State Data Security Breach Notice Legislation
More than half the states in the Union, including California, have enacted laws requiring companies to notify consumers about
breaches of security in which certain personal information relating to those consumers was, or is reasonably believed to have
been, acquired by an unauthorized person. Although these laws are widely understood to be modeled on the California notification law requiring notice to consumers,
the particular details of these state notification requirements vary widely. For example, a few states have enacted laws that apply to paper records, as well as to computerized data. In addition, some state notice laws also require specified state authorities to be notified about a security breach. And others prescribe certain information to be included in a notice sent to consumers.
For more information, contact Tom Scanlon at tscanlon@mofo.com.
New Visa Data Compromise Standards
With thousands of merchants out of compliance with the Payment Card Industry ("PCI") security standards, and with untold numbers of retailers improperly storing customer account numbers and other personal data, Visa issued new "Account Data Compromise Recovery" rules in August that apply specifically to mass compromise events involving stored magnetic-stripe (POS-90) data. The rules establish a new method of allocating losses between card issuers and acquirers for these events. The change was prompted by a 500% increase in fraud claims by card issuers since 2004.
The new rules cap card issuers' recovery and, hence, acquirers' liability. Under the process, Visa calculates the acquirer's magnetic-stripe (POS-90) counterfeit fraud liability by examining a 13-month "event window" (the 12 months before and the one month after a CAMS alert, i.e., an alert issued through Visa's Compromised Account Management System). The formula excludes "business as usual" fraud from issuer recovery by subtracting the amount of magnetic-stripe (POS-90) counterfeit fraud that would have been expected on the event population during the event window if the mass compromise had not occurred. That amount is referred to as "baseline fraud," for which the acquirer is not responsible. Any fraud above that baseline level is "incremental" fraud, for which the acquirer is responsible.
Card issuers may recover from the acquirer $1 per eligible account number involved in the compromise, to partially cover operating expenses such as card reissuance and increased customer service calls. Any account number that was involved in a prior magnetic-stripe compromise event within the preceding 12 months is excluded. Acquirers are liable for at most 80% of the card numbers at risk; Visa reckons that the remaining 20%, on average, represents accounts that had expired or been closed, reissued, or blocked before they appeared on a CAMS alert.
Issuers have until September 30, 2006, to enroll in order to become eligible for recovery of operating expenses for CAMS alerts
that occur on or after October 1, 2006, but going forward enrollment must occur prior to a given CAMS alert for which recovery
is sought.
For more information, contact Roland Brandel at rbrandel@mofo.com or check out Visa’s Web site at http://usa.visa.com/.
Breach Notification CLE Seminar
Has your company ever: Lost a laptop? Discovered a rogue employee stealing customer data? Had its Web site hacked? More than 30 states now have laws requiring companies to provide notice to individuals—and, in some states, to regulators—in
the event of a data security breach. In addition, if your business is international, so is your data. At least three other countries are contemplating breach notification laws.
Join us for a short, 1½-hour excursion into the fascinating world of breach notification.
Thursday, September 26, 2006
Morrison & Foerster LLP
1290 Avenue of the Americas, 39th Floor
New York, New York
Registration: Noon – 12:30 p.m.
Program: 12:30 p.m. – 2:00 p.m.
For more information, contact Elite Rubin at (212) 336-4198 or erubin@mofo.com.