
Monday, July 11, 2005

Why US Cyber Laws are better

I wrote that the development of information security depends on litigation, and litigation between private parties, specifically. The BJ's Wholesale litigation is especially interesting because it involves credit card security, the plaintiffs are large companies (specifically, banks), and it raises some novel legal issues.

Credit Cards
Litigation over credit card security is interesting because credit cards are ubiquitous in legitimate commerce and a frequent target of computer crime. Credit cards are a commodity for computer criminals, who have even automated the trade of credit card numbers. As computer intrusions continue to target credit cards, credit card security standards will play a larger role in information security litigation.

Payments over the Visa and MasterCard networks involve at least five parties. When a cardholder presents a credit card to a merchant for payment, the merchant swipes the card and transmits the information encoded on the magnetic strip on the back of the card to an acquiring bank (or, sometimes, a third party processor). This information can include the card number, expiration date, cardholder name, and the card verification value. The acquiring bank transmits the information through Visa's network to the issuing bank (which gave the credit card to the consumer). The issuing bank confirms the account, verifies that the transaction is within credit limits, reviews the transaction for signs of fraud, and approves (or disapproves) the transaction. Actual payment is made when the acquiring bank and the issuing bank settle their accounts by wire transfer. (Discover and American Express simplify this arrangement: they operate the network and act as both issuing bank and acquiring bank.)

All this is supported by a contractual framework. Visa (which is an association of member banks) operates the authorization network. Member banks (be they acquiring or issuing banks) have a contractual relationship with Visa through its operating regulations (which govern many aspects of credit card transactions). Member banks do not, however, have a direct relationship with each other. The acquiring bank has a contractual relationship with the merchant through a merchant agreement. The operating regulations require that acquiring banks include certain requirements in their merchant agreements and monitor their merchants' compliance. This way, Visa has some control over merchant behavior, even though most merchants do not have a direct relationship with Visa. Finally, issuing banks use low-interest teasers, cash rebates, low minimum payments, and universal default clauses in their cardholder agreements to attract and profit from cardholders. (Debit card transactions tap directly into cardholders' accounts.)

Visa and MasterCard have generated a number of procedures in their operating agreements to limit fraud. One of the central innovations is the card verification value (CVV), which is printed on the back of a credit card rather than embossed onto the card. [Update: Scott Loftesness over at Payment News informs me that CVV refers to a separate three digit value encoded on the magnetic strip, while the number printed on the signature panel on the back of a credit card is CVV2.] (This might seem like a nominal measure, although it frustrates bulk manufacturing of fake cards.) Visa and MasterCard direct merchants to collect CVV2s in transactions where the card is not present (e.g., Internet and phone sales). Visa and MasterCard have also pushed minimum standards for merchant information security, to protect against computer criminals collecting credit card numbers from insecure merchants. Visa and MasterCard apparently started this initiative after a well-publicized incident in which a computer criminal obtained 350,000 credit card numbers from CD Universe and attempted to extort $100,000 from the firm. These rules have evolved over time; the most recent standard is the Payment Card Industry Data Security Standard.

The Security Breach at BJ's
Litigation has exposed some facts about BJ's credit card equipment. BJ's contracted with IBM to replace the credit card processing system at its cash registers in 1999. (BJ's now alleges that the contract required IBM to ensure that its replacement system was compliant with Visa operating regulations, and BJ's alleges it specifically told IBM to prevent its system from storing magnetic strip data. IBM disputes these claims.) It was later determined that IBM's system did in fact store certain magnetic strip data in its system logs from July 1, 2003 to February 29, 2004. Fifth Third Bank was BJ's acquiring bank and managed BJ's interface with the Visa system. BJ's learned of "an alleged compromise" in February 2004, and had a computer consultant review its systems. The consultant found "no breach of BJ's centralized computer system or via the Internet and no direct evidence of a compromise at the club level," but did discover the credit card information in IBM's system's logs. Visa's Cardholder Information Security Program and Visa's operating regulations prohibited merchants from retaining information from the magnetic strips on the back of the cards.
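The retention the consultant found (full magnetic strip data sitting in a point-of-sale system's logs) is the kind of thing a merchant can check for itself, long before an acquiring bank or card association comes calling. The scanner below is an added example written for this post; it is not code from the post, from BJ's, or from IBM's system, and the log lines it scans are constructed. It looks for the Track 1 and Track 2 layouts that a POS terminal reads from the strip (the `%B...^...^...?` and `;...=...?` framing), and for bare card numbers, using a Luhn check to avoid flagging every long run of digits (transaction ids, timestamps). Each hit is reported with a masked number and the line is returned with the strip data redacted, so the report itself does not become another copy of the prohibited data.

```python
"""Scan POS/application logs for retained magnetic strip data.

Added example for discussion of the BJ's breach; sample log lines are
constructed, not taken from any real system. Track layouts follow the
ISO/IEC 7813 framing used on payment card strips.
"""
import re

# Track 1: %B<PAN>^<NAME>^<YYMM><service code + discretionary data>?
TRACK1_RE = re.compile(
    r"%B(?P<pan>\d{13,19})\^(?P<name>[^^]{2,26})\^(?P<exp>\d{4})(?P<rest>[^?]*)\?"
)
# Track 2: ;<PAN>=<YYMM><service code + discretionary data>?
TRACK2_RE = re.compile(r";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<rest>[^?]*)\?")
# A bare 13-19 digit run not embedded in a longer digit string.
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")


def luhn_valid(number: str) -> bool:
    """Luhn mod-10 check; filters out most non-card digit runs."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, as PCI masking rules allow."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_line(line: str):
    """Return (findings, redacted_line) for one log line.

    findings is a list of (kind, masked_pan) tuples; kind is
    'track1', 'track2' or 'pan'. Track matches are redacted first so the
    bare-PAN pass does not report the same card a second time.
    """
    findings = []
    redacted = line
    for kind, regex in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in regex.finditer(line):
            pan = m.group("pan")
            if luhn_valid(pan):
                findings.append((kind, mask_pan(pan)))
                redacted = redacted.replace(m.group(0), f"[REDACTED {kind.upper()}]")

    def _sub_pan(m):
        pan = m.group(1)
        if not luhn_valid(pan):
            return pan           # not a card number; leave it alone
        findings.append(("pan", mask_pan(pan)))
        return mask_pan(pan)

    redacted = PAN_RE.sub(_sub_pan, redacted)
    return findings, redacted


def scan_log(lines):
    """Scan a sequence of log lines; report only lines with findings."""
    report = []
    for n, line in enumerate(lines, 1):
        findings, redacted = scan_line(line)
        if findings:
            report.append({"line": n, "findings": findings, "redacted": redacted})
    return report


# Constructed sample log lines (industry test card numbers, fictional data).
SAMPLE_LOG = [
    "2003-07-01 09:12:44 POS07 auth ok amt=42.17 ref=A8813",
    "2003-07-01 09:13:02 POS07 raw=;4111111111111111=25121011234567890? auth ok",
    "2003-07-01 09:14:19 POS03 raw=%B5500000000000004^DOE/JANE^2512101000000000000000?",
    "2003-07-01 09:16:31 POS07 cardholder lookup pan=4012888888881881 status=ok",
    "2003-07-01 09:15:00 POS03 txn id 1234567890123 settled",
]

if __name__ == "__main__":
    for entry in scan_log(SAMPLE_LOG):
        print(f"line {entry['line']}: {entry['findings']}")
        print(f"  {entry['redacted']}")
```

Run against a real log directory, the interesting output is any hit at all: under the operating regulations quoted above, a merchant should never be able to find full Track 1 or Track 2 data in anything it has written to disk, so a single `track1`/`track2` finding is a retention problem to fix at the source (the software writing the log), not something to clean up with a redaction script after the fact.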

I have not seen any indication that BJ's has yet learned how the breach occurred. It seems that BJ's first learned the breach happened from credit card companies. (There is no indication of how Visa learned that BJ's was the source of the compromise. I would assume it identified compromised credit cards through fraud detection algorithms and identified BJ's by working backwards from the historical purchases on those credit cards.) MasterCard's and Visa's initial warning to affected issuing banks did not disclose BJ's identity, but BJ's publicized the breach in March 2004. We know that authorities have detected and located some of the individuals using and trading the cards, and some law enforcement officials have concluded that the attack was accomplished over the Internet (which contradicts the findings of BJ's consultant).

In any event, BJ's breach caused substantial damages to issuing banks: under 15 U.S.C. ss 1643 and 1693g, the issuing bank is liable for fraudulent charges, rather than the cardholders. In BJ's case, many of the banks cancelled the compromised cards and reissued new cards to limit their liability for fraudulent charges. Issuing banks must also absorb the costs of notifying cardholders, reissuing cards, and the interruption of business in the interim. In Note F to the Financial Statements of its last 10-K filing, BJ's estimates that there are approximately $10 million in outstanding claims against it. The Pennsylvania State Employees Credit Union (PSECU) claims losses approaching $100,000, while Sovereign Bank claims $500,000 in losses, and Banknorth NA filed suit claiming losses of $583,000. Meanwhile, CUNA Mutual Group (a mutual insurance company for credit unions) alleges it suffered millions of dollars of losses.

PSECU's Lawsuit
PSECU filed suit in Pennsylvania state court against BJ's and Fifth Third on June 18, 2004, and the case was removed to the U.S. District Court for the Middle District of Pennsylvania on July 16, 2004. PSECU's complaint was filed on August 5, 2004. In essence, it states that BJ's collected magnetic strip data from its customers' credit cards from July 1, 2003 to February 29, 2004 and failed to delete it, and that Fifth Third did nothing about it. Consequently, PSECU had to reissue 20,029 cards at a total cost of $98,128.13(!). PSECU's complaint states two claims each against Fifth Third and BJ's. PSECU's breach of contract claim alleges that the Visa operating regulations in effect at the time required merchants to secure magnetic strip data while using it and to delete it as soon as it was no longer needed, and also required acquiring banks' merchant agreements to require merchants to abide by the operating regulations. PSECU's negligence claim alleges that BJ's breached its common law duty to secure the magnetic strip data and to delete the data after its use, and that Fifth Third breached its duty to ensure that BJ's did so. BJ's and Fifth Third answered PSECU's complaint on September 14, 2004.

BJ's Third Party Claim Against IBM
BJ's filed a third party complaint against IBM, essentially seeking to shift to IBM any liability for the flaws in the credit card processing system that caused magnetic strip data to be retained. IBM moved to dismiss the complaint. BJ's response is here. The court's May 3, 2005 ruling dismissed some of BJ's claims but saved others. The court dismissed BJ's Massachusetts-based unfair practices claim, its New York-based deceptive practices claim, and its declaratory judgment action, as well as certain parts of BJ's indemnity claim. The court rejected, on the other hand, IBM's argument that the complaint was deficient without an allegation that IBM's retention of magnetic strip data was connected to a security breach, noting that Federal Rule 8(e) permits BJ's to make conditional allegations: if BJ's is held liable for a security breach, then IBM is liable to BJ's for retaining magnetic strip data.

Economic Loss Doctrine and Information Security
The court also rejected IBM's arguments against BJ's negligence claims and the part of its indemnity claim related to replacement of compromised cards. Those rulings are the most significant part of the court's decision. IBM claimed the indemnity claim was barred by disclaimers in the contract. The disclaimers had an exception for third-party claims for damages to "tangible, personal property." Citing America Online, Inc. v. St. Paul Mercury Ins. Co., 347 F.3d 89 (4th Cir. 2003) for the proposition that computer data is not tangible property, the court dismissed those indemnity claims arising from damage to the personal data on the cards. The court also found that money held in debit cardholders' accounts was not tangible property either, and so dismissed those parts of BJ's indemnity claim related to theft from debit cardholders' accounts. The court did not dismiss the parts of BJ's indemnity claim related to the costs involved in replacing credit cards. The court's response to IBM's argument that the cards were not physically damaged is interesting; the court holds that there is no reason that the damage to tangible property need be physical. Here, the cards were not destroyed, but were made useless (or worse) after they were compromised. "IBM's liability was preserved as to the injury to these cards as physical objects, the loss of the use of these cards [for credit card transactions,] but measured by the value of the cards as blanks."

The court applied the same logic to summarily reject IBM's economic loss doctrine argument against BJ's negligence claim. The economic loss doctrine has hazy outlines. Generally speaking, the economic loss doctrine limits the recovery of economic losses (typically, disappointed commercial expectations) to parties to a contract. (Thus, breach of contract plaintiffs can seek to be put in the same position they would have been if the contract had been performed.) The economic loss doctrine applies to negligence and strict liability claims; it does not apply to personal injuries, property damage, or intentional torts. The economic loss doctrine is widespread (the Supreme Court recognized it in East River S.S. Corp. v. Transamerica Delaval Inc., 476 U.S. 858 (1986)) but there is substantial variation between different states' application of the doctrine. Because defendants can argue the economic loss doctrine eliminates liability for the disclosure of confidential or secret information, it will become a central feature in information security negligence cases.