Unfairness in Minnesota's Credit Card Security Legislation

Retailer Liability to Banks for Credit Card Data Breach

Minnesota's pioneering PCI legislation, HF 1758 (Plastic Card Security Act) requires payment card merchants to reimburse the costs of financial institutions when they replace compromised cards. A colleague of mine at the SANS Institute, Joshua Wright (wireless security instructor), sent me a question. Here's Joshua's question, and my reply:

[begin quote from Joshua]
[Concerning an essay published by SANS]: in the section "Altering the Ecosystem", you stated:

"H.F. 1758 bluntly states that a merchant may not retain certain card data, such as a card,s security code and the full data from the card's magnetic stripe. It further provides that if a merchant does retain such credit card data, and that leads to a breach of a card's security, then the merchant must reimburse the financial institution that issued the card for the reasonable costs incurred to avoid damage."

My question is surrounding the wording "... and that leads to a breach of a card's security". Is it stated in H.F. 1758 that the storage of the data has to be a contributing factor that leads to the breach of the security of the system? I read this as stating that vulnerabilities in the organization's security are directly caused by the storage of this data, and that furthermore, it implies that the motive of the attacker compromising the resource was to retrieve this stored information.

IANAL, but I think this would give a defense attorney an easy-out for their customer, simply by showing that the attack was opportunistic, or that the attacker could not have known that the protected data was stored in the organization's network.

Consider the case of the Lowe's attack with Timmins and Botbyl. They used a weak wireless configuration to access the Lowe's network, and eventually planted packet sniffers to collect CC information. This could be argued as being an opportunistic attack, and that Lowe's is not responsible for any bank charges since the storage of the credit card information did not directly lead to the breach in security.

I may be bending words here, but I'm hoping you can clarify your perspective. Note that I am not asking for legal advice, just your interpretation of the bill so I can communicate this to my students.
[end quote from Joshua]

[Ben's reply:]
Joshua:

Thanks for your good question. HF 1758 is poorly written, and my summary of it does not precisely reflect the ill-chosen words of the legislation.

Subdivision 2 of HF 1758 basically says a merchant is forbidden from retaining a credit card security code or credit card mag stripe data. Next, subdivision 3 says that if a merchant does retain the forbidden data, then, in essence, the merchant is in the class of what I'll call dis-favored merchants under the legislation. Further, subdivision 3 says that if a merchant in the dis-favored class suffers a breach of security that compromises personal info, then that merchant must reimburse the costs incurred by a bank to protect the information of its cardholders.

Notice that the legislation does not say the breach of security has to compromise the forbidden data (card security code or mag stripe data) in order to trigger the special obligation to reimburse banks. One might reasonably interpret the legislation as requiring the breach to affect the forbidden data, but the legislation does not explicitly so require.

Hence, the direct answer to your question is no, the storage of the forbidden data does not have to be a contributing factor to the breach in order for the bank to achieve extra-ordinary rights of reimbursement.

Here is why I think HF 1758 is poorly written. Suppose Wal-Mart has a single malfunctioning point of sale device in a store in Mexico that mistakenly stores the forbidden data from a single card. The implication is that, due to this single faux pas, Wal-Mart as an entire entity is a dis-favored merchant under HF 1758. Then, suppose Wal-Mart suffers a breach of security in a regional data center servicing the upper Mid-West (including Minnesota). The breach of security affects personal information of credit card holders. The result is that Wal-Mart (a member of the class of dis-favored merchants) must reimburse the costs of banks that cancel cards as a result of the breach -- even though reimbursement is not required under the contracts and standards negotiated among players in the credit card industry. And Wal-Mart's special requirement to reimburse arises because of a single, insignificant blunder in Mexico that has nothing to do with the breach of security in the Mid-West data center. Thus the punishment to Wal-Mart seems to be disconnected from and out of proportion to the mistake (storing forbidden data from a single card in Mexico).

--Benjamin Wright

Update: HF 1758 was an over-reaction to the TJX break-in. See more of my analysis of that over-reaction.

About

Benjamin Wright is an attorney in private practice. He teaches the Law of Data Security and Investigations for the SANS Institute. He is author of The Law of Electronic Commerce (published by Wolters Kluwer) and Business Law and Computer Security (published by SANS). He helps others navigate the law of data compliance, including privacy, e-commerce, e-discovery, cloud contracts, records management and cyber investigations.

He is spotlighted in the book The Devil Inside the Beltway for his uncommonly insightful advice to LabMD in its now famous information security law dispute.

Public Statements Are Not Legal Advice

None of Mr. Wright's public statements, such as remarks on blogs, twitter, youtube web pages, social media and the like, are guaranteed for accuracy or are legal advice for any particular situation. You use the ideas in those statements at your own risk. If you need legal advice, you should consult a lawyer.

Mr. Wright's blogs, updates, tweets, web comments, youtube videos, web courses and the like constitute part of the online update service for the book The Law of Electronic Commerce. Originally released 1991, and revised continually since then, the book is a reference for lawyers, published by Wolters Kluwer.

Mr. Wright does not have and never has had intention to infringe the rights of anyone. If any person has any information, suspicion or belief that Wright has done anything illegal or unethical, he asks that person promptly to telephone him at 1.214.403.6642. Promptness helps mitigate damage.

Any person accessing any of Mr. Wright's blogs, tweets, profiles, comments, web pages or other public activities or statements agrees not to use data from them in a way that is adverse to Wright's interests.

No Advertisement

Mr. Wright's public statements on blogs and the like are not intended to advertise or solicit legal services.

Mr. Wright does not have an attorney-client relationship with any person unless and until he and that person explicitly so agree. Interaction with Mr. Wright through public media does not create an attorney-client relationship. Communication with Mr. Wright via private message does not, in itself, create an attorney-client relationship.

Privacy/Security Vision

Some people provide Mr. Wright private information. Mr. Wright strives to treat such information reasonably according to the circumstances. People should have no more than reasonable expectations about information security. It is unreasonable to expect that the offices, computers, cell phones, brief cases, filing cabinets and online or other services used by Mr. Wright are very secure.

IMPORTANT Confidentiality Notice

Benjamin Wright is licensed as an attorney. Some of Mr. Wright's non-public records stored in the cloud are confidential and subject to protections associated with attorney work and communications. The laws of many countries recognize such protections. Mr. Wright insists that you recognize those protections with respect to his records and communication.

Relationships

The only person responsible for Mr. Wright's words is Mr. Wright.

Mr. Wright has earned money from some organizations he mentions online, such as Messaging Architects/Netmail, SANS Institute and LabMD.

Attribution

Some images, sounds and font output associated with Wright's work and comments are copyrighted by Corel Corporation or its licensors or partners like iStockphoto; they reserve all their rights. Some images are declared on wikimedia to be public domain. Mr. Wright strives to respect IP rights, but sometimes technology behaves in surprising ways. If you are an IP owner and you have a problem with something published by Mr. Wright, please telephone him promptly. Trademarks are property of their respective owners.

Dallas, Texas. Tel: +1.214.403.6642

InfoSec & Forensics Law

Unfairness in Minnesota's Credit Card Security Legislation

Retailer Liability to Banks for Credit Card Data Breach

No comments:

Post a Comment

SANS Quote

How to Get Electronic Evidence

Government Agency & School Records