Comments on: New Law on Paying the Price for Identity Theft http://blogs.law.harvard.edu/infolaw/2007/05/24/new-law-on-paying-the-price-for-identity-theft/ Information, Law, and the Law of Information Fri, 04 Dec 2009 21:55:50 -0500 http://wordpress.org/?v=2.8.5.2 hourly 1 By: Jenny http://blogs.law.harvard.edu/infolaw/2007/05/24/new-law-on-paying-the-price-for-identity-theft/comment-page-1/#comment-73070 Jenny Tue, 23 Dec 2008 10:33:29 +0000 http://blogs.law.harvard.edu/infolaw/2007/05/24/new-law-on-paying-the-price-for-ident#comment-73070 <a href="http://www.sourcearticle.info/?id=NTY1NSxIYXJ2YXJkIEZvb3NiYWxsIFRhYmxlLDU=" rel="nofollow">sourcearticle.info</a> has some more information sourcearticle.info has some more information

]]> By: Jenny http://blogs.law.harvard.edu/infolaw/2007/05/24/new-law-on-paying-the-price-for-identity-theft/comment-page-1/#comment-73069 Jenny Tue, 23 Dec 2008 10:32:59 +0000 http://blogs.law.harvard.edu/infolaw/2007/05/24/new-law-on-paying-the-price-for-ident#comment-73069 I found more <a href="http://www.sourcearticle.info/?id=NTY1NSxIYXJ2YXJkIEZvb3NiYWxsIFRhYmxlLDM=" rel="nofollow">here</a> if anyone's interested I found more here if anyone’s interested

]]> By: balloon head http://blogs.law.harvard.edu/infolaw/2007/05/24/new-law-on-paying-the-price-for-identity-theft/comment-page-1/#comment-13650 balloon head Thu, 14 Jun 2007 00:57:07 +0000 http://blogs.law.harvard.edu/infolaw/2007/05/24/new-law-on-paying-the-price-for-ident#comment-13650 hello, my name is Mr. Burns i believe you have a letter for me hello,
my name is Mr. Burns
i believe you have a letter for me

]]> By: Jim Graves http://blogs.law.harvard.edu/infolaw/2007/05/24/new-law-on-paying-the-price-for-identity-theft/comment-page-1/#comment-13350 Jim Graves Fri, 25 May 2007 03:49:27 +0000 http://blogs.law.harvard.edu/infolaw/2007/05/24/new-law-on-paying-the-price-for-ident#comment-13350 Interesting. The other problem with arguments that the law isn't needed is that there's nothing in the common law to protect banks that have to spend lots of money reissuing cards. The only precedent I know of is <a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9001391" rel="nofollow">this case</a>, where a credit union spent $100,000 to cancel and reissue credit cards, then sued the bank that handled transactions for the merchant who lost the data. That case was dismissed partly because the credit union had no contractual standing to sue the bank or the merchant. Negligence claims for data breaches haven't done well either. So, if you have to reissue credit cards because someone else is sloppy with their customer data, you're supposed to eat that loss? Everything in the common law seems to say "yes" so far. So this law is a good thing. It's also interesting because it seems directly pulled from Visa and Mastercard's Payment Card Industry Data Security Standard (PCI DSS). Storing full-stripe, PIN, or CVV data is a big PCI DSS no-no. The law turns an existing private contractual obligation into a statutory one. Excellent. Interesting. The other problem with arguments that the law isn’t needed is that there’s nothing in the common law to protect banks that have to spend lots of money reissuing cards. The only precedent I know of is this case, where a credit union spent $100,000 to cancel and reissue credit cards, then sued the bank that handled transactions for the merchant who lost the data. That case was dismissed partly because the credit union had no contractual standing to sue the bank or the merchant. Negligence claims for data breaches haven’t done well either.

So, if you have to reissue credit cards because someone else is sloppy with their customer data, you’re supposed to eat that loss? Everything in the common law seems to say “yes” so far. So this law is a good thing.

It’s also interesting because it seems directly pulled from Visa and Mastercard’s Payment Card Industry Data Security Standard (PCI DSS). Storing full-stripe, PIN, or CVV data is a big PCI DSS no-no. The law turns an existing private contractual obligation into a statutory one. Excellent.

]]>