Do Banks and Other Businesses Have a Duty to Notify Customers of Computer Security Breaches?
A Recent California Suit, and a Possible Federal Law

By ANITA RAMASASTRY
Wednesday, Jul. 13, 2005

If someone hacked into a computer database and stole your credit card number, would you want to be immediately notified? Or would you be happy to be informed only if, and when, thieves used your number to make unauthorized purchases?

These questions are especially timely right now. This May, over 40 million credit card numbers were stolen -- along with accompanying bank names, transaction information, magnetic-stripe data, and other information. The cards bore brands from MasterCard, Visa, American Express, and Discover, among others.

Social Security numbers and birth dates were not stolen, so identity theft here is unlikely. What is likely, however, is that the stolen information will be used for unauthorized purchases, for there are large networks that operate over the Internet where stolen credit card numbers are bought and sold routinely.

The breach was apparently caused by an intruder's infiltrating the network of Tucson-based CardSystems Solutions. CardSystems is one of a number of companies that, as third parties, process credit card transactions for banks and merchants. This may be the largest data security breach in history - and it has followed on the heels of other, less massive but similar breaches elsewhere.

MasterCard and Visa both say that they have notified their member banks of the specific accounts involved so the banks can take action to protect their cardholders.

But some credit-card-issuing banks -- such as JP Morgan Chase, Citigroup, MBNA, and possibly others -- report that they will not alert customers unless and until the cards are actually used by thieves. (At that point, the banks would close the account and issue a replacement card.) Accordingly, these banks are advising all customers to keep a close eye on both their paper and online statements.

Now, a California state court class-action lawsuit against some of these banks is challenging their decision not to notify their customers at the time of breach, as opposed to the time of theft. In this column, I will argue that, just as the plaintiffs contend, banks (as well as other businesses) should have a duty to notify all those affected as soon as they learn of a security breach involving customers' data. This duty would allow consumers to decide whether to close their accounts, or request a new card with a new number.

California's Law: Businesses Have a Duty to Tell Consumers About Security Breaches

In California, such a legal duty already exists: California's 2003 Security Breach Information Act imposes just such a duty. It also specifies that notice must be written, electronic, or via email.

The California law is one basis for the class-action suit noted above, which has been brought by both consumers and merchants. In addition to citing the Act, the San Francisco suit also cites California's privacy law protections; California's Unfair Competition Law, which targets unfair, unlawful and deceptive business practices; and common law negligence.

The amended complaint alleges that CardSystems -- a co-defendant, with the banks -- negligently failed to keep consumers' credit card data safe. In particular, it claims CardSystems broke Visa and MasterCard's "Data Security Standards," which forbid storing certain types of consumer cardholder information -- and that the credit card companies were aware of this, and aware also that CardSystems had failed security audits.

The amended complaint asks for unspecified money damages, and also asks that CardSystems, the banks, Visa and MasterCard inform consumers whose personal information was exposed -- giving special notice to those whose data has been confirmed to have been stolen.

Plaintiffs also want cardholders to get access to a credit-monitoring service that would watch card accounts for evidence of fraud, and ask that banks be compelled to waive any charge-back fees or penalties to merchants in the case of fraudulent transactions made with the card numbers compromised in the security breach.

Should There Be a Duty to Disclose Security Breaches in A Timely Fashion?

California's law is a wise one, and other states - and, indeed, the federal government - should follow suit.

At present, only a handful of other states -- including Alaska, Arkansas and Washington -- require companies to alert the public. No nationwide law requires businesses to disclose breaches. The Texas Breach of Computer Security Statute is set to go into effect in September.

With such statutes, damages to consumers and, especially, merchants can be avoided.

Granted, based on laws and credit card company policies, when a credit card is used for unauthorized transactions, the cardholder's liability is for $50 at most. (For debit cards, however, liability can range up to $500 or more.) But high credit balances (which might be created when a thief runs up lots of charges with a stolen credit card number) have another effect, too: They can affect the consumer's ability to get a mortgage, consumer loan or other credit.

Customers should not have to worry about such consequences. Instead, they should be able to get peace of mind by getting a new card and card number.

They should also be able to avoid the inconvenience and hassle of dealing with fraudulent charges by getting a new card, which prevents those charges from occurring in the first place. If their credit balance has been incorrectly altered and their credit rating affected, correcting that misinformation will only be an additional hassle.

Moreover, merchants, in many cases, do have to cover the loss from fraud, according to their agreements with the major credit card networks. And in the CardSystems case, this is a potentially heavy burden, given the large number of accounts exposed. It is also a burden that will likely fall disproportionately on Internet merchants, as an Internet transaction does not involve a signature verification or photo ID check. Nor does it carry with it the in-person risk of apprehension that might deter the crime.

Fraud, for this reason, can be very costly. Now, it's true that issuing new cards is costly too: According to news reports, re-issuing a credit card costs around $30; thus, replacing 40 million cards could cost over $1.2 billion.

But it makes sense for the credit card processor, and possibly also the issuing companies, to foot the bill: After all, the breach happened on their watch. In contrast, consumers are utterly free from fault here, as are online merchants, who have no way to check photo ID or a signature. And brick-and-mortar merchants, whose ID and signature checks are imperfect, are less at fault than the companies that could have prevented the fraud before it happened by canceling cards.

The Need For A Federal Security Breach Notification Law

Especially since state law protection in this area is so spotty, a federal law makes sense. And fortunately, in the wake of the serious recent breaches, there are several pending bills that would mandate that credit card issuers and other businesses notify all affected customers when a security breach leads to data theft.

It's possible the states' common law of negligence, or contract law, would allow suits to be brought for late or nonexistent notification. After all, there is contractual "privity" here: a relationship, by agreement, among the relevant parties. In addition, banks hold themselves out as providing secure and safe systems upon which their customers may rely. And finally, when a breach occurs, it would seem natural to warn those who have been put in peril -- and, conversely, negligent not to do so.

But rather than waiting for all fifty states' courts to sort this issue out, it is better for Congress to simply make this simple duty quickly applicable nationwide.

Remember, as bad as the CardSystems case is, it isn't even the worst-case scenario: Social Security numbers and birth dates were not stolen.

Congress should act quickly and decisively to make sure that, as soon as issuers or processors know card numbers have been stolen, they are under a legal duty to tell consumers and merchants -- online and brick-and-mortar -- the bad news, and to send out replacement cards.


Anita Ramasastry is an Associate Professor of Law at the University of Washington School of Law in Seattle and a Director of the Shidler Center for Law, Commerce & Technology.