Written by Anne Kierig and Jim Halpert

In a move that affects businesses that suffer breaches of credit card data, 15 State Attorneys General took the position in a letter released Monday that a data breach of state resident name plus payment card number alone without acquisition of the card’s CVV number is “personal information” sufficient to trigger a notification obligation in their states.  This clarification by the 15 state AGs may affect the way companies secure financial account number data.

In the letter to Aptos, Inc., in response to a “FAQ” circulated by the company, the AGs of New York, Connecticut, Colorado, Pennsylvania, Virginia, Mississippi, Illinois, North Carolina, Kentucky, Oregon, Iowa, Arkansas, Washington, Maryland, and Minnesota wrote that Aptos was incorrect in its view that “there is no obligation to notify in those states – ‘the account number plus CVV’ states – if your customers’ CVV data was not exposed”. The AGs clarified unequivocally, “The CVV number does not have to be disclosed to trigger our states’ notification obligations.”

As an example, the Attorneys General cited New York data breach law, which provides for notice when personal information plus an “account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account” is acquired by a unauthorized third party.[1]  The AGs stated, “A CVV code is not ‘any required security code’ because a credit card owner, and thus an identity thief, can use a credit card without it.”  While this is typically not true of remote transactions in the U.S., the AGs provided examples of several popular websites that they say do not require a CVV to make a purchase.

Many businesses have held the view that identity theft or fraud could not occur absent acquisition of the credit card number and the CVV.  Accordingly, if the CVV was not acquired, they had thought a notification obligation would not be triggered.  Companies expend substantial resources securing personal information that could potentially cause harm if acquired by a bad actor.  The AGs’ letter may change the way companies protect payment card data elements without CCV code with regard to customers in these 15 states and elsewhere.



[1] N.Y. Gen. Bus. Law § 899-aa(1)(b)(3) (emphasis added).  The fourteen other states whose AGs signed the letter have virtually identical language in their data breach statutes.