State Law Claims in an Identity Exposure Case Preempted by Federal Fair Credit Reporting Act

On July 7, 2009, the U.S. District Court for the Southern District of New York ruled that the Federal Fair Credit Reporting Act (“FCRA”) preempted an identity exposure plaintiff’s state law claims for, among other things, negligence, breach of contract, and violation of the New York Deceptive Trade Practices Act (“DTPA”).

In Willey v. J.P. Morgan Chase, N.A., No. 09 Civ. 1397 (CM), 2009 WL 1938987 (S.D.N.Y. July 7, 2009), the plaintiff sued J.P. Morgan Chase, N.A. (“Chase”) after Chase issued a press release announcing that the personal information of approximately 2.6 million current and former holders of a Chase-Circuit City credit card had been mistakenly identified as trash and thrown out. The plaintiff brought eight causes of action against Chase on behalf of himself and all persons whose personal information was thrown out. These causes of action included both willful and negligent violations of the FCRA, negligence and negligence per se, breach of implied contract, breach of contract, violation of the DTPA and breach of bailment. Chase filed a motion to dismiss under Fed. R. Civ. P. 12(b)(6) for failure to state a claim.

With respect to the plaintiff’s FCRA claims, the Court held that the plaintiff’s complaint fell well short under pleading standards articulated in Bell Atlantic Corp. v. Twombly, 550 U.S. 544 (2007), and Ashcroft v. Iqbal, 129 S. Ct. 1937 (2009), because the plaintiff failed to “make factual allegations with enough specificity to plausibly allege that Chase violated OCC regulations.” Accordingly, the Court dismissed these claims as formulaic recitations of the elements of the plaintiff’s cause of action. The Court also noted that even if the plaintiff could amend his complaint to satisfactorily plead these causes of action, they would be barred by the FCRA’s statute of limitations.

With respect to the plaintiff’s state law claims, the Court found that the FCRA preempts the claims. Specifically, the Court noted that Chase was regulated by the Office of the Comptroller of the Currency (“OCC”) and that the OCC’s Interagency Guidelines Establishing Information Security Standards, promulgated pursuant to FCRA, touch on precisely the conduct about which the plaintiff was complaining. The Court stated that “Willey’s . . . claims boil down to a rephrasing of the allegation that Chase failed to follow the OCC Guidelines in violation of the FCRA.” As such, the Court ruled that the FCRA preempted all of the plaintiff's state law claims. In addition, relying on Pisciotta v. Old National Bancorp (see our blog post here), Shafran v. Harley Davidson and Caudle v. Towers, Perrin, Forster & Crosby, Inc., the Court found that the plaintiff failed to show any actual damages sufficient to support his claims. Consequently, the Court granted Chase’s motion to dismiss in its entirety.

Third Time's a Charm for "Data Accountability and Trust"? Federal Breach Notification Bill Introduced in the House. Again. This Time With Data Security Provisions.

On April 30, 2009, Representative Bobby Rush (D-Ill) introduced H.R. 2221, the Data Accountability and Trust Act. The bill is nearly identical to H.R. 958, introduced by Rep. Rush in the 110th Congress, and is similar to the Data Accountability and Trust Act, introduced by Rep. Stearns (R-FL) in the 109th Congress. Of course, the newest “Data Accountability and Trust Act” is only the most recent of dozens of bills proposed over the last several years that would implement uniform federal breach notification requirements and preempt the 44 state laws requiring notification. Rep. Rush’s latest bill also includes data security provisions and would preempt the growing number of state laws imposing such requirements.

H.R. 2221 provides for notification following discovery of a breach of security of a system maintained by any person engaged in interstate commerce that owns or possesses data in electronic form containing personal information. The bill would require notification to each individual whose personal information was acquired by an unauthorized person as a result of such a breach of security, and to the Federal Trade Commission. The bill includes special notification requirements for third party agents, telecommunications carriers, cable operators, information services, and interactive services, and for a breach involving health information.

Personal information, as defined in the bill, is an individual’s first name or initial and last name, or address, or phone number, in combination with any one or more of the following: the individual’s social security number, driver’s license number or other State identification number, or a financial account number or credit card number and any security or access code needed to access the account. Breach notification would be exempted, however, where the person that owns or possesses the data determines that there is “no reasonable risk of identity theft, fraud or unlawful conduct” from the unauthorized data access. Breaches of encrypted data would presumptively be exempt.

Importantly, the bill expressly preempts state laws regarding data breach notification. Preemption of state laws, such as those in California that contain different “trigger” language governing when notification is required, was one reason the bill struggled when initially introduced in 2005.

Where notification is required, the bill specifies methods for and required content of notification. Written, or in some circumstances, email, notification is required; the notice must include a description of the information acquired, notice of the right to receive free consumer credit reports, and certain relevant telephone contact numbers. Substitute notification, allowing notification to be posted on the entity’s website and in print and broadcast media, is allowed for those persons owning or possessing the data of fewer than 1,000 individuals.

Other provisions in the bill call for regulations to be promulgated governing the establishment of policies and procedures regarding practices to protect data containing personal information by those who own or possess such information. State laws regarding information security practices on the treatment of such data also would again be subject to preemption. Additionally, the bill contains specific provisions covering information brokers – requiring that brokers supply their security policies to the FTC either in conjunction with a breach notification or upon the Commission’s request. Under the proposed Act, information brokers would be required to allow each individual whose personal information they maintain to review his or her own data for accuracy.

Rep. Boucher (D-Va), who is planning to introduce a bill addressing how information collected online is stored and used, and Rep. Rush are planning to hold a hearing this summer to discuss how their bills “intersect.”

Stay tuned.

California's Financial Information Privacy Act Affiliate Sharing Provisions Narrowly Survive Complete Preemption

On September 4, 2008, in American Bankers Association v. Lockyer, No. 05-17163, 2008 WL 4070308 (9th Cir. Sept. 4, 2008), the Ninth Circuit Court of Appeals revived part of the California Financial Information Privacy Act (“S.B. 1”), allowing consumers to opt-out of certain information-sharing activities between financial institutions and their affiliates. Previously, in the 2005 case American Bankers Ass'n. v. Gould, 412 F.3d 1081 (9th Cir. 2005), the Ninth Circuit ruled that the state statute was preempted by provisions of the Fair Credit Reporting Act (“FCRA”) regarding affiliate sharing of “consumer report” information.  The recent 2-1 decision preserves consumers’ rights under California law to restrict affiliate data-sharing related to non-consumer report information.

S.B. 1 sets forth a broad restriction on the sharing of consumer information with affiliates, stating that “[a] financial institution shall not disclose to, or share a consumer’s nonpublic personal information with, an affiliate unless the financial institution has clearly and conspicuously notified the consumer annually in writing . . . that the nonpublic personal information may be disclosed to an affiliate of the financial institution and the consumer has not directed that the nonpublic personal information not be disclosed.” 

FCRA similarly restricts such affiliate sharing; however, FCRA only applies to “consumer report” information. As defined by FCRA, consumer report information is information used to determine a consumer’s eligibility for credit, insurance or employment.  In particular, consumer report information may include any information “bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living which is used or expected to be used or collected in whole or in part” for purposes of determining eligibility for credit, insurance or employment. Section 625(b)(2) of FCRA preempts states from regulating the exchange of information among affiliates.   

Accordingly, in Gould, the Ninth Circuit held that FCRA preempted S.B. 1 insofar as both laws regulated the sharing of consumer report information with affiliates. The Ninth Circuit remanded the case to determine whether S.B. 1’s restrictions on affiliate-sharing with respect to non-consumer report information were severable, and thus, could survive preemption. On remand, a federal district court held that since the court lacked the power to sever the preempted applications of S.B. 1, the statute’s affiliate-sharing restrictions were preempted entirely.  

The Ninth Circuit reversed the district court’s ruling. In Lockyer, the Ninth Circuit looked to whether California law permits the court to narrow S.B. 1’s application to avoid complete preemption. The court determined that if the Legislature’s intent “clearly would be furthered by application of the revised version rather than by the alternative of invalidation,” then the court “must revise the statute.”  From the language of the statute, the Ninth Circuit found that the California Legislature “would have preferred a narrowed version of [S.B. 1] to no version at all.” Moreover, S.B. 1 contained a severability clause in its enactment of the law – further proof that reforming S.B. 1 to sever its preempted applications would best effectuate the Legislature’s intent.  Thus, because S.B. 1 has non-preempted applications, FCRA does not preempt those provisions of S.B. 1 that do not relate to consumer report information. 

As a result, certain banks and financial institutions should be mindful that, in addition to the affiliate-sharing restrictions contained in FCRA, California law may require them to provide customers an opportunity to opt-out of data-sharing arrangements with affiliates involving non-consumer report information.

CAN-SPAM Preempts California Anti-Spam Laws

In a recent decision, the Northern District of California held that e-mail harvesting without permission may give rise to a cause of action under the California Penal Code and based on common law misappropriation. More striking, however, was the court’s ruling that the federal CAN-SPAM Act, 15 U.S.C. § 7701 et seq., preempts two California anti-spam statutes. Facebook, Inc. v. ConnectU LLC, --- F.Supp.2d ---, 2007 WL 1514783 (N.D. Cal. 2007).

In the litigation, Plaintiff Facebook, Inc. contends that Defendant ConnectU, Inc. violated several federal and state statutes and engaged in common law misappropriation when it collected e-mail addresses of Facebook’s registered users and then sent them commercial e-mail, encouraging them to switch to ConnectU. Among its claims, Facebook argues that ConnectU violated California Penal Code § 502(c), California Business and Professions Code §§ 17529.4 and 17538.45, and CAN-SPAM, 15 U.S.C. § 7701 et seq. ConnectU moved to dismiss several of these claims, pursuant to Federal Rule of Civil Procedure 12(b)(6).

The trial court denied ConnectU’s motion to dismiss the claim under California Penal Code §502(c), holding that Facebook sufficiently alleged ConnectU "knowingly" accessed Facebook’s website and took, copied, or made use of data it found thereon "without permission."

The court also denied ConnectU’s motion to dismiss Facebook’s misappropriation claim. Rejecting ConnectU’s argument that the federal Copyright Act preempts the common law claim, the court held that the e-mail addresses at issue are not works of authorship, nor are they elements of some larger work of authorship, so they do not fall within the scope of the Copyright Act.

However, the court granted ConnectU’s motion to dismiss the claims under California Business and Professions Code §§ 17529.4 and 17538.45, holding that these California statutes are in fact preempted by the CAN-SPAM Act, 15 U.S.C. § 7701 et seq. That legislation provides as follows:

This chapter supersedes any statute, regulation, or rule of a State or political subdivision of a State that expressly regulates the use of electronic mail to send commercial messages, except to the extent that any such statute, regulation, or rule prohibits falsity or deception in any portion of a commercial electronic mail message or information attached thereto.

The court rejected Facebook’s argument that the California statutes fall outside the scope of preemption because they focus on the collection of email addresses, stating that both provisions still plainly regulate the "use of electronic mail to send commercial messages" within the preemptive effect of the CAN-SPAM Act. The court also held that "neither [statute]… purport[s] to regulate false or deceptive email, or require such falsity or deception as an element of the statutory violation."