Law Times

May 5, 2008

The premier weekly newspaper for the legal profession in Ontario

Issue link: https://digital.lawtimesnews.com/i/68267

FOCUS

Keep an eye on ever-changing data-security standards

Non-compliance could come with significant costs

BY JULIUS MELNITZER
For Law Times

Stand in line to make a purchase and it seems like cash is a thing of the past. Instead, debit cards, credit cards, and gift cards are clearly the payment method of choice, with point-of-sale terminals and card swipers humming continuously during store hours. And if you're trying on an e-commerce transaction, payment card is almost the only option — and certainly the most expeditious.

"With so much payment card-handling activity, businesses large and small, especially retailers, have to pay careful attention to ever-changing data-security standards imposed by payment card companies, payment card issuers, and other parties in the payments ecosystem," says Peter Nguyen of Fraser Milner Casgrain LLP's Toronto office.

[Photo caption: Peter Nguyen says businesses must pay attention to data-security standards imposed by payment card companies and others in the 'payments ecosystem.']

While the standards are not regulated by government, Alberta's privacy commissioner, for one, has referred to the Payment Card Industry Data Security Standard, formulated and accepted by major credit card companies and banks, as the "gold standard."

Non-compliance, then, could come with significant costs and could ultimately shut down a business' entire transaction processing capability.

If there's any doubt about that, Canadian businesses accepting payment cards and their lawyers need only look southward to the TJX debacle, which featured America's big banks at the courthouse window shouting, "I just won't take it any more."

It all started after hackers broke into the computer systems of TJX Companies Inc., the Massachusetts-based operator of T.J. Maxx, Marshalls, and other retail chains, in July 2005.

During the next 17 months the hackers accessed data on at least 45.7 million customer credit and debit cards — and perhaps as many as 100 million — many of which were issued by the financial institutions that back the ubiquitous Visa and MasterCard brands.

For years, retailers have been able to dodge the privacy bullet by relying on issuing banks to make up losses to their customers from fraud-induced credit and debit card losses. Still, it's hard to dodge bullets when some 45.7 million of them are ricocheting in your direction.

This time the banks decided they'd had enough. They sued TJX, alleging the retailer's security practices were deficient.

"This litigation indicates that the major banks and credit card companies have drawn a line in the sand that says they won't take the loss when alleged deficiencies in retailers' security causes or contributes to fraud this massive," says Steve Schneider, a partner at Mitchell Silberberg & Knupp LLP in Los Angeles.

In re TJX Companies Retail Security Breach Litigation wasn't the first case in which credit card issuers sued retailers. But on Oct. 12, 2007, it became the first case on the federal level to survive a motion to dismiss.

By April, TJX had ponied up approximately US$75 million to settle with the major banks, though some claims remained unresolved.

When a customer presented his or her card, TJX electronically sent the customer account information to its own bank, Fifth Third, which then used credit card networks Visa and MasterCard operated to transmit the information for authorization to the bank that issued the credit card.

Visa's and MasterCard's operating regulations require retailers to secure cardholder information, and Fifth Third Bank had contracts with Visa and MasterCard that required Fifth Third to comply with these regulations. In turn, Fifth Third had a contract with TJX requiring it to comply.

Between July 2005 and December 2006, computer hackers captured card data from transactions passing through TJX computers using a data-capturing program known as a "sniffer," and used the stolen information to make fraudulent purchases. The issuing banks say as many as 100 million cards were affected. TJX put the number at 47.5 million.

Millions of affected consumers banded together in a class action against TJX and Fifth Third. The case has settled "in principle," but details of the settlement are unknown.

The settlement didn't pacify the issuing banks, however, which had suffered financially as a result of the fraudulent transactions and the need to replace the compromised cards. They filed their own suit, alleging that TJX and Fifth Third failed to take appropriate steps to safeguard cardholder information. The plaintiffs' filings indicated that fraud losses from Visa cards alone approached US$83 million.

The defendants moved to dismiss, and Judge William Young of the U.S. District Court for the District of Massachusetts followed precedent in dismissing the claims based on breach of contract. He ruled that the contractual agreements ensuring the safety of customer data were between the retailers and the credit card associations, to which the issuing banks were not parties.

But that wasn't the end of it.

Young noted that although they had no "direct contact with the issuing banks, TJX and Fifth Third knew that the issuing banks were part of a financial network that relies on members taking appropriate security measures."

This knowledge exposed the defendants to the plaintiffs' claims for negligent misrepresentation. These claims allege that TJX and Fifth Third made implied representations to the issuing banks that they took the security measures required by industry practice to safeguard the personal and financial information of the customer cardholders.

"The question, then, is what reliance the issuing banks actually placed on the representation and whether that reliance is justified," Schneider says.

Young said these questions were matters for a jury to decide and ordered the claims for negligent misrepresentation to trial.

What the issuing banks had going for them was that for a number of years they have been encouraging retailers to upgrade their security systems. Lawyers for TJX, however, were arguing that the operating regulations are confusing and only came into effect in 2005 before changing in 2006.

And though the case is well on its way to final settlement, the privacy environment will never be the same. It's clear that banks are going to assume a quasi-regulatory position over enforcement of retailers' privacy policies.

Still, overseeing retailers' privacy practices is a difficult undertaking, if only because data collection and privacy laws vary from jurisdiction to jurisdiction. There's also the problem that many retailers are not sophisticated enough to ensure data security.

So for many retailers, less may be more from a data-collection perspective: credit card companies are urging them not to keep credit card data under their control unless it is absolutely necessary to do so.
