acquirer must pursue the merchant under the Merchant Agreement. Thus, merchants should consider both steps to determine the extent of their potential liability and for purposes of cutting off the path.

• Attempt to Determine Existence of 3^rd Party Beneficiary Prohibition in Member Agreement

The first step on the path to liability under the 3^rd party beneficiary theory is whether the Member Agreement between the card association and acquirer bank precludes third party enforcement of the Member Agreement. Merchants should ask their acquirer banks if they can examine their Member Agreement. It is likely, however, that the acquirer bank will be unwilling to provide the agreement itself. If not, the merchant should at least attempt seek assurances that there is a prohibition against third party beneficiaries. If the Merchant Agreement does not contain such a prohibition, then it is possible that the first step on the BJW liability path is open. Therefore, the merchant should seek to cut off the second step on the path, the Merchant Agreement.

• Negotiate a "Safe Harbor" in the Merchant Agreement

Obviously, the merchant has little control over what third party beneficiary terms its acquirer may have agreed to in the Member Agreement. However, a merchant does have some control over the terms it agrees to in its Merchant Agreement with its acquirer. It may be possible for a merchant to cut-off liability even if the issuing bank has been successful as a third party beneficiary of the Member Agreement. When entering into negotiations with acquirers (or their payment processors) merchants should attempt to negotiate a "safe harbor" into their Merchant Agreement. In essence, the safe harbor language would indicate that in the event of a security breach involving payment card information, if at the time of the breach the merchant was compliant with PCI and/or the card association's operating rules, the acquirer would have no right to indemnification or any other recourse against the merchant. Rather than relying on (mostly likely) illusory safe harbors identified by the card associations, this would provide a direct right to avoid contractual liability if the merchant has done everything it promised with respect to PCI.

The parameters of the safe harbor should be defined to protect the merchant. First, the merchant agreement should identify a truly independent third party responsible for performing a post-breach PCI/operating rules audit, and set-up a process for the audit itself (note that one issue to consider is that the auditors findings will not be protected by attorney-client privilege, so caution is warranted). This third party would be the last word on whether the merchant was PCI-compliant at the time of the breach. Currently this post-incident response is performed by auditors hand-picked by the card associations, and some believe, because of close relationships these auditors have with the card associations, they could be less than "neutral" when performing these audits. Second, the standard for compliance should not be strict compliance. Rather, the merchant should be deemed to be compliant unless it is in material non-compliance with PCI. Finding technical non-compliance with some section of PCI or card association rules, as any security expert can tell you, is not difficult. Even better would be language requiring the non-compliance with PCI to be the actual cause of the security breach at issue - if the non-compliance was not in anyway relevant to the breach the merchant would not be liable. Last, if possible, the Safe Harbor should include indemnification from the acquiring bank if the merchant is PCI-compliant at the time of the breach. This would allow the merchant to cut off direct suits from other stakeholders (consumers, issuing banks, card associations). Admittedly, however, it will likely be difficult to convince an acquiring bank to go this far.

Whether a merchant will be able to negotiation a safe harbor or any other term of the Merchant Agreement will depend a large part on negotiating leverage. Larger merchants with clout, or any merchant willing to "shop around" between multiple acquiring banks, will be in the best position to negotiate favorable terms. Some of the same negotiating leverage issues apply for this route as well.

• Limitation of Liability

In addition, merchants should consider a limitation of liability that caps the merchant's potential liability in the event of a security breach exposing credit card data. Merchants that have expended significant resources in becoming PCI compliant may be able to justify the cap more easily.

• Insure Against Payment Card Security Breaches

The insurance market has created information security and privacy liability policies which may cover liability arising out of a payment card breach. Since the risk of a security breach can never be 100% eliminated, insurance may be a good risk management tool to transfer unwanted risk. The key for utilizing insurance is to make sure the risk the merchant desires to transfer is actually transferred in light of the terms, conditions and exclusions in the insurance policy.

Conclusion

Merchants can no longer afford to treat PCI compliance as a pure security issue. Merchants should carefully analyze their PCI liability risk and determine ways to mitigate that risk. Laws like Minnesota's Plastic Card Protection Act and the BJW decision have likely increased the risk significantly. The potential for huge damage is great - issuing banks have alleged that the costs of reissuing payment cards range from $20-$50 per card (multiplied by thousands or even millions of cards). For smaller and medium companies highly reliant on payment cards, the failure to address this risk ahead of time can mean bankruptcy. For larger retailers, the prospect of spending tens of millions of dollars defending and settling lawsuits against issuing banks and merchants should spur on a careful examination of all merchant agreements, and the possible shopping around for merchant banks and payment processors that provide reasonable terms.

As such, more than ever, merchants must work with their legal counsel and risk managers to understand and mitigate the risk. Merchant lawyers must analyze their clients' current contractual relationships with acquiring banks and assist in negotiating favorable terms with payment processors and merchant banks. Since the risk is somewhat unpredictable and may be difficult to eliminate, information security and privacy risk insurance should also be considered. Lawyers should carefully analyze the scope of information security liability coverage to make sure their PCI risk is being transferred to the insurers. If the proper steps are taken, merchants may be able to avoid or mitigate significant losses in the event of a security breach.

• Email This
• Print
• Comments
• Trackbacks (1)
• Share Link

While the details are still murky on the number of records impacted (somewhere between 13 and 8 million), it appears that we have a security breach of another high profile corporation claiming PCI compliance at the time of breach. SC Magazine has the story here.

Here is Best Western's statement on the breach:

"We comply with the Payment Card Industry (PCI) Data Security Standards (DSS). To maintain that compliance, Best Western maintains a secure network protected by firewalls and governed by a strong information security policy. We collect credit card information only when it is necessary to process a guest's reservation; we restrict access to that information to only those requiring access and through the use of unique and individual, password-protected points of entry; we encrypt credit card information in our systems and databases and in any electronic transmission over public networks; and again, we delete credit card information and all other personal information upon guest departure. We regularly test our systems and processes in an effort to protect customer information, and employ the services of industry-leading third-party firms to evaluate our safeguards."

Obviously, the facts are still murky, but it will be interesting to see what, if any, protection PCI compliance will have from a liability perspective and a "safe harbor" perspective.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

This Computerworld article was some issues: Hannaford may not have to pay banks' breach costs under PCI, says Gartner

This key part of the article is problematic:

"If true, Hannaford has a safe harbor under PCI and will not be required to reimburse banks and credit unions for any breach-related costs they may incur, according to information that Gartner analyst Avivah Litan said she has previously received from Visa Inc. Typically under PCI rules, if a company is non-compliant at the time of a beach, it faces two potential costs: fines from the payment-card companies and reimbursements of breach-related costs sustained by card-issuing banks and credit unions. Those costs can include payment of fraud losses resulting from the use of compromised payment-card data as well as breach notification and the costs associated with reissuing cards.

The fines and the reimbursement costs are not collected directly from the breached entity but through the "acquiring bank" that authorizes a company such as Hannaford to accept payment-card transactions. Under PCI rules, it is these acquiring banks that are directly responsible for ensuring that their merchants are PCI-compliant.

In Hannaford's case, while its acquiring bank may still get hit with a fine, "the buck stops there," Litan said. "Under the guidance Visa gave me, the acquiring bank wouldn't be able to take it back to the retailer," she said."

It appears that Litan is referencing the VISA CISP "Safe Harbor."

Interestingly, if you go to VISA's CISP website, the reference to the Safe Harbor has been removed. Here is what it used to say (as late as August 9, 2007 according to the Internet Archives) :

Safe Harbor

Safe harbor provides members protection from Visa fines in the event its merchant or service provider experiences a data compromise. To attain safe harbor status:

1. A member, merchant, or service provider must maintain full compliance at all times, including at the time of breach as demonstrated during a forensic investigation.
2. A member must demonstrate that prior to the compromise their merchant had already met the compliance validation requirements, demonstrating full compliance.
3. It is important to note that the submission of compliance validation documentation, in and of itself, does not provide the member safe harbor status. The entity must have adhered to all the requirements at the time of the compromise.

Link Here.

That language has been replaced on VISA's website with this:

Visa may waive fines in the event of a data compromise if there is no evidence of non-compliance with PCI DSS and Visa rules. To prevent fines a member, merchant, or service provider must maintain full compliance at all times, including at the time of breach as demonstrated during a forensic investigation. Additionally, a member must demonstrate that prior to the compromise the compromised entity had already met the compliance validation requirements, demonstrating full compliance.

Link Here

A few things to say:

(1) Safe Harbor for Fines Only. According to VISA's website the Safe Harbor (whatever version is applicable) only applies to fines Therefore, unless there is information out there that says it applies to reimbursing banks, it would appear that the Safe Harbor is limited. Litan indicates that she has seen some information; it would be excellent if she shared that.

(2) Safe Harbor at Visa's Discretion? As you can see, the VISA website has gone from "to attain safe harbor status" to "Visa may waive fines." Its not clear from this language whether safe harbor is "automatic" if a company can establish PCI compliance and VISA validation requirements, or whether its at VISA's OPTION to (e.g. "may waive") to waive fines if the merchant can establish compliance and validation.

(3) PCI Compliance and Validation Required. The safe harbor requires not only a demonstration of PCI compliance, but also requires (in both versions) that the merchant meet "compliance validation requirements." So, by this language, a merchant may have been PCI compliant, but it is unclear whether or not the safe harbor would be available if the merchant it did not "validate" that compliance with VISA (basically do a bunch of paperwork: link here)

(4) Safe Harbor Limited to Visa; Not Other Card Brands. Visa's safe harbor on its face would not provide protection from the other card brands, including MasterCard, Discover, AMEX, etc. If there is a side agreement between the card brands to honor compliance with VISA's safe harbor, I have yet to see it. This article gives the impression that compliance with VISA rules will somehow protect you from other card brands.

(5) Article Misidentifies "PCI Rules." As a follow up to (4), the article refers to the contractual arrangements between banks, credit card companies and merchants as "PCI Rules." In fact, those relationships are governed by each of the card brand's security programs. VISA's program is the Cardholder Information Security Program. Mastercard's is the Site Data Protection Program. So if a merchant deals with all five card brands it must comply with not only the PCI Standard (a security standard) but also five security programs. These programs have different definitions, procedures and requirements. To avoid confusion, people need to be careful to not conflate "PCI" with the card brand security programs.

(6) No Proof that Issuing Banks Bound to Honor Safe Harbor. the article appears to suggest that attaining VISA safe harbor will somehow prevent a merchant from having liability to issuing banks for the costs to reissue credit cards. It is not clear how an issuing bank would be bound by VISA's safe harbor; (a) as discussed below the safe harbor only deals with fines; and (b) the issuing bank is not in a contractual relationship with a merchant with respect to PCI so a merchant would have no basis to enforce the safe harbor against the issuing bank. If there is a document that requires all VISA issuing banks to respect the safe harbor it should be shared publicly so everybody can assess their liability.

(7) The Buck Only Stops if the Contract Stops It. The article suggest that in terms of fines, if safe harbor is attained, "the buck stops" at the acquiring bank. I would maintain that where the buck stops between a merchant and its acquiring bank is dictated legally by the terms of their contract and you cannot make a blanket statement.

On the broader issue, claiming PCI compliance and even actually achieving it does not automatically mean immunity in a lawsuit setting by any stretch.

It is entirely possible to be PCI compliant and still have "unreasonable security" for purposes of negligence suit by consumers or banks. Its possible to state you are PCI compliant and not actually be compliant.

Moreover, it's even possible for the Standard itself to be "unreasonable" (although that is obviously a more difficult argument to make to the extent the PCI Standard is "industry standard). A case that every security professional should know about: T.J. Hooper. In short, the issues around PCI are much more complex then being presented here and I think people need to be careful since there is already enough confusion out there already.

Much, much more to come...

• Email This
• Print
• Comments
• Trackbacks
• Share Link