American Medical News reported today (Feb 1, 2010) that the first lawsuit has been filed by a state Attorney General for a personal medical information privacy violation under the HITECH Act. The HITECH Act, part of the 2009 stimulus bill, was designed to strengthen HIPAA, which until then had limited penalties for violations.
If the HITECH Act itself was not enough of a wake up call, this lawsuit surely ought to be.
In mid-December, the Massachusetts Supreme Court affirmed the earlier dismissal of the case against BJ's Wholesale Club and its acquiring bank filed by credit card issuing credit unions and their insurance company for expenses incurred as a result of BJ's 2004 breach. Articles here, here, and here review the details.
The key to the dismissal of the lawsuit was the clause in the contract between BJ's and Fifth Third Bank, BJ's acquiring bank, which said, “This agreement is for the benefit of, and may be enforced only by,
(Fifth Third) and (BJ’s) … and is not for the benefit of, and may not
be enforced by, any third party.”
The court is saying that an agreement, in this case, between two parties (merchant and acquiring bank) that is well understood by the court to be part of an overall process (credit card transactions) that includes two other specific third parties (credit card issuing banks and their customers, the credit card holders) can simply agree that the benefit of their agreement does not include these other two third parties.
The opinion goes on to say (page 17) that the plaintiffs could have filed claims against Visa and MasterCard. The implication is that they did not. Why not? Perhaps the issuing banks were concerned that Visa and MasterCard would revoke their contracts to issue credit cards, a far greater loss of fees than the expenses they incurred as a result of the breach.
Or perhaps there is an understanding by issuing banks that in the case of a breach at a merchant, they are liable for their own breach-related expenses. In fact, CUMIS Insurance Society, a plaintiff in the lawsuit, insured these credit unions against losses to due fraudulent transactions.
Clearly these issuing banks bought insurance because they understood their risk and shifted it to the insurance company. Unfortunately for them, they only insured against fraudulent transactions, not the replacement of cards of customers whose credit card information was breached.
Furthermore, page 23 of the opinion states, "they [plaintiffs] continue to participate as issuers in the Visa and MasterCard system and to rely on the regulations [Visa's and MasterCard's] because the system is 99.94 per cent effective." And of course, they buy insurance to cover fraudulent transactions.
In summary, it appears that this judgment and the other similar judgments in similar cases make sense because the losses to credit card issuers and insurance companies are just part of the cost of doing business. Of course the banks and credit unions could get out of the credit card business if their losses become too high. Regarding CUMIS, if it feels its losses are too high, it can either raise its rates or exit the fraudulent credit card transaction insurance market. The bottom line is that the system is working.