Data-Breach Cases Begin to Spawn Legal and Regulatory Fallout

As the number of headlines about database breaches grows, so too does the number of lawsuits filed in response, as well as the amount of legislation aimed at better protecting consumer data. Several suits have already been filed in the wake of recent thefts of card data at Columbus, Ohio-based DSW Shoe Warehouse, Natick, Mass.-based BJ's Wholesale Club, and Tucson, Ariz.-based CardSystems Solutions Inc. The suits are aimed at not only holding those retailers and CardSystems culpable for the breaches that occurred under their watch, as well as any resulting card fraud, but also to establish precedent for new laws aimed at ensuring consumers affected by the breaches are informed that personal data about them has been stolen. The latter is the focal point of a class-action suit filed in California against CardSystems, Visa U.S.A., and Merrick Bank, CardSystems' acquirer, on behalf of California cardholders. The suit cites violation of a California law that requires consumers be notified in a timely fashion if personal data about them held by a third-party is hacked or stolen, which allegedly did not happen in the CardSystems case. “We are asking for an interpretation of this statute,” says Ira Rothken, managing partner for San Rafael, Calif.-based Rothken Law Firm. “We believe that when a company such as CardSystems handles consumer data, they have a heightened standard of care.” The lawsuit asks that CardSystems, Visa, and MasterCard notify all consumers who had their personal information exposed in the breach and that consumers whose personal information was stolen receive more detailed notification about their risk exposure. In addition, the suit asks that all affected consumers receive access to a credit-monitoring service and that the card companies waive any merchant chargeback or penalty fees for fraud committed using the stolen account information. One of the questions Rothken is likely to seek to have answered in the proceedings is why CardSystems was allowed to continue storing and handling consumer card data when the company has acknowledged it was not compliant with the card companies' Payment Card Industry (PCI) data standard at the time of the breach. Rothken has also indicated his inquiry will try to establish how extensive knowledge of CardSystems' noncompliance was among the defendants. “The very existence of Visa and MasterCard is to ensure the integrity of their transaction networks,” he adds. In June, Ohio Attorney General Jim Petro filed suit against retailer DSW in Franklin County Common Pleas Court. The suit, which is reportedly being used as a lever to spur state representatives to toughen consumer data security and protection laws, asks that DSW notify the remaining customers affected by the breach, which was disclosed in March (Digital Transactions News, March 22). DSW has reportedly notified half of the 1.4 million consumers affected. Massachusetts Attorney General Thomas F. Reilly has also sent a letter to DSW asking that the chain disclose where consumers have been affected. The move is considered precautionary, since the state has no evidence that Massachusetts cardholders have been affected, although there are eight DSW stores in the state. One high-profile consumer affected by the DSW breach, which occurred at 108 stores in 25 states between November 2004 and February 2005, is Deborah Platt Majoras, chairwoman of the Federal Trade Commission. So far, the FTC has taken no specific action in relation to the DSW the case, though it did reach a settlement in June with BJ's Wholesale Club. The FTC had charged BJ's with failure to encrypt customer data when transmitted or stored on its servers, keeping consumer data in files accessible using default passwords, and running insecure, and poorly monitored wireless networks. The settlement requires BJ's, which operates 157 warehouse stores and 83 gas stations in 16 Eastern states, to implement a comprehensive information-security program to be checked by a third-party auditing firm every other year for the next two decades. On a broader level, legislation is being crafted in the U.S. Senate, where Sen. Arlen Specter (R-Pa.) and Patrick Leahy (D-Vt.) have introduced a bill aimed at tougher data security requirements for all businesses. The move has heightened concerns that state legislators will become more aggressive in passing laws protecting consumers in the event of a data breach. At least 11 states have passed laws requiring consumers to be notified in the event of data breach. These laws, however, usually apply only if the consumer's name and account number or name and password are stolen, which renders them ineffective for a large portion of breaches that occur. If states and the feds become more aggressive in passing consumer data protection laws, they could create a compliance maze for acquirers, processors, and merchants, on top of the threat of litigation resulting from each new breach. Cautions Jim Cowing, managing director for San Mateo, Calif.-based PCI audit firm Digital Resources Group: “Our advice to clients is that PCI compliance is serious stuff and if you are caught on the short end, it will not be a pleasant process.”