Posted by Randy Gainer
As of May 25, 2007, one state has adopted and five are considering important new data breach laws. The laws will require businesses that fail to implement adequate security to pay some of the costs that others incur if the first business’s failure to implement security measures contributes to the theft of consumers’ personal information. Although the state laws are not uniform, they each address the failure of current federal and state data security statutes to permit businesses to recover such costs. The laws also respond to court decisions that refused to shift costs to businesses whose security contributed to data thefts.
Minnesota’s governor signed the first such law to be adopted in the U.S., Minn. Stat. 365E.64. Effective August 1, 2007, § 2 of the law prohibits persons and entities conducting business in Minnesota from retaining data from the magnetic strips on payment cards, as well as security codes and PINs from such cards, for more than 48 hours after a card transaction is approved. Effective August 1, 2008, §§ 3 and 4 of the statute authorize financial institutions to recover reasonable costs they incur to respond to the theft of cardholder data, including but not limited to costs incurred: to cancel and reissue cards, to close and reopen accounts, to refund or credit accounts to cardholders for unauthorized charges, and to notify cardholders of the data theft. Although the prohibition against retaining the three types of data is among the requirements of the Payment Card Industry Data Security Standards (“PCI DSS”), the PCI DSS require many additional safeguards not addressed by the Minnesota law. The PCI DSS are enforced by payment card associations, which can and have fined members tens of thousands of dollars per month if they fail to implement the standards. See, e.g., Larry Greenemeier, “Payment Card Data Security Costs, But Not As Much As A Data Breach,” Techweb, May 22, 2007.
On May 11, 2007, the Texas House of Representatives unanimously passed HB 3222, which would mandate that businesses that accept payment cards comply with all PCI DSS requirements, effective January 1, 2009. The Texas bill would also permit financial institutions to recover the same costs described in the Minnesota statute, plus attorneys’ fees, unless a business that suffers a data breach provides certification from a PCI-approved auditor, within 30 days after receiving notice from an affected financial institution, that the business has corrected its failure to comply with the PCI DSS.
Three other pending state bills are similar to the recently enacted Minnesota law. Illinois SB 1675 would permit financial institutions to recover the same list of damages specified in the Minnesota statute if such damages are incurred due to unauthorized payment card charges that occur following “the breach of the security of system data” by a data collector. Connecticut Substitute AB 1089, effective October 1, 2007, would permit banks to recover the same damages, plus costs for “any assistance provided to customers to help mitigate loss or inconvenience or to prevent loss or further inconvenience.” Such additional costs would presumably include costs for credit monitoring, which is often provided to potentially affected victims of data breaches. Massachusetts H. 213, a data breach notice bill, would also permit banks to recover the same list of damages as the Minnesota statute, but the Massachusetts House and Senate have passed other data breach notice bills that do not include the cost-shifting measure.
California, which adopted the first data breach notice law in the U.S., is considering AB 779, which would amend the part of California’s data breach statute that applies to private businesses, Cal. Civ. Code § 1798.82. AB 779 would permit any “owner or licensee of personal information” to recover the costs of providing notice to consumers of a breach of security that requires notice to be given under § 1798.82. Although the type of damages that such a person or entity could recover is narrower than that provided by the Minnesota statute (notice costs only), a broader group of entities (not just banks but also individuals and businesses whose data were stolen from another business) would be entitled to recover the damages.
The Minnesota statute reverses, at least regarding potential claims by Minnesota banks, the effect of judicial decisions that followed the BJ’s Warehouse data theft in 2005; the other proposed cost-shifting bills would reverse the effect of those decisions for the entities in the states addressed by those bills. As discussed in an earlier posting on this blog, a federal district court in Pennsylvania initially dismissed most but not all claims against BJ’s acquiring bank by a credit union and by another card-issuing bank that had to replace payment cards following the theft of card data from BJ’s. The court later, however, dismissed the remaining claims on summary judgment. See Pennsylvania State Employees Credit Union v. Fifth Third Bank, 2006 WL 1724574 (M.D. Pa., June 16, 2006), and Sovereign Bank v. BJ's Wholesale Club, Inc., 2006 WL 1722398 (M.D. Pa., June 16, 2006). Those cases, if followed by other courts, would generally prevent banks from recovering costs they incur due, in part, to a hacked business’s failure to use reasonable security measures.
The legislative victory won by financial institutions in Minnesota and, if they are adopted, the bills pending in Texas, Illinois, Connecticut, and Massachusetts, and the cost-shifting measure available to a broader group of persons and businesses in California, may all be short-lived. Data security bills pending in the federal Congress may preempt these laws. See, e.g., S. 495, § 319, “Effect on Federal and State Law” (“The provisions of this subtitle shall supersede any other provision of Federal law or any provision of law of any State relating to notification of a security breach . . . .”); and S. 239, § 10 (similar).