IT Security Training Australia


Merchant Fights Back: Counter Sues Re Bank’s Claim for Payment of PCI DSS Penalties

For perhaps the first time, the enforceability of the penalty regime supporting the PCI DSS standard will be considered by the courts. If the case does get to be heard, it will also raise issues regarding the enforceability of a contract that allows for unilateral modification and the incorporation of provisions not disclosed to the other party.

In the U.S. case of Elavon Inc. v. Cisero’s Inc., the owners of an Italian restaurant in Utah (Cisero’s) were charged more than $80,000 in fines for alleged security failures that led to fraudulent credit card transactions. In response to proceedings by their bank to recover the outstanding fines, the couple has counter-sued, saying they didn’t break MasterCard and Visa rules, that there was no security lapse and that no acts of fraud were specifically claimed. Once the couple became aware that the bank was debiting the fines against their account, they closed it and moved their business to another bank. Elavon is suing to recover the amount of the credit card companies’ fines that it was not able to recover from the Cisero’s account.

In 2001 the Ciseros entered into their contract with the bank, which incorporated by reference Visa’s and MasterCard’s operating rules. Those rules were not made specifically available to the Ciseros at that time, or at any time afterwards, including when they did become publicly available in 2008. In any case, in 2001 those rules did not contain any data security requirements. Compliance with the PCI DSS did not become part of the card issuers’ rules until 2005.

The Ciseros’ contract with their bank provided that the bank could amend the terms at any time without notice to the Ciseros (a provision commonly appearing in cloud computing contracts). This is the provision the bank is relying on to incorporate subsequent requirements, including those relating to data security. The bank also relies on an indemnification provision in its contract with the Ciseros to claim the amounts it paid to Visa and MasterCard by way of penalties levied for fraudulent claims resulting from a data security breach.

The McCombs (the owners of Cisero’s) claim that:
• They were never notified of any requirement to meet any data security standard
• Given the number of transactions they were doing at the time (less than 10,000), they were not required to be compliant. Visa later said 32,581 accounts were on Cisero’s computer, without explaining how it got that number, according to the McCombs.
• There is no proof of any failure by them to meet the data security standard which resulted in the alleged fraudulent misuse of cards
• The fines levied by the bank are not recoverable as they are unenforceable penalties (rather than a genuine estimate of the amount of loss suffered)

US Bancorp told Cissy McComb, one of the owners, in March 2008 that credit cards used at the restaurant may have been fraudulently used elsewhere. As required by Visa and MasterCard, the McCombs hired two separate examiners to investigate whether an “account data compromise” event had occurred. According to the McCombs, the examiners showed that no one had hacked into the restaurant’s computers. Notwithstanding this, the banks proceeded to pass on the fines levied by the credit card companies.

The couple denied any data was stolen from their system and “were never given a meaningful opportunity to provide evidence,” they said. “At no time has Elavon, US Bank, Visa, MasterCard or any other entity proven that a data breach occurred at Cisero’s, that card issuers actually suffered fraud losses or that any such losses were caused by a data breach at Cisero’s,” the restaurant said in court papers.

Bank’s Original Claim.
Cisero’s Counter Claim
More on the story


Information Security Law This Week - January 20, 2012

In the news:

• US Merchant sues bank over PCI DSS fine
• Ontario court recognises tort of privacy
• CERT Australia and AFP respond to string of DDoS attacks

Information Security Cases and Legislation

Ontario Court Recognises Invasion of Privacy as Common Law Tort

The Ontario Court of Appeal has recognised a common law tort for invasion of privacy, which allows individuals to sue others who invade their privacy, reports The Globe and Mail. The three-judge panel unanimously agreed that the case, in which a bank employee snooped on the financial records of her common-law spouse's ex-wife to find out how much child support she was receiving, was in need of a "legal remedy." Justice Robert Sharpe held: “Recognition of such a cause of action would amount to an incremental step that is consistent with the role of this court to develop the common law in a manner consistent with the changing needs of society." Full Story – here and here.

CERT Australia: Don't Respond to Cyber Attackers

After a series of denial-of-service attacks on Australian businesses, including ANZ-owned ETrade, CERT Australia and the Australian Federal Police (AFP) are telling companies to report cyber attacks immediately and not to respond to attackers. One company's website was shut down by millions of web requests, and shortly afterwards the managing director received an e-mail asking for money in order to stop the attack. It is unknown whether other companies received similar demands. CERT Australia is working with the affected businesses. Full Story


EU Data Protection Reforms & Info Security

Proposed New EU Data Protection Regulation: What Does it Mean for Information Security?

As had been widely anticipated, the European Commission released its proposal to reform the European Union’s data protection framework on January 25, 2012. The reform – introduced after many years of public consultations and stakeholder input – will fundamentally change many aspects of the current regulation of personal data in all of the EU member states.

The main aspects of the proposed reform which have received attention include:

• Single regulator: The establishment of a single set of European rules valid everywhere across the EU, with the upgrading of the previous Directive into a Regulation. Companies with operations in multiple EU member states will be subject to the jurisdiction of a single data protection authority (“DPA”), based on their main place of establishment in the EU.
• A breach notification mandate: In the event of a serious breach, organisations must notify the national supervisory authority “as soon as possible (if feasible within 24 hours)”.
• Increased enforcement powers for data protection authorities: DPAs will be able to fine organisations that violate the rules. There will be three levels of fines for intentional or negligent violations of the Regulation, with the maximum penalty for certain offences being 5% of an organisation’s annual worldwide turnover.
• Explicit consent requirement: Wherever consent is required for data to be processed, it must be given explicitly rather than assumed, according to the Regulation.
• Extra-territorial reach: The Regulation applies to “personal data handled abroad by companies that are active in the EU market and offer their services to EU citizens.” Data controllers and processors established outside the EU would be subject to EU law if they direct data processing activities at EU residents or “serve to monitor the behaviour” of such residents.

Next, the proposal will be reviewed in the European Parliament and member states, via the Council of Ministers.

The reforms fundamentally change the way that data protection will be regulated and introduce some important new measures, such as the mandatory data breach notification requirement. However, one area of reform which has not received as much attention is the proposed change to Article 17, Security of Processing (currently covered by Article 27), in the new Section 2, Data Security (in place of Section VIII, Confidentiality and Security of Processing).


Data Breach Notification in Australia - Whitepaper Available!

The first data breach notification law (DBNL) was introduced in California in 2002 (and enacted in 2003). Since that time, similar laws have been introduced in different forms in nearly all the states in the United States and are under consideration in a number of other jurisdictions, including Australia, where in 2008 it was recommended that mandatory data breach notification provisions be included in the Privacy Act.

Recently, the focus is back on data breach notification, with the Privacy Commissioner coming out in continued support of a legislated requirement, although the government has still not made its position clear.

In the interim, the Privacy Commissioner has updated its Guide on Data Breach Notification to assist organisations in determining how they should respond in the case of a data breach. Although it is only a Guide, in announcing its release the Privacy Commissioner made it clear that notification to affected parties and, in some instances, the regulator is part of a reasonable response to certain breaches. In other words, ignore the Guide at your own peril!

IT Security Training Australia has prepared a comprehensive review of Data Breach Notifications Laws including:

• The history and current status of DBNLs in the U.S.
• Privacy legislation in Australia and the proposed inclusion of data breach notification provisions in the Privacy Act 1988 (Cth)
• A comprehensive review of the OAIC’s new Data Breach Notification guidelines
• Tips for compliance

Contact us now for your copy of the whitepaper.

A copy of the Data Breach Notification Whitepaper is attached.

OAIC Launches New Data Breach Notification Guide (April 2012)

The Office of the Australian Information Commissioner (OAIC) has updated its August 2008 Guide to handling personal information security breaches, which included voluntary data breach guidelines, launching a new Data Breach Notification Guide in late April 2012 to coincide with Privacy Awareness Week.

According to Information Commissioner John McMillan, who launched the new Guide, it was published as a means of encouraging organisations to "voluntarily put in place reasonable measures to deal with data breaches, while legislative change is considered by the government". “The OAIC strongly encourages notification in appropriate circumstances as part of good privacy practice, and in the interest of maintaining a community in which privacy is valued,” the guideline documents state.

For a full review of the new Data Breach Notification Guide - download the attached whitepaper.

Information Security Law this Week – January 13, 2012

• Another Security Issue with ANZ Online Bank Statements
• Merchant sues Bank over fines for security breaches
• Two New Privacy Commissioner Case Notes on “Reasonable Security”
• The Legal Implications of Social Networking Part Three: Data Security


Information Security Law This Week – December 30, 2011

ACMA finds Vodafone had poor systems in place to protect customers’ personal details, Tepid Response from Govt to Aus Parliamentary Cyber-Safety Committee, Privacy Rights Clearinghouse Publishes U.S. 2011 Breach Report

Topics
• Information Security Cases and Legislation
• Data Breaches
• Privacy
• Other News


Information Security Law this Week – Dec 16, 2011

Another Telstra breach and the Privacy Commissioner is to investigate, Heartland claims dismissed, U.S. Federal Cloud Computing Security Standard released, HP sued over security flaws in printers, Man who accessed wife’s email without permission charged with hacking

Topics
• Information Security Cases and Legislation
• Data Breaches
• Privacy
• Other News


Copyright © 2012 IT Security Training Australia. All Rights Reserved.

WHO WE ARE

IT Security Training Australia offers data and information security training courses for information security professionals. IT Security Training Australia partners with some of the world’s leading information security training providers.


Courses

CISSP® + Australian Law
CISSP® CBK 5 Day Seminar
CISSP-ISSAP® Review Seminar
CSSLP® Review Seminar
ISO 27001 ISMS Overview

Support Center

Level 1, 232-236 St. Pauls Terrace, Fortitude Valley QLD 4006
Tel: 1300 41 20 50
Mob: (+61) 0408 275 733
Fax: (+61) 07 3231 5411
Website: www.itsecuritytraining.com.au