Our local newspaper, the St. Paul Pioneer Press, quoted me briefly at the end of a story about a freshly-passed Minnesota law concerning credit cards and identity theft. When a security breach involving credit card data is the fault of a retailer rather than the issuer of the card, the “Plastic Card Security Act” shifts liability to the retailer to pay for associated costs like notifying affected consumers and reissuing cards. (The state already has a data breach notification law, similar to those now spreading through state legislatures like wildfire.) The statute also imposes data security requirements on retailers in their handling of payment information such as credit card numbers and PINs. The governor signed the new law Monday. Five other states have similar bills pending and Congressman Barney Frank recently said that he would introduce a federal version.
The direct benefit to the consumer here is modest. The law’s data security requirements largely replicate those already embodied in the contracts retailers sign with the major credit and debit card issuers. But these contractual rules are not always followed, as apparently demonstrated by the jaw-dropping theft of some 45.7 million such records from retailer TJX, the parent company of Marshalls and TJ Maxx. So there is some virtue to having the security requirements enshrined in law and enforceable by the state attorney general. I seldom buy the argument (made by retailers opposing the new Minnesota requirements) that a law is not necessary because industry already follows it. After all, if the rule is already followed, then there should be no additional compliance burden, right?
Beyond this marginally beneficial redundancy in security rules, why does this law matter? Well, it seems fair to impose the cost on the party at fault. Small credit unions were especially vigorous advocates of the new law, because they get left holding the bag when retailers screw up.
More fundamentally, though, I see this as an interesting and encouraging sign of the (slow) evolution of consumer privacy law. There was a time not long ago when no one bore the costs for identity theft except for victimized individuals (and conceivably, if you caught them, the hackers could go to jail). Before data breach notification, even a snafu as big as the one at TJX could have gone unreported. It’s comforting to see two major industries slugging it out over responsibility for privacy protection. The underlying assumption must be that someone is going to pay, and the cost is serious enough to try to pass on to somebody else. I’ll take that as progress.