Northern District of Illinois Foreshadows Tough Row[e] to Hoe for Identity Exposure Plaintiff, but Denies Motion to Dismiss

On January 5, 2010, Judge William Hibbler of the U.S. District Court for the Northern District of Illinois became the latest federal district judge to share his views about whether an increased risk of future harm based on the inadvertent exposure of personal information is a legally cognizable harm. In Rowe v. UniCare Life & Health Insurance Co., No. 1:09-cv-2286 (N.D. Ill. Jan. 5, 2010), Judge Hibbler denied the defendant’s motion to dismiss for failure to state a claim because, in his view, after drawing all reasonable inferences in the plaintiff’s favor, the plaintiff’s complaint satisfied the minimal pleading standard required to survive a motion to dismiss. Nevertheless, in his written opinion, Judge Hibbler hinted that the plaintiff’s claims for violations of the Fair Credit Reporting Act (“FCRA”) and the Illinois Insurance Information and Privacy Act, as well as his common law claims of invasion of privacy, negligence and breach of implied contract, may ultimately be dismissed if the plaintiff failed to show a basis for damages other than his alleged increased risk of future harm, such as identity theft.

In April 2008, UniCare informed some members of its health insurance plans that some of their personal information was temporarily accessible to the public on the Internet. In response to UniCare’s notice, the plaintiff sued alleging that UniCare’s inadvertent disclosure of his personal information harmed him in the following ways: created anxiety and emotional distress, increased his risk of identity theft, forced him to spend time and money monitoring his credit, compromised his possessory rights in his information and invaded his privacy. UniCare then filed a motion to dismiss the complaint which focused chiefly on the plaintiff’s failure to allege that any unauthorized person actually viewed the inadvertently exposed information.

At the outset of the opinion, noting that at the motion to dismiss stage disclosure to a third party could be inferred from the plaintiff’s complaint, the court ruled that UniCare’s inadvertent disclosure might constitute a “communication” of consumer report information and thus refused to dismiss the plaintiff’s FCRA claims. The court then examined the plaintiff’s remaining claims – all of which, according to UniCare, required a showing of damages to state a valid cause of action – in relation to the various harms plaintiff claimed to have suffered due to the disclosure of his information. In each instance, the court found that even though the evidence might ultimately not support the plaintiff’s theories of damage, drawing all inferences in the plaintiff’s favor as the court must on a motion to dismiss, his complaint satisfied the liberal pleading standard set forth in the Federal Rules of Civil Procedure.

But Judge Hibbler did make clear that the Illinois Supreme Court’s decision in Williams v. Manchester, 229 Ill. 2d 404 (2008), ruled out the possibility that “the exposure of personal information might be the present injury providing the basis for recovery of damages for increased risk of future harm.” Rather, as Judge Hibbler stated, “Rowe may collect damages based on the increased risk of future harm he incurred, but only if he can show that he suffered from some present injury beyond the mere exposure of his information to the public.” Moreover, while the court did not find the Seventh Circuit’s reasoning in Pisciotta v. Old National Bancorp (see our blog post here) entirely persuasive, the court held that “the costs of credit monitoring services are not a present harm in and of themselves.”

Though some might view this decision as a victory for plaintiffs and their lawyers, it also further illustrates the level of judicial skepticism toward “identity theft exposure” claims and makes it even more difficult for plaintiffs to argue that an increased risk of harm based on the exposure of personal information, without more, is a harm that the law should recognize.
 

Red Flags and Address Discrepancies FAQs

On Thursday, the staff of the Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, National Credit Union Administration, Office of the Comptroller of the Currency, Office of Thrift Supervision and the Federal Trade Commission issued a set of Frequently Asked Questions (FAQs) to assist financial institutions, creditors, users of consumer reports, and card issuers in complying with the Red Flags and Address Discrepancies Rules under FACTA.  Among the answers to the FAQs:

  • Although there is no specific record retention requirement under the Rules, covered entities must be able to demonstrate that they have complied with the requirements of the Rules;
  • All banks, savings associations, and credit unions are covered by the Red Flags Rules as “financial institutions,” whether or not they hold a transaction account belonging to a consumer;
  • The Red Flags Rules do not apply to the foreign branches of U.S. banks but, as a matter of safety and soundness, financial institutions are strongly encouraged to implement an effective identity theft prevention program throughout their operations, including in their foreign offices, consistent with local laws;
  • “Covered accounts” include accounts established in the U.S. by non-U.S. residents;
  • A broker, dealer, investment advisor, or investment or insurance company that is a “financial institution” or “creditor” under the FCRA is covered by the Red Flags Rules, including any such entity that is a subsidiary of a bank or savings association;
  • Corporate credit unions are covered by the Red Flags Rules;
  • If a consumer loan is purchased by another financial institution or creditor, then that entity becomes responsible for applying its Identity Theft Prevention Program to the loan as an existing covered account;
  • The Address Discrepancy Rules only apply to notices of address discrepancy received from an NCRA (Experian, Equifax, and TransUnion).  However,  a notification of address discrepancy received from an entity that is not an NCRA may be a red flag for purposes of the Red Flags Rules;
  • If a consumer withdraws his or her application to open a new account, a user of a consumer report that receives a notice of address discrepancy need not take steps to establish a reasonable belief that the consumer report relates to the consumer.

For more, check out the FAQs here, and our prior discussions of the Red Flags and Address Discrepancy Rules here.

Florida Cases Remind Retailers that Printing Expiration Dates after Enactment of the Receipt Clarification Act Violates FACTA

The Fair and Accurate Credit Transactions Act (“FACTA”) amendments to the Fair Credit Reporting Act prohibit, among other things, the printing of expiration dates on receipts presented to credit or debit card holders.  Two recent cases from the U.S. District Court for the Southern District of Florida, Smith v. Zazzle.com, Inc. (see our blog post here) and Smith v. Under Armour, Inc., reject prior holdings that the term “print” is broad enough to encompass the information included when a seller electronically transmits a receipt.  These cases also make clear, as we stated in our June 18, 2008 post, that businesses printing expiration dates after the June 3, 2008 enactment of the Credit and Debit Card Receipt Clarification Act of 2007 (“Clarification Act”) are violating FACTA’s truncation requirements. In fact, the Zazzle.com case specifically mentions that the Clarification Act does not apply because the conduct complained of occurred after the Act’s enactment.

The Clarification Act, which shielded from a finding of willful noncompliance with FACTA any business that printed an expiration date on a cardholder receipt between December 4, 2004 and the enactment of the Clarification Act, did not completely eliminate the statutory requirement to not print expiration dates on cardholder receipts.  Accordingly, businesses that print expiration dates on such receipts after June 3, 2008, even when card numbers are properly truncated, may incur liability under FACTA.

California's Financial Information Privacy Act Affiliate Sharing Provisions Narrowly Survive Complete Preemption

On September 4, 2008, in American Bankers Association v. Lockyer, No. 05-17163, 2008 WL 4070308 (9th Cir. Sept. 4, 2008), the Ninth Circuit Court of Appeals revived part of the California Financial Information Privacy Act (“S.B. 1”), allowing consumers to opt out of certain information-sharing activities between financial institutions and their affiliates. Previously, in the 2005 case American Bankers Ass'n. v. Gould, 412 F.3d 1081 (9th Cir. 2005), the Ninth Circuit ruled that the state statute was preempted by provisions of the Fair Credit Reporting Act (“FCRA”) regarding affiliate sharing of “consumer report” information. The recent 2-1 decision preserves consumers’ rights under California law to restrict affiliate data-sharing related to non-consumer report information.

S.B. 1 sets forth a broad restriction on the sharing of consumer information with affiliates, stating that “[a] financial institution shall not disclose to, or share a consumer’s nonpublic personal information with, an affiliate unless the financial institution has clearly and conspicuously notified the consumer annually in writing . . . that the nonpublic personal information may be disclosed to an affiliate of the financial institution and the consumer has not directed that the nonpublic personal information not be disclosed.” 

FCRA similarly restricts such affiliate sharing; however, FCRA only applies to “consumer report” information. As defined by FCRA, consumer report information is information used to determine a consumer’s eligibility for credit, insurance or employment.  In particular, consumer report information may include any information “bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living which is used or expected to be used or collected in whole or in part” for purposes of determining eligibility for credit, insurance or employment. Section 625(b)(2) of FCRA preempts states from regulating the exchange of information among affiliates.   

 

Accordingly, in Gould, the Ninth Circuit held that FCRA preempted S.B. 1 insofar as both laws regulated the sharing of consumer report information with affiliates. The Ninth Circuit remanded the case to determine whether S.B. 1’s restrictions on affiliate-sharing with respect to non-consumer report information were severable, and thus, could survive preemption. On remand, a federal district court held that since the court lacked the power to sever the preempted applications of S.B. 1, the statute’s affiliate-sharing restrictions were preempted entirely.  

 

The Ninth Circuit reversed the district court’s ruling. In Lockyer, the Ninth Circuit looked to whether California law permits the court to narrow S.B. 1’s application to avoid complete preemption. The court determined that if the Legislature’s intent “clearly would be furthered by application of the revised version rather than by the alternative of invalidation,” then the court “must revise the statute.”  From the language of the statute, the Ninth Circuit found that the California Legislature “would have preferred a narrowed version of [S.B. 1] to no version at all.” Moreover, S.B. 1 contained a severability clause in its enactment of the law – further proof that reforming S.B. 1 to sever its preempted applications would best effectuate the Legislature’s intent.  Thus, because S.B. 1 has non-preempted applications, FCRA does not preempt those provisions of S.B. 1 that do not relate to consumer report information. 

 

As a result, certain banks and financial institutions should be mindful that, in addition to the affiliate-sharing restrictions contained in FCRA, California law may require them to provide customers an opportunity to opt out of data-sharing arrangements with affiliates involving non-consumer report information.

 

Affiliate Marketing Rule Alert: Compliance Deadline is October 1, 2008

Section 214 of the Fair and Accurate Credit Transactions Act (“FACTA”) was enacted to amend the Fair Credit Reporting Act (the “Act”) to give consumers the right to restrict certain entities from using certain information received from their affiliates to make solicitations to that consumer unless the consumer has been provided (1) “clear and conspicuous” notice that the consumer’s information will be shared for such purposes, and (2) an opportunity to opt out of having such information shared for such purposes.

On November 7, 2007, the Federal Deposit Insurance Corporation, the Federal Reserve Board, the Office of the Comptroller of the Currency, the Office of Thrift Supervision and the National Credit Union Administration issued a joint final rule (along with the Federal Trade Commission (FTC) and the Securities and Exchange Commission (SEC), which separately adopted and proposed, respectively, similar regulations) under the amended Act (the “Affiliate Marketing Rule” or “Final Rule,” codified at 12 C.F.R. Parts 41, 222, 334, 571 and 717) governing the use of specific consumer information obtained by covered entities from their affiliates for certain marketing purposes.

The Affiliate Marketing Rule became effective on January 1, 2008, and compliance by covered entities is required by October 1, 2008.

Summary of the Final Rule’s Requirements

In general, the Affiliate Marketing Rule prohibits a “person” from using consumer “eligibility information” received from a corporate “affiliate” for making marketing “solicitations” to the consumer, unless:  

  • the consumer is first given a clear, conspicuous, concise and written notice explaining that the person may use eligibility information about that consumer received from an affiliate to make solicitations for marketing purposes;
  • the consumer is first given a reasonable opportunity and a reasonable and simple method to “opt out,” or prohibit the use of the eligibility information to make solicitations for marketing purposes; and
  • the consumer has not opted out.

Opt-Out Requirements

The opt-out notice must be delivered “so that each consumer can be reasonably expected to receive actual notice.” Examples of delivery methods that can be reasonably expected to provide actual notice include hand-delivery, mailing a printed copy of the notice to the consumer’s last known address, e-mail to consumers who have agreed to receive electronic disclosures from the affiliate providing notice, and posting the notice on a website at which the consumer obtained a product or service electronically and requiring the consumer to acknowledge receipt of the notice.

Once notice has been delivered, a consumer must be given a reasonable opportunity to opt out, and the reasonable opportunity to opt out must be accompanied by a “reasonable and simple” method for exercising the opt-out right, such as a conspicuous check box, a reply form and a self-addressed envelope with the opt-out notice, a toll-free telephone number, and an electronic opt out.

Consumer opt outs must be honored for 5 years, and a renewal notice must be sent to the consumer before the expiration of the initial 5-year opt-out period, giving the consumer an opportunity to extend the opt-out for an additional 5 years. The Final Rule includes model forms that may be used to comply with the Final Rule’s requirements.

Key Definitions

Under the Final Rule, “affiliates” are companies that are related by common ownership or common corporate control with one another. A “solicitation” means the marketing of a product or service initiated by a person to a particular consumer that is based on eligibility information communicated to that person by its affiliate and intended to encourage the consumer to purchase or obtain such product or service. (Communications aimed at the general public such as television or billboard advertisements are not “solicitations,” but marketing emails, telemarketing calls and direct mailings aimed at particular consumers are considered “solicitations.”) 

“Eligibility information,” as defined by the Rule, encompasses any information that, if communicated, would constitute a “consumer report” (as such term is defined by the Act) but for specific statutory exclusions. “Eligibility information” might include, for example, a person’s own transaction or experience information and information from consumer reports or applications, but does not, however, include aggregate or blind data that does not contain personal identifiers. 

Exceptions

The provisions of the Affiliate Marketing Rule do not apply to certain uses of eligibility information obtained from an affiliate in certain situations, including:

  • to make a marketing solicitation to a consumer with whom the person has a “pre-existing business relationship” as that term is defined in the Rule;
  • to facilitate certain communications to a consumer for whose benefit the company has provided employee benefits or other services;
  • to perform services on behalf of an affiliate, except that this does not permit a person to send solicitations on behalf of an affiliate if the affiliate would not be permitted to send the solicitation on its own behalf due to the consumer’s opt-out election;
  • in response to a communication initiated by the consumer;
  • in response to a consumer’s authorization or request to receive a solicitation; and
  • if compliance with the Final Rule would prevent the person from complying with state insurance laws relating to unfair discrimination.

As the compliance deadline quickly approaches, it is important for covered entities to understand that the potential consequences of non-compliance with the Final Rule’s requirements not only could include enforcement by the applicable federal banking agency or the FTC (if the FTC has jurisdiction over such covered entity), but also could result in civil liability to affected consumers (including punitive damages for certain willful actions, as well as attorneys’ fees).

Red Flag Alert -- Compliance Deadline is November 1, 2008

According to regulations published by the Federal Trade Commission and the federal banking agencies, covered companies that hold any customer accounts must implement identity theft prevention programs that identify and detect “Red Flags” signaling possible identity theft.  Companies establishing such programs must create policies and procedures not only to recognize and detect Red Flags, but also to respond to Red Flags by preventing or mitigating potential identity theft. Furthermore, companies must develop reasonable policies and procedures to verify the identity of a customer opening an account, and must also periodically update their identity theft programs.  The rules went into effect on January 1, 2008, and businesses must comply by November 1, 2008.  You can read more about Red Flags in this Client Alert.

Expiration Date Imminent for Many FACTA Class Actions

New amendments to the Fair and Accurate Credit Transactions Act (“FACTA”) (itself an amendment to the Fair Credit Reporting Act (“FCRA”)) bar consumers from alleging willful violation and seeking statutory damages based on the printing of credit card expiration dates on receipts where the account number is otherwise properly truncated in accordance with FACTA. This development means the end is near for scores of class action lawsuits filed last year.

FACTA prohibits the printing of more than five digits of a credit or debit card number or the expiration date on receipts provided to a customer. Since December 4, 2006, consumers have filed hundreds of suits against merchants who allegedly printed a truncated account number and the expiration dates on receipts, arguing that those merchants “willfully” violated FACTA, and seeking $100 to $1,000 for each violation. At least one court has interpreted FACTA to apply to electronic receipts as well as printed ones.

As discussed here last year, the Supreme Court ruled in Safeco Insurance Co. of America, et al. v. Burr, et al. that reckless disregard of the requirements of FCRA can constitute willful violation. The court left open the question of whether it was objectively reasonable for merchants to continue to print expiration dates on customer receipts after the date for compliance with FACTA had passed.

In response to the widespread FACTA litigation, Congress amended FCRA to prevent certain putative consumer class actions. The “Credit and Debit Card Receipt Clarification Act of 2007” (“the Act”), signed by President Bush on June 3, amends FCRA to specify that printing expiration dates on receipts where the account number is otherwise properly truncated does not in and of itself constitute willful noncompliance.  Consumers will not be entitled to pursue suits claiming willful violation, and thus not be entitled to seek statutory damages, merely because an expiration date is printed on an otherwise compliant receipt.  The Act does not affect negligence suits filed by consumers who can show actual harm as a result of the printing of the expiration date, or suits against merchants who are otherwise not in compliance with FACTA’s requirements.  The Act applies to any company that printed an expiration date on any receipt provided to a consumer cardholder at a point of sale or transaction between December 4, 2004, and the date of the enactment. 

Proskauer summer associate Nicole Ross contributed to this post.

When Reckless Means Willful - High Court Issues Landmark Decision Under the Fair Credit Reporting Act

Since December 4, 2006, consumers have filed dozens of class actions against retailers and other businesses across the country alleging “willful” violations of the Fair and Accurate Credit Transactions Act (“FACTA”) amendments to the Fair Credit Reporting Act (“FCRA”), prohibiting the printing of more than five digits, or the expiration date, of a credit card on receipts provided to the customer. Defendants in those cases have been waiting anxiously for the Supreme Court to rule in Safeco Insurance Co. of America, et al. v. Burr, et al. 551 U.S. _____ (2007), a factually inapposite matter in which the Court granted certiorari to determine whether “reckless disregard” suffices for willfulness under the statute. In a decision that raises as many questions as it answers, the Supreme Court held on June 4, 2007 that “reckless” failure to comply with FCRA can be considered willful. The Court’s opinion begs the question whether it was objectively reasonable for retailers to continue the printing of expiration dates on customer receipts after FACTA took full effect.


Defendants who "willfully" violate FCRA are subject to significant statutory damages of $100 to $1,000 for every instance of violation, as well as punitive damages. Safeco involved notice obligations to consumers regarding adverse action based on consumer reports, but the relevant provision of FCRA - §1681n(a) - imposes penalties for violation of other provisions of the statute, including the FACTA amendments mandating credit card truncation. Unfortunately, after Safeco, the boundaries of what constitutes "willful" remain unclear.

Safeco Insurance Co. and GEICO were involved in separate suits, both in the Ninth Circuit, that were consolidated to resolve a Circuit split as to whether Section 1681n(a) reaches "reckless disregard." The Ninth Circuit held that a defendant "willfully" fails to comply with FCRA if it acts with "reckless disregard" of a consumer’s rights.

The high Court was quick to point out that "willfully" is a "‘word of many meanings whose construction is often dependent on the context in which it appears’" (quoting Bryan v. United States, 524 U.S. 184, 191 (1998) (internal quotation marks omitted)). Although the Court did not furnish a clear-cut definition, it confirmed that reckless disregard - or "action entailing ‘an unjustifiably high risk of harm that is either known or so obvious that it should be known’" - can be considered willful. The defendant’s actions must be objectively unreasonable. "[A] company subject to FCRA does not act in reckless disregard of it unless the action is not only a violation under a reasonable reading of the statute’s terms, but shows that the company ran a risk of violating the law substantially greater than the risk associated with a reading that was merely careless." The Court did not find it necessary to identify the "negligence/recklessness line." However, it is clear that a defendant need not have actual knowledge of a violation to be found to have willfully violated the statute.

Both the Safeco and GEICO cases stemmed from an insurance company’s notice obligations to certain customers under Section 1681m. Under that provision, companies must inform a customer if "adverse action" is taken based in whole or in part on information contained in the customer’s consumer report. Since the initial rate offered by GEICO to the plaintiff/respondent was the one he would have received if his credit score had not been taken into account, the Court determined that GEICO had not violated the statute at all, let alone willfully. The Court found that Safeco Insurance Co. did violate FCRA by failing to notify certain individuals based on its erroneous determination that the statute did not apply to initial insurance applications.

However, the Court ruled that Safeco’s conduct fell short of action with "unjustifiably high risk" of violating the statute. Its interpretation of the statute, while "erroneous, was not objectively unreasonable," because Safeco’s position had a "foundation in the statutory text." Invoking authority holding that the determination of reasonableness for qualified immunity purposes is guided by legal rules that were "clearly established" at the time, the Court also acknowledged that, "[b]efore these cases, no court of appeals had spoken on the issue, and no authoritative guidance has yet come from" the Federal Trade Commission. The Court did not address the question of whether good-faith reliance on legal advice should render companies immune to claims under Section 1681n(a), but did "not foreclose the possibility."

Safeco’s Implications

The impact of this decision extends far beyond notification of adverse actions taken by insurance companies. Currently pending are the dozens of FACTA class action lawsuits alleging willful violations of FACTA’s prohibition on printing more than five digits, or the expiration date, of a credit card on receipts provided to the customer. It remains to be seen how those courts will apply the rule enunciated in Safeco. However, given (a) the dearth of legal authority or guidance on the proper interpretation of the FACTA provision at issue in those cases, Section 1681c(g) - a provision that did not even go into full effect until December 4, 2006; (b) the lack of any apparent connection between the printing of an expiration date and the risk of identity theft; and (c) the large number of businesses that plaintiffs have accused of violating the language of the statute, there exists ample ground for a court to find that a retailer’s decision to continue printing expiration dates on receipts after FACTA was not objectively unreasonable.