We'll Give You (and Your Friends) a Hoodie to Go Away: Class Settlement in FACTA Truncation Lawsuit Receives Preliminary Approval

On February 3, 2010, Chief Judge Gary L. Lancaster of the U.S. District Court for the Western District of Pennsylvania preliminarily approved a class action settlement between Aramark Sports, LLC and a class of approximately 5,000 customers who made credit or debit card purchases from stores at PNC Park in Pittsburgh, Pennsylvania between March 24, 2009 and April 23, 2009. If approved at a final class action fairness hearing scheduled for April 5, 2010, the proposed settlement filed in Hanlon v. Aramark Sports, LLC, No. 09-cv-465 (W.D. Pa. Feb. 3, 2010), would resolve allegations made by the plaintiffs that Aramark violated the Fair and Accurate Credit Transactions Act’s (“FACTA”) truncation requirements by electronically printing receipts that contained (a) more than the last 5 digits of the plaintiffs’ credit or debit card numbers and/or (b) the expiration date of such cards. See our posts here and here for information about cases alleging similar violations of FACTA’s truncation requirements.

Under the terms of the proposed settlement, each class member will be offered a settlement relief voucher good for any one of the following: (a) $50 off a purchase of $100 or more, (b) a “classy” tee shirt with a suggested retail value of up to $40 or (c) a hooded sweatshirt (“hoodie”) with a suggested retail value of approximately $55. The voucher will be redeemable at any store in PNC Park, the home of Major League Baseball’s Pittsburgh Pirates. Aramark has agreed that, if the settlement is approved, it will distribute not just those settlement relief vouchers claimed by members of the class, but a total of 4,773 vouchers – one for each electronically printed receipt alleged to have violated FACTA. To effectuate this requirement, beginning fifteen days after in-store notices to class members are removed, Aramark will distribute unclaimed vouchers to every customer who makes a purchase using a credit or debit card at PNC Park. Aramark will also be responsible for the costs of notifying class members regarding the settlement and paying class counsel’s fees of $105,000.

While coupon or voucher settlements are generally frowned upon by courts, Judge Lancaster acknowledged that such relief “appears well suited to the [FACTA] violations alleged, especially in light of the lack of actual damages.” The court’s acknowledgement lends credence to the denial of class certification in, for example, Soualian v. International Coffee & Tea LLC, No. 07-cv-502 (RGK) (C.D. Cal. June 11, 2007), on account of the damages sought being disproportionate to the actual harm suffered by the class.

Doesn't Alice Live Here Anymore? FACTA and the Address Discrepancy Rule

Section 315 of FACTA requires institutions that utilize consumer reports (“users”) to develop and follow certain procedures when notified of an address discrepancy by a national CRA (Equifax, Experian and TransUnion). Under FACTA, national CRAs are required to issue a “notice of address discrepancy” when an address provided by a user requesting a consumer report “substantially differs” from the address the CRA has on file for that consumer. The Address Discrepancy Rule then requires users of consumer reports to develop and implement written policies and procedures to respond to receipt of a discrepancy notice. There are two components to the policies required by the Rule: the first relates to the user’s evaluation of the address discrepancy; the second relates to the user’s potential obligation to report the consumer’s address to the CRA.

Users must establish reasonable policies to enable the user to form a reasonable belief as to whether the consumer report received actually relates to the customer in question. Users must evaluate the address discrepancy regardless of whether a new account with the customer will be opened. Policies and procedures designed to confirm whether a consumer report relates to the consumer about whom the report was requested include:

o       Comparing information in the consumer report with information that the user

        o       obtains and uses to verify the consumer’s identity pursuant to Customer Identification Program rules,

        o       maintains in its own records, such as applications or change of address requests, or

        o       obtains from third parties;

o       Verifying the information provided by the CRA with the consumer by requesting a copy of the applicant’s driver’s license or other proof of current address; and

o       Other reasonable means.

In the event that a user reasonably confirms, through the policies and procedures established, that the report received belongs to the user’s customer, the user may be obligated to report the consumer’s address to the CRA that provided the notice of discrepancy. Such obligation arises if the user establishes a continuing business relationship with the customer and regularly furnishes information, regardless of the type or comprehensiveness, to that particular CRA.

           

While the Address Discrepancy Rule is designed to identify instances where a user has not received the correct consumer report for the customer inquired upon, a notice of address discrepancy may signal identity theft. Notices of address discrepancy therefore may implicate the Red Flags Rules for users that are financial institutions or creditors.

           

Also included in the Rule are special provisions regarding change-of-address notices for debit and credit card issuers. If a card issuer receives a change-of-address notice, and within 30 days, receives a request for an additional or replacement card, the card issuer must verify the address before issuing the card. The card issuer may validate the address either when receiving the change-of-address notice or shortly after receiving the request for a card. To validate the address, the issuer must either notify the cardholder at the last known address and provide the cardholder with a means of reporting any incorrect address change, or otherwise assess the validity of the change of address in accordance with its written policies and procedures established to comply with the Rule.

For the complete text of the “Address Discrepancy Rule”, please see http://www.ftc.gov/os/fedreg/2007/november/071109redflags.pdf, and for more information on the Red Flags Rule: http://ftc.gov./redflagsrule. Also check out our prior discussions of the Red Flags and Address Discrepancy Rules. 

 

Proskauer summer associate Rebecca Guttman contributed to this post.     

Florida Cases Remind Retailers that Printing Expiration Dates after Enactment of the Receipt Clarification Act Violates FACTA

The Fair and Accurate Credit Transactions Act (“FACTA”) amendments to the Fair Credit Reporting Act prohibit, among other things, the printing of expiration dates on receipts presented to credit or debit card holders.  Two recent cases from the U.S. District Court for the Southern District of Florida, Smith v. Zazzle.com, Inc. (see our blog post here) and Smith v. Under Armour, Inc., reject prior holdings that the term “print” is broad enough to encompass the information included when a seller electronically transmits a receipt.  These cases also make clear, as we stated in our June 18, 2008 post, that businesses printing expiration dates after the June 3, 2008 enactment of the Credit and Debit Card Receipt Clarification Act of 2007 (“Clarification Act”) are violating FACTA’s truncation requirements. In fact, the Zazzle.com case specifically mentions that the Clarification Act does not apply because the conduct complained of occurred after the Act’s enactment.

The Clarification Act, which shielded from a finding of willful noncompliance with FACTA any business that printed an expiration date on a cardholder receipt between December 4, 2004 and the enactment of the Clarification Act, did not completely eliminate the statutory requirement to not print expiration dates on cardholder receipts.  Accordingly, businesses that print expiration dates on such receipts after June 3, 2008, even when card numbers are properly truncated, may incur liability under FACTA.

Affiliate Marketing Rule Alert: Compliance Deadline is October 1, 2008

Section 214 of the Fair and Accurate Credit Transactions Act (“FACTA”) was enacted to amend the Fair Credit Reporting Act (the “Act”) to give consumers the right to restrict certain entities from using certain information received from their affiliates to make solicitations to that consumer unless the consumer has been provided (1) “clear and conspicuous” notice that the consumer’s information will be shared for such purposes, and (2) an opportunity to opt out of having such information shared for such purposes.

On November 7, 2007, the Federal Deposit Insurance Corporation, the Federal Reserve Board, the Office of the Comptroller of the Currency, the Office of Thrift Supervision and the National Credit Union Administration issued a joint final rule (along with the Federal Trade Commission (FTC) and the Securities and Exchange Commission (SEC), which separately adopted and proposed, respectively, similar regulations) under the amended Act (the “Affiliate Marketing Rule” or “Final Rule,” codified at 12 C.F.R. Parts 41, 222, 334, 571 and 717) governing the use of specific consumer information obtained by covered entities from their affiliates for certain marketing purposes.

The Affiliate Marketing Rule became effective on January 1, 2008, and compliance by covered entities is required by October 1, 2008.

Summary of the Final Rule’s Requirements

In general, the Affiliate Marketing Rule prohibits a “person” from using consumer “eligibility information” received from a corporate “affiliate” for making marketing “solicitations” to the consumer, unless:  

  • the consumer is first given a clear, conspicuous, concise and written notice explaining that the person may use eligibility information about that consumer received from an affiliate to make solicitations for marketing purposes;
  • the consumer is first given a reasonable opportunity and a reasonable and simple method to “opt out,” or prohibit the use of the eligibility information to make solicitations for marketing purposes; and
  • the consumer has not opted out thereof. 

Opt-Out Requirements

The opt-out notice must be delivered “so that each consumer can be reasonably expected to receive actual notice.” Examples of delivery methods that can be reasonably expected to provide actual notice include hand-delivery, mailing a printed copy of the notice to the consumer’s last known address, e-mail to consumers who have agreed to receive electronic disclosures from the affiliate providing notice, and posting the notice on a website at which the consumer obtained a product or service electronically and requiring the consumer to acknowledge receipt of the notice.

Once notice has been delivered, a consumer must be given a reasonable opportunity to opt out, and the reasonable opportunity to opt out must be accompanied by a “reasonable and simple” method for exercising the opt-out right, such as a conspicuous check box, a reply form and a self-addressed envelope with the opt-out notice, a toll-free telephone number, and an electronic opt out.

Consumer opt outs must be honored for 5 years, and a renewal notice must be sent to the consumer before the expiration of the initial 5-year opt-out period, giving the consumer an opportunity to extend the opt-out for an additional 5 years. The Final Rule includes model forms that may be used to comply with the Final Rule’s requirements.

Key Definitions

Under the Final Rule, “affiliates” are companies that are related by common ownership or common corporate control with one another. A “solicitation” means the marketing of a product or service initiated by a person to a particular consumer that is based on eligibility information communicated to that person by its affiliate and intended to encourage the consumer to purchase or obtain such product or service. (Communications aimed at the general public such as television or billboard advertisements are not “solicitations,” but marketing emails, telemarketing calls and direct mailings aimed at particular consumers are considered “solicitations.”) 

“Eligibility information,” as defined by the Rule, encompasses any information that, if communicated, would constitute a “consumer report” (as such term is defined by the Act) but for specific statutory exclusions. “Eligibility information” might include, for example, a person’s own transaction or experience information and information from consumer reports or applications, but does not, however, include aggregate or blind data that does not contain personal identifiers. 

Exceptions

The provisions of the Affiliate Marketing Rule do not apply to certain uses of eligibility information obtained from an affiliate in certain situations, including:

o       to make a marketing solicitation to a consumer with whom the person has a “pre-existing business relationship” as that term is defined in the Rule;

o       to facilitate certain communications to a consumer for whose benefit the company has provided employee benefits or other services;

o       to perform services on behalf of an affiliate, except that this does not permit a person to send solicitations on behalf of an affiliate if the affiliate would not be permitted to send the solicitation on its own behalf due to the consumer’s opt-out election;

o       in response to a communication initiated by the consumer;

o       in response to a consumer’s authorization or request to receive a solicitation; and

o       if compliance with the Final Rule would prevent the person from complying with state insurance laws relating to unfair discrimination.

As the compliance deadline quickly approaches, it is important for covered entities to understand that the potential consequences of non-compliance with the Final Rule’s requirements not only could include enforcement by the applicable federal banking agency or the FTC (if the FTC has jurisdiction over such covered entity), but also could result in civil liability to affected consumers (including punitive damages for certain willful actions, as well as attorneys’ fees).

Red Flag Alert -- Compliance Deadline is November 1, 2008

According to regulations published by the Federal Trade Commission and the federal banking agencies, covered companies that hold any customer accounts must implement identity theft prevention programs that identify and detect “Red Flags” signaling possible identity theft.  Companies establishing such programs must create policies and procedures not only to recognize and detect Red Flags, but also to respond to Red Flags by preventing or mitigating potential identity theft. Furthermore, companies must develop reasonable policies and procedures to verify the identity of a customer opening an account, and must also periodically update their identity theft programs.  The rules went into effect on January 1, 2008, and businesses must comply by November 1, 2008.  You can read more about Red Flags in this Client Alert.

First FACTA Disposal Rule FTC Settlement Leaves American United Down in the Dumps

On December 18, the FTC announced a settlement in its 15th case (and its first in 13 months) addressing the data security practices of companies handling sensitive consumer information. American United Mortgage Company agreed to pay a $50,000 penalty for failing to implement reasonable safeguards to protect customer information and failing to provide customers with privacy notices.

American United is the first FTC action taken pursuant to the Disposal Rule, promulgated in 2005, of the Fair and Accurate Credit Transactions Act (FACTA) of 2003. The complaint, filed in the Northern District of Illinois in mid-December, asserted that the Northbrook, Illinois-based mortgage company disposed of several dozen consumers’ personally identifying information by leaving intact hundreds of documents in a nearby unsecured dumpster, in some cases in open trash bags. Indeed, even after the FTC provided written notice to American United that disposal of documents containing consumers’ personal information in this manner created a risk of unauthorized access, "on at least two occasions, additional intact American United documents containing consumers’ personal information were found in and around the same dumpster adjacent to American United’s office."

In addition to the fine, the stipulated judgment and order requires American United to obtain an immediate third-party audit of its privacy safeguards and ongoing audits every two years for a decade. American United is also permanently enjoined from further violations of the FACTA Safeguards, Disposal, and Privacy rules.

The Disposal Rule, 16 C.F.R. 682, requires that any company collecting consumer information for a business purpose must dispose of that information in a way that prevents unauthorized access and misuse of the data. "Disposal" includes any discarding, abandonment, sale, donation or transfer of information.

When Reckless Means Willful - High Court Issues Landmark Decision Under the Fair Credit Reporting Act

Since December 4, 2006, consumers have filed dozens of class actions against retailers and other businesses across the country alleging “willful” violations of the Fair and Accurate Credit Transactions Act (“FACTA”) amendments to the Fair Credit Reporting Act (“FCRA”), prohibiting the printing of more than five digits, or the expiration date, of a credit card on receipts provided to the customer. Defendants in those cases have been waiting anxiously for the Supreme Court to rule in Safeco Insurance Co. of America, et al. v. Burr, et al., 551 U.S. _____ (2007), a factually inapposite matter in which the Court granted certiorari to determine whether “reckless disregard” suffices for willfulness under the statute. In a decision that raises as many questions as it answers, the Supreme Court held on June 4, 2007 that “reckless” failure to comply with FCRA can be considered willful. The Court’s opinion begs the question whether it was objectively reasonable for retailers to continue the printing of expiration dates on customer receipts after FACTA took full effect.


Defendants who "willfully" violate FCRA are subject to significant statutory damages of $100 to $1,000 for every instance of violation, as well as punitive damages. Safeco involved notice obligations to consumers regarding adverse action based on consumer reports, but the relevant provision of FCRA - §1681n(a) - imposes penalties for violation of other provisions of the statute, including the FACTA amendments mandating credit card truncation. Unfortunately, after Safeco, the boundaries of what constitutes "willful" remain unclear.

Safeco Insurance Co. and GEICO were involved in separate suits, both in the Ninth Circuit, that were consolidated to resolve a Circuit split as to whether Section 1681n(a) reaches "reckless disregard." The Ninth Circuit held that a defendant "willfully" fails to comply with FCRA if it acts with "reckless disregard" of a consumer’s rights.

The high Court was quick to point out that "willfully" is a "‘word of many meanings whose construction is often dependent on the context in which it appears’" (quoting Bryan v. United States, 524 U.S. 184, 191 (1998) (internal quotation marks omitted)). Although the Court did not furnish a clear-cut definition, it confirmed that reckless disregard - or "action entailing ‘an unjustifiably high risk of harm that is either known or so obvious that it should be known’" - can be considered willful. The defendant’s actions must be objectively unreasonable. "[A] company subject to FCRA does not act in reckless disregard of it unless the action is not only a violation under a reasonable reading of the statute’s terms, but shows that the company ran a risk of violating the law substantially greater than the risk associated with a reading that was merely careless." The Court did not find it necessary to identify the "negligence/recklessness line." However, it is clear that a defendant need not have actual knowledge of a violation to be found to have willfully violated the statute.

Both the Safeco and GEICO cases stemmed from an insurance company’s notice obligations to certain customers under Section 1681m. Under that provision, companies must inform a customer if "adverse action" is taken based in whole or in part on information contained in the customer’s consumer report. Since the initial rate offered by GEICO to the plaintiff/respondent was the one he would have received if his credit score had not been taken into account, the Court determined that GEICO had not violated the statute at all, let alone willfully. The Court found that Safeco Insurance Co. did violate FCRA by failing to notify certain individuals based on its erroneous determination that the statute did not apply to initial insurance applications.

However, the Court ruled that Safeco’s conduct fell short of action with "unjustifiably high risk" of violating the statute. Its interpretation of the statute, while "erroneous, was not objectively unreasonable," because Safeco’s position had a "foundation in the statutory text." Invoking authority holding that the determination of reasonableness for qualified immunity purposes is guided by legal rules that were "clearly established" at the time, the Court also acknowledged that, "[b]efore these cases, no court of appeals had spoken on the issue, and no authoritative guidance has yet come from" the Federal Trade Commission. The Court did not address the question of whether good-faith reliance on legal advice should render companies immune to claims under Section 1681n(a), but did "not foreclose the possibility."

Safeco’s Implications

The impact of this decision extends far beyond notification of adverse actions taken by insurance companies. Currently pending are the dozens of FACTA class action lawsuits alleging willful violations of FACTA’s prohibition on printing more than five digits, or the expiration date, of a credit card on receipts provided to the customer. It remains to be seen how those courts will apply the rule enunciated in Safeco. However, given (a) the dearth of legal authority or guidance on the proper interpretation of the FACTA provision at issue in those cases, Section 1681c(g) - a provision that did not even go into full effect until December 4, 2006; (b) the lack of any apparent connection between the printing of an expiration date and the risk of identity theft; and (c) the large number of businesses that plaintiffs have accused of violating the language of the statute, there exists ample ground for a court to find that a retailer’s decision to continue printing expiration dates on receipts after FACTA was not objectively unreasonable.