TABLE OF CONTENTS
I. OVERVIEW
II. OPPS AND THE DATA SECURITY REGULATION LANDSCAPE
A. Online Payment Processors and Cross-Border Data Transfers
B. Territorial-Based Regulation Models
1. United States Regulation of OPPs
2. International Regulation
C. Industry-Based Self-Regulation Models
1. The Fair Information Practice Principles (FIPPs)
2. Network Advertising Initiative
3. The PCI Data Security Standard and Security Standards Council
III. DATA SECURITY REGULATION OF OPPS NEEDS TO SHIFT AWAY FROM TERRITORIAL-BASED REGULATION AND TOWARDS INDUSTRY-BASED REGULATION
A. Government Regulation is Ineffective Because it is Limited by its Territorial Jurisdiction, Which is Contrary to the Structure and Boundaries of the Internet Commerce Facilitated by OPPs. An Industry-Based Code of Conduct is the Solution to Today's Interconnected World
B. OPPs Should Merge and Adapt Self-Regulation Models Employed by Other Industries to Construct an Industry Code of Conduct.
1. An OPP code of conduct should have clearly defined principles specific to the OPP industry.
2. An OPP code of conduct should be flexible enough to take advantage of advancements in technology.
3. An OPP code of conduct should be enforceable.
IV. CONCLUSION

I. OVERVIEW
News of a data breach (1) during the last shopping days of the year can be devastating for a company. Target announced a massive data breach on December 19, 2013 that compromised up to 40 million customers' payment information from purchases made between November 27 and December 15, 2013. (2) Reports of similar data breaches at other U.S. retailers, such as at Neiman Marcus and Michaels Stores, continued to make headlines into the New Year. (3) Breaches like these are not easy to recover from, financially and otherwise, costing banks the credit and debit card replacements, costing consumers their personal information, and costing the breached businesses the resulting damages, including their customers' trust. It is no wonder Target offered 20% off at their brick-and-mortar stores to salvage what holiday sales they could in the wake of their breach.
When only one company suffers a breach, it may be because that company somehow failed to follow industry best practices for data security. (4) However, when large U.S. retailers fall victim to breaches one after the other, it signals a greater problem within the industry: the current standards employed by businesses to prevent breaches are not working. (5)
While abstinence from data collection is currently the only absolute protection (6)--if there is no data, there is nothing to breach--eliminating all data collection is not a realistic option for retailers in today's information age. (7) The data businesses collect feeds essential operations, such as processing payments and providing customer service. (8) Liability can be minimized in some industries, such as the advertising industry, by limiting the data collected to less sensitive types of information. (9) Retailers, however, often use third-party payment processors as middlemen in a transaction to collect and process financial information, so that the retailers do not have to face the liability associated with collecting that information. (10) The payment processors bear the liability (11) for the sensitive data they need to collect to operate effectively. (12)
During the sales process, the collected information is used to verify the identity of the purchaser, verify that the payment method is authentic, and verify that the necessary funds are available for the purchase. (13) Collecting that information, however, makes payment processors a target for hackers. Akin to the Target breach, Heartland Payment Services, Inc., a payment processor, suffered a breach in 2009 that compromised as many as 100 million payment card records. (14) Similarly, online payment processors (OPPs), such as PayPal, collect financial information, such as a credit card number, expiration date, and verification code, to process purchases and authorize sales online. (15) E-commerce is valued at an estimated $8 trillion per year, (16) which equates to more than ten percent of the Gross World Product. (17) While commerce is increasingly conducted online via cross-border data flows, (18) "merchants, financial institutions, and consumers all still have substantial concerns about the security of online payments ... and the privacy of personal information." (19)
Data protection standards should aim to limit possible data breaches and the damages resulting from any breaches and, at the same time, to limit the liability of companies when they are the non-offending party. Under current data-breach regulations, financial institutions--including banks, payment processors, and OPPs--bear the liability for a breach of any information they collect, even when they are not the offending party. (20) Data breach notification laws vary by state, but they all assign liability through an indirect liability regime. (21) This indirect liability regime punishes the OPP or payment intermediary, which is already a victim of the data breach, instead of punishing the actions of the actual bad actor: the hacker. (22)
Hackers can be difficult to punish because technology can obscure the hacker's identity and true location. (23) An IP address is regarded as a weak identifier to serve as evidence in a criminal case that a particular individual carried out an activity, such as illegal downloading, because an IP address merely identifies the location where a certain activity occurred. (24) A hacker's true location, though, can sometimes be found through online geo-location tools that collect more information than just the hacker's location. (25) That collected data can at times be aggregated to sufficiently identify an individual. (26) OPPs, however, should not be liable just because the true criminal may be difficult to find; instead, OPPs should be held to high standards that, if met, limit their liability in the case of a data breach.
The current data protection regime is not effective at limiting possible data breaches or OPP industry liability when a hacker gains unauthorized access to data. (27) In contrast, other legal regimes such as copyright law give OPPs a safe-harbor when third parties use OPPs to commit illegal acts. (28) For example, when distributors use an OPP to sell copyright infringing work, OPPs are not liable for those sales because OPPs do not make a material contribution to infringement by processing those sales. (29) Similarly, if OPPs meet sufficiently high data protection standards they should not be liable for unauthorized access by a hacker.
Data management compliance for OPPs is complex, costly, and ineffective because the laws are constantly evolving and still do not alleviate the concerns of merchants, financial institutions, or consumers. (30) OPPs are currently regulated under a traditional territorial-based approach, with regulations applying at the state, national, and international levels. (31) At the state level, each state has its own data breach notification law; at the national level, there is no national standard for data breach notification; (32) and at the international level, multiple countries have laws specific to data security practices within their borders. (33) Outside of formal regulations, countries and international organizations promulgate general guidelines. (34) These guidelines consist mainly of lists of basic information practice principles that are too broad to apply to specific industries, are unenforceable, and lack consensus. This traditional approach has proven ineffective for cyber regulation because it fails to adapt to online, globally connected networks. (35)
Data security regulation, especially for the OPP industry, needs to shift away from territorial-based regulation and towards industry-based regulation. This shift is best achieved for OPPs through an industry-specific code of conduct, because it encourages active participation by industry members to develop industry standards and best practices; it can be implemented more quickly than regulation; it is flexible enough to be applied internationally and nationally; it is flexible enough to adapt to changing technologies; and it takes into account the business and technological capabilities of OPPs.
First, this note provides more in-depth information on OPPs, the current territorial-based regulatory landscape for OPPs, and models of industry-based regulatory systems from other industries that should be used to create an industry code of conduct for OPPs. Second, this note analyzes the reasons behind the need for a shift away from territorial-based regulation and towards industry-based systems. Lastly, this note constructs the basics of an OPP industry code of conduct from a combination of self-regulation industry models.
OPPS AND THE DATA SECURITY REGULATION LANDSCAPE
The OPP regulatory landscape is challenging for several reasons. First, OPPs are unique because of the sensitive information they need to collect to run their business. Without information identifying the individual initiating a transaction and the relevant financial information, an OPP would be unable to process a payment. Second, the current regulation surrounding OPPs is territorial-based, which does not reflect the global nature of online commerce. Third, the self-regulation industry-based models used by other industries could be used by OPPs to address the data security challenges of their industry and to construct a code of conduct for the OPP industry.
Online Payment Processors and Cross-Border Data Transfers
OPPs process online payments using information provided by the purchaser(s) to validate financial information. For example, OPPs based in the United States collect credit card information to authorize a transaction such as the credit card number, cardholder name, expiration date, billing address, and the Card Verification Value (CVV) number...