Patrick's Hacking log

HACKING & COMPUTER SECURITY...

ICT security-related blog

››› Nihil timendum est

Patrick's Hacker and Hacking log
SEPTEMBER 2011 ~ w37 ~ w38 ~ w39

W36 - Week 36 - Week thirty-six

INFORMATION SYSTEMS SECURITY AND CYBERATTACKS 7:

Industry Information Security Standards and Private Legal Actions Under State Law
In some instances, financial institutions and private individuals bring legal actions under state law to recover damages from merchants and banks that failed to protect customer data stored in their computer systems from unauthorized access and fraudulent use by cybercriminals.




Plaintiffs, however, are unlikely to succeed unless they can show damage suffered as a direct consequence of the defendants' failure to protect the data. For example, in Banknorth, N.A. v. BJ's Wholesale Club, Inc., Banknorth, a financial institution, sued the merchant, B.J.'s Wholesale Club ("B.J.'s"), and Fifth Third Bank, B.J.'s acquiring bank, which processed debit card payments on B.J.'s behalf, for breach of contract and negligence to recover losses suffered by Banknorth when criminals stole its customers' debit card information stored in B.J.'s computers. The defendants retained customer debit card information in violation of the Visa Operating Regulations and failed to protect it from theft. Banknorth also brought an equitable subrogation claim alleging that since it reimbursed its cardholders for the fraudulent purchases that resulted from defendants' negligence, it should recover from the defendants in place of the cardholders.

The defendants moved to dismiss Banknorth's complaint. The court found that each claim involved a factual dispute beyond the scope of the motion to dismiss and denied the plaintiff's motion. Later, however, on the defendants' motion, the case was transferred to the United States District Court for the Middle District of Pennsylvania, where two other cases arising from similar circumstances were already pending. The district court granted the defendants' motion to dismiss for failure to state a claim. The court held that Banknorth's contract claim failed because it was not a third-party beneficiary of the contracts between the defendants, B.J.'s and Fifth Third Bank, or between B.J.'s and Visa U.S.A. The court also held that the economic loss rule barred Banknorth's negligence claim because Banknorth did not allege any damages and only sought to recover for its economic losses. Banknorth's equitable subrogation claim also failed because the court found that Banknorth paid its customers on its own obligation and not on its customers' obligation from B.J.'s. The court also dismissed all complaints in the other two cases against B.J.'s and Fifth Third Bank on similar grounds, holding that there was no legal basis for the relief sought by the plaintiff.

Written by James M. Sheehan, Special Agent in Charge, Criminal Division, FBI Los Angeles.