More “Touchless” Transactions Will Require Greater Vigilance by Businesses to Protect Customer Data

This column has previously discussed Minnesota’s Plastic Card Security Act (PCSA), under which, in 2007, Minnesota became the first state to pass a law shifting certain costs of customer data breaches from financial institutions to the businesses to whom customers provide data – such as credit- and debit-card information – when making transactions. Now, with the onset of the COVID-19 pandemic, businesses are being forced to consider avoiding transactions in cash and physical checks and bringing more commerce online, while financial institutions are considering wider implementation of “touchless” credit and debit cards. Thus, it is likely worthwhile to revisit the PCSA, particularly in light of its construction by the court in a major data-breach lawsuit since our last review of the law: the Target Corporation data-breach case.

Under the PCSA – set out at Minnesota Statutes section 325E.64 – any “person or entity conducting business in Minnesota” is prohibited from retaining security codes, PIN numbers, or the full contents of any track of magnetic stripe data from customers’ credit or debit cards (collectively, “Protected Customer Data”) for more than 48 hours after authorization of a transaction. A business is also responsible under the PCSA if its payment card “service provider” (i.e., a third party that stores, processes, or transmits customers’ payment card data on behalf of the business) stores Protected Customer Data beyond the 48-hour limit.

Legal liability under the PCSA is triggered when a person or business (or its service provider) that has violated the 48-hour rule suffers a security breach that exposes customers’ “personal information,” such as first name or first initial and last name in combination with other identifying data including social security number, driver’s license or Minnesota identification number, or account, credit, or debit card number and accompanying security code or password.  A financial institution that issued a customer’s card affected by the breach is entitled to reimbursement of the costs of “reasonable actions undertaken … as a result of the breach in order to protect the information of its cardholders or to continue to provide services to cardholders.”  In other words, businesses (or their service providers) that retain Protected Customer Data for more than 48 hours that suffer a customer data security breach must reimburse the customer’s financial institution/card-provider for the reasonable costs of protecting cardholder information and continuing service to cardholders. Such costs may include those relating to cancelling credit or debit cards, issuing replacement cards, refunding fraud losses, and paying for customer credit monitoring.

In short, the PCSA entitles a financial institution that issues a credit or debit card to recover money damages from a person or company conducting business in Minnesota that accepts the credit or debit card for payment if: (1) the person or company (or its service provider) violates the 48-hour rule for storing of Protected Customer Data; (2) the person or company (or its service provider) suffers a security breach exposing customers’ personal information; and (3) the financial institution incurs reasonable costs to protect or continue servicing cardholders.

In December 2013, Minnesota-based Target Corp. announced that over a three-week period during the busy holiday shopping season, hackers stole credit- and debit-card information of approximately 110 million Target customers. While it was ultimately determined that much of the data theft occurred at the moment customers “swiped” their cards at Target point-of-sale devices (both in stores and online), it was also asserted that hackers accessed additional information that was not part of “swipe” transactions, such as cards’ CVV codes, which Target allowed to be stored on its servers for up to six days after a transaction.

Not surprisingly, lawsuits ensued across the country, with all of them ultimately being consolidated into one class-action case in Minnesota federal district court. In addition to consumers’ claims, the case also involved claims against Target under the PCSA by financial institutions and credit-card companies that had issued cards whose information was stolen. Although the case did not proceed to trial (the parties settled the financial institutions’ and card companies’ claims for more than $100 million), a key juncture was the court’s denial of Target’s motion to dismiss the PCSA claims and related negligence claims. In allowing those claims to proceed, the court rejected three legal arguments advanced by Target.

First, Target argued that the PCSA only applies to transactions that occur in Minnesota, making it unavailable to reimburse financial institutions for damages stemming from theft of customer information generated by transactions outside Minnesota. The court swiftly rebuffed this argument, noting that the PCSA expressly applies to “any person or entity conducting business in Minnesota.” Thus, although Target undoubtedly processes transactions outside of Minnesota, “its data retention practices are governed by the [PCSA]” because it transacts some business in Minnesota.

Second, Target argued that because hackers stole some customer data immediately upon completion of “swipe” transactions and then stored that data on Target’s own servers for more than 48 hours, Target did not “retain” the customer data in violation of the PCSA. Target specifically argued that the word “retain,” as used in the PCSA, refers only to when a person or business “affirmatively stores data for its own future use,” rather than when the person or business merely “continues to have” data. While the court expressed skepticism with Target’s argument, it concluded that deciding which meaning of “retain” applied was unnecessary because the financial institutions alleged that regardless of whether hackers stored some stolen data on Target’s servers unbeknownst to Target, Target stored other customer card data, such as CVV codes, on its servers for more than 48 hours, allowing it to be stolen as well.

Finally, the court allowed the financial institutions’ common-law negligence claim to proceed, rejecting Target’s argument that it did not owe the financial institutions a legal duty. Specifically, the court noted that “the duty to safeguard credit- and debit-card data in Minnesota has received … legislative endorsement” in the PCSA, which expressly allows financial institutions to pursue “any other right or remedy otherwise available” concurrently with PCSA claims, such as a common-law negligence claim.

The Target case demonstrates why individuals and entities who conduct business in Minnesota must seriously safeguard customer data obtained in credit- and debit-card transactions, including by ensuring that data is not stored for longer than 48 hours after a transaction. As businesses and consumers will likely embrace “touchless” card-based transactions even more than before COVID-19, those individuals and entities should also ensure that their card-processing network and servers are secure, that network security is tested regularly, that employee access to cardholder data is properly controlled, and that a data-security policy is in place and updated regularly to keep pace with evolving standards set by the PCSA and other laws and regulations.

Eric Johnson is an attorney at Fryberger Law Firm, practicing primarily in the areas of business litigation and financial institution support. He can be reached at Fryberger’s Duluth office at (218) 722-0861.