2017 GNYADA Membership Directory

“deleted” by the user. The FTC has advised that consumer information should be retained only for the period during which it is actually needed, and then securely destroyed. Adopt and follow a strict consumer records retention and destruction policy at your dealership. Also, the Disposal Rule requires due diligence and supervision of your records disposal company as well. Records destruction procedures should be included as a part of a dealership’s Information Security Program and followed systematically.

Additionally, the Fair Credit Reporting Act (“FCRA”) prohibits printing more than the last five digits of a credit or debit card number or the card’s expiration date on any electronically printed card transaction receipt. Damages for doing so are $100 - $1,000 per receipt for willful violations (generally a knowing or reckless violation) with no cap on damages in a class action. MasterCard and Visa can also assess fines starting at $5,000 for the first violation and going up from there. Make sure your card processing machines are set up to not print any more than the last five numbers and do not print the card’s expiration date as this has been a source of many class actions.

States are also enacting strict data security laws that apply to all organizations that maintain information about their residents. For example, some states:

• Require the development of a comprehensive written information security program, and the encryption of all personal information stored on laptops and portable devices or transmitted wirelessly or across public networks. Employee access must be limited and paper records must be locked up.
• Require compliance with the Payment Card Institute Data Security Standard (“PCI-DSS”) for credit and debit card information and transactions.

Credit and Debit Cards

Card issuers have sued merchants who are breached to recover their cost of paying losses on stolen cards as well as the cost of notice and reissuance of new cards. These costs will increase as, effective October 1, 2015, cards with computer chips will begin replacing magnetic stripe cards – and the cost of producing a chip card well exceeds the cost of producing a magnetic stripe card. The use of chip cards also requires more sophisticated card readers that can read a random code generated by the device. If you do not have and use such a chip card reader after October 1, 2015, you face the risk of being liable for a fraudulent transaction committed using a chip card.

Plaintiffs in data breach cases have also been more successful recently in avoiding having class actions dismissed at the outset. In one case in the federal Seventh Circuit, a merchant compromise of 350,000 cards was followed by 9,200 customers having incurred fraudulent charges to their accounts. The court indicated “there are identifiable costs associated with the process of sorting things out” – the aggravation and loss of value of the time needed to set things straight (get replacement cards, etc.), to reset payment associations after card numbers are changed, and to pursue relief for unauthorized charges. With respect to the plaintiffs who have not yet seen fraudulent charges on their accounts, the Seventh Circuit said those plaintiffs had standing because there was a “substantial risk” of future harm. This alleged actual injury was enough to let the class action against the merchant go forward. The remaining victims were also required to spend time and money replacing cards, fighting off fraudulent charges, and monitoring their credit scores. This too was considered sufficient for the class action to proceed.

STATE DATA SECURITY LAWS

HOT TOPICS
