Let loose the lawyers

by Henry Meier

Even though I can understand why few Americans are shedding a tear for the sharp decrease in law school admissions, sometimes I think that America’s excessive hatred of lawyers has real-world consequences beyond bruising the ego of the relatively small handful of lawyers I have met who are thin-skinned. I am bringing this up because Congress soon will begin holding hearings on the Target data breach. While any legislation imposing obligations on retailers to start taking the protection of consumer data more seriously would be a welcome step in the right direction, it should not come at the expense of limiting liability for merchants whose negligence leads to data breaches. In fact, this is one area where we need more litigation, not less.

As I have discussed in previous blogs, the legal obligation of retailers to card-issuing financial institutions and consumers victimized by data breaches is entirely too narrow. First, the existing credit card network agreements place contractual limitations on the liability that retailers can face when they are sued by a card issuer. And courts are reluctant to say that a third-party processor of debit and credit transactions, based in Atlanta, for example, has a legal obligation to a card issuer in New York. The result is that even if federal legislation helps prevent data theft by making retailers more thoroughly guard against hacker activity, the true costs of such breaches, at least under existing law, will never truly be borne by the parties responsible.

Which brings us to the upcoming Congressional hearings. My concern is that advocates of data theft reform are willing to trade increased merchant monitoring to protect against data breaches for even greater merchant protection against lawsuits. For instance, Senate Judiciary Chairman Patrick Leahy’s “Personal Data Privacy and Security Act” (S.1897) includes a provision that prohibits data breach lawsuits from being based solely on “a violation of a contractual obligation or agreement such as an acceptable use policy or terms of service agreement.” (sec. 107)

Does this mean that any time a company can show that a data breach violates company policy or a third-party vendor contract, the retailer is off the hook? At the very least, if and when we ever do get federal legislation, it should not preempt the right of states to impose greater liability on merchants if they choose.
