Recent Decisions Find In Favor of Insurance Coverage for "Blast Faxes"

Numerous class action suits have been brought over the past several years under the Telephone Consumer Protection Act (“TCPA”) against entities that fax unsolicited advertisements (so-called “blast faxes”) to individuals and businesses.  Companies facing such suits in turn have sought insurance coverage under their comprehensive general liability (“CGL”) policies for costs incurred defending TCPA suits, and for indemnification of any liability.

While coverage disputes in blast faxing cases have historically yielded mixed results, a series of recent rulings has tilted the scales in favor of policyholders. For example, the Florida Supreme Court decided on January 28, 2010 in Penzer v. Transportation Ins. Co., No. SC08-2068, 2010 WL 308043, that a standard CGL policy provided coverage for a suit brought under the TCPA for alleged blast fax activities. While other recent decisions have yielded similar results, Penzer is significant because it held that the plain language of the insurance policy compels coverage.

Despite the holding in Penzer, insurers will likely use the lack of unanimity among courts, and the potential for inconsistent results in jurisdictions yet to address the issue, as a basis to deny claims going forward. Policyholders would be well served not to take these denials at face value, and should instead demand the coverage to which they are entitled.

A client advisory prepared by Kelley Drye & Warren LLP’s Insurance Recovery Group summarizes recent coverage decisions regarding blast faxing, including the Penzer decision, and discusses the implications of those cases for policyholders.

Identity Theft Litigation Update: Recent Cases Show Trend Toward Dismissal of Speculative Claims

Several weeks ago, we discussed how most courts were rejecting lawsuits where the plaintiffs claimed “damages” in the form of an increased risk of identity theft, generally stemming from allegations of an accidental loss or theft of personal confidential information. Since we last blogged on this issue, two recent decisions highlight how that trend is continuing, and that courts increasingly require more than speculation about future harm to sustain a lawsuit over the loss of confidential information.

The first notable decision involved a court which was clearly aware of this growing body of case law. In Belle Chasse Automotive Care, Inc. v. Advanced Auto Parts, Inc., United States District Court Judge Kurt Engelhardt of the Eastern District of Louisiana dismissed a claim stemming from a security breach involving confidential information. The plaintiff in Belle Chasse alleged that this breach had caused only an increased risk of identity theft, not an actual identity theft. The court granted defendants’ Rule 12(b)(6) motion, and cited to the growing body of case law from around the nation supporting the position that these allegations amount only to “speculative damages for which [Louisiana] law provides no remedy.” Notably, the Court cited to the Pinero decision we referenced in our prior post and found United States District Court Judge Sarah Vance’s analysis in that case to be “directly on point.”

The second notable decision provides an example of a Court reversing course on this issue, citing this line of cases as authority. The Ruiz v. Gap, Inc. case was already notable in that United States District Court Judge Samuel Conti, in March 2008, had previously ruled that allegations of a potentially increased risk of future identity theft were sufficient to make out a viable negligence claim under California law. At that time, Judge Conti denied the defendant’s motion to dismiss under Rule 12(b)(6) and held that the plaintiff had alleged an injury in fact, even though he noted that it was unclear what damages the plaintiff would be able to recover even if the plaintiff were to prevail on the merits. Compared to the many cases holding to the contrary, the Ruiz case was generally viewed as an outlier, as one of the few rulings to have held that an allegation of the mere increased risk of identity theft was sufficient to defeat a Rule 12(b)(6) motion.

But just this month, Judge Conti granted summary judgment to the defendants on this same issue. In doing so, the court held that an increased risk of identity theft did not constitute “the level of appreciable harm necessary to assert a negligence claim under California law.” The court expressly rejected parallels to medical monitoring claims in the toxic tort context, and expressly noted similar cases from other jurisdictions – namely Louisiana, Ohio, and Minnesota – none of which were referenced in the court’s 2008 opinion denying the defendants’ motion to dismiss. The decision appears to reflect a reconsideration of sorts by the court – the evidence obtained during depositions seemed to be no different from what the plaintiff alleged in his Complaint, so if those allegations were adequate to defeat a motion to dismiss, testimony to the same effect should have also been adequate to defeat summary judgment. This is merely our own speculation, but it could be that the court became aware, over the course of the past year, of the growing and substantial body of case law which has been rejecting these types of speculative claims.
 

Merchants Beware: Protect Your Customers and Company from Credit Card "Skimming"

The current economic climate has had many consequences, including an apparent increase in economic crimes such as credit card fraud. In recent months, numerous credit card scams involving restaurant chains have been reported. For example, the Washington Examiner reported on March 29 that wait staff at several high-end restaurants in Washington, DC, including M&S Grill, 701 Restaurant, Clyde’s of Gallery Place and Bowie’s Carrabba’s Italian Restaurant, stole credit card numbers from customers and ran up a $750,000 tab at various luxury retail stores. In addition, the article references a similar scam recently uncovered in New Orleans, in which a waitress at Bubba Gump Seafood Company used a skimming device to capture customers’ credit card information. “Skimming” devices, which can easily be purchased over the Internet, are small enough for wait staff to carry in their pockets or aprons, and within a second can capture the electronic information stored in a credit card’s magnetic stripe.

While such scams obviously cost consumers, merchants are also victims due to loss of consumer trust, the time and expense of cooperating with authorities and, if applicable, notifying potentially affected customers, and potential lawsuits under negligence and/or negligent hiring theories. Although merchants can never be completely assured that rogue employees will not engage in theft, they should consider the following steps to mitigate their risk:

(1) Handle credit cards in view of the customer. If the customer never loses sight of the credit card, theft is more difficult if not impossible. Retailers, restaurants and other businesses may wish to consider switching to portable credit card processing devices that allow customers to pay at the table.

(2) Carefully screen job applicants. Simple background checks can identify applicants with prior criminal histories.

(3) Educate and monitor employees. Ensure that employees are aware of the risks and consequences of credit card fraud (e.g., mere possession of a skimming device is a felony in many states), and adopt policies for employees handling customer credit cards. Monitor employees and encourage them to report any suspicious activity on the part of their coworkers.

(Kelley Drye & Warren LLP Associate Joanna Baden-Mayer contributed to this post)

Fears of Future Identity Theft Generally Not Sufficient To Establish "Actual Damages" In A Lawsuit

Over the last few years, incidents involving disclosures of personal information by consumer financial service providers have been big news, ranging from the theft of laptop computers containing social security numbers, to hacker attacks on computer networks containing confidential information, to the more "vanilla" theft of personal documents. Not surprisingly, the plaintiffs' bar has been attempting to turn all of this worry about identity theft into big money - even where no identity theft has occurred. However, courts around the nation have been considering such claims and responding with a virtually uniform voice that, however the claim may be styled, a plaintiff's speculative fear of potential future identity theft does not constitute "actual damages" under the law, and have accordingly rejected such lawsuits.

In the latest court opinion to address this issue, Pinero v. Jackson Hewitt Tax Service, Inc., No. 08-3535, 2009 U.S. Dist. LEXIS 660 (E.D. La. January 7, 2009), Chief Judge Sarah S. Vance dismissed various statutory and tort claims, including negligence, breach of contract, violations of a Louisiana data breach notification statute, and claims under the Tax Reform Act of 1976, against a national franchisor of income tax preparation services and its local independent franchisee. In the Pinero case, the plaintiff contended that the independent franchisee had failed to dispose of certain documents properly, which allegedly contained personal information. However, the plaintiff neither contended that her documents fell into the hands of a wrongdoer, nor that she had suffered any actual identity theft. Her damages claims were largely based on alleged emotional injuries and mental anguish, and theoretical consequential damages about steps she might need to take to deal with potential identity theft.

The Court rejected this theory of damages, and dismissed 6 of 7 claims, including negligence, breach of contract, and violations of the Louisiana data breach notification statute, holding that this type of speculative “injury” does not meet the required damages element. Also, in a holding of first impression, Judge Vance dismissed the federal claim for statutory penalties under the Tax Reform Act of 1976, ruling that commercial tax preparers are simply not subject to the provisions of the law governing disclosure of tax return information by the I.R.S. or its agents. The Court further ruled that the Louisiana data breach notification statute did not apply to paper documents – notably, Louisiana is not alone in this regard. Judge Vance also dismissed claims for fraudulent inducement and under the Louisiana unfair trade practice law for a failure to adequately allege an intent to defraud. The Court only let the invasion of privacy claim survive, albeit noting skepticism about whether such a claim could succeed on the merits.

For further discussion of this case, see our recently published piece in the ABA "Secure Times" newsletter. And for a broader discussion of how other cases have addressed these types of claims, please see our article published in Andrews Litigation Reporter.

(Donna L. Wilson, Andrew S. Wein, and Veronica D. Gray represent Jackson Hewitt Tax Service in this case.)
 

Use Of Customer Information For Data Mining May Be A Violation Of California Constitutional Right To Privacy

If you or your company have a loyalty program or collect customer information in any form, and reverse data mine for additional customer information, you face the risk of being sued in California for a violation of the California Constitutional right to privacy. Recently, in Watkins v. Autozone Parts, Inc., No. 08-cv-01509-H, 2008 WL 5132092 (S.D. Cal. Dec. 5, 2008), the United States District Court for the Southern District of California held that all a plaintiff needs to allege to state a claim for a breach of the constitutional right to privacy is that the defendant requested plaintiff’s personal information and then “covertly” reverse data mined for additional information about that plaintiff. As you may know, this decision cuts against the recent trend in California Courts of Appeal decisions aimed at narrowing the types of actions involving the collection of customer data that can be brought against retailer defendants (see e.g. Absher v. AutoZone, Inc., 164 Cal. App. 4th 332 (2008); TJX Cos., Inc. v. Sup. Ct., 163 Cal. App. 4th 80 (2008)), and creates great uncertainty for companies with respect to their ability to collect customer information.

In Watkins, plaintiff brought a putative class action alleging that Autozone violated the California Song-Beverly Credit Card Act, California Civil Code §1747.08 (the “Act” or “Section 1747.08”) by unlawfully requesting and recording personal customer information, and then “covertly” engaging in a “reverse search” to determine additional customer personal information, in violation of the California Constitution’s privacy provision.

First, the court held that plaintiff pleaded facts sufficient to support a claim for a violation of Section 1747.08. See 2008 WL 5132092, at *6. Second, and more significantly, in holding that plaintiff sufficiently pleaded a claim for invasion of privacy, the court reasoned that:

  • plaintiff adequately alleged a legally protected privacy interest in his home address;
  • the allegations that Autozone obtained and subsequently used his home address information by using his telephone number and credit card information after plaintiff’s purchase at Autozone satisfied the pleading requirements of a reasonable expectation of privacy in these circumstances; and
  • plaintiff sufficiently alleged that the invasion into his privacy was "serious," given his allegation that Autozone used his private information for profit without his consent and without informing him of the use of his information. See id.

Further, the court stated that the purpose of statutory provisions (including Section 1747.08) prohibiting the requesting of personal information from credit card customers “speaks to the potential seriousness of invasions that may occur.” Id. at *7 (citation omitted).

This holding creates great uncertainty for companies in determining in what circumstances collecting customer information and then reverse data mining is permissible. For instance:

  • Can a company utilize information that was obtained from a credit card customer for shipping purposes to reverse data mine for additional information about that customer?
  • Does a retail company violate a customer’s right to privacy by using a credit card customer’s zip code to obtain additional information about that customer given the recent California Court of Appeal holding that a zip code is not “personal identification information” under Section 1747.08? See Party City Corp. v. Sup. Ct. of San Diego County, No. D053530 (Cal. Ct. App. Dec. 19, 2008).

 
