Bank Claims for Target-Type Breaches: Leveraging Litigation Theories, Assessing and Pleading Damages
Recovering Losses Due to Third-Party Data Breaches and Response Planning to Protect Customers' Financial Information
Presenting a live 90-minute webinar with interactive Q&A
THURSDAY, MAY 15, 2014
1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific
Today's faculty features:
Kenneth C. Johnston, Director, Kane Russell Coleman & Logan, Dallas
R. Andrew Patty, II, Member, McGlinchey Stafford, Baton Rouge, La.
Robert W. Gifford, Kane Russell Coleman & Logan, Dallas
Robert W. Gifford
Kane Russell Coleman & Logan
Credit/Debit Card Processing
The Primary and Secondary Players and their Role in Payment Card Processing

Step 1 - Authorization
• The cardholder requests a purchase from the merchant.
• The merchant submits the request to the acquirer.
• The acquirer sends a request to the issuer to authorize the transaction.
• An authorization code (7963826 in the slide's illustration) is sent to the acquirer if there is valid credit available.
• The acquirer authorizes the transaction.
• The cardholder receives the product.

Step 2 - Batching
• The merchant stores all of the day's authorized sales in a batch.
• The merchant sends the batch to the acquirer at the end of the day to receive payment.

Step 3 - Clearing
• The batch is sent through the card network to request payment from the issuer.
• The card network distributes each transaction to the appropriate issuer. The issuer subtracts its interchange fees, which are shared with the card network, and transfers the amount. The network routes the

Step 4 - Funding
• The acquirer subtracts its discount rate and pays the merchant the remainder.
• The cardholder is billed.
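As an added illustration of the four-step flow above (not part of the slides), the following Python simulation walks a constructed day of purchases through authorization, batching, clearing and funding, so that the interchange fee and the acquirer's discount rate can be seen coming off each purchase amount, and so that a declined authorization never reaches the batch. The issuers, card tokens, credit lines, fee rates and amounts are all constructed; the only value taken from the slide is the illustrative authorization code 7963826.

```python
from dataclasses import dataclass, field
from decimal import Decimal, ROUND_HALF_UP
from typing import Dict, List, Optional

CENT = Decimal("0.01")

def money(value) -> Decimal:
    # Round to whole cents, half up, as a settlement ledger would.
    return Decimal(value).quantize(CENT, rounding=ROUND_HALF_UP)

@dataclass
class Transaction:
    card: str          # constructed card token, never a real PAN
    issuer: str
    amount: Decimal
    auth_code: str

@dataclass
class Issuer:
    interchange_rate: Decimal          # share withheld at clearing (shared with the network)
    credit_lines: Dict[str, Decimal]   # card token -> available credit
    next_auth_code: int                # constructed starting authorization code
    billed: Dict[str, Decimal] = field(default_factory=dict)
    interchange_retained: Decimal = Decimal("0")

    def authorize(self, card: str, amount: Decimal) -> Optional[str]:
        """Step 1: return an authorization code only if valid credit is available."""
        available = self.credit_lines.get(card, Decimal("0"))
        if amount <= 0 or amount > available:
            return None
        self.credit_lines[card] = available - amount   # hold the funds
        code = str(self.next_auth_code)
        self.next_auth_code += 1
        return code

    def settle(self, tx: Transaction) -> Decimal:
        """Step 3: bill the cardholder, withhold interchange, transfer the rest."""
        self.billed[tx.card] = self.billed.get(tx.card, Decimal("0")) + tx.amount
        fee = money(tx.amount * self.interchange_rate)
        self.interchange_retained += fee
        return tx.amount - fee

@dataclass
class Merchant:
    batch: List[Transaction] = field(default_factory=list)  # Step 2: the day's authorized sales

class CardNetwork:
    """Routes authorization requests and cleared batches to the right issuer."""
    def __init__(self, issuers: Dict[str, Issuer]):
        self.issuers = issuers

    def route_authorization(self, issuer: str, card: str, amount: Decimal) -> Optional[str]:
        return self.issuers[issuer].authorize(card, amount)

    def clear(self, batch: List[Transaction]) -> Decimal:
        """Step 3: hand each transaction to its issuer; return the funds routed back."""
        return sum((self.issuers[tx.issuer].settle(tx) for tx in batch), Decimal("0"))

class Acquirer:
    def __init__(self, discount_rate: Decimal, network: CardNetwork):
        self.discount_rate, self.network = discount_rate, network
        self.discount_revenue = Decimal("0")

    def request_authorization(self, merchant: Merchant, issuer: str, card: str, amount) -> Optional[str]:
        """Step 1: forward the merchant's request; an approved sale joins the merchant's batch."""
        amount = money(amount)
        code = self.network.route_authorization(issuer, card, amount)
        if code is not None:
            merchant.batch.append(Transaction(card, issuer, amount, code))
        return code

    def settle_batch(self, merchant: Merchant) -> Decimal:
        """Steps 2-4: clear the end-of-day batch, subtract the discount rate, pay the remainder."""
        batch, merchant.batch = merchant.batch, []
        cleared = self.network.clear(batch)
        discount = money(cleared * self.discount_rate)
        self.discount_revenue += discount
        return cleared - discount

def run_day() -> dict:
    """One constructed business day: four purchase attempts, then end-of-day settlement."""
    issuers = {"IssuerA": Issuer(Decimal("0.02"), {"card-A1": Decimal("500.00")}, 7963826),
               "IssuerB": Issuer(Decimal("0.015"), {"card-B1": Decimal("50.00")}, 1100200)}
    acquirer = Acquirer(Decimal("0.005"), CardNetwork(issuers))
    merchant = Merchant()
    attempts = [("IssuerA", "card-A1", "100.00"),
                ("IssuerB", "card-B1", "80.00"),   # exceeds available credit: declined
                ("IssuerB", "card-B1", "40.00"),
                ("IssuerA", "card-A1", "250.00")]
    codes = [acquirer.request_authorization(merchant, i, c, a) for i, c, a in attempts]
    paid = acquirer.settle_batch(merchant)
    return {"auth_codes": codes,
            "merchant_paid": str(paid),
            "acquirer_discount": str(acquirer.discount_revenue),
            "interchange": {n: str(i.interchange_retained) for n, i in issuers.items()},
            "cardholder_bills": {c: str(a) for i in issuers.values() for c, a in i.billed.items()}}

if __name__ == "__main__":
    for key, value in run_day().items():
        print(f"{key}: {value}")
```

Run it directly to print the day's ledger. From an issuing bank's point of view the Issuer object is where the damages discussed later in this deck originate: the billed amounts are what must be refunded when a transaction later proves fraudulent, and the card tokens are what must be reissued after a breach at the merchant or its processor.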
Best Practices and Proactive Response Issues When Faced with Data Breach
• Regulatory Compliance: Proactive response plan required under regulator-issued guidelines; failure to follow guidelines can = unsafe banking practices.
• Damage Mitigation: Maximum recovery against third parties for future damages may depend upon adequate mitigation.
• Cyber Insurance Coverage: Underwriters look at your networks and business practices before they underwrite.
Key steps for regulatory compliance and best practices
• Risk Assessment and Awareness
• Risk Mitigation Techniques
• Response plan
• Related policies and procedures
• Testing and Training
Risk Awareness
• Financial Services Information Sharing and Analysis Center (FS-ISAC; https://www.fsisac.com)
• Financial services industry entity formed after the 1998 Presidential Directive 63, as updated by 2003's Homeland Security Presidential Directive 7.
• In 2013, it expanded to share information with all Financial Service sector participants, not just global institutions.
Key Regulatory Resources
• Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice. 77 FR 15736 (March 29, 2005).
• Interpretive guidance and OTS final rule on Gramm-Leach-Bliley Act (GLBA) and Interagency Guidelines Establishing Information Security Standards (the Security Guidelines) from the OCC, Board, FDIC and OTS.
• Establishes specific guidance for Fraud Incidence Response Plan, as outlined on following slide.
Key Regulatory Resources (cont'd)
Fraud Incidence Response Program Minimum Requirements:
• Assessment of nature and scope of incident and types of customer info accessed or misused
• Notification to primary Regulators as soon as possible when incident involves "sensitive customer information"
• SAR reporting, where necessary, to law enforcement
• Contain and control steps, to prevent further access or use of the information (e.g., monitoring, freezing or closing accounts while preserving evidence)
• Notification to Customers, when warranted (i.e., when misuse
Key Regulatory Resources (cont'd)
• Federal Financial Institutions Examination Council (FFIEC; http://www.ffiec.gov)
• Formal interagency body formed in 1979 and empowered to prescribe uniform standards for examination of financial institutions by FRB, FDIC, NCUA, OCC and CFPB.
• Publishes IT Examination Handbook (online at http://ithandbook.ffiec.gov)
• Handbooks (e.g., "Retail Payment Systems" and "Wholesale Payment Systems") address best practices
• Catalogs most applicable rules, regulations and guidance from the various key financial regulatory agencies, to date.
Key Regulatory Resources (cont'd)
• From the FFIEC IT Handbook > Retail Payment Systems > Risk Management > Retail Payment Instrument Specific Risk Management Controls > Merchant Acquiring booklet (accessed 14 April 2014):
• Acquiring banks are ultimately responsible for any risks posed to the payment system by their sponsored merchants and third-party service providers. Management and the board of directors of all participants, including the acquiring banks, must have a clear understanding of the risk associated with acquiring activities and must understand their obligations under credit card association rules.
• The credit card associations require acquiring banks to ensure that their merchants and third-party service providers comply with the Payment Card Industry Data Security Standards (PCI DSS). For third-party service providers and large merchants, PCI DSS compliance validation must be performed annually by a Qualified Security Assessor that has been approved by the PCI Security Standards Council. Smaller merchants must validate compliance annually through completion of a self-assessment questionnaire. It is not uncommon within the industry for a large number of merchants, and even some third-party service providers, to be in noncompliance with PCI DSS, potentially exposing their acquiring bank to reputation risk and financial loss from fraud, lawsuits, and fines. Additionally, issuing banks that use third-party service providers for transaction processing are required by the card associations to ensure that their providers are in compliance with PCI DSS.
Theories of Recovery Against Retailers and Other Targets of Data Breaches
Statutory Theories
Strict Liability: The Minnesota "Plastic Card Act"
Merchant liability: "No person or entity conducting business in Minnesota that accepts an access device in connection with a transaction shall retain the card security code data, the PIN verification code number, or the full contents of any track of magnetic stripe data, subsequent to the authorization of the transaction or in the case of a PIN debit transaction, subsequent to 48 hours after authorization of the transaction."
Liability for conduct of service provider: "A person or entity is in violation of this section if its service provider retains such data subsequent to the authorization of the transaction or in the case of a PIN debit transaction, subsequent to 48 hours after authorization of the transaction."
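As an added example (not from the slides or from the statute itself), here is the kind of retention check a merchant or its service provider could run over stored transaction records to find the elements the Plastic Card Act names: the card security code, the PIN verification code and full magnetic-stripe track data, with the statute's 48-hour allowance applied only to PIN debit transactions. The record layout, field names, timestamps and sample records are constructed; the PAN in the samples is the well-known test number, not a live card; the `redact` function shows what a compliant post-authorization record keeps.

```python
from datetime import datetime, timedelta, timezone
import re

# Elements the statute names: card security code, PIN verification code, full track data.
PROHIBITED_FIELDS = ("card_security_code", "pin_verification_code", "track1_data", "track2_data")
PIN_DEBIT_WINDOW = timedelta(hours=48)   # the statute's allowance for PIN debit transactions
# Track-2-shaped string (PAN '=' expiry/service code/discretionary data) that leaked into a free-text field
TRACK2_RE = re.compile(r"^;?\d{13,19}=\d{4,}")

def prohibited_elements(record: dict) -> list:
    """Names of fields in a stored record that still hold prohibited data."""
    found = [f for f in PROHIBITED_FIELDS if record.get(f)]
    for key, value in record.items():
        if key not in PROHIBITED_FIELDS and isinstance(value, str) and TRACK2_RE.match(value):
            found.append(key)
    return found

def retention_deadline(record: dict) -> datetime:
    """Latest moment the prohibited elements may still be held for this transaction."""
    authorized_at = datetime.fromisoformat(record["authorized_at"])
    if record["transaction_type"] == "pin_debit":
        return authorized_at + PIN_DEBIT_WINDOW
    return authorized_at   # every other transaction: nothing may be kept after authorization

def check_record(record: dict, now: datetime) -> dict:
    elements = prohibited_elements(record)
    deadline = retention_deadline(record)
    if not elements:
        status = "ok"
    elif now <= deadline:
        status = "within_window"   # PIN debit inside its 48 hours: schedule the purge
    else:
        status = "violation"
    return {"transaction_id": record["transaction_id"], "status": status,
            "elements": elements, "deadline": deadline.isoformat()}

def audit(records: list, now: datetime) -> list:
    return [check_record(r, now) for r in records]

def redact(record: dict) -> dict:
    """The compliant post-authorization record: drop prohibited fields, mask the PAN,
    scrub track-shaped strings from free-text fields. Returns a new dict."""
    clean = {}
    for key, value in record.items():
        if key in PROHIBITED_FIELDS:
            continue
        if isinstance(value, str) and TRACK2_RE.match(value):
            value = "[REDACTED TRACK DATA]"
        if key == "pan" and isinstance(value, str) and len(value) > 4:
            value = "*" * (len(value) - 4) + value[-4:]
        clean[key] = value
    return clean

# Constructed sample records and audit time; auth codes are constructed too.
NOW = datetime(2014, 5, 15, 18, 0, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    {"transaction_id": "tx-001", "transaction_type": "credit", "authorized_at": "2014-05-15T12:00:00+00:00",
     "pan": "4111111111111111", "auth_code": "A0001", "card_security_code": "123"},
    {"transaction_id": "tx-002", "transaction_type": "pin_debit", "authorized_at": "2014-05-14T09:00:00+00:00",
     "pan": "4111111111111111", "auth_code": "A0002", "pin_verification_code": "A1B2"},
    {"transaction_id": "tx-003", "transaction_type": "pin_debit", "authorized_at": "2014-05-12T09:00:00+00:00",
     "pan": "4111111111111111", "auth_code": "A0003", "track2_data": ";4111111111111111=1512101000000000?"},
    {"transaction_id": "tx-004", "transaction_type": "credit", "authorized_at": "2014-05-15T12:00:00+00:00",
     "pan": "************1111", "auth_code": "A0004"},
    {"transaction_id": "tx-005", "transaction_type": "credit", "authorized_at": "2014-05-15T12:00:00+00:00",
     "pan": "4111111111111111", "auth_code": "A0005", "notes": ";4111111111111111=1512101000000000?"},
]

if __name__ == "__main__":
    for result in audit(SAMPLE_RECORDS, NOW):
        print(result)
```

The free-text scan matters in practice: the named fields are easy to drop, but track data copied into a log line or a notes column is still retention under the statute's wording, and the service-provider clause above makes the merchant answerable for it wherever it sits.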
Damages: "Whenever there is a breach of the security of the system of a person or entity that has violated this section, or that person's or entity's service provider… that person or entity shall reimburse the financial institution that issued any access devices affected by the breach for the cost of reasonable actions undertaken by the financial institution as a result of the breach in order to protect the information of its cardholders or to continue to provide services to cardholders."
• Unfair trade practices (e.g. Minn. Stat. § 325F.68)
• False advertising (e.g. Minn. Stat. § 325F.67)
• Some states, like Minnesota, require a showing that the action is in furtherance of a "public interest" in order to trigger private attorney general rights. Seek parallel injunctive relief.
Common Law Theories
In theory, easy to prove:
• Data breach was on merchant's "watch" and was preventable
• Issuing bank is a foreseeably damaged victim
• Merchant's failure is proximate cause of bank's need to take expensive precautions
• Issuing bank suffered damage
The most difficult issue is the economic loss rule, which varies by jurisdiction:
TJ Maxx: economic loss rule bars recovery
• In the TJ Maxx case, the federal district court ruled that Massachusetts law precluded the financial institutions from recovering on the negligence claim.
• Massachusetts law provides that "purely economic losses are unrecoverable in tort and strict liability actions in the absence of personal injury or property damage." "This Court . . . holds that the alleged 'physical' destruction of the credit cards, debit cards, and security codes should instead be considered economic losses."
TJ Maxx: economic loss rule bars recovery (cont.)
• The court's rationale was that although cards are physical property and rendered unusable by the data breach, the damage itself was not physical in nature.
• The Massachusetts court noted that its law mirrored Pennsylvania law.
Target: Economic loss may not bar recovery
• In the Target case, the Minnesota economic loss doctrine should not bar the negligence claim.
• MINN. STAT. § 604.101: the economic loss doctrine applies to "any claim by a buyer against a seller for harm caused by a defect in the good sold or leased, or for a misrepresentation relating to the goods sold or leased."
• Ptacek v. Earthsoils, Inc. (Mar. 31, 2014): Section 604.101 "exhaustively states the economic-loss doctrine and abrogates the common-law economic-loss doctrine…."
Target: Economic loss may not bar recovery (cont.)
• In Ptacek, the appellate court ruled that the economic loss doctrine did not bar a claim for damage to crops caused by defendant's delivery of inadequate fertilizer, because the claim did not seek compensation for a defective product.
• Likewise, in the Target case, damages do not flow from a defect in any product or service the financial institutions purchased from Target.
Negligent misrepresentation
• The issuing banks may have claims for negligent misrepresentation based on Target's assurances, or the assurances of third-party security auditors, that Target adequately protected consumer data.
• However, in the TJ Maxx case, the court found that reliance is a claim that requires an individual determination of liability and is therefore not appropriate for a class action. Accordingly, the district court concluded that the class was not appropriate, and therefore the court lacked jurisdiction. The court did not dismiss the negligent misrepresentation claim outright.
Equitable Theories
• Unjust enrichment, good faith and fair dealing, prima facie tort, etc.
Theories of Damages
The obvious stuff:
• How many MasterCard cards has the bank had to reissue since the data security breach? How many Visa cards?
• How much did the bank pay per card to do so? These costs range from $1.50 to $3.50 per card or more.
• How much has the bank had to pay to refund its customers for fraudulent purchases associated with the data security breach?
The not-so obvious:
• How much has the bank had to spend, per customer, in order to communicate with customers regarding the data security breach? Call center loads? Creating alerts?
• Has the bank engaged in card buy-backs through the black market?
• Mitigation: has the bank had recoveries through chargeback and/or Visa dispute resolution process, etc. relating to the data security breach?
• What security alerts (e.g. CAMS alerts) did the bank receive from MasterCard, Visa, or Target?
The Target litigation: Plastic Card Act may permit recoveries for
• Canceling existing debit or credit cards and replacing such cards.
• Closing any financial accounts affected by the breach, as well as acting to stop payments or block transactions with respect to the accounts.
• Opening or reopening any financial accounts affected by the security breach.
• Issuing refunds or credits to cardholders to cover the costs of unauthorized transactions related to the breach.
• Notifying cardholders affected by the breach.
Third Party Data Vendor Liability
• In case of Target, third party data vendor is a Qualified Security Assessor (QSA), Trustwave Holdings Inc., providing compliance assessment services to merchants, but may or may not also provide data monitoring and other related data security services to the merchant. Trustwave dismissed in some cases, still sued in others.
• Claims (e.g., tort negligence) by banks and others suffering losses. Issues:
  • Will economic loss doctrine apply?
  • Was data breach due to Payment Card Industry Data Security Standard (PCI DSS) non-compliance or other breach of a contract between vendor and merchant?
• Claims (e.g., tort negligence) by banks and others suffering losses. Issues (cont'd):
  • Does PCI DSS compliance insulate such vendors, merely because a breach occurred notwithstanding compliance?
  • Cf. Heartland Payments. Heartland was data custodian which was breached, in contrast to Trustwave and similar
Lone Star National Bank NA et al. vs. Heartland Payment Systems
• Issuer banks filed suit after hackers stole payment card information from Heartland's data systems in 2009
• MDL consolidated nationwide suits. Litigation then proceeded in 2 paths: consumer plaintiffs and financial institution plaintiffs
• Claims asserted and dismissal by district court, 834 F.Supp.2d 566 (S.D. Tx. 2011).
District court rulings on the 12(b)(6) motion, by claim:
Claim | 12(b)(6) ruling
Negligence | Granted with prejudice and without leave to amend
Consumer protection laws of NY, JN, and WA | Granted with prejudice and without leave to amend
Breach of contract | Granted without prejudice and with leave to amend
Breach of implied contract | Granted without prejudice and with leave to amend
Express misrepresentation | Granted without prejudice and with leave to amend
Negligent misrepresentation based on nondisclosure | Granted without prejudice and with leave to amend
Consumer protection laws of CA, CO, IL and TX | Granted without prejudice and with leave to amend
Fifth Circuit Treatment (729 F.3d 421 (5th Cir. 2013)): reversed dismissal of negligence claim. Economic loss doctrine does not bar the issuer banks' negligence claim at the motion to dismiss stage of the litigation.
Why?
• Issuer banks were an identifiable class (Heartland sent payment card information to these banks) and Heartland had reason to foresee the issuer would suffer economic losses by its negligence.
• In absence of tort remedy, issuer banks would have no recourse, therefore defying notions of fairness, common sense and morality.
In re: Target Corporation Customer Data Security Breach Litigation (MDL 2522)
• Pending in the District of Minnesota
• Three tranches: Bank Cases, Consumer Cases, Shareholder Cases
• Plaintiffs include at least 30 banks and credit unions
• Defendants include Target Corporation, Target.com, and Target Corporate Services
Claims
• Negligence
• Violations of the Minnesota Plastic Card Act
• Deceptive Practices
• False Advertising
• Unjust Enrichment
• Negligence Per Se