Section 315 of FACTA requires institutions that utilize consumer reports (“users”) to develop and follow certain procedures when notified of an address discrepancy  by a national CRA (Equifax, Experian and TransUnion). Under FACTA, national CRAs are required to issue a “notice of address discrepancy” when an address provided by a user requesting a consumer report “substantially differs” from the address the CRA has on file for that consumer. The Address Discrepancy Rule then requires users of consumer reports to develop and implement written policies and procedures to respond to receipt of a discrepancy notice. There are two components to the policies required by the Rule: the first relates to the user’s evaluation of the address discrepancy; the second relates to the user’s potential obligation to report the consumer’s address to the CRA.

The Fair and Accurate Credit Transactions Act (“FACTA”) amendments to the Fair Credit Reporting Act prohibit, among other things, the printing of expiration dates on receipts presented to credit or debit card holders.  Two recent cases from the U.S. District Court for the Southern District of Florida, Smith v. Zazzle.com

On December 8, 2008, in Smith v. Zazzle.com Inc., No. 08-22371-CIV-KING, 2008 U.S. Dist. LEXIS 101050 (S.D. Fla. Dec. 9, 2008) Judge James Lawrence King of the Southern District of Florida held FACTA’s credit card number truncation requirement inapplicable to receipts displayed on-screen or printed by online customers.  Judge King dismissed the case on this basis.  The order contradicts one last year in the same district, Grabein v. 1-800 Flowers Inc., No. 0722235 (S.D. Fla. Jan. 29, 2008) (reported here), but is consistent with three other Southern District of Florida cases: Grabein v. Jupiterimages Corp., No. 07-22288 (S.D. Fla. July 7, 2008), Haslam v. Federated Dep’t Stores Inc., No. 07-61871 (S.D. Fla. May 16, 2008) and Edwin King v. Movietickets.com, No. 07-22119 (S.D. Fla. Feb. 13, 2008).

On December 19, 2008, in Party City Corp. v. The Superior Court of San Diego County, the California Court of Appeal in the Fourth Appellate District held that zip codes are not “personal identification information” under California’s Song-Beverly Credit Card Act of 1971, California Civil Code Sec. 1747.08 (the “Act.”). The Act prohibits a retailer that accepts credit cards from, among other things, “request[ing], or require[ing] as a condition to accepting the credit card as payment in full or in part for goods or services, the cardholder to provide personal identification information, which the [retailer] writes, causes to be written, or otherwise records upon the credit card transaction form or otherwise.” Id. at § 1748.08(a)(2). Under the Act, “personal identification information” is “information concerning the cardholder, other than information set forth on the credit card, and including, but not limited to, the cardholder’s address and telephone number.” Id. at § 1747.08(b). Subdivision (e) of the statute provides that “[a]ny person who violates this section shall be subject to a civil penalty not to exceed two hundred fifty dollars ($250) for the first violation and one thousand dollars ($1,000) for each subsequent violation, to be assessed and collected in a civil action brought by the person paying with a credit card, by the Attorney General, or by the district attorney or city attorney of the county or city in which the violation occurred.”

New amendments to the Fair and Accurate Transactions Act (“FACTA”) (itself an amendment to the Fair Credit Reporting Act (“FCRA”)) bar consumers from alleging willful violation and seeking statutory damages based on the printing of credit card expiration dates on receipts where the account number is otherwise properly truncated in accordance with FACTA. This development means the end is near for scores of class action lawsuits filed last year.

On Saturday, California Governor Arnold Schwarzenegger vetoed AB 779, legislation that would have amended California’s landmark data security breach legislation. The bill would have been the first to follow law enacted by Minnesota earlier this year and effective August 1, 2007, that amended Minnesota’s security breach notification law by, among other things, prohibiting businesses from retaining certain payment card data after authorization of a transaction.