replacing credit cards compromised in a security breach. As a result, any business that is breached and is found to have been storing “prohibited” cardholder data (e.g., magnetic stripe, CCV codes, tracking data, etc.) are required to reimburse banks and other entities for costs associated with blocking and reissuing cards. This law also opens up the business to the potential of private lawsuits. This law applies to any “person or entity conducting business in Minnesota” that accepts credit cards, debit cards, stored value cards, or similar cards issued by financial institutions. Failure to comply with the law may result in the reimbursement to the card-issuing financial institutions for the “costs of reasonable actions” to both protect its cardholders’ information and to continue to provide services to its cardholders after the breach. Costs may be related to the notification, cancellation and reissuance, closing and reopening of accounts, stop payments, and refunds for unauthorized transactions. The financial institution may also bring an action itself to recover the costs of damages it pays to cardholders resulting from the breach. Target and other businesses hit with massive data security breach incidents are likely to see this law used by credit card companies trying to recover the costs incurred to replace credit cards of affected customers. The full text of the Plastic Card Security Act appears below. 325E.64 ACCESS DEVICES; BREACH OF SECURITY. Subdivision 1. Definitions. (a) For purposes of this section, the terms defined in this subdivision have the meanings given them. (b) “Access device” means a card issued by a financial institution that contains a magnetic stripe, microprocessor chip, or other means for storage of information which includes, but is not limited to, a credit card, debit card, or stored value card. (c) “Breach of the security of the system” has the meaning given in Minn. Stat. § 325E.61, subdivision 1, paragraph (d).
100
Made with FlippingBook - Online Brochure Maker