New Law on Paying the Price for Identity Theft

Our local newspaper, the St. Paul Pioneer Press, quoted me briefly at the end of a story about a freshly passed Minnesota law concerning credit cards and identity theft. When a security breach involving credit card data is the fault of a retailer rather than the issuer of the card, the “Plastic Card Security Act” shifts liability to the retailer to pay for associated costs like notifying affected consumers and reissuing cards. (The state already has a data breach notification law, similar to those now spreading through state legislatures like wildfire.) The statute also imposes data security requirements on retailers in their handling of payment information such as credit card numbers and PINs. The governor signed the new law Monday. Five other states have similar bills pending, and Congressman Barney Frank recently said that he would introduce a federal version.

The direct benefit to the consumer here is pretty modest. The law’s data security requirements pretty much replicate those that are already embodied in the contracts retailers have with the major credit and debit card issuers. But these contractual rules are not always followed, as apparently demonstrated by the jaw-dropping theft of some 45.7 million such records from retailer TJX, the parent company of Marshall’s and TJ Maxx. So there is some virtue to having the security requirements enshrined in law and enforceable by the state attorney general. I seldom buy the argument (made by retailers opposing the new Minnesota requirements) that a law is not necessary because industry already follows it. After all, if the rule is already followed then there should be no additional compliance burden, right?

Beyond this marginally beneficial redundancy in security rules, why does this law matter? Well, it seems fair to impose the cost on the party at fault. Small credit unions were especially vigorous advocates of the new law, because they get left holding the bag when retailers screw up.

More fundamentally, though, I see this as an interesting and encouraging sign of the (slow) evolution of consumer privacy law. There was a time not long ago when no one bore the costs for identity theft except for victimized individuals (and conceivably, if you caught them, the hackers could go to jail). Before data breach notification, even a snafu as big as the one at TJX could have gone unreported. It’s comforting to see two major industries slugging it out over responsibility for privacy protection. The underlying assumption must be that someone is going to pay, and the cost is serious enough to try to pass on to somebody else. I’ll take that as progress.

4 Responses to “New Law on Paying the Price for Identity Theft”

  1. Interesting. The other problem with arguments that the law isn’t needed is that there’s nothing in the common law to protect banks that have to spend lots of money reissuing cards. The only precedent I know of is this case, where a credit union spent $100,000 to cancel and reissue credit cards, then sued the bank that handled transactions for the merchant who lost the data. That case was dismissed partly because the credit union had no contractual standing to sue the bank or the merchant. Negligence claims for data breaches haven’t done well either.

    So, if you have to reissue credit cards because someone else is sloppy with their customer data, you’re supposed to eat that loss? Everything in the common law seems to say “yes” so far. So this law is a good thing.

    It’s also interesting because it seems directly pulled from Visa and Mastercard’s Payment Card Industry Data Security Standard (PCI DSS). Storing full-stripe, PIN, or CVV data is a big PCI DSS no-no. The law turns an existing private contractual obligation into a statutory one. Excellent.
