California Court Orders Discovery To Determine Whether Visa and MasterCard Fall Under California's Data Breach Notification Statute

Posted by Min Lee

San Francisco Superior Court Judge Richard Kramer has ordered Visa and MasterCard to disclose the nature of their relationship with CardSystems, the payment processor whose computer systems were breached sometime between August 2004 and May of this year, exposing about 40 million credit and debit accounts to potential abuse. The Judge explained that the information would clarify whether the two credit card companies are subject to the individual notification requirements of California's data breach statute, California Civil Code § 1798.82, which obligates "[a]ny person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, [to] disclose any breach of the security of the system following discovery ... to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person." Cal. Civ. Code § 1798.82(a).

Visa and MasterCard, which were sued along with CardSystems and Merrick Bank in June, have taken the position that they are not subject to the notification statute because they do not have direct relationships with the accountholders, whose cards are issued by the banks that belong to the credit card associations, not by the associations themselves. The plaintiff credit card holders argue that Visa and MasterCard are indeed subject to the law, as it applies to entities that "own or license" personal information. Either way, details of the relationship between the credit card companies and CardSystems, particularly with respect to the ownership or licensing of personal information (e.g., licensing contracts), may help clarify this issue.

Judge Kramer's discovery order is the latest development in this case, the first to test California's notification statute. Last Friday, the Judge denied a request for a preliminary injunction that would have required Visa and MasterCard to notify individual credit card holders that their account information may be at risk, as there was not an "immediate threat of irreparable injury" to the companies' customers in California. For a description of that ruling and its effects, please refer to the September 26 posting by K.M. Das entitled "California Court Rules that Personal Notification Not Required in CardSystems Data Breach Case."

In a related development, Visa announced yesterday that it was postponing for three months its plans to sever ties with CardSystems, apparently in order to allow time for a sale of CardSystems to electronic payment vendor CyberSource Corp.

Written By: Jeni on March 18, 2006 5:31 PM

Isn't it strange that they are not sure whether or not Master or Visa card fall under California's data breach?
