Many financial institutions are counting the costs they are incurring for replacing customer debit or credit cards as a result of recently discovered security breaches at various national retailers. These costs will be substantial for many banks. Even if a bank has not replaced and is not currently planning to replace cards, as more and more breaches come to light customer pressure will build for cards to be replaced.
Does a bank have any options to try to recoup these costs? In 2007 Minnesota adopted a law that permits card issuers to recover their costs against retailers involved in security breaches in certain cases. Minnesota is one of three states in the country that have laws authorizing card issuers to recover some costs in the event of a breach.
Specifically, Minnesota Statutes § 325E.64 provides that a business that accepts a credit card, debit card or stored value card cannot retain the contents of the card security code, PIN verification code or the full contents of the magnetic stripe data after receiving the authorization for the transaction or, in the case of a PIN debit transaction, for more than 48 hours after receiving the authorization for the transaction. If the business violates this restriction and a security breach occurs, the business is obligated to reimburse the financial institution that issued any card affected by the security breach for the costs of reasonable actions undertaken by the financial institution to protect cardholders’ information and continue to provide services to cardholders. The actions of a card issuer for which reimbursement may be available include:
In addition to this law there may be other claims that might be asserted against a merchant in connection with a security breach. If your financial institution has incurred, or anticipates incurring, costs related to any of these security breaches, whether costs of reissuance of the cards, closing accounts, refunding amounts to affected customers or providing notifications to affected consumers, you should consult legal counsel to evaluate the rights you may have, whether under this law or otherwise, to recover some or all of your costs. If your bank decides to replace debit / credit cards as a result of this type of security breach, you will want to keep records of relevant facts involving the decision, including:
For further information contact George Meinz at 320.252.4414 or Phil Bohl at 612.632.3019.
This article is provided for general informational purposes only and should not be construed as legal advice or legal opinion on any specific facts or circumstances. You are urged to consult a lawyer concerning any specific legal questions you may have.
Gray Plant Mooty is recognized as one of the leading corporate law firms in Minnesota and one of the top franchise firms in the world. Our roots go back to 1866. Today, we are a 180-plus attorney, full-service firm with offices in Minneapolis and St. Cloud, Minnesota; Washington, D.C.; and Fargo, North Dakota.