Thursday, January 8, 2009

This Blog Has Moved.

Hi all, I have transitioned this blog to a new URL. You can find the new blog at: www.infoseccompliance.com. I will no longer be posting here, so please update your bookmarks.

Thanks,

Dave

Tuesday, September 30, 2008

The New Path to PCI Liability: 3rd Party Beneficiary Theory

An easy-to-read PDF version of this article can be found here: LINK.

Merchants face a potentially huge liability if they suffer a security breach exposing payment card data. Issuing banks (those banks that issue credit cards to consumers) have filed lawsuits to recover reissuance costs allegedly ranging from $20-$50 per card (multiplied by thousands or millions of cards depending on the magnitude of the breach). A recent decision from the U.S. Court of Appeals for the Third Circuit (“3rd Circuit” or “Appellate Court”) appears to have expanded the potential liability merchants face for payment card security breaches. In Sovereign Bank v. B.J. Wholesale Club & Fifth Third Bank, No. 06-3392/3405 (3rd Circuit, July 13, 2008) (hereinafter the “BJW Decision”), while the Appellate Court affirmed the lower court’s dismissal of most of the claims against B.J. Wholesale Club, it reversed the lower court’s dismissal of Sovereign Bank’s breach of contract action that was based on a third party beneficiary theory. This article explores how the Appellate Court reached its decision, how the decision could increase the legal risk faced by merchants that suffer security breaches, and potential actions merchants can take to better understand and mitigate their legal risk.

Background

The BJW Decision arose out of a payment card security breach suffered by B.J. Wholesale Club (“BJW”) that was first reported in March 2004. Criminals were able to steal (and commit crimes using) the magnetic stripe information from payment cards stored by BJW. In reaction to this security breach, Sovereign Bank and the Pennsylvania State Employees’ Credit Union (hereinafter “Issuing Banks”) incurred costs to reissue the payment cards that were the subject of the BJW breach. Litigation ensued in 2005 when the Issuing Banks separately sued BJW and BJW’s merchant bank (Fifth Third Bank) to recover their reissuance costs. The federal lawsuits were eventually consolidated in the U.S. District Court for the Middle District of Pennsylvania (the “Lower Court”) and alleged the following causes of action: (i) negligence; (ii) breach of contract (Third Party Beneficiary Theory); (iii) equitable indemnification; (iv) breach of fiduciary duty; and (v) promissory estoppel. The Lower Court fully granted the defendants’ motion to dismiss and motion for summary judgment, which led the plaintiffs to appeal (see Sovereign Bank v. B.J. Wholesale Club, 385 F. Supp. 2d 183 [M.D. Pa. 2005] and Sovereign Bank v. B.J. Wholesale Club, 427 F. Supp. 2d 256 [M.D. Pa. 2006]).

Relationship Between the Players in the Payment Card System

In order to understand the Appellate Court’s ruling one must first be aware of the relationships (contractual or otherwise) between the players in the payment card system.

In this case, BJW was the merchant that accepted payment cards from consumers (some of whom were issued their cards by the Issuing Banks). In order to accept credit cards and become part of payment card networks such as Visa or Mastercard, merchants must work through and contract with an acquiring bank (a.k.a. “acquirer” or “merchant bank”). In this case Fifth Third acted as BJW’s merchant bank and had a “Merchant Agreement” in place with BJW. In turn, moving upstream, Fifth Third had a “Member Agreement” in place with VISA. Pursuant to the Member Agreement, Fifth Third became a “member” of the VISA network and agreed that it would comply with VISA’s Cardholder Information Security Program (“CISP”) and VISA’s Operating Regulations (note that at the time of the breach the PCI Standard was not in effect and each card brand had its own security standard).

Sovereign Bank was one of the Issuing Banks that had issued payment cards to various consumers that were impacted by the BJW security breach. Sovereign Bank is also a member of the VISA network by virtue of its own Membership Agreement with VISA. However, the Issuing Banks had no direct contractual relationship with Fifth Third or BJW. A graphic representation of the contract chains can be found at this link: BJW Contract Relationship Chart.

Sovereign Bank’s Breach of Contract Allegations

Despite not having a direct contractual relationship with Fifth Third, Sovereign Bank alleged a breach of contract claim based on Fifth Third’s breach of the Membership Agreement between Fifth Third and VISA. Although it was not a party to the Membership Agreement, Sovereign alleged that it was an intended third party beneficiary of the agreement (see BJW Contract Relationship Chart).

Pursuant to the Membership Agreement, Fifth Third agreed to comply with VISA’s Operating Regulations (which included VISA’s Cardholder Information Security Program). The version of the Operating Regulations applicable to this case provided the following:

  • Fifth Third agreed to ensure that its merchants (BJW in this case) complied with the Operating Regulations
  • Fifth Third agreed to enter into a Merchant Agreement with each of its merchants requiring each merchant to comply with VISA’s Operating Regulations
  • A prohibition against retaining or storing the data encoded on the magnetic stripe on the back of payment cards after a transaction is authorized (this is essentially the same prohibition set forth now in section 3.2 of the PCI Standard), and a duty for Fifth Third to impose this obligation on merchants like BJW
  • Provisions concerning dispute resolution between members, including chargeback and representment procedures, and arbitration provisions.

Significantly the Operating Regulations in place at that time did not eliminate any other rights an issuing bank may have to pursue any legal remedy that may otherwise be available. As discussed further below, unless Visa’s Operating Regulations have changed, this suggests that there is no real “safe harbor” for PCI compliance.

Sovereign Bank alleged that both BJW’s failure to delete the magnetic stripe data, and Fifth Third’s failure to ensure BJW’s compliance with the deletion requirement constituted a breach of the Operating Regulations by Fifth Third. Sovereign Bank further contended that these contract breaches allowed the unauthorized access to, and use of, payment card data at BJW, and that Sovereign Bank was legally obligated to reimburse cardholders for fraudulent charges that resulted. Moreover, the resulting unauthorized access to payment card data also required Sovereign Bank to incur the expense to reissue the compromised payment cards. Finally, the Issuing Banks alleged that their customer goodwill was adversely impacted by the BJW breach. The Appellate Court was called upon to rule on these issues in a motion to dismiss/summary judgment context.

The Issue to Resolve: 3rd Party Beneficiary Theory.

The Appellate Court considered the following issue:

Was Sovereign Bank an intended third party beneficiary of the Member Agreement between Fifth Third and VISA?

Although Sovereign Bank conceded that it is not an express third party beneficiary of the Member Agreement between Visa and Fifth Third, it based its argument on § 302 of the Restatement (Second) of Contracts (which had been adopted under Pennsylvania law, which governed this case):

Intended and Incidental Beneficiaries

(1) Unless otherwise agreed between promisor and promisee, a beneficiary of a promise is an intended beneficiary if recognition of a right to performance in the beneficiary is appropriate to effectuate the intentions of the parties and either:

(a) the performance of the promise will satisfy an obligation of the promisee to pay money to the beneficiary; or

(b) the circumstances indicate that the promisee intends to give the beneficiary the benefit of the promised performance.

(2) An incidental beneficiary is a beneficiary who is not an intended beneficiary.

In the context of § 302, the court framed the issue as follows:

Under § 302, Sovereign’s contract claim depends on whether “the recognition of a right to performance” in Sovereign is “appropriate to effectuate the rights of” both Visa and Fifth Third in entering into their Member Agreement and whether “the circumstances indicate that” Visa (the promisee) “intended to give Sovereign the benefit of the promised performance.”

To establish whether Visa intended to give issuing banks like Sovereign the ability to rely on Fifth Third’s promises in the Member Agreement, Sovereign relied on the deposition testimony of Visa’s representative, Alex Miller. Miller testified that he was not aware of any intent on Visa’s behalf to create a direct right to benefit third parties, and that no documents existed that allowed issuing banks to “step into [Visa’s] shoes” to enforce the Membership Agreement with Fifth Third.

However, Miller also stated:

It’s fair to say that the core purposes of the operating regulations is to set up the conditions for participation in the system, to set up rules and standards that apply to that ultimately for the benefit of the Visa payment system, the members that participate in it and other stakeholders such as cardholders, merchants and others who may participate in the system as well.

Miller further testified that the purpose of Visa Operating Rules (including CISP in this case) was to maximize the value of the Visa system as a whole, including “to protect issuers.” Fifth Third argued that Miller’s statements evidenced that Visa’s Operating Regulations were intended not to benefit any individual member or class of members, but the Visa system as a whole.

Sovereign argued that Visa’s Operating Rules were specifically intended to benefit issuers. In addition to Miller’s testimony, it pointed to an August 1993 memo sent by Visa to its members that specifically alerted members of the (then) new requirements to delete magnetic stripe data (hereinafter referred to as “August 1993 Memo”).

That memo started off with the following:

To protect the Visa system and Issuers from potential fraud exposure created by databases of magnetic-stripe information, Section 6.21 has been revised. Effective September 1, 1993, the retention or storage of magnetic stripe data subsequent to the authorization of a transaction is prohibited. Acquirers are obligated to ensure that their merchants do not store the magnetic-stripe information from Visa Cards for any subsequent use.

Sovereign also relied on a May 2003 article printed online by Visa entitled “Issuers and Acquirers Are At Risk When Magnetic-Stripe Data Is Stored,” which indicated that magnetic stripe data compromises “impact[] Issuers” (hereinafter referred to as the “May 2003 Memo”).

The Appellate Court’s Decision and Reasoning

The Appellate Court considered the arguments by both sides and ultimately held that genuine issues of material fact did exist as to whether Sovereign was an intended beneficiary of the Member Agreement between Fifth Third and Visa, and therefore the case should be remanded for further proceedings (e.g. trial) rather than decided on a summary judgment motion.

The Appellate Court rejected Sovereign’s reliance on the May 2003 Memo, indicating that it simply stated the reason for the prohibition against retention of magnetic stripe data. However, the Appellate Court agreed that the August 1993 Memo and Miller’s “core purpose” testimony (referenced above), raised genuine issues of fact.

The court noted that Sovereign is a Visa member and that the core purpose of the Operating Regulations, according to Miller, was to benefit members that participate in the Visa system. The fact that Miller also indicated the Operating Rules were to benefit other stakeholders (such as cardholders, merchants and others who may participate in the system) did not negate the possibility that Visa intended to benefit individual members such as Sovereign.

Moreover, the Appellate Court held that the August 1993 Memo clearly stated that acquirers (such as Fifth Third) must act to protect Issuing Banks (like Sovereign) by ensuring that merchants (like BJW) do not retain magnetic stripe data. The Appellate Court held that this piece of evidence alone was sufficient to get Sovereign past summary judgment. Based on the foregoing, the Appellate Court remanded Sovereign’s breach of contract claim for further proceedings (e.g. trial in front of a judge or jury).

Analysis -- Increased Merchant PCI Liability

Similar to Minnesota’s Plastic Card Protection Act (discussed at this LINK), this decision has the potential to significantly increase the liability risk faced by merchants that are not compliant with PCI and that suffer a security breach.

First, although the Appellate Court’s breach of contract decision only involved the acquirer and the issuing bank, merchants such as BJW may ultimately be liable for the issuing bank’s costs. The source of this liability will also be contractual. However, the contract at issue in this case is the direct contract between the merchant bank and the merchant (hereinafter “Merchant Agreement” -- see BJW Contract Relationship Chart). As the court ruled, this case will now be remanded to the lower court. A judge or jury could find Fifth Third liable to Sovereign for reissuance costs, or Fifth Third and Sovereign may settle the case based on the strength of Sovereign’s breach of contract claim. If Fifth Third wanted to recover the damages it paid to Sovereign, it may be able to rely on language in the Merchant Agreement between it and BJW to recover directly from BJW.

It is not atypical for a merchant to enter into a very one-sided Merchant Agreement with an acquiring bank (or the acquiring bank’s processor). Such Merchant Agreements often require the merchant to comply with the card association’s operating rules, security program and/or PCI. A sample of how such language may read is as follows:

Merchant agrees to comply with all security standards and guidelines that may be published from time to time by Visa or MasterCard and any other applicable industry security standards, including, without limitation, the Visa U.S.A. Cardholder Information Security Program (“CISP”), the MasterCard Site Data Protection (“SDP”), and the Payment Card Industry Data Security Standard (the “Security Requirements”).

If BJW agreed to comply with Visa’s Operating Rules and/or CISP, Fifth Third may have a right to recover any damages paid to Sovereign under a breach of contract theory (BJW having breached the Merchant Agreement).

In fact, merchant banks may have an explicitly contractual right to recover reissuance costs they are forced to pay issuing banks. It is likely that the Merchant Agreement requires the merchant to indemnify the merchant bank for liability it incurs because the merchant allowed a security breach. A sample of how such language might read is as follows:

Merchant agrees to indemnify Acquiring Bank, Member, the Associations, affiliates, officers, directors, employees, agents and issuing banks from any losses, expenses, costs, liabilities, and damages of any and every kind (including, without limitation, our costs, expenses, and reasonable legal fees) arising out of any claim, complaint, or chargeback caused by the merchant’s noncompliance with this Agreement, any Security Requirements or the Association Rules.

If similar language exists in the Merchant Agreement between BJW and Fifth Third, Fifth Third may demand that BJW indemnify it for any issuing costs that Fifth Third is required to pay to Sovereign. Of course, if BJW refuses, Fifth Third will again need to file a claim against BJW for breach of the Merchant Agreement. In short, by allowing an issuing bank to use the Visa Member Agreement to go after the merchant bank, the Appellate Court opened a path to merchant liability for the costs incurred by the issuing bank to reissue credit cards. The path starts with the Member Agreement, goes through the Merchant Agreement and ends up at the merchant.

PCI Compliance as a Defense – Existence of “Safe Harbor?”

Despite the existence of this contractual path to liability, the question arises whether a merchant’s compliance with the PCI and card association operating regulations will insulate the merchant from liability if it suffers a payment card security breach. Unfortunately, from the issuing bank’s point of view the merchant’s PCI compliance status is irrelevant – the issuing bank still must pay to reissue payment cards after a security breach of a PCI-compliant merchant. There are several points which may illuminate whether PCI compliance provides an automatic “safe harbor” from liability.

First, at least under the version in effect during the BJW case, according to the Appellate Court, issuing banks were not precluded by Visa Operating Rules from pursuing any available remedies at law. Thus, even if a merchant had fully complied with PCI and the applicable operating rules, an issuing bank’s status as a member of Visa or Mastercard does not block it from going after merchants. In fact, even if an issuing bank had agreed with Visa to refrain from pursuing merchants that were PCI compliant, the only party that could enforce that agreement would be Visa (unless, ironically, the merchant could be argued to be a third party beneficiary of the Member Agreement between Visa and the Issuing bank). Significantly, while compliance with the industry standard for protecting cardholder information will offer merchants a strong defense, it is still possible that a merchant could be liable under other theories of liability (e.g. negligence) if a court finds that the PCI standard itself is inadequate (see e.g. T.J. Hooper case).

Second, a PCI-compliant merchant’s liability will be largely contingent on the language set forth in the Member Agreement between the acquiring bank and the card association, and the Merchant Agreement between the acquiring bank and the merchant itself. If the Member Agreement makes the acquiring bank responsible for merchants’ security breaches in general (regardless of PCI compliance) and the Merchant Agreement requires the merchant to indemnify the acquiring bank for any losses, then the path to liability described above could apply. In such a case, in order to “block” the path from issuing bank through the Member Agreement, the Member Agreement would have to contain specific language providing a PCI “safe harbor” (alternatively, as discussed further below, the merchant may be able to negotiate a “safe harbor” in the Merchant Agreement to block the liability path).

Significantly, gaining access to the card associations’ operating rules and Membership Agreements has been notoriously difficult. Without the ability to read those documents it may be hard to ascertain the scope of the liability risk under this theory, since the merchant will not be aware of the merchant bank’s obligations to the card association in the event of a merchant security breach.

Limited Applicability?

Variations in the terms and conditions of Member Agreements and card association operating rules may also impact the path to merchant liability. As such, the holding in the BJW Decision may not apply if there have been changes in subsequent versions of these documents. For example, if the current version of Visa’s Member Agreement specifically precludes enforcement of the Member Agreement by third parties, then issuing banks would not be able to employ the 3rd party beneficiary theory used by Sovereign. However, if the Member Agreement between the card association and acquirer bank remains silent, then the same rationale in the BJW Decision could apply.

With respect to Visa’s Member Agreements, where intent is unclear, issuing banks may be able to rely on Mr. Miller’s deposition testimony in the BJW decision. As such, cases brought in jurisdictions that follow section 302 of the Restatement (Second) of Contracts may be prone to agree with the Appellate Court’s decision. Again, unfortunately, merchants will not be able to ascertain the full extent of their risk unless they can get access to the acquiring bank’s Member Agreement or be informed of whether it prohibits third party beneficiaries.

Merchant Actions to Potentially Reduce the Risk of Liability

There may be some steps that merchants can take to reduce their risk of liability for a payment card security breach. The BJW path to liability is a two-step process. First, the issuing bank must successfully sue the acquirer for breach of the Member Agreement between the card association and the acquirer; then the acquirer must pursue the merchant under the Merchant Agreement. Thus, merchants should consider both steps to determine the extent of their potential liability and for purposes of cutting off the path.

  • Attempt to Determine Existence of 3rd Party Beneficiary Prohibition in Member Agreement

The first step on the path to liability under the 3rd party beneficiary theory is whether the Member Agreement between the card association and acquirer bank precludes third party enforcement of the Member Agreement. Merchants should ask their acquirer banks if they can examine their Member Agreement. It is likely, however, that the acquirer bank will be unwilling to provide the agreement itself. If not, the merchant should at least attempt to seek assurances that there is a prohibition against third party beneficiaries. If the Member Agreement does not contain such a prohibition, then it is possible that the first step on the BJW liability path is open. Therefore, the merchant should seek to cut off the second step on the path, the Merchant Agreement.

  • Negotiate a “Safe Harbor” in the Merchant Agreement

Obviously, the merchant has little control over what third party beneficiary terms its acquirer may have agreed to in the Member Agreement. However, a merchant does have some control over the terms it agrees to in its Merchant Agreement with its acquirer. It may be possible for a merchant to cut off liability even if the issuing bank has been successful as a third party beneficiary of the Member Agreement. When entering into negotiations with acquirers (or their payment processors), merchants should attempt to negotiate a “safe harbor” into their Merchant Agreement. In essence, the safe harbor language would indicate that in the event of a security breach involving payment card information, if at the time of the breach the merchant was compliant with PCI and/or the card association’s operating rules, the acquirer would have no right to indemnification or any other recourse against the merchant. Rather than relying on (most likely) illusory safe harbors identified by the card associations, this would provide a direct right to avoid contractual liability if the merchant has done everything it promised with respect to PCI.

The parameters of the safe harbor should be defined to protect the merchant. First, the merchant agreement should identify a truly independent third party responsible for performing a post-breach PCI/operating rules audit, and set up a process for the audit itself (note that one issue to consider is that the auditor’s findings will not be protected by attorney-client privilege, so caution is warranted). This third party would be the last word on whether the merchant was PCI-compliant at the time of the breach. Currently this post-incident response is performed by auditors hand-picked by the card associations, and some believe that, because of the close relationships these auditors have with the card associations, they could be less than “neutral” when performing these audits. Second, the standard for compliance should not be strict compliance. Rather, the merchant should be deemed to be compliant unless it is in material non-compliance with PCI. Finding technical non-compliance with some section of PCI or card association rules, as any security expert can tell you, is not difficult. Even better would be language requiring the non-compliance with PCI to be the actual cause of the security breach at issue – if the non-compliance was not in any way relevant to the breach, the merchant would not be liable. Last, if possible, the safe harbor should include indemnification from the acquiring bank if the merchant is PCI-compliant at the time of the breach. This would allow the merchant to cut off direct suits from other stakeholders (consumers, issuing banks, card associations). Admittedly, however, it will likely be difficult to convince an acquiring bank to go this far.

Whether a merchant will be able to negotiate a safe harbor or any other term of the Merchant Agreement will depend in large part on negotiating leverage. Larger merchants with clout, or any merchant willing to “shop around” between multiple acquiring banks, will be in the best position to negotiate favorable terms. Some of the same negotiating leverage issues apply for this route as well.

  • Limitation of Liability

In addition, merchants should consider a limitation of liability that caps the merchant’s potential liability in the event of a security breach exposing credit card data. Merchants that have expended significant resources in becoming PCI compliant may be able to justify the cap more easily.

  • Insure Against Payment Card Security Breaches

The insurance market has created information security and privacy liability policies which may cover liability arising out of a payment card breach. Since the risk of a security breach can never be 100% eliminated, insurance may be a good risk management tool to transfer unwanted risk. The key for utilizing insurance is to make sure the risk the merchant desires to transfer is actually transferred in light of the terms, conditions and exclusions in the insurance policy.

Conclusion

Merchants can no longer afford to treat PCI compliance as a pure security issue. Merchants should carefully analyze their PCI liability risk and determine ways to mitigate that risk. Laws like Minnesota’s Plastic Card Protection Act and the BJW decision have likely increased the risk significantly. The potential for huge damage is great - issuing banks have alleged that the costs of reissuing payment cards range from $20-$50 per card (multiplied by thousands or even millions of cards). For smaller and medium companies highly reliant on payment cards, the failure to address this risk ahead of time can mean bankruptcy. For larger retailers, the prospect of spending tens of millions of dollars defending and settling lawsuits against issuing banks and merchants should spur on a careful examination of all merchant agreements, and the possible shopping around for merchant banks and payment processors that provide reasonable terms.

As such, more than ever, merchants must work with their legal counsel and risk managers to understand and mitigate the risk. Merchant lawyers must analyze their clients’ current contractual relationships with acquiring banks and assist in negotiating favorable terms with payment processors and merchant banks. Since the risk is somewhat unpredictable and may be difficult to eliminate, information security and privacy risk insurance should also be considered. Lawyers should carefully analyze the scope of information security liability coverage to make sure their PCI risk is being transferred to the insurers. If the proper steps are taken, merchants may be able to avoid or mitigate significant losses in the event of a security breach.

Thursday, September 18, 2008

Forever 21 -- Breached and PCI Compliant

I anticipate we will be seeing a lot more instances of merchants suffering payment card breaches while PCI compliant. The question is, will they be held liable for those breaches? An article on that is coming soon. For now, here is an article on Forever 21, which just reported a breach involving over 98,000 card numbers. Forever 21 claims that it has been certified as PCI compliant since 2007. However, all of the incidents happened from March 2004 to August 2007. Therefore it is possible that Forever 21 was not PCI-compliant at the time of the incidents, but became so after August 2007.

Wednesday, August 27, 2008

Best Western: PCI Compliant and Hacked

While the details are still murky on the number of records impacted (somewhere between 13 and 8 million), it appears that we have a security breach of another high profile corporation claiming PCI compliance at the time of breach. SC Magazine has the story here.

Here is Best Western's statement on the breach:

“We comply with the Payment Card Industry (PCI) Data Security Standards (DSS). To maintain that compliance, Best Western maintains a secure network protected by firewalls and governed by a strong information security policy. We collect credit card information only when it is necessary to process a guest’s reservation; we restrict access to that information to only those requiring access and through the use of unique and individual, password-protected points of entry; we encrypt credit card information in our systems and databases and in any electronic transmission over public networks; and again, we delete credit card information and all other personal information upon guest departure. We regularly test our systems and processes in an effort to protect customer information, and employ the services of industry-leading third-party firms to evaluate our safeguards.”

Obviously, the facts are still murky, but it will be interesting to see what, if any, protection PCI compliance will have from a liability perspective and a "safe harbor" perspective.

Monday, June 9, 2008

FACTA Development: The “Credit and Debit Card Receipt Clarification Act of 2007” Signed into Law.

The FACTA class action litigation saga has taken a new twist. Congress has passed and the President has signed the Credit and Debit Card Receipt Clarification Act of 2007 (the “Act”) into law. The Act will likely provide a large set of FACTA class action defendants with the ability to escape expensive litigation and liability.

As previously reported, plaintiffs have filed FACTA class action lawsuits based not on the printing of the payment card number on an electronically printed receipt, but simply based on the printing of the expiration date on a receipt (see for example the StubHub case referenced in this post). In fact, the relevant FACTA section establishes an “either/or” scenario:

Except as otherwise provided in this subsection, no person that accepts credit cards or debit cards for the transaction of business shall print more than the last 5 digits of the card number or the expiration date upon any receipt provided to the cardholder at the point of the sale or transaction.

15 U.S.C. 1681c(g) (emphasis supplied). If a plaintiff is able to establish a willful violation of FACTA, a court could award statutory damages ranging from $100 to $1,000 without the plaintiff having to establish that he or she suffered actual harm.
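Two of the rules this blog keeps returning to are concrete enough to check in code: the prohibition on retaining magnetic-stripe data after authorization (the Visa Operating Regulations duty at the heart of the BJW Decision, now PCI DSS section 3.2) and the FACTA “either/or” receipt rule quoted above. The following is an added example, not code from the original post or from any of the companies discussed; the track-data layouts follow ISO/IEC 7813, the “exp” label used to recognise an expiration date is my own assumption, and all sample records and receipts are constructed using published test card numbers.

```python
"""Added example, not from the original post. find_stored_track_data() flags
full magnetic-stripe data retained in a stored record (the Visa Operating
Regulations prohibition, now PCI DSS 3.2); check_receipt() applies the FACTA
receipt rule in 15 U.S.C. 1681c(g). Sample data is constructed."""
import re
from typing import Dict, List

# ISO/IEC 7813 track 2: ;PAN=YYMM<service code><discretionary data>?
TRACK2_RE = re.compile(r";?(\d{13,19})=(\d{4})(\d{3})(\d*)\??")
# ISO/IEC 7813 track 1: %B<PAN>^<name>^YYMM...
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^]{2,26}\^(\d{4})")


def luhn_ok(pan: str) -> bool:
    """Mod-10 check used to separate real PANs from arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_stored_track_data(record: str) -> List[str]:
    """Return the PANs of any full track 1 or track 2 data present in a stored
    record. A non-empty result means the record keeps data that must be purged
    after authorization; a token or last-4 reference does not match."""
    pans: List[str] = []
    for pattern in (TRACK2_RE, TRACK1_RE):
        for m in pattern.finditer(record):
            if luhn_ok(m.group(1)) and m.group(1) not in pans:
                pans.append(m.group(1))
    return pans


# Receipt patterns. Assumption (mine, not from the statute): an expiration date
# is recognised only when labelled "exp", so transaction dates are not flagged.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")
MASK_TOO_LONG_RE = re.compile(r"[*xX]{2,}[ -]?(\d{6,})")   # e.g. ****123456
EXPIRY_RE = re.compile(r"\bexp\w*\.?:?\s*(0[1-9]|1[0-2])/(\d{2}|\d{4})\b", re.I)


def check_receipt(receipt: str) -> Dict[str, bool]:
    """FACTA is an either/or rule: printing at most the last 5 digits is not
    enough if the expiration date is also printed, and vice versa."""
    full_pan = any(luhn_ok(re.sub(r"\D", "", m.group(0)))
                   for m in PAN_RE.finditer(receipt))
    too_many_digits = full_pan or MASK_TOO_LONG_RE.search(receipt) is not None
    expiry = EXPIRY_RE.search(receipt) is not None
    return {
        "more_than_last_5_digits": too_many_digits,
        "expiration_date_printed": expiry,
        "compliant": not (too_many_digits or expiry),
    }


# Constructed samples: published test card numbers, fictitious everything else.
STORED_RECORDS = [
    "2004-03-01 AUTH ok ;4111111111111111=08121010000000000?",
    "2004-03-01 AUTH ok %B5555555555554444^DOE/JANE^0812101000000?",
    "2004-03-01 AUTH ok token=tok_8f3a last4=1111",
]
RECEIPTS = {
    "compliant": "VISA ************1111  AUTH 123456\nDate 06/09/2008",
    "full_pan": "VISA 4111 1111 1111 1111  AUTH 123456",
    "expiry": "VISA ************1111  Exp 08/12",
}


def audit() -> Dict[str, object]:
    """Run both checks over the constructed samples."""
    return {
        "retained_track_data": [find_stored_track_data(r) for r in STORED_RECORDS],
        "receipts": {name: check_receipt(r) for name, r in RECEIPTS.items()},
    }


if __name__ == "__main__":
    for key, value in audit().items():
        print(key, value)
```

The first two stored records are exactly the kind of post-authorization retention the August 1993 Memo prohibits; the third keeps only a token and last four digits and passes. Of the receipts, only the first satisfies both halves of the FACTA rule.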

Unfortunately, dozens of companies that had made the effort to truncate the payment card numbers nonetheless were sued in FACTA class actions alleging a failure to remove the expiration date from payment card receipts (see e.g. Troy v. Home Run Inn, No. 07CV4331 (N.D. Ill. 2008); Cicilline v. Jewel Food Stores, No. 07CV2333 (N.D. Ill. 2007)).

Congress passed the Act in light of these “expiration date only” FACTA lawsuits. The relevant part of the Act states:

(d) Clarification of Willful Noncompliance- For the purposes of this section, any person who printed an expiration date on any receipt provided to a consumer cardholder at a point of sale or transaction between December 4, 2004, and the date of the enactment of this subsection but otherwise complied with the requirements of section 605(g) for such receipt shall not be in willful noncompliance with section 605(g) by reason of printing such expiration date on the receipt.

(emphasis supplied). In essence this language appears to block plaintiffs from going after statutory damages under FACTA. Since those statutory damages are the only reason these cases are attractive to plaintiffs attorneys, it is likely that class actions on this basis will not be pursued.

Significantly, the Act applies retroactively: it would apply to FACTA lawsuits already filed on the basis of printing the expiration date on the receipt.

This is obviously good news for defendants. However, the way Congress went about this raises some questions. Rather than “clarifying” the law by stating that printing just the expiration date is not a violation of FACTA, Congress left the door open for plaintiffs that suffer “actual harm” based on the “non-willful” printing of the expiration date. Admittedly, few if any plaintiffs will be able to establish actual harm in this context. However, there is a certain logic gap at play here.

Congress has said unequivocally, regardless of the actual facts of the case, that printing the expiration date shall not be “willful noncompliance.” What if, in an (extreme) hypothetical, a defendant wrote an email stating:

I, President of ABC company, understand that FACTA prohibits the printing of a credit card expiration date on the receipt, but for financial reasons I intend to not follow that legal requirement.

Based on the Act, there would still be no willful violation, even though under this hypothetical there was one in layman’s terms. Of course, in “real life” this email likely does not exist, but there could be lesser evidence establishing “willfulness” that could be in play. In short, Congress took an awkward, somewhat Alice-in-Wonderland approach to rectify the situation, and hopefully it does not give plaintiffs a hook to keep these cases in court (clearly more research would be needed as to how legislative intent is factored into these scenarios). Regardless, at a minimum, this gives the FACTA defendants great litigation leverage on this issue.

Another “Victory” on the Issue of “Damages” in a Security Breach Negligence Case

As has been reported on this blog previously (here and here), many courts that have considered the issue of damages in a security breach scenario involving personal information have concluded that taking pre-emptive actions (such as purchasing credit monitoring services) does not amount to “damages” for purposes of a negligence claim. Some chinks, however, have begun to develop in the “damages” armor used by defendants in security breach negligence cases. A recent decision sets forth another possible theory of liability to get a plaintiff at least beyond a motion to dismiss.

In Ruiz v. Gap, 07-5739 (N.D. Cal. 2008), a class of plaintiffs sued the Gap alleging that their unencrypted personal information resided on one of two laptops stolen from one of the Gap’s vendors (the personal information of approximately 800,000 Gap job applicants was stored on the laptops). The Gap offered the plaintiffs 12 months of credit monitoring services and fraud assistance without charge, as well as access to $50,000 worth of identity theft insurance.

The Ruiz court analyzed the plaintiffs’ complaint to determine whether the plaintiffs properly alleged an “injury in fact” for purposes of standing, and the issue of damages with respect to the plaintiffs’ negligence claim. In particular, the court noted that the plaintiffs had merely alleged that they were at “an increased risk of identity theft” and did not allege that their identity had been stolen.

The court noted that the plaintiffs’ allegations seemed “conjectural or hypothetical, rather than actual or imminent,” and that there was nothing else to allow the court to determine that the risk was actual, imminent or credible. Nonetheless, the court presumed that the general allegations embraced the specific facts supporting them and denied the motion to dismiss. The court did, however, issue a warning to the plaintiffs indicating that if it became apparent that their allegation of injury was too speculative or hypothetical the plaintiffs’ case may be dismissed later in the proceeding. In addition, the court noted that the extent of recoverable damages was unclear even if the plaintiffs were to prevail on a negligence claim.

Unfortunately, as with other negligent security cases allowing plaintiffs to proceed past a motion to dismiss, the court did not provide a highly developed legal rationale to support its decision. In this case it appears that the court simply accepted on its face that the alleged “increased risk of identity theft” constituted an injury. It went further and allowed the negligence claim to proceed even though no specific facts were alleged supporting that the plaintiffs were at increased risk. For the time being at least, it appears to be another small chip off the damages security breach defense rationale.

Wednesday, April 16, 2008

"Damages" in a security breach case... er.. maybe kinda...

A recent opinion came out of the U.S. District Court for the District of Columbia that denies the defendant's motion to dismiss a case against the Transportation Safety Administration arising out of the loss of a hard drive containing the personal information of 100,000 TSA employees (including names, SSNs, DOBs, bank account numbers, etc.).

The plaintiffs alleged a violation of section 522a(3)(10) of the Privacy Act, which provides:

Each agency that maintains a system of records shall . . . establish appropriate administrative, technical, and physical safeguards to insure the security and confidentiality of records and to protect against any anticipated threats or hazards to their security or integrity which could result in substantial harm, embarrassment, inconvenience, or unfairness to any individual on whom information is maintained.

In various contexts, the defendants argued that the plaintiffs had not alleged actual damages, that damages should be construed as only encompassing "out-of-pocket" pecuniary loss, and that the plaintiffs' concerns about harm were speculative and dependent on future events (e.g. criminal misuse of the plaintiffs' personal information by third parties).

The court analyzed the following injury allegations by the plaintiffs:

“embarrassment, inconvenience, mental distress, concern for identity theft, concern for damage to credit report, concern for damage to financial suitability requirements in employment, and future substantial financial harm, [and] mental distress due to the possibility of security breach at airports."

In rejecting the defendant's motion to dismiss on the issue of injury/harm/damages, the Court focused on the "embarrassment... mental distress.... and concern" allegations. It held that those emotional distress allegations were neither speculative nor dependent on future events.

The court also noted that the plaintiffs conceded that they were not alleging "current, actual, financial loss" or seeking out-of-pocket expenses. The court cited a case interpreting the Privacy Act that held that actual damages were not limited to "pecuniary losses" and that actions under the Privacy Act could survive the motion to dismiss phase based on pain and suffering and non-pecuniary losses. In this case the allegation of emotional distress was sufficient to survive a motion for summary judgment.

There are several issues to address in this case:

(1) First off, since the plaintiffs did not appear to allege "out-of-pocket" expenses related to the security breach, it does not appear that the logic of this case would apply to situations where a plaintiff incurs costs (e.g. credit monitoring) to head off potential future harm that could arise out of identity theft (e.g. bad credit, cleaning up credit reports, credit monitoring, etc.). Rather, this case focused on whether "emotional distress" or "concern" was itself actual damages or an adverse impact under the Privacy Act. So I am not sure it helps support the theory that out-of-pocket expenses post-breach, pre-identity theft are actionable.

(2) This case arose in the context of the Privacy Act, and in particular an alleged violation of a section intended to prevent "substantial harm, embarrassment, inconvenience." Since the intended harm includes "intangibles" such as embarrassment and inconvenience it seems that emotional distress can easily fall into that type of "injury."

(3) Another contextual matter: the reason the plaintiffs have to establish actual damages is to satisfy a U.S. Supreme Court case that ruled that "actual damages" were necessary for a plaintiff to recover the $1,000 statutory penalty available under the Privacy Act. More research needs to be done to determine whether "damages" in a negligence context is the same as "actual damages" in the Privacy Act coverage.

(4) It seems to me the logic employed here was a little loose. Most of the "emotional distress" and "concern" clearly ties to what might happen to the plaintiffs' personal information (e.g. concern for identity theft, concern for damage to credit report, concern for damage to employment suitability, etc.). I suppose it's possible that somebody could suffer emotional distress simply from knowing their information was breached. However, it's how that information might be used in the future after the breach that is actually of concern. It seems to me that without some alleged facts (e.g. evidence of visits to a psychiatrist, starting anti-anxiety medication, evidence of depression) this is fairly weak tea. I suppose courts are more lenient at the motion to dismiss phase (all you need to do is state a claim) and are likely to be more demanding on the evidentiary front if/when a motion for summary judgment is filed.

(5) In my view, since the ruling was fairly conclusory and did not dive deep into the details concerning how to define "damages," I am not sure how persuasive this reasoning will be in other contexts.