Court orders CardSystems to retain breach information

Evidence needed in case of 40M exposed credit card numbers

A California state court has ordered CardSystems Solutions Inc. and three other defendants in a class-action lawsuit to preserve evidence related to a major breach of the Atlanta credit-card processor's computer systems.

The court also has set a date for CardSystems, along with MasterCard International Inc., Visa U.S.A. Inc. and Merrick Bank Corp., to argue over who bears ultimate responsibility for informing customers of the breach (see "Security breach may have exposed 40M credit cards").

The court order, issued on Tuesday by the Superior Court in San Francisco, is the latest development in what may prove to be a long-running class-action lawsuit over the highly publicized theft of credit card information at CardSystems' Tucson, Ariz., operations center. The breach was first disclosed in June.

The suit, filed shortly after the theft was revealed, claims that CardSystems was negligent in the way it maintained consumer credit data. In addition to monetary damages, the suit seeks to force CardSystems and the credit card companies to notify the California consumers whose data was compromised.

The order will make it more likely that the defendants are able to inform consumers, should the court side with the plaintiffs, according to Ira Rothken, managing partner of San Rafael, Calif.-based The Rothken Law Firm, which filed the suit.

"We don't want any Enron shredding going on," said Rothken, referring to the much-publicized fraud case at the Texas energy giant. "Any documents arising out of the security vulnerability and breach investigation at CardSystems we want preserved."

A second court order, also issued Tuesday, requires that the defendants prove that they are not responsible for notifying California residents whose information was exposed in the attack, Rothken said. CardSystems and the other companies in the case have argued that their member banks bear this responsibility, he said.

Representatives for CardSystems, MasterCard and Visa did not immediately return calls seeking comment.

Arguments will be heard on the matter on Aug. 17, and should the court rule in Rothken's favor, the four companies will "have to work together to ensure to get proper notice [to California consumers] about whether their credit card data was hacked."

CardSystems, a major credit-card transaction processor, has been roiled by revelations of the attack, which exposed as many as 40 million credit card accounts. Last month, two of its major customers, Visa and American Express Co., announced that they were terminating their CardSystems contracts because of the security lapse (see "Visa, Amex cut ties with processing firm hit by security breach").

Copyright © 2005 IDG Communications, Inc.

Shop Tech Products at Amazon