Court dismisses lawsuit in merchant data breach case

23.06.2006
Security analysts have for some time now been warning that companies could find themselves becoming targets of costly lawsuits for information security failures. But so far at least, it has been mostly the plaintiffs who've lost the few cases taken to court.

The latest example is a U.S. District Court's decision late last week to throw out a lawsuit filed by the Pennsylvania State Employees Credit Union (PSECU) against Fifth Third Bancorp. of Cincinnati.

The Harrisburg-based PSECU hoped to recover US$100,000 it spent on cancelling and reissuing 235,000 Visa credit cards compromised in a security breach at BJ's Wholesale Club of Natick, Mass. in 2004.

PSECU had argued that Fifth Third was liable for the costs because it was the bank responsible for processing card transactions for BJ's and should have ensured the merchant was complying with Visa's security requirements.

PSECU's original lawsuit for breach of contract and negligence also included BJ's. But all of PSECU's claims against BJ's and three of its claims against Fifth Third bank were dismissed last October by the court in Harrisburg.

The same court threw out the one remaining claim against Fifth Third last Friday, saying that PSECU wasn't a third-party beneficiary to the contract between Fifth Third and Visa and was therefore not entitled to seek any card reissuance costs.

"PSECU is at most an incidental beneficiary of the member agreement between Visa and Fifth Third, but an incidental beneficiary has no right to enforce a contract," District Judge William Caldwell wrote in his opinion. "Needless to say, I'm disappointed with the court's ruling," PSECU president Greg Smith said in an e-mailed comment. "It's a little frustrating to know that PSECU was the one party in this situation that kept its word [and] honored its contracts, but when someone else didn't, we're still the one to pay," he said.

As a result of the BJ's breach, Fifth Third has paid close to $900,000 in fraud-related charges to several credit card issuers, according to court documents.

"The court seems to be saying that the Visa system provides relief for issuers who suffered fraud losses but Visa won't cover the costs of reissuing cards, which is the best defense against fraudulent charges," Smith said.

Stephanie Hagen, a spokeswoman for Fifth Third, said the bank does not comment on litigation issues.

The PSECU is one of several institutions that have filed claims over the BJ's breach. Others include the CUNA Mutual Group, Sovereign Bank and Banknorth NA.

The case highlights how "there really is a high barrier for plaintiffs to bring these kind of lawsuits," said Ethan Preston, an attorney with Kamber & Associates LLC in New York.

"It's unfortunate because there is a lot of harm that can be caused because of negligent security," he said. "But if you look at the legal basis behind the decision it is not entirely unexpected."

In fact, there are at least two other cases where similar claims have been rejected by courts, he said.

In February, a U.S. District Court in Minnesota dismissed a lawsuit brought by an individual whose personal data -- and that of over 550,000 individuals -- had been compromised when a laptop containing the information was stolen from an employee at Brazos Higher Education Service Corp. of Austin, Texas. The individual claimed that Brazos was negligent in securing the data because it had not been encrypted. The court dismissed the claim, saying that Brazos had not violated any of its security obligations under the Gramm-Leach-Bliley Act.

Similarly, last September, a federal court dismissed a class action lawsuit against TriWest Healthcare Alliance of Phoenix. The class action members claimed that they were harmed because TriWest was negligent in allowing several hard disks containing personal information to be stolen from one of its facilities in 2002. The incident exposed personal information on over 500,000 military personnel.

The court threw out the case, saying it was unclear whether any of the personal data had actually been accessed by the criminals who stole the disks.

The cases show the need for an updating of existing liability laws, Preston said. "We don't quite have the laws yet that make people liable for security as a matter of statutory law," he said.