Security breach disclosure law faces court test

Source: The Associated Press

Testing the bounds of consumer protection laws, Visa USA Inc. and MasterCard International Inc. are headed for court to determine whether they are obliged to notify 264,000 customers that a computer hacker stole their account information.

The dispute to be argued Friday in San Francisco County Superior Court revolves around a highly publicized security breakdown at CardSystems Solutions Inc., one of the nation's largest payment processors.

Although a ruling in the class-action consumer lawsuit wouldn't have legal standing outside the state, it would increase the pressure on Visa and MasterCard to notify all affected accountholders in this and any future breaches.

That would compound the headaches that the CardSystems imbroglio already has caused.

The breach, initially disclosed by MasterCard three months ago, exposed up to 40 million credit and debit card accounts to potential abuse between August 2004 and May 2005.

It's the largest of more than 70 consumer information security breaches reported in the past seven months, according to the Privacy Rights Clearinghouse.

Although the scope of the CardSystems break-in has been generally outlined, the credit card associations haven't sent warnings to the most vulnerable customers.

San Francisco-based Visa and Purchase, N.Y.-based MasterCard maintain that responsibility should fall to the myriad banks that administer the accounts because neither credit card association has direct relationships with the affected customers.

Both Visa and MasterCard provide processing and marketing services to thousands of banks nationwide. It's a profitable endeavor. MasterCard's parent company earned $213.5 million on revenue of $1.4 billion during the first half of this year, according to documents filed in preparation for an initial public offering of stock. Visa doesn't disclose its profit.

Internal investigations have determined that the still-unknown thief grabbed enough sensitive details from CardSystems to defraud about 264,000 Visa and MasterCard accountholders nationwide, according to evidence gathered in the lawsuit, which was filed by San Rafael, Calif., attorney Ira Rothken.

No home addresses or Social Security numbers were stolen in the CardSystems breach, minimizing the risk for identity theft. But the hacking obtained customer names, account numbers and security codes that could be used to create bogus credit and debit cards.

The lawsuit seeks a court order requiring Visa and MasterCard to warn each Californian whose information was compromised. The order is being sought under a pioneering state law that requires consumers to be alerted whenever personal information stored on computers is lost, stolen or breached.

Since California imposed the mandate in July 2003, 35 other states have approved or proposed similar laws, according to the U.S. Public Interest Research Group. That means other states could end up addressing similar legal issues raised by this California case.

"We are trying to establish an efficient method that would hold Visa and MasterCard responsible for giving all consumers their due notices, so each customer can decide whether they want to change their card number," Rothken said.

Replacing a credit card costs an issuer about $35.

That would total $9.24 million for 264,000 cards that might have to be replaced if customers learn of the fraud risk, with the cost rising even higher to the industry if it's discovered even more of the 40 million accounts are vulnerable.

Both Visa and MasterCard have blamed CardSystems' lax security for the breach. Infuriated by the breakdown, Visa has since cut its ties with Atlanta-based CardSystems, which says it has tightened controls to comply with industry standards.

In their legal briefs, Visa and MasterCard have argued there's little chance any affected customer will lose a cent because of the associations' long-standing policies to reverse all charges for fraudulent transactions. The "zero liability" policy lessens the need to alert individual customers about the fraud risks, said MasterCard spokeswoman Sharon Gamsin.

In a statement, Visa also said it is comfortable with its anti-fraud measures. But both companies worry that the opposite message might be sent if they are ordered to warn individual customers.

"Such an order would harm the banks' goodwill because some customers would certainly be confused by the notice and believe the issuing banks were somehow to blame for the security breach," Visa's attorneys argued in a court brief.

The companies' fraud-fighting assurances don't soothe Eric Parke, a Marin County resident representing consumer interests in the suit. In a sworn declaration, Parke said he has been fretting about his potential fraud exposure since news of the CardSystems theft broke.

"I do not think it's fair for ... me to have to look through cryptic credit card statements with (an) eye toward forensically determining if fraud was committed ... when Visa and MasterCard can just tell me if my data was compromised," said Parke, who has seven MasterCard and Visa accounts.