Wednesday, July 25, 2007

FACTA Privacy Class Action Lawsuit Developments – Bad News and Good News for Merchants

This month’s post follows up on some developments in the FACTA credit card receipt class action suits that InfoSecCompliance explored in April 2007 newsletter (What You Don’t Know Just Might Hurt You. – April 2007). In bad news for merchants defending these FACTA suits, the U.S. Supreme Court (“USSC”) upheld a broad interpretation of “willful violation” of FACTA. However, in good news for merchants, citing potential bankruptcy-inducing damages ranging from $340 million to $3.4 billion, a U.S. District Court in California refused to certify a 3.4 million person class alleging FACTA violations.

FACTA Summary

As discussed in April, a rash of over 100 class action lawsuits have been filed alleging violation of the Fair and Accurate Transaction Act of 2003 (“FACTA”), which limits the information that can be shown on an electronically-printed credit card receipt to the last five digits of the credit card number, and specifically prohibits printing a credit card’s expiration date on the receipt. A single willful violation of FACTA could result in damages ranging from $100 to $1,000 (FACTA is incorporated into and part of the Fair Credit Reporting Act [“FCRA”]), without the plaintiff having to establish that he or she suffered actual harm. Class plaintiffs are alleging hundreds of millions of dollars in statutory damages against such household names as Urban Outfitters, IKEA, Cost Plus and Toys-R-Us.

Perhaps the key issue to date for these cases is the meaning of “willful violation.” In two separate FRCA cases in a different context (Geico v. Edo and Safeco Ins. v. Burr), the U.S. Court of Appeals for the Ninth Circuit ruled as follows:

In sum, if a company knowingly and intentionally performs an act that violates FCRA, either knowing that the action violates the rights of consumers or in reckless disregard of those rights, the company will be liable under 15 U.S.C. § 1681n for willfully violating consumers’ rights.

Both of these Ninth Circuit cases were appealed to the USSC, which was asked to rule on whether the Ninth Circuit’s interpretation of “willful violation” was valid. The general consensus among commentators was that the Ninth Circuit’s interpretation would make it less difficult to collect statutory damages for FACTA credit card receipt violations, and that a narrow interpretation had the potential to cripple these FACTA class action suits for plaintiffs.

U.S. Supreme Court’s Ruling on “Willful Violations” Under FACTA

In Geico and Safeco, the class plaintiffs alleged that the insurance company defendants violated the FCRA by failing to provide notice of insurance policy changes based on the plaintiffs’ credit scores. The plaintiffs argued that “willful violation” included not only “knowing” violations of FCRA, but also reckless disregard of FCRA statutory duties. Turning to precedent interpreting similar language in other statutes and under common law, the USSC ruled against the insurance companies and concluded that the Ninth Circuit’s ruling was correct: one can “willfully violate” FRCA by knowingly violating the statute or acting in reckless disregard of the FCRA obligations.

In short, the USSC adopted a more lenient standard of proof for plaintiffs to establish FCRA obligations. Plaintiffs will still face obstacles in proving recklessness disregard. However, a merchant’s claim that it did not know of the FACTA requirements may not serve as a complete bar; plaintiffs will likely be able to present evidence concerning the merchant’s efforts to discover its FACTA obligations and whether or not the merchant should have known about the FACTA credit card requirements.

FACTA Class Action Certification Denied

In good news for merchants, in May 2007 the U.S. District Court for the Central District of California rejected a motion to certify a class action in Spikings v. Cost Plus, Inc. The Court focused on whether a class action would be superior to other methods of adjudication as required under Rule 23(b)(3) of the Federal Rules of Civil Procedure. The Court cited other cases ruling that Rule 23(b)(3)’s “superiority requirement” was not met where the defendant’s liability “would be enormous and completely out of proportion to any harm suffered by the plaintiff.” It also listed other cases that generally denied class certification, including an FCRA case, where the damages would be “absurd” relative to harm suffered.

In this case, the Court noted that if the class was certified the potential statutory penalties ranged from $340 million to $3.4 billion (based on a penalty ranging from $100 to $1000 per violation for 3.4 million class defendants), despite the fact that the lead plaintiff testified that it did not suffer any actual damages. The court noted that the entire Cost Plus organization was worth approximately $316 million and that a judgment on a class action in this case for even the minimum fine would bankrupt it. The Court further noted that Cost Plus began truncating its credit card receipts as soon as it became aware of the technical violation of FACTA, and that it was possible for the class plaintiffs to file individual suits to recover damages. Finally, the court noted that certifying the class opened the potential for abuse by plaintiffs’ attorneys in the form solicitation of unnecessary litigation. Based on the foregoing, the Court denied the plaintiffs’ motion for class certification.


While the USSC’s decision concerning “willful violation” of FACTA may be disappointing for merchants under suit, if the Spikings decision survives appeal the “teeth” associated with these lawsuits may have been extracted. The same logic that applied in the Cost Plus matter could apply to other retailers that face insolvency if they lose a class action suit. Its hard to imagine courts desiring to put some of the top U.S. retail brands out of business when no actual harm has been shown to have occurred. Paradoxically the reason that these suits are being filed in the first place (the large number of plaintiffs and the potential for a large pay-off for plaintiffs’ attorneys through class action) is the same reason they may ultimately be unsuccessful. If plaintiffs’ lawyers cannot proceed using the class action mechanism it will not likely be cost effective to pursue individual cases.

Nonetheless, it is premature to come to any firm conclusions on the reasoning set forth in the Spikings decision since it will likely be appealed and there also may be other district courts across the country that could rule differently. If Spikings is overruled, the USSC’s decision may provide plaintiffs’ counsel with significant arguments and settlement leverage. At the bare minimum, until some of these issues are resolved by higher courts, merchant-defendants will have to incur significant legal fees to fight these matters. InfoSecCompliance will keep you updated concerning any other material developments in this matter.