Judge looks for links in credit card case

Visa, MasterCard are asked to provide details on their relationship with payment processor CardSystems.

Joris Evers Staff Writer, CNET News.com

Joris Evers covers security.

Joris Evers

Sept. 27, 2005 6:13 p.m. PT

2 min read

SAN FRANCISCO--A judge has asked Visa and MasterCard to disclose details about their relationship with CardSystems Solutions, the payment processor that was the subject of a high-profile data security breach.

The information, such as contracts between the companies, should help determine whether the credit card companies have responsibility under California law to notify consumers whose personal details were exposed in the CardSystems breach, San Francisco Superior Court Judge Richard Kramer said Tuesday during a court hearing here.

Visa, MasterCard, Merrick Bank and CardSystems were sued in June on behalf of California credit card holders and card-accepting merchants. The suit seeks to test a state law that requires consumer notification after personal information stored on computers is lost, stolen or breached.

On Friday, Kramer denied a request for a preliminary injunction that would have required the credit card companies to tell individual California credit card holders that their account information was exposed in the CardSystems breach.

The digital break-in at CardSystems was publicly disclosed by MasterCard on June 17. Intruders got access to details on about 40 million credit cards. Records of more than 200,000 cards are thought to have been transferred out of CardSystems' network. Visa and MasterCard maintain that notification responsibility falls with the banks that issue credit cards because they have direct relationships with the affected customers.

Kramer said he wants to be clear on which defendants fall under California civil code section 1798.82, the notification statute. While it is clear that the breach was at CardSystems, the law applies to entities that "own or license" personal information about Californians. Plaintiffs in the case say that includes Visa, MasterCard and Merrick.

"I believe we have to figure out whether indeed Visa, MasterCard and Merrick are covered by the statute. They don't seem to own the data, but the plaintiffs' view is that they are operating with a license," Kramer said. He ordered all parties to prepare for a trial on that matter and to exchange information.

Plaintiff attorney Ira Rothken said he was pleased with the outcome of Tuesday's hearing. "We're going to get to do some discovery and tee up the most important question in this case," he said. Rothken believes all defendants fall under the California law. "We believe they are all intimately intertwined," he said.

MasterCard, Merrick and Visa have argued that the statute does not apply to them.

Another hearing in the case has been scheduled for Oct. 24.