September 23, 2005 1:32 PM PDT

Judge holds off disclosure in credit card heist

SAN FRANCISCO--Visa and MasterCard won't have to inform customers that their personal details were exposed in a high-profile data security breach--at least for now, a judge ruled Friday.

San Francisco Superior Court Judge Richard Kramer denied a request for a preliminary injunction that would require the credit card companies to tell individual California credit card holders that their accounts are at risk of fraud after a widely publicized digital break-in at CardSystems Solutions. Payment processor CardSystems and Merrick Bank are also defendants in the case.

"I don't see the emergency," Kramer said. "There is no basis for involving the injunctive power of this court against a litany of defendants, some of whom might or might not be involved."

The case, filed in June on behalf of California credit card holders and card-accepting merchants, seeks to test a state law that requires consumer notification after personal information stored on computers is lost, stolen or breached. The plaintiffs had sought a preliminary injunction to force consumer notification in the CardSystems case.

The security breach at CardSystems was disclosed publicly on June 17 by MasterCard. In the break-in, intruders got access to details on about 40 million credit cards. Records covering about 200,000 cards are thought to have been transferred out of CardSystems' network. Visa and MasterCard maintain that notification responsibility falls with the banks that issue credit cards and that have direct relationships with the affected customers.

Kramer denied the request for a preliminary injunction without prejudice, indicating that the notification issue is at the heart of the case and is too complex for that. "The scope of what might be adequate notice is what this case is--basically, what this whole lawsuit is about--and needs to be addressed in a more organized way," he said.

After hearing further arguments on Friday afternoon, Kramer stuck to his earlier tentative ruling against the preliminary injunction. "There is no showing of an immediate threat," he said.

"Visa is pleased that the court denied the request for a preliminary injunction," Randall Edwards, an attorney for the San Francisco-based credit card association, said after the hearing Friday.

In the next stages, Kramer said he wants to discuss the details of the case and the "relatively new statute that has been untested." The statute is California cival code section 1798.82.

"I think there are serious questions as to who is covered by the statute and what is covered by it," Kramer said. The next hearing in the case is set for Tuesday.

The security breach at CardSystems was disclosed publicly on June 17 by MasterCard. In the break-in, intruders got access to details on about 40 million credit cards. Records covering about 200,000 cards are thought to have been transferred out of CardSystems' network. Visa and MasterCard maintain that notification responsibility falls with the banks that issue credit cards and that have direct relationships with the affected customers.

Kramer on Friday also ruled that merchants can't be a party in the case, because the complaint does not demonstrate any damages. His ruling, however, leaves room for the complaint to be amended, which plaintiff attorney Rothken said he would do.

Retailers may have more to lose than consumers by the lack of notification. If a criminal makes an unauthorized purchase on an individual's card, the cardholder is typically protected by the credit card company through "zero liability" programs. Businesses, especially online businesses, however, in many cases have to cover the loss.

10 comments

Join the conversation!
Add your comment
Businesses Have to Cover the Loss?
So businesses have to cover the loss? Technically perhaps up front, but you can bet they will pass that loss on to the consumer. As will be the case for any fines levied against the businesses whose lack of security caused this loss of personal data in the first place.
Posted by jameszane (14 comments )
Reply Link Flag
Businesses Have to Cover the Loss?
So businesses have to cover the loss? Technically perhaps up front, but you can bet they will pass that loss on to the consumer. As will be the case for any fines levied against the businesses whose lack of security caused this loss of personal data in the first place.
Posted by jameszane (14 comments )
Reply Link Flag
AS ALWAYS THE CUSTOMER PAYS !
As always, the customer pays for all, including interest all fees and charges and his/her time lost to sort out the mess caused bny inherent corporate security laxness, and is the last to be informed. Oh well, nice to be customer last, welcome to the new business model shoot the customer, to maximise returns, minimise costs and only offer insecurity!
Posted by heystoopid (691 comments )
Reply Link Flag
AS ALWAYS THE CUSTOMER PAYS !
As always, the customer pays for all, including interest all fees and charges and his/her time lost to sort out the mess caused bny inherent corporate security laxness, and is the last to be informed. Oh well, nice to be customer last, welcome to the new business model shoot the customer, to maximise returns, minimise costs and only offer insecurity!
Posted by heystoopid (691 comments )
Reply Link Flag
This tells me there must be LOTS of breaches and
...poor security. As usual the power holders want to stay in the dark and spin it in their favor.
Posted by ordaj (338 comments )
Reply Link Flag
This tells me there must be LOTS of breaches and
...poor security. As usual the power holders want to stay in the dark and spin it in their favor.
Posted by ordaj (338 comments )
Reply Link Flag
The New America
Government for big busines, champions of the rich, protectors of those who would destroy the American People for their own greed.

You expect otherwise.
Posted by EdShaffer (19 comments )
Reply Link Flag
The New America
Government for big busines, champions of the rich, protectors of those who would destroy the American People for their own greed.

You expect otherwise.
Posted by EdShaffer (19 comments )
Reply Link Flag
judge holds off disclosure?????
WHAT THE &*%$#@(**&^. WHO'S THE GUILTY ONE HERE???
THE JUDGE SOUNDS LIKE HE NEEDS TIME TO GET OUT OF THE COUNTRY. WHO PAID OFF THE F...N JUDGE?
Posted by djcomdoc (5 comments )
Reply Link Flag
judge holds off disclosure?????
WHAT THE &*%$#@(**&^. WHO'S THE GUILTY ONE HERE???
THE JUDGE SOUNDS LIKE HE NEEDS TIME TO GET OUT OF THE COUNTRY. WHO PAID OFF THE F...N JUDGE?
Posted by djcomdoc (5 comments )
Reply Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.