Reports of data theft appear on the front page with increasing regularity now that technology makes it easier to swipe such data. Lax security also contributes, making consumers more vulnerable to fraud and identity theft. In response to one recent theft of Visa and MasterCard account information, this is in the news:
Testing the bounds of consumer protection laws, Visa USA Inc. and MasterCard International Inc. are headed for court to determine whether they are obliged to notify 264,000 customers that a computer hacker stole their account information.
The dispute to be argued Friday in San Francisco County Superior Court revolves around a highly publicized security breakdown at CardSystems Solutions Inc., one of the nation’s largest payment processors.
Although a ruling in the class-action consumer lawsuit wouldn’t have legal standing outside the state, it would increase the pressure on Visa and MasterCard to notify all affected accountholders in this and any future breaches.
I have no specific opinion about the legal aspects, but I’m intrigued by the business implications. My first inclination is that of course they should notify all affected accountholders. If Visa and MasterCard can’t protect my data sufficiently, I should know about that. More importantly, if thieves stole my information, I want to know so that I can be aware of the potential. I expect the banks holding my accounts to notify me, which leads to this:
San Francisco-based Visa and Purchase, N.Y.-based MasterCard maintain that responsibility should fall to the myriad banks that administer the accounts because neither credit card association has direct relationships with the affected customers.
I don’t specifically care how the backroom processing happens. Someone needs to notify me. If Visa and MasterCard decide that the banks should notify me, great. Negotiate it into the contracts with those banks. Visa and MasterCard are significant brands with a reputation that banks want to latch onto. Both companies have bargaining power there. But this doesn’t count as a justification:
In their legal briefs, Visa and MasterCard have argued there’s little chance any affected customer will lose a cent because of the association’s long-standing policies to reverse all charges for fraudulent transactions. The “zero liability” policy lessens the need to alert individual customers about the fraud risks, said MasterCard spokeswoman Sharon Gamsin.
In a statement, Visa also said it is comfortable with its anti-fraud measures. But both companies worry that the opposite message might be sent if they are ordered to warn individual customers.
“Such an order would harm the banks’ goodwill because some customers would certainly be confused by the notice and believe the issuing banks were somehow to blame for the security breach,” Visa’s attorneys argued in a court brief.
I’m not too stupid to understand English. Explain what happened and I’ll understand it. I’ll probably be able to decipher who’s at fault. However, perhaps they’re right that I’ll confuse the issue and blame the wrong party. That implies that Visa and MasterCard should work smarter at protecting data. If the banks don’t want to harm their goodwill, they’ll put pressure on Visa and MasterCard to improve security. They have bargaining power, too. If they think that acting as an extra line of protection for their customers won’t help their goodwill (if for no other reason than preventing loss of goodwill in cases like this), they’re stupider than I think they are.
I don’t have the market power to spank Visa or MasterCard, or even an individual bank. But a group of customers might force that pressure on a bank. The bank might then have minimal ability to change Visa and MasterCard by itself, but a group of banks most definitely has that ability. This lawsuit is proof that no one is powerless in the free market. A lawsuit may not be the best or most appropriate way to force change, but it’s usually effective. Visa and MasterCard should remember that where business refuses to regulate itself, government is more than willing to step and do the job. Me, I’d rather see self-regulation but I guess we know where Visa and MasterCard stand.