When hackers attack, lawyers win. The recently exposed breach at CardSystems Solutions (Phoenix, Ariz.) announced last Friday by MasterCard International (Purchase, N.Y.) could create a push for a class action bonanza. "We can expect to see plaintiff class action lawyers bringing lawsuits along the lines of the LexisNexis case, alleging violations of the Federal Fair Credit Reporting Act [FCRA] and the California Credit Reporting Act," says Thomas F. Holt Jr., Esq., a Boston-based trial lawyer with Kirkpatrick & Lockhart Nicholson Graham.
In a class action lawsuit filed against LexisNexis in April, the plaintiffs have claimed that the company's loss of personal data results in liability under FCRA. If a similar approach were taken against the card processors, associations, merchant banks or issuing banks, it could create a serious legal wrangle for all of the companies involved.
Although Holt doesn't agree with the theories that are likely to arise from the plaintiff's bar, he paints a somber picture for the card industry about the potential avenues of legal attack. "There will clearly be a 'buffet of claims' that will appear in these complaints," he says.
The objective for the plaintiffs would be to claim damages beyond any direct financial loss suffered by a consumer, which typically is capped at $50 per person. "In terms of liability, there's been a mild obsession with the $50 liability cap," observes Holt.
Specifically, a finding that the FCRA applied in this case would allow the plaintiffs to insist upon remedies and damages beyond the out-of-pocket loss. "I'd expect that the plaintiffs bar will be looking for a per-cardholder assessment of damages that will be driven by such things as a regular credit check to be paid for by one or more of the defendants," says Holt. Thus, if the card industry were ordered to pay for periodic credit checks for a class of 40 million people at an estimated cost of $30 per report, the total cost could easily run into the billions of dollars.
"The plaintiff's bar will argue that there was a duty of care that was owed by one or more of the defendants to the individual whose identity has been stolen," explains Holt. "In many respects, it's going to come down to a first-year law school tort exam: 'Was there a duty of care that was owed? What was the standard of care? Was it breached?'"
Furthermore, the plaintiffs are likely to go after the deepest pockets, and so the card associations and member banks may not be able to escape entanglement. "There is going to be a whole host of defendants seeking to shift liabilities to one another," says Holt. "The plaintiff is largely agnostic to that type of dispute. The plaintiff will simply be claiming these damages and they don't care who pays them."
Even though press reports indicate that CardSystems violated the associations' rules by keeping copies of cardholder data beyond the necessary period, the plaintiff's bar could argue that other parties in the chain of custody of data should have found out about the violation and taken steps to correct the problem. "When did the issuer know it, and what did the issuer do about the alleged violation of the industry standard?" says Holt, describing the probable line of questioning.
Even if the plaintiff's arguments are torn apart in court, it's still a major headache for the industry. "Once these lawsuits get filed, there's an enormous transactional cost associated with them," relates Holt.
In the meantime, Holt offers a bit of free advice to banks: "They've got to take basic steps -- encryption, hashing of data -- to inoculate themselves from this liability," he advises. "Don't keep more information than you need, and don't keep it longer than you need it."