Monday, June 20, 2005

Credit Card Liability Questions

I wrote this for my summer law class, but I feel strongly about it, so I'm also posting it here:

I wonder if the CardSystems/MasterCard case will shed light into this issue of liability as it's exposed. "The data security breach, possibly the largest to date, happened because intruders were able to exploit software security vulnerabilities to install a rogue program on the network of CardSystems Solutions"[1]

I am expecting to see some interesting fall out: (my predictions)
1. CardSystems Solutions will be held liable for not fixing software vulnerabilities or otherwise exercising care to protect customer data. This is a given similar to the TJ Hooper case.

2. Since none of the banks are going to do anything about the known compromised accounts except watch them for fraud and only intercede after fraud happens, I would expect there to be some action against the banks for failing to notify customers that their accounts were compromised. I'll have to do some more research to see if there is any legal precedent for this.

3. Ultimately, except with American Express the merchants are the ones who are going to suffer with the fraud related chargebacks. American express has stated that "American Express would bear the financial burden, assuming the merchant has followed all standard card acceptance procedures."[1] Does American Express's decision set another precedent that the other card companes will have to follow? or will there be another legal battle between the merchants and the card companies over the fraud related chargebacks.

4. Assuming 1, 2 and 3 happen, All the fingers are still pointing back to CardSystems Solutions. And there will be serious ramifications for that company.

While we don't know all the details yet, it seems like a clear cut liability case as CardSystems could have kept their systems patched, or better used technology such as Firewalls, IDS, and other security software (I am not doubting that there were some of these in place).

[1] http://news.zdnet.com/2100-1009_22-5754661.html

No comments: