Bellwether or Bust? Washington Governor Signs Payment Card Data Breach Liability Provisions Into Law

On March 22, 2010, Washington Governor Christine Gregoire signed H.B. 1149 into law, making her state the second, after Minnesota (see our post here), to hold businesses and governmental entities responsible to financial institutions for certain costs arising from payment card information breaches. As of July 1, entities that process more than 6 million credit or debit card transactions annually (referred to in PCI parlance as "level 1" merchants) and that fail to reasonably safeguard card information can be required to reimburse financial institutions for the costs of re-issuing cards, as well as attorneys' fees and costs, where those costs are the proximate result of a security breach involving payment card information. H.B. 1149 also includes a provision making vendors of card processing software and equipment liable to financial institutions for these costs to the extent such damages are proximately caused by the vendor's negligence. The amount of such damages, of course, will depend on the particular breach.

H.B. 1149’s safe harbors and exemptions, however, help to minimize the scope and potential impact of the new law. For example, the new law exempts businesses that are certified as compliant with the Payment Card Industry Data Security Standards (“PCI DSS”) at the time of a breach. Most large merchants and card processors are well-acquainted with PCI DSS requirements and have already implemented safeguards aimed at PCI DSS compliance. So the new law should not require Herculean efforts or wholesale changes to covered entities’ cardholder information security programs. However, their liability exposure for losses arising from non-compliance is increased as a result of H.B. 1149.

Entities also are not liable if the payment card information was encrypted at the time of the breach.

The bill signed by Governor Gregoire does not include provisions from earlier versions of the bill that would have, among other things, prohibited covered entities from retaining cardholder data without the express consent of customers and held such entities liable in the event of a breach involving unencrypted cardholder data about more than 5,000 individuals. Likewise, a provision that would have allowed merchants to charge an extra two cents for each payment card transaction in order to cover the cost of insurance against potential liabilities under the law did not survive in the enacted version of the legislation.

With the enactment of H.B. 1149, Washington joins Minnesota as the only states to statutorily impose liability for breach-related costs on negligent merchants, payment card processors and vendors. It also distinguishes itself from the handful of other states in which attempts to enact such laws have failed, such as California, where Governor Schwarzenegger vetoed a similar measure in 2007. Additionally, with the adoption of H.B. 1149, Washington joins Nevada in incorporating parts of the PCI DSS into state law. As we previously wrote, Nevada exempts certain entities that are PCI DSS compliant from some of the state's encryption requirements.

Another Court Affirms Narrowed Interpretation of Song-Beverly Credit Card Act

On June 26, 2008, in Absher v. Autozone, Inc. et al. (2008), the California Court of Appeal in the Second Appellate District, confirmed that California’s Song-Beverly Credit Card Act of 1971, California Civil Code § 1747.08 (hereinafter, the “Act”) does not apply to a refund for the return of merchandise purchased by credit card.

Under the Act, merchants who accept credit cards as a form of payment may not request or require as a condition to accepting payment by credit card the personal information of a cardholder, which information the merchant causes to be recorded upon a credit card transaction form or otherwise (such as a receipt, etc.). 

In the Absher case, plaintiff Dave Absher (who, when returning merchandise purchased from Autozone, was required to put his name and telephone number on a voucher in order to process the refund), claimed that Autozone’s practices violated the Act. In the trial court, Autozone moved for summary judgment arguing that the statute does not apply to return transactions. The trial court granted Autozone’s motion and the Court of Appeal affirmed the dismissal of plaintiff’s cause of action, holding that the Act’s restrictions are limited to initial purchase transactions and not return transactions. In particular, the court held that the legislative history behind the Act, as well as a policy interest in providing retailers with a reasonable means to safeguard against potential abuses in connection with the return of merchandise, weighed in favor of its interpretation that the Act does not apply where a merchant’s request for personal information is in connection with a refund for the return of merchandise purchased by credit card.

The outcome in this most recent case is not surprising given the same court's decision of May 22, 2008, in a case involving The TJX Companies, Inc., T.J. Maxx of CA, LLC, Marshalls of CA, LLC, Marshalls of MA, Inc. and Marmaxx (collectively, "TJX"), in which the California Court of Appeal also narrowed the scope of claims available under the Act by ruling that the statute does not apply to merchandise returns.

Kathryn Conroy, a Summer Associate in Proskauer's Los Angeles office, contributed to this post.

No Shopping Spree for Plaintiffs Under California's Song-Beverly Credit Card Act

On May 22, 2008, the California Court of Appeal narrowed the scope of claims available under California’s Song-Beverly Credit Card Act of 1971, California Civil Code § 1747.08, ruling that the statute is subject to the one-year statute of limitations of Code of Civil Procedure section 340 and does not apply to merchandise returns.

California Civil Code § 1747.08 prohibits a retailer that accepts credit cards from, among other things, requesting, or requiring as a condition to accepting the credit card as payment in full or in part for goods or services, the cardholder to provide personal identification information, which the retailer writes, causes to be written, or otherwise records upon the credit card transaction form or otherwise. Subdivision (e) of the statute provides that "[a]ny person who violates this section shall be subject to a civil penalty not to exceed two hundred fifty dollars ($250) for the first violation and one thousand dollars ($1,000) for each subsequent violation, to be assessed and collected in a civil action brought by the person paying with a credit card, by the Attorney General, or by the district attorney or city attorney of the county or city in which the violation occurred."

The TJX Companies, Inc., T.J. Maxx of CA, LLC, Marshalls of CA, LLC, Marshalls of MA, Inc., and Marmaxx (collectively, TJX) sought a writ of mandate compelling the trial court to grant their motion to strike portions of the complaint that defined the class as users of credit cards "within the last three . . . years." The court found that the penalty imposed in subdivision (e) of the statute, using the language "shall be subject to" is mandatory and therefore is "[a]n action upon a statute for a penalty" subject to the one-year statute of limitation of California Code of Civil Procedure section 340.

The court also held that the plain language of section 1747.08 does not apply to returned merchandise and directed the trial court to vacate its order overruling TJX's demurrer to the complaint. Among other things, the court noted that "there are substantial opportunities for fraud" in connection with merchandise returns and "it behooves the merchant to identify the person who returns merchandise, which subsequent examination may disclose to have been used, damaged, or even stolen."