Earlier this week, the FTC issued orders to nine credit card and payment security auditors in an effort to gain insight into data security compliance auditing and its role in protecting consumers’ information and privacy.

The orders contain detailed questions concerning the assessment process for Payment Card Industry Data Security Standard (“PCI DSS”) compliance, including the policies and procedures in place to govern the assessment, and the percentage of clients that have been found to be non-compliant.  In addition, the orders request information on whether the auditors provide any data security forensic audit services, and the processes and procedures in place for doing so.  The Commission is also requesting information on whether the auditors have been the subject of any government or regulatory inquiry, private action, arbitration, or mediation related to any of its PCI DSS services.

So What Does This Mean? The Commission has not specified exactly what it plans to do with the data collected, other than to say that it “will be used to study the state of PCI DSS assessments.”  As a general matter, all merchants are bound to comply with PCI DSS through a merchant agreement executed between the merchant and its merchant bank.  Some states have also codified portions of the PCI DSS to require certain protections for PCI.  Nonetheless, a significant amount of data breaches still involve the compromise of payment card information, and some of these breaches have occurred by merchants that are certified as PCI-compliant at the time of the attack.

The auditors have been ordered to respond by mid-April, so be sure to stay tuned for next steps from the FTC.

Last week the BNA Privacy & Security Law Report published an article discussing in detail California’s Song-Beverly Credit Card Act (the “Act”). The aim of the article is to provide those persons and businesses that regularly engage in credit card transactions in California, most notably retail merchants, with a meaningful primer on some critical current and developing aspects of the Act.  The article provides an overview of the Act’s provisions, and discusses the important legal issues surrounding the Act, including several that California courts have resolved, several that are currently pending before those courts, and one that may be resolved in the near future.

On a related note, the California Court of Appeals, Fourth Appellate Division, recently issued a decision in Carson v. Michaels Stores, Inc., which addressed several issues under the Act. See id. at No. 37-2008-00089773-CU-BT-CTL, 2010 WL 2862077 (Cal. App. Ct. July 22, 2010). Carson filed a complaint against Michaels Stores, Inc., alleging violations of the Act and her constitutional right to privacy by requesting and recording her zip code, and then using her zip code to obtain her address from a public database. First, the court, following Pineda v. Williams-Sonoma Stores, Inc., 100 Cal.Rptr.3d 458 (Cal. App. Ct. 2009), affirmed the trial court’s holding that zip codes are not personal identification information under the Act. Because zip codes are not personal identification information under the Act, Michaels’ use of this information to obtain plaintiff’s address was also held not to be prohibited under the Act. Id. at 7. (See our prior posts discussing Pineda and issues under the Act.)

In addition, the court held that plaintiff had no reasonable expectation of privacy in her address – as it was obtained from public databases available on the Internet – and therefore plaintiff did not have a valid invasion of privacy claim under the California constitution. Id. at 9-10.

Notably, the court declined to decide a significant open issue under the Act – whether the Act prohibits a retailer from requesting personal information as a condition of accepting the customer’s credit card payment.  Id. at n.4. This open issue is discussed in detail in the above-referenced article.

After working through the night, the Congressional conference committee tasked with negotiating a final financial reform bill voted 27-16 to approve the bill and send it back to each chamber for a final vote on the conference report.

Recaps of the long day and night of negotiations and the final bill are available from Politico, the Wall Street Journal, and American Banker, among many others.

With regard to certain of the issues we have been following closely here, in the end, auto dealers will be exempt from the purview of the new Consumer Financial Protection Bureau, but payday lenders and other non-bank financial service providers will be subject to the new regulator. In addition, the Federal Reserve will be permitted to cap interchange fees, except for those on cards issued by governments.

The bill includes myriad other important provisions related to mortgage lending, the activities of banks, insurance regulation, corporate governance, and more. The Wall Street Journal provides an overview of some of the “major” provisions. Over the coming weeks and months we will be taking a closer look at certain aspects of the final bill and their implications, for example, increased litigation risk for financial service providers, including merchants and retailers.

In a previous post, we noted that the California Supreme Court in Pineda v. Williams-Sonoma Stores, Inc., granted a petition to review the issue of whether a retailer violates California’s Song-Beverly Credit Card Act if, in connection with a credit card transaction, it records a customer’s zip code for the purpose of later using it and the customer’s name to obtain the customer’s address through a reverse search database. The appeal is now fully briefed. The following are some of the more significant arguments proffered by each side, and the potential impact of the ruling on retailers.

The trial court sustained Williams-Sonoma’s demurrer to Pineda’s Section 1747.08 claim on the grounds that under Party City Corp. v. Superior Court, 169 Cal. App. 4th 497 (2008) (discussed previously on this blog), zip codes can never constitute “personal identification information” for purposes of that section.  In its brief, Pineda asks the Supreme Court to disregard this well-reasoned precedent on the grounds that zip codes are expressly defined as “information concerning the cardholder, other than information set forth on the credit card, and including, but not limited to, the cardholder’s address and telephone number.” Pineda argues that the trial court and court of appeal erred by inserting an additional criterion into the definition and requiring that the information be “unique” to the cardholder, rather than merely “concerning” the cardholder as set forth in the statute. In addition, Pineda argues that Williams-Sonoma preys on its credit card customers who are accustomed to providing their zip codes for legitimate verification purposes at gas stations and mistakenly assume that Williams-Sonoma is requesting their zip codes to process their credit cards. Meanwhile, according to Pineda, Williams-Sonoma’s sole intent is to use its customers’ zip codes to “covertly” obtain their home addresses to build its customer database.

Williams-Sonoma, on the other hand, argues first that the question of whether a zip code is “personal identification information” was not certified for review by the California Supreme Court; thus, the court of appeal’s decision in Party City stands.  In addition, Williams-Sonoma argues that the Song-Beverly Credit Card Act does not prohibit the use of information that is collected by a retailer at the point of sale. Instead, Song-Beverly is silent as to any conduct other than the request and recording of “personal identification information” during a credit card transaction. Because a zip code has already been held not to fit within the definition of “personal identification information,” the inquiry ends there – it cannot be transformed into “personal identification information” based on how the zip code is used. Further, according to Williams-Sonoma, there is nothing improper about using zip codes to have third party vendors narrow down publicly available information about customers, such as their address.

How the California Supreme Court resolves this issue may have a substantial impact on retailers that collect customer zip codes. If the Supreme Court accepts Pineda’s interpretation of Song-Beverly that zip codes are “personal identification information,” retailers could be left wondering what other conduct is prohibited, since neither “zip codes” nor “reverse data searches” are expressly mentioned in the language of the statute. In addition, after having relied on Party City, retailers could be left wondering whether they are now liable for this conduct under Song-Beverly for up to $1,000 per transaction.

This appeal has not yet been set for oral argument.  We will keep you updated as to any developments.

Major provisions of a new law related to credit and gift cards take effect today. The Credit CARD Act, which was signed by President Obama in May 2009, marked the culmination of several legislative efforts to reform certain practices of card issuers. The law provisions related to credit cards, discussed in this Kelley Drye client advisory, are comprehensive and include new restrictions and requirements related to, among other things, rates, fees, billing and payment practices, disclosures and marketing, as well as additional rules specific to young consumers and college students.

The Act directed the Federal Reserve to develop implementation guidance and requirements, which were finalized on January 12, 2010. While most credit card issuers have been working for several months to comply with the Act, the Fed rules provide further detailed guidance. For example, the rules outline factors issuers should consider when determining a consumer’s ability to repay.

Notably, the Fed rules impact Regulation Z and, therefore, do not relate to debit card overdraft fees. Those fees fall under Regulation E, which is subject to a separate ongoing rulemaking process.

Nor do the portions of the CARD Act that take effect today relate to gift cards. Another Fed rulemaking to provide guidance related to gift cards is underway. Those Fed rules should be finalized soon, and together with the gift card provisions of the Act will take effect in August 2010. We will keep you posted on further developments.

The current economic climate has had many consequences, including an apparent increase in economic crimes such as credit card fraud. In recent months, numerous credit card scams involving restaurant chains have been reported. For example, the Washington Examiner reported on March 29 that wait staff at several high-end restaurants in Washington, DC, including M&S Grill, 701 Restaurant, Clyde’s of Gallery Place and Bowie’s Carrabba’s Italian Restaurant, stole credit card numbers from customers and ran up a $750,000 tab at various luxury retail stores. In addition, the article references a similar scam recently uncovered in New Orleans, in which a waitress at Bubba Gump Seafood Company used a skimming device to capture customers’ credit card information. “Skimming” devices, which can easily be purchased over the Internet, are small enough for wait staff to carry in their pockets or aprons, and within a second can capture the electronic information stored in a credit card’s magnetic strip.

While such scams obviously cost consumers, merchants are also victims due to loss of consumer trust, the time and expense of cooperating with authorities and, if applicable, notifying potentially affected customers, and potential lawsuits under negligence and/or negligent hiring theories. Although merchants can never be completely assured that rogue employees will not engage in theft, they should consider the following steps to mitigate their risk:

(1) Handle credit cards in view of the customer. If the customer never loses sight of the credit card, theft is more difficult if not impossible. Retailers, restaurants and other businesses may wish to consider switching to portable credit card processing devices that allow customers to pay at the table.

(2) Carefully screen job applicants. Simple background checks can identify applicants with prior criminal histories.

(3) Educate and monitor employees. Ensure that employees are aware of the risks and consequences of credit card fraud (e.g., mere possession of a skimming device is a felony in many states), and adopt policies for employees handling customer credit cards. Monitor employees and encourage them to report any suspicious activity on behalf of their coworkers.

In order to avoid the substantial risks of class action litigation, many financial service providers – both traditional and non-traditional – require that customer agreements contain an arbitration clause and a waiver of the customer’s right to bring a class action. However, recent court decisions and pending legislation suggest that certain types of these arbitration clauses may no longer be viable.

The overwhelming body of case law upholds the enforceability of such arbitration and class waiver provisions. See Adler v. Dell, Inc., No. 08-CV-13170, 2008 WL 5351042 (E.D. Mich. Dec. 18, 2008) (enforcing consumer arbitration provision with class waiver); Jenkins v. First Am. Cash Advance of Ga., LLC, 400 F.3d 868 (11th Cir. 2005) (class waiver in borrowers’ payday loan agreements did not render arbitration agreements unconscionable or unenforceable); and Snowden v. CheckPoint Check Cashing, 290 F.3d 631 (4th Cir. 2002) (rejecting argument that arbitration agreement was unenforceable as unconscionable due to class waiver).

However, recently some courts have taken issue with these provisions and deemed them unconscionable. A recent example of such a case is Homa v. American Express Co., No. 06-02985, 2009 WL 440912 (3rd Cir. Feb. 24, 2009).

In Homa, plaintiff brought a putative class action suit against American Express and its Centurion unit, alleging that they misrepresented the actual terms of the Blue Cash card rewards program and that defendants failed to award him the promised amount of cash back in violation of the New Jersey Consumer Fraud Act. However, the credit card member agreement that accompanied the Blue Cash card contained an arbitration and class waiver provision. Further, the agreement contained a choice-of-law provision indicating that any disputes arising out of the agreement would be governed by Utah law. Defendants argued that the plaintiff should be required to arbitrate his claims on an individual basis, because Utah law expressly allows arbitration and class waiver provisions in consumer credit agreements. On the other hand, the plaintiff argued that New Jersey law applied: because the application of Utah law would violate New Jersey’s public policy against certain class-arbitration waivers, New Jersey choice-of-law principles dictated that the agreement’s choice of Utah law was invalid. The district court sided with the defendants and dismissed plaintiff’s complaint.

The Third Circuit Court of Appeals reversed the trial court’s decision. In the opinion, the Third Circuit held that the Federal Arbitration Act (“FAA”), 9 U.S.C. §§ 1-16, did not preclude the district court from applying New Jersey unconscionability principles to void the arbitration and class waiver clause, and therefore, plaintiff was entitled to pursue a class action against defendants in federal court in New Jersey. In so doing, the Court relied on the holding in a New Jersey state court decision styled Muhammad v. County Bank of Rehoboth Beach, Delaware, 912 A.2d 88 (N.J. 2006), that “‘[t]he public interest at stake in . . . consumers[’] [ability to effectively] pursue their statutory rights under [New Jersey’s] consumer protection laws’ constituted the ‘most important’ reason for holding a similar class-arbitration waiver unconscionable.” Further, the Third Circuit held that this interest “overrides” a defendant’s right to seek enforcement of a class-arbitration waiver in an agreement, particularly where the claims at issue are of such a low value as effectively to preclude relief if pursued individually. The case is now back in the district court.

Furthermore, this issue may be resolved by pending federal legislation that seeks to ban certain types of arbitration provisions. The Arbitration Fairness Act of 2009 would ban provisions requiring arbitration of (1) an employment, consumer, or franchise dispute, or (2) a dispute arising under any statute intended to protect civil rights. See H.R. 1020. The bill, which was referred to the House Judiciary Committee on Feb. 12, 2009, currently has 43 co-sponsors, including that Committee’s Chairman, Conyers (D-MI). A recent Legal Times report noted the plaintiffs’ bar’s efforts to push the arbitration legislation on Capitol Hill. If enacted, the Act could start a wave of litigation in the consumer financial services sector.

The bottom line is that businesses should re-examine their customer agreement’s arbitration and class waiver provisions, paying particular attention to any choice of law provisions, and monitor these legal developments on a state-by-state basis. Homa tells us that the same arbitration and class waiver provision, while being upheld in one state, could be rejected in another.

Stay tuned for future posts analyzing cases decided in the wake of Homa and reporting on further developments with the Arbitration Fairness Act of 2009.

If you or your company have a loyalty program or collect customer information in any form, and reverse data mine for additional customer information, you face the risk of being sued in California for a violation of the California Constitutional right to privacy. Recently, in Watkins v. Autozone Parts, Inc., No. 08-cv-01509-H, 2008 WL 5132092 (S.D. Cal. Dec. 5, 2008), the United States District Court for the Southern District of California held that all a plaintiff needs to allege to state a claim for a breach of the constitutional right to privacy is that the defendant requested plaintiff’s personal information and then “covertly” reverse data mined for additional information about that plaintiff. As you may know, this decision cuts against the recent trend in California Courts of Appeal decisions aimed at narrowing the types of actions involving the collection of customer data that can be brought against retailer defendants (see e.g. Absher v. AutoZone, Inc., 164 Cal. App. 4th 332 (2008); TJX Cos., Inc. v. Sup. Ct., 163 Cal. App. 4th 80 (2008)), and creates great uncertainty for companies with respect to their ability to collect customer information.

In Watkins, plaintiff brought a putative class action alleging that Autozone violated the California Song-Beverly Credit Card Act, California Civil Code §1747.08 (the “Act” or “Section 1747.08”) by unlawfully requesting and recording personal customer information, and then “covertly” engaging in a “reverse search” to determine additional customer personal information, in violation of the California Constitution’s privacy provision.

First, the court held that plaintiff pleaded facts sufficient to support a claim for a violation of Section 1747.08. See 2008 WL 5132092, at *6. Second, and more significantly, in holding that plaintiff sufficiently pleaded a claim for invasion of privacy, the court reasoned that:

  • plaintiff adequately alleged a legally protected privacy interest in his home address;
  • the allegations that Autozone obtained and subsequently used his home address information from using his telephone number and credit card information after plaintiff’s purchase at Autozone satisfied the pleading requirements of a reasonable expectation of privacy in these circumstances; and
  • plaintiff sufficiently alleged that the invasion into his privacy was “serious,” given his allegation that Autozone used his private information for profit without his consent and without informing him of the use of his information. See id.

Further, the court stated that the purpose of statutory provisions (including Section 1747.08) prohibiting the requesting of personal information from credit card customers “speaks to the potential seriousness of invasions that may occur.” Id. at *7 (citation omitted).

This holding creates great uncertainty for companies in determining in what circumstances collecting customer information and then reverse data mining is permissible. For instance:

  • Can a company utilize information that was obtained from a credit card customer for shipping purposes to reverse data mine for additional information about that customer?
  • Does a retail company violate a customer’s right to privacy by using a credit card customer’s zip code to obtain additional information about that customer given the recent California Court of Appeal holding that a zip code is not “personal identification information” under Section 1747.08? See Party City Corp. v. Sup. Ct. of San Diego County, No. D053530 (Cal. Ct. App. Dec. 19, 2008).


In yet another reminder to credit card providers that they need to continue monitoring government attempts to legislate and regulate credit card products, services and policies, two pieces of credit card legislation have been introduced that could significantly impact your business. The legislation follows recent action by the Federal Reserve Board, which on December 18, 2008, approved final regulations regarding credit card and other consumer banking practices that will take full effect by July 1, 2010. Those final rules virtually mirror the Fed’s May 2008 draft rules (summarized in this Kelley Drye Advisory).

First, on January 22, 2009, Rep. Maloney (D-NY) re-introduced the Credit Card Holders’ Bill of Rights (H.R. 627), a prior version of which passed the House in 2008 but did not make it through the Senate. Then, on February 11, 2009, Chairman of the Senate Banking Committee Chris Dodd (D-CT) re-introduced The Credit Card Accountability, Responsibility and Disclosure Act (S. 414). That legislation likewise had a prior life, though it did not make it out of the Senate Banking Committee during the 110th Congress.

The apparent purpose of the legislation is to attempt to fill perceived gaps in and to expedite implementation of the changes offered by the Fed rules. As a representative from the American Bankers Association testified during a recent Senate hearing regarding Senator Dodd’s bill, the legislation goes beyond the Fed rules in certain respects. For example, among other things, that bill would prohibit card companies from charging customers for paying their bill by phone, it would attempt to control charges for late payments or other violations of the cardholder agreement, and it would prohibit the issuance of cards to consumers under 21 years of age. These and other measures would significantly restrict institutions’ abilities to manage their business and offer choices to consumers. Further, in attempting to bring about reform more quickly, both pieces of legislation would shorten the implementation period needed by financial institutions to alter their business practices and comply with the new rules.

With so much government and public attention on financial services and given the consumer protection focus of the Obama Administration and Democrats on the Hill, credit card legislation may pick up substantial support and momentum in the current Congress. Whether lawmakers can agree on how to move forward, and whether they can do so before the Federal Reserve rules take effect, remains to be seen. In any event, credit card providers should stay tuned!

Which among the following businesses are potentially subject to consumer financial services laws, rules, and regulations?

A. a retail clothing chain
B. a bank or mortgage company
C. an internet retailer
D. a fast food franchisor
E. all of the above

If you answered E, “All of the above,” you are CORRECT. However, many companies do not realize their businesses are subject to consumer financial services laws. Consequently, their businesses may not be compliant and may be subject to litigation risk.

The focus of the Consumer Finance Law Blog is to keep – all on one site – traditional and non-traditional financial service providers subject to consumer financial services laws abreast of recent developments in:

  • State consumer protection statutes and regulations
  • State privacy statutes
  • Privacy and consumer protection litigation
  • Card Association Rules
  • Equal Credit Opportunity Act
  • Electronic Funds Transfer Act
  • Fair Credit Reporting Act
  • Fair Credit Transactions Act
  • Fair Debt Collection Practices Act
  • Payment Card Industry Data Security Standard
  • State Money Transmitter Statutes
  • State Retail Installment Sales Act
  • State and Federal Unfair and Deceptive Trade Practices Acts
  • TILA, RESPA, and related federal and state consumer disclosure and notice requirements
  • Insurance coverage issues
  • Legislation that may impact company compliance or create new litigation risk.

We welcome you and hope that you find our posts interesting, educational, and thought provoking. We also welcome your feedback and invite you to suggest topics or recent decisions of interest that you would like us to address.