An interesting new angle emerged in the arena of data breach fallout last week, as the issue of just who should be forced to repay banks and other card issuers when incidents force them to distribute new cards to their customers took an interesting legal turn.
Banks, credit unions and card companies themselves typically bear the brunt of expenses in the aftermath of breaches these days, quickly cancelling accounts and re-issuing cards to affected consumers when it appears that those customers' data has been stolen from some other business -- and absorbing overhead costs.
But last week, the U.S. Third Circuit Court in Philadelphia ruled in the favor of the Pennsylvania State Employees Credit Union in an appeal that the credit union had submitted against wholesale chain BJ's and Fifth Third Bank, which provided card processing services to BJ's at the time of its massive customer data breach in 2004.
Under the ruling, PSECU, which was forced to issue new cards to over 235,000 of its members at the time of the BJ's incident, which involved a total of 8 million exposed customer records, will be allowed to continue its suit seeking damages against both BJ's and Fifth Third Bank. The credit union's claim was previously denied in the district court almost two years ago.
According to PSECU's claim, Fifth Third is responsible for paying part of the remittance based on its inability to properly train BJ's on how to sufficiently protect its sensitive card data, or to ensure that the retailer was doing so.
The big takeaway here is that card issuers are, at least in this case, being told by the courts that they are within the rights to pursue the business partners of companies that can't keep a lid on their sensitive financial data.
This is pretty ground-breaking, as not even the PCI Data Security Standard, created and backed by the largest credit card companies in the world to force card handlers to protect their account records, would appear to spell out such a stringent chain of culpability in terms of making business partners like Fifth Third responsible for the shortcomings of their own customers.
PCI DSS -- compliance with which is required of every company that handles credit card transactions, at least in the U.S. -- does include requirements for companies to ensure that their partners are doing their best to lock down account data. However, even the Pennsylvania case would seem like a strong interpretation of those DSS requirements, were it that the court were basing its ruling on the standard.
In. Oct. 2007, Calif. Gov. Arnold Schwarzenegger shot down a bill that would have placed liability on merchants to repay card issuers for expenses accrued a result of any data breaches they experience.
Citing the fact that merchants are already beholden to PCI DSS, and that the bill, (CA AB 779) could have proven too hard on smaller businesses that experience incidents, the Governator bowed to the outcry of California's business community over the stricter legal requirements. However, based on this week's ruling in Pennsylvania, it would appear that this discussion of who foots the bill for breach fallout is far from said and done.
For the record, PSECU claims in its suit that the BJ's incident cost it over $100,000 in overhead expenses to cancel accounts and re-issue Visa cards to its 235,000-plus affected members.
At one time, the PSECU case had also sought to bring charges against IBM, whom the credit union blamed for failing to disable a point-of-sale system feature at BJ's which retained the card magnetic strip data that was eventually stolen from the retailer. BJ's maintains that it had indeed requested that IBM turn off the system, which is one type of technology banned under PCI. However, IBM was dismissed from the case in 2005.
Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to SecurityWatchBlog@gmail.com.