PCI DSS

Earlier this week, the FTC issued orders to nine credit card and payment security auditors in an effort to gain insight into data security compliance auditing and its role in protecting consumers’ information and privacy.

The orders contain detailed questions concerning the assessment process for Payment Card Industry Data Security Standard (“PCI DSS”) compliance, including 

Last week the BNA Privacy & Security Law Report published an article discussing in detail California’s Song-Beverly Credit Card Act (the “Act”). The aim of the article is to provide those persons and businesses that regularly engage in credit card transactions in California, most notably retail merchants, with a meaningful primer on some critical current

After working through the night, the Congressional conference committee tasked with negotiating a final financial reform bill voted 27-16 to approve the bill and send it back to each chamber for a final vote on the conference report.

Recaps of the long day and night of negotiations and the final bill are available from Politico

In a previous post, we noted that the California Supreme Court in Pineda v. Williams-Sonoma Stores, Inc., granted a petition to review the issue of whether a retailer violates California’s Song-Beverly Credit Card Act if, in connection with a credit card transaction, it records a customer’s zip code for the purpose of later using

Major provisions of a new law related to credit and gift cards take effect today. The Credit CARD Act, which was signed by President Obama in May 2009, marked the culmination of several legislative efforts to reform certain practices of card issuers. The law provisions related to credit cards, discussed in this Kelley Drye

The current economic climate has had many consequences, including an apparent increase in economic crimes such as credit card fraud. In recent months, numerous credit card scams involving restaurant chains have been reported. For example, the Washington Examiner reported on March 29 that wait staff at several high-end restaurants in Washington, DC, including M&S Grill,

In order to avoid the substantial risks of class action litigation, many financial service providers – both traditional and non-traditional – require that customer agreements contain an arbitration clause and a waiver of the customer’s right to bring a class action. However, recent court decisions and pending legislation suggest that certain types of these

If you or your company have a loyalty program or collect customer information in any form, and reverse data mine for additional customer information, you face the risk of being sued in California for a violation of the California Constitutional right to privacy. Recently, in Watkins v. Autozone Parts, Inc., No. 08-cv-01509-H, 2008 WL 5132092 (S.D. Cal. Dec. 5, 2008), the United States District Court for the Southern District of California held that all a plaintiff needs to allege to state a claim for a breach of the constitutional right to privacy is that the defendant requested plaintiff’s personal information and then “covertly” reverse data mined for additional information about that plaintiff. As you may know, this decision cuts against the recent trend in California Courts of Appeal decisions aimed at narrowing the types of actions involving the collection of customer data that can be brought against retailer defendants (see e.g. Absher v. AutoZone, Inc., 164 Cal. App. 4th 332 (2008); TJX Cos., Inc. v. Sup. Ct., 163 Cal. App. 4th 80 (2008)), and creates great uncertainty for companies with respect to their ability to collect customer information.

In Watkins, plaintiff brought a putative class action alleging that Autozone violated the California Song-Beverly Credit Card Act, California Civil Code §1747.08 (the “Act” or “Section 1747.08”) by unlawfully requesting and recording personal customer information, and then “covertly” engaging in a “reverse search” to determine additional customer personal information, in violation of the California Constitution’s privacy provision.

First, the court held that plaintiff pleaded facts sufficient to support a claim for a violation of Section 1747.08. See 2008 WL 5132092, at *6. Second, and more significantly, in holding that plaintiff sufficiently pleaded a claim for invasion of privacy, the court reasoned that:

  • plaintiff adequately alleged a legally protected privacy interest in his home address;
  • the allegations that Autozone obtained and subsequently used his home address information from using his telephone number and credit card information after plaintiff’s purchase at Autozone satisfied the pleading requirements of a reasonable expectation of privacy in these circumstances; and
  • plaintiff sufficiently alleged that the invasion into his privacy was "serious," given his allegation that Autozone used his private information for profit without his consent and without informing him of the use of his information. See id.
  • Further, the court stated that the purpose of statutory provisions (including Section 1747.08) prohibiting the requesting of personal information from credit card customers “speaks to the potential seriousness of invasions that may occur.” Id. at *7 (citation omitted).

This holding creates great uncertainty for companies in determining in what circumstances collecting customer information and then reverse data mining is permissible. For instance:

  • Can a company utilize information that was obtained from a credit card customer for shipping purposes to reverse data mine for additional information about that customer?
  • Does a retail company violate a customer’s right to privacy by using a credit card customer’s zip code to obtain additional information about that customer given the recent California Court of Appeal holding that a zip code is not “personal identification information” under Section 1747.08? See Party City Corp. v. Sup. Ct. of San Diego County, No. D053530 (Cal. Ct. App. Dec. 19, 2008).



In yet another reminder to credit card providers that they need to continue monitoring government attempts to legislate and regulate credit card products, services and policies, two pieces of credit card legislation have been introduced that could significantly impact your business. The legislation follows recent action by the Federal Reserve Board, which on December 18,

Which among the following businesses are potentially subject to consumer financial services laws, rules, and regulations?

A. a retail clothing chain
B. a bank or mortgage company
C. an internet retailer
D. a fast food franchisor
E. all of the above

If you answered E, “All of the above,” you are CORRECT. However, many companies do not