Data security responsibilities are, at times, not met with the level of diligence that compliance requires. Standards for compliance, for many businesses, institutions, and service entities, are not as clearly specified as one would be led to believe. The disjuncture between responsibilities and efforts is becoming more evident with each passing day as cyber incidents leave consumers and business establishments with alarming concerns.
It is commonly prescribed that personal data embedded in digital record transmissions must be transferred securely. However, the confidence that a service consumer, medical patient, loan customer, or even a student at an ATM demonstrates daily with every swipe and approval rests on the unseen information processing that the venue operates in order to provide the desired service. If that confidence is shaken by the notion that private information is not being handled securely, digital transactions will experience a hiccup, the public consumer will seek other means to transact, and back to cash and brick-and-mortar we go. The integrity of the merchant's secure appearance is then held questionable and untenable.
At the point of transaction, the consumer is left with the confidence that the banking information provided to the institution is being transmitted securely and that the data is being recorded accurately, especially as balances are verified. But what if the measures are not followed by the merchant? How should a cyber incident be considered when negligence is involved in the mishap? Who is to be held accountable for demonstrating that the duty of care was met?
Negligence was an issue in In re Hannaford Bros.[1] This Maine District Court case involved a data security incident arising from a third party stealing consumer data from grocery transactions. The question raised in the case was whether a customer can recover from the grocer for loss resulting from the third party's data theft. It is conceivable that, from the consumer's point of view, there will be a tendency to enjoy the convenience of the digital transaction by using a credit card at a store. Yet, with the convenience, there is also the risk of fraud and misuse of the account information, i.e., PII.[2] The average consumer believes that the law should address and protect their PII in circumstances where confidential information is stolen, and allow for redress against the merchants and financial institutions. But how negligence should be analyzed in cyber incidents is an unsettled question, dealt with through the traditional tort concepts of duty, breach, and causation of a tangible injury. Courts have long relied on analysis under Article III to settle, in each case, whether the requisite case or controversy exists.
Negligence, however, seems to stand on an island in cyber incidents. To the individuals who have been affected by a cyber incident, the risk of fraudulent use of their account information is very real. So, the argument goes, the law should provide some form of protection. How that protection is conceived is still debatable. The grocery establishment in Hannaford Bros. argued, as merchants typically do, that the law already provides protection to consumers by agreement. For instance, the Electronic Fund Transfer Act limits a consumer's liability for fraudulent debit card transactions to no more than $50 (or, if the consumer fails to notify his bank "within two business days after the consumer learns of the loss or theft," no more than $500). 15 U.S.C. § 1693g(a). Defendants usually argue as well that the industry provides similar limits through contractual agreements with card networks and associations such as Visa, MasterCard, etc. Store merchants will always seek to have the courts impose responsibility on the banks that issue the cards in order to channel any recourse available to the consumer. So the cyber incidents that pertain to the misappropriation of digital transaction data pit the consumer against the financial institutions, to the liking of merchants, or against the merchants, to the liking of the financial institutions.
In the Hannaford case, the plaintiffs found themselves pitted in this way against the merchant, to determine the level of care that the merchant undertook in safeguarding the digital data of the credit and debit card transactions. The plaintiffs argued that "... [they] made use of debit cards and credit cards issued by financial institutions to access their bank accounts or create credit relationships." Furthermore, that the merchant "provided electronic payment services," but failed "to maintain the security of private and confidential financial and personal information of ... credit and debit card customers" at supermarkets in several states, including Florida. Hannaford did not argue that it was not subject to a reasonable duty of care; what it pointed out was that it believed it was not subject to an economic loss claim arising outside the traditional personal injury and property damage considerations. The court stated that "in a grocery transaction where a customer uses a debit or credit card, a jury could find that there is an implied contractual term that Hannaford will use reasonable care in its custody of the consumers' card data, the same level of care as the negligence tort . . ." Hence, the conclusion was that consumers can recover from a merchant when payment data are stolen, if the merchant's negligence is the direct cause of the loss in the customer's account. In this case, the negligence analysis was drawn to delineate breach of a duty of care and causation of the loss of data security.
[1] In re Hannaford Bros. Co., MDL Docket No. 2:08-MD-1954, United States District Court, D. Maine, May 12, 2009.
Lorenzo Law Firm is “Working to Protect your Business, Ideas, and Property on the Web." Copyright 2017, all rights reserved Lorenzo Law Firm, P.A.