Seventh Circuit Affirms District Court Decision that "Electronically Printed" Receipts Under FACTA Do Not Include Receipts Emailed to Consumers

On August 10, 2010, the U.S. Court of Appeals for the Seventh Circuit upheld an earlier ruling by the Northern District of Illinois Eastern Division that email order confirmations are not “electronically printed” receipts under the Fair and Accurate Credit Transactions Act (“FACTA”) amendments to the Fair Credit Reporting Act. Shlahtichman v. 1-800 Contacts Inc., Case No. 09-4073 (7th Cir.; Aug. 10, 2010) is available here. The court affirmed the dismissal of Shlahtichman’s complaint against 1-800 Contacts Inc. that involved an electronic order confirmation containing Shlahtichman’s credit card expiration date.

No job? Bad credit? No problem! (In Illinois.)

Illinois recently enacted legislation that broadly restricts a private employer from using credit reports regarding job applicants or current employees. Subject to certain exceptions, an employer may not inquire about, order, or obtain a job applicant’s credit report, or fail or refuse to hire or recruit an individual based on the individual’s credit report or history. With respect to current employees, an employer may not discharge or otherwise discriminate against an employee because of the employee’s credit history or credit report. The law also prevents an employer from requiring an applicant or employee to waive any rights under the new law and prohibits retaliatory and discriminatory acts by the employer. Importantly, the law creates a private right of action for an individual to seek injunctive relief and damages and provides for prevailing-party attorneys’ fees.

If You Let Them Build It, They Will Come: Regulatory Agencies Release Model Privacy Notice Online Form Builder

More than five months ago, eight federal regulatory agencies released their final model privacy notice form (“Model Form”) (which we blogged about here) to help financial institutions satisfy the disclosure requirements established by the Gramm-Leach-Bliley Act (“GLBA”) and help consumers understand how these institutions collect and share their information. On April 15, 2010, those same agencies attempted to ease the burden of completing the Model Form by releasing an Online Form Builder.

Bellwether or Bust? Washington Governor Signs Payment Card Data Breach Liability Provisions Into Law

On March 22, 2010, Washington Governor Christine Gregoire signed H.B. 1149 into law, making her state the second behind Minnesota (see our post here) to hold businesses and governmental entities responsible to financial institutions for certain costs arising from payment card information breaches. As of July 1, entities that process more than 6 million credit or debit card transactions annually (referred to in PCI parlance as “level 1” merchants) and that fail to reasonably safeguard card information can be required to reimburse financial institutions for the costs related to the re-issuance of cards, as well as attorneys’ fees and costs, in the event that a security breach involving payment card information is a proximate result. H.B. 1149 also includes a provision to make vendors of card processing software and equipment liable to financial institutions for these costs to the extent such damages are proximately caused by the vendor’s negligence. The amount of such damages, of course, will depend on the particular breach.

We'll Give You (and Your Friends) a Hoodie to Go Away: Class Settlement in FACTA Truncation Lawsuit Receives Preliminary Approval

On February 3, 2010, Chief Judge Gary L. Lancaster of the U.S. District Court for the Western District of Pennsylvania preliminarily approved a class action settlement between Aramark Sports, LLC and a class of approximately 5,000 customers who made credit or debit card purchases from stores at PNC Park in Pittsburgh, Pennsylvania between March 24, 2009 and April 23, 2009. If approved at a final class action fairness hearing scheduled for April 5, 2010, the proposed settlement filed in Hanlon v. Aramark Sports, LLC, No. 09-cv-465 (W.D. Pa. Feb. 3, 2010), would resolve allegations made by the plaintiffs that Aramark violated the Fair and Accurate Credit Transactions Act’s (“FACTA”) truncation requirements by electronically printing receipts that contained (a) more than the last 5 digits of the plaintiffs’ credit or debit card numbers and/or (b) the expiration date of such cards. See our posts here and here for information about cases alleging similar violations of FACTA’s truncation requirements.

District Court Rules E-mail Order Confirmations Not Subject to FACTA

We have written several times about courts (and Congress) helping to define the scope and applicability of certain provisions of the Fair and Accurate Credit Transactions Act (“FACTA”) amendments to the Fair Credit Reporting Act. One provision that has been frequently litigated, 15 U.S.C. § 1681c(g), involves FACTA’s so-called truncation requirements for printed transaction receipts. On December 2, 2009, in Shlahtichman v. 1-800 Contacts, Inc., 2009 U.S. Dist. LEXIS 112379 (N.D. Ill. Dec. 2, 2009), Judge John W. Darrah of the Northern District of Illinois Eastern Division held that FACTA’s prohibition against the electronic printing of a debit or credit card’s expiration date on receipts was inapplicable to e-mail order confirmations (decision available here).

Innocent Mall Shoppers, You're Off the Hook: Federal Agencies Release Model GLBA Privacy Notice Form

On November 17, 2009, eight federal regulatory agencies released their final model privacy notice form that is intended to make it easier for consumers to understand how financial institutions collect and share information about them. The model privacy notice form, which features a version that offers consumers an opt-out and one with no opt-out, represents the culmination of extensive research and testing by the various agencies, which included a nationwide mall-intercept study (see our previous post here), and their analysis of public comments on the model form first proposed on March 29, 2007. The agencies’ efforts in this regard were spurred by the Financial Services Regulatory Relief Act of 2006, which amended the Gramm-Leach-Bliley Act (“GLBA”) and called upon the federal financial services agencies to jointly propose a succinct and comprehensible format for GLBA privacy notices.

Red Flags and Address Discrepancies FAQs

On Thursday, the staff of the Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, National Credit Union Administration, Office of the Comptroller of the Currency, Office of Thrift Supervision and the Federal Trade Commission issued a set of Frequently Asked Questions (FAQs) to assist financial institutions, creditors, users of consumer reports, and card issuers in complying with the Red Flags and Address Discrepancies Rules under FACTA.  Among the answers to the FAQs:

  • Although there is no specific record retention requirement under the Rules, covered entities must be able to demonstrate that they have complied with the requirements of the Rules;
  • All banks, savings associations, and credit unions are covered by the Red Flags Rules as “financial institutions,” whether or not they hold a transaction account belonging to a consumer;
  • The Red Flags Rules do not apply to the foreign branches of U.S. banks but, as a matter of safety and soundness, financial institutions are strongly encouraged to implement an effective identity theft prevention program throughout their operations, including in their foreign offices, consistent with local laws;
  • “Covered accounts” include accounts established in the U.S. by non-U.S. residents;
  • A broker, dealer, investment advisor, or investment or insurance company that is a “financial institution” or “creditor” under the FCRA is covered by the Red Flags Rules, including any such entity that is a subsidiary of a bank or savings association;
  • Corporate credit unions are covered by the Red Flags Rules;
  • If a consumer loan is purchased by another financial institution or creditor, then that entity becomes responsible for applying its Identity Theft Prevention Program to the loan as an existing covered account;
  • The Address Discrepancy Rules only apply to notices of address discrepancy received from an NCRA (Experian, Equifax, and TransUnion). However, a notification of address discrepancy received from an entity that is not an NCRA may be a red flag for purposes of the Red Flags Rules;
  • If a consumer withdraws his or her application to open a new account, a user of a consumer report that receives a notice of address discrepancy need not take steps to establish a reasonable belief that the consumer report relates to the consumer.

For more, check out the FAQs here, and our prior discussions of the Red Flags and Address Discrepancy Rules here.

FINRA Fines Member Firm $175,000 for Failure to Protect Confidential Customer Information

The Financial Industry Regulatory Authority (FINRA) announced on April 28, 2009 that it had fined Centaurus Financial, Inc., of Anaheim, California, $175,000 for Centaurus’s failure to protect confidential customer information. FINRA also required Centaurus to send notifications to affected customers and their brokers, provide one year of credit monitoring at no cost to the affected customers, and certify to FINRA that its procedures and systems are in compliance with privacy requirements. See FINRA News Release (April 28, 2009).

Feud of the Forms -- The Battle of The GLBA Notices

The U.S. Securities and Exchange Commission (“SEC”) announced on April 15, 2009 that it is reopening the period for public comment on proposed amendments to Regulation S-P, the SEC’s Gramm-Leach-Bliley Act (“GLBA”) implementing regulations. The SEC’s announcement follows the release of a report detailing the results of the second phase of the Interagency Notice Project (“INP”). The report by Drs. Alan Levy and Manoj Hastak, Consumer Comprehension of Financial Privacy Notices, uses the results of a mall-intercept study to compare the performance of a prototype financial privacy notice developed by the Kleimann Communication Group (“KCG”) during the first phase of the INP against three alternative notices. The Levy-Hastak report, among other things, confirms what proponents of the INP suspected – some GLBA privacy notices are largely ineffective in conveying information to consumers that allows them to make rational decisions about the sharing of their personal financial information.

Florida Cases Remind Retailers that Printing Expiration Dates after Enactment of the Receipt Clarification Act Violates FACTA

The Fair and Accurate Credit Transactions Act (“FACTA”) amendments to the Fair Credit Reporting Act prohibit, among other things, the printing of expiration dates on receipts presented to credit or debit card holders.  Two recent cases from the U.S. District Court for the Southern District of Florida, Smith v. Zazzle.com, Inc. (see our blog post here) and Smith v. Under Armour, Inc., reject prior holdings that the term “print” is broad enough to encompass the information included when a seller electronically transmits a receipt.  These cases also make clear, as we stated in our June 18, 2008 post, that businesses printing expiration dates after the June 3, 2008 enactment of the Credit and Debit Card Receipt Clarification Act of 2007 (“Clarification Act”) are violating FACTA’s truncation requirements. In fact, the Zazzle.com case specifically mentions that the Clarification Act does not apply because the conduct complained of occurred after the Act’s enactment.

The Clarification Act, which shielded from a finding of willful noncompliance with FACTA any business that printed an expiration date on a cardholder receipt between December 4, 2004 and the enactment of the Clarification Act, did not completely eliminate the statutory requirement to not print expiration dates on cardholder receipts.  Accordingly, businesses that print expiration dates on such receipts after June 3, 2008, even when card numbers are properly truncated, may incur liability under FACTA.

District Court Rules FACTA Inapplicable to Online Receipts

On December 8, 2008, in Smith v. Zazzle.com Inc., No. 08-22371-CIV-KING, 2008 U.S. Dist. LEXIS 101050 (S.D. Fla. Dec. 9, 2008) Judge James Lawrence King of the Southern District of Florida held FACTA’s credit card number truncation requirement inapplicable to receipts displayed on-screen or printed by online customers.  Judge King dismissed the case on this basis (the order is available here).  The order contradicts one last year in the same district, Grabein v. 1-800 Flowers Inc., No. 0722235 (S.D. Fla. Jan. 29, 2008) (reported here), but is consistent with three other Southern District of Florida cases: Grabein v. Jupiterimages Corp., No. 07-22288 (S.D. Fla. July 7, 2008), Haslam v. Federated Dep't Stores Inc., No. 07-61871 (S.D. Fla. May 16, 2008) and Edwin King v. Movietickets.com, No. 07-22119 (S.D. Fla. Feb. 13, 2008).

Red Flag Alert -- Compliance Deadline is November 1, 2008

According to regulations published by the Federal Trade Commission and the federal banking agencies, covered companies that hold any customer accounts must implement identity theft prevention programs that identify and detect “Red Flags” signaling possible identity theft.  Companies establishing such programs must create policies and procedures not only to recognize and detect Red Flags, but also to respond to Red Flags by preventing or mitigating potential identity theft. Furthermore, companies must develop reasonable policies and procedures to verify the identity of a customer opening an account, and must also periodically update their identity theft programs.  The rules went into effect on January 1, 2008, and businesses must comply by November 1, 2008.  You can read more about Red Flags in this Client Alert.

Expiration Date Imminent for Many FACTA Class Actions

New amendments to the Fair and Accurate Transactions Act (“FACTA”) (itself an amendment to the Fair Credit Reporting Act (“FCRA”)) bar consumers from alleging willful violation and seeking statutory damages based on the printing of credit card expiration dates on receipts where the account number is otherwise properly truncated in accordance with FACTA. This development means the end is near for scores of class action lawsuits filed last year.

FACTA prohibits the printing of more than five digits of a credit or debit card number or the expiration date on receipts provided to a customer. Since December 4, 2006, consumers have filed hundreds of suits against merchants who allegedly printed a truncated account number and the expiration dates on receipts, arguing that those merchants “willfully” violated FACTA, and seeking $100 to $1,000 for each violation. At least one court has interpreted FACTA to apply to electronic receipts as well as printed ones.

SEC Seeks to Better Protect Investors' Privacy With Proposed Amendments to Regulation S-P

In light of growing concerns over identity theft, data breaches, and the hacking of online brokerage accounts, the Securities and Exchange Commission (“SEC”) has recently proposed new amendments to Regulation S-P – the SEC’s existing privacy rules mandated under the Gramm-Leach-Bliley Act. The SEC’s unanimous approval of these proposed rules signals the Commission’s desire to more closely align its privacy guidelines with those of the Federal Trade Commission (“FTC”) and the Federal Banking Agencies, which adopted data breach notice rules in 2005. For regulated companies, however, the amendments could mean additional costs and liabilities.

Seller Beware: Florida district court rules that FACTA applies to electronic receipts and receipts printed in stores

The Southern District of Florida has held that the Fair Credit Reporting Act (FACTA) applies to both electronic receipts from online purchases and receipts printed in stores. In Grabein v. 1-800-Flowers.com, Inc., 07-22235-CIV, 2008 WL 343179 (S.D. Fla. Jan. 29, 2008), Plaintiff filed a class action lawsuit after he used a credit card to purchase flowers through Defendant’s website and received a receipt that contained both Plaintiff’s truncated credit card number and the card’s expiration date. Plaintiff alleged that printing both pieces of information violated FACTA, which provides:

No person that accepts credit cards or debit cards for the transaction of business shall print more than the last five digits of the card number or the expiration date upon any receipt provided to the cardholder at the point of the sale or transaction. 15 U.S.C. § 1681c(g).

Court Rules that Legitimate Privacy Concerns Do Not Outweigh SEC's Interest in Discovering Relevant Financial Records in Backdating Matter

Balancing privacy and evidentiary interests in a stock option backdating matter, the Northern District of California held on June 11, 2007 that the SEC’s interest in obtaining banking account information of defendant Gregory Reyes, ex-CEO of Brocade Communications, outweighs Reyes’ financial history privacy interests. SEC v. Reyes, No. C 06-04435 CRB (N.D. Cal. 2007).

In discovery, Reyes produced "highly redacted" information relating to his transactions. The SEC then issued subpoenas duces tecum to Merrill Lynch and Deutsche Bank, seeking information about Reyes’ accounts. Reyes responded with a motion to quash the subpoenas, arguing that he had already disclosed all information relating to his transactions in Brocade, and that his privacy interest outweighed the SEC’s interest in obtaining additional non-Brocade information.

When Reckless Means Willful - High Court Issues Landmark Decision Under the Fair Credit Reporting Act

Since December 4, 2006, consumers have filed dozens of class actions against retailers and other businesses across the country alleging “willful” violations of the Fair and Accurate Credit Transactions Act (“FACTA”) amendments to the Fair Credit Reporting Act (“FCRA”), prohibiting the printing of more than five digits, or the expiration date, of a credit card on receipts provided to the customer. Defendants in those cases have been waiting anxiously for the Supreme Court to rule in Safeco Insurance Co. of America, et al. v. Burr, et al. 551 U.S. _____ (2007), a factually inapposite matter in which the Court granted certiorari to determine whether “reckless disregard” suffices for willfulness under the statute. In a decision that raises as many questions as it answers, the Supreme Court held on June 4, 2007 that “reckless” failure to comply with FCRA can be considered willful. The Court’s opinion begs the question whether it was objectively reasonable for retailers to continue the printing of expiration dates on customer receipts after FACTA took full effect.


SEC Ratchets Up Privacy Enforcement Under Regulation S-P

Broker-dealer firms are well advised to review and update their privacy policies, in light of the Securities and Exchange Commission’s (“SEC”) recent enforcement and investigation activities arising from Regulation S-P.

According to trade press, recently the SEC informed one independent broker-dealer firm, Next Financial Group, Inc. of Houston, Texas, that it may file a “privacy” suit under Regulation S-P. The suit would be based on the practice, which Next maintains is common among independent broker-dealer firms, of requiring broker recruits from other firms to provide Next with customer information in anticipation of the move. According to the press, the SEC contends that before the brokers left their firms to join Next, they should have asked clients for their consent to use any information at the new firm. Alternatively, Next should have only required brokers to provide this information if the brokers’ prior firms had stated in their privacy policies that departing brokers may take certain customer information to competing firms (and the particular consumers had not opted-out of this policy). The SEC is reportedly considering suing Next for violations of Regulation S-P, as well as for aiding and abetting the violations by the brokers it recruited.  

 

Federal Regulators Propose Federal Privacy Notice and Seek Comments

On March 21, 2007, eight federal regulatory agencies (“Joint Agencies”) with jurisdiction over Gramm-Leach-Bliley Act (“GLBA”) regulated “financial institutions” issued an interagency proposal for a new model privacy form. The proposal is the result of a lengthy process the Joint Agencies began in 2001 to improve the format of GLBA privacy notices to make them more comprehensible to consumers. In addition to a lack of clarity, the Joint Agencies and consumer and privacy advocates have been concerned about the length of notices and the overuse of legal terms. 

Section 503 of the GLBA, 15 U.S.C. § 1603, and current rules require financial institutions to provide their customers with a notice that describes, among other things, how they protect nonpublic personal information, the categories of nonpublic personal information collected, the affiliates and the nonaffiliated third parties to whom such information is disclosed, and a description of the customer’s right to prevent certain disclosures to nonaffiliated third parties. These notices must be provided at the outset of the institution’s relationship with a customer and, in the case of long-standing relationships, on an annual basis. Current rules do not mandate a standard format or particular wording for the notices; however, they provide sample clauses that financial institutions can use to satisfy the notice requirements.
