In the wake of the high-profile security breach that
occurred at TJX Companies, Inc., affecting more than 46 million
credit and debit card holders in several countries including
the US and Canada, financial institutions have been lobbying
for legislation to shift the financial risk associated with
such breaches to retailers.
The Minnesota Law
As a result of these efforts, in May 2007, Minnesota became
the first state to pass legislation making retailers and other
merchants liable to banks for costs associated with data
breaches. Under the new Minnesota law, as of August 1, 2007,
any "person or entity conducting business in
Minnesota" that accepts credit or debit card payments as
part of such activities is prohibited from retaining credit or
debit card security data of Minnesota residents after the
authorization of the transaction.
The Minnesota act defines credit or debit card security data
as the "card security code data, the PIN verification code
number, or the full contents of any track of magnetic stripe
As of August 1, 2008, a financial institution may sue a
company, if it has retained such prohibited information after
an authorization and a security breach occurs (regardless of
where the breach occurs), to recover "the cost of
reasonable actions undertaken" in response.
A security breach is defined as the unauthorized acquisition
of computerized data that compromises the security,
confidentiality or integrity of personal information maintained
by the person or business.
The legislation provides that recoverable costs include:
- costs related to providing cardholders with notification of the breach;
- costs incurred in cancelling and reissuing cards;
- costs associated with the closing or reopening of accounts and with any steps taken to stop payments or block payments on accounts;
- refunds paid to cardholders in respect of unauthorized transactions charged to their accounts; and
- damages paid by the financial institution to cardholders as a result of the security breach.
McCarthy Tétrault Notes:
The Minnesota legislation establishes a strict liability
standard on retailers. As a result, this legislation will
effectively supersede the allocation of risk arising out of
security breaches that is frequently negotiated between payment
processors and their merchants as part of the
payment-processing agreement, and that is also established
between the payment processors and credit card associations
such as Visa and MasterCard.
For example, agreements between the payment processor and
the merchant may require the merchant to comply with the
Payment Card Industry Data Security Standards (the PCI DSS),
and assign liability to the merchant for a security breach if
the merchant has failed to do so. Under the Minnesota
legislation, however, the merchant is exposed to liability even
if it has complied with the PCI DSS.
Businesses far beyond Minnesota could be affected by the
legislation, as the business does not have to be located in
Minnesota and the breach does not have to have occurred there.
As long as a person or entity conducts business in Minnesota,
retaining credit or debit card security data after
authorization of the transaction will expose it to potential
liability. Consequently, a person or entity selling to
Minnesota customers is potentially liable under the Minnesota
The Minnesota act also holds businesses responsible for
violations by their service providers. This highlights the
importance of clearly addressing legal compliance issues in
merchants' agreements with their service providers and
allocating this risk appropriately. As the legal landscape
becomes more complicated, legal compliance obligations will
become a more significant issue in these agreements.
Is This Only the Beginning?
Legislation similar to the Minnesota law was also introduced
in at least five other states: California, Connecticut,
Illinois, Massachusetts and Texas. Interestingly, in
California, Governor Schwarzenegger vetoed the legislation,
expressing concern that it "creates the potential for
California law to be in conflict with private sector data
security standards" such as the PCI DSS and would
"drive up the costs of compliance, particularly for small
In Canada, the mandated five-year review of the Personal
Information Protection and Electronic Documents Act has
commenced. While introducing a data-breach-notification
requirement is under consideration, specific data security
retention prohibitions of the sort included in the Minnesota
legislation seem unlikely. The strict liability provisions to
which merchants are subject in Minnesota are even less likely
to take root here.
Nevertheless, increased concern over data security issues in
both Canada and the US, and the legislative trends south of the
border, bear close scrutiny.
The content of this article is intended to provide a
general guide to the subject matter. Specialist advice should
be sought about your specific circumstances.