Data Security is Fast Becoming a Matter of Law

  In the months after the TJX Cos. data-breach revelation rocked the payments industry in January, aftershocks continue to spread throughout the U.S. legislative and legal system. And as new laws attempting to prevent and respond to data breaches proliferate, so, too, do security-related lawsuits against merchants.
  In Massachusetts, Attorney General Martha Coakley is preparing a multistate class-action against TJX for the compromised payment data of millions of its customers. In Minnesota, a new state law borrows language from the Payment Card Industry Data Security Standard and says merchants will have to reimburse banks for some breach-related costs. And retailers coast to coast are being smacked with lawsuits for not truncating card numbers and expiration dates on receipts.
  Such legal punishments for merchant-security lapses both real and imagined have growing support from lawmakers, consumers and even some card issuers, particularly small ones. But merchant groups maintain that they should be treated as partners in fighting data thieves, not as negligent criminals forced to cover yet another cost of accepting card payments.
  Massachusetts legislators considered the first bill to require merchants to pay for breach-related costs.
  On Jan. 10, Massachusetts state Rep. Michael Costello, a Democrat, filed a broad personal-data security bill that called for breached government agencies or businesses operating in the state to reimburse third parties for data breach-related costs. That included breached entities paying financial institutions for their costs of canceling and reissuing compromised payment cards and footing the bill for fees to freeze consumer accounts and credit information.
  Arguments for the bill were boosted by the Jan. 29 announcement by Framingham, Mass.-based TJX that data thieves had accessed the computer network of its 2,300 stores, which operate in the U.S., Canada and England under names that include T.J. Maxx, Home Goods and Marshalls. Thieves had been stealing customer payment records for several months, leading to more than 45 million accounts being compromised.
  MERCHANTS DODGE BULLET
  The breach broke previous records for the number of accounts compromised. And it joined the flow of leaks of personal and payment data, from private businesses and government agencies, that a growing number of state breach-disclosure laws have made public.
In the end, Massachusetts merchants dodged the reimbursement-provision bullet, which was dropped before the bill became law on Aug. 2. The new law only mandates disclosure of breaches and caps at $5 the fees consumers pay to freeze access to their credit reports and to halt issuance of new credit.
  "Considering where [the bill] started and some of the proposals that were on the table, we feel it was a pretty balanced bill," says Jon Hurst, president of the Retailers Association of Massachusetts, whose 3,000 members include TJX but mostly are store and restaurant owners with five or fewer locations. "Copycat proposals have sprung up around the country, so we're concerned about that."
  MINNESOTA RETAILERS LESS LUCKY
  Reimbursement legislation was more successful in Minnesota.
  In March, five state legislators introduced the Plastic Card Security Act, which the governor signed into law in May. It became illegal on Aug. 1 for any individual or business in Minnesota that accepts credit or debit cards to retain card security-code data, PIN-verification code numbers or the full contents of any track of magnetic stripe data.
  Sound familiar? The law echoes many provisions of the PCI Data Security Standard that Visa USA, MasterCard Worldwide, American Express Co., Discover Financial Services and JCB require of merchants accepting their cards.
  The state will not hold merchants liable for infractions of the law until August 2008. After that, any person, business or government agency responsible for a breach who also violates the statute will be required to reimburse financial institutions for some breach-related costs.
The Minnesota Retailers Association opposed the law and objected to its introduction on March 7, less than two months before the last legislative committee deadline of April 27. "It was given very little hearing," says Buzz Anderson, the association's president. "It has unintended consequences that no one has thought of yet."
  Craig Shearman, spokesperson for the National Retail Federation, also opposed the Minnesota law.
  "PCI is something that has a lot of problems that we're working with card networks to change," he says. "To have [the standard] cast in stone as a state law would preclude a lot of what's going on between the various parties involved."
  The Minnesota Credit Union Network found legislators to support the bill and helped draft it, says Mark Cummins, the organization's president. He disagrees with Anderson's contention that the bill was rushed through the legislature.
  "The timing of it was completely fair," Cummins says. "It went through all the required committees. Mr. Anderson himself testified."
  COMPLIANCE PRESSURES MOUNT
Although most PCI-compliance deadlines are long past, many merchants and merchant organizations continue to pressure card networks and the newly formed PCI Council to relax or change certain rules they find onerous. And card networks could add to or change PCI rules as new security threats are discovered.
  Meanwhile, Visa reported in July that only 40% of Level 1 and 33% of Level 2 merchants (see chart, page 34) had validated their compliance with PCI rules that month.
  A Visa statement said that many noncompliant merchants had submitted plans to address security flaws discovered in their initial PCI assessments.
  Visa planned to enact stiffer PCI penalties, which vary by merchant size and situation, beginning Oct. 1. That is when acquirers for noncompliant merchants with one million or more annual Visa transactions could receive less-favorable interchange rates than compliant merchants. Visa also said it will begin this month to fine acquirers monthly for noncompliance of Level 1 merchants.
  SOME COMPROMISES
  Minnesota merchants won a few concessions from legislators. Only financial institutions, not individuals or other businesses, will be able to sue for compensation for breach-related losses, and plaintiffs will have to deduct from loss claims any breach costs that card networks reimburse. Moreover, merchants can retain debit card PINs for up to 48 hours.
  "There were some compromises made, which I appreciated," Anderson says, adding, though, that merchants in the state are "very frustrated" about the law. "We're already subject to penalties [for PCI violations], and we already pay higher rates to cover the cost of fraud."
  Other states have considered PCI-like legislation.
  Last spring, the Texas House of Representatives passed a bill that would have required Texas businesses to "comply with payment card industry data security standards." Under the Texas bill, PCI-compliant merchants that have a card-data breach would have been protected from class-action lawsuits over the breach. But a financial institution, such as a card issuer, could have sued for reimbursement of data-breach costs.
  The bill failed to reach a vote in the state Senate before the legislative session ended in May.
  But that does not mean Texas merchants need not fear legal repercussions of security lapses. Texas legislators recently beefed up identity-theft prevention laws to give the state attorney general's office more power to investigate and prosecute violators, and the office is aggressively using that new authority.
  Since April, Texas Attorney General Greg Abbott has announced suits against Radio Shack, CVS Pharmacy, Life Time Fitness, Check 'n Go and EZPawn for allegedly discarding unshredded documents with sensitive consumer data in dumpsters behind stores around the state.
A new team of a dozen or so investigators now checks store dumpsters randomly or follows tips from consumers, a spokesperson for Abbott says.
  The complaint filed in August against Eden Prairie, Minn.-based Life Time Fitness and its subsidiaries says investigators found dumpsters at six of the fitness-center chain's Dallas-area locations containing documents showing credit card numbers, expiration dates, Social Security numbers, addresses and other information useful to identity thieves.
  Life Time Fitness and its subsidiaries "systematically" violated the state's 2005 Identity Theft Enforcement and Protection Act by dumping such unshredded information, according to the complaint.
  TEXAS TARGETS NONCOMPLIERS
  The suit also alleges that the chain violated the Texas Deceptive Trade Practices Act because Life Time Fitness had indicated to customers it would protect their private and financial information.
  "That was just a flat lie because they didn't provide the care and security to their customers' private information that they promised," Abbott said in a news conference video posted on the attorney general's Web site.
Under the Identity Theft Enforcement and Protection Act, which was passed by the Texas legislature in 2005, violators can be fined $25,000 per violation. The Texas Deceptive Trade Practices Act allows civil penalties up to $50,000 per violation, which the attorney general will seek from Life Time Fitness.
  Life Time Fitness released a statement that says the company does not comment on pending litigation but that its policy is to shred discarded documents containing sensitive information.
  "We were disappointed and surprised to learn of the attorney general's allegations," the statement says. "We intend to work with the Texas Attorney General's Office to ensure that our members' sensitive personal information is properly protected."
  It also was a long, hot summer for merchants across the country facing lawsuits for not truncating card numbers or expiration dates on receipts they return to customers.
  A 2003 amendment to the federal Fair Credit Reporting Act says "no person that accepts credit cards or debit cards for the transaction of business shall print more than the last 5 digits of the card number or the expiration date upon any receipt provided to the cardholder at the point of the sale or transaction." The rule does not apply to receipts that are handwritten or created by nonelectronic devices that capture carbon imprints of card faces.
  To give retailers enough time to adjust their electronic payment systems and practices, the amendment did not go into effect until December 2006. But since then, retailers have been subject to civil penalties by the Federal Trade Commission or lawsuits if they do not comply.
  DIFFERING INTERPRETATIONS
  And the lawsuits are lining up, many of them hinging on differing interpretations of the statute. Some defense attorneys, and the National Retail Federation, argue that the act could be construed to mean that receipts can contain either full card numbers or expiration dates but not both.
  But plaintiffs attorneys say the law clearly means print only truncated card numbers and no expiration date. A reminder about receipt truncation that the FTC issued in June, after many lawsuits were filed, leaves less room for debate.
  "You may include no more than the last five digits of the card number, and you must delete the card's expiration date," the statement says.
In August, two Apple Inc. customers filed a class-action lawsuit in a Florida court. The plaintiffs, Angely Maria and Todd Narson, received from Apple's online store receipts intended to be printed by customers from their computers. The receipts did not show full payment card numbers, but they displayed the cards' expiration dates.
  The receipts also show the purchaser's full name, home address, phone number and e-mail address. The suit does not allege that any actual identity theft occurred because of Cupertino, Calif.-based Apple's receipt practices, only that the company exposed its customers to greater risk.
  "It's extraordinarily difficult to trace identity theft to a specific information loss," says Matthew Sarelson, the plaintiffs' attorney. "It's cheaper and easier in a million different ways to prevent identity theft than to fix it after the fact."
  Apple officials did not return calls and e-mails requesting comment.
  But attorney Michael Cereseto, who is representing San Diego-based women's clothing chain Charlotte Russe in another would-be class-action case, says he believes little or no harm could come to consumers from expiration dates falling into the wrong hands. "Of course, the statutory damages they were alleging were astronomical," Cereseto says. "If you can prove a willful violation, damages can be between $100 and $1,000 per transaction."
  LAWSUITS CONTINUE TO MOUNT
  Cereseto says he counts some 250 truncation suits around the country so far against merchants ranging from Expedia and Burger King to mom-and-pop stores. Most are filed by a handful of firms, he says, including Spiro Moss, which is representing plaintiff Frida Najarian against Charlotte Russe for printing card-expiration dates but not full card numbers on receipts.
  Charlotte Russe's defense has rested mostly on willfulness.
  The retail chain had at least one piece of evidence that it had tried to comply with the law. Defense attorneys showed the judge an old purchase order for payment software firm Computer Dynamics Inc. to bring store receipts into compliance with a California law that in 2001 required truncation of card numbers and suppression of expiration dates.
  "When they modified the program, the [card number] truncation occurred, but when they tested it, no one tested for the expiration-data suppression, so that just fell through the cracks," Cereseto says.
The argument convinced Los Angeles District Judge Gary Klausner, who in June denied the plaintiffs' class certification and in August granted the defense its motion for summary judgment against the plaintiffs. Spiro Moss counsel say they plan to appeal the ruling.
  If that happens, Charlotte Russe will maintain its countersuit against Computer Dynamics for failing to adjust its payment systems to suppress expiration dates on receipts.
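The truncation rule described above (no more than the last five digits of the card number, and no expiration date, as the FTC reads the statute) and the Charlotte Russe testing gap (number truncated, expiration date never suppressed) lend themselves to one small check. The following is an added example, not code from the article or from any merchant or vendor named in it: it inspects receipt text for both requirements at once, so a test suite cannot pass on the first while missing the second. The store name, timestamps and receipts are constructed; 4111 1111 1111 1111 is a standard test card number, not a real account.

```python
"""Added example: check receipt text against the FACTA truncation rule.

Two requirements are tested independently so a fix for one cannot hide a
miss on the other: no more than the last five digits of the card number
may be visible, and no expiration date may be printed at all.
"""
from __future__ import annotations

import re

# Run of 13-19 digits, optionally separated by single spaces or dashes, that
# is not itself the visible tail of a masked number.
PAN_RUN = re.compile(r"(?<![\d*Xx#])(?:\d[ -]?){12,18}\d(?!\d)")
# Masked number whose visible tail is six or more digits ("************1234567").
MASKED_TAIL = re.compile(r"[*Xx#]{4,}[ -]?((?:\d[ -]?){5,}\d)")
# Any line carrying a card number, masked or not.
CARD_LINE = re.compile(r"[*Xx#]{4,}[ -]?\d|" + PAN_RUN.pattern)
# Expiration date next to an EXP-style label ("EXP 05/09", "Expires: 05/2009").
LABELED_EXPIRY = re.compile(
    r"\bEXP(?:IRES|IRY|IRATION)?\b\.?:?\s*(?:0[1-9]|1[0-2])\s*/\s*\d{2}(?:\d{2})?",
    re.IGNORECASE)
# Bare MM/YY or MM/YYYY on a card line. A transaction date such as 08/15/07
# has a third field, so the look-around excludes it.
BARE_EXPIRY = re.compile(r"(?<![\d/])(?:0[1-9]|1[0-2])/\d{2}(?:\d{2})?(?![\d/])")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to skip long order or reference numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def check_receipt(text: str) -> list[str]:
    """Return one finding per violation; an empty list means the receipt passes."""
    findings: list[str] = []
    for no, line in enumerate(text.splitlines(), 1):
        for m in PAN_RUN.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(digits):
                findings.append(f"line {no}: full card number printed ({len(digits)} digits)")
        for m in MASKED_TAIL.finditer(line):
            visible = re.sub(r"[ -]", "", m.group(1))
            findings.append(f"line {no}: {len(visible)} trailing digits visible, limit is 5")
        if LABELED_EXPIRY.search(line) or (CARD_LINE.search(line) and BARE_EXPIRY.search(line)):
            findings.append(f"line {no}: expiration date printed")
    return findings


def render_receipt(brand: str, pan: str, expiry_mmyy: str, total: str) -> str:
    """Receipt text as a compliant terminal should print it. The terminal holds
    the full card record, expiry included, but prints only the last four digits
    (the statute allows five) and never the expiry."""
    digits = re.sub(r"\D", "", pan)
    del expiry_mmyy  # part of the card record; deliberately not rendered
    return (f"ACME STORE #0412      08/15/07 14:32\n"
            f"{brand}  XXXX XXXX XXXX {digits[-4:]}\n"
            f"TOTAL          ${total}\n")


# Constructed receipts, not from any merchant or court filing.
SAMPLES = {
    "full PAN and expiry": (
        "ACME STORE #0412      08/15/07 14:32\n"
        "VISA  4111 1111 1111 1111  EXP 05/09\n"
        "TOTAL          $42.17\n"),
    # Number truncated, expiry never suppressed: the gap the Charlotte Russe
    # case turned on, because nobody tested for the second requirement.
    "PAN truncated, expiry printed": (
        "ACME STORE #0412      08/15/07 14:32\n"
        "VISA  XXXX XXXX XXXX 1111  EXP 05/09\n"
        "TOTAL          $42.17\n"),
    "compliant": (
        "ACME STORE #0412      08/15/07 14:32\n"
        "VISA  XXXX XXXX XXXX 1111\n"
        "TOTAL          $42.17\n"),
}

if __name__ == "__main__":
    for name, receipt in SAMPLES.items():
        print(f"{name}: {check_receipt(receipt) or 'ok'}")
    print(check_receipt(render_receipt("VISA", "4111 1111 1111 1111", "05/09", "42.17")) or "ok")
```

Run against the three samples, the first receipt draws two findings, the half-fixed one draws one (the expiration date), and the compliant one draws none. The expiry check fires whether or not the number was truncated, which follows the FTC's reading rather than the either/or reading some defense attorneys have argued; wiring `check_receipt` over the terminal's real output into a regression test is the step that would have caught the gap Cereseto describes.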
  Perhaps the most novel defense comes from the attorneys representing Jewel Food Stores Inc., a supermarket and pharmacy chain being sued for including card-expiration dates on its receipts. In July, they argued in a court filing that the restriction interferes with Jewel's First Amendment rights to communicate necessary information to its customers.
  Jewel representatives did not return calls seeking comments on the case.
  "I don't want to pooh-pooh anybody's claims that their constitutional rights have been violated," says Dan Lynch, an attorney representing Stephen Cicilline Jr. in the suit against Jewel. "But, ultimately, the courts will conclude that the interest in keeping these numbers confidential trumps whatever rights Jewel has to publish the full card number and expiration dates."
  COSTS CAN BE SIGNIFICANT
  Whether by mandated reimbursement, lawsuit, higher interchange fees or tarnished credibility with customers, merchants' breach-related costs can be significant.
  In announcing its second-quarter earnings in August, TJX reported that costs stemming from its breach cut the company's second-quarter profits by more than half because of a $118 million charge. The charge includes a $107 million reserve to cover litigation and investigative expenses and $11 million for breach-related costs incurred during the quarter.
  The charges dwarf the $17 million in total breach charges the company recorded in its previous two quarters.
Of course, no laws or legal challenges will stop crooks from continuing attempts to steal data they can use for payment card fraud. But fear of embarrassment and financial loss is already an incentive for everyone who touches payment data to try to protect it.
  (c) 2007 Cards&Payments and SourceMedia, Inc. All Rights Reserved.
  http://www.cardforum.com http://www.sourcemedia.com
