Spencer Fane LLP Logo

How Missouri’s Consumer Protection Laws Would Require Target to Respond to Its Data Breach

As you have no doubt heard by now, Target found itself in the cross-hairs of some hackers who managed to breach its payment systems and steal data pertaining to about 40 million credit and debit cards used by Target customers.  If you haven’t read about it, here’s the Reuters article, which has a pretty good blend of consumer outrage, government bloviating, and corporate stonewalling.

The laws governing corporate responses to various forms of data breaches are extensive, but I think it would be useful to take a look at Missouri’s consumer protection law that provides the proper response to data breaches.  It will serve as a helpful reminder to companies doing business in Missouri of their notice obligations and, perhaps by extension, their data security obligations.  If it helps persuade you that this is worth your attention, violators are subject to civil penalties of up to $150,000 per breach if they fail to notify the appropriate parties.[1]

Section 1500 of Missouri’s Merchandising Practices statute[2] was enacted in 2009, and it prescribes the steps one must take to notify someone affected by a data breach of consumer personal information.  Generally speaking, the statute imposes certain obligations on those who “own or license personal information of residents of Missouri” and those who simply “maintain possess records or data containing personal information of residents of Missouri that the person does not own or license.”  So first things first, we need some definitions.

First, the term consumer is a bit misleading, because it means “an individual who is a resident of this state.”  In other words, one need not buy or lease anything to be a “consumer” under the statute, unlike in the rest of the Merchandising Practices statute.  Go figure.

Second, “personal information” means an individual’s first name or initial and last name, plus, “if any of the data elements are not encrypted, redacted, or otherwise altered by any method or technology in such a manner that the name or data elements are unreadable or unusable:. . . (c) Financial account number, credit card number, or debit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account[.]”[3]  That “encrypted …” language is a bit strange if you think about it too much.  Encrypted when?  The Target data were probably encrypted before they were stolen, but hackers hacked things, and the data were probably unencrypted and usable by the time all was said and done.  Is Target outside the scope of Missouri’s statute because of that?  Did the legislature mean to exempt from the notification requirements companies who tried to protect their information through encryption but failed?  Maybe, but that would be a silly exemption to include in a consumer protection statute, so … still maybe.

Third, “breach” means “unauthorized access to and unauthorized acquisition of personal information maintained in a computerized form that compromises the security, confidentiality, or integrity of personal information.”[4]

Fourth, “owns or licenses” – this is a good one – “includes, but is not limited to, personal information that a business retains as part of the internal customer account of the business or for the purpose of using the information in transactions with the person to whom the information relates.”  That “is not limited to” language is a killer, especially since the examples of “owns or licenses” expressly given don’t really lend themselves to establishment of meaningful boundaries.  But, anyway, that’s what we have.

Okay.  So, what does the statute require in case of a data breach?  Well, if you “own or license” the compromised personal information, you must notify the consumer without reasonable delay, in a manner consistent with the needs of law enforcement and any measures necessary “to determine sufficient contact information and to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system.”  And, if you don’t “own or license” the personal information, but rather only maintain or possess records or data with the personal information?  Pretty much the same, except the “without reasonable delay” and the “determine sufficient contact information” requirements don’t apply.[5]

There are also requirements for what the notice must include – a description of the incident, a phone number for the consumer to call for further assistance,[6] things like that.  But, here’s a fun exception: the notice need not be given “if, after an appropriate investigation by the person . . . the person determines that a risk of identity theft or other fraud to the consumer is not reasonably likely to occur as a result of the breach.”  That’s very squishy.  I wouldn’t rely on it if I were Target.

The statute has some other requirements too,[7] but I won’t list them here because I want to share some good news, and I only have so much space: there is no private cause of action under the statute; only the Attorney General may enforce it.  “But,” you say, “surely some other private cause of action must lie.”  That’s what I thought too!  Maybe so, maybe not.  Here’s Magistrate Buckles:

To the extent plaintiff claims that defendant was negligent in failing to provide adequate and timely notice of the alleged security breach to its members, the undersigned notes       that the Missouri legislature recently enacted a data breach notification law[.]  A review of the statute, however, shows the Attorney General to have exclusive authority in bringing claims against data handlers for a violation of the notice requirement.  Nevertheless, at the time of the alleged breach, there existed no cause of action for the claim plaintiff now raises, in negligence or otherwise.  Nor does there currently exist a private cause of action which may be brought by a person allegedly aggrieved by such a breach.  The Court will not create a claim where one does not exist.

Amburgy v. Express Scripts, Inc., 671 F. Supp. 2d 1046, 1055 (E.D. Mo. 2009) (citations omitted, emphasis added).

I’m not as confident that the statute displaces any common law causes of action that might otherwise apply (and, indeed, perhaps a cause of action lies for failure to secure the data, rather than failure to notify of the breach), but for now, maybe Target could hang their hat on this.  Better yet, though, I bet it knows its obligations and will comply with them.  And now you can do the same.

[1] Query whether the Target attack was one breach or 40 million breaches or some other number.  The statute isn’t entirely clear, but there’s some language in the last subsection that makes me think the practical answer (if not the actual answer) is that the penalty is capped at $150,000, provided all the breaches were “of a similar nature” and “discovered in a single investigation,” which it sounds like they were.
[2] Mo. Rev. Stat. § 407.1500.
[3] Other things also count as personal information, like Social Security numbers.  But, I’m assuming that Target wasn’t keeping its customers’ socials on file.
[4] Note the serial comma in that sentence.  It has always bothered me how inconsistently the serial comma is used in the Missouri statutes.  Now it can bother you too.
[5] What do you think the purpose of that distinction is?  If a hacker gets a bunch of credit card numbers, why does the notice period depend on whether the owner of the compromised system “owns or licenses” them?
[6] The phone number requirement only applies “if one exists.”  So, in the event of a data breach, it doesn’t appear that you’re required to get a phone number or, if you have one, let people call it for assistance.  Hooray?
[7] For instance, if notice must be given to more than 1,000 consumers, the person must notify the AG’s office.