Heartland Payment Systems Enters into its Third Settlement Agreement Arising from 2008 Data Breach

Nearly two years after Heartland Payment Systems, Inc. (“Heartland”) experienced one of the largest customer data security breaches in history, it entered into its third settlement agreement with a card company.  (In addition to its settlements with card companies, on April 30, 2010 Heartland received preliminary approval for a consumer class-action settlement that could cost it up to $2.4 million.) Having already entered into settlement agreements with Visa for up to $60 million and American Express for up to $3.6 million, Heartland announced on May 19, 2010 that it entered into a settlement agreement with MasterCard that could result in as much as $41.1 million being paid to eligible MasterCard card issuers for losses resulting from the breach.

According to the terms of the settlement, MasterCard issuers that filed timely claims for accounts that were affected by the breach will be eligible to receive a specified dollar amount at some point during the third quarter of 2010, provided that MasterCard issuing financial institutions that represent at least 80% of the claimed-upon accounts accept the settlement agreement by June 25, 2010. In addition, the claimed-upon accounts must waive rights to any other recovery from Heartland arising from the breach. 

With the dust from the breach beginning to settle, the financial damage to Heartland is becoming evident. Should the MasterCard settlement be approved, Heartland could, in total, be on the hook for well over $100 million in breach-related settlement payments. 

The FTC Brings 27th Case for "Faulty Data Security Practices"

On March 25, 2010, the Federal Trade Commission (“FTC”) announced that it had entered into a settlement with entertainment operator, Dave & Buster’s, Inc., for alleged violations of Section 5(a) of the FTC Act, and for “engag[ing] in a number of practices that, taken together, failed to provide reasonable and appropriate security for personal information on its networks.”

The settlement marks the 27th case brought by the FTC against a company for insufficient data security practices.

According to the FTC’s complaint, an unauthorized individual was able to gain access to Dave and Buster’s networks between the dates of April 30, 2007 and August 28, 2007 and intercept credit card and debit card information (and other personal information) from approximately 130,000 consumers. In addition, according to the FTC, the affected issuing banks have collectively claimed several hundred thousand dollars in fraudulent charges on some of these compromised consumer accounts.

The FTC’s complaint states that, upon its discovery of the data security breach, Dave and Buster’s notified law enforcement officials and credit card companies, and took remedial steps to prevent further unauthorized access by the intruder. However, the FTC’s complaint also alleges that it was Dave and Buster’s “failure to employ reasonable and appropriate security measures to protect personal information” that enabled the unauthorized access that caused the data breach. Among the failures cited by the FTC, Dave and Buster’s allegedly failed to employ an intrusion detection system, failed to monitor system logs, failed to use firewalls to limit access between in-store networks, failed to isolate the payment card system from the rest of the corporate network and failed to use other readily available security measures, such as limiting access to its computer networks through wireless access points on such networks.

The settlement agreement entered into between the FTC and Dave and Buster’s requires Dave and Buster’s, among other things, to establish, implement and maintain a comprehensive, written data security program that contains administrative, technical and physical safeguards designed to protect the security, confidentiality and integrity of personal consumer information. In addition, Dave and Buster’s is required to obtain and endure initial and biennial assessments (for a period of 10 years from the date of the order) from a qualified third party regarding its implementation and maintenance of its program and safeguards in compliance with the settlement agreement.

The FTC’s news release announcing the settlement, along with the FTC’s complaint and the settlement agreement containing the consent order, can be accessed by clicking here.

District Court Rules E-mail Order Confirmations Not Subject to FACTA

We have written several times about courts (and Congress) helping to define the scope and applicability of certain provisions of the Fair and Accurate Credit Transactions Act (“FACTA”) amendments to the Fair Credit Reporting Act. One provision that has been frequently litigated, 15 U.S.C. § 1681c(g), involves FACTA’s so-called truncation requirements for printed transaction receipts. On December 2, 2009, in Shlahtichman v. 1-800 Contacts, Inc., 2009 U.S. Dist. LEXIS 112379 (N.D. Ill. Dec. 2, 2009), Judge John W. Darrah of the Northern District of Illinois Eastern Division held that FACTA’s prohibition against the electronic printing of a debit or credit card’s expiration date on receipts was inapplicable to e-mail order confirmations (decision available here).

FACTA’s truncation requirements, 15 U.S.C. § 1681c(g), prohibit the “electronic printing” of any receipt at “the point of the sale or transaction” that contains the expiration date of a consumer’s credit or debit card or more than the last five digits of the credit or debit card account number. It is clear that this prohibition applies to hard copy receipts provided to consumers, but reported decisions regarding the applicability of FACTA to electronically displayed receipts are inconsistent in their holdings. Compare Grabein v. 1-800-Flowers.com, Inc., No. 07-22235 (S.D. Fla. Jan. 29, 2008) with Meehan v. Buffalo Wild Wings Inc., No. 07C4562 (N.D. Ill. Feb. 26, 2008). Nonetheless, many judges have held that FACTA does not apply to online receipts (see, for example, the Smith v. Zazzle.com case reported here). On December 2, Judge Darrah joined them.

In Shlahtichman, an electronic order confirmation containing plaintiff’s credit card expiration date was e-mailed to plaintiff after he placed an order through defendant’s website. The plaintiff alleged that this “receipt” violated FACTA’s truncation requirements. Judge Darrah, in coming to his conclusion, relied on the plain meaning of the word “print” and determined that under FACTA, an e-mail order confirmation is not an “electronically printed” receipt because “‘print’ is not commonly understood as a display on a computer screen.” Shlahtichman, 2009 U.S. Dist. LEXIS 112379, at *7 (citing Grabein v. Jupiterimages, 2008 WL 2704451, at *6 (S.D. Fla. 2008)). Judge Darrah also held that an e-mail order confirmation is not subject to FACTA because an e-mail is not provided “at the point of sale or transaction” due to the fact that an e-mail can be accessed from anywhere in the world. Id.

Doesn't Alice Live Here Anymore? FACTA and the Address Discrepancy Rule

Section 315 of FACTA requires institutions that utilize consumer reports (“users”) to develop and follow certain procedures when notified of an address discrepancy by a national consumer reporting agency (“CRA”) (Equifax, Experian and TransUnion). Under FACTA, national CRAs are required to issue a “notice of address discrepancy” when an address provided by a user requesting a consumer report “substantially differs” from the address the CRA has on file for that consumer. The Address Discrepancy Rule then requires users of consumer reports to develop and implement written policies and procedures to respond to receipt of a discrepancy notice. There are two components to the policies required by the Rule: the first relates to the user’s evaluation of the address discrepancy; the second relates to the user’s potential obligation to report the consumer’s address to the CRA.

Users must establish reasonable policies to enable the user to form a reasonable belief as to whether the consumer report received actually relates to the customer in question. Users must evaluate the address discrepancy regardless of whether a new account with the customer will be opened. Policies and procedures designed to confirm whether a consumer report relates to the consumer about whom the report was requested include:

o  Comparing information in the consumer report with information that the user:

    -  obtains and uses to verify the consumer’s identity pursuant to Customer Identification Program rules,

    -  maintains in its own records, such as applications or change of address requests, or

    -  obtains from third parties;

o  Verifying the information provided by the CRA with the consumer by requesting a copy of the applicant’s driver’s license or other proof of current address; and

o  Other reasonable means.

In the event that a user reasonably confirms, through the policies and procedures established, that the report received belongs to the user’s customer, the user may be obligated to report the consumer’s address to the CRA that provided the notice of discrepancy. Such obligation arises if the user establishes a continuing business relationship with the customer and regularly furnishes information, regardless of the type or comprehensiveness, to that particular CRA.

While the Address Discrepancy Rule is designed to identify instances where a user has not received the correct consumer report for the customer inquired upon, a notice of address discrepancy may signal identity theft. Notices of address discrepancy therefore may implicate the Red Flags Rules for users that are financial institutions or creditors.

Also included in the Rule are special provisions regarding change-of-address notices for debit and credit card issuers. If a card issuer receives a change-of-address notice and, within 30 days, receives a request for an additional or replacement card, the card issuer must verify the address before issuing the card. The card issuer may validate the address either when receiving the change-of-address notice or shortly after receiving the request for a card. To validate the address, the issuer must either notify the cardholder at the last known address and provide the cardholder with a means of reporting any incorrect address change, or otherwise assess the validity of the change of address in accordance with its written policies and procedures established to comply with the Rule.

For the complete text of the “Address Discrepancy Rule”, please see http://www.ftc.gov/os/fedreg/2007/november/071109redflags.pdf, and for more information on the Red Flags Rule: http://ftc.gov./redflagsrule. Also check out our prior discussions of the Red Flags and Address Discrepancy Rules.

Proskauer summer associate Rebecca Guttman contributed to this post.     

Florida Cases Remind Retailers that Printing Expiration Dates after Enactment of the Receipt Clarification Act Violates FACTA

The Fair and Accurate Credit Transactions Act (“FACTA”) amendments to the Fair Credit Reporting Act prohibit, among other things, the printing of expiration dates on receipts presented to credit or debit card holders.  Two recent cases from the U.S. District Court for the Southern District of Florida, Smith v. Zazzle.com, Inc. (see our blog post here) and Smith v. Under Armour, Inc., reject prior holdings that the term “print” is broad enough to encompass the information included when a seller electronically transmits a receipt.  These cases also make clear, as we stated in our June 18, 2008 post, that businesses printing expiration dates after the June 3, 2008 enactment of the Credit and Debit Card Receipt Clarification Act of 2007 (“Clarification Act”) are violating FACTA’s truncation requirements. In fact, the Zazzle.com case specifically mentions that the Clarification Act does not apply because the conduct complained of occurred after the Act’s enactment.

The Clarification Act, which shielded from a finding of willful noncompliance with FACTA any business that printed an expiration date on a cardholder receipt between December 4, 2004 and the enactment of the Clarification Act, did not completely eliminate the statutory requirement to not print expiration dates on cardholder receipts.  Accordingly, businesses that print expiration dates on such receipts after June 3, 2008, even when card numbers are properly truncated, may incur liability under FACTA.

District Court Rules FACTA Inapplicable to Online Receipts

On December 8, 2008, in Smith v. Zazzle.com Inc., No. 08-22371-CIV-KING, 2008 U.S. Dist. LEXIS 101050 (S.D. Fla. Dec. 9, 2008) Judge James Lawrence King of the Southern District of Florida held FACTA’s credit card number truncation requirement inapplicable to receipts displayed on-screen or printed by online customers.  Judge King dismissed the case on this basis (the order is available here).  The order contradicts one last year in the same district, Grabein v. 1-800 Flowers Inc., No. 0722235 (S.D. Fla. Jan. 29, 2008) (reported here), but is consistent with three other Southern District of Florida cases: Grabein v. Jupiterimages Corp., No. 07-22288 (S.D. Fla. July 7, 2008), Haslam v. Federated Dep't Stores Inc., No. 07-61871 (S.D. Fla. May 16, 2008) and Edwin King v. Movietickets.com, No. 07-22119 (S.D. Fla. Feb. 13, 2008).

Judge King’s opinion focused on the meaning of the word "print" in the following FACTA provision: "no person that accepts credit cards or debit cards for the transaction of business shall print more than the last 5 digits of the card number or the expiration date upon any receipt provided to the cardholder at the point of the sale or transaction." 15 U.S.C. § 1681c(g)(1). Judge King found, based on the ordinary meaning of the word "print," that Congress intended "print" to mean the "imprinting of something on paper or another tangible surface." Zazzle.com, 2008 U.S. Dist. LEXIS 101050 at **7-8.

Zip Codes not "Personal Identification Information" under California's Song-Beverly Act

On December 19, 2008, in Party City Corp. v. The Superior Court of San Diego County, the California Court of Appeal in the Fourth Appellate District held that zip codes are not "personal identification information" under California's Song-Beverly Credit Card Act of 1971, California Civil Code Sec. 1747.08 (the "Act"). The Act prohibits a retailer that accepts credit cards from, among other things, "request[ing], or requir[ing] as a condition to accepting the credit card as payment in full or in part for goods or services, the cardholder to provide personal identification information, which the [retailer] writes, causes to be written, or otherwise records upon the credit card transaction form or otherwise." Id. at § 1748.08(a)(2). Under the Act, "personal identification information" is "information concerning the cardholder, other than information set forth on the credit card, and including, but not limited to, the cardholder's address and telephone number." Id. at § 1747.08(b). Subdivision (e) of the statute provides that "[a]ny person who violates this section shall be subject to a civil penalty not to exceed two hundred fifty dollars ($250) for the first violation and one thousand dollars ($1,000) for each subsequent violation, to be assessed and collected in a civil action brought by the person paying with a credit card, by the Attorney General, or by the district attorney or city attorney of the county or city in which the violation occurred."

In Party City, the plaintiff claimed that Party City’s request for a zip code in conjunction with a credit card purchase violated the Act. The trial court agreed, granting the plaintiff summary judgment. The Court of Appeal granted a writ of mandate and overturned the trial court, concluding that summary judgment should be entered for Party City. The Court of Appeal found that zip codes are not personal identification information based on the plain language of the statute. In applying a plain reading, the court first examined postal regulations to understand what zip codes encompass. The court determined that zip codes as defined by the postal service are not individualized identification criteria. Rather, they are used to "provide identification of a relatively large group." Because "tens of thousands of people have the same zip code," the court concluded a zip code standing alone is not the same as an individual’s address or telephone number. The court found its interpretation bolstered by the principle that statutes that create mandatory civil liabilities should be construed in favor of the "persons sought to be subject to their operation."

This is the third California appellate decision this year taking a narrow interpretation of the Act. See here and here for blog posts on earlier appellate court decisions holding that the Act does not apply in the merchandise returns context.

Another Court Affirms Narrowed Interpretation of Song-Beverly Credit Card Act

On June 26, 2008, in Absher v. Autozone, Inc. et al. (2008), the California Court of Appeal in the Second Appellate District, confirmed that California’s Song-Beverly Credit Card Act of 1971, California Civil Code § 1747.08 (hereinafter, the “Act”) does not apply to a refund for the return of merchandise purchased by credit card.

Under the Act, merchants who accept credit cards as a form of payment may not request or require as a condition to accepting payment by credit card the personal information of a cardholder, which information the merchant causes to be recorded upon a credit card transaction form or otherwise (such as a receipt, etc.). 

In the Absher case, plaintiff Dave Absher (who, when returning merchandise purchased from Autozone, was required to put his name and telephone number on a voucher in order to process the refund), claimed that Autozone’s practices violated the Act. In the trial court, Autozone moved for summary judgment arguing that the statute does not apply to return transactions. The trial court granted Autozone’s motion and the Court of Appeal affirmed the dismissal of plaintiff’s cause of action, holding that the Act’s restrictions are limited to initial purchase transactions and not return transactions. In particular, the court held that the legislative history behind the Act, as well as a policy interest in providing retailers with a reasonable means to safeguard against potential abuses in connection with the return of merchandise, weighed in favor of its interpretation that the Act does not apply where a merchant’s request for personal information is in connection with a refund for the return of merchandise purchased by credit card.

The outcome in this most recent case is not surprising given the court’s other recent decision, on May 22, 2008, involving The TJX Companies, Inc., T.J. Maxx of CA, LLC, Marshalls of CA, LLC, Marshalls of MA, Inc. and Marmaxx (collectively, “TJX”), in which the California Court of Appeal also narrowed the scope of claims available under the Act in ruling that the statute does not apply to merchandise returns.

Kathryn Conroy, a Summer Associate in Proskauer’s Los Angeles office, contributed to this post.

Expiration Date Imminent for Many FACTA Class Actions

New amendments to the Fair and Accurate Credit Transactions Act (“FACTA”) (itself an amendment to the Fair Credit Reporting Act (“FCRA”)) bar consumers from alleging willful violation and seeking statutory damages based on the printing of credit card expiration dates on receipts where the account number is otherwise properly truncated in accordance with FACTA. This development means the end is near for scores of class action lawsuits filed last year.

FACTA prohibits the printing of more than five digits of a credit or debit card number or the expiration date on receipts provided to a customer. Since December 4, 2006, consumers have filed hundreds of suits against merchants who allegedly printed a truncated account number and the expiration dates on receipts, arguing that those merchants “willfully” violated FACTA, and seeking $100 to $1,000 for each violation. At least one court has interpreted FACTA to apply to electronic receipts as well as printed ones.

As discussed here last year, the Supreme Court ruled in Safeco Insurance Co. of America, et al. v. Burr, et al. that reckless disregard of the requirements of FCRA can constitute willful violation. The court left open the question of whether it was objectively reasonable for merchants to continue to print expiration dates on customer receipts after the date for compliance with FACTA had passed.

In response to the widespread FACTA litigation, Congress amended FCRA to prevent certain putative consumer class actions. The “Credit and Debit Card Receipt Clarification Act of 2007” (“the Act”), signed by President Bush on June 3, amends FCRA to specify that printing expiration dates on receipts where the account number is otherwise properly truncated does not in and of itself constitute willful noncompliance.  Consumers will not be entitled to pursue suits claiming willful violation, and thus not be entitled to seek statutory damages, merely because an expiration date is printed on an otherwise compliant receipt.  The Act does not affect negligence suits filed by consumers who can show actual harm as a result of the printing of the expiration date, or suits against merchants who are otherwise not in compliance with FACTA’s requirements.  The Act applies to any company that printed an expiration date on any receipt provided to a consumer cardholder at a point of sale or transaction between December 4, 2004, and the date of the enactment. 

Proskauer summer associate Nicole Ross contributed to this post.

No Shopping Spree for Plaintiffs Under California's Song-Beverly Credit Card Act

On May 22, 2008, the California Court of Appeal narrowed the scope of claims available under California’s Song-Beverly Credit Card Act of 1971, California Civil Code § 1747.08, ruling that the statute is subject to the one-year statute of limitations of Code of Civil Procedure section 340 and does not apply to merchandise returns.

California Civil Code § 1747.08 prohibits a retailer that accepts credit cards from, among other things, requesting, or requiring as a condition to accepting the credit card as payment in full or in part for goods or services, the cardholder to provide personal identification information, which the retailer writes, causes to be written, or otherwise records upon the credit card transaction form or otherwise. Subdivision (e) of the statute provides that "[a]ny person who violates this section shall be subject to a civil penalty not to exceed two hundred fifty dollars ($250) for the first violation and one thousand dollars ($1,000) for each subsequent violation, to be assessed and collected in a civil action brought by the person paying with a credit card, by the Attorney General, or by the district attorney or city attorney of the county or city in which the violation occurred."

The TJX Companies, Inc., T.J. Maxx of CA, LLC, Marshalls of CA, LLC, Marshalls of MA, Inc., and Marmaxx (collectively, TJX) sought a writ of mandate compelling the trial court to grant their motion to strike portions of the complaint that defined the class as users of credit cards "within the last three . . . years." The court found that the penalty imposed in subdivision (e) of the statute, using the language "shall be subject to" is mandatory and therefore is "[a]n action upon a statute for a penalty" subject to the one-year statute of limitation of California Code of Civil Procedure section 340.

The court also held that the plain language of section 1747.08 does not apply to returned merchandise and directed the court to vacate its order overruling TJX’s demurrer to the complaint. Among other things, the court noted that "there are substantial opportunities for fraud" in connection with merchandise returns and "it behooves the merchant to identify the person who returns merchandise, which subsequent examination may disclose to have been used, damaged, or even stolen."

Governor Schwarzenegger Says No to California A.B. 779

On Saturday, California Governor Arnold Schwarzenegger vetoed AB 779, legislation that would have amended California’s landmark data security breach legislation. The bill would have been the first to follow the law enacted by Minnesota earlier this year and effective August 1, 2007, discussed here, that amended Minnesota’s security breach notification law by, among other things, prohibiting businesses from retaining certain payment card data after authorization of a transaction.

As discussed in our previous posts here and here, AB 779 was proposed in the wake of the massive security breach at the TJX Companies and would have prohibited businesses that sell goods or services to any resident of California and that accept as payment credit cards, debit cards, or other payment devices from, among other things, storing, retaining, sending, or failing to limit access to payment-related data, and from storing sensitive authentication data subsequent to an authorization, unless a specified exception applied. The bill also incorporated certain liability-shifting provisions that would have made such businesses liable to the owner or licensee of the information for the reimbursement of reasonable and actual costs of providing notice to consumers as required by existing law and for the reasonable and actual cost of card replacement as a result of the breach of the security of the system. It also would have mandated the inclusion of specific kinds of information about a breach in notices provided to individuals affected by the breach.

The Governor’s veto was based on concerns that AB 779 would potentially conflict with private sector data security standards such as the Payment Card Industry Data Security Standard and would increase the costs of compliance.

In his veto message, available here, the Governor stated that, while he is "committed to strong laws that safeguard every individual’s privacy and prevent identity theft, . . . this bill attempts to legislate in an area where the marketplace has already assigned responsibilities and liabilities that provide for the protection of consumers. In addition, the Payment Card Industry has already established minimum data security standards when storing, processing, or transmitting credit or debit cardholder information. This industry has the contractual ability to mandate the use of these standards, and is in a superior position to ensure that these standards keep up with changes in technology and the marketplace. This measure creates the potential for California law to be in conflict with private sector data security standards." The Governor also noted that the bill "fails to provide clear definition of which business or agency ‘owns’ or ‘licenses’ data, and when that business or agency relinquishes legal responsibility as the owner or licensee. This issue and the data security requirements found in this bill will drive up the costs of compliance, particularly for small businesses." The Governor encouraged "the author and the industry to work together on a more balanced legislative approach that addresses the concerns outlined above."

It remains to be seen whether Governor Schwarzenegger's veto effectively puts to an end efforts in other states to pass such legislation.

When Reckless Means Willful - High Court Issues Landmark Decision Under the Fair Credit Reporting Act

Since December 4, 2006, consumers have filed dozens of class actions against retailers and other businesses across the country alleging “willful” violations of the Fair and Accurate Credit Transactions Act (“FACTA”) amendments to the Fair Credit Reporting Act (“FCRA”), prohibiting the printing of more than five digits, or the expiration date, of a credit card on receipts provided to the customer. Defendants in those cases have been waiting anxiously for the Supreme Court to rule in Safeco Insurance Co. of America, et al. v. Burr, et al. 551 U.S. _____ (2007), a factually inapposite matter in which the Court granted certiorari to determine whether “reckless disregard” suffices for willfulness under the statute. In a decision that raises as many questions as it answers, the Supreme Court held on June 4, 2007 that “reckless” failure to comply with FCRA can be considered willful. The Court’s opinion begs the question whether it was objectively reasonable for retailers to continue the printing of expiration dates on customer receipts after FACTA took full effect.


Defendants who "willfully" violate FCRA are subject to significant statutory damages of $100 to $1,000 for every instance of violation, as well as punitive damages. Safeco involved notice obligations to consumers regarding adverse action based on consumer reports, but the relevant provision of FCRA - §1681n(a) - imposes penalties for violation of other provisions of the statute, including the FACTA amendments mandating credit card truncation. Unfortunately, after Safeco, the boundaries of what constitutes "willful" remain unclear.

Safeco Insurance Co. and GEICO were involved in separate suits, both in the Ninth Circuit, that were consolidated to resolve a Circuit split as to whether Section 1681n(a) reaches "reckless disregard." The Ninth Circuit held that a defendant "willfully" fails to comply with FCRA if it acts with "reckless disregard" of a consumer’s rights.

The high Court was quick to point out that "willfully" is a "‘word of many meanings whose construction is often dependent on the context in which it appears’" (quoting Bryan v. United States, 524 U.S. 184, 191 (1998) (internal quotation marks omitted)). Although the Court did not furnish a clear-cut definition, it confirmed that reckless disregard - or "action entailing ‘an unjustifiably high risk of harm that is either known or so obvious that it should be known’" - can be considered willful. The defendant’s actions must be objectively unreasonable. "[A] company subject to FCRA does not act in reckless disregard of it unless the action is not only a violation under a reasonable reading of the statute’s terms, but shows that the company ran a risk of violating the law substantially greater than the risk associated with a reading that was merely careless." The Court did not find it necessary to identify the "negligence/recklessness line." However, it is clear that a defendant need not have actual knowledge of a violation to be found to have willfully violated the statute.

Both the Safeco and GEICO cases stemmed from an insurance company’s notice obligations to certain customers under Section 1681m. Under that provision, companies must inform a customer if "adverse action" is taken based in whole or in part on information contained in the customer’s consumer report. Since the initial rate offered by GEICO to the plaintiff/respondent was the one he would have received if his credit score had not been taken into account, the Court determined that GEICO had not violated the statute at all, let alone willfully. The Court found that Safeco Insurance Co. did violate FCRA by failing to notify certain individuals based on its erroneous determination that the statute did not apply to initial insurance applications.

However, the Court ruled that Safeco’s conduct fell short of action with "unjustifiably high risk" of violating the statute. Its interpretation of the statute, while "erroneous, was not objectively unreasonable," because Safeco’s position had a "foundation in the statutory text." Invoking authority holding that the determination of reasonableness for qualified immunity purposes is guided by legal rules that were "clearly established" at the time, the Court also acknowledged that, "[b]efore these cases, no court of appeals had spoken on the issue, and no authoritative guidance has yet come from" the Federal Trade Commission. The Court did not address the question of whether good-faith reliance on legal advice should render companies immune to claims under Section 1681n(a), but did "not foreclose the possibility."

Safeco’s Implications

The impact of this decision extends far beyond notification of adverse actions taken by insurance companies. Currently pending are the dozens of FACTA class action lawsuits alleging willful violations of FACTA’s prohibition on printing more than five digits, or the expiration date, of a credit card on receipts provided to the customer. It remains to be seen how those courts will apply the rule enunciated in Safeco. However, given (a) the dearth of legal authority or guidance on the proper interpretation of the FACTA provision at issue in those cases, Section 1681c(g) - a provision that did not even go into full effect until December 4, 2006; (b) the lack of any apparent connection between the printing of an expiration date and the risk of identity theft; and (c) the large number of businesses that plaintiffs have accused of violating the language of the statute, there exists ample ground for a court to find that a retailer’s decision to continue printing expiration dates on receipts after FACTA was not objectively unreasonable.