Court orders CardSystems to retain breach information

SAN FRANCISCO - A California state court has ordered CardSystems Solutions and three other defendants in a class-action lawsuit to preserve evidence relating to a major breach of the Atlanta, Ga., credit-card processor's computer systems.

The court also has set a date for CardSystems, along with MasterCard International, Visa USA and Merrick Bank Corp., to argue over who bears ultimate responsibility for informing customers of the breach.

The court order, issued on Tuesday by the Superior Court of the State of Calif. in San Francisco, is the latest development in what may prove to be a long-running class-action lawsuit over the highly publicized theft of credit-card information at CardSystems' Tucson, Ariz., operations center, which was first disclosed in June.

The suit, filed shortly after the theft was revealed, claims that CardSystems was negligent in the way it maintained consumer credit data. In addition to monetary damages, the suit seeks to force CardSystems and the credit-card companies to notify California consumers whose data has been compromised.

Tuesday's order will make it more likely that the defendants are able to inform consumers, should the court side with the plaintiffs, according to Ira Rothken, managing partner of San Rafael, California-based The Rothken Law Firm, which filed the suit.

"We don't want any Enron shredding going on," said Rothken, referring to the much-publicized fraud case at the Texas oil giant. "Any documents arising out of the security vulnerability and breach investigation at CardSystems, we want preserved."

A second court order, also issued Tuesday, requires that the defendants prove that they are not responsible for notifying California residents whose information was exposed in the attack, Rothken said. CardSystems and the other companies in the case have argued that their member banks bear this responsibility, he said.

Representatives for CardSystems, MasterCard and Visa did not immediately return calls seeking comment.

Arguments will be heard on this matter on Aug. 17, and should the court rule in Rothken's favor, the four companies will "have to work together to ensure to get proper notice (to California consumers) about whether their credit card data was hacked."

CardSystems, a major credit-card transaction processor, has been roiled by revelations of the attack, which exposed as many as 40 million credit card accounts. Last month, two of its major customers, Visa and American Express Co. announced they were terminating their CardSystems contracts because of the security lapse.

REFERENCES:
Lawsuit filed over CardSystems data breach, Jun. 28, 2005
Visa, Amex cut ties with CardSystems due to breach, Computerworld (US), Jul. 22, 2005
Stolen records in latest breach were improperly kept, Jun. 20, 2005