Merchants, Beware: Could You Be Liable for Credit Card Breaches?
Retail Merchandiser December 2008
If you had been following financial headlines in August of this year, you would have seen the following reports:
August 5, 2008:
The United States Department of Justice announced the largest identity theft case ever prosecuted in the United States. The Department charged eleven individuals with hacking more than 40 million credit and debit card numbers, with indictments returned against three US citizens and foreign nationals in Estonia, Ukraine, China and Belarus. The defendants were charged with hacking into the wireless computer systems of a number of major consumer retailers, including TJX Companies, BJ’s Wholesale Club, OfficeMax, Boston Market, Dave & Busters, Barnes and Noble, Sports Authority and DSW, Inc.
August 22, 2008:
The Identity Theft Resource Center of San Diego, a nonprofit group, issued a report that the 449 data security breaches reported to that date in 2008 exceeded all of the security breaches reported during 2007, and that the number was probably higher, since many of the breaches involved multiple events.
August 25, 2008:
The Daily Mail of London reported that, due to a security breach at a Best Western Hotel in Amsterdam, up to eight million people were at risk of identity theft fraud, and authorities valued the information at up to 2.8 billion pounds – more than five billion dollars.
August 28, 2008:
Bank of New York Mellon Corp announced that a security breach involving the loss of personal information affected 12.5 million people, the largest newly reported data breach in the United States thus far in 2008.
Consumers have shown that they are more and more willing to engage in online and electronic transactions. Increased traffic on websites and increased internet sales show that consumers are increasingly comfortable with entrusting their names, addresses, credit card information and other sensitive information to the security steps undertaken by the companies with whom they deal. The headlines noted above make it clear that this trust is not necessarily misplaced in the way one might expect: the breaches included some Internet-based transactions, but the largest were based on in-store credit card sales, the transactions that consumers typically think are the safest. In these cases, thieves broke into wireless networks in stores and installed software programs to capture credit card numbers, passwords and account information as they were used to process purchases. They then sold the credit and debit card numbers on the Internet to other criminals, who used them to make purchases.
Many of us have received notices of these breaches, and have had to change credit card and other accounts, monitor credit profiles and take other steps to prevent, or to remediate, credit card and identity theft. What is not always addressed, however, is something else: who’s responsible for this, and who will get stuck with the check? The stakes are big – the cost of issuing credit cards and otherwise remediating a breach is substantial, and banks, merchants and credit card companies have all struggled not only to create safer systems, but to allocate risk and responsibility.
This is new ground for merchants. Traditionally, merchants did not hold sensitive financial information of their customers and clients. This role was traditionally held by financial institutions, which have long been subject to significant privacy concerns and compliance regimens under state and federal law. As credit cards have become the standard of financial transactions – it is estimated that 30% of all personal consumption expenditures are made through credit cards and debit cards – more and more information has been held outside the financial institutions system. At the same time, merchants, who now have access to and hold much of this information, have borne little risk when that sensitive data is compromised. Until the development of credit card industry standards, if a merchant’s data about its customers were compromised and used to engage in fraudulent transactions, the customers (cardholders) themselves were protected by federal law and by credit card companies’ policies, which generally provide that a cardholder does not have to pay for the fraudulent charges. If the merchant fulfilled its obligations by providing cardholder information to the bank that issued the card for authorization, received payment authorization and otherwise complied with card issuer requirements, it would receive payment for the goods it sold, whether the purchase was fraudulent or not. As a result, the party that would pay for the fraud losses and other costs of the compromise of financial data would be the bank or other financial institution that issued the card. The merchant from whom the financial data was obtained would not even enter into the equation.
Out of this new reality, a standard of care has arisen: the Payment Card Industry Data Security Standard, commonly referred to as “PCI DSS.” It has a significant impact on the liability of merchants who accept credit card transactions, and it is something lawyers should consider in helping clients structure their contractual relations.
As described by the Payment Card Industry Security Standards Council, PCI DSS is a set of comprehensive requirements for enhancing payment account data security. It was developed by the founding payment brands of the PCI Security Standards Council, including American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. International, to help facilitate the broad adoption of consistent data security measures on a global basis. The PCI DSS includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer account data.
PCI DSS does not only achieve greater protection for customer data; it has also become a de facto standard of care, which can result in unforeseen liability for a merchant whose data is compromised.
First, a merchant that does not fully comply with PCI DSS (and compliance is difficult and expensive) could find itself subject to a claim of negligence: a plaintiff could argue that under PCI DSS a merchant has the obligation to protect customer data, and that failure to comply with PCI DSS breaches the care ordinarily required of merchants. This claim was brought by a number of banks that sued TJX for the costs of reissuing credit cards in the wake of the massive security breach referred to above, resulting in a $65 million settlement with the banks, apart from legal fees and other costs.
Beyond this, a number of states are proposing or have adopted statutes which would give banks the right to reimbursement from a merchant for costs incurred in responding to a security breach. Some of these proposals go so far as to incorporate PCI DSS as the security standard in the bills. As a result, states have transformed PCI DSS from a piece of evidence in a claim of negligence to the legal standard by which negligence is measured.
Finally, as noted above, PCI DSS compliance presents a challenge to merchants. The standard is long and detailed, and even merchants with significant security infrastructures may be unable to comply with each and every facet of the standards. Commentators have noted that PCI DSS contains a number of ambiguities, and while PCI DSS is intended to be updated, those questions might not be answered.
While the future of PCI DSS and the allocation of risk among merchants, banks and credit card companies is not yet clear, attorneys can help protect their merchant clients by becoming involved in the PCI compliance process, which will require coordination with technical security personnel and an understanding of the scope of PCI DSS. As attorneys become more familiar with these processes (which may also apply to attorneys who accept credit cards for payment!), they will be in a better position to assist their clients in time-sensitive situations.
Copyright © Retail Merchandiser. December 2008. All rights reserved.