
Judge holds off disclosure in credit card heist

Ruling means Visa and MasterCard don't have to notify customers affected by a high-profile data breach--at least for now.

Joris Evers Staff Writer, CNET News.com
Joris Evers covers security.
SAN FRANCISCO--Visa and MasterCard won't have to inform customers that their personal details were exposed in a high-profile data security breach--at least for now, a judge ruled Friday.

San Francisco Superior Court Judge Richard Kramer denied a request for a preliminary injunction that would require the credit card companies to tell individual California credit card holders that their accounts are at risk of fraud after a widely publicized digital break-in at CardSystems Solutions. Payment processor CardSystems and Merrick Bank are also defendants in the case.

"I don't see the emergency," Kramer said. "There is no basis for involving the injunctive power of this court against a litany of defendants, some of whom might or might not be involved."

The case, filed in June on behalf of California credit card holders and card-accepting merchants, seeks to test a state law that requires consumer notification after personal information stored on computers is lost, stolen or breached. The plaintiffs had sought a preliminary injunction to force consumer notification in the CardSystems case.

The security breach at CardSystems was disclosed publicly on June 17 by MasterCard. In the break-in, intruders got access to details on about 40 million credit cards. Records covering about 200,000 cards are thought to have been transferred out of CardSystems' network. Visa and MasterCard maintain that notification responsibility falls with the banks that issue credit cards and that have direct relationships with the affected customers.

Kramer denied the request for a preliminary injunction without prejudice, indicating that the notification issue is at the heart of the case and is too complex for that. "The scope of what might be adequate notice is what this case is--basically, what this whole lawsuit is about--and needs to be addressed in a more organized way," he said.

After hearing further arguments on Friday afternoon, Kramer stuck to his earlier tentative ruling against the preliminary injunction. "There is no showing of an immediate threat," he said.

"Visa is pleased that the court denied the request for a preliminary injunction," Randall Edwards, an attorney for the San Francisco-based credit card association, said after the hearing Friday.

In the next stages, Kramer said he wants to discuss the details of the case and the "relatively new statute that has been untested." The statute is California Civil Code section 1798.82.

"I think there are serious questions as to who is covered by the statute and what is covered by it," Kramer said. The next hearing in the case is set for Tuesday.

Kramer on Friday also ruled that merchants can't be a party in the case, because the complaint does not demonstrate any damages. His ruling, however, leaves room for the complaint to be amended, which plaintiff attorney Rothken said he would do.

Retailers may have more to lose than consumers by the lack of notification. If a criminal makes an unauthorized purchase on an individual's card, the cardholder is typically protected by the credit card company through "zero liability" programs. Businesses, especially online businesses, however, in many cases have to cover the loss.