Shostack + Friends Blog Archive


CardSystems Breach and Notice

On Friday, San Francisco Superior Court Judge Richard Kramer ruled against the idea that CardSystems (or Visa or MasterCard) had to provide SB 1386 notice to people.
Some articles are “Visa, MasterCard Win Battle Over Breach” and “Credit card companies can keep data ID theft secret.” But the article worth reading is CNet’s “Judge holds off disclosure in credit card heist,” which makes clear that:

San Francisco Superior Court Judge Richard Kramer denied a request for a preliminary injunction that would require the credit card companies to tell individual California credit card holders that their accounts are at risk of fraud after a widely publicized digital break-in at CardSystems Solutions. Payment processor CardSystems and Merrick Bank are also defendants in the case. (emphasis mine.)

It's unfortunate that none of the reporters has mentioned that SB 1386, which the judge accurately and worryingly describes as “a relatively new statute that has been untested,” clearly explains that notice is imperative, in both section 1(e):

According to the Attorney General, victims of identity theft
must act quickly to minimize the damage; therefore expeditious
notification of possible misuse of a person’s personal information is

and in the specifics. (For one example, Civil Code section 1798.82: “The disclosure shall be made in the most expedient time possible and without unreasonable delay…”)

In this particular case, I don't share that sense of urgency, since it's about credit cards, not SSNs. But that's not my determination to make, and I find the judge's choice to disregard the clearly reiterated intent of the legislature a bit surprising. Maybe some of my lawyer readers could comment?