By Drew M. Smith
Over the last year, the U.S. has painstakingly moved towards a system of using EMV chip readers. These are supposed to be more protected against breaches and easier to use, but it has proven to be the opposite. When it comes to actual breaches, the financial institutions aren’t the ones being sued. Rather, it’s companies like Visa and MasterCard that are going after the institutions and companies that are using these devices, on the grounds that they were the ones that let the breach in.
This stems from the rules set upon the credit card companies. The EMV chip change came about as a result of a need for the U.S. to catch up with the rest of the world. However, they didn’t set a mandate for when those chips and the machines had to come online, as many other countries had done. Instead, they set up a guideline for when retailers were supposed to switch over, which was October of 2015. In doing so, the credit card companies adopted a policy of liability shift. In basic terms, it means that if a breach were to occur, the liability falls to the retailers for supposedly allowing the breach if they don’t buy the very expensive chip readers. If they have them, then it could fall to the bank. The theory was that this would be an incentive for retailers to switch to the new readers.1
What this has done, however, is allow banks and card companies to sue the retailers or front-end users. The argument is that since the retailers failed to update to the most current security protocols, they should compensate the banks if a breach were to occur. But the laws have not caught up to the technology. As such, these cases are tricky to bring to court. In one case in Illinois, Cmty. Bank of Trenton v. Schunck Mkts., the banks, who were the plaintiffs, traced the breach to the defendants and wanted compensation for the loss. Their thirteen counts were thrown out without prejudice on the grounds that the charges didn’t meet the RICO definition, did not prove misrepresentation, or did not amount to gross misconduct on the part of the retailer. The court reasoned that “the parties are charting relatively new territory in the data breach context by presenting a case between financial institutions and a merchant (as opposed to customers and a merchant), . . . the Court notes that the generality made it difficult to assess the plausibility of such claims.” Id. at *8-9.2