Wednesday, December 16, 2009

Is it really a security breach if it’s insured?

A blog post at http://www.courthousenews.com/2009/12/15/BJ_s_Bank_Not_Liable_for_Credit_Card_Fraud.htm notes a decision in CUMIS INSURANCE SOCIETY, INC., & others vs. BJ'S WHOLESALE CLUB, INC., found at http://www.courthousenews.com/AppellateOpinions/10400.doc. As a result of the breach, "[t]he credit unions wanted to be compensated for having to issue millions of new credit cards to replace the ones that were compromised." However, the trial court and the Massachusetts Supreme Court sided with the defendant, granting a motion for summary judgment and not letting the credit unions act as third-party beneficiaries. "The court also tossed fraud and negligence claims against BJ's and Fifth Third Bank, saying they never misled the credit unions and Cumis about their compliance with Visa and MasterCard regulations."
 
To me, more interesting was the following statement at the end of the decision:
 
"As the second judge determined, no rational jury could have found reasonable reliance on the regulations prohibiting storage of magnetic stripe data in the circumstances here.  First, as the judge observed, Visa and MasterCard compliance regulations explicitly provide for fines for breach of regulations such as storage of magnetic stripe data.  This indicates that the system is designed with the expectation that breaches will occur.  In addition, the plaintiff credit unions anticipated and insured themselves through plaintiff Cumis against fraudulent losses arising from such storage."

The logical extension of that is that no one should be liable for anything, because our laws anticipate bad behavior by punishing it and it is therefore to be expected. And of course if you have insurance, what are you complaining about; you've been compensated. That's a great argument unless you’re the insurance company or your policy doesn't cover all your damages.
