California Court Rules that Personal Notification Not Required in CardSystems Data Breach Case

Posted by K.M. Das

In one of the first tests of the notice provisions of California’s data breach statute, Senate Bill 1386 (codified at California Civil Code § 1798.82), San Francisco Superior Court Judge Richard Kramer ruled that Visa and MasterCard do not have to send individual notices to thousands of their customers in California based on the CardSystems data breach that occurred between August 2004 and May of this year.

The breach of CardSystems Solutions Inc.’s computer systems exposed close to 40 million credit and debit accounts to potential abuse. While the full extent of the breach has not yet been assessed, it is estimated that during this period the personal information of approximately 264,000 accountholders was stolen. Though the general scope of the incident has been chronicled in the media, individual customers have yet to be notified that their account information may be at risk.

In response to the increasing threat of computer hackers, many states, including California, enacted legislation requiring entities such as credit card associations to cooperate to ensure that consumers are notified in the event their personal or financial information is lost, stolen or breached.

Senate Bill 1386 obligates “[a]ny person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, [to] disclose any breach of the security of the system following discovery . . . to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.” Cal. Civ. Code § 1798.82(a). “The disclosure shall be made in the most expedient time possible and without unreasonable delay . . . .” Id. Senate Bill 1386 also spells out the various ways in which a business can provide notice. Cal. Civ. Code § 1798.82(g). Various other states have modeled their data breach statutes on Senate Bill 1386.

The credit card associations argued that they do not fall within the purview of these laws because they have no direct relationship with the individual accountholder: the cards are issued not by the associations but by member banks that belong to them. In the alternative, the associations contended that even if they were subject to the legislation, its disclosure purpose had already been satisfied by the initial press release generally announcing the breach of CardSystems Solutions Inc.’s computer system.

Although Senate Bill 1386 does not require “an immediate threat of irreparable injury” to customers before a business must provide notice, Judge Kramer ruled that Visa and MasterCard did not have to send individual notice because he did not “see the emergency,” as there was no “immediate threat of irreparable injury” to the two companies’ customers in California. The ruling came despite the fact that the hackers stole customers’ names, account numbers, and security codes from CardSystems, information that is not only specifically covered by Senate Bill 1386, Cal. Civ. Code § 1798.82(e), but would also allow the thieves to manufacture counterfeit credit and debit cards.

The proposed class action lawsuit by California residents was filed on June 27, 2005. The amended complaint accuses CardSystems, Visa, MasterCard, and Merrick Bank of violating California Civil Code §§ 1798.81, 1798.81.5(b), 1798.81.5(c), and 1798.82; Finance Code §§ 4050 et seq. (California Financial Information Privacy Act); and the California Credit Reporting Act, among other laws. The amended complaint seeks a number of declaratory and injunctive remedies, including individual notification of Visa’s and MasterCard’s customers who are California residents.

This decision is particularly interesting because it sheds light on how courts are likely to interpret the notification requirement of data breach laws. The fact that Judge Kramer read an “immediate threat” threshold into the requirement for individual notification (as opposed to the general notification MasterCard made when the breach was first publicized) suggests that courts may not be willing to read Senate Bill 1386’s notification provisions as broadly as consumer groups had hoped. Judge Kramer’s ruling may have been influenced by the amount of press and publicity the CardSystems breach has already received. The breadth of legal theories wrapped into the amended complaint may also have influenced the ruling; Judge Kramer criticized the plaintiffs in his oral ruling, stating, “[w]e have a complex case with complex legal questions that got wrapped into a ball and rolled in here.”