Q: I have been told that if a thief breaks into our office and steals or copies the hard-copy profiles with client credit card information, we are legally required to notify the clients that someone may have taken their personal information. Is that correct? Do we have to report the theft to the police? What if a computer hacker accesses the GDS using an employee's login and copies profiles or issues a bunch of tickets using our clients' credit card numbers?
A: Since 2002, 46 states and the District of Columbia have adopted "security breach notification laws" requiring that you notify the cardholders and law enforcement authorities of theft of personally identifiable information, including names and credit card numbers. At present, only Alabama, Kentucky, New Mexico and South Dakota have no such laws.
California was the first state to adopt such a law, and its statute has served as a model for many other states. However, under California's law, none of the scenarios that you describe would trigger the notification requirements of the law, so what you have been told is not correct.
First, the law applies only to computerized databases. So if someone steals hard-copy profiles, the law does not require you to notify clients, although it might be a good business practice to do so. As an aside, the ARC Agent Reporting Agreement requires that an agency treat credit card data "in a secure and confidential manner, disclosing it only to those to whom it is contractually bound to do so," so you would be violating the ARC agreement if you did not at least keep your profiles locked up.
Second, if your client's information is taken out of the GDS or used to issue tickets, the California law would not apply because credit card information in the GDS is, as far as I know, "encrypted," and the law applies only to unencrypted data. The word "encrypted" means unreadable unless you have a separate program or password that enables your computer to render the data readable by a human.
On the other hand, if you keep your profiles in an unencrypted database on your computers, such as an Excel or PDF file, you would need to follow the notification requirements of statutes such as California's law if a hacker or former employee acquired the credit card numbers, expiration dates and security codes. Those laws require that you send a very detailed paper or email notice to each client whose data was accessed and that you report any large-scale theft to law enforcement authorities.
Because such a notice would undoubtedly be embarrassing to you and generate ill will, it is a good idea to take steps to prevent unauthorized access in the first place by refraining from storing credit card data in any unencrypted computer file. If you have your own merchant account, your agreement with your bank probably prohibits such storage anyway.
Of course, not all of the 47 statutes are identical, so it is possible that your state's law does not contain the exemptions covered here and that the notification requirements would apply. For example, the laws of Texas and New York apply to encrypted data, as well, and Massachusetts' statute covers paper records, too.
One good place to start finding the requirements of your state is at www.perkinscoie.com/statebreachchart.
Mark Pestronk is a Washington-based lawyer specializing in travel law. To submit a question for Legal Briefs, email him at [email protected].