Minnesota's "Plastic Card Security Act"
A Direct Path to Merchant Liability for Payment Card Security Breaches
As reported in ISC's March 2007 Newsletter, States like Massachusetts and a handful of others (five in total, including: MA, IL, CT, TX and MN) are considering bills that provide financial institutions (e.g. banks and credit unions) with the ability to sue organizations that expose payment card data due to a security breach ("Payment Card Breach Laws"). These proposed Payment Card Breach Laws provide banks with the right to reimbursement from merchants for costs associated with payment card security breaches, including for the cost to reissue credit cards (allegedly $20 - $50 per card). In short, under Payment Card Breach Laws, when a merchant suffers a breach it could be liable for thousands or even millions of dollars. Taking an extreme example, in the TJX matter, 45 million cards where allegedly exposed - the cost to reissue assuming $20 per card is $900 million. For smaller or medium companies that lose thousands or tens of thousands of card numbers, the impact could jeopardize their solvency. On May 21, 2007, Minnesota became the first State to pass such a law -- Minnesota's Plastic Card Security Act (H.F. 1758 -- the "Act") is a landmark statute that may radically increase the risk of liability and alter the security practices of retailers and service providers handling payment card data. In this issue, ISC summarizes the Act and outlines some of the issues and challenges arising out of it.
1. The Plastic Card Security Act
Subdivisions 1 and 2 of the Act, which prohibit the retention of certain payment card data for more than forty-eight (48) hours, first take effect on August 1, 2007. Subdivisions 3 and 4 of the law, which provides the right to reimbursement and allow financial institutions to file lawsuits to recover costs associated with a payment card security breach do not apply until August 1, 2008, and only apply to security breaches occurring after that date.
A. "The 48-hour Rule" -- Payment Card Retention Limitations (Subdivisions 1 and 2)
Subdivisions 1 and 2 of the Act attempt to address the problem of payment card security breaches by prohibiting companies that accept payment cards from retaining card security code data, PIN verification code numbers or the full contents of any track of magnetic stripe data ("Sensitive Authentication Data"), subsequent to forty-eight (48) hours after authorization of a transaction. Stated more simply, to comply with the Act, companies accepting payment cards must destroy or delete Sensitive Authentication Data within 48 hours of authorizing a transaction with such data (the "48-hour rule"). This Act also applies to entities using service providers that store, process or transmit payment card data - a merchant that provides Sensitive Authentication Data to a service provider will be in violation of the Act if its service provider does not comply with the 48-hour rule. Coincidentally (or perhaps not so coincidentally) the Payment Card Industry Data Security Standard, v. 1.1 ("PCI Standard") also references and has rules surrounding Sensitive Authentication Data. Section 3.2 of the PCI Standard (as well as the Preface) prohibits the storage of Sensitive Authentication Data subsequent to authorization (even if encrypted). Unlike the Act, the PCI Standard does not specify a timeframe during which the merchant may retain Sensitive Authentication Data - by its silence, the PCI Standard arguably appears to require the destruction or deletion of Sensitive Authentication "immediately" after authentication. Therefore, as discussed below, PCI compliance (where there has been a tight interpretation of the section 3.2 requirements) may effectively act as a "quasi-safe harbor" from liability under the Act.
B. Financial Institution's Right to Reimbursement
The Act uses violation of the 48-hour rule as the trigger for financial institutions to recover when there is a security breach exposing payment card data. Subdivision 3 provides that when an entity that has violated the 48-hour rule suffers a security breach (or its service provider suffers a breach), any financial institution that issued payment cards affected by such breach is entitled to reimbursement of the costs of "reasonable actions undertaken by the financial institution as a result of the breach in order to protect the information of its cardholders or to continue to provide services to cardholders." Stated more simply, merchants holding Sensitive Authentication Data for more than 48 hours that suffer a security breach must reimburse "issuing banks" reasonable costs to protect cardholder information and continue servicing cardholders. Such costs could include (but are not limited to) costs in connection with:
- cancellation or reissuance of payment cards affected by the breach;
- closure of accounts affected by the breach;
- opening or reopening of accounts affected by the breach;
- refunds or credits to cardholders to cover the costs of unauthorized transactions; and
- notification of cardholders affected by the breach.
In addition, such financial institutions are entitled to recover costs for damages paid by them to cardholders injured by the breach (e.g. essentially an indemnification right in the event the financial institution is sued or settles with a cardholder). Subdivision 4. of the Act (Remedies) provides financial institutions with a private right of under section 8.31 subdivision 3a. of Minnesota's laws (basically a consumer protection statute). In addition to a right to bring a suit to recover damages and equitable relief, subdivision 3a provides the financial institution with the right to seek costs of investigation and attorney fees. The Act states that the financial institution's private right of action is in the public interest and indicates that the remedies are cumulative and do not restrict any other rights or remedies available.
This law presents some very interesting issues and challenges for companies accepting payment cards.
A. Direct Path to Liability -- Low Harm Threshold - "Costs of Reasonable Actions"
Where the worlds of data security and the law meet, to date and despite many lawsuits, there have been very few instances of courts finding legal liability for security breaches. In fact, issuing banks have previously tried to sue retailers for payment card data breaches, but the courts presiding over those cases rejected the banks' third party beneficiary, negligence, promissory estoppel and breach of fiduciary duty claims, and dismissed the cases (see e.g. B.J. Wholesaler Summary Judgment Ruling, PSECU Motion to Dismiss). In short, there was no legal theory that clearly provided a right for issuing banks to recover - that hurdle has been jumped by the passage of the Act. Now issuing banks have specific statutory rights to reimbursement and indemnity, as well as a private right of action to enforce those rights. The only requirements are as follows: (1) the entity is in violation of the 48-hour rule; (2) it suffers a breach of personal information affecting payment cards; and (3) the issuing financial institution incurs costs of reasonable actions to protect or continue servicing cardholders. There is no requirement that the merchant have acted intentionally, willfully, recklessly or negligently.In fact, it does not appear that the financial institution even has to establish that Sensitive Authentication Data was exposed. As far as reimbursable costs are concerned, the issuing financial institution need not establish that the costs it incurs are necessary, just that the costs arise out of "reasonable" actions. The issuing financial institutions are not explicitly required to show that they will suffer harm or fraud if they do not take the actions (although this would factor into what constitutes "reasonable actions"). Their actions can be completely precautionary in nature so long as they are reasonable. In addition, there is a high likelihood that a court would view the list of example provided in the statute as representing examples of "reasonable actions" and perhaps a minimum list of what financial institutions are entitled reimbursement for. With the costs to reissue cards allegedly ranging from $20-50 per card, the costs of reissuance alone could be substantial (e.g. banks, including Chase, Citibank, the Maine Credit Union and TD Bank North, have already reportedly reissued millions of payment cards based on the TJX breach).
B. Nationwide Applicability -- Scope Beyond Minnesota?
Does the Minnesota law have a nationwide applicability? The answer is "maybe" for persons or entities doing business in Minnesota and elsewhere in the United States. Unlike Minnesota's consumer-oriented breach notice law, which requires notice to Minnesota residents whose personal information may have been acquired by an unauthorized person (See H.F. 2121), the Act is not limited to Minnesota residents. Rather, it applies to "persons or entit[ies] conducting business in Minnesota" and unauthorized acquisition of computerized personal information (regardless of the residency associated with that information). Therefore, by the plain words of the statute, it may be possible that a company simply doing business in Minnesota, which suffers a breach in California, could trigger duties under the Act.Of course there may be jurisdictional issues that preclude suit in Minnesota or application of Minnesota law, but the issue is complex and far from clear.
C. Service Provider Liability
Unfortunately for merchants that use service providers to handle payment card data, the Act still applies if their service provider suffers a breach. What this means for practical purposes is that merchants must ensure that their service providers have processes in place to comply with the 48-hour retention rule. This may be problematic: if the service provider does not have those processes in place it may charge merchants to comply. Moreover, despite the August 1, 2007 start date for the Act, it may take some time to modify systems and processes to achieve compliance. Finally, the Act will require merchants to add new contractual duties to their service provider contracts that mandate compliance with the Act and most importantly, provide for indemnification. Significantly the Act makes the merchant responsible for the breach, and does not provide a direct route for banks to go after service providers unless "accepting an access device [payment card] in connection with a transaction." Merchants will have to add indemnification language to shift the risk of loss for breaches that are the service provider's fault. For existing relationships, merchants may have to reopen contract negotiations.
D. Personal Information Requirement
One potential limitation of the Act is the definition of "personal information." The Act requires the acquisition of personal information by an unauthorized person to be triggered. In this context, personal information includes an individual's first (or first initial) and last name, in combination with account number or credit or debit card numbers, in combination with any required security code, access code or password that would permit access to an individual's financial account. Therefore, if a breach occurs that only exposes payment card data, but does not expose the combination of data listed in the definition of "personal information," the Act may not apply. It is unclear whether companies can segregate this data to avoid the combination that triggers the Act - merchants should confer with their internal or external security professionals to further explore this and other risk-reducing measures.
E. No Encryption "Safe Harbor"
Unlike Minnesota's breach notice law applying to consumers (see H.F. 2121) which only applies to breaches of "unencrypted" personal information, the Act does not provide an "encryption" safe harbor. In other words, the Act applies even if Sensitive Authentication Data stored more than 48-hours is encrypted. It appears that the drafters have decided that the only way to avoid applicability of the law is to destroy or erase Sensitive Authentication Data. Significantly, section 3.2 of the PCI Standard also discounts encryption of this data.
F. Relationship to the PCI Standard - PCI "Quasi-Safe Harbor?"
Is compliance with the Act impacted in any way if a merchant or service provider is compliant with the PCI Standard. Strict compliance with the PCI Standard may effectively create a quasi safe-harbor to avoid liability under the Act. Both the Act and the PCI Standard prohibit the retention of Sensitive Authentication Data, however the Act allows retention of such data for 48 hours, while section 3.2 of the PCI Standard prohibits storage of such data completely after authentication (some qualified security assessors have said that VISA's time limit is 24 hours - however this is not explicitly stated anywhere). Therefore, if an entity is compliant with the PCI Standard, so long as section 3.2 of the PCI Standard has been strictly interpreted and followed (e.g. immediate deletion or destruction), they should also be in compliance with the Act's 48-hour retention rule. The problem of course is that it is possible that some entities (or their qualified security assessors) may have interpreted section 3.2 more loosely, potentially allowing Sensitive Authentication Data to be retained beyond 48 hours. Therefore, entities that are PCI Compliant should not automatically conclude that they are compliant with the Act. They should check with their internal or external security assessors to determine how long Sensitive Authentication Data is stored and how strictly they interpret rule 3.2. Moreover, for future PCI security assessments, entities should at least consider imposing a 48-hour retention limitation on Sensitive Authentication Data retention if they want to be aligned with the Act.<
The Plastic Card Security Act and similar Payment Card Breach laws are likely to significantly impact the data security risks and liability associated with handling payment card data. For one of the first times in U.S. history, a direct liability path exists for a large segment of U.S. businesses that suffer security breaches involving payment card data. The true impact will not be known until these laws are used, but, especially for small or medium companies heavily reliant on payment card transactions, a careful examination of security practices and service provider contracts is recommended to achieve compliance with the Act. In addition, for those merchants that have not yet complied with the PCI Standard, now is the time to get serious. As with many data security-related laws and regimes, compliance and risk management is a multi-disciplinary exercise. Entities should retain an attorney to assist with interpreting the Act and modifying service provider contracts to align with the Acts 48-hour rule. Security professionals should be asked to assist with achieving the data retention requirements, as well as working toward PCI compliance (and strict compliance with section 3.2). Finally, this is an area where information security and privacy liability insurance has clear and direct value. Companies should look at their current policies to determine whether coverage exists, and should consider security and privacy policies available in the market that are directly geared toward covering such liability. Taking these steps will provide a solid foundation to begin addressing the risk associated with the Act and other Payment Card Breach Laws that get passed.