Federal Agencies Issue FAQs on FACTA Red Flag Compliance

Last week, the Federal Trade Commission, jointly with other federal agencies that regulate financial institutions, released "frequently asked questions" designed to provide additional assistance to companies required to comply with new identity theft rules pursuant to the Fair and Accurate Credit Transactions Act ("FACTA").

Those rules were issued in November 2007. Under the regulations, financial institutions are required to develop and implement written programs to detect and respond to possible identity theft as indicated by certain "red flags." These newly required programs were to be in place on or before November 1, 2008.

The FAQs are the latest step in a number of efforts by the FTC and others to assist companies in complying with the new FACTA rules. For instance, in July 2008, the FTC launched an outreach program to explain the rules in greater detail, to clarify the types of institutions to which the rules apply, and to offer guidance as to how these institutions can comply. That outreach effort included an alert providing information relating to definitions and terms used in the rules, including the definitions of “financial institution,” “creditor,” “transaction account,” and “covered account.” In addition, the alert addressed five categories of “red flag” activities.

Financial institutions should continue to monitor for guidance from the federal agencies, and/or consult with counsel, regarding their compliance with the new FACTA rules.

Wave of Class Actions for Data Security Breaches

If your company collects customers’ personal data in the course of its business, be aware of the wave of class actions that have recently been filed arising out of data security breaches. Finkelstein Thompson, a DC-based law firm, over the past year has filed a series of class actions against businesses that have fallen victim to such data breaches.

One such suit, filed in the Northern District of Georgia, asserts claims against RBS WorldPay, Inc. for negligence, breach of implied contracts, and violation of state unfair trade law, after hackers allegedly gained access to the personal information of approximately 1.5 million RBS cardholders. In an incident apparently related to this security breach, Fox News reported -- citing FBI sources -- that thieves, using cloned ATM cards with the stolen data, withdrew $9 million from ATMs in a coordinated attack in 49 cities, including Atlanta, Chicago, New York, Montreal, Moscow, and Hong Kong. This incident has garnered considerable media attention and will likely result in similar suits being filed against RBS across the country as a result of the security breach.

While this sort of case is extremely difficult to sustain given the absence of actual harm, the litigation and reputational costs associated with such cases are significant for the businesses they target, particularly given the resulting media attention. Therefore, be forewarned, and regularly evaluate your data collection, data use, and data maintenance procedures and infrastructure with both your IT personnel and legal counsel.

For further discussion of this case, see our recently published piece in the ABA “Secure Times” newsletter. And for a broader discussion of how other cases have addressed these types of claims, please see our article published in Andrews Litigation Reporter.

Plaintiffs File Suits Alleging Gift Cards With Expiration Dates In Less Than 10-Point Font Violate California Law

A number of class action lawsuits recently have been filed in California state court in San Diego County against a wide range of merchants as well as gift card issuers alleging, among other things, that the defendants have violated the California Civil Code by issuing gift cards that bear either an obscured expiration date, or an expiration date that is not as prominently displayed as is required under California state law. Section 1749.5 of the California Civil Code makes it unlawful to sell gift certificates or gift cards that contain an expiration date unless the expiration date appears in capital letters in at least 10-point font on the front of the gift card. So far retailers such as Saks, Staples, Borders, Visa, and American Express, among others, have been sued in separate class actions alleging violations of Section 1749.5, as well as the Business and Professions Code and the California Consumer Legal Remedies Act.

For example, in Michaelson v. Staples, Inc., Case No. 37-2009-00083487 (Cal. Super. Ct., San Diego Cty.), plaintiff alleges that an expiration date on a Staples gift card, mailed to the plaintiff as part of a promotion, was in less than 10-point font. Plaintiff alleges the card expired before he noticed the expiration date. In Robert Loiseau v. Visa U.S.A. Inc., Case No. 37-2009-00085443 (Cal. Super. Ct., San Diego Cty.), plaintiff alleges that a gift card, purchased for its face value, improperly contained an obscured expiration date, charged a processing fee, and required other allegedly unreasonable terms and conditions.

Gift cards are a tricky business when it comes to complying with the patchwork quilt of state-by-state regulations (as well as FTC oversight) over them. The permissibility of expiration dates, redemption in cash once a minimum balance has been reached, disclosures of terms and conditions, and escheatment of remaining balances are just some of the issues that businesses must confront and address. This new wave of lawsuits serves as a reminder to merchants and gift card issuers of the need to monitor state and federal regulations, as well as to periodically evaluate their gift card programs with counsel.