Network News

X My Profile
View More Activity

CardSystems Hit With Class Action Lawsuit

CardSystems Solutions, the credit card processor that disclosed earlier this month that a digital intrusion had compromised roughly 40 million Visa and MasterCard credit card accounts, today was hit with a class action lawsuit charging that the company failed to alert victims to the breach in a timely manner.

The lawsuit, filed in a California state court on behalf of affected California residents and merchants, also targets Visa and MasterCard, which the suit claims were negligent in notifying credit card holders and in enforcing their own security standards.

The lawsuit charges that the "defendants unduly delayed or failed to inform in a timely fashion the appropriate entities and consumers whose data was compromised of their vulnerabilities and potential exposure to credit card (or other) fraud such that consumers could make an informed decision as to whether to change credit card numbers, close the exposed accounts, check their credit reports, or take other mitigating actions."

Under a financial data privacy law on the books in California, companies are required to notify customers if a security breach results in the theft of their personal or financial information. While the law only requires companies to issue breach notifications to customers living in California, it has been widely credited with forcing dozens of companies to disclose the theft or loss of customer data.

Tucson-based CardSystems has acknowledged that of the 40 million credit card accounts exposed, roughly 200,000 were transferred out of the company's network. The credit card companies have said they only need to notify people whose accounts show signs of unauthorized activity.

But Ira Rothken, the San Rafael lawyer who filed the suit, said all 40 million of the exposed account holders should be notified, and that the companies also should foot the bill for credit-monitoring services for those affected.

"These companies can't just sit there and play Russian roulette over whether something bad is going to happen to their customers. People should be afforded the chance to get control over their privacy," he said.

Rothken was one of the first attorneys to file a class action suit in 2000 against Internet advertising giant DoubleClick for deceptive advertising practices. Lawyers in nearly a dozen other states later joined the suit, and two years later DoubleClick settled the cases, paying $450,000 and agreeing to a series of changes in its notification policies and business practices.

Federal law prohibits banks from charging victims of credit card theft more than $50, and most banks have adopted so-called "zero liability" policies that absolve the card holder of any charges resulting from credit card theft. But the companies that suffer most from credit card fraud are the merchants who must accept "chargebacks" from customers who dispute charges for items fraudulently purchased with their credit card numbers. The rates that merchants pay to process credit card transactions is determined in part by the percentage of their business that results in a chargeback.

To assist merchants affected by the CardSystems breach, the lawsuit seeks a waiver of chargeback fees and penalties for affected merchants. The suit also seeks attorney fees.

Visa said in a statement that it soundly rejects the allegations made in the suit, and noted that by its own admission, CardSystems violated Visa's security standards for storing customer information. Officials from MasterCard declined to comment, saying the company is still reviewing the lawsuit. CardSystems did not return calls seeking comment.

By Brian Krebs  |  June 28, 2005; 5:30 PM ET
Categories:  Fraud  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   StumbleUpon   Technorati   Google Buzz   Previous: Adobe Issues Mac Fixes
Next: Microsoft Unveils New Security Service


I'm not in California but am frustrated that my card may have been compromised even though I have not been contacted about it. I'm glad to see someone taking action.

Posted by: Alison | June 29, 2005 11:11 AM | Report abuse

I'm not in California but I am very disappointed that my card may have been compromised and I have not been contacted about it. I'm glad to see someone taking action. They should be held totally responsible and the guilty parties caught and placed in State Prisons for 30 years and 1 day with no possible parole. Make the time not worth the crime.

Posted by: Charles | July 3, 2005 5:02 PM | Report abuse

When are Californians going to stop suing the credit companies for every thing and anything? Be it the currency conversion rate lawsuit, the merchant law suit, the drug stores law suit, the interchange law suit and now this? Obviously there are people in that state that don't hesitate to jump at the slightest opportunity to make money. Wake up, data compromises happen every day, not only on-line but also off-line, not only in this country but all over the world. If you go to a restaurant and your card gets cloned what would you do? Sue the restaurant or sue the credit card company? If a thieve goes dumpster diving and gets a hold of your bank or credit card statement who would you sue? It looks like Californians believe all evils are caused by the credit card companies. This lawsuit should be dismissed, just like the interchange lawsuit recently has.

Posted by: Carlos | August 15, 2005 2:11 PM | Report abuse

I am a merchant and am very upset to hear this especially as our company has seen fraudulent charges on Visa and MasterCard accounts. On these orders all information was verbally AND electronically verified with the bank plus the goods were shipped to the billing address. Never-the-less, we are still faced with chargebacks that we have to absorb because even though we performed every level of verification possible on the merchant end Visa and MasterCard refuse to accept it no matter how much documentation we have to prove that their systems provided us with bad data. We are already considering drumming up support for a class action lawsuit on the East Coast regarding this.

Posted by: Josh | January 7, 2006 6:18 PM | Report abuse

The comments to this entry are closed.

RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company