Visa USA Inc. and MasterCard International Inc. don't have to send individual warnings to thousands of people whose personal account information was stolen during a data breach earlier this year, a San Francisco judge has ruled.
"I don't see the emergency," San Francisco Superior Court Judge Richard Kramer said when he turned down a request for an order against the nation's two credit card associations. "I don't think there is an immediate threat of irreparable injury" to consumers, The Associated Press (AP) quoted him as saying.
According to AP, the ruling is a setback for a consumer lawsuit targeting Visa and MasterCard for a security breach that occurred between August 2004 and May at CardSystems Solutions Inc., a company that processes payments for merchants.
The breach exposed up to 40 million credit and debit card holders to potential fraud. The hacker, who hasn't been identified, lifted enough information to victimize at least 264,000 people, investigators have said. To date, the credit card associations haven't sent warnings to customers who are most at risk. San Rafael, Calif., attorney Ira Rothken, who filed the lawsuit, argued the credit card companies should at least be required to notify Californians whose information was taken.
The AP reported that the notification request was made under a 2-year-old California law that has been widely copied across the country to help ensure consumers are alerted when their personal or financial information stored on a computer is lost, stolen or breached. Rothken argued the law will be made "ineffectual" if the most vulnerable customers affected by the CardSystems breach aren't warned about their exposure to fraud.
Visa and MasterCard argued they shouldn't be obligated to send the notices because they don't have direct relationships with the accountholders, whose cards were issued by thousands of banks that belong to the associations. San Francisco-based Visa and Purchase, N.Y.-based MasterCard provide processing and marketing services to the banks.
Rothken said California law requires that warning notices be issued as quickly as possible so customers can take steps to protect themselves. "They (shouldn't) have to sit there and pray nothing bad happens to them," the news agency quoted him as telling the judge. MasterCard attorney Gary Halling said the law's disclosure intent had already been satisfied because the mid-June press release that announced the CardSystems breach had attracted prominent media coverage throughout California and spurred a hearing in U.S. Congress. Visa and MasterCard claim there's little financial risk to even the most vulnerable accountholders because of their "zero liability" policies that reverse all fraudulent charges.
The companies also claim the chances of identity theft are small because Social Security numbers and home addresses weren't taken in the CardSystems breach. The theft involved customer names, account numbers, and security codes, providing the tools for criminals to make bogus credit and debit cards. In his oral ruling, Kramer criticized the consumer lawsuit for being too vague.
"We have a complex case with complex legal questions that got wrapped into a ball and rolled in here," Kramer said. "It's just not presented in a way that a court can rationally deal with at this time."