CardSystems Hit With Class Action Lawsuit
CardSystems Solutions, the credit card processor that disclosed earlier this month that a digital intrusion had compromised roughly 40 million Visa and MasterCard credit card accounts, today was hit with a class action lawsuit charging that the company failed to alert victims to the breach in a timely manner.
The lawsuit, filed in a California state court on behalf of affected California residents and merchants, also targets Visa and MasterCard, which the suit claims were negligent in notifying credit card holders and in enforcing their own security standards.
The lawsuit charges that the "defendants unduly delayed or failed to inform in a timely fashion the appropriate entities and consumers whose data was compromised of their vulnerabilities and potential exposure to credit card (or other) fraud such that consumers could make an informed decision as to whether to change credit card numbers, close the exposed accounts, check their credit reports, or take other mitigating actions."
Under a financial data privacy law on the books in California, companies are required to notify customers if a security breach results in the theft of their personal or financial information. While the law only requires companies to issue breach notifications to customers living in California, it has been widely credited with forcing dozens of companies to disclose the theft or loss of customer data.
Tucson-based CardSystems has acknowledged that of the 40 million credit card accounts exposed, roughly 200,000 were transferred out of the company's network. The credit card companies have said they only need to notify people whose accounts show signs of unauthorized activity.
But Ira Rothken, the San Rafael lawyer who filed the suit, said all 40 million of the exposed account holders should be notified, and that the companies also should foot the bill for credit-monitoring services for those affected.
"These companies can't just sit there and play Russian roulette over whether something bad is going to happen to their customers. People should be afforded the chance to get control over their privacy," he said.
Rothken was one of the first attorneys to file a class action suit in 2000 against Internet advertising giant DoubleClick for deceptive advertising practices. Lawyers in nearly a dozen other states later joined the suit, and two years later DoubleClick settled the cases, paying $450,000 and agreeing to a series of changes in its notification policies and business practices.
Federal law prohibits banks from charging victims of credit card theft more than $50, and most banks have adopted so-called "zero liability" policies that absolve the card holder of any charges resulting from credit card theft. But the companies that suffer most from credit card fraud are the merchants who must accept "chargebacks" from customers who dispute charges for items fraudulently purchased with their credit card numbers. The rates that merchants pay to process credit card transactions is determined in part by the percentage of their business that results in a chargeback.
To assist merchants affected by the CardSystems breach, the lawsuit seeks a waiver of chargeback fees and penalties for affected merchants. The suit also seeks attorney fees.
Visa said in a statement that it soundly rejects the allegations made in the suit, and noted that by its own admission, CardSystems violated Visa's security standards for storing customer information. Officials from MasterCard declined to comment, saying the company is still reviewing the lawsuit. CardSystems did not return calls seeking comment.
Posted by: Alison | June 29, 2005 11:11 AM | Report abuse
Posted by: Charles | July 3, 2005 5:02 PM | Report abuse
Posted by: Carlos | August 15, 2005 2:11 PM | Report abuse
Posted by: Josh | January 7, 2006 6:18 PM | Report abuse
The comments to this entry are closed.