X

Squabble continues over credit card breach

Judge again instructs Visa and MasterCard to provide information on their relationship with hacked payment processor CardSystems Solutions.

Joris Evers Staff Writer, CNET News.com
Joris Evers covers security.
See full bio
Joris Evers
2 min read
SAN FRANCISCO--A judge in a case over a high-profile data security breach at payment processor CardSystems Solutions told parties on Monday to stop squabbling and be productive.

San Francisco Superior Court Judge Richard Kramer told the plaintiffs--who seek to represent classes of California consumers and merchants--and defendants Visa and MasterCard to exchange information about their relationship with CardSystems.

Kramer gave similar instructions a month ago, but parties in a hearing Monday said they have been unable to agree on the type of information that should be shared.

"You folks maybe can't agree on anything, except maybe on what day you should be here," Kramer said.

He told Visa and MasterCard again to disclose details about their relationship with CardSystems and instructed the plaintiffs not to ask for an overly broad release of information. Visa and MasterCard during the Monday afternoon hearing accused the plaintiffs of asking for too much information.

The information, such as contracts between the companies, should help determine whether the credit card companies have responsibility under California law to notify consumers whose personal details were exposed in the CardSystems breach.

Visa, MasterCard, Merrick Bank and CardSystems were sued in June on behalf of California credit card holders and card-accepting merchants. The suit seeks to test a state law that requires consumer notification after personal information stored on computers is lost, stolen or breached.

The digital break-in at CardSystems was publicly disclosed by MasterCard on June 17. Intruders got access to details on about 40 million credit cards. Visa and MasterCard maintain that notification responsibility falls with the banks that issue credit cards because they have direct relationships with the affected customers.

Kramer has said he wants to determine which defendants fall under California civil code section 1798.82, the notification statute. While it is clear that the breach was at CardSystems, the law applies to entities that "own or license" personal information about Californians.

Plaintiffs in the case say the statute covers Visa, MasterCard, CardSystems and Merrick, while defendants MasterCard, Visa and Merrick have argued that the statute does not apply to them.

Another hearing in the case has been scheduled for Jan. 9.