Commercial Financial Services Brief: Can My Bank Recover Costs Related to Replacing Debit or Credit Cards?


Many financial institutions are counting the costs they are incurring for replacing customer debit or credit cards as a result of recently discovered security breaches at various national retailers. These costs will be substantial for many banks. Even if a bank has not replaced and is not currently planning to replace cards, as more and more breaches come to light customer pressure will build for cards to be replaced. 

Does a bank have any options to try to recoup these costs? In 2007 Minnesota adopted a law that permits card issuers to recover their costs against retailers involved in security breaches in certain cases. Minnesota is one of three states in the country that have laws authorizing card issuers to recover some costs in the event of a breach.

Specifically, Minnesota Statutes § 325E.64 provides that a business that accepts a credit card, debit card or stored value card cannot retain the contents of the card security code, PIN verification code or the full contents of the magnetic stripe data after receiving the authorization for the transaction or, in the case of a PIN debit transaction, for more than 48 hours after receiving the authorization for the transaction.  If the business violates this restriction and a security breach occurs, the business is obligated to reimburse the financial institution that issued any card affected by the security breach for the costs of reasonable actions undertaken by the financial institution to protect cardholders’ information and continue to provide services to cardholders.  The actions of a card issuer for which reimbursement may be available include:

  • the cancellation or reissuance of any access device affected by the breach,
  • the closure of any deposit accounts affected by the breach,
  • the opening or reopening of any deposit accounts affected by the breach,
  • any action to stop payments or block transactions with respect to the deposit accounts,
  • the refunds or credits made to cardholders to cover the costs of any unauthorized transactions relating to the breach,
  • the notification of cardholders affected by the breach, and
  • the recovery of costs for damages paid by the financial institution to cardholders injured by the breach.

In addition to this law there may be other claims that might be asserted against a merchant in connection with a security breach.  If your financial institution has incurred, or anticipates incurring, costs related to any of these security breaches, whether costs of reissuance of the cards, closing accounts, refunding amounts to affected customers or providing notifications to affected consumers, you should consult legal counsel to evaluate the rights you may have, whether under this law or otherwise, to recover some or all of your costs.  If your bank decides to replace debit / credit cards as a result of this type of security breach, you will want to keep records of relevant facts involving the decision, including:

  • Documenting customer requests for card replacements,
  • Documenting the decision-making process regarding the appropriate response to such requests or the need to take a more proactive approach, such as simply replacing all cards that may have been affected,
  • Documenting the process used by the bank to respond to the breach, and
  • Documenting and tracking the costs incurred by the bank in making its response.

Written by:

Published In:

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Gray Plant Mooty | Attorney Advertising

Don't miss a thing! Build a custom news brief:

Read fresh new writing on compliance, cybersecurity, Dodd-Frank, whistleblowers, social media, hiring & firing, patent reform, the NLRB, Obamacare, the SEC…

…or whatever matters the most to you. Follow authors, firms, and topics on JD Supra.

Create your news brief now - it's free and easy »

All the intelligence you need, in one easy email:

Great! Your first step to building an email digest of JD Supra authors and topics. Log in with LinkedIn so we can start sending your digest...

Sign up for your custom alerts now, using LinkedIn ›

* With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name.