• State Attorneys General Write About CVV Numbers
  • August 10, 2017 | Authors: Christopher R. Rahl; Marjorie A. Corwin
  • Law Firm: Gordon Feinblatt LLC - Baltimore Office
A group of 15 state Attorneys General (including Maryland’s Attorney General) sent a letter to an online hosting company in response to that company’s online “frequently asked question” (FAQ) responses for online retailers. The company’s FAQs advised retailers that no customer notification would be required in specified states for data breach situations where a credit card number was accessed unless the associated card verification value (CVV) number was accessed as well.
The letter, sent on behalf of all 15 state Attorneys General by the New York Attorney General’s office, pointed out that the data breach laws of New York and the other signatory states (including Maryland) require notice when there is unauthorized access to certain personal information of a consumer plus a credit card account number “in combination with any required security code” that would permit access to a consumer’s account. The letter noted that, because some online retailers permit purchases using only a credit card number (without a CVV number), a CVV number is not “a required security code” under these states’ data breach laws, and a data breach of certain personal information plus a credit card account number without a CVV number would still require breach notification in the specified 15 states.
Maryland’s data breach law (the Maryland Personal Information Protection Act) includes a definition of “personal information” that is substantially similar to the New York definition cited by the New York Attorney General, so Maryland businesses should be mindful of the Maryland Attorney General’s position concerning this issue.
We also note that the Maryland Personal Information Protection Act was recently amended to impose additional duties on Maryland businesses (see our Maryland Laws Update 2017), but there continues to be an exemption for businesses subject to and in compliance with Section 501(b) of the federal Gramm-Leach-Bliley Act and various identified federal guidelines and guidance (e.g., depository financial institutions and their affiliates), as well as businesses in compliance with requirements established by a primary or functional federal or Maryland regulator.