Warranting Data Security
Brooklyn Journal of Corporate, Financial & Commercial Law, Vol. 5, 2010
23 Pages. Posted: 18 Nov 2010. Last revised: 12 Feb 2011.
Date Written: November 17, 2010
Abstract
Massive data security breaches have grabbed headlines in the past few years. The data thieves responsible for these breaches have stolen the credit and debit card data of customers of retailers such as TJ Maxx, DSW Shoe Warehouse, BJ’s Wholesale Club, and the Hannaford grocery store chain. A thief in control of this payment card data, which can include debit and credit card numbers, expiration dates, security codes and personal identification numbers, has the ability to open new credit accounts and make charges on existing consumer accounts. These data breaches leave individuals fearful that their personal information will be used in ways that will disrupt their financial transactions and damage their credit.
Consumers affected by data breaches understandably feel exposed to serious financial harm, even in the absence of liability for fraudulent charges. A consumer’s credit score affects her ability to finance important purchases, and the events that occur in the aftermath of a data breach can negatively affect that score. Because these losses are not addressed by existing privacy and payment system statutes, consumers have attempted to recover them using various common law theories, but have uniformly failed in recovering anything for these losses. In this paper, prepared for a symposium on Data Security and Data Privacy in the Payment System, I will discuss the cases in which consumers have been denied recovery for losses arising out of data breaches, and then focus on one argument made by the plaintiffs in the Hannaford case, the argument that, under Article 2 of the Uniform Commercial Code (U.C.C.), every time a retailer accepts a payment card from a buyer, it warrants that its payment system is secure.
While a warranty of data security might be a good idea, Article 2, because of its limitation to the sale of goods, is not the best place for it. Instead, courts could impose a common law warranty of data security, under which all sellers would warrant that their chosen payment system is secure. Below, I will make some arguments supporting a non-waivable common-law warranty of data security that is drawn both from the Article 2 warranties and the warranties in Articles 3 and 4 of the U.C.C., which apply to negotiable instruments and the check collection system. I will then compare the problem of ensuring safe data transactions today to the problem of ensuring the habitability of rental housing in the mid-20th century, which judges addressed by imposing an implied warranty of habitability in leases for residential real property. The story of that warranty can add to the debate about how best to ensure the safety of personal data.
Keywords: payment systems, credit cards, debit cards, data breaches, identity theft, warranties