June 16, 2017 - Earlier this year an ecommerce hosting company by the name of Aptos suffered a data breach in which consumer credit card numbers and names were made public. But the security codes, commonly referred to as CVVs, for the credit cards were not exposed. Because of this, Aptos publicly stated that data breach notifications to affected consumers weren't necessary. But yesterday Attorneys General in 15 states issued a letter warning the company that consumers in their states did need to be notified even in cases where CVV information wasn't compromised. The warning is likely to impact the way that companies experiencing a data breach handle consumer notifications nationwide.
For years, many companies have taken the position that breaches which include a credit card number but not the CVV don't require notification. The reason for this is that most online retailers require a CVV to complete a purchase. But the letter issued on Thursday states very clearly that this isn't the case for all online retailers.
The joint letter was issued by state AGs in Arkansas, Connecticut, Colorado, Illinois, Iowa, Kentucky, Maryland, Minnesota, Mississippi, Pennsylvania, New York, North Carolina, Oregon, Virginia and Washington.
The new position by these states means that online retailers now need to take extra precautions when storing consumer credit card data. Storing CVV data separately, or not at all, will no longer protect them from data breach notification laws in these states. And it is quite likely that other states will take the same position.
by Jim Malmberg