September 25, 2005
A San Francisco judge has rejected a request that Visa and MasterCard be required to notify consumers whose personal information in a security breach at CardSystems Solutions Inc. that exposed over 40 million credit card holders to potential fraud.
"I don't see the emergency," said San Francisco Superior Court Judge Richard Kramer as he refused to issue an order requiring the credit card associations to inform customers vulnerable to identity theft because of the data theft.
Kramer said he did not see "an immedate threat of irreparable injury." The ruling was a setback in a class action suit filed on behalf of California consumers by attorney Ira Rothken of San Rafael.
Rothken based his argument on a California law that's been adopted by other states around the country. It was the first big test of the two-year-old law that requires companies to alert consumers when their personal information is lost, stolen or breeched.
The lawsuit alleges that Cardsystems Solutions, Merrick Bank, Visa and MasterCard have violated their duty to timely and properly inform consumers of the nature and degree of the alleged security breach. The suit claims that these violations constitute "unfair, unlawful and deceptive business practices" under California's Unfair Competition Law.
Visa and MasterCard have argued that since they do not have direct relationship with cardholders, they should not be obligated to notify them. Instead, they say the banks that issued the cards should be responsible for communicating with their customers.
The associations say that, in fact, consumers face little financial risk because of the cards' zero liability policy in fraud cases. Under federal law, credit card holders are liable for no more than $50 of unauthorized charges, and many card issuers will waive the $50 in circumstances such as these.
The chances of identity theft are minimal since customers' Social Security numbers and home addresses were not exposed in the CardSystems breech.
Besides, the associations argued, if customers were told their account information had been stolen, they might requrest new cards, at a cost to Visa and MasterCard of about $35 per customer.
MasterCard's attorney argued customers had already been notified by the widespread publicity given to the mid-June disclosure of the security breech.
The full text of Rothken's complaint is at www.techfirm.com/cardsystems.pdf.
