Monday, June 9, 2008

FACTA Development: The “Credit and Debit Card Receipt Clarification Act of 2007” Signed into Law.

The FACTA class action litigation saga has taken a new twist. Congress has passed and the President has signed the Credit and Debit Card Receipt Clarification Act of 2007 (the “Act”) into law. The Act will likely provide a large set of FACTA class action defendants with the ability to escape expensive litigation and liability.

As previously reported, plaintiffs have filed FACTA class action lawsuits based not on the printing of the payment card number on an electronically printed receipt, but simply based on the printing of the expiration date on a receipt (see for example the StubHub case referenced in this post). In fact, the relevant FACTA section establishes an “either/or” scenario:

Except as otherwise provided in this subsection, no person that accepts credit cards or debit cards for the transaction of business shall print more than the last 5 digits of the card number or the expiration date upon any receipt provided to the cardholder at the point of the sale or transaction.

15 U.S.C. 1681c(g) (emphasis supplied). If a plaintiff is able to establish a willful violation of FACTA, a court could award statutory damages ranging from $100 to $1,000 without the plaintiff having to establish that he or she suffered actual harm.

Unfortunately, dozens of companies that had made the effort to truncate the payment card numbers nonetheless were sued in FACTA class actions alleging a failure to remove the expiration date from payment card receipts (see, e.g., Troy v. Home Run Inn, No. 07CV4331 (N.D. Ill 2008); Cicilline v. Jewell Food Stores, No. 07CV2333 (N.D. Ill 2007)).

Congress passed the Act in light of these “expiration date only” FACTA lawsuits. The relevant part of the Act states:

(d) Clarification of Willful Noncompliance- For the purposes of this section, any person who printed an expiration date on any receipt provided to a consumer cardholder at a point of sale or transaction between December 4, 2004, and the date of the enactment of this subsection but otherwise complied with the requirements of section 605(g) for such receipt shall not be in willful noncompliance with section 605(g) by reason of printing such expiration date on the receipt.

(emphasis supplied). In essence, this language appears to block plaintiffs from going after statutory damages under FACTA. Since those statutory damages are the only reason these cases are attractive to plaintiffs' attorneys, it is likely that class actions on this basis will not be pursued.

Significantly, the Act applies retroactively: it would apply to FACTA lawsuits already filed on the basis of printing the expiration date on the receipt.

This is obviously good news for defendants. However, the way Congress went about this raises some questions. Rather than “clarifying” the law by stating that printing just the expiration date is not a violation of FACTA, Congress left the door open for plaintiffs that suffer “actual harm” based on the “non-willful” printing of the expiration date. Admittedly, few if any plaintiffs will be able to establish actual harm in this context. However, there is a certain logic gap at play here.

Congress has said unequivocally, regardless of the actual facts of the case, that printing the expiration date shall not be “willful noncompliance.” What if, in an (extreme) hypothetical, a defendant wrote an email stating:

I, President of ABC company, understand that FACTA prohibits the printing of a credit card expiration date on the receipt, but for financial reasons I intend to not follow that legal requirement.

Based on the Act, there would still be no willful violation even though under this hypo there was one in layman’s terms. Of course, in “real life” this email likely does not exist, but there could be lesser evidence establishing “willfulness” that could be in play. In short, Congress took an awkward, somewhat Alice-in-Wonderland approach to rectify the situation, and hopefully it does not give plaintiffs a hook to keep these cases in court (clearly more research would be needed as to how legislative intent is factored in these scenarios). Regardless, at the minimum, this gives the FACTA defendants great litigation leverage on this issue.

Another “Victory” on the Issue of “Damages” in a Security Breach Negligence Case

As has been reported on this blog previously (here and here), many courts that have considered the issue of damages in a security breach scenario involving personal information have concluded that taking pre-emptive actions (such as purchasing credit monitoring services) does not amount to “damages” for purposes of a negligence claim. Some chinks, however, have begun to develop in the “damages” armor used by defendants in security breach negligence cases. A recent decision sets forth another possible theory of liability to get a plaintiff at least beyond a motion to dismiss.

In Ruiz v. Gap, 07-5739 (N.D. Cal. 2008), a class of plaintiffs sued the Gap alleging that their unencrypted personal information resided on one of two laptops stolen from one of the Gap’s vendors (the personal information of approximately 800,000 Gap job applicants was stored on the laptops). The Gap offered the plaintiffs 12 months of credit monitoring services and fraud assistance without charge, as well as access to $50,000 worth of identity theft insurance.

The Ruiz court analyzed the plaintiffs’ complaint to determine whether the plaintiffs properly alleged an “injury in fact” for purposes of standing and the issue of damages with respect to the plaintiffs’ negligence claim. In particular, the court noted that the plaintiffs had merely alleged that they were at “an increased risk of identity theft” and did not allege that their identity had been stolen.

The court noted that the plaintiffs’ allegations seemed “conjectural or hypothetical, rather than actual or imminent,” and that there was nothing else to allow the court to determine that the risk was actual, imminent or credible. Nonetheless, the court presumed that the general allegations embraced the specific facts supporting them and denied the motion to dismiss. The court did, however, issue a warning to the plaintiffs indicating that if it became apparent that their allegation of injury was too speculative or hypothetical the plaintiffs’ case may be dismissed later in the proceeding. In addition, the court noted that the extent of recoverable damages was unclear even if the plaintiffs were to prevail on a negligence claim.

Unfortunately, as with other negligent security cases allowing plaintiffs to proceed past a motion to dismiss, the court did not provide a highly developed legal rationale to support its decision. In this case it appears that the court simply accepted on its face that the alleged “increased risk of identity theft” constituted an injury. It went further and allowed the negligence claim to proceed even though no specific facts were alleged supporting that the plaintiffs were at increased risk. For the time being at least, it appears to be another small chip off the damages security breach defense rationale.