Philip L. Gordon, Esq. and Ryan L. McClelland, Esq
Introduction
A wave of class action privacy litigation recently reached tsunami-like proportions but now appears to be losing some of its momentum. These suits allege violations of the Fair and Accurate Credit Transactions Act (the FACT Act) because a non-truncated credit or debit card number and/or an expiration date appears on a printed receipt. Since December 2006, more than 200 such class actions have targeted the gamut of national chain operations - including, for example, retailers, hoteliers and restaurateurs - which rely heavily on credit and debit card transactions with consumers.
Plaintiffs' class action lawyers have seized upon this new genre of privacy litigation because of a critical difference between the FACT Act and virtually all other privacy and data protection legislation. Plaintiffs in FACT Act cases can recover up to $1,000 in statutory damages for a willful violation even if they suffered no actual harm. In other privacy-based lawsuits, the plaintiff typically must prove that the alleged privacy breach proximately caused actual pecuniary loss, often an insurmountable hurdle to recovery.
Given the number of credit and debit card receipts printed by a national, consumer-oriented business in one day, plaintiffs' class action attorneys have been calculating their potential recoveries in the hundreds of millions or even billions of dollars. As a consequence, defense lawyers have been working furiously to forestall potentially devastating judgments against the lawsuits' targets, many bearing household names. With the outcome still in the balance, the initial thrust of these class action filings appears to be subsiding and the likelihood of success less certain in light of recent legal rulings.
Background of the FACT Act
The Fact Act, enacted in 2003, is a package of amendments to the Fair Credit Reporting Act (FCRA), intended to reduce the risk of identity theft and to assist ID theft victims. The Fact Act provision underlying the "credit card receipt litigation" prohibits a business which accepts credit or debit cards from printing, in the words of the law, "more than the last five digits of the card number or the expiration date upon any receipt provided to the cardholder at the point of the sale or transaction." The compliance deadline was January 1, 2005, for point-of-sales devices put into use after that date, and December 4, 2006, for devices put into use before January 1, 2005. Because the FACT Act itself establishes no remedies for a violation, those seeking to enforce the law's "truncation requirement" must rely upon the FCRA's enforcement provisions.
Critical to understanding this new wave of class action privacy litigation is the distinction in the FCRA's enforcement provisions between a "negligent" and a "willful" violation. Plaintiffs alleging a negligent violation can recover only the actual damages caused by a business' printing of a non-truncated card number or an expiration date on the receipt. Because such proof either is non-existent or extremely difficult to obtain, the chances of recovering any money damages for a negligent violation of the truncation requirement are remote. By contrast, FCRA provides up to $1,000 in statutory damages per violation for a "willful" violation of the truncation requirement, regardless of whether the person who receives the offending credit or debit receipt suffered any actual pecuniary loss.
The U.S. Supreme Court's June 2007 Decision Defining "Willful"
When plaintiffs' class action lawyers began filing credit card receipt class actions, there was no definitive guidance on FCRA's meaning of the term "willful." FCRA itself contains no definition; the Federal Trade Commission (the administrative agency responsible for enforcing FCRA) has issued no regulatory guidance; and the federal district and appellate courts have reached conflicting conclusions. Ironically, in mid-January 2007, just weeks after this wave of litigation began gathering force, the U.S. Supreme Court heard oral argument in Safeco Insurance Company of America v. Burr, which raised that very question (albeit in a different context).
On June 4, 2007, the Supreme Court issued its highly anticipated opinion, interpreting FCRA's willfulness requirement for statutory damages. The court held that "willful" includes a violation committed "recklessly," but also requires an action entailing "an unjustifiably high risk of harm that is either known or so obvious that it should be known." In the court's words, "a company subject to FCRA does not act in reckless disregard of [the act's requirements] unless the action is not only a violation under a reasonable reading of the statute's terms, but shows that the company ran a risk of violating the law substantially greater than the risk associated with a reading that was merely careless."
The Supreme Court's ruling appears to add a powerful weapon to the defense lawyers' arsenal - at least for those companies that did truncate the card number but failed to remove the expiration date, a relatively common occurrence. To date, most defendants in FACT Act lawsuits have argued that they did not act willfully because they were unaware of the requirement to remove the expiration date. Under the Supreme Court's ruling, these defendants could be liable for $1,000 per offending receipt only if the sole appearance of an expiration date subjected the consumer to "an unjustifiably high risk of harm that is either known or so obvious that it should be known." While the issue has yet to be litigated, the standard appears to be near-fatal for lawsuits against businesses that did truncate the card number but continued to print the expiration date after the compliance deadline.
Recent Decisions Denying Class Certification
Putting aside the need to prove a willful violation, plaintiffs' class action lawyers have confronted another potentially, case-ending obstacle. In the past few months, the federal district court in Los Angeles has refused to certify FACT Act lawsuits as class actions in five different cases. These decisions mean that the claims of anywhere from thousands to millions of customers for up to $1,000 each cannot be pursued in a single lawsuit seeking a multi-million or multi-billion dollar recovery, but instead must be pursued as individual claims of up to $1,000 each plus an award of attorneys' fees, not a particularly remunerative endeavor for a plaintiff's attorney.
The federal district court's opinion in the case against Avis Rental Cars illustrates the reasoning underlying all of the decisions to deny class certification. Under the Federal Rules of Civil Procedure, a court should permit a case to proceed as a class action only if class treatment would be superior to litigating the claims of class members in numerous individual lawsuits. The Avis Court reasoned that "class treatment is not the superior method of adjudication because Avis' liability "would be enormous and completely out of proportion to any harm suffered by the plaintiff." The court noted that Avis could be subject to liability of $1.66 billion for a willful violation of the truncation requirement in the absence of any actual harm to consumers.
Interestingly, in the Avis case, the court relied on testimony from Avis' expert witnesses that the appearance of an expiration date and only a truncated card number could not possibly cause any actual injury. The Avis court also emphasized that the company promptly had begun the process of removing the expiration date after discovering non-compliance.
These significant victories for the defense bar are not quite yet nails in the coffin. In three of the cases, plaintiffs' counsel has asked the United States Court of Appeals for the Ninth Circuit to review the trial court's decision denying class certification. Those requests currently are pending.
Internet Credit Card Transactions: The Next Wave of FACT Act Litigation?
In what appears to be the next wave of FACT Act litigation, class action lawsuits have been filed against online retailers, including Apple Computer, Inc., and Expedia, Inc. On August 8, 2007, a federal lawsuit alleged that Apple included credit card expiration dates on its Apple Store online receipts. Expedia, an online travel agency (doing business as Hotels.com) recently was accused of similar conduct. However, because each business electronically generates their receipts as opposed to "electronically print[ing]" them (as required by the FACT Act), it is unclear whether the FACT Act's statutory requirements will apply to these online vendors.
Risk Management and Conclusion
Even with the pendulum swinging toward the defense side in these FACT Act lawsuits, the area remains ripe for additional court filings in light of the potentially huge damages recoveries. Despite the rash of class action filings, many businesses continue to print credit and debit card receipts that do not comply with the FACT Act's requirements.
Given these circumstances, privacy professionals at consumer-oriented businesses, whether online or offline, should investigate point-of-sale practices immediately and, if necessary, redact all but the last five digits of the credit or debit card number and the expiration date from all electronically printed customer receipts. This process may require working with third-party vendors to ensure that any updates are done properly. If the investigation reveals past violations of the truncation requirement, which have not yet been raised in a lawsuit, the business should begin developing the foundations of its litigation defense so that this newest wave of privacy-based litigation will hit the shore without causing any damage to the organization.
Philip Gordon is a shareholder in Littler Mendelson's Denver office and chairs the firm's Privacy and Data Protection Practice Group. He also authors the blog, "Workplace Privacy Counsel" (www.workplaceprivacycounsel.com). He can be reach at
pgordon@littler.com
or +303.362.2858.
Ryan McClelland is an associate in Littler Mendelson's Los Angeles office. He can be reached at
rmcclelland@littler.com
or +310.772.7263.
Comments
If you want to comment on this post, you need to login.