Plastic Card Security Act -- Minnesota Law Gives Financial Institutions Ability to Sue Merchants for Some Data Security Breaches
Minnesota has become the first state to enact legislation shifting the costs of data breaches from financial institutions to merchants in certain circumstances, thus holding merchants responsible for sensitive customer information. (Link) Under the Plastic Card Security Act, merchants are prohibited from storing PINs, security codes, or magnetic stripe data from customer’s credit or debit cards for more than 48 hours after authorization of the transaction. The law mirrors industry standards contractually required by credit card vendors such as Visa and Mastercard. Under the Act, If a merchant violates the statute and a breach occurs, the retailer must reimburse the financial institution for the costs of reasonable actions taken by the institution as a result of the breach. The TJX (parent of T.J. Maxx and Marshalls) data breach, which is thought to have originated at a St. Paul Marshalls, was the likely impetus of this law. A similar bill was rejected in Texas. As of yet, it is unclear whether other state legislatures will follow suit with a similar statute. See the Minneapolis-St. Paul Star Tribune for another article on the law.
For more information contact Howard O. Hagen.
Comments