Isn’t this illegal?

Ok, I know I’ve got a couple of lawyers that read this. Consider this an open question.

You might have heard recently that CardSystems, a third-party company hired by Visa, MasterCard, Discover, etc. to do transaction processing, was a hacker victim. Potentially 40 million credit card numbers, security codes, and names were compromised.

More recently, it has been revealed that CardSystems wasn’t just at fault for having inadequate security — they weren’t even supposed to be storing the data in the first place. Their contract with MasterCard, for instance, says that the stolen information was not to be retained after the transaction was completed. The CardSystems CEO stated that they were keeping the data for “research purposes.”

Worse, the data was stored in an unencrypted system that was accessible from outside the company’s network.

But let’s go back to the “research purposes” point. Ok, sure, MasterCard et al. have an easy opportunity to go after CardSystems for breaching their contract. But what about the people involved? Forget, for the moment, the fact that CardSystems was hacked and millions of credit cards have potentially been sold to thieves. Isn’t the “research” itself a violation of the cardmember’s privacy rights?

Yes, I have a Visa card. Which of course means I have a contract with Visa. I’m ok with that. But I do not have a contract with CardSystems. To the best of my knowledge, I haven’t given them permission to use my information at all. Now assume that my card was one of the ones on CardSystems’ system (which it might be). The fact that CardSystems has collected my information is almost as worrisome as the possibility that the hacker has collected my information. They have no right to my information.

So the question here is, do the cardholders (as opposed to the credit card companies) have the right to any legal measures in this matter? What are the odds we’re going to see a class-action suit unfold?
