Michaels Breach: Who's Liable?
Experts Say Incident Proves Need for More Issuer ProtectionsBrandi F. Ramundo had more than $1,300 withdrawn from her checking account, after reportedly making a debit purchase worth less than $20 at Michaels. Her five-count suit seeks class-action status, a jury trial, compensatory damages, and consequential and statutory damages. It also includes an order for Michaels to pay for card-fraud monitoring services for consumers hit by the scam, as well as compensation and punitive damages for costs associated with the suit.
Ramundo's suit raises questions about liability after a card breach fraud. What role should merchants play, when it comes to ensuring transactional security, and how should financial institutions, as card-issuers, fall into the fray?
Attorney Randy Sabett, partner and co-chair of the Internet and Data Protection practice at law firm SNR Denton LLP, says the liability lines are often blurred and hard to define after a breach. Despite that card fraud usually occurs outside banking institutions' control, banks and credit unions, as the card issuers, usually absorb losses and expenses associated with breach recovery.
"There is a lot of entanglement in the credit card industry," Sabett says. "It all goes back to the contract. It's often hard to pin anything down in the contract. But the way most of these contracts are written, the retailers aren't liable."
Dated contracts, which in some cases could be more than 40 years old, between merchants and banks are the problem. "I recently worked with a client that had a contract from 1968," Sabett says. "They did not even know about breaches back then. Banks can go back and try to rewrite some of these contracts," but most retailers are reluctant to change contracts that have served them well for so many years.
And because card fraud, regardless of where a compromise occurs, always comes back to the bank, U.S. banks have an obligation to address the fraud, reissue cards and reimburse consumers, according to consumer protections provided by Regulation E.
Following the Fraud Trail
In this most recent case, card issuers, through transaction monitoring and behavioral analytics, were quick to link debit incidents to Michaels. The breach affected stores in 20 states after fraudsters replaced legitimate point-of-sale PIN pads with tampered ones. [See 3 Tips to Foil POS Attacks.]
Brian Riley, senior research director of bank cards at TowerGroup, says Michaels should clearly hold the fraud-loss bag on this one, since it was the obvious point of compromise. "The issuer liability will be extremely limited on this kind of breach, but the sponsoring bank for the merchant needs to constantly be monitoring their clients," he says.
Riley admits confusion about liability surrounds most incidents of data breach. "And the issue becomes cloudier when each party cites varying regulations codified by MasterCard or Visa," he says. Further complicating the issue is the Payment Card Industry Data Security Standard, which "acts as a guideline of mandated best practices, but does not insulate parties in the event of a breach," even though non-compliance would lead to fines, Riley adds.
One financial institution affected by the Michaels breach says merchants may be liable on paper, but banks pay the price. "It is the banks holding the bag, on both the losses and reissuance costs," says a spokesman for the bank that asked to remain unnamed. "We cannot charge-back ATM transactions or transactions that occur at other locations linked back to Michaels. The only recoveries we will see is if Visa qualifies this under ADCR [account data compromise recovery], or [if] we and other banks take Michaels to court."
Limited Liability?
The Michaels breach has not yet qualified for Visa ADCR. If it does, Visa says its Data Compromise Recovery Solution will provide fraud recovery support and will help institutions recuperate losses associated with the fraud. "Through these programs, which are designed to provide faster reimbursements for issuers following a data breach incident, issuer compensation is automatically calculated and reimbursed, based on the counterfeit fraud the financial institution reports," a spokesman at Visa says. "Typically, issuers will receive financial recovery within six months."
But bankers say those reimbursements only apply to PIN transactions that flow through Visa. Most financial institutions use numerous networks, and smaller networks have, historically, not provided reimbursement protections.
Sabett says the complexity of the U.S. payments infrastructure has fed the liability beast. "You have all of these players and oftentimes have multiple contracts," he says. "I think, to the ultimate issue of who should be liable, if the stakeholders who are already participating in this ecosystem aren't comfortable with the current state of liability, then they have to amend or redraft contracts, or try to make change through legislation."
Sabett points to a 2010 amendment to the Minnesota Regulation of Trade Practices statute, which says the party responsible for a breach will reimburse financial institutions. "[The] entity shall reimburse the financial institution that issued any access devices affected by the breach for the costs of reasonable actions undertaken by the financial institution as a result of the breach in order to protect the information of its cardholders or to continue to provide services to cardholders," the statute reads.
Sabett says the Minnesota law, which closely aligns with cardholder protections recommended by the Payment Card Industry Security Standards Council in PCI-DSS, "is a great example of how to proactively address this issue."
"Many view this as a first law that pulls PCI concept into a legal construct," Sabett adds.
TowerGroup's Riley agrees Minnesota's legislation sets an example for the industry. He also points to four trends that have affected how the industry responds to and handles payments-related breaches.
Riley says banking institutions should look to these trends when drafting contracts, either as card issuers or transactions acquirers:
- The cardholder carries the least liability.
- Issuers carry some liability in the compromise of individual accounts. But when substantial breaches occur, issuers are provided protections through the major card brands, Visa and MasterCard. "These programs enable issuers to quickly resolve customer issues and later recover costs from the point of compromise," he says.
- Merchants have more liability than issuers, especially when the compromise occurs at their locations. "In the case of TJX, the merchant paid card issuers more than $40 million as settlement for direct losses."
- And processors, which link the merchant's acceptance point with the payment networks, also carry liability.