Archive for 2009

Mass. SJC Affirms Dismissal of Claims against BJ’s Wholesale Club for Data Breach

Thursday, December 24th, 2009

On December 11, 2009, the Massachusetts SJC affirmed the dismissal of claims against BJ’s and Fifth Third Bank by plaintiff credit unions and an insurance company arising out of a data breach that exposed magnetic strip data of credit and debit cards of 9.2 million BJ’s customers.

In Cumis Insurance Society, Inc., et al. v. BJ’s Wholesale Club, Inc., et al., 107 credit unions and Cumis Insurance Society brought suit against BJ’s and Fifth Third alleging that thieves were able to obtain the card information from BJ’s computer systems because BJ’s and its acquiring bank, Fifth Third, breached their contractual obligations, both to each other and to Visa and MasterCard, by storing the magnetic strip data from the back of the cards after a card transaction had been authorized or declined. The plaintiff credit unions sought damages incurred for the cost of replacing the compromised cards. Cumis sought to recover the funds paid to the credit unions to reimburse them for the fraudulent use of the cards.

The credit unions asserted claims for breach of contract on the theory that they were intended third-party beneficiaries of BJ’s contract with Fifth Third Bank and of the Visa and MasterCard regulations that were incorporated into the contract, which specifically included a prohibition on retaining magnetic strip data after a cardholder’s transaction is completed. The SJC affirmed the dismissal of the breach of contract claims, finding that plaintiffs failed to establish that there was any intention by BJ’s or Fifth Third that the credit unions were supposed to be the beneficiaries of their contract. In addition, the credit unions could not recover under the Visa and MasterCard regulations (specifically, those prohibiting the storage of magnetic strip data) because Visa and MasterCard retained the enforcement of their regulations for themselves.

The SJC also affirmed the dismissal of plaintiffs’ negligence claims on the grounds of the economic loss doctrine, which prohibits recovery under a negligence theory when the only harm sustained is economic in nature.

Finally, the SJC affirmed the dismissal of plaintiffs’ fraud and negligent misrepresentation claims. Plaintiffs’ theory was that they relied on BJ’s required compliance with the Visa and MasterCard regulations to not store the magnetic strip data. The SJC found that plaintiffs could not show BJ’s ever made any direct representations to the plaintiffs regarding its compliance with the Visa and MasterCard regulations that would support these claims.

The discussion of the fraud and negligent misrepresentation claims in this case is the most interesting aspect of the decision. The SJC found that even if plaintiffs could establish that defendants made representations about their compliance with the Visa/MasterCard regulations to the plaintiffs, the plaintiffs could not have reasonably relied on those representations because the Visa/MasterCard regs explicitly include a fine for failing to comply. Quite simply, the system was designed with the expectation that such data breaches would occur. In addition, the SJC noted that the plaintiffs had even insured themselves against such fraudulent losses, showing that plaintiffs expected such a data breach to occur. Finally, the SJC noted that the plaintiffs had ongoing knowledge of noncompliance with the magnetic strip regulation because they received notifications from Visa and MasterCard regarding compromised accounts due to improper retention of magnetic strip data.

Ultimately, there was no theory under which the credit unions could recoup their losses stemming from the data breach.

Amex Gets $3.6 Million from Heartland for 2008 Data Breach

Saturday, December 19th, 2009

On December 17, 2009, Heartland Payment Systems announced that it would pay American Express $3.6 million to resolve charges stemming from a 2008 breach of Heartland’s payment system network, the AP reported.

Heartland’s data breach was the result of hackers who installed spying software on Heartland’s computer network. These hackers also attacked 7-Eleven and Hannaford Brothers Supermarkets. The Department of Justice alleges that these hackers managed to steal more than 130 million credit card numbers from Heartland and about 4.2 million from Hannaford.

Heartland has still not reached resolution of its disputes with other card brands, such as Visa and MasterCard, arising out of this data breach, but clearly, such additional settlements will cost Heartland additional millions.

Proposed National Data Security Law Passed by the House

Friday, December 18th, 2009

On December 8, 2009, the U.S. House of Representatives passed by voice vote H.R. 2221, the Data Accountability and Trust Act. This bill is similar in nature to multiple state breach notification laws that have already been passed. It includes the following:

H.R. 2221 defines personal information as, “an individual’s first name or initial and last name, or address, or phone number, in combination with any 1 or more of the following data elements for that individual:
(i) Social Security number
(ii) Driver’s license number or other State identification number
(iii) Financial account number, or credit or debit card number, and any required security code, access code, or password that is necessary to permit access to an individual’s financial account.”

Some more details of this bill include:

  • The Federal Trade Commission would be the responsible enforcement agency.
  • The FTC would ultimately define the proper technical procedures for protecting data.
  • Organizations that have data need to establish a data security policy.
  • Organizations must identify an information security officer.
  • Organizations must have a process for identifying vulnerabilities, and monitoring for breaches.
  • Organizations need a process for securely destroying data that is no longer required.
  • Breaches need to be reported to the consumers affected, and the FTC, unless:
    • “there is no reasonable risk of identity theft, fraud, or other unlawful conduct,” a standard that will be defined by the FTC should the bill pass.
    • The organization experiencing the breach does not fall under the jurisdiction of the FTC.

The FTC does not have the power to enforce regulations on government, banks, savings and loan institutions, the insurance industry, and non-profits, which include colleges and universities.

The bill has some more stringent requirements for “data brokers”, including audits in the event of a breach. It also requires two years of quarterly credit reports provided to victims at no charge. Third parties are required to notify customers in the event of a breach, and the actual owner of the data is then required to notify consumers. There is an exemption for encrypted data. In addition, the FTC will define other exemptions if the bill becomes law. The FTC will also be tasked with posting data breaches on its website on a case-by-case basis if the FTC deems it is in the public interest.

Expected Revision To Data Protection Regs Addresses Some Business Concerns

Thursday, August 27th, 2009

The Massachusetts Office of Consumer Affairs and Business Regulations (OCABR) has revised – for a third time – the regulatory scheme created to protect the personal information of Massachusetts residents. The deadline for compliance is now March 1, 2010.

The OCABR originally promulgated the regulations last Fall, mandating that those holding personal information about Massachusetts residents devise and implement specific, detailed policies to protect the security and integrity of that information. Virtually all Massachusetts businesses are covered, and the regulations also apply to entities outside the Commonwealth that hold Massachusetts residents’ Social Security numbers, credit card numbers, driver’s license numbers or financial account numbers.

The regulations have been controversial, particularly among members of the Massachusetts business community, who widely complained that they were inflexible, overly broad and expensive to implement.

The new version of the regulations appears aimed at addressing some of those concerns, while still adhering to the fundamental goal of requiring business practices that minimize the risk of future data breaches.

Among the more significant changes that were just announced: (1) the regulations now apply only to entities that own or lease “personal information,” and no longer extend to those who simply “store or maintain” it; (2) the regulations now adopt a more risk-based approach, addressing criticism that the former draft amounted to a one-size-fits-all mandate; and (3) the new regulations rework the language concerning third-party service providers, requiring contract language essentially obligating service providers to comply with the regulations, but grandfathering pre-existing contracts without such language during the first two years the regulations are in effect.