
E-print | from Paybefore Legal | March 2012

• The industry resource for prepaid and stored value •

©2012 Paybefore. All rights reserved. Forwarding or reproduction of any kind is strictly forbidden without the prior consent of Paybefore.

In Viewpoint, prepaid and stored value professionals share their thoughts and perspectives on the industry. These are not necessarily the viewpoints of Paybefore.

Data Security Breaches: ‘Old News’ or the Latest Threat to Prepaid Payments? By Judith Rinearson and David Zetoony, Bryan Cave LLP

Remember back in 2006-2008 when data security breaches seemed to make media headlines almost daily? TJX, Heartland, AOL, Department of Veterans Affairs, CSS and so on? As soon as word of a new breach was announced, it was covered by the 24-hour news networks, radio and Websites. Everyone was talking about them!

Well, things have changed. We don’t hear about data security breaches as frequently, and when we do, they’re back page news, not headlines. This might lead you to believe that data breaches are old news and “non-secure” systems of the past have been updated, so the number and size of breaches don’t compare to huge data breaches of the past. If you do, you couldn’t be more wrong. Unfortunately, data breaches are occurring more frequently than ever. It may surprise you to learn that of the 15 largest data breaches in history, seven occurred in the last two years and four occurred during 2011.1 There were more than 850 breaches in 2011, with more than 174 million records lost; the average cost of a data breach to an organization in 2011 was estimated at $5.5 million per company.2 Just because the presidential election year (and, perhaps, boredom) has pushed data security breaches to the back page, don’t think for a second that the threat is no longer imminent. And, data security is a particular concern for the growing and evolving prepaid card industry. Here’s why:

• These days data security breaches aren’t simply a reputational nightmare and an operational headache. They’re costly to remedy.3 In the prepaid context, the significant costs of remediation—including replacing cards, providing notices to consumers, implementing a systems audit, providing free credit repair services and more—are often allocated by contract from the bank to the processor or program manager.

• Recent court decisions have increased the potential costs of data breaches because of the increased risk of being sued in a class action.4 These are costs that many smaller prepaid companies are unlikely to be able to easily absorb.

Judith Rinearson leads the payments practice team for Bryan Cave LLP, where she is a partner in the firm’s New York City office. She is also chair of the NBPCA’s Government Relations Working Group and the association’s representative to FinCEN’s Bank Secrecy Act Advisory Group. David A. Zetoony practices law in the Washington, D.C., office of Bryan Cave LLP. He specializes in defending companies in class action litigation and government investigations involving advertising and data privacy. They may be reached at [email protected] and [email protected]. Bryan Cave is hosting a Webinar on privacy and data security on April 10.

• The potential risk goes beyond consumer prepaid products. In 2011, the FTC announced a series of settlements with companies that sold credit reports to business clients whose security systems were inadequate and were subject to hacking and viruses. The FTC took the position that the sellers were responsible not only for their own security systems but for their customers’ systems as well. This was the first time that the FTC attempted to hold a financial institution responsible for its customers’ computer systems or require that a financial institution provide security training to its customers. A statement issued by four of the FTC’s five commissioners indicated that the commission may attempt to impart such a duty on all businesses (not just credit report resellers or financial institutions) “in the chain of handling consumer data.”5

• At the same time that risks and costs are increasing, prepaid cards are frequently being recognized as a growing segment of the payments industry that is used not simply by the underbanked and underserved but more broadly by the general public as a convenient and low-cost payment method:

“The March 14th Congressional hearing on prepaid cards also proved to be highly educational about a rapidly growing financial services product that is predicted to grow exponentially in a very short time frame. The prepaid card market is mistakenly believed to be focused solely on the ‘underserved’ and ‘unbanked,’ but the low-cost business model has the potential to show legacy financial institutions that the game has fundamentally changed.”6

This growing level of attention will not only attract investors, but also criminals and hackers.

• Prepaid cards are increasingly being marketed as a safer alternative to credit cards for online purchases, because the cards are not linked to a bank account nor can they be used above the amount loaded.7 While that may sound nice for card issuers, it also means cardholders could be encouraged to use prepaid at riskier Websites and for less secure purchasing needs, increasing the risks for the cardholder and the prepaid program.

• Growth in the prepaid payroll segment has been widely reported8 and it has already attracted hacking and criminal fraud. In 2008, a data breach at RBS WorldPay led to an ATM organized criminal plot that reaped $9 million in fraudulent funds. “While RBS said 1.5 million open-loop gift and payroll card numbers were compromised in the breach discovered by the company in November 2008, only 100 of the card numbers—all from payroll accounts—were allegedly used in the scam. Apparently, the fraudsters cloned the card numbers onto fake cards and hit over 100 ATMs in a coordinated attack that spanned cities in the United States, Canada, Russia and Asia.”9 These are not small-time crooks; this is massive global criminal activity.

• Last but not least, prepaid card issuers have been quite justifiably focused on the other sweeping change hitting the industry: regulatory compliance with the new FinCEN Prepaid Access Regulations, the Durbin Amendment, and state consumer protection, abandoned property and money transmitter licensing laws.

So what should you be doing if you issue, sell, market or hold prepaid card data? Here are five things to consider.

1. Know where you keep your information. The first step in preventing a data security breach is making sure that you know exactly where the information you collect is stored, how it is transmitted and who has access to it. Creating a chart or a data map of the types of information you collect and how it flows through your organization can be a useful step in understanding what you have and where it is.

2. Take every practical step to keep that information secure. It is impossible to ensure that a data breach will not happen. (If you don’t believe us, ask any one of the hundreds of companies that reported a data breach last year.) That said, when it comes to data breaches, the old maxim that an ounce of prevention is worth a pound of cure is definitely true. Testing and re-testing all of the systems that you have in place to keep information safe is essential.

3. Ensure you have an up-to-date written information security policy. Although almost every company that issues, sells, markets or holds prepaid card data is required to have a written policy that discusses how the company secures information, many companies still do not have such policies in place. Almost as bad, companies that have security policies often do not review and update them regularly. If a breach occurs, it will be difficult, if not impossible, to explain why you cannot produce a security policy that is up-to-date and complies with all legal requirements.

4. Have a team in place to respond to data breaches 24/7. If a breach occurs, the No. 1 thing you can do to limit the harm is to respond to the breach immediately. An immediate response can stop the breach in its infancy, and make sure that you comply with state data breach notification statutes. Have a pre-designated team on call to respond to breaches whenever they occur, realizing that many breaches occur at night, on weekends and during holidays. Make sure that you have external resources lined up to supplement your internal “first responders” as needed.10

5. Know your contractual responsibilities if a breach arises. Many contracts with vendors, clients and customers now include provisions that assign responsibilities (or require indemnification) in the event that a data breach occurs. It’s important to understand any contractual obligations that you have assumed. It’s also important to make sure that you have adequately protected yourself from the costs of a data breach, either through contractual protections or separate insurance.

Along with the new wave of federal and state regulations, it’s important not to lose sight of the perennial risk that still lurks behind our computer screens and databases: criminal hacking and negligent losses of confidential customer data.

1 These include Sony PlayStation, Epsilon, and RSA Security. See CSO article.

2 See PC World article “Will the Real Security Threat Please Stand Up?”

3 For a small company the costs can be devastating. On March 13, 2012, Impairment Resources LLC, a company that reviews workers compensation and auto casualty claims, announced that the cost of dealing with a data breach involving 14,000 consumers had caused the company to file for Chapter 7 bankruptcy protection.

4 For example, the First Circuit decision upholding class action claims with respect to costs to obtain credit card protection insurance after the Hannaford breach in Anderson v. Hannaford Bros. Co. (Oct. 20, 2011) has widely been acknowledged as likely to increase class action litigation from such breaches and the costs arising from such breaches.

5 For details, see Bryan Cave Bulletin (February 2011).

6 Marvin Umholtz, CU Strategic Hot Topics, March 22, 2012.

7 See article “What Sony’s Security Breach Means for Prepaid Card Users.”

8 See “Insights on Global Prepaid card Usage.”

9 See The Green Sheet (February 2009).

10 For example, many companies have pre-existing relationships, or retainer agreements, with data forensic investigators who can be available to help identify the cause of a data breach, or remediate a network or IT system if it is hacked. Similarly, some law firms (including Bryan Cave) have attorneys familiar with the data security and data breach laws on call 24 hours a day in the event that their clients are victims of a data breach.