On August 7, 2014 the PCI Security Standards Council issued new guidance to supplement PCI DSS Requirement 3.0 and help organizations reduce the risks associated with entrusting third-party service providers (“TPSPs”) with consumer payment information. More and more merchants use TPSPs to store, process and transmit cardholder data or manage components of the entity’s cardholder… Continue Reading
The California Supreme Court held on February 4, 2013 that the provision of the Song-Beverly Credit Card Act of 1971 (the “Act”) prohibiting retailers from requesting personally identifying information as a condition to processing credit card transactions does not apply to online purchases of electronically downloadable items. (Apple v. Super. Ct., S199384, Case No. B238097.)… Continue Reading
Earlier this month, the Securities and Exchange Commission (“SEC”) instituted public administrative and cease and desist proceedings against eBX, LLC (“eBX”), a broker-dealer registered with the SEC. eBX operates LeveL ATS, an alternative trading system (“ATS”) known as a “black pool,” which is a proprietary market where traders may exchange large blocks of stock with… Continue Reading
‘Patco Construction Co., Inc. v. People’s United Bank’ ‘online banking’ authentication
On April 7, 2011, the SEC announced that it had imposed fines of $20,000 each against the former president of a broker-dealer and a former broker for their actions in transferring customer information to a new firm as the defunct firm wound down. The SEC also fined the brokerage firm’s former chief compliance officer $15,000 for compliance failures and security breaches that took place at the defunct firm, some dating back to 2005. Visit our blog to learn more.
On Thursday, October 28, 2010, the PCI SSC promulgated version 2.0 of its Data Security Standard and its Payment Application Data Security Standard (“PA DSS”).
In a decision filed September 27, 2010, the U.S. Court of Appeals for the Ninth Circuit reversed a California district court’s refusal to certify a class action alleging violations of the Fair and Accurate Credit Transactions Act (“FACTA”). The Ninth Circuit ruled that none of the three grounds advanced below – the disproportionality between the potential liability and the actual harm suffered, the enormity of the potential damages, or the defendant’s good faith compliance with FACTA after being sued – justified denying class certification on superiority grounds. The Ninth Circuit’s decision narrows, if not eliminates, the potential for disagreement among district courts on an issue that has for some time been a fly in the ointment for class action plaintiffs (and their attorneys) hoping for big paydays on account of harmless technical violations of FACTA.
On August 10, 2010, the U.S. Court of Appeals for the Seventh Circuit upheld an earlier ruling by the Northern District of Illinois Eastern Division that email order confirmations are not “electronically printed” receipts under the Fair and Accurate Credit Transactions Act (“FACTA”) amendments to the Fair Credit Reporting Act. Shlahtichman v.1-800 Contacts Inc., Case… Continue Reading
Illinois recently enacted legislation that broadly restricts a private employer from using credit reports regarding job applicants or current employees.
The eight regulatory agencies that released the final model privacy notice form that satisfies the disclosure requirements under the Gramm-Leach-Bliley Act have released an Online Form Builder to assist financial institutions in meeting their obligations under the act.
On March 22, 2010, Washington Governor Christine Gregoire signed H.B. 1149 into law, making her state the second behind Minnesota to hold businesses and governmental entities responsible to financial institutions for certain costs arising from payment card information breaches. As of July 1, entities that process more than 6 million credit or debit card transactions annually who fail to reasonably safeguard card information can be required to reimburse financial institutions for the costs related to the re-issuance of cards as well as attorneys fees and costs in the event that a security breach involving payment card information is a proximate result.
On February 3, 2010, the U.S. District Court for the Western District of Pennsylvania preliminarily approved a class action settlement between Aramark Sports, LLC and a class of approximately 5,000 customers who made credit or debit card purchases from stores at PNC Park in Pittsburgh, Pennsylvania. If approved, the proposed settlement would resolve allegations made by the plaintiffs that Aramark violated the Fair and Accurate Credit Transactions Act’s (“FACTA”) truncation requirements by electronically printing receipts that contained (a) more than the last 5 digits of the plaintiffs’ credit or debit card numbers and/or (b) the expiration date of such cards.
Judge John W. Darrah of the Northern District of Illinois Eastern Division held that FACTA’s prohibition against the electronic printing of a debit or credit card’s expiration date on receipts was inapplicable to e-mail order confirmations.
On November 17, 2009, eight federal regulatory agencies released their final model privacy notice form that is intended to make it easier for consumers to understand how financial institutions collect and share information about them.
On Thursday, the staff of the Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, National Credit Union Administration, Office of the Comptroller of the Currency, Office of Thrift Supervision and the Federal Trade Commission issued a set of FAQs to assist financial institutions, creditors, users of consumer reports, and card issuers in complying with the Red Flags and Address Discrepancies Rules under FACTA.
The Financial Industry Regulatory Authority (FINRA) announced on April 28, 2009 that it had fined Centaurus Financial, Inc., of Anaheim, California, $175,000 for Centaurus’s failure to protect confidential customer information. FINRA also required Centaurus to send notifications to affected customers and their brokers, provide one year of credit monitoring at no cost to the affected customers,… Continue Reading
The report by Drs. Alan Levy and Manoj Hastak, Consumer Comprehension of Financial Privacy Notices, uses the results of a mall-intercept study to compare the performance of a prototype financial privacy notice developed by the Kleimann Communication Group (“KCG”) during the first phase of the INP against three alternative notices. The Levy-Hastak report, among other things, confirms what proponents of the INP suspected – some GLBA privacy notices are largely ineffective in conveying information to consumers that allows them to make rational decisions about the sharing of their personal financial information.
The Fair and Accurate Credit Transactions Act (“FACTA”) amendments to the Fair Credit Reporting Act prohibit, among other things, the printing of expiration dates on receipts presented to credit or debit card holders. Two recent cases from the U.S. District Court for the Southern District of Florida, Smith v. Zazzle.com, Inc. (see our blog post… Continue Reading
On December 8, 2008, in Smith v. Zazzle.com Inc., No. 08-22371-CIV-KING, 2008 U.S. Dist. LEXIS 101050 (S.D. Fla. Dec. 9, 2008) Judge James Lawrence King of the Southern District of Florida held FACTA’s credit card number truncation requirement inapplicable to receipts displayed on-screen or printed by online customers. Judge King dismissed the case on this… Continue Reading
According to regulations published by the Federal Trade Commission and the federal banking agencies, covered companies that hold any customer accounts must implement identity theft prevention programs that identify and detect “Red Flags” signaling possible identity theft. Companies establishing such programs must create policies and procedures not only to recognize and detect Red Flags, but also to respond to Red Flags by preventing or mitigating potential identity theft. Furthermore, companies must develop reasonable policies and procedures to verify the identity of a customer opening an account, and must also periodically update their identity theft programs. The rules went into effect on January 1, 2008, and businesses must comply by November 1, 2008.
New amendments to the Fair and Accurate Transactions Act (“FACTA”) (itself an amendment to the Fair Credit Reporting Act (“FCRA”)) bar consumers from alleging willful violation and seeking statutory damages based on the printing of credit card expiration dates on receipts where the account number is otherwise properly truncated in accordance with FACTA. This development means the end is near for scores of class action lawsuits filed last year.
The Southern District of Florida has held that the Fair Credit Reporting Act (FACTA), applies to both electronic receipts from online purchases and receipts printed in stores. In Grabein v. 1-800-Flowers.com, Inc., 07-22235-CIV, 2008 WL 343179 (S.D. Fla. Jan. 29, 2008), Plaintiff filed a class action lawsuit after he used a credit card to purchase flowers… Continue Reading
Balancing privacy and evidentiary interests in a stock option backdating matter, the Northern District of California held on June 11, 2007 that the SEC’s interest in obtaining banking account information of defendant Gregory Reyes, ex-CEO of Brocade Communications, outweighs Reyes’ financial history privacy interests. SEC v. Reyes, No. C 06-04435 CRB (N.D. Cal. 2007).
Since December 4, 2006, consumers have filed dozens of class actions against retailers and other businesses across the country alleging “willful” violations of the Fair and Accurate Credit Transactions Act (“FACTA”) amendments to the Fair Credit Reporting Act (“FCRA”), prohibiting the printing of more than five digits, or the expiration date, of a credit card on receipts provided to the customer. Defendants in those cases have been waiting anxiously for the Supreme Court to rule in Safeco Insurance Co. of America, et al. v. Burr, et al., 551 U.S. _____ (2007), a factually inapposite matter in which the Court granted certiorari to determine whether “reckless disregard” suffices for willfulness under the statute. In a decision that raises as many questions as it answers, the Supreme Court held on June 4, 2007 that “reckless” failure to comply with FCRA can be considered willful. The Court’s opinion begs the question whether it was objectively reasonable for retailers to continue the printing of expiration dates on customer receipts after FACTA took full effect.