State Law Claims in an Identity Exposure Case Preempted by Federal Fair Credit Reporting Act

On July 7, 2009, the U.S. District Court for the Southern District of New York ruled that the Federal Fair Credit Reporting Act (“FCRA”) preempted an identity exposure plaintiff’s state law claims for, among other things, negligence, breach of contract, and violation of the New York Deceptive Trade Practices Act (“DTPA”).

In Willey v. J.P. Morgan Chase, N.A., No. 09 Civ. 1397 (CM), 2009 WL 1938987 (S.D.N.Y. July 7, 2009), the plaintiff sued J.P. Morgan Chase, N.A. (“Chase”) after Chase issued a press release announcing that the personal information of approximately 2.6 million current and former holders of a Chase-Circuit City credit card had been mistakenly identified as trash and thrown out. The plaintiff brought eight causes of action against Chase on behalf of himself and all persons whose personal information was thrown out. These causes of action included both willful and negligent violations of the FCRA, negligence and negligence per se, breach of implied contract, breach of contract, violation of the DTPA and breach of bailment. Chase filed a motion to dismiss under Fed. R. Civ. P. 12(b)(6) for failure to state a claim.

With respect to the plaintiff’s FCRA claims, the Court held that the plaintiff’s complaint fell well short under pleading standards articulated in Bell Atlantic Corp. v. Twombly, 550 U.S. 544 (2007), and Ashcroft v. Iqbal, 129 S. Ct. 1937 (2009), because the plaintiff failed to “make factual allegations with enough specificity to plausibly allege that Chase violated OCC regulations.” Accordingly, the Court dismissed these claims as formulaic recitations of the elements of the plaintiff’s cause of action. The Court also noted that even if the plaintiff could amend his complaint to satisfactorily plead these causes of action, they would be barred by the FCRA’s statute of limitations.

With respect to the plaintiff’s state law claims, the Court found that the FCRA preempts the claims. Specifically, the Court noted that Chase was regulated by the Office of the Comptroller of the Currency (“OCC”) and that the OCC’s Interagency Guidelines Establishing Information Security Standards, promulgated pursuant to FCRA, touch on precisely the conduct about which the plaintiff was complaining. The Court stated that “Willey’s . . . claims boil down to a rephrasing of the allegation that Chase failed to follow the OCC Guidelines in violation of the FCRA.” As such, the Court ruled that the FCRA preempted all of the plaintiff's state law claims. In addition, relying on Pisciotta v. Old National Bancorp (see our blog post here), Shafran v. Harley Davidson and Caudle v. Towers, Perrin, Forster & Crosby, Inc., the Court found that the plaintiff failed to show any actual damages sufficient to support his claims. Consequently, the Court granted Chase’s motion to dismiss in its entirety.

California's Financial Information Privacy Act Affiliate Sharing Provisions Narrowly Survive Complete Preemption

On September 4, 2008, in American Bankers Association v. Lockyer, No. 05-17163, 2008 WL 4070308 (9th Cir. Sept. 4, 2008), the Ninth Circuit Court of Appeals revived part of the California Financial Information Privacy Act (“S.B. 1”), allowing consumers to opt out of certain information-sharing activities between financial institutions and their affiliates. Previously, in the 2005 case American Bankers Ass'n. v. Gould, 412 F.3d 1081 (9th Cir. 2005), the Ninth Circuit ruled that the state statute was preempted by provisions of the Fair Credit Reporting Act (“FCRA”) regarding affiliate sharing of “consumer report” information. The recent 2-1 decision preserves consumers’ rights under California law to restrict affiliate data-sharing related to non-consumer report information.

S.B. 1 sets forth a broad restriction on the sharing of consumer information with affiliates, stating that “[a] financial institution shall not disclose to, or share a consumer’s nonpublic personal information with, an affiliate unless the financial institution has clearly and conspicuously notified the consumer annually in writing . . . that the nonpublic personal information may be disclosed to an affiliate of the financial institution and the consumer has not directed that the nonpublic personal information not be disclosed.” 

FCRA similarly restricts such affiliate sharing; however, FCRA only applies to “consumer report” information. As defined by FCRA, consumer report information is information used to determine a consumer’s eligibility for credit, insurance or employment.  In particular, consumer report information may include any information “bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living which is used or expected to be used or collected in whole or in part” for purposes of determining eligibility for credit, insurance or employment. Section 625(b)(2) of FCRA preempts states from regulating the exchange of information among affiliates.   

Accordingly, in Gould, the Ninth Circuit held that FCRA preempted S.B. 1 insofar as both laws regulated the sharing of consumer report information with affiliates. The Ninth Circuit remanded the case to determine whether S.B. 1’s restrictions on affiliate-sharing with respect to non-consumer report information were severable, and thus, could survive preemption. On remand, a federal district court held that since the court lacked the power to sever the preempted applications of S.B. 1, the statute’s affiliate-sharing restrictions were preempted entirely.  

The Ninth Circuit reversed the district court’s ruling. In Lockyer, the Ninth Circuit looked to whether California law permits the court to narrow S.B. 1’s application to avoid complete preemption. The court determined that if the Legislature’s intent “clearly would be furthered by application of the revised version rather than by the alternative of invalidation,” then the court “must revise the statute.”  From the language of the statute, the Ninth Circuit found that the California Legislature “would have preferred a narrowed version of [S.B. 1] to no version at all.” Moreover, S.B. 1 contained a severability clause in its enactment of the law – further proof that reforming S.B. 1 to sever its preempted applications would best effectuate the Legislature’s intent.  Thus, because S.B. 1 has non-preempted applications, FCRA does not preempt those provisions of S.B. 1 that do not relate to consumer report information. 

As a result, certain banks and financial institutions should be mindful that, in addition to the affiliate-sharing restrictions contained in FCRA, California law may require them to provide customers an opportunity to opt out of data-sharing arrangements with affiliates involving non-consumer report information.

Affiliate Marketing Rule Alert: Compliance Deadline is October 1, 2008

Section 214 of the Fair and Accurate Credit Transactions Act (“FACTA”) was enacted to amend the Fair Credit Reporting Act (the “Act”) to give consumers the right to restrict certain entities from using certain information received from their affiliates to make solicitations to that consumer unless the consumer has been provided (1) “clear and conspicuous” notice that the consumer’s information will be shared for such purposes, and (2) an opportunity to opt out of having such information shared for such purposes.

On November 7, 2007, the Federal Deposit Insurance Corporation, the Federal Reserve Board, the Office of the Comptroller of the Currency, the Office of Thrift Supervision and the National Credit Union Administration issued a joint final rule (along with the Federal Trade Commission (FTC) and the Securities and Exchange Commission (SEC), which separately adopted and proposed, respectively, similar regulations) under the amended Act (the “Affiliate Marketing Rule” or “Final Rule,” codified at 12 C.F.R. Parts 41, 222, 334, 571 and 717) governing the use of specific consumer information obtained by covered entities from their affiliates for certain marketing purposes.

The Affiliate Marketing Rule became effective on January 1, 2008, and compliance by covered entities is required by October 1, 2008.

Summary of the Final Rule’s Requirements

In general, the Affiliate Marketing Rule prohibits a “person” from using consumer “eligibility information” received from a corporate “affiliate” for making marketing “solicitations” to the consumer, unless:  

  • the consumer is first given a clear, conspicuous, concise and written notice explaining that the person may use eligibility information about that consumer received from an affiliate to make solicitations for marketing purposes;
  • the consumer is first given a reasonable opportunity and a reasonable and simple method to “opt out,” or prohibit the use of the eligibility information to make solicitations for marketing purposes; and
  • the consumer has not opted out thereof. 

Opt-Out Requirements

The opt-out notice must be delivered “so that each consumer can be reasonably expected to receive actual notice.” Examples of delivery methods that can be reasonably expected to provide actual notice include hand-delivery, mailing a printed copy of the notice to the consumer’s last known address, e-mail to consumers who have agreed to receive electronic disclosures from the affiliate providing notice, and posting the notice on a website at which the consumer obtained a product or service electronically and requiring the consumer to acknowledge receipt of the notice.

Once notice has been delivered, a consumer must be given a reasonable opportunity to opt out, and the reasonable opportunity to opt out must be accompanied by a “reasonable and simple” method for exercising the opt-out right, such as a conspicuous check box, a reply form and a self-addressed envelope with the opt-out notice, a toll-free telephone number, and an electronic opt out.

Consumer opt outs must be honored for 5 years, and a renewal notice must be sent to the consumer before the expiration of the initial 5-year opt-out period, giving the consumer an opportunity to extend the opt-out for an additional 5 years. The Final Rule includes model forms that may be used to comply with the Final Rule’s requirements.

Key Definitions

Under the Final Rule, “affiliates” are companies that are related by common ownership or common corporate control with one another. A “solicitation” means the marketing of a product or service initiated by a person to a particular consumer that is based on eligibility information communicated to that person by its affiliate and intended to encourage the consumer to purchase or obtain such product or service. (Communications aimed at the general public such as television or billboard advertisements are not “solicitations,” but marketing emails, telemarketing calls and direct mailings aimed at particular consumers are considered “solicitations.”) 

“Eligibility information,” as defined by the Rule, encompasses any information that, if communicated, would constitute a “consumer report” (as such term is defined by the Act) but for specific statutory exclusions. “Eligibility information” might include, for example, a person’s own transaction or experience information and information from consumer reports or applications, but does not, however, include aggregate or blind data that does not contain personal identifiers. 

Exceptions

The provisions of the Affiliate Marketing Rule do not apply to certain uses of eligibility information obtained from an affiliate in certain situations, including:

  • to make a marketing solicitation to a consumer with whom the person has a “pre-existing business relationship” as that term is defined in the Rule;
  • to facilitate certain communications to a consumer for whose benefit the company has provided employee benefits or other services;
  • to perform services on behalf of an affiliate, except that this does not permit a person to send solicitations on behalf of an affiliate if the affiliate would not be permitted to send the solicitation on its own behalf due to the consumer’s opt-out election;
  • in response to a communication initiated by the consumer;
  • in response to a consumer’s authorization or request to receive a solicitation; and
  • if compliance with the Final Rule would prevent the person from complying with state insurance laws relating to unfair discrimination.

As the compliance deadline quickly approaches, it is important for covered entities to understand that the potential consequences of non-compliance with the Final Rule’s requirements not only could include enforcement by the applicable federal banking agency or the FTC (if the FTC has jurisdiction over such covered entity), but also could result in civil liability to affected consumers (including punitive damages for certain willful actions, as well as attorneys’ fees).

Red Flag Alert -- Compliance Deadline is November 1, 2008

According to regulations published by the Federal Trade Commission and the federal banking agencies, covered companies that hold any customer accounts must implement identity theft prevention programs that identify and detect “Red Flags” signaling possible identity theft.  Companies establishing such programs must create policies and procedures not only to recognize and detect Red Flags, but also to respond to Red Flags by preventing or mitigating potential identity theft. Furthermore, companies must develop reasonable policies and procedures to verify the identity of a customer opening an account, and must also periodically update their identity theft programs.  The rules went into effect on January 1, 2008, and businesses must comply by November 1, 2008.  You can read more about Red Flags in this Client Alert.

Expiration Date Imminent for Many FACTA Class Actions

New amendments to the Fair and Accurate Credit Transactions Act (“FACTA”) (itself an amendment to the Fair Credit Reporting Act (“FCRA”)) bar consumers from alleging willful violation and seeking statutory damages based on the printing of credit card expiration dates on receipts where the account number is otherwise properly truncated in accordance with FACTA. This development means the end is near for scores of class action lawsuits filed last year.

FACTA prohibits the printing of more than five digits of a credit or debit card number or the expiration date on receipts provided to a customer. Since December 4, 2006, consumers have filed hundreds of suits against merchants who allegedly printed a truncated account number and the expiration dates on receipts, arguing that those merchants “willfully” violated FACTA, and seeking $100 to $1,000 for each violation. At least one court has interpreted FACTA to apply to electronic receipts as well as printed ones.

As discussed here last year, the Supreme Court ruled in Safeco Insurance Co. of America, et al. v. Burr, et al. that reckless disregard of the requirements of FCRA can constitute willful violation. The court left open the question of whether it was objectively reasonable for merchants to continue to print expiration dates on customer receipts after the date for compliance with FACTA had passed.

In response to the widespread FACTA litigation, Congress amended FCRA to prevent certain putative consumer class actions. The “Credit and Debit Card Receipt Clarification Act of 2007” (“the Act”), signed by President Bush on June 3, amends FCRA to specify that printing expiration dates on receipts where the account number is otherwise properly truncated does not in and of itself constitute willful noncompliance.  Consumers will not be entitled to pursue suits claiming willful violation, and thus not be entitled to seek statutory damages, merely because an expiration date is printed on an otherwise compliant receipt.  The Act does not affect negligence suits filed by consumers who can show actual harm as a result of the printing of the expiration date, or suits against merchants who are otherwise not in compliance with FACTA’s requirements.  The Act applies to any company that printed an expiration date on any receipt provided to a consumer cardholder at a point of sale or transaction between December 4, 2004, and the date of the enactment. 

Proskauer summer associate Nicole Ross contributed to this post.

When Reckless Means Willful - High Court Issues Landmark Decision Under the Fair Credit Reporting Act

Since December 4, 2006, consumers have filed dozens of class actions against retailers and other businesses across the country alleging “willful” violations of the Fair and Accurate Credit Transactions Act (“FACTA”) amendments to the Fair Credit Reporting Act (“FCRA”), prohibiting the printing of more than five digits, or the expiration date, of a credit card on receipts provided to the customer. Defendants in those cases have been waiting anxiously for the Supreme Court to rule in Safeco Insurance Co. of America, et al. v. Burr, et al., 551 U.S. _____ (2007), a factually inapposite matter in which the Court granted certiorari to determine whether “reckless disregard” suffices for willfulness under the statute. In a decision that raises as many questions as it answers, the Supreme Court held on June 4, 2007 that “reckless” failure to comply with FCRA can be considered willful. The Court’s opinion begs the question whether it was objectively reasonable for retailers to continue the printing of expiration dates on customer receipts after FACTA took full effect.


Defendants who "willfully" violate FCRA are subject to significant statutory damages of $100 to $1,000 for every instance of violation, as well as punitive damages. Safeco involved notice obligations to consumers regarding adverse action based on consumer reports, but the relevant provision of FCRA - §1681n(a) - imposes penalties for violation of other provisions of the statute, including the FACTA amendments mandating credit card truncation. Unfortunately, after Safeco, the boundaries of what constitutes "willful" remain unclear.

Safeco Insurance Co. and GEICO were involved in separate suits, both in the Ninth Circuit, that were consolidated to resolve a Circuit split as to whether Section 1681n(a) reaches "reckless disregard." The Ninth Circuit held that a defendant "willfully" fails to comply with FCRA if it acts with "reckless disregard" of a consumer’s rights.

The high Court was quick to point out that "willfully" is a "‘word of many meanings whose construction is often dependent on the context in which it appears’" (quoting Bryan v. United States, 524 U.S. 184, 191 (1998) (internal quotation marks omitted)). Although the Court did not furnish a clear-cut definition, it confirmed that reckless disregard - or "action entailing ‘an unjustifiably high risk of harm that is either known or so obvious that it should be known’" - can be considered willful. The defendant’s actions must be objectively unreasonable. "[A] company subject to FCRA does not act in reckless disregard of it unless the action is not only a violation under a reasonable reading of the statute’s terms, but shows that the company ran a risk of violating the law substantially greater than the risk associated with a reading that was merely careless." The Court did not find it necessary to identify the "negligence/recklessness line." However, it is clear that a defendant need not have actual knowledge of a violation to be found to have willfully violated the statute.

Both the Safeco and GEICO cases stemmed from an insurance company’s notice obligations to certain customers under Section 1681m. Under that provision, companies must inform a customer if "adverse action" is taken based in whole or in part on information contained in the customer’s consumer report. Since the initial rate offered by GEICO to the plaintiff/respondent was the one he would have received if his credit score had not been taken into account, the Court determined that GEICO had not violated the statute at all, let alone willfully. The Court found that Safeco Insurance Co. did violate FCRA by failing to notify certain individuals based on its erroneous determination that the statute did not apply to initial insurance applications.

However, the Court ruled that Safeco’s conduct fell short of action with "unjustifiably high risk" of violating the statute. Its interpretation of the statute, while "erroneous, was not objectively unreasonable," because Safeco’s position had a "foundation in the statutory text." Invoking authority holding that the determination of reasonableness for qualified immunity purposes is guided by legal rules that were "clearly established" at the time, the Court also acknowledged that, "[b]efore these cases, no court of appeals had spoken on the issue, and no authoritative guidance has yet come from" the Federal Trade Commission. The Court did not address the question of whether good-faith reliance on legal advice should render companies immune to claims under Section 1681n(a), but did "not foreclose the possibility."

Safeco’s Implications

The impact of this decision extends far beyond notification of adverse actions taken by insurance companies. Currently pending are the dozens of FACTA class action lawsuits alleging willful violations of FACTA’s prohibition on printing more than five digits, or the expiration date, of a credit card on receipts provided to the customer. It remains to be seen how those courts will apply the rule enunciated in Safeco. However, given (a) the dearth of legal authority or guidance on the proper interpretation of the FACTA provision at issue in those cases, Section 1681c(g) - a provision that did not even go into full effect until December 4, 2006; (b) the lack of any apparent connection between the printing of an expiration date and the risk of identity theft; and (c) the large number of businesses that plaintiffs have accused of violating the language of the statute, there exists ample ground for a court to find that a retailer’s decision to continue printing expiration dates on receipts after FACTA was not objectively unreasonable.