Financial and legal fallout from breaches of consumer account information continues around the country.
Atlanta-based ChoicePoint Inc., which provides identification and credential-verification services for business and government, announced in September it was sending 9,903 consumers notices that their data may have been compromised.
Nearly half of the notices are related to the continuing investigation of a major fraud incident in California disclosed in February. The rest were discovered from the company's review of its processes after the fraud was found. The earlier breach was estimated to have compromised personal information on 145,000 consumers.
Also in September, a Miami-Dade County, Fla., police officer was suspended for stealing a glance at thousands of ChoicePoint consumer records. The officer gained unauthorized access to Social Security numbers, names, addresses and dates of some 4,689 consumers, according to a ChoicePoint statement.
ChoicePoint did not say whether fraud resulted from the incident and would not provide further details. The Miami-Dade County police department also would not comment.
The courts still were deciding this fall who was responsible for notifying individual victims of the CardSystems Solutions Inc. data-security breach disclosed in June.
A California judge in San Francisco ruled in September in Parke vs. CardSystems Solutions that Visa USA and MasterCard International did not yet have to send individual warnings to any of the 264,000 cardholders whose account information was stolen from CardSystems. Superior Court Judge Richard Kramer denied a request for a preliminary injunction that would have forced Visa and MasterCard to immediately notify individual cardholders that their account numbers had been compromised. Kramer said the notification question could wait until the suit by cardholders against CardSystems, Visa and MasterCard is tried. No trial date had been set.
The judge also ruled against a plea by CardSystems to dismiss consumer claims in the suit, which represents a test of who is responsible for notifying consumers of compromised financial information under the California Security Breach Information law.
Passed in July 2003, the law requires entities that maintain personal information about individuals to inform those individuals if the security of their information has been compromised. It stipulates that if there is a security breach of a database containing personal data, the responsible organization must notify each individual for whom it maintained information.
Ira Rothken, a San Rafael, Calif.-based attorney who represents the plaintiffs, argues that, under the law, Visa and MasterCard should notify in writing at least the individual Californians whose account information was breached. Visa and MasterCard both say that they do not have direct relationships with individual cardholders, and thus are not responsible for contacting them.
That would leave individual notification up to issuers. Many banks already have reissued cards to affected accountholders.
The card associations also argue that their policies of zero liability for fraudulent transactions protect cardholders even without individual notification.
A MasterCard spokesperson said that its announcement of the breach to the media in June fulfilled its notification responsibility. "We were good corporate citizens for doing that," the spokesperson says. "We also notified all our members as to which accounts that need to be monitored."
Kramer ruled out awarding merchants damages related to chargebacks and penalties that may result from fraudulent use of account numbers compromised in the CardSystems breach. But he also gave the plaintiffs leave to plead the merchant damages claim more specifically, according to Rothken.
Meanwhile, CardSystems Solutions got a reprieve of sorts when CyberSource Corp. announced in September its intention to buy the company's assets. Visa and American Express had said they would cut ties with the processor on Oct. 31. In light of the acquisition plan, Visa said it would delay its pullout for another three months. AmEx was still evaluating its plans.
The deal fell through in October after CyberSource and CardSystems were unable to agree on terms. But Pay By Touch Solutions announced the same day that it hoped to buy CardSystems, which would give the San Francisco-based biometric payment company access to CardSystems' 120,000 merchants.
In Washington, Congress this fall is considering a number of bills related to security of financial data.
One bill expected to be introduced in October would force banks to tell accountholders whether a data breach was more likely to cause identity theft or transaction fraud. Businesses that are responsible for compromised consumer data also would have to give affected customers instructions on how to protect themselves from fraudulent use of their compromised financial information.
Lobbyists say the dual notification would help consumers distinguish whether breaches are likely to lead to identity theft. Critics say it would complicate breach investigations and notifications, and that more frequent notices may make consumers take dangerous breaches less seriously.
The dual-notification provision is part of a data-security bill that would consolidate various measures introduced by lawmakers since July.
(c) 2005 Cards&Payments and SourceMedia, Inc. All Rights Reserved.