In the wake of the largest credit card security breach involving TJX Companies, Inc.’s computer system, states have a renewed interest in pursuing legislation that protects consumers and punishes companies responsible for data breaches. Although more than two-thirds of states have passed various breach notification statutes, until May 2007 no state had enacted any of the Payment Card Industry (“PCI”) standards, which consist of 12 data security controls developed by the major credit card associations. That fact changed, however, on May 21, 2007, when Minnesota became the first state to enact one of the PCI standards into law.
Minnesota’s “Plastic Card Security Act” (the “Act”), which goes into effect after August 1, 2008, will impact companies that conduct credit or debit card transactions in Minnesota. The Act is broad in its scope, as the security breach does not have to take place in Minnesota, nor does the financial institution affected need to be located there. Any company or entity conducting business in Minnesota that accepts an “access device”—magnetic stripe data or processor chips—must guarantee that it will not retain Track II data (the information drawn from magnetic stripes) or personal identification numbers (“PINs”) once a credit or debit card transaction has been completed. Minnesota’s prohibition against storing Track II data and PINs echoes the PCI standards’ commitment to protecting cardholder data.
Minnesota’s new data security law reflects a growing desire among states to shift the responsibility for data security breaches from banks, credit unions, and other financial institutions to retailers and merchants in possession of credit card information. Prior to the passing of the law, banks and credit unions were primarily responsible for dealing with the expenses linked to data breaches. Now, once a company has violated the Act’s anti-storage prohibition, it must reimburse the financial institution that issued the credit or debit card for the “reasonable costs” affiliated with responding to the breach. Costs may include those associated with notifying customers about breaches, closing accounts, or reissuing cards.
Minnesota is not alone in its commitment to increased scrutiny of merchant and retailer handling of consumer data. At least five other states—California, Connecticut, Illinois, Massachusetts, and Texas—are in the process of drafting legislation to curtail data security breaches. As other states follow Minnesota’s example, merchants may be held strictly liable for data breaches that arise during the course of their business operations. Yet, even if only a few states enact statutes similar to the “Plastic Card Security Act,” Minnesota may host a great deal of litigation due to the Act’s broad territorial scope. As a result, companies that accept or store credit or debit card information should remain aware of the changing climate toward merchants and begin considering strategies for risk management in the event of data security breaches.