In 2007, Minnesota became the first state to pass an act that gives financial institutions (e.g., banks and credit unions) the ability to sue organizations/merchants that expose payment card data through a security breach.
Minnesota passed the Plastic Card Security Act (“PCSA”) in the wake of the TJX Companies breach, in which 45 million cards were allegedly exposed. The exposure meant that the financial institutions were expected to pick up the almost $900 million bill for re-issuing cards to customers ($20-$50 per credit card for re-issuance). For smaller financial institutions, having to absorb this kind of cost could cripple them.
This law applies to “any person or entity conducting business in Minnesota” that accepts credit cards, debit cards, stored value cards or similar cards issued by financial institutions.
Some Important Definitions
“Financial institution” means any office of a bank, bank and trust, trust company with banking powers, savings bank, industrial loan company, savings association, credit union, or regulated lender.
“Access device” means a card issued by a financial institution that contains a magnetic strip, microprocessor chip, or other means for storage of information, which includes, but is not limited to, a credit card, debit card, or stored value card.
Retention Prohibition – “48 Hour Rule”
Minnesota Statute Section 325E.64, subdivision 2, states, in relevant part, “[n]o person or entity conducting business in Minnesota that accepts an access device in connection with the transaction shall retain the card security code data, the PIN verification code number, or the full contents of any track of magnetic strip data, subsequent to the authorization of the transaction or in the case of a pin debit transaction, subsequent to 48 hours after authorization of the transaction.”
Failure to Comply
If a merchant or business fails to comply with the PCSA, that merchant or business may have to reimburse the financial institution for re-issuing credit cards or debit cards. Reimbursement includes “costs of reasonable actions,” which can include costs related to notification, cancellation and reissuance, closing and reopening of accounts, stop payments, and refunds for unauthorized transactions. The PCSA uses the 48-hour rule as the trigger that lets financial institutions recover their costs when there is a security breach.
If the financial institution is also required to pay damages to cardholders, it can bring an action to recover those damages from the breaching merchant.
The PCSA and Target’s 2014 Data Breach
Most people recall the large Target data breach that occurred in 2013. A number of consumers who were affected brought a cause of action against Target alleging, among other things, that Target had violated the PCSA. Target argued that this state law “applies only to transactions that occur in Minnesota, making the [PCSA] inapplicable to the majority of transactions about which Plaintiffs complain.” The judge presiding over the case did not accept Target’s argument. The judge ruled that the PCSA is not limited to business transactions that take place in Minnesota; by its very terms it applies to the data retention practices of any person or entity conducting business in Minnesota. In other words, the PCSA does not discriminate between in-state and out-of-state transactions or economic interests.
Target ultimately reached a settlement in March 2014, in which it paid $10 million as damages.