NEW REMEDIES AVAILABLE TO FINANCIAL INSTITUTIONS UNDER MINNESOTA DATA RETENTION LAW
Minnesota enacted Minnesota Statutes Section 325E.64 (“Data Retention Act”) in May 2007 to regulate the retention of data related to retail transactions. Portions of this statute went into effect on August 1, 2007. As a result, merchants doing business in Minnesota may not retain credit or debit card security data after completing transactions. On August 1, 2008, financial institutions will have a new potential remedy that imposes strict liability on a noncompliant merchant to reimburse financial institutions for the costs of protecting customers if the merchant suffers a security breach. The data retention law incorporates one aspect of the Payment Card Industry Data Security Standards (PCI DSS), developed by the major credit card providers to create uniform security standards.
Prohibited Retention of Security Information
Under existing law, merchants are in violation of the statute if they retain (i) credit card security codes, (ii) PIN verification code numbers, or (iii) the full contents of the magnetic stripe after the transaction has been authorized. For debit transactions requiring a PIN, however, the law allows merchants to retain the information for 48 hours after authorization. Merchants are also liable for violations caused by their third-party service providers, such as data processors.
New Remedy for Financial Institutions
Effective August 1, 2008, financial institutions may recover costs from merchants who retain prohibited information in violation of the statute and also experience a security breach. Recoverable costs include, but are not limited to, reimbursement for:
- reissuing affected cards;
- closing and reopening affected accounts, or opening new accounts;
- stopping payments or transactions;
- refunding unauthorized transactions or other damages to cardholders; and
- notifying affected cardholders.
Financial institutions may not, however, recover expenses already reimbursed by a credit card company.
Practical Effects of Minnesota’s Data Retention Act
Financial institutions can incur significant costs if a security breach results from a merchant’s failure to comply with the Data Retention Act. Fortunately, these institutions now have an additional avenue to recover some of the expenses incurred in securing customer data. Financial institutions should ensure they retain detailed records of the expenses incurred as a result of a particular security breach, as well as any related reimbursements from credit card companies. Additionally, financial institutions should be active in determining whether a merchant was in violation of the statute when a security breach occurred.
If you have questions about this alert, please contact a member of Oppenheimer's Financial Services Team.
This alert is a copyrighted publication produced by Oppenheimer Wolff & Donnelly LLP. The information contained in this alert is of a general nature and is subject to change. Readers should not act without further inquiry and/or consultation with legal counsel.