Bank Claims for Target-Type Breaches: Leveraging Litigation - - PowerPoint PPT Presentation



SLIDE 1

Bank Claims for Target-Type Breaches: Leveraging Litigation Theories, Assessing and Pleading Damages

Recovering Losses Due to Third-Party Data Breaches and Response Planning to Protect Customers' Financial Information

Presenting a live 90-minute webinar with interactive Q&A

THURSDAY, MAY 15, 2014

1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific

Today’s faculty features:

  • Kenneth C. Johnston, Director, Kane Russell Coleman & Logan, Dallas
  • R. Andrew Patty, II, Member, McGlinchey Stafford, Baton Rouge, La.
  • Robert W. Gifford, Kane Russell Coleman & Logan, Dallas

The audio portion of the conference may be accessed via the telephone or by using your computer's speakers. Please refer to the instructions emailed to registrants for additional information. If you have any questions, please contact Customer Service at 1-800-926-7926 ext. 10.

SLIDE 2

Sound Quality

If you are listening via your computer speakers, please note that the quality of your sound will vary depending on the speed and quality of your internet connection. If the sound quality is not satisfactory, you may listen via the phone: dial 1-866-869-6667 and enter your PIN when prompted. Otherwise, please send us a chat or e-mail sound@straffordpub.com immediately so we can address the problem. If you dialed in and have any difficulties during the call, press *0 for assistance.

Viewing Quality

To maximize your screen, press the F11 key on your keyboard. To exit full screen, press the F11 key again.

FOR LIVE EVENT ONLY

SLIDE 3

For CLE purposes, please let us know how many people are listening at your location by completing each of the following steps:

  • In the chat box, type (1) your company name and (2) the number of attendees at your location
  • Click the SEND button beside the box

If you have purchased Strafford CLE processing services, you must confirm your participation by completing and submitting an Official Record of Attendance (CLE Form). You may obtain your CLE form by going to the program page and selecting the appropriate form in the PROGRAM MATERIALS box at the top right corner. If you'd like to purchase CLE credit processing, it is available for a fee. For additional information about CLE credit processing, go to our website or call us at 1-800-926-7926 ext. 35.

FOR LIVE EVENT ONLY

SLIDE 4

If you have not printed the conference materials for this program, please complete the following steps:

  • Click on the ^ symbol next to “Conference Materials” in the middle of the left-hand column on your screen.
  • Click on the tab labeled “Handouts” that appears, and there you will see a PDF of the slides for today's program.
  • Double click on the PDF and a separate page will open.
  • Print the slides by clicking on the printer icon.

FOR LIVE EVENT ONLY

SLIDE 5

Robert W. Gifford
Kane Russell Coleman & Logan

  • rgifford@krcl.com
  • kjohnston@krcl.com
  • dpatty@mcglinchey.com
  • bthibodeaux@mcglinchey.com

SLIDE 6

Credit/Debit Card Processing

The Primary and Secondary Players and their Role in Payment Card Processing

6

SLIDES 7-25

Credit/Debit Card Processing

The Primary and Secondary Players and their Role in Payment Card Processing

The processing diagram shows four steps (Step 1 - Authorization, Step 2 - Batching, Step 3 - Clearing, Step 4 - Funding) and is built up one message at a time across slides 7 through 25. The complete flow reads:

Step 1 - Authorization
  • The cardholder requests a purchase from the merchant.
  • The merchant submits the request to the acquirer.
  • The acquirer sends a request to the issuer to authorize the transaction.
  • An authorization code (7963826 in the slide’s example) is sent to the acquirer if there is valid credit available.
  • The acquirer authorizes the transaction.
  • The cardholder receives the product.

Step 2 - Batching
  • The merchant stores all of the day’s authorized sales in a batch.
  • The merchant sends the batch to the acquirer at the end of the day to receive payment.

Step 3 - Clearing
  • The batch is sent through the card network to request payment from the issuer.
  • The card network distributes each transaction to the appropriate issuer.
  • The issuer subtracts its interchange fees, which are shared with the card network, and transfers the amount.
  • The network routes the amount to the acquirer.

Step 4 - Funding
  • The acquirer subtracts its discount rate and pays the merchant the remainder.
  • The cardholder is billed.
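The four-step flow above, as an added example that is not part of the webinar slides: a small Python model in which a merchant, an acquirer, a card network and an issuer exchange the authorization, batch, clearing and funding messages the slides describe. The participant names, account number, fee rates and amounts are constructed assumptions.

```python
"""Model of the four-step card payment flow on slides 7-25 (authorization, batching,
clearing, funding). Constructed example: names, rates and amounts are assumptions."""
from dataclasses import dataclass, field
from decimal import Decimal, ROUND_HALF_UP

def money(x):
    return Decimal(x).quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)  # round to cents

@dataclass
class Issuer:
    accounts: dict                  # PAN -> available credit
    interchange_rate: Decimal       # fee the issuer keeps (shared with the network)
    next_auth_code: int = 7963826   # the example code shown on the slides
    billed: dict = field(default_factory=dict)

    def authorize(self, pan, amount):
        """Step 1: return an authorization code only if valid credit is available."""
        if self.accounts.get(pan, Decimal(0)) < amount:
            return None
        self.accounts[pan] -= amount
        code, self.next_auth_code = str(self.next_auth_code), self.next_auth_code + 1
        return code

    def settle(self, pan, amount):
        """Step 3: bill the cardholder, subtract interchange, transfer the rest."""
        self.billed[pan] = self.billed.get(pan, Decimal(0)) + amount
        return amount - money(amount * self.interchange_rate)

@dataclass
class Network:
    issuers: dict                   # BIN (first six PAN digits) -> Issuer
    def route_auth(self, pan, amount):
        """Step 1: forward the acquirer's request to the issuer of that card."""
        return self.issuers[pan[:6]].authorize(pan, amount)

    def clear(self, batch):
        """Step 3: hand each transaction to its issuer; route the funds to the acquirer."""
        return sum((self.issuers[t["pan"][:6]].settle(t["pan"], t["amount"])
                    for t in batch), Decimal(0))

@dataclass
class Acquirer:
    network: Network
    discount_rate: Decimal          # assumed to be charged on the gross sale amount
    def authorize(self, pan, amount):
        return self.network.route_auth(pan, amount)

    def fund(self, batch):
        """Steps 3-4: clear the batch, subtract the discount, pay the merchant."""
        received = self.network.clear(batch)
        gross = sum((t["amount"] for t in batch), Decimal(0))
        return money(received - gross * self.discount_rate)

@dataclass
class Merchant:
    acquirer: Acquirer
    batch: list = field(default_factory=list)
    def sell(self, pan, amount):
        """Step 1: obtain authorization; Step 2: keep the approved sale for the batch.
        Only what clearing needs is stored: no security code, PIN or track data."""
        code = self.acquirer.authorize(pan, amount)
        if code is None:
            return False
        self.batch.append({"pan": pan, "amount": amount, "auth_code": code})
        return True

    def close_day(self):
        """Step 2: send the day's batch to the acquirer and receive payment."""
        batch, self.batch = self.batch, []
        return self.acquirer.fund(batch)

def run_example():
    """A $60 sale approved and a $50 sale declined against a $100 credit line."""
    issuer = Issuer({"411111000000001": Decimal("100.00")}, Decimal("0.018"))
    merchant = Merchant(Acquirer(Network({"411111": issuer}), Decimal("0.007")))
    approved = merchant.sell("411111000000001", Decimal("60.00"))
    declined = merchant.sell("411111000000001", Decimal("50.00"))  # only 40.00 left
    payout = merchant.close_day()  # 60.00 - 1.08 interchange - 0.42 discount = 58.50
    return approved, declined, str(payout), str(issuer.billed["411111000000001"])
```

Where the real parties apply interchange and discount rates is a matter of network rules; the model follows the order the slides give.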

SLIDE 26

Best Practices and Proactive Response Issues When Faced with Data Breach

Why bother?

  • Regulatory Compliance: a proactive response plan is required under regulator-issued guidelines; failure to follow the guidelines can equal unsafe banking practices.
  • Damage Mitigation: maximum recovery against third parties for future damages may depend upon adequate mitigation.
  • Cyber Insurance Coverage: underwriters look at your networks and business practices before they underwrite.

26

SLIDE 27

Best Practices and Proactive Response Issues When Faced with Data Breach

Key steps for regulatory compliance and best practices:

  • Risk Assessment and Awareness
  • Risk Mitigation Techniques
  • Response plan
  • Related policies and procedures
  • Testing and Training
  • Customer Education

27

SLIDE 28

Best Practices and Proactive Response Issues When Faced with Data Breach

Risk Awareness

  • Financial Services Information Sharing and Analysis Center (FS-ISAC; https://www.fsisac.com)
  • Financial services industry entity formed after the 1998 Presidential Directive 63, as updated by 2003’s Homeland Security Presidential Directive 7.
  • In 2013, it expanded to share information with all Financial Service sector participants, not just global institutions.

28

SLIDE 29

Best Practices and Proactive Response Issues When Faced with Data Breach

Key Regulatory Resources

Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice. 77 FR 15736 (March 29, 2005).

Interpretive guidance and OTS final rule on Gramm-Leach-Bliley Act (GLBA) and Interagency Guidelines Establishing Information Security Standards (the Security Guidelines) from the OCC, Board, FDIC and OTS. Establishes specific guidance for Fraud Incidence Response Plan, as outlined on following slide.

29

SLIDE 30

Best Practices and Proactive Response Issues When Faced with Data Breach

Key Regulatory Resources (cont’d)

Fraud Incidence Response Program Minimum Requirements:

  • Assessment of nature and scope of incident and types of customer info accessed or misused
  • Notification to primary Regulators as soon as possible when incident involves “sensitive customer information”
  • SAR reporting, where necessary, to law enforcement
  • Contain and control steps, to prevent further access or use of the information (e.g., monitoring, freezing or closing accounts while preserving evidence)
  • Notification to Customers, when warranted (i.e., when misuse has occurred or is “reasonably possible”)

30

SLIDE 31

Best Practices and Proactive Response Issues When Faced with Data Breach

Key Regulatory Resources (cont’d)

Federal Financial Institutions Examination Council (FFIEC; http://www.ffiec.gov)

  • Formal interagency body formed in 1979 and empowered to prescribe uniform standards for examination of financial institutions by FRB, FDIC, NCUA, OCC and CFPB.
  • Publishes IT Examination Handbook (online at http://ithandbook.ffiec.gov)
  • Handbooks (e.g., “Retail Payment Systems” and “Wholesale Payment Systems”) address best practices
  • Catalogs most applicable rules, regulations and guidance from the various key financial regulatory agencies, to date.

31

SLIDE 32

Best Practices and Proactive Response Issues When Faced with Data Breach

Key Regulatory Resources (cont’d)

  • From the FFIEC IT Handbook > Retail Payment Systems > Risk Management > Retail Payment Instrument Specific Risk Management Controls > Merchant Acquiring booklet (accessed 14 April 2014):
  • Acquiring banks are ultimately responsible for any risks posed to the payment system by their sponsored merchants and third-party service providers. Management and the board of directors of all participants, including the acquiring banks, must have a clear understanding of the risk associated with acquiring activities and must understand their obligations under credit card association rules.
  • The credit card associations require acquiring banks to ensure that their merchants and third-party service providers comply with the Payment Card Industry Data Security Standards (PCI DSS). For third-party service providers and large merchants, PCI DSS compliance validation must be performed annually by a Qualified Security Assessor that has been approved by the PCI Security Standards Council. Smaller merchants must validate compliance annually through completion of a self-assessment questionnaire. It is not uncommon within the industry for a large number of merchants, and even some third-party service providers, to be in noncompliance with PCI DSS, potentially exposing their acquiring bank to reputation risk and financial loss from fraud, lawsuits, and fines. Additionally, issuing banks that use third-party service providers for transaction processing are required by the card associations to ensure that their providers are in compliance with PCI DSS.
  • PCI Security Standards: www.pcisecuritystandards.org.

32

SLIDE 33

Theories of Recovery Against Retailers and Other Targets of Data Breaches

Statutory Theories
Strict Liability: The Minnesota “Plastic Card Act”

Merchant liability: "No person or entity conducting business in Minnesota that accepts an access device in connection with a transaction shall retain the card security code data, the PIN verification code number, or the full contents of any track of magnetic stripe data, subsequent to the authorization of the transaction or in the case of a PIN debit transaction, subsequent to 48 hours after authorization of the transaction."

33

SLIDE 34

Theories of Recovery Against Retailers and Other Targets of Data Breaches

Statutory Theories
Strict Liability: The Minnesota “Plastic Card Act”

Liability for conduct of service provider: "A person or entity is in violation of this section if its service provider retains such data subsequent to the authorization of the transaction or in the case of a PIN debit transaction, subsequent to 48 hours after authorization of the transaction.”

34
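An added example, not from the webinar, of how a merchant or issuing bank could check stored transaction records against the retention rule quoted on slides 33 and 34; it covers the general case, including the 48-hour PIN debit window and data held by a service provider. The record layout, field names, sample records, the fixed clock and the track-data pattern are assumptions.

```python
"""Retention check modelled on the Minnesota Plastic Card Act language quoted on
slides 33-34.  Constructed example: the record layout, field names and sample
records are assumptions, not the statute's text or any real system's data."""
import re
from datetime import datetime, timedelta, timezone

PIN_DEBIT_GRACE = timedelta(hours=48)                 # statutory window for PIN debit
PROHIBITED_FIELDS = ("security_code", "pin_verification", "track1", "track2")
# Magnetic-stripe sentinels (ISO 7813): track 1 begins "%B<PAN>^", track 2 ";<PAN>=".
TRACK_PATTERN = re.compile(r"%B\d{13,19}\^|;\d{13,19}=\d{4}")
FIXED_NOW = datetime(2014, 5, 15, 17, 0, tzinfo=timezone.utc)   # assumed clock for a repeatable run

def retained_prohibited_data(record):
    """Names of prohibited items still present in one stored record."""
    found = [f for f in PROHIBITED_FIELDS if record.get(f)]
    if TRACK_PATTERN.search(record.get("raw_log", "")):
        found.append("track data in raw_log")   # stripe data leaked into free text
    return found

def retention_violations(records, now):
    """One finding per record that still holds prohibited data after the statutory
    window: immediately after authorization for ordinary transactions, 48 hours
    after authorization for PIN debit.  Data held by a service provider is charged
    to the merchant it serves, as the Act's service-provider clause provides."""
    findings = []
    for r in records:
        items = retained_prohibited_data(r)
        if not items:
            continue
        deadline = r["authorized_at"] + (PIN_DEBIT_GRACE if r["pin_debit"] else timedelta(0))
        if now <= deadline:
            continue                            # PIN debit still inside its 48 hours
        findings.append({"tx": r["tx"], "liable_merchant": r["merchant"],
                         "held_by": r["holder"], "items": items,
                         "overdue": now - deadline})
    return findings

def sample_records(now):
    """Constructed records as they might sit in a merchant's and its service
    provider's databases; not data from any real breach."""
    h = timedelta(hours=1)
    return [
        # Clean: only PAN, amount and authorization code retained.
        {"tx": 1, "merchant": "StoreCo", "holder": "StoreCo", "pin_debit": False,
         "authorized_at": now - 3 * h, "amount": "60.00", "auth_code": "7963826"},
        # Violation: security code kept after a credit authorization.
        {"tx": 2, "merchant": "StoreCo", "holder": "StoreCo", "pin_debit": False,
         "authorized_at": now - 3 * h, "security_code": "123"},
        # Allowed for now: PIN debit, 20 hours after authorization.
        {"tx": 3, "merchant": "StoreCo", "holder": "StoreCo", "pin_debit": True,
         "authorized_at": now - 20 * h, "pin_verification": "9f8e"},
        # Violation: PIN debit, 50 hours after authorization.
        {"tx": 4, "merchant": "StoreCo", "holder": "StoreCo", "pin_debit": True,
         "authorized_at": now - 50 * h, "pin_verification": "9f8e"},
        # Violation charged to the merchant: the provider's debug log kept track 2.
        {"tx": 5, "merchant": "StoreCo", "holder": "ProcessorCo", "pin_debit": False,
         "authorized_at": now - 3 * h,
         "raw_log": "auth ok ;4111111111111111=2512101? amt=60.00"},
    ]

def run_check(now=FIXED_NOW):
    return retention_violations(sample_records(now), now)
```

Record 3 drops out of the findings only because it is still inside the PIN debit window; rerun with a later clock and it is reported like record 4.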

SLIDE 35

Theories of Recovery Against Retailers and Other Targets of Data Breaches

Statutory Theories
Strict Liability: The Minnesota “Plastic Card Act”

Damages: "Whenever there is a breach of the security of the system of a person or entity that has violated this section, or that person's or entity's service provider…" that person or entity shall reimburse the financial institution that issued any access devices affected by the breach "for the cost of reasonable actions undertaken by the financial institution as a result of the breach in order to protect the information of its cardholders or to continue to provide services to cardholders.”

35

SLIDE 36

Theories of Recovery Against Retailers and Other Targets of Data Breaches

Statutory Theories
Deceptive Practices Theories

  • Unfair trade practices (e.g. Minn. Stat. § 325F.68)
  • False advertising (e.g. Minn. Stat. § 325F.67)

Some states, like Minnesota, require a showing that the action is in furtherance of a "public interest" in order to trigger private attorney general rights. Seek parallel injunctive relief.

36

SLIDE 37

Theories of Recovery Against Retailers and Other Targets of Data Breaches

Common Law Theories
Negligence

In theory, easy to prove:

  • Data breach was on merchant’s “watch” and was preventable
  • Issuing bank is a foreseeably damaged victim
  • Merchant’s failure is proximate cause of bank’s need to take expensive precautions
  • Issuing bank suffered damage

37

SLIDE 38

Theories of Recovery Against Retailers and Other Targets of Data Breaches

Common Law Theories
Negligence

The most difficult issue is the economic loss rule, which varies by jurisdiction.

TJ Maxx: economic loss rule bars recovery

In the TJ Maxx case, the federal district court ruled that Massachusetts law precluded the financial institutions from recovering on the negligence claim. Massachusetts law provides that “purely economic losses are unrecoverable in tort and strict liability actions in the absence of personal injury or property damage.” "This Court . . . holds that the alleged 'physical' destruction of the credit cards, debit cards, and security codes should instead be considered economic losses."

38

SLIDE 39

Theories of Recovery Against Retailers and Other Targets of Data Breaches

Common Law Theories
Negligence

TJ Maxx: economic loss rule bars recovery (cont.)

The court's rationale was that although cards are physical property and rendered unusable by the data breach, the damage itself was not physical in nature. The Massachusetts court noted that its law mirrored Pennsylvania law.

39

SLIDE 40

Theories of Recovery Against Retailers and Other Targets of Data Breaches

Common Law Theories
Negligence

Target: Economic loss may not bar recovery

In the Target case, the Minnesota economic loss doctrine should not bar the negligence claim.

  • MINN. STAT. § 604.101: the economic loss doctrine applies to "any claim by a buyer against a seller for harm caused by a defect in the good sold or leased, or for a misrepresentation relating to the goods sold or leased."
  • Ptacek v. Earthsoils, Inc. (Mar. 31, 2014): Section 604.101 "exhaustively states the economic-loss doctrine and abrogates the common-law economic-loss doctrine…."

40

SLIDE 41

Theories of Recovery Against Retailers and Other Targets of Data Breaches

Common Law Theories
Negligence

Target: Economic loss may not bar recovery

In Ptacek, the appellate court ruled that the economic loss doctrine did not bar a claim for damage to crops caused by defendant's delivery of inadequate fertilizer, because the claim did not seek compensation for a defective product. Likewise, in the Target case, damages do not flow from a defect in any product or service the financial institutions purchased from Target.

41

SLIDE 42

Theories of Recovery Against Retailers and Other Targets of Data Breaches

Common Law Theories
Negligent misrepresentation

The issuing banks may have claims for negligent misrepresentation based on Target's assurances – or the assurances of third-party security auditors – that Target adequately protected consumer data. However, in the TJ Maxx case, the court found that reliance is a claim that requires an individual determination of liability and is therefore not appropriate for a class action. Accordingly, the district court concluded that the class was not appropriate, and therefore the court lacked jurisdiction. The court did not dismiss the negligent misrepresentation claim outright.

Equitable Theories

Unjust enrichment, good faith and fair dealing, prima facie tort, etc.

42

SLIDE 43

Theories of Damages

Determining Exposure

The obvious stuff:

  • How many MasterCard cards has the bank had to reissue since the data security breach? How many Visa cards?
  • How much did the bank pay per card to do so? These costs range from $1.50 to $3.50 per card or more.
  • How much has the bank had to pay to refund its customers for fraudulent purchases associated with the data security breach?

43

SLIDE 44

Theories of Damages

Determining Exposure

The not-so-obvious:

  • How much has the bank had to spend—per customer—in order to communicate with customers regarding the data security breach? Call center loads? Creating alerts?
  • Has the bank engaged in card buy-backs through the black market?
  • Mitigation: has the bank had recoveries through chargeback and/or the Visa dispute resolution process, etc. relating to the data security breach?
  • What security alerts (e.g. CAMS alerts) did the bank receive from MasterCard, Visa, or Target?

44

SLIDE 45

Theories of Damages

Determining Exposure

The Target litigation: the Plastic Card Act may permit recoveries for:

  • Canceling existing debit or credit cards and replacing such cards.
  • Closing any financial accounts affected by the breach, as well as acting to stop payments or block transactions with respect to the accounts.
  • Opening or reopening any financial accounts affected by the security breach.
  • Issuing refunds or credits to cardholders to cover the costs of unauthorized transactions related to the breach.
  • Notifying cardholders affected by the breach.

45

SLIDE 46

Third Party Data Vendor Liability

  • In the case of Target, the third party data vendor is a Qualified Security Assessor (QSA), Trustwave Holdings Inc., providing compliance assessment services to merchants, but it may or may not also provide data monitoring and other related data security services to the merchant. Trustwave has been dismissed in some cases and is still sued in others.
  • Claims (e.g., tort negligence) by banks and others suffering losses. Issues:
    • Will the economic loss doctrine apply?
    • Was the data breach due to Payment Card Industry Data Security Standard (PCI DSS) non-compliance or another breach of a contract between vendor and merchant?

46

SLIDE 47

Third Party Data Vendor Liability

  • Claims (e.g., tort negligence) by banks and others suffering losses. Issues (cont’d):
    • Does PCI DSS compliance insulate such vendors, merely because a breach occurred notwithstanding compliance?
    • Cf. Heartland Payments. Heartland was the data custodian which was breached, in contrast to Trustwave and similar QSAs.

47

SLIDE 48

Lone Star National Bank NA et al. vs. Heartland Payment Systems

  • Issuer banks filed suit after hackers stole payment card information from Heartland’s data systems in 2009.
  • MDL consolidated nationwide suits. Litigation then proceeded in 2 paths: consumer plaintiffs and financial institution plaintiffs.
  • Claims asserted and dismissal by district court: 834 F.Supp.2d 566 (S.D. Tx. 2011).

48

SLIDE 49

Lone Star National Bank NA et al. vs. Heartland Payment Systems

Claim and 12(b)(6) ruling:

  • Negligence: Granted with prejudice and without leave to amend
  • Consumer protection laws of NY, JN, and WA: Granted with prejudice and without leave to amend
  • Breach of contract: Granted without prejudice and with leave to amend
  • Breach of implied contract: Granted without prejudice and with leave to amend
  • Express misrepresentation: Granted without prejudice and with leave to amend
  • Negligent misrepresentation based on nondisclosure: Granted without prejudice and with leave to amend
  • Consumer protection laws of CA, CO, IL and TX: Granted without prejudice and with leave to amend
  • Florida Deceptive and Unfair Trade Practices Act: Denied

49

SLIDE 50

Lone Star National Bank NA et al. vs. Heartland Payment Systems

Fifth Circuit Treatment (729 F.3d 421 (5th Cir. 2013)):

Reversed dismissal of negligence claim. Economic loss doctrine does not bar the issuer banks’ negligence claim at the motion to dismiss stage of the litigation. Why?

  • Issuer banks were an identifiable class (Heartland sent payment card information to these banks) and Heartland had reason to foresee the issuer would suffer economic losses by its negligence.
  • In absence of tort remedy, issuer banks would have no recourse, therefore defying notions of fairness, common sense and morality.

50

SLIDE 51

Lone Star National Bank NA et al. vs. Heartland Payment Systems

Current (April, 2014) Posture: Still Pending in District Court

51

SLIDE 52

In re: Target Corporation Customer Data Security Breach Litigation (MDL 2522)

Pending in the District of Minnesota

Three tranches:

  • Bank Cases
  • Consumer Cases
  • Shareholder Cases

52

SLIDE 53

In re: Target Corporation Customer Data Security Breach Litigation (MDL 2522)

  • Plaintiffs include at least 30 banks and credit unions
  • Defendants include Target Corporation, Target.com, and Target Corporate Services
  • Trustwave Holdings: not a current defendant

53

SLIDE 54

In re: Target Corporation Customer Data Security Breach Litigation (MDL 2522)

Claims:

  • Negligence
  • Violations of the Minnesota Plastic Card Act
  • Deceptive Practices
  • False Advertising
  • Unjust Enrichment
  • Negligence Per Se

54

SLIDE 55

In re: Target Corporation Customer Data Security Breach Litigation (MDL 2522)

Case Management Conference: May 14, 2014

55