Private ordering, rather than government intervention, has been the primary force behind the development of data security measures in the payment card industry. [1] Government intervention often occurs in response to security breakdowns, which draw attention to weaknesses in the private ordering regime. When those weaknesses could potentially impact consumers, they create an almost irresistible temptation for lawmakers to come to the aid of their constituents through legislation. Unfortunately, legislation almost always creates unanticipated consequences.
The Fair and Accurate Credit Transactions Act of 2003 (“FACTA”) [2] was enacted in part to address the security practices of merchants who accept payment cards. FACTA targets a very narrow problem – credit card numbers and expiration dates displayed on printed receipts – that was thought to present an enhanced risk to consumers for identity theft and fraud. Since receipts could easily fall into the wrong hands, FACTA requires merchants to truncate card numbers and block out expiration dates on printed receipts.
FACTA enforcement is based on a private litigation model, rather than agency enforcement. Since actual damages or harm from a particular disclosure event might be small or nonexistent, FACTA permits successful litigants to pursue statutory damages ranging from $100 to $1,000 per transaction, along with attorney fees and costs. By coupling statutory damages with the potential for a class action lawsuit, FACTA creates a potentially crippling liability threat for noncompliant merchants. A recent Ninth Circuit case, Bateman v. American Multi-Cinema, Inc., [3] concluded that neither the magnitude of potential liability in relation to actual harm, nor the good faith remedial efforts of the merchant after the breach of compliance, was a ground to prevent the certification of a class action. Consequently, AMC may be subject to liability of up to $290 million for conduct that essentially harmed no one.
Potential FACTA liability thus raises the stakes for being noncompliant far beyond the market-based consequences of insecure behavior. As payment card transactions have moved online, litigants have also focused on whether online merchants have FACTA obligations. This issue reached the Seventh Circuit in Shlahtichman v. 1-800 Contacts, Inc. [4], which concluded that FACTA should be applied restrictively to receipts that are printed on paper by the merchant.
This essay discusses the FACTA regime as illustrated in these recent appellate decisions and their impact on merchant liability. The consequences of noncompliance are potentially crippling, even when no real security threat is presented. In many circumstances, FACTA increases costs without any real contribution toward consumer wellbeing. Policymakers should pay careful attention to the lessons learned from FACTA’s litigation consequences as they consider additional regulations affecting data security. In particular, the benefits obtained from rules enforced through “bounties” may not be worth the costs.
When governments intervene in the private ordering scheme, states often take a leading role. This approach reflects the dynamic nature of technology and changing human preferences, both of which sometimes favor “the workings of normal democratic processes in the laboratories of the States.” [5] Federal intervention often follows state attempts at legal solutions in order to address the patchwork of inconsistent laws that may emerge. However, in rare cases, federal legislation emerges early in the process of legal development, providing a single, national legal framework. FACTA appears to be that rare example.
FACTA’s legislative history is somewhat sparse on the details underlying this merchant restriction, but it is clear that identity theft was an important issue being targeted by legislators. [6] Although federal law already protects consumers from fraudulent charges by limiting their liability to $50, competition has resulted in an even better deal for consumers, who generally have zero fraud liability for unauthorized charges. [7] However, zero liability policies can only provide protection within the card networks, and these policies do not protect consumers who incur other costs in contesting fraudulent charges or dealing with other aspects of identity theft.
FACTA includes other provisions to assist consumers in addressing credit reporting issues that arise after identity theft has occurred, [8] but its provisions restricting the display of card numbers and expiration dates on receipts provide a federally mandated step toward preventing card information from falling into the wrong hands in the first place. Accordingly, FACTA prohibits a vendor who accepts a credit or debit card from “print[ing] more than the last 5 digits of the card number or the expiration date upon any receipt provided to the cardholder at the point of the sale or transaction.” [9] However, this restriction applies only to receipts that are “electronically printed.” [10]
FACTA’s restriction clearly fits the retail merchant in a brick-and-mortar operation that electronically scans a payment card and gives an electronically printed receipt to a customer. The rules restricting FACTA obligations to “electronically printed” receipts excused smaller merchants using carbon-based forms to take imprints of the customer’s card, which necessarily reproduced all information from the face of the card. Technology and the desire to limit processing costs – both the product of private ordering within the payment network – would gradually eliminate the carbon paper forms. Yet Congress was sufficiently solicitous of small business interests that it did not require the adoption of new technology, despite the risks that such paper forms may have presented.
Viewed from an economic perspective, this restrictive approach toward reducing security risks may be justified when the expected consumer harm (and merchant losses) from reduced access to payment options outweighs the limited marginal risk from the low-volume and high-cost form of identity theft based on carbon forms. [11] However, it must be recognized that paper receipts in general are a higher-cost source of card data for a prospective fraudster than unencrypted electronic data. Nevertheless, FACTA focuses only on these printed receipts, leaving the protection of other electronic data to private ordering.
FACTA’s limited focus can thus be criticized based on underinclusiveness, but unfortunately, even the narrowly targeted area it covers is not designed very well. FACTA seems to contain a fundamental design flaw in that a merchant could violate FACTA not only by displaying card numbers but also by displaying only the expiration date on a card. The expiration date alone, without the associated card number, is highly unlikely to present any meaningful risk of a security breach. Nevertheless, by writing the statute in the alternative, i.e., card numbers or expiration date, the FACTA regime defined an infraction to include merchant conduct with an extremely limited potential for any significant consumer harm.
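As an added illustration, not drawn from the essay or from any cited case, the following Python code models the receipt rule quoted above and the disjunctive trap just described: a small masking routine plus a checker that, given the card used in the transaction, flags either a card-number leak (including a first-four/last-four layout of the kind that figures in Bateman, discussed later in the essay) or an expiration-date disclosure, since the statute treats each as a violation on its own. The sample card number and expiry are constructed values, the receipt layout and function names are hypothetical, and ignoring digit runs shorter than four characters (prices, quantities) is an assumption of the check rather than anything the statute says.

```python
"""Receipt-masking check modelled on the FACTA truncation rule:
print no more than the last 5 digits of the card number, and not the
expiration date, on an electronically printed receipt.  Added example;
not code from the essay or from any merchant system it discusses.
"""
import re

# Constructed sample values (not real card data).
SAMPLE_PAN = "4532015112830366"
SAMPLE_EXPIRY = "12/14"

MAX_VISIBLE_DIGITS = 5   # statutory ceiling: "the last 5 digits"


def _digits(s: str) -> str:
    """Keep only the digit characters of a string."""
    return re.sub(r"\D", "", s)


def mask_pan(pan: str, keep_last: int = 4) -> str:
    """Replace every digit of the card number except the last `keep_last` with '*'.
    Refuses to keep more than the statute allows."""
    d = _digits(pan)
    if not 0 <= keep_last <= MAX_VISIBLE_DIGITS:
        raise ValueError(f"keep_last must be between 0 and {MAX_VISIBLE_DIGITS}")
    return "*" * (len(d) - keep_last) + d[len(d) - keep_last:]


def render_receipt(pan: str, expiry: str, *, keep_last: int = 4,
                   show_expiry: bool = False, amc_style: bool = False) -> str:
    """Render a hypothetical kiosk receipt.
    amc_style   -> first four and last four digits visible (the Bateman pattern)
    show_expiry -> prints the expiration date (the other prong of the statute)"""
    d = _digits(pan)
    if amc_style:
        card = d[:4] + "*" * (len(d) - 8) + d[-4:]
    else:
        card = mask_pan(d, keep_last)
    lines = ["ACME KIOSK   TICKET x2   $25.00", f"CARD: {card}"]
    if show_expiry:
        lines.append(f"EXP: {expiry}")
    return "\n".join(lines)


def receipt_violations(receipt: str, pan: str, expiry: str) -> list:
    """Return a list describing each way the receipt text exceeds the rule.
    The statute is written in the alternative, so a card-number leak and an
    expiration-date leak are each reported independently.
    Assumption: digit runs shorter than 4 characters are ignored as amounts."""
    d = _digits(pan)
    allowed = d[-MAX_VISIBLE_DIGITS:]          # the only card digits that may appear
    problems = []
    for run in re.findall(r"\d{4,}", receipt):
        # Any run of card digits that is not simply a suffix of the last five
        # digits reveals more than the statute permits.
        if run in d and not allowed.endswith(run):
            problems.append(f"card number: '{run}' exceeds the last {MAX_VISIBLE_DIGITS} digits")
    mm, yy = _digits(expiry)[:2], _digits(expiry)[-2:]
    # Match MM/YY, MMYY, MM-YY or MM/20YY, but not digits embedded in a longer run.
    if re.search(rf"(?<!\d){mm}\D{{0,3}}(?:20)?{yy}(?!\d)", receipt):
        problems.append(f"expiration date printed: {expiry}")
    return problems


if __name__ == "__main__":
    for label, kwargs in [("compliant", {}),
                          ("first4/last4", {"amc_style": True}),
                          ("expiry only", {"show_expiry": True})]:
        text = render_receipt(SAMPLE_PAN, SAMPLE_EXPIRY, **kwargs)
        print(f"--- {label} ---\n{text}\n{receipt_violations(text, SAMPLE_PAN, SAMPLE_EXPIRY)}")
```

The checker needs the card number used in the transaction, so it is meant to run in the merchant's own test harness against receipts its point-of-sale software renders, where that value is available; it is not a scanner for receipts found in the wild.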
Other federal laws or regulations dealing with consumer financial privacy, such as Gramm-Leach-Bliley, generally rely on regulatory agencies for enforcement. [12] However, FACTA permits enforcement through litigation by consumers affected by unlawful disclosure. Whereas actual damages are likely to be limited or even nonexistent – a phenomenon that is recognized in other litigation based on data security breaches [13] – FACTA provides an option to pursue statutory damages ranging from $100 to $1,000 for every willful violation, along with the recovery of attorney’s fees. [14] Combining this provision with class action litigation can thereby transform a disclosure causing little or no actual consumer harm into a significant liability event for a noncompliant merchant, as will be discussed below.
On September 27, 2010, the Ninth Circuit decided Bateman v. American Multi-Cinema, Inc., [15] which concluded that a class action lawsuit based on FACTA could be certified, despite the fact that the statutory damages claimed would be vastly out of proportion to any actual harm incurred by the plaintiffs. The AMC movie theater chain had printed more than 290,000 receipts at kiosks in theaters between December 4, 2006 and January 29, 2007, which contained the first four and the last four digits of the credit card number, a clear violation of the FACTA restriction. [16] The plaintiff did not allege any actual harm but instead sought statutory damages under FACTA on behalf of the putative class.
The district court had refused to certify the class, noting that AMC had taken prompt subsequent remedial actions and “AMC’s potential liability – $29 million to $290 million – was enormous and out of proportion to any harm suffered by the class.” However, the Ninth Circuit concluded that neither of these considerations provided a sufficient basis to deny class certification. [17] As a result, the lawsuit was allowed to go forward.
Statutory damages are only available when the FACTA violation is “willful.” [18] Willful violations are not merely technical but must be either “knowing” or “reckless” reflecting a violation “under a reasonable reading of the statute’s terms.” [19] Although the court found nothing in the legislative history to explain why Congress provided for statutory damages, [20] it surmised that the need for statutory damages was plain given that actual harm “will often be small or difficult to prove.” [21] The court also noted that damage provisions serve a purpose of deterrence, which would prevent businesses from willfully making consumer financial data available. [22] Absent a statutory basis for judicial interference, the court refused to contradict these supportive purposes through the procedural mechanism of refusing to certify a class.
In support of its position, the court also noted that FACTA had been amended in 2008 to address a problem of numerous class actions against merchants who had erroneously disclosed the card expiration date. [23] Merchants had apparently misread the disjunctive construction of the statute and printed receipts with truncated card numbers along with expiration dates, triggering hundreds of lawsuits to collect statutory damages for a willful violation. As Congress had explained in connection with this amendment, “[T]he purpose of this Act is to ensure that consumers suffering from any actual harm to their credit or identity are protected while simultaneously limiting the abusive lawsuits that do not protect consumers but only result in increased cost to business and potentially increased prices to consumers.” [24]
However, the safe harbor protection enacted was narrowly crafted to exempt expiration date disclosures between December 4, 2004 and June 3, 2008 from the category of willful violations. [25] Although Congress was aware of class action litigation involving FACTA (and thus could surmise the potential for large statutory damage awards), Congress did not restrict the class action remedy or impose a cap on recoveries, which it had done in other contexts involving statutory damages. [26] Although the court reserved judgment on the possibility that a damage award could be so disproportionate as to raise a constitutional issue, that issue would not provide a basis for failing to certify a class. [27] While Congress might choose to amend the statute to limit class action lawsuits or cap damages, until it does so, the court would choose to enforce the law as it was written. [28]
Bateman illustrates that private enforcement proceedings based on statutory damage awards can present windfalls for “bounty hunters” who are motivated by the profit potential from statutory damage awards coupled with attorney fees. Of course, recovery of attorney fees and litigation costs could still provide an inducement for individual lawsuits in cases involving actual damages, but the merchant exposure to liability in those cases is likely to be substantially less than the statutory damage alternative. While a bigger liability threat may indeed induce greater merchant vigilance, any security benefit to consumers comes at a cost. Overinvestment by merchants in monitoring and compliance (in relation to the real risks of causing actual damages) is likely to be passed on to consumers, particularly when this occurs throughout the marketplace.
In cases involving minor infractions of FACTA, litigation costs and damages may have purchased no security benefit. In enacting the Clarification Act in 2008, Congress made a rare admission that its good intentions effectively harmed consumers by raising litigation costs over statutory violations that generated no demonstrable threat to consumer security. Despite this admission, it did not fix the problem. Instead, it left this liability regime in place, and perhaps even made it worse by confirming its intent that even the bare disclosure of a credit card expiration date could subject a merchant to liability for a “willful” disclosure.
The online environment has proven to be a fertile ground for identity theft, thus presenting concerns about the security of payment card information. Although online merchants face numerous security threats that potentially affect consumer trust and confidence, the potential for FACTA liability also needs to be considered. After a number of district court cases addressing the scope of FACTA coverage, the Seventh Circuit appears to have provided online merchants with some relief from this FACTA anxiety in Shlahtichman v. 1-800 Contacts, Inc. [29]
The plaintiff, an online purchaser of contact lenses, sought to bring a class action against an online vendor that had provided a receipt via e-mail that included his credit card expiration date in violation of FACTA. Although such a disclosure was exempted from the willful category and thus would not have triggered statutory damages if it had occurred before June 3, 2008, [30] this disclosure occurred after June 3, 2008 and thus presented the possibility of a significant recovery for the plaintiff. The district court had dismissed the complaint on the ground that FACTA was inapplicable. According to the court, the offending e-mail confirmation was neither electronically printed nor provided at the point of sale.
The Seventh Circuit provided a long list of district court decisions that addressed whether electronic receipts were covered, with a majority of those decisions concluding they were not. It ultimately agreed with this majority view, holding that FACTA was not applicable without an “electronically printed receipt.” According to the court, FACTA covers printed receipts, and printing requires paper. [31] It also noted that an e-mail confirmation was not materially different from an online electronic receipt made available to a consumer on its website, neither of which involved printing on paper by the merchant. [32] Sending an electronic copy is not printing.
The court also took into account the logistical issue of where the “point of sale” occurred in the online transaction, which is relevant to the extent that a receipt must be provided “at the point of sale or transaction” to be covered by FACTA. As the court noted, Congress seems to contemplate brick-and-mortar stores with paper receipts printed by the vendor, as reflected in the statutory reference to “any cash register or other machine or device” put into service by the effective date. [33] According to the court, devices put into service by customers would be beyond the control of merchants, making this an implausible basis for imposing liability on the merchant. [34]
The court found another basis for rejecting FACTA’s application to electronic commerce in the fact that Congress knew about electronic commerce when it was enacting FACTA, and yet it made no specific effort to cover the Internet, e-mail or electronic receipts. In contrast, other legislation directed at the Internet clearly shows that Congress was aware of problems in that realm, thus suggesting that it intentionally limited the scope of FACTA. [35]
Although the court recognized that applying FACTA’s requirements could arguably be consistent with the statutory purpose of preventing identity theft, the court took its cues from the literal language of the statute, stating “we may not ignore the unambiguous language of the statute in order to further Congress’s expressed purpose in enacting the statute.” [36] The court also noted prudential considerations that favored treating electronic receipts differently from paper ones, including the reasonable belief that the consumer’s own computer or digital device is less subject to inadvertent disclosure or theft than a paper receipt.
As a further blow to plaintiffs, the court also noted that even if FACTA were applicable, such a disclosure in the electronic context would not constitute a “willful” violation. [37] In this context, neither a court of appeals nor a federal agency has construed FACTA to apply to e-mail receipts. The court viewed the merchant’s position as objectively reasonable, which precluded the knowing or reckless behavior that is required for a willful violation and thereby precluded any recovery under the statutory damages provision.
Although other circuits may yet take up this issue, a finding against willfulness in this context may also be particularly damaging to the claims of other plaintiffs seeking statutory damages in the electronic context. Treating an electronic receipt differently from a paper one may seem to be at odds with the directional development of law in the realm of eCommerce, which generally treats electronic actions and documents similarly to their analogues in the ink and paper realm. However, the result here is not only consistent with the statutory language but may also be prudentially justifiable. By stemming the tide of litigation threats from FACTA violations like this one, the court is inhibiting wasteful litigation that rewards bounty hunters but provides no meaningful protection for consumers. Congress may have intended that kind of regime in the brick-and-mortar environment. Yet until it expresses a similar intention for the online environment, the court chose to draw a line that, by limiting litigation costs, may ultimately inure to the benefit of consumers.
One argument the Seventh Circuit would not consider in 1-800 Contacts, because it was not raised in the district court below, was the possibility that its restrictive construction of FACTA would leave the states free to regulate in this area in a manner inconsistent with 15 U.S.C. § 1681t, which preempts state law in this area. [38] The plaintiff argued that if electronic receipts were not covered by the federal statute, they would be subjected to a “very crazy quilt of State laws.” [39] So far, that sort of quilt has not yet emerged for online payment card disclosures. However, brewing controversy over the adequacy of private ordering for data security coupled with legislative sentiments favoring future regulation portend changes in this area.
In the meantime, merchants who take payment cards will do well to learn from the bad examples presented in these cases. Prudential considerations favor nondisclosure and heightened attention to security, regardless of whether FACTA applies in your environment. But if FACTA does apply, you cannot afford to be noncompliant. Policymakers would also do well to learn from Congress’s mistakes in designing the enforcement mechanisms in FACTA, which are likely to increase consumer costs without delivering security benefits.
[*] Professor of Law, McGrath North Mullin & Kratz Endowed Chair in Business Law, Creighton University School of Law. Professor Morse also serves as chairman of the Payment Systems Data Security Breach Task Force, which is part of the Cyberspace Law Committee of the American Bar Association Section of Business Law. All opinions expressed here are personal and not attributable to either organization.
[1] See, e.g., Morse & Raval, PCI DSS: Payment Card Industry Data Security Standards in Context, 24 Computer Law & Security Report 540 (Elsevier 2008), available at http://ssrn.com/abstract=1303122. For a more recent working paper on this topic, see Morse & Raval, Private Ordering in Light of the Law: Achieving Consumer Protection Through Payment Card Security Measures, available at http://ssrn.com/abstract=1670112.
[2] Pub. L. No. 108-159, 117 Stat. 1952 (Dec. 4, 2003).
[3] 623 F.3d 708 (9th Cir. 2010).
[4] 615 F.3d 794 (7th Cir. 2010), cert. denied, 2011 WL 134337 (Jan. 18, 2010).
[5] See District Attorney’s Office v. Osborne, 129 S.Ct. 2308, 2326 (2009) (quoting Atkins v. Virginia, 536 U.S. 304, 326 (Rehnquist, C.J., dissenting)). See also Gonzales v. Raich, 545 U.S. 1, 42 (2005) (O’Connor, J., dissenting) (noting states’ roles as laboratories when exercising police powers to protect the health, safety, and welfare of their citizens).
[6] Subsequent legislation amending FACTA provides a much clearer indication of purpose: “[FACTA] was enacted into law in 2003 and [one] of the purposes of such Act is to prevent criminals from obtaining access to consumers’ private financial and credit information in order to reduce identity theft and credit card fraud.” Credit and Debit Card Receipt Clarification Act of 2007, Pub. L. No. 110-241, § 2(a)(1), 122 Stat. 1565 (June 3, 2008).
[7] See Morse & Raval, supra note 1.
[8] See generally Pub. L. No. 108-159, Subtitle B (“Protection and Restoration of Identity Theft Victim Credit History”).
[9] See 15 U.S.C. § 1681c(g)(1).
[10] See id. § 1681c(g)(2).
[11] Within the payment card industry, variable security assessment obligations apply depending on the size of the merchant, thus reflecting a similar approach toward balancing security and the value of consumer access.
[12] See, e.g., 15 U.S.C. § 6805 (delegating enforcement authority to federal functional regulators, state insurance authorities, and the Federal Trade Commission).
[13] For a recent case taking up the issue of whether an increased risk of identity theft could be considered as a basis for Article III standing, see Krottner v. Starbucks Corp., __ F.3d __, 2010 WL 5141255 (9th Cir. Dec. 14, 2010).
[14] See 15 U.S.C. § 1681n. FACTA shares this statutory damage provision with the Fair Credit Reporting Act, which has likewise been interpreted by the Seventh Circuit as eligible for class certification despite the potential for damages that are significantly greater than actual harm. See Murray v. GMAC Mort. Corp., 434 F.3d 948 (7th Cir. 2006).
[15] 623 F.3d 708 (9th Cir. 2010), requiring class action certification for a FACTA violation based on a movie theater chain printing 290,000 receipts at kiosks during a one-year period. Subsequent remedial actions by AMC, coupled with “enormous liability completely out of proportion to any harm suffered by the plaintiff,” did not exempt AMC from this claim based on a “willful” violation.
[16] However, it should be noted that for a credit card having sixteen digits, the fact that eight digits are missing still presents a significant challenge to a potential fraudster – roughly one-in-a-hundred-million odds against selecting the right combination.
[17] Id. at 710.
[18] See id. (citing 15 U.S.C. § 1681n).
[19] See id. at 711, n.1 (quoting Safeco Ins. Co. of Am. v. Burr, 511 U.S. 47, 57 (2007)).
[20] See id. at 718 and n.7.
[21] Id. Of course, this presupposes that an incentive beyond the threat of actual damages claims is needed to induce security compliance.
[22] Id.
[23] See Credit and Debit Card Receipt Clarification Act of 2007, Pub. L. No. 110-241, 122 Stat. 1565 (June 3, 2008).
[24] Id. § 2(b).
[25] See 15 U.S.C. § 1681n(d) (codifying the safe harbor).
[26] See Bateman, supra, 623 F.3d at 720-21 (noting damage caps added to the Truth in Lending Act).
[27] See id. at 722.
[28] See id. at 724.
[29] 615 F.3d 794 (7th Cir. 2010), cert. denied, 2011 WL 134337 (Jan. 18, 2010).
[30] See 15 U.S.C. § 1681n(d).
[31] See Shlahtichman, supra, 615 F.3d at 798-99.
[32] See id. at 798, n.2.
[33] See id. at 800-01 (quoting 15 U.S.C. § 1681c(g)).
[34] See id. at 801. Of course, merchants can still control how information is displayed and sent to those customer devices.
[35] See id. at 801-02.
[36] Id. at 802.
[37] Id. at 803-04.
[38] See id. at 803.
[39] Id.