Data breaches have become a phenomenon of late—with news seemingly breaking everyday on the latest victim and the potential harm to consumers. Often overlooked, however, is the impact that each new data breach has on banks. Banks are stuck footing the bill for reissuing credit and debit cards. In some cases, the reissue costs may be as high as $15 to $50 per card. In the case of the Target breach, banks are estimating these costs to be in the billions. The Target case represents the latest example of banks attempting to recover these costs from retailers who suffer data breaches. Banks have been unsuccessful in prior attempts to hold retailers liable for their costs in reissuing credit and debit cards following a data breach. The Target case, however, may prove to be different because it was filed in Minnesota. This is due in part to a unique Minnesota law, Minnesota’s Plastic Card Security Act. The Act places restrictions on how Minnesota businesses handle customer data. Minnesota businesses that violate the Act are liable for the costs that card issuers incur replacing compromised credit and debit cards.
Colorado Data Breach Law
Colorado does not have a law similar to Minnesota’s Plastic Card Security Act. Such a law was proposed in Colorado in 2011 but failed to pass. This means banks filing a case in Colorado to recover damages against a Colorado business that mishandles customer data may have a more difficult time finding success. Colorado law does provide for notification to consumers if a data breach “compromises the security, confidentiality, or integrity of personal information,” but this law does nothing to help shield the banks from the costs incurred in responding to a data breach.
The lack of protection for banks under Colorado law makes it even more important for banks to proactively prepare for a data breach event. Preparations should include creating a data breach response plan. The ICBA released a guide in 2014—Key Considerations for Community Banks Facing Payment Card Compromises—addressing issues that banks should consider when faced with a data breach event. First, identify procedures for assessing the scope of the breach. Depending on the assessment, new payment cards may need to be issued. Second, designate roles to employees responsible for responding to a breach. The assignment of roles helps to ensure that a clear and focused message is communicated to customers and the media. Third, communicate the breach to effected customers. Communications should describe how the breach occurred, what information was exposed, and what steps the bank is taking to protect their information, including the reissuance of cards if necessary. Additionally, the communication should reassure customers that the bank takes their security seriously and that they have zero liability for fraudulent activity (if applicable), and remind them to monitor their accounts for any unauthorized transactions.
Banks incur much of the cost to insulate consumers from the harm of data breaches despite the fact that banks are often not the direct target of a data breach. Colorado law provides little protection to banks in this respect. A proactive approach can help banks minimize these costs.