Thank you for sharing!

Your article was successfully shared with the contacts you provided.
At the time President Bush signed the Fair and Accurate Credit Transactions Act of 2003 (FACT Act), few would have predicted that it would become the catalyst for a mass filing of complaints against retailers and businesses in 2007. One unique provision of the FACT Act, however, has done just that, with potentially serious consequences for retailers, merchants and any other individual or business that accepts credit or debit cards from its customers. The FACT Act, Pub. L. No. 108-159, 117 Stat. 1952 (2003), became fully effective on Dec. 4, 2006, and penalties for noncompliance can be severe. The act requires any person or business accepting credit or debit cards to limit the amount of information that is printed on the cardholder’s receipt. A rash of new lawsuits has been filed recently seeking substantial damages from businesses that have allegedly failed to comply. Section 1681c(g) of the FACT Act provides that “no person that accepts credit or debit cards for the transaction of business shall print more than the last 5 digits of the card number or the expiration date upon any receipt provided to the cardholder at the point of the sale or transaction.” Id. To comply with this provision, electronically printed receipts may not contain more than five digits of the 16-digit card number and cannot include the expiration date of the card. Thus, a receipt in compliance with the FACT Act might appear as follows: Acct: ***********12345 Exp: **** The receipt may omit the expiration date field entirely, or provide fewer than five digits of the account number, and still be in compliance. This requirement applies only to receipts that are electronically printed and does not apply to handwritten or card-imprinted receipts. 15 U.S.C. 1681c(g)(2). The language of this section appears to permit a “copy of the card,” but there is some ambiguity as to whether Congress intended to permit merchants to photocopy the credit or debit card. Finally, the FACT Act contains a “phase-in” period, but as of Dec. 4, 2006, all cash registers or machines that print electronic receipts for credit and debit card transactions must be compliant. The FACT Act has two separate provisions that expose noncompliant businesses to potential civil liability. The first is for individuals or businesses that are liable for “willful noncompliance.” 15 U.S.C. 1681n. The second is for individuals or businesses that are liable for “negligent noncompliance.” 15 U.S.C. 1681o. A person who willfully fails to comply with � 1681c(g) may be liable to the consumer for any actual damages of not less than $100 and not more than $1,000; punitive damages; and attorney fees and costs. A person who is merely negligent in complying with this statute may be liable for any actual damages sustained by the consumer plus attorney fees and costs. While these provisions may not seem alarming at first glance, it is important to realize that each customer transaction constitutes a separate violation. Thus, liability at a minimum of $100 per transaction could quickly multiply to a staggering sum, not to mention the potential for attorney fees and punitive damages.
COMPLEX LITIGATION • The next big thing may be very small • What ‘Dura’ didn’t resolve • Credit security law spurs suits • Depositions as defense tool

Plaintiffs’ attorneys have taken note of the effective date of this legislation and have already started filing class actions. To date, more than 50 separate class actions have been filed in California on behalf of purported nationwide classes. These lawsuits have targeted retailers and other merchants, both large and small. New complaints are being filed at an average rate of one or two per day. Defining willful noncompliance An important question raised by these lawsuits is what constitutes “willful noncompliance”? While the FACT Act is contained within the Fair Credit Reporting Act (FCRA), neither statute actually defines willful noncompliance. Congress also neglected to provide any specific guidance in the legislative history of either the FACT Act or the FCRA. The rash of class actions alleges that the defendants’ noncompliance must be willful because the defendants either knew of the FACT Act’s requirements and failed to comply, or else acted in reckless disregard of those requirements. These complaints fail to recognize that the defendants may have made good-faith, but ultimately inadequate, attempts to comply with the act. Moreover, many merchants may inadvertently have violated the act because they relied on third-party processing companies to handle all credit and debit card transactions. Two recent U.S. Supreme Court cases may shed some light on this important question. On Jan. 16, the justices heard oral arguments in GEICO General Insurance Co. v. Edo,No. 06-100, and Safeco Insurance Co. of America v. Burr,No. 06-84. Both cases involve the 9th U.S. Circuit Court of Appeals’ departure from other federal circuits regarding the definition of a “willful” violation of the FCRA. In Safeco, the 9th Circuit interpreted the term “willful” to include “reckless disregard” of the FCRA’s requirements. The 9th Circuit then refined that interpretation in GEICOby holding that a company may be deemed to have acted recklessly, and thus willfully, if it relied in good faith on a legal opinion interpreting the FCRA that is subsequently found to be unreasonable. By contrast, several other circuits require actual knowledge that the defendant’s conduct violates the FCRA. While the GEICO/Safecocases do not involve the FACT Act directly, they may help clarify the “willfulness” issue because the damages provisions of both acts are governed by sections 1681n and 1681o. Businesses and merchants that have yet to come into compliance, however, should not wait for the Supreme Court’s decisions in GEICOand Safeco. Those decisions will not alter their responsibilities under the FACT Act. They may, however, provide some relief by limiting the potential damages these merchants may face. Businesses that have not fully implemented the requirements of � 1681c(g) may find themselves at risk. For example, a business that has truncated the information on its credit card receipts to limit the amount of digits, but that still shows credit card expiration dates, may face liability. It is imperative that any individual or company accepting credit or debit cards conduct an immediate audit to ensure that all applicable registers and machines are in compliance. While news of these class actions has not yet hit the front pages, any increased attention brings at least two additional risks to companies that have failed to act. First, increased consumer scrutiny of credit card receipts only serves to heighten the possibility that more consumers will come forward to file lawsuits for uncorrected errors. Second, the ability of companies to characterize noncompliance as mere negligence will decline as time passes and public awareness of this statute increases. It is important for companies to maintain records showing their good-faith efforts to comply with this law. Such records may be essential in order to prove in litigation that any alleged noncompliance was merely an unintentional oversight and not willful. Even if a company is not in compliance when served with a lawsuit, subsequent efforts to quickly comply might help limit potential damages. Diligent efforts to comply as soon as the oversight is brought to the attention of a defendant may tend to show that the previous noncompliance was not willful. Quick action also may limit the size of any potential class of allegedly injured consumers. Many of the companies that have been sued have outsourced all point-of-sale (POS) transactions to third-party vendors. In some cases, these merchants may have been assured by these vendors that the merchants and their cash registers were in compliance with the FACT Act. Unfortunately, the language of the FACT Act does not appear to permit merchants to avoid liability by blaming a third party. Merchants who find themselves in this position should gather and maintain all records showing these assurances from their third-party credit processors and POS software and hardware providers. While it may not completely exonerate the merchant, such evidence will be helpful in arguing that the conduct was merely negligent, and not willful, noncompliance. In addition, merchants who find themselves the target of a class action should review their contracts with their third- party credit processors and POS vendors. Merchants may be entitled to indemnification for any liability and damages they suffer because of noncompliance with the FACT Act. Insurance to the rescue Finally, individuals and merchants who have been sued should review their insurance policies to see whether they are covered for these claims. There are four main types of insurance policies that could potentially provide coverage for companies that face FACT Act liability. These include general liability policies, errors and omissions (commonly called “E&O”) policies, corporate identity theft policies and electronic commerce insurance products. General liability policies may provide some coverage in limited circumstances. It is worth reviewing these policies, however, because they are the type most often carried by businesses. Companies that print advertising messages on their electronically printed receipts are most likely to find coverage under this type of policy. Unfortunately, it is rare for companies to use their receipts in this manner. Errors and omissions (E&O) policies insure against wrongful acts or omissions. Typically, the wrongful act must arise out of a professional service. Companies may be able to successfully argue that providing customer receipts is part of a professional service. Not all companies carry E&O policies, but those that do may find that they have some coverage for these FACT Act claims. Corporate identity theft policies are not as typical, but may provide the best bet for companies seeking coverage for their defense of FACT Act claims. These policies were crafted to protect companies facing liability for selling goods over the Internet if their customers’ identities were stolen. These polices, as written, may well be broad enough also to cover liability for POS transactions. Many insurance companies offer e-commerce insurance products. These policies may have been designed initially to protect against e-commerce attacks and computer hackers who attempt to enter corporate computer systems. As with the corporate identity-theft insurance, however, these e-commerce insurance products may be broad enough to provide coverage for liability caused by FACT Act claims. Other insurance options In addition to these four primary types of insurance, there are myriad additional insurance products on the market. Some of these policies offer very narrow, targeted protection and some offer broader protection. Companies that face FACT Act lawsuits should, therefore, carefully review all of their insurance coverage to see whether they may count on their insurance carriers to ride to their rescue. Even companies that have verified that they are in compliance with the FACT Act should remain vigilant. State laws are set to impose additional requirements on merchants and businesses. In California, for example, California Civil Code � 1747.09 requires that credit card and debit card information be truncated in the same manner as the FACT Act. The California law, however, was initially enacted in 2001 and has been fully effective since Jan. 1, 2004! Moreover, last year California amended this section to impose additional restrictions on businesses and merchants that accept credit and debit cards. These new regulations limit the number of digits that can be printed on the receipts that merchants keep for their own records. While these regulations will not be fully operative until Jan. 1, 2009, it is important that merchants work to implement these changes ahead of time so that they are not caught by surprise when the regulations are fully implemented. State legislators in California and elsewhere may enact additional requirements in the future. The lesson to be learned from the FACT Act is that laws intended to enhance consumer protection require merchants to be informed and vigilant. Perry J. Viscounty is a partner in the Costa Mesa, Calif., office of Latham & Watkins and chairman of the firm’s global intellectual property, media and technology practice. He can be reached at [email protected] . Steve Fraley and Jennifer L. Barry are litigation associates in the Costa Mesa and San Diego offices, respectively. They can be reached at [email protected] and [email protected] .

Want to continue reading?
Become a Free ALM Digital Reader.

Benefits of a Digital Membership:

  • Free access to 3 articles* every 30 days
  • Access to the entire ALM network of websites
  • Unlimited access to the ALM suite of newsletters
  • Build custom alerts on any search topic of your choosing
  • Search by a wide range of topics

*May exclude premium content
Already have an account?


ALM Legal Publication Newsletters

Sign Up Today and Never Miss Another Story.

As part of your digital membership, you can sign up for an unlimited number of a wide range of complimentary newsletters. Visit your My Account page to make your selections. Get the timely legal news and critical analysis you cannot afford to miss. Tailored just for you. In your inbox. Every day.

Copyright © 2020 ALM Media Properties, LLC. All Rights Reserved.