FTC Commissioner Discusses CFPB at Privacy Conference

FTC Commissioner Julie Brill spoke about the new Consumer Financial Protection Bureau (“CFPB”) during a keynote address she delivered at the International Association of Privacy Professionals Second Annual Conference on December 7th. While describing how Congress enacted the Fair Credit Reporting Act (“FCRA”) to protect consumers’ personal information, Brill stated that the FTC and CFPB “need to make sure our current rules continue, in this technologically advanced age, to protect consumers’ rights under the FCRA.” Given that the FTC already has several staff members involved in setting up the CFPB, it is no surprise that the FTC plans to work in tandem with the CFPB to enforce existing consumer protection laws and to understand new uses of data in connection with such efforts.

During the address, Brill also outlined the major components of the FTC’s preliminary staff report on privacy, “Protecting Consumer Privacy in an Era of Rapid Change,” which includes a proposal for a Do Not Track mechanism that would permit consumers to control their tracking preferences at every website they visit. For a more detailed discussion of the FTC’s Report, including the concepts behind Do Not Track, please click here to read the Kelley Drye client advisory.

California's Song-Beverly Credit Card Act: The Past, Present, and Future

Last week the BNA Privacy & Security Law Report published an article discussing in detail California’s Song-Beverly Credit Card Act (the “Act”). The aim of the article is to provide those persons and businesses that regularly engage in credit card transactions in California, most notably retail merchants, with a meaningful primer on some critical current and developing aspects of the Act.  The article provides an overview of the Act’s provisions, and discusses the important legal issues surrounding the Act, including several that California courts have resolved, several that are currently pending before those courts, and one that may be resolved in the near future.

On a related note, the California Court of Appeals, Fourth Appellate Division, recently issued a decision in Carson v. Michaels Stores, Inc., which addressed several issues under the Act. See id. at No. 37-2008-00089773-CU-BT-CTL, 2010 WL 2862077 (Cal. App. Ct. July 22, 2010). Carson filed a complaint against Michaels Stores, Inc., alleging that it violated the Act and her constitutional right to privacy by requesting and recording her zip code, and then using her zip code to obtain her address from a public database. First, the court, following Pineda v. Williams-Sonoma Stores, Inc., 100 Cal.Rptr.3d 458 (Cal. App. Ct. 2009), affirmed the trial court’s holding that zip codes are not personal identification information under the Act. Because zip codes are not personal identification information under the Act, Michaels’ use of this information to obtain plaintiff’s address was also held not to be prohibited under the Act. Id. at 7. (See our prior posts discussing Pineda and issues under the Act.)

In addition, the court held that plaintiff had no reasonable expectation of privacy in her address – as it was obtained from public databases available on the Internet – and therefore plaintiff did not have a valid invasion of privacy claim under the California constitution. Id. at 9-10.

Notably, the court declined to decide a significant open issue under the Act – whether the Act prohibits a retailer from requesting personal information as a condition of accepting the customer’s credit card payment.  Id. at n.4. This open issue is discussed in detail in the above-referenced article.

Kelley Drye attorney Veronica Jackson contributed to this post.

S.D.N.Y: Plaintiffs Asserting Claims Based on Risk of Identity Theft Lack Standing

The Southern District of New York recently, in Hammond v. The Bank of New York Mellon Corp., No. 08-6060, 2010 WL 2643307 (S.D.N.Y. June 25, 2010), joined other courts from around the country in holding that plaintiffs who bring claims based on the risk of identity theft lack Article III standing. In each case, including the 26 cases cited in Hammond, the plaintiffs’ claims were dismissed, either on a motion to dismiss or summary judgment.

In Hammond, the plaintiffs, after being notified that their personal information, contained on unencrypted backup tapes, had been “lost” while being transported by a third party, brought a putative class action asserting claims for breach of implied contract, breach of fiduciary duty, negligence, and violation of state consumer protection laws. Three of the seven named plaintiffs alleged that they actually had suffered “unauthorized credit transactions” after the tapes were lost, although they ultimately conceded that the charges were either reimbursed or unrelated to the tape loss. Bank of New York’s original motion to dismiss was denied. It then moved for summary judgment based on a lack of Article III standing and argued that the alleged emotional distress or increased risk of harm did not constitute legally cognizable harm.

Discovery in the case, particularly plaintiffs’ deposition testimony, demonstrated that the plaintiffs did not suffer any damages.  The court, recognizing the apparent inconsistencies in its decisions on defendant’s motion to dismiss and plaintiffs’ motion for summary judgment, held that a finding that Article III standing exists at the motion to dismiss stage does not necessarily mean that it will be present at summary judgment.

Hammond is the latest in a long line of cases holding that the risk of identity theft is not a cognizable injury.  Thus, dismissal in these cases is not an issue of “if,” but of “when.” 


Identity Theft Litigation Update: Ninth Circuit Upholds Dismissal Of Speculative Claims

Updating a prior post, the Ninth Circuit, in Ruiz v. Gap, Inc., recently upheld a dismissal on summary judgment on the grounds that the mere risk of identity theft is too speculative an injury to substantiate a cause of action based on negligence. See Ruiz v. Gap, Inc., No. 09-15971, 2010 WL 2170993 (9th Cir. May 28, 2010).

As background, Plaintiff, Mr. Joel Ruiz, submitted an online job application to work in a Gap store. As part of the application, Ruiz provided his social security number. Gap later disclosed that laptops were stolen from Vangent, the vendor with whom Gap had contracted for recruiting purposes. The laptops contained Ruiz’s unencrypted personal information, along with the information of nearly 800,000 other Gap job applicants.

Ruiz filed a putative class action alleging, among other things, negligence and violation of California Civil Code § 1798.85. Ruiz later amended his complaint to bring a breach of contract claim against Vangent. As discussed in a prior post, the court previously denied a motion to dismiss on the negligence claim. However, defendants were granted summary judgment on the negligence claim after discovery had done little to cure its speculative nature. See Ruiz v. Gap, Inc., 622 F. Supp. 2d 908 (N.D. Cal. 2009). The court held that an increased risk of identity theft did not constitute “the level of appreciable harm necessary to assert a negligence claim under California law.” Id. at 913.

In the opinion, the Ninth Circuit held that while the increased risk of identity theft created sufficient concern to grant plaintiff Article III standing, the alleged injury was still too speculative to sustain a negligence claim under California law. See Ruiz v. Gap, Inc., No. 09-15971, 2010 WL 2170993, at *1 (9th Cir. May 28, 2010). “It is fundamental that a negligent act is not accountable unless it results in injury to another.” Id. Notably, the court refrained from answering whether money spent on credit monitoring, as the result of personal information theft, supported a negligence claim. Id. However, the court included a footnote citing authority in favor of awarding medical monitoring costs, thus suggesting that it might be inclined to draw a parallel between these issues in the future. Id. at n.1.


Legal Developments Affecting Payment Card Data Pass Practices

On-line marketers that share their customers’ credit or payment card information with other business partners without the consumer’s knowledge or active consent – a practice referred to as a “data pass” – may wish to read a recently published BNA Privacy & Security Law Report titled “Scrutiny on Payment Card Data Pass: Raising the Profile of Personal Information Sharing Among Marketers.” Kelley Drye attorneys Alysa Z. Hutnik and Joseph D. Wilson co-authored this article, which:

  • explores a rule recently announced by VISA and legislation recently proposed by Senate Commerce Committee Chairman, Jay Rockefeller (D-W.Va.) entitled “The Restore Online Shoppers’ Confidence Act” (S. 3386), both of which restrict companies’ ability to share customer payment card information. (Visit Kelley Drye's Advertising Law Blog for related articles on these topics);
  • reviews two recently filed class actions, Ferrington, et al. v. McAfee Inc., 5:10-cv-1455 (N.D. Cal.), and Van Tassell, et al. v. United Marketing Group Inc., et al., 1:10-cv-2675 (N.D. Ill.), alleging that the data pass practices of certain on-line marketers violated numerous state consumer protection laws;
  • advises on steps companies should consider taking to mitigate the risk that their data pass practices will come under FTC scrutiny; and
  • discusses considerations companies should make if they find themselves the subject of a class action relating to their data pass practices.

Appellant Attempts to Re-litigate Issue of Whether Retailers that Collect Customer Zip Codes During Credit Card Transactions Violate California's Song Beverly Credit Card Act

In a previous post, we noted that the California Supreme Court in Pineda v. Williams-Sonoma Stores, Inc., granted a petition to review the issue of whether a retailer violates California’s Song-Beverly Credit Card Act if, in connection with a credit card transaction, it records a customer’s zip code for the purpose of later using it and the customer’s name to obtain the customer’s address through a reverse search database. The appeal is now fully briefed. The following are some of the more significant arguments proffered by each side, and the potential impact of the ruling on retailers.

The trial court sustained Williams-Sonoma’s demurrer to Pineda’s Section 1747.08 claim on the grounds that under Party City Corp. v. Superior Court, 169 Cal. App. 4th 497 (2008) (discussed previously on this blog), zip codes can never constitute “personal identification information” for purposes of that section. In her brief, Pineda asks the Supreme Court to disregard this well-reasoned precedent on the grounds that zip codes are expressly defined as “information concerning the cardholder, other than information set forth on the credit card, and including, but not limited to, the cardholder’s address and telephone number.” Pineda argues that the trial court and court of appeal erred by inserting an additional criterion into the definition and requiring that the information be “unique” to the cardholder, rather than merely “concerning” the cardholder as set forth in the statute. In addition, Pineda argues that Williams-Sonoma preys on its credit card customers who are accustomed to providing their zip codes for legitimate verification purposes at gas stations and mistakenly assume that Williams-Sonoma is requesting their zip codes to process their credit cards. Meanwhile, according to Pineda, its sole intent is to use its customers’ zip codes to “covertly” obtain their home addresses to build its customer database.

Williams-Sonoma, on the other hand, argues first that the question of whether a zip code is “personal identification information” was not certified for review by the California Supreme Court, and thus the court of appeal’s decision in Party City stands. In addition, Williams-Sonoma argues that the Song Beverly Credit Card Act does not prohibit the use of information that is collected by a retailer at the point of sale. Instead, Song Beverly is silent as to any conduct other than the request and recording of “personal identification information” during a credit card transaction. Because a zip code has already been held to not fit within the definition of “personal identification information,” the inquiry ends there – it cannot be transformed into “personal identification information” based on how the zip code is used. Further, according to Williams-Sonoma, there is nothing improper about using zip codes to have third party vendors narrow down publicly available information about customers, such as their address.

How the California Supreme Court resolves this issue may have a substantial impact on retailers that collect customer zip codes. If the Supreme Court accepts Pineda’s interpretation of Song Beverly that zip codes are “personal identification information,” retailers could be left wondering what other conduct is prohibited, since neither “zip codes” nor “reverse data searches” are expressly mentioned in the language of the statute. In addition, after having relied on Party City, retailers could be left wondering whether they are now liable for this conduct under Song Beverly for up to $1,000 per transaction.

This appeal has not yet been set for oral argument.  We will keep you updated as to any developments.

Another Missive from the Data Breach Front: Remote Risk of Identity Theft Does Not Confer Standing in Allison v. Aetna

Allison v. Aetna, Inc., a recent opinion out of the Eastern District of Pennsylvania, adds to the burgeoning area of law that holds that when a plaintiff fails to allege an actual injury resulting from a data breach, but instead only alleges an enhanced risk of identity theft, an injury-in-fact does not exist and the suit must be dismissed for lack of standing.

In Allison, Plaintiff alleged that he and others submitted their personal information to Aetna’s job application website. Soon after, Plaintiff alleged that he began receiving “phishing” emails requesting additional personal information, as the result of an alleged security breach of Aetna’s website. Plaintiff, other applicants, and over 65,000 current and former Aetna employees were sent notification letters advising them of the breach, stating that their email addresses had been accessed but that it was unclear whether additional information had been accessed.

Plaintiff then filed his class action suit alleging that Aetna had failed to “adequately protect the personal information of its current, former, and potential employees….” Plaintiff described the various remedial measures that he and potential class members had been forced to undertake, including time spent to monitor various accounts for signs of identity theft and out-of-pocket expenses for identity theft protection services. The complaint did not allege that Plaintiff, or anyone else, had suffered identity theft, but rather that they were subject to “a significant risk of identity theft.” The suit asserted various claims including negligence, breach of implied contract, breach of express contract, negligent misrepresentation, and invasion of privacy. Aetna moved to dismiss all claims pursuant to Federal Rules of Civil Procedure 12(b)(1), arguing that Plaintiff lacked injury-in-fact standing, and 12(b)(6), arguing that Allison had failed to state a claim.

The court held that Plaintiff’s increased risk of harm did not create an injury-in-fact because his chance of suffering from identity theft was not imminent and was too speculative. Despite Plaintiff’s conclusory allegations to the contrary, the court found that Plaintiff had merely alleged that unidentified hackers had accessed his email address, thus making actual identity theft unlikely. The court dismissed Allison’s claims based on a lack of standing. 

Compared to other recent opinions that address the risk of identity theft, this opinion stops short of addressing the heart of this issue -- namely, does a demonstrated risk of identity theft create an injury upon which relief can be granted? Would the court have ruled differently if Allison's social security number, as opposed to just his email address, had been accessed? Future plaintiffs are likely to attempt to distinguish their claims from Allison by contending that their claims are more fully and adequately pleaded to demonstrate a more imminent risk of identity theft. However, that does not mean a claim survives a motion to dismiss. In fact, as we discussed just last year, certain courts have held that while the increased risk of harm may be sufficient to satisfy the initial injury-in-fact element for standing, it may not suffice to show "actual damage" to support a claim for damages under negligence and other liability principles.

UPDATE: Data Breaches on the Rise in 2010

Updating a previous post regarding the rise last year in the number of data breaches involving customers’ personal information in the general business sector, the numbers of these breaches for the first third of 2010 reflect a similarly troubling trend. According to the Identity Theft Resource Center (“ITRC”), the total number of reported data breaches as of today stands at 245, or nearly half of the 498 total breaches reported for the entire year in 2009. The general business sector (not including companies in the more heavily-regulated financial and medical sectors) continues to experience the highest percentage of these data breaches, with a reported 38.8% of reported breaches thus far this year. These statistics underscore the urgency with which your company should act to ensure that adequate measures are in place to protect private data, or risk being subject to costly litigation. Stay tuned for further updates as additional data becomes available.

Study Suggests that Data Breaches Among Businesses May Be on the Rise

A recent study released by the Identity Theft Resource Center (“ITRC”), a non-profit organization dedicated exclusively to the prevention of identity theft, suggests that in 2009, while the government appeared to be improving data security, the protection of customers’ private information by some businesses may have worsened. The annual ITRC study is funded by the U.S. Department of Justice’s Office of Victims of Crime and tracks how a data breach occurs and identifies the breach by sector – including general business, medical and health, financial institutions, government/military, and educational.

The highlights of the 2009 ITRC study include the following:

  • Breaches within the general business sector (not including companies in the more heavily-regulated financial and medical sectors) climbed from 21% to 41% between 2006 and 2009, the worst sector performance by far.
  • Paper breaches increased 46% from 2008 and now account for nearly 26% of known breaches.
  • The number of breaches caused by a malicious attack surpassed the number resulting from human error for the first time in three years.
  • Encryption or another strong security feature was protecting the exposed data in only six of the total 498 breaches reported.

These statistics highlight the importance of consistently evaluating the measures your company takes to secure private data. Otherwise, your company runs the risk of being sued for breach of privacy, including in the individual and class action context, or becoming the subject of investigation by state and/or federal regulators, who are becoming increasingly aggressive about investigating privacy breaches. Your company may also find itself liable to third-parties with whom it does business, including credit card issuers and merchant banks, especially if your company’s privacy protections fail to meet the industry standard. [Click here for a post from the Kelley Drye Advertising Group’s “Ad Law Access Blog” regarding a recent law passed in the state of Washington that establishes such liability.]

Click here for more information about ITRC’s 2009 Data Breach study.

Update: California Supreme Court Agrees to Review Issue of Whether Collecting Customer Zip Codes and Reverse Data Mining for Additional Customer Information Violates California's Song-Beverly Credit Card Act

If you or your company collect zip codes in California as part of a loyalty program or otherwise, and reverse data mine for additional customer information, you should be aware that the California Supreme Court recently granted a petition to review the issue of whether a retailer violates California’s Song-Beverly Credit Card Act if, in connection with a credit card transaction, it records a customer’s zip code for the purpose of later using it and the customer’s name to obtain the customer’s address through a reverse search database.

The Song-Beverly Credit Card Act prohibits merchants that accept credit cards in transacting business from making requests that the cardholder provide “personal identification information” and from recording that information. (Cal. Civ. Code § 1747.08, subd. (a)(2).) Under the Act, “personal identification information” means information concerning the cardholder, other than information set forth on the credit card, and including, but not limited to, the cardholder’s address and telephone number. In Party City Corp. v. Superior Court, 169 Cal.App.4th 497 (Cal. App. Ct. 2008) (discussed previously on this blog), the California Court of Appeals considered the language of the Act and the legislative history and concluded, as a matter of law, that a zip code is not “personal identification information” within the meaning of section 1747.08, subdivision (b) because a zip code is not facially individualized information. Last year, in Pineda v. Williams-Sonoma Stores, Inc., 100 Cal.Rptr.3d 458 (Cal. App. Ct. 2009), the California Court of Appeals followed Party City and affirmed the decision below that Williams-Sonoma did not violate the Act by requesting and recording the customer’s zip code for the purpose of using it and the customer’s name to obtain the customer’s address through the use of reverse data mining. The Court of Appeals in Pineda also held that using a legally-obtained zip code to acquire and use an address that is public is not “a serious invasion of privacy,” which is a necessary element of a privacy claim. Pineda failed to allege facts showing that her home address was not otherwise publicly available or that she undertook efforts to keep it private.

While the Party City and Pineda decisions provided clarity for companies in California that collect customer zip codes and then reverse data mine, the California Supreme Court’s decision to review this issue again creates uncertainty as to whether the practice is permissible. Stay tuned for future posts on any developments.
 

Recent Decisions Find In Favor of Insurance Coverage for "Blast Faxes"

Numerous class action suits have been brought over the past several years under the Telephone Consumer Protection Act (“TCPA”) against entities that fax unsolicited advertisements (so-called “blast faxes”) to individuals and businesses.  Companies facing such suits in turn have sought insurance coverage under their comprehensive general liability (“CGL”) policies for costs incurred defending TCPA suits, and for indemnification of any liability.

While coverage disputes in blast faxing cases have historically yielded mixed results, a series of recent rulings have tilted the scales in favor of policyholders.  For example, the Florida Supreme Court decided on January 28, 2010 in Penzer v. Transportation Ins. Co., No. SC08-2068, 2010 WL 308043, that a standard CGL policy provided coverage for a suit brought under TCPA for alleged blast fax activities.  While other recent decisions have yielded similar results, Penzer is significant because it held that the plain language of the insurance policy compels coverage.

Despite the holding in Penzer, insurers will likely use the lack of unanimity among courts, and the potential for inconsistent results in jurisdictions yet to address the issue, as a basis to deny claims going forward.  Policyholders would be well served to not take these denials at face value, but rather should demand the coverage to which they are entitled.

A client advisory prepared by Kelley Drye & Warren LLP’s Insurance Recovery Group summarizes recent coverage decisions regarding blast faxing, including the Penzer decision, and discusses the implications of those cases for policyholders.

Identity Theft Litigation Update: Recent Cases Show Trend Toward Dismissal of Speculative Claims

Several weeks ago, we discussed how most courts were rejecting lawsuits where the plaintiffs claimed “damages” in the form of an increased risk of identity theft, generally stemming from allegations of an accidental loss or theft of personal confidential information. Since we last blogged on this issue, two recent decisions highlight how that trend is continuing, and that courts increasingly require more than speculation about future harm to sustain a lawsuit over the loss of confidential information.

The first notable decision involved a court which was clearly aware of this growing body of case law. In Belle Chasse Automotive Care, Inc. v. Advanced Auto Parts, Inc., United States District Court Judge Kurt Engelhardt of the Eastern District of Louisiana dismissed a claim stemming from a security breach involving confidential information. The plaintiff in Belle Chasse alleged that this breach had caused only an increased risk of identity theft, not an actual identity theft. The court granted defendants’ Rule 12(b)(6) motion, and cited to the growing body of case law from around the nation supporting the position that these allegations amount only to “speculative damages for which [Louisiana] law provides no remedy.” Notably, the Court cited to the Pinero decision we referenced in our prior post and found United States District Court Judge Sarah Vance’s analysis in that case to be “directly on point.”

The second notable decision provides an example of a Court reversing course on this issue, citing this line of cases as authority. The Ruiz v. Gap, Inc. case already was notable in that United States District Court Judge Samuel Conti, in March 2008, had previously ruled  that allegations of a potentially increased risk of future identity theft were sufficient to make out a viable negligence claim under California law. At that time, Judge Conti denied the defendant’s motion to dismiss under Rule 12(b)(6) and held that the plaintiff had alleged an injury in fact, even though he noted that it was unclear what damages the plaintiff would be able to recover even if the plaintiff were to prevail on the merits. Compared to the many cases holding to the contrary, the Ruiz case was generally viewed as an outlier, as one of the few rulings to have held that an allegation of the mere increased risk of identity theft was sufficient to defeat a Rule 12(b)(6) motion.

But just this month, Judge Conti granted summary judgment to the defendants on this same issue. In doing so, the court held that an increased risk of identity theft did not constitute “the level of appreciable harm necessary to assert a negligence claim under California law.” The court expressly rejected parallels to medical monitoring claims in the toxic tort context, and expressly noted similar cases from other jurisdictions – namely Louisiana, Ohio, and Minnesota – none of which were referenced in the court’s 2008 opinion denying the defendants’ motion to dismiss. The decision appears to reflect a reconsideration of sorts by the court – the evidence obtained during depositions seemed to be no different from what the plaintiff alleged in his Complaint, so if those allegations were adequate to defeat a motion to dismiss, testimony to the same effect should have also been adequate to defeat summary judgment. This is merely our own speculation, but it could be that the court became aware, over the course of the past year, of the growing and substantial body of case law which has been rejecting these types of speculative claims.
 

Merchants Beware: Protect Your Customers and Company from Credit Card "Skimming"

The current economic climate has had many consequences, including an apparent increase in economic crimes such as credit card fraud. In recent months, numerous credit card scams involving restaurant chains have been reported. For example, the Washington Examiner reported on March 29 that wait staff at several high-end restaurants in Washington, DC, including M&S Grill, 701 Restaurant, Clyde’s of Gallery Place and Bowie’s Carrabba’s Italian Restaurant, stole credit card numbers from customers and ran up a $750,000 tab at various luxury retail stores. In addition, the article references a similar scam recently uncovered in New Orleans, in which a waitress at Bubba Gump Seafood Company used a skimming device to capture customers’ credit card information. “Skimming” devices, which can easily be purchased over the Internet, are small enough for wait staff to carry in their pockets or aprons, and within a second can capture the electronic information stored in a credit card’s magnetic strip.

While such scams obviously cost consumers, merchants are also victims due to loss of consumer trust, the time and expense of cooperating with authorities and, if applicable, notifying potentially affected customers, and potential lawsuits under negligence and/or negligent hiring theories. Although merchants can never be completely assured that rogue employees will not engage in theft, they should consider the following steps to mitigate their risk:

(1) Handle credit cards in view of the customer. If the customer never loses sight of the credit card, theft is more difficult if not impossible. Retailers, restaurants and other businesses may wish to consider switching to portable credit card processing devices that allow customers to pay at the table.

(2) Carefully screen job applicants. Simple background checks can identify applicants with prior criminal histories.

(3) Educate and monitor employees. Ensure that employees are aware of the risks and consequences of credit card fraud (e.g., mere possession of a skimming device is a felony in many states), and adopt policies for employees handling customer credit cards. Monitor employees and encourage them to report any suspicious activity on the part of their coworkers.

Fears of Future Identity Theft Generally Not Sufficient To Establish "Actual Damages" In A Lawsuit

Over the last few years, incidents involving disclosures of personal information by consumer financial service providers have been big news, ranging from the theft of laptop computers containing social security numbers, to hacker attacks on computer networks containing confidential information, to the more "vanilla" theft of personal documents. Not surprisingly, the plaintiffs' bar has been attempting to turn all of this worry about identity theft into big money - even where no identity theft has occurred. However, courts around the nation have been considering such claims, and responding with a virtually uniform voice to state that, however the claim may be styled, a plaintiff's speculative fear of potential future identity theft does not constitute "actual damages" under the law, and have accordingly rejected such lawsuits.

In the latest court opinion to address this issue, Pinero v. Jackson Hewitt Tax Service, Inc., No. 08-3535, 2009 U.S. Dist. LEXIS 660 (E.D. La. January 7, 2009), Chief Judge Sarah S. Vance dismissed various statutory and tort claims, including negligence, breach of contract, violations of a Louisiana data breach notification statute, and claims under the Tax Reform Act of 1976, against a national franchisor of income tax preparation services and its local independent franchisee. In the Pinero case, the plaintiff contended that the independent franchisee had failed to dispose of certain documents properly, which allegedly contained personal information. However, the plaintiff neither contended that her documents fell into the hands of a wrong-doer, nor that she had suffered any actual identity theft. Her damages claims were largely based on alleged emotional injuries and mental anguish, and theoretical consequential damages about steps she might need to take to deal with potential identity theft.

The Court rejected this theory of damages, and dismissed 6 of 7 claims, including negligence, breach of contract, and violations of the Louisiana data breach notification statute, holding that this type of speculative “injury” does not meet the required damages element. Also, in a holding of first impression, Judge Vance dismissed the federal claim for statutory penalties under the Tax Reform Act of 1976, ruling that commercial tax preparers are simply not subject to the provisions of the law governing disclosure of tax return information by the I.R.S. or its agents. The Court further ruled that the Louisiana data breach notification statute did not apply to paper documents – notably, Louisiana is not alone in this regard. Judge Vance also dismissed the claims for fraudulent inducement and under the Louisiana unfair trade practice law for a failure to adequately allege an intent to defraud. The Court let only the invasion of privacy claim survive, albeit noting skepticism about whether such a claim could succeed on the merits.

For further discussion of this case, see our recently published piece in the ABA "Secure Times" newsletter. And for a broader discussion of how other cases have addressed these types of claims, please see our article published in Andrews Litigation Reporter.

(Andrew S. Wein and Veronica D. Gray represent Jackson Hewitt Tax Service in this case.)
 

Use Of Customer Information For Data Mining May Be A Violation Of California Constitutional Right To Privacy

If you or your company have a loyalty program or collect customer information in any form, and reverse data mine for additional customer information, you face the risk of being sued in California for a violation of the California Constitutional right to privacy. Recently, in Watkins v. Autozone Parts, Inc., No. 08-cv-01509-H, 2008 WL 5132092 (S.D. Cal. Dec. 5, 2008), the United States District Court for the Southern District of California held that all a plaintiff needs to allege to state a claim for a breach of the constitutional right to privacy is that the defendant requested plaintiff’s personal information and then “covertly” reverse data mined for additional information about that plaintiff. As you may know, this decision cuts against the recent trend in California Courts of Appeal decisions aimed at narrowing the types of actions involving the collection of customer data that can be brought against retailer defendants (see, e.g., Absher v. AutoZone, Inc., 164 Cal. App. 4th 332 (2008); TJX Cos., Inc. v. Sup. Ct., 163 Cal. App. 4th 80 (2008)), and creates great uncertainty for companies with respect to their ability to collect customer information.

In Watkins, plaintiff brought a putative class action alleging that Autozone violated the California Song-Beverly Credit Card Act, California Civil Code §1747.08 (the “Act” or “Section 1747.08”) by unlawfully requesting and recording personal customer information, and then “covertly” engaging in a “reverse search” to determine additional customer personal information, in violation of the California Constitution’s privacy provision.

First, the court held that plaintiff pleaded facts sufficient to support a claim for a violation of Section 1747.08. See 2008 WL 5132092, at *6. Second, and more significantly, in holding that plaintiff sufficiently pleaded a claim for invasion of privacy, the court reasoned that:

  • plaintiff adequately alleged a legally protected privacy interest in his home address;
  • the allegations that Autozone obtained and subsequently used his home address information by using his telephone number and credit card information after plaintiff’s purchase at Autozone satisfied the pleading requirements of a reasonable expectation of privacy in these circumstances; and
  • plaintiff sufficiently alleged that the invasion into his privacy was "serious," given his allegation that Autozone used his private information for profit without his consent and without informing him of the use of his information. See id.

Further, the court stated that the purpose of statutory provisions (including Section 1747.08) prohibiting the requesting of personal information from credit card customers “speaks to the potential seriousness of invasions that may occur.” Id. at *7 (citation omitted).

This holding creates great uncertainty for companies in determining in what circumstances collecting customer information and then reverse data mining is permissible. For instance:

  • Can a company utilize information that was obtained from a credit card customer for shipping purposes to reverse data mine for additional information about that customer?
  • Does a retail company violate a customer’s right to privacy by using a credit card customer’s zip code to obtain additional information about that customer given the recent California Court of Appeal holding that a zip code is not “personal identification information” under Section 1747.08? See Party City Corp. v. Sup. Ct. of San Diego County, No. D053530 (Cal. Ct. App. Dec. 19, 2008).

 
