
Privacy & Data Security Alert

June 26, 2017

Fifteen Attorneys General Indicate Breach Notice Required in Card Breaches Without CVV Numbers Exposed

In a letter published on June 5, 2017, the New York Attorney General's Office ("AG") signaled a significant change in its interpretation of data breach notification laws, one that favors broader customer notification. With the support of 14 additional states' AG offices (Connecticut, Colorado, Pennsylvania, Virginia, Mississippi, Illinois, North Carolina, Kentucky, Oregon, Iowa, Arkansas, Washington, Maryland, and Minnesota), the letter asserts that companies that suffer a data breach still have an obligation to notify consumers under state statutes even when CVV numbers (the three- or four-digit card verification value printed on the card) are not exposed.

The AG's letter was a response to an FAQ that a payment vendor provided to its client retailers after the vendor suffered a data breach. In essence, the FAQ asserted that a company that has fallen victim to a data breach has a legal obligation to notify customers only if CVV numbers are stolen alongside account or credit card numbers; a card number alone, the FAQ said, does not trigger those requirements.

The Attorney General's letter rejected the FAQ's stance on the CVV notification requirement entirely, quoting the FAQ and responding: "This is not correct. The CVV number does not have to be disclosed to trigger our states' notification obligations."[1] The 15 states whose AGs were signatories all have similar breach notification laws. The nearly identical statutory language in each state requires that customers be notified when personal information is exposed along with "an account number, credit card or debit number, in combination with any required security code, access code, or password that would permit access to an individual's financial account" (emphasis in original).[2] The AG's letter asserts that because credit cards can be used without the CVV number in certain circumstances, consumers are harmed by the theft of credit card numbers alone. The letter points to Amazon.com, Freshdirect.com, Zappos.com, Victoriasecret.com, and HSN.com as examples of websites where credit cards can be used without the CVV number, supporting the AG's position that consumers remain exposed to fraud (in practice, card-not-present fraud at merchants that do not require the CVV) even when the CVV was not stolen.

Until the Attorney General's letter, the generally accepted view (and the one held in the FAQ) was that the CVV was the "required security code" referenced in the statute which, when exposed in conjunction with credit card or account numbers, would trigger the notice obligations. Indeed, the statutory language includes the phrase "in combination with," suggesting that an account number alone is insufficient to trigger notification. By contrast, the AG's letter rejects that interpretation and asserts that limiting the notice requirement to situations where CVV numbers are also exposed is a senseless distinction. Because customers under that standard are still at risk of identity theft, the AGs conclude that the CVV limitation undermines the "clear intent of the statute," which is to protect consumers from fraud.[3] The letter cites the legislative history and intent; as far as textual support goes, the AGs are likely relying on the "that would permit access to an individual's financial account" language in the statutes. By focusing on whether the stolen data permits access to the account, the AG bolsters its position that CVV exposure is unnecessary for the statute to apply in a breach that exposes card numbers but not CVVs.

By setting aside a strict textual reading in favor of legislative intent, the AG letter's interpretation increases the notification burdens on companies that are victims of a data breach by broadening the conditions under which state notification obligations are triggered. This could have significant financial and operational impact on organizations that suffer breaches. Because the PCI DSS prohibits merchants from storing the CVV after a transaction is authorized, breaches of stored cardholder data commonly expose card numbers without CVVs; many such cases, which previously would have triggered no requirement to notify affected customers, will, under the AGs' interpretation, mandate expensive and time-intensive customer notification programs. According to the AG, this is necessary so that consumers "can protect themselves" from the risks that follow a theft of credit card numbers alone.

Looking forward, this could signal that state Attorneys General will assert broader enforcement authority, looking beyond generally accepted readings of statutes toward a wider standard of consumer protection. However, this interpretation is far from settled. While 15 states signed on, 39 states have similar wording in their notification laws and have not signaled their support of the AGs' interpretation, nor has the interpretation been tested or approved by a court.

[1] Advisory Letter from the NY Attorney General's Office to Aptos Communications (June 5, 2017), available at https://dlbjbjzgnk95t.cloudfront.net/0934000/934951/hacknotice.pdf.
[2] Id.
[3] Id.

For more information, contact:

David Katz at david.katz@nelsonmullins.com or 404.322.6122
Bess Hinson at bess.hinson@nelsonmullins.com or 404.322.6606