A Law Businesses, Banks and Consumers Should Know:
In 2007, Minnesota became the first state to enact legislation shifting, in certain circumstances, the costs of consumer data breaches from financial institutions to the persons or businesses that directly transacted with consumers whose data was exposed. Under the Plastic Card Security Act (“PCSA”), set out at Minnesota Statutes section 325E.64, any “person or entity conducting business in Minnesota” is prohibited from storing security codes, PIN numbers, or the full contents of any track of magnetic stripe data from customers’ debit or credit cards (collectively, “Protected Customer Data”) for more than 48 hours after authorization of a transaction. A business is also responsible under the PCSA if its payment card “service provider” (i.e., a third party that stores, processes or transmits customers’ payment card data on behalf of the business) stores Protected Customer Data beyond the 48-hour limit. Thus, the PCSA imposes greater responsibilities than the data breach notification laws previously adopted in many states, including Minnesota Statutes section 325E.61, which merely require businesses to notify customers whose personal data the business reasonably believes has been obtained by a third party.
Businesses conducting payment card transactions, as well as banks, credit unions and other financial institutions, should be familiar with the PCSA and its application.
The PCSA is based on a portion of the Payment Card Industry Data Security Standard (“PCI DSS”)—a set of technical and business process requirements developed by the credit card industry and enforced by individual card brands (such as Visa and MasterCard) against anyone who processes, handles or stores credit card information. The PCI DSS prohibits the storage of Protected Customer Data following authorization of a payment card transaction. Unlike the PCSA, which allows a 48-hour window before destruction or deletion of Protected Customer Data is required, the PCI DSS provides no window for data retention, and may be read as mandating immediate destruction or deletion of Protected Customer Data following authorization of a transaction. Thus, compliance with the PCI DSS may effectively serve as a “safe harbor” from PCSA liability.
Liability under the PCSA is triggered when a person or business (or its service provider) that has violated the 48-hour rule suffers a security breach that exposes customers’ “personal information.” For purposes of the PCSA, “personal information” includes cardholders’ first name or first initial and last name in combination with other data such as social security number, driver’s license or Minnesota identification number, or account, credit or debit card number and accompanying security code or password. A financial institution that issued payment cards affected by the breach is entitled to reimbursement of the costs of “reasonable actions undertaken . . . as a result of the breach in order to protect the information of its cardholders or to continue to provide services to cardholders.” In other words, businesses (or their service providers) holding Protected Customer Data for more than 48 hours that suffer a customer data security breach must reimburse “issuing” financial institutions for the reasonable costs of protecting cardholder information and continuing service to cardholders. Such costs include, but are not limited to, costs incurred in connection with:
- cancelling existing debit or credit cards and replacing such cards;
- closing any financial accounts affected by the breach, as well as acting to stop payments or block transactions with respect to the accounts;
- opening or reopening any financial accounts affected by the security breach;
- issuing refunds or credits to cardholders to cover the costs of unauthorized transactions related to the breach; and
- notifying cardholders affected by the breach.
Financial institutions are also entitled to recover any damages paid by them to cardholders injured by a customer data security breach. This is essentially a right to indemnification should the financial institution be sued or settle with a cardholder because of a breach.
Since Minnesota’s enactment of the PCSA, Nevada, Washington and Massachusetts have passed similar, though not identical, laws or regulations relating to protection of payment card data. These new laws may signal a trend favorable to financial institutions, which had been largely unsuccessful in attempts to sue retailers under common law theories for payment card data breaches. The PCSA removes that hurdle by granting financial institutions specific statutory rights to reimbursement and indemnity, as well as a private right of enforcement.
To summarize, a financial institution is entitled to recovery under the PCSA if:
1. a person or business (or its service provider) violates the 48-hour rule for storing of Protected Customer Data;
2. the person or business (or its service provider) suffers a security breach exposing customers’ personal information; and
3. the financial institution that issued a payment card affected by the breach incurs costs of reasonable actions to protect or continue servicing cardholders.
There is no requirement that the person, business or service provider have acted intentionally, willfully, negligently, or recklessly in allowing Protected Customer Data to be stored more than 48 hours after authorization of a transaction, or in failing to adequately protect against security breaches. Moreover, issuing financial institutions need not establish that the costs they incur are necessary—only that they arise out of “reasonable” actions.
Given the relatively low threshold financial institutions must satisfy to recover under the PCSA, businesses should work to ensure strict PCSA compliance. For example, businesses should review their policies and procedures for payment card data retention and deletion, and may wish to consult with technology professionals to ensure proper functioning of data systems. Businesses should also make certain that their service providers take measures to comply with the 48-hour retention limit. Businesses may wish to retain an attorney to examine written agreements with service providers for PCSA compliance provisions. If such provisions are absent from existing agreements, businesses should suggest amendments and reopen negotiations if necessary. Businesses should also draft language into new agreements to shift the risk of loss for breaches that are the service provider’s fault. Finally, businesses should review their liability insurance policies to determine whether coverage exists for PCSA-related occurrences and consider adding such coverage if none exists.
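One concrete form the retention review above can take is an automated audit of stored transaction records. The following is an added example, not code from the article or from any particular payment system: it flags records that still hold security codes, PINs or full track data more than 48 hours after authorization (the PCSA rule), with an optional stricter mode that flags any post-authorization retention at all (the PCI DSS reading). The record layout, field names and sample values are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

PCSA_WINDOW = timedelta(hours=48)
# Fields the article groups as "Protected Customer Data" (names are assumed)
PROTECTED_FIELDS = ("security_code", "pin", "track1", "track2")


@dataclass
class StoredTransaction:
    txn_id: str
    authorized_at: datetime
    security_code: Optional[str] = None   # CVV/CVC
    pin: Optional[str] = None
    track1: Optional[str] = None          # full magnetic-stripe track contents
    track2: Optional[str] = None


def retained_protected_fields(rec: StoredTransaction) -> List[str]:
    """Names of protected fields still populated on the record."""
    return [f for f in PROTECTED_FIELDS if getattr(rec, f)]


def audit(records, now: datetime, pci_dss_mode: bool = False) -> List[Tuple[str, List[str], float]]:
    """Return (txn_id, retained fields, age in hours) for each non-compliant record.
    Default: PCSA 48-hour rule. pci_dss_mode=True: any retention after authorization."""
    findings = []
    for rec in records:
        fields = retained_protected_fields(rec)
        if not fields:
            continue                       # nothing protected stored; compliant
        age = now - rec.authorized_at
        if pci_dss_mode or age > PCSA_WINDOW:
            findings.append((rec.txn_id, fields, round(age.total_seconds() / 3600, 1)))
    return findings


def purge_protected_fields(rec: StoredTransaction) -> StoredTransaction:
    """Remediation: clear protected fields while keeping the transaction record itself."""
    for f in PROTECTED_FIELDS:
        setattr(rec, f, None)
    return rec


# Constructed sample records (values are placeholders, not real card data)
NOW = datetime(2011, 6, 15, 12, 0, tzinfo=timezone.utc)
SAMPLE = [
    StoredTransaction("T1", NOW - timedelta(hours=2), security_code="000"),              # inside window
    StoredTransaction("T2", NOW - timedelta(hours=72), track2="CONSTRUCTED-TRACK2-DATA"),  # 72h old
    StoredTransaction("T3", NOW - timedelta(days=10)),                                   # no protected data
    StoredTransaction("T4", NOW - timedelta(hours=49), pin="0000"),                      # just past 48h
]
```

Running `audit(SAMPLE, NOW)` reports T2 and T4; the PCI DSS mode additionally reports T1, illustrating why the article treats PCI DSS compliance as a practical safe harbor from the 48-hour rule.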
Unfortunately, identity theft has remained a common occurrence even as consumer data protection technology has advanced. This is likely one reason for the PCSA, which spurs businesses to ensure stronger security for their customers’ sensitive information. Greater security is likely to breed consumer confidence, which in turn will benefit businesses. Greater consumer security may also lead to increased payment card relationships between consumers and financial institutions.
In short, although the PCSA may be perceived as pitting financial institutions and other businesses against one another, mutual awareness of and compliance with PCSA provisions should provide a more secure, economically beneficial environment for them and consumers alike.
By: Eric Johnson
Published in Business North, June 2011.