
Following record-breaking card scandal
By Joris Evers
Published: 28 September 2005 08:10 GMT
A judge has asked MasterCard and Visa to disclose details about their relationship with CardSystems Solutions, the payment processor that was the subject of a high-profile data security breach.
The information, such as contracts between the companies, should help determine whether the credit card companies have responsibility under California law to notify consumers whose personal details were exposed in the CardSystems breach, San Francisco Superior Court Judge Richard Kramer said on Tuesday during a court hearing.
CardSystems, MasterCard, Merrick Bank and Visa were sued in June on behalf of California credit card holders and card-accepting merchants. The suit seeks to test a state law that requires consumer notification after personal information stored on computers is lost, stolen or breached.
On Friday, Kramer denied a request for a preliminary injunction that would have required the credit card companies to tell individual California credit card holders that their account information was exposed in the CardSystems breach.
The digital break-in at CardSystems was publicly disclosed by MasterCard on 17 June. Intruders got access to details on about 40 million credit cards. Records of more than 200,000 cards are thought to have been transferred out of CardSystems' network. MasterCard and Visa maintain that notification responsibility falls to the banks that issue credit cards because they have direct relationships with the affected customers.
Kramer said he wants to be clear on which defendants fall under California civil code section 1798.82, the notification statute. While it is clear that the breach was at CardSystems, the law applies to entities that "own or license" personal information about Californians. Plaintiffs in the case say that includes MasterCard, Merrick and Visa.
Kramer said: "I believe we have to figure out whether indeed Visa, MasterCard and Merrick are covered by the statute. They don't seem to own the data but the plaintiffs' view is that they are operating with a licence." He ordered all parties to prepare for a trial on that matter and to exchange information.
Plaintiff attorney Ira Rothken said he was pleased with the outcome of Tuesday's hearing. "We're going to get to do some discovery and tee up the most important question in this case," he said. Rothken believes all defendants fall under the California law. "We believe they are all intimately intertwined," he said.
MasterCard, Merrick and Visa have argued that the statute does not apply to them.
Another hearing in the case has been scheduled for 24 October.
Joris Evers writes for CNET News.com
Copyright © 2008 CBS Interactive Limited. All rights reserved.