Massachusetts Federal Judge Says ZIP Code is Definitely Maybe "Personal Identification Information" . . . Implores Parties to Seek State Court Certification.

In an extension of the spate of litigation surrounding California’s Song-Beverly Credit Card Act and other laws like it, the U.S. District Court for the District of Massachusetts in Tyler v. Michaels Stores, Inc., Civ. No. 11-10920-WGY (D. Mass. Jan. 6, 2012), followed the California Supreme Court’s lead (see our blog post here) in ruling that ZIP codes are “personal identification information” within the meaning of Mass. Gen. Laws, ch. 93, § 105(a). The court refused to apply the California Supreme Court’s reasoning that the term “address” in § 105(a)’s definition of PII encompassed individual components of an address, and instead relied on a shaky analogy to PIN code to conclude that “a ZIP code can indeed be PII under section 105(a).” Id. at 12. The court nonetheless dismissed the plaintiff’s putative class action because she failed to allege any legally cognizable harm as a result of Michaels’ collection of her ZIP code in connection with a credit card transaction. The decision is a strange one for a variety of reasons, not the least of which is the court’s insistence on setting the stage of a David vs. Goliath type showdown at the outset of its opinion only to bounce the “little guy” right out of the arena, but here goes …

ZIP Code is Personal Information
The court started its analysis with the language of § 105(a), which states that “[PII] shall include, but shall not be limited to, a credit card holder’s address or telephone number.” The plaintiff argued, as the California Supreme Court held in Pineda v. Williams-Sonoma, that “address” meant each and every component of an address. The Massachusetts court disagreed. Rather, the court found that § 105(a) was intended “to have a much narrower scope than the California statute.” Id. at 8-9. According to the court, when it passed § 105(a), the Massachusetts legislature focused its attention solely on the prevention of identity fraud. (By contrast, the Pineda court found that the California legislature also expressed concern about consumer privacy more generally, including merchants using PII for marketing purposes.) With this perceived legislative focus in mind, the court then considered whether a ZIP code amounted to PII under Massachusetts’ statute criminalizing identity theft. Relying on the definition of PII under Mass. Gen. Laws ch. 266, § 37E, the court concluded that a ZIP code constitutes PII because it “may be used (in conjunction with other data) to identify a specific individual.” Id. at 13. As the court further stated, “the input of a ZIP code during a credit card transaction is the equivalent to the input of a [PIN] in a debit card transaction . . . both a ZIP code and a PIN number may be used fraudulently to assume the identity of the card holder.” Id. at 13-15.

This reasoning, the court said, “is more consistent with the Massachusetts legislative intent to prevent fraud” than the Pineda court’s reasoning. Id. at 15. On the bright side, the court’s devotion to legislative history in Massachusetts may limit the opinion’s persuasiveness outside the Commonwealth. But its persuasiveness is probably limited anyway since the reasoning seemingly ignores obvious distinctions between ZIP codes and PINs, including that ZIP codes are assigned by the U.S. Postal Service to help deliver mail to potentially hundreds of people whereas PINs are typically self-selected by individuals so that they can access a specific financial account. Really, unless you’re at a gas station that requires you to enter a ZIP code to use a credit card, the ZIP code and PIN analogy doesn’t work . . . and it’s not even a close call!

Electronic Card Terminal is a Transaction Form
Michaels argued that it did not violate § 105(a)’s prohibition against writing PII “on the credit card transaction form” because § 105(a) did not encompass electronically stored transaction forms. The court rejected this argument principally because the language of § 105(a) did not distinguish between paper and electronic transaction forms in its application to “all credit card transactions.” Id. at 16. This explanation should have sufficed. But the court continued, and muddied the waters a bit, by articulating the relationship between receipts and transaction forms in a way that suggests that receipts simultaneously are and are not credit card transaction forms. Id. at 17-18, & n.7.

Lack of Harm Dooms Tyler’s Claims
Notwithstanding all the court did to explain how the plaintiff successfully stated a violation of § 105(a), the court still refused to entertain the plaintiff’s statutory claims against Michaels. According to the court, a valid claim under Chapter 93A requires a showing of “an injury or loss suffered by the consumer” as well as “a causal connection between the defendant’s deceptive act or practice and the consumer’s injury.” Id. at 19. Unfortunately for the plaintiff, the court concluded that neither the simple fact of a violation of § 105(a), nor the alleged “misappropriation” of her valuable PII (whether or not it was used to send her unwanted commercial advertising), amounted to a legally cognizable injury. Similarly, the court explained in a lengthy footnote, Tyler’s alleged injuries failed to establish her Article III standing to sue Michaels in federal court. Id. at 22, n.8. As such, the court granted Michaels’ motion to dismiss as to the plaintiff’s § 105(a) claims. Out you go, David!

Unjust Enrichment Claims Fail
As with her § 105(a) claims, the court dismissed the plaintiff’s unjust enrichment claim because she failed to allege all of the essential elements of the claim. In the court’s opinion, Tyler failed to establish that any “reasonable person would expect compensation for providing a ZIP code to a merchant.” Id. at 27. This, according to the court, negated any assertion by the plaintiff that Michaels’ acceptance and retention of the “benefit” of her ZIP code was unjust. Once again, that explanation should have sufficed. But again, the court elaborated. And in doing so it undercut its prior conclusions as to whether ZIP codes are PII by stating that “[a]rguably the recording of these ZIP codes constitutes a statutory violation, because certain credit card issuers do not require Michaels to request customers’ ZIP codes to process the transaction.” Id. at 28. “Arguably?” Really? Did the court mean what it said when it held that the plaintiff sufficiently alleged a violation of § 105(a) or not? See id. at 18-19.

Plaintiff Not Entitled to Declaratory Relief
Because the Declaratory Judgment Act is not an independent grant of federal jurisdiction, the court was forced to dismiss the plaintiff’s request for declaratory relief along with her other claims.

Court Encourages Certification
Finally, as if imploring the parties to seek further review, the court announced that it would enter a judgment of dismissal “one week from the date of the issuance of this memorandum of decision” in order to give the parties adequate time to move for certification to the Massachusetts Supreme Judicial Court. Id. at 30 & n.10.

So what are we left with? Considering the court’s apparent lack of confidence in its own decision and its near insistence that the parties seek certification of the decision to the Massachusetts Supreme Court, it may be too early to say what, if anything, this decision means for other retailers even in Massachusetts. Is certification actually in order? Probably a tough call when you look at the gap between the accuracy of the result and the accompanying ZIP code reasoning. Retailers who were unhappy with the California Supreme Court’s opinion in Pineda probably will not be any more pleased with the court’s ZIP code reasoning here. But the result? You bet!

Proskauer Lawyers Help Secure Victory for DNA Privacy Rights

On August 25, 2011, the Massachusetts Appeals Court, in a case of first impression, ruled that the state crime lab’s retention of an individual’s DNA sample beyond the limitations promised to him by the police when they took the voluntary sample stated a claim for invasion of privacy and for violation of the state’s Fair Information Practices Act (“FIPA”). The court’s clear holdings that DNA is private information in which citizens have a reasonable expectation of privacy; that the government may not unilaterally determine how long it will retain such information, but must justify that decision; and that the state must honor limitations on consent volunteered by police officers in collecting such information, are all matters of first impression in Massachusetts.

In Amato v. District Attorney, No. 10-P-354 (Mass. Ct. App. Aug. 25, 2011), see slip opinion posted here, the Appeals Court reversed the trial court’s dismissal of the plaintiff’s claims alleging violation of the Fair Information Practices Act, invasion of privacy, and breach of contract and remanded the case for further proceedings. The case, which arose out of the voluntary collection of plaintiff’s DNA in connection with a 2002 murder investigation, challenged the crime lab’s retention of private individuals’ DNA samples despite representations that any samples and related records “would be destroyed and would not become part of any State or Federal database” if they did not match DNA evidence taken at the crime scene. According to the plaintiff, notwithstanding the successful prosecution of the man responsible for the murder, the state’s crime lab refused to destroy his and other DNA samples in its possession despite his repeated requests.

The state trial court dismissed each of the plaintiff’s claims, but the Appeals Court reinstated each of them after finding that “[g]iven the circumstances under which the defendants induced [the plaintiff] and the others to allow access to this intensely private information [i.e., their DNA], including the promises of limited use and retention and the concomitantly restricted scope of consent granted, we are not convinced that the defendants have acted reasonably as matter of law.” In particular, the Appeals Court concluded that (i) plaintiff’s allegations, taken as true, plausibly suggest that the defendants violated the state’s FIPA by maintaining more personal data than reasonably necessary to carry out their statutory functions; (ii) retention of highly sensitive DNA records without consent and making them available for nonconsensual use in other criminal investigations are sufficient to constitute an unreasonable, substantial, and serious interference with an individual’s privacy; and (iii) the detective who sought the plaintiff’s DNA had the authority to bind the department to the limited scope of consent granted for the search and, thus, broader use by the defendants could constitute a breach of contract.

The case is a significant win for privacy advocates and the Firm. Proskauer partner Mark Batten and former associate Sandra Badin handled the matter with assistance from the Firm’s pro bono partner, the ACLU.

Massachusetts AG Says Having a WISP is Not Enough to Comply With Massachusetts Data Security Regulations

The Massachusetts Attorney General's Office and Belmont Savings Bank have agreed to resolve allegations that Belmont Savings Bank has violated the Commonwealth's stringent data security regulations (see our post about 201 CMR 17.00 here) through an Assurance of Discontinuance, which has been filed in Massachusetts state court (see document here). Belmont Savings Bank has agreed to pay a civil penalty of $7,500 and has also agreed to institute new security and training procedures following a breach in May 2011, when an employee left a computer backup tape on a desk overnight, rather than in a storage vault. A surveillance camera showed that the backup tape was inadvertently discarded by the evening cleaning crew and, according to the Attorney General's Office, was likely incinerated by the bank's waste disposal company.

While there is no evidence indicating that any customer's personal information has been acquired or used by an unauthorized person or used for an unauthorized purpose, the Assurance of Discontinuance states that if actual harm to customers results, the Attorney General's Office will reopen discussions in order to determine appropriate restitution. This is the first settlement related to a violation of the Commonwealth's relatively new data security regulations. While the Attorney General's Office entered into a consent agreement with a restaurant chain in April 2011 for data security failures, that alleged breach occurred before the new data security regulations went into effect on March 1, 2010. (See our post about this consent agreement here.)

Importantly, Belmont Savings Bank did have a written information security program (WISP) in place at the time of the breach, as required by Massachusetts's data security regulations. Despite this, the Assurance of Discontinuance requires Belmont Savings Bank to comply with Massachusetts's data security regulations in all respects, including encrypting, to the extent technically feasible, all personal information stored on laptops and other portable devices, including backup tapes. In addition, the Assurance of Discontinuance requires Belmont Savings Bank to comply with the provisions of its own WISP, including (a) ensuring the proper transfer and inventory of backup tapes containing personal information; (b) storing backup tapes containing personal information in a secure location; and (c) effectively training the members of its workforce on the policies and procedures with respect to maintaining the security of personal information.

What message is the Attorney General sending? Complying with the Massachusetts data security regulations on paper alone is not enough. Day-to-day business practices must also be in compliance. Indeed, Attorney General Coakley commented: "Consumers expect businesses to not only develop policies and procedures to safeguard their sensitive personal information, but to follow these procedures as well. Our office will continue to take action against companies that fail to follow protocol to protect the information entrusted to them by customers."

Bay State "Brings It": Attorney General Enters Consent Agreement with Restaurant Group for Data Security Failures

On March 28, 2011, the Massachusetts Superior Court issued a Final Judgment by Consent between the Commonwealth and Briar Group, LLC that resolves allegations that Briar Group failed to take measures to protect consumer credit and debit card information. The Final Judgment stems from an April 2009 information security breach in which outside hackers used malware to gain access to Briar Group’s computer systems and extract payment card information about the company’s restaurant and bar customers. Pursuant to the Final Judgment, Briar Group must pay $110,000 to the Commonwealth, establish a written information security program (“WISP”), and implement a number of other information security measures to help protect customer data.

According to the Attorney General, the Final Judgment “works to ensure that steps have been taken to protect consumer information moving forward.” Although the Commonwealth’s stringent data security regulations (see our post about 201 CMR 17.00 here) did not become effective until after the April 2009 breach, the Attorney General used the regulations as a reference point for identifying deficiencies in the company’s approach to information security. In its complaint against Briar Group, the Attorney General alleged, among other things, that the company (i) failed to change default usernames and passwords for its point-of-sale system, (ii) allowed employees to share passwords, (iii) did not appropriately limit the number of employees with administrative access to company systems, and (iv) stored payment card information in clear text on its servers. Taken together, these deficiencies allowed the breach of Briar Group’s systems to continue unabated until approximately December 2009.

In her announcement of the Final Judgment, Massachusetts Attorney General Martha Coakley explained that her office “will continue to take action against companies that fail to implement basic security measures on their computer systems to protect the sensitive information entrusted to them by consumers.” With this in mind, and 201 CMR 17.00 now firmly entrenched, companies handling personal information about Massachusetts residents should be prepared. Hint: That means have a WISP and follow it!

Massachusetts Data Security Regulations: Your Company May Not Be Located There, But If Your Customers Are, You Need to Comply

As we've discussed in prior posts, newly effective regulations promulgated under Massachusetts’ recent data security law, Mass. Gen. Law ch. 93H, have raised the bar for data security compliance, and they have a long reach. The regulations are national and international in scope, as they apply to all companies – wherever located – using personal data of Massachusetts residents.

Although the deadline for compliance with the Regulations – March 1, 2010 – has come and gone, many companies – some within Massachusetts, but particularly those outside of Massachusetts – are not yet, in fact, compliant. These companies are finding themselves in a position of playing "compliance catch-up." Even companies that were compliant with applicable law prior to the enactment of the Regulations are obligated to review where they stand in light of these new requirements.

In an article just published by the Washington Legal Foundation, we review the requirements of the Massachusetts law and Regulations, including the required written information security program, constraints on third-party providers and vendors, and enforcement mechanisms, among other topics.  "The Bay State Raises the Bar on Personal Data Security: Are You in Compliance?," by Jeffrey D. Neuburger and Natalie Newman is available here.

Massachusetts' Revised Data Security Regulations Extend Deadline (Again) and Soften Some Requirements

Undersecretary Barbara Anthony, of the Massachusetts Office of Consumer Affairs and Business Regulation, announced today revisions to Massachusetts' data security regulations, as well as an extension of the applicable compliance deadline from January 1, 2010 to March 1, 2010. (Before an earlier extension, the compliance deadline was May 1, 2009.)

The revised regulations emphasize their “risk-based” approach, enabling persons covered by the regulations to tailor their information security programs to their size, scope, type of business, resources, amount of personal information, and need. These changes were primarily intended to ease the burden of the regulations on small businesses that may not handle a significant amount of personal information, or may not have the resources to develop a sophisticated security program. That said, the changes apply to all businesses, not just small businesses.

This shift indicates that Undersecretary Anthony, only a few months into her new position, has listened to widespread criticism of the regulations, particularly from small business leaders, and understands their potential impact.

Importantly, the revised regulations add a “to the extent technically feasible” qualifier to all of the regulations’ computer system security requirements, meaning that encryption of personal information in transit and stored on portable devices is only required to the extent “technically feasible.”  Although “technically feasible” is not defined in the regulations themselves, a definition is provided in the Frequently Asked Questions (FAQ) that accompanied the regulations.  In addition, the regulations are technology neutral; in particular, “encryption” now includes any transformation of data into a form in which meaning cannot be assigned “without the use of a confidential process or key.”  (Some will surely argue that this new definition of “encryption” does not necessarily require encryption at all; however, the FAQ suggests that the removal of references to specific technology from the definition was intended to allow for future encryption technologies, not necessarily earlier or less secure technologies.)

Another important change regards the required oversight of service providers.  The revised regulations still require that service providers be bound to comply with the regulations’ standards, but only future service provider agreements must include such a requirement.

Additionally, the new regulations make other changes – such as deleting some of the prior regulations’ more specific requirements.

As noted by Undersecretary Anthony, "these updated regulations feature a fair balance between consumer protections and business realities."

A press release by The Associated Industries of Massachusetts (AIM) specifically expresses AIM’s appreciation for the cooperation of Secretary Barbara Anthony and the assistance of Attorney General Martha Coakley, Representative Michael Rodrigues and Senator Michaela Morrissey over the course of the last several months to develop revised regulations that answer the concerns of the business community.

Public hearings on the revised regulations will be held on September 22, 2009.

This post was contributed to by Amy Crafts, a senior Associate in Proskauer's Boston office and a member of Proskauer's Privacy and Data Security Practice Group.

Massachusetts Regulators Postpone Compliance Deadline and Issue Revised ID Theft Regulations

On Thursday, the Massachusetts Office of Consumer Affairs and Business Regulation (“OCABR”) revised and postponed – for the second time – its comprehensive data security regulations. The new deadline for all covered entities to achieve full compliance with the Massachusetts regulations is January 1, 2010. This fixed deadline replaces a tiered compliance schedule established by OCABR in November 2008 that would have given covered entities until May 1, 2009 to install certain data security safeguards, including encrypting personal information on laptops, and until January 1, 2010 to implement more aggressive security measures. (See our prior post here.)

Responding to the concerns of the regulated community, the OCABR’s revised regulations, 201 CMR 17.00, do not require covered entities to obtain written certification of compliance with the regulations from third party service providers handling personal information on their behalf. Instead, covered entities need only take steps to verify that third party service providers are able to, and do, employ the kind of personal information security measures required by 201 CMR 17.00. The revised regulations are otherwise nearly identical to the OCABR’s earlier version, which is described here.

In the OCABR’s Thursday press release, Undersecretary Daniel Crane expressed the importance of the new regulations to Massachusetts consumers and the need for businesses to take steps toward compliance. As to the revised compliance timeframe, Crane said “[w]e understand the impact of the current business environment, and feel this is an appropriate timeframe for companies to implement the necessary protections.”

MA Delays Implementation of Information Protection Standards

Businesses holding personal information of Massachusetts residents have at least one thing to be thankful for this holiday season.  As reported here, Massachusetts earlier this year established strict standards for protection of personal information about Massachusetts residents. Those standards include encryption of electronic data when stored or transmitted and were set to take effect January 1, 2009.

In light of current economic conditions, the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) delayed the general compliance deadline until May 1, 2009 – the same date the FTC’s new red flag rules take effect (as reported here, here and here).  The OCABR also extended a number of other related deadlines, which are listed in the OCABR’s announcement available here.

Iowa Enacts 43rd State Breach Notification Law

On May 9, 2008, Iowa Governor Chester Culver signed legislation (SF 2308) requiring any person who owns or licenses computerized data that includes a consumer's personal information to give notice of a breach of security. The law does not require notification if, after an appropriate investigation or after consultation with the relevant federal, state, or local agencies responsible for law enforcement, the person determined that no reasonable likelihood of financial harm to the consumers whose personal information has been acquired has resulted or will result from the breach.  Following is an updated list of the 43 state security breach notification laws (plus District of Columbia and Puerto Rico).

Arizona (ARIZ. REV. STAT. ANN. § 44-7501(h))

Arkansas (ARK. CODE ANN. § 4-110-101 et seq.)

California (CAL. CIV. CODE § 1798.82)

Colorado (COLO. REV. STAT. § 6-1-716)

Connecticut (CONN. GEN. STAT. § 36a-701b)

Delaware (DEL. CODE ANN. tit. 6, § 12B-101)

District of Columbia (District of Columbia B16-810, D.C. Code § 28-3851)

Florida (FLA. STAT. § 817.5681)

Georgia (GA. CODE ANN. § 10-1-911)

Hawaii (Hawaii Revised Stat. §§ 487N-1 et seq.)

Idaho (IDAHO CODE ANN. § 28-51-104 et seq.)

Illinois (815 ILL. COMP. STAT. ANN. 530/5, /10)

Indiana (IND. CODE § 24-4.9)

Iowa (SF 2308)

Kansas (KAN. STAT. ANN. §§ 50-7a01-02)

Louisiana (LA. REV. STAT. ANN. § 51:3071 et seq.)

Maine (ME. REV. STAT. ANN. tit. 10, §1346 et seq.)

Maryland (H.B. 208 and S.B. 194)

Massachusetts (Massachusetts General Laws Ann. 93H §§ 1 et seq.)

Michigan (Michigan Compiled Laws Ann. 445.72)

Minnesota (MINN. STAT. § 325E.61)

Montana (MONT. CODE ANN. § 30-14-1704)

Nebraska (NEB. REV. STAT. § 87-801 et seq.)

Nevada (NEV. REV. STAT. 603A.010 et seq.)

New Hampshire (N.H. REV. STAT. ANN. § 359-C:19 et seq.)

New Jersey (N.J. STAT. ANN. § 56:8-163)

New York (N.Y. GEN. BUS. LAW § 899-aa)

North Carolina (N.C. GEN. STAT. § 75-60 et seq.)

North Dakota (N.D. CENT. CODE § 51-30-01 et seq.)

Ohio (OHIO REV. CODE ANN. § 1349.19)

Oklahoma (Okla. Stat. § 74-3113.1)

Oregon (S.B. 583)

Pennsylvania (73 PA. CONS. STAT. ANN. § 2303)

Puerto Rico (Law 111 and Regulation 7207)

Rhode Island (R.I. GEN. LAWS § 11-49.2-3)

South Carolina (S.B. 453)

Tennessee (TENN. CODE ANN. § 47-18-21)

Texas (TEX. BUS. & COMM. CODE ANN. § 48.001 et seq.)

Utah (UTAH CODE ANN. § 13-44-101 et seq.)

Vermont (VT. STAT. ANN. tit. 9, § 2430 et seq.)

Virginia (S.B. 307)

Washington (WASH. REV. CODE § 19.255.010)

West Virginia (S.B. 340)

Wisconsin (WIS. STAT. § 895.507)

Wyoming (W.S. 40-12-501 through 40-12-509)

More Breach Notification Laws -- 42 States and Counting

Virginia, West Virginia, and South Carolina are the latest states to pass data breach notification laws, bringing to 42 the total number of states with such laws on the books (including the one state with a law that applies only to public entities, Oklahoma).  Listed below are the 41 states with laws that apply to private entities (plus the District of Columbia and Puerto Rico).

Arizona (ARIZ. REV. STAT. ANN. § 44-7501(h))

Arkansas (ARK. CODE ANN. § 4-110-101 et seq.)

California (CAL. CIV. CODE § 1798.82)

Colorado (COLO. REV. STAT. § 6-1-716)

Connecticut (CONN. GEN. STAT. § 36a-701b)

Delaware (DEL. CODE ANN. tit. 6, § 12B-101)

District of Columbia (District of Columbia B16-810, D.C. Code § 28-3851)

Florida (FLA. STAT. § 817.5681)

Georgia (GA. CODE ANN. § 10-1-911)

Hawaii (Hawaii Revised Stat. §§ 487N-1 et seq.)

Idaho (IDAHO CODE ANN. § 28-51-104 et seq.)

Illinois (815 ILL. COMP. STAT. ANN. 530/5, /10)

Indiana (IND. CODE § 24-4.9)

Kansas (KAN. STAT. ANN. §§ 50-7a01-02)

Louisiana (LA. REV. STAT. ANN. § 51:3071 et seq.)

Maine (ME. REV. STAT. ANN. tit. 10, §210-B-1346 et seq.)

Maryland (H.B. 208 and S.B. 194)

Massachusetts (Massachusetts General Laws Ann. 93H §§ 1 et seq.)

Michigan (Michigan Compiled Laws Ann. 445.72)

Minnesota (MINN. STAT. § 325E.61)

Montana (MONT. CODE ANN. § 30-14-1704)

Nebraska (NEB. REV. STAT. § 87-801 et seq.)

Nevada (NEV. REV. STAT. 603A.010 et seq.)

New Hampshire (N.H. REV. STAT. ANN. § 359-C:19 et seq.)

New Jersey (N.J. STAT. ANN. § 56:8-163)

New York (N.Y. GEN. BUS. LAW § 899-aa)

North Carolina (N.C. GEN. STAT. § 75-60 et seq.)

North Dakota (N.D. CENT. CODE § 51-30-01 et seq.)

Ohio (OHIO REV. CODE ANN. § 1349.19)

Oregon (S.B. 583)

Pennsylvania (73 PA. CONS. STAT. ANN. § 2303)

Puerto Rico (Law 111 and Regulation 7207)

Rhode Island (R.I. GEN. LAWS § 11-49.2-3)

South Carolina (S.B. 453)

Tennessee (TENN. CODE ANN. § 47-18-21)

Texas (TEX. BUS. & COMM. CODE ANN. § 48.001 et seq.)

Utah (UTAH CODE ANN. § 13-44-101 et seq.)

Vermont (VT. STAT. ANN. tit. 9, § 2430 et seq.)

Virginia (S.B. 307)

Washington (WASH. REV. CODE § 19.255.010)

West Virginia (S.B. 340)

Wisconsin (WIS. STAT. § 895.507)

Wyoming (W.S. 40-12-501 through 40-12-509)

In Response To TJX Data Breach, One State Enacts Legislation Imposing New Security and Liability Obligations; Similar Bills Pending in Five Other States

Lawmakers in six states have responded quickly to the massive data breach at TJX Companies, Inc. with various bills designed to strengthen merchant security and/or render companies liable for third party companies’ costs arising from data breaches. These latest bills – introduced in California, Connecticut, Illinois, Massachusetts, Minnesota and Texas – represent a new front of state legislative activity to regulate privacy and data security and expand requirements beyond the current data breach notification and data security laws that many states have enacted in recent years. To date, Minnesota is the only state to enact such legislation, which was signed into law by its Governor on May 21, 2007.

Minnesota’s New Law

The Minnesota law, H.F. 1758, amends Minnesota’s data breach notification law and contains security and liability components. The security requirements take effect August 1, 2007 and apply to any “person or entity conducting business in Minnesota” that accepts credit cards, debit cards, stored value cards or similar cards “issued by a financial institution.” Such companies are prohibited from retaining the following card data after authorization of a transaction:

  • “the full contents of a track of magnetic stripe data” (which encompasses the “card verification value” or CVV – a unique authentication code embedded on the magnetic stripe);
  • the three to four digit security code on the back of the card by the signature block (also known as CVV2); and
  • any PIN verification code number. If a debit card with PIN is used, a company is prohibited from retaining the data more than 48 hours after authorization of the transaction.

The liability provision of H.F. 1758 applies to data breaches occurring after August 1, 2008. It requires companies to reimburse card-issuing financial institutions for the “costs of reasonable actions” taken both to protect their cardholders’ information and to continue to provide services to their cardholders after a breach. The reimbursement would cover costs related to providing cardholders with notification of the breach, cancellation and reissuance of cards, closing or reopening of accounts and stop payments, and cardholder refunds for unauthorized transactions charged to their accounts. A financial institution may also bring an action to recover the costs of damages it pays to cardholders resulting from a breach.

The Five Pending Bills

The April 27, 2007 blog entry posted here discussed in detail California’s A.B. 779 as introduced. Since that posting, A.B. 779 has been amended in various California Assembly Committees and now resides with the Appropriations Committee. The amendments extended the scope of the bill beyond just retailers to all persons or businesses conducting business in California that own or license computerized data containing personal information. The 90-day record destruction requirement in the original bill has been deleted, but the amended bill now has a host of other restrictions on storing payment card data. Among its requirements, the bill requires:

  • that account numbers retained by businesses be “indecipherable” to unauthorized persons;
  • that payment related data sent across a network be encrypted; and
  • that companies have role-based restrictions for employee access to such data.
  The bill also adds a provision that is broader than Minnesota’s financial institution reimbursement provision, requiring vendors that maintain, but do not own or license, breached personal information to reimburse data owners and licensees for the “reasonable and actual costs” of providing data breach notification.

In the Texas legislature, the House passed H.B. 3222, which would require companies that accept, process or maintain credit card, debit card and other financial institution-issued cards to follow the Payment Card Industry Data Security Standard (“PCI DSS”). The PCI DSS is an extensive set of industry security standards designed to prevent identity theft that the major credit card issuers impose on merchants that store, process or transmit cardholder data. While H.B. 3222 excludes financial institutions from the security standards, it empowers them, subject to certain conditions, with a right of action for actual damages against other companies they believe have violated the provision.

The other pending bills, Connecticut S.B. 1089, Illinois S.B. 1675 and Massachusetts H. 213 all contain provisions similar to Minnesota’s liability provision making companies liable to banks or financial institutions that incur costs arising from a breach. It should be noted that the liability provisions of Massachusetts’ H. 213 were not included in omnibus versions of data breach notification, credit freeze and data security and disposal bills that have recently passed the Massachusetts House and Senate, and which await action by conference committee to resolve differences between the two versions.