Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
On April 22, the U.S. Court of Appeals for the 11th Circuit affirmed a district court’s ruling that including too many digits of a consumer’s credit card account number on a receipt was sufficient to constitute a concrete injury even if the consumer’s identity was not stolen. Under the Fair and Accurate Credit Transactions Act (FACTA), merchants are prohibited from including more than the final five digits of a consumer’s credit card number on a receipt. According to the opinion, the consumer filed a class action suit against a chocolate company, alleging that one of its stores printed the first six and last four digits of his account number on a receipt, which exposed the class members “to an elevated risk of identity theft.” When the parties sought approval of a proposed settlement, two unnamed class members contested the settlement on the grounds that, among other things, the consumer/class representative lacked standing to sue because he had not suffered a concrete injury as defined in the U.S. Supreme Court’s decision in Spokeo, Inc. v. Robins. The district court, however, approved the settlement.
On appeal, the 11th Circuit held that an increased risk of identity theft is sufficient to bring claims under FACTA, and that the class representative’s “alleged injury is ‘particularized’ because the heightened risk of identity theft affected him ‘in a personal and individual way’—it was his credit card number that appeared on the receipt.” Moreover, the appellate court noted, “In our view, if Congress adopts procedures designed to minimize the risk of harm to a concrete interest, then a violation of that procedure that causes even a marginal increase in the risk of harm to the interest is sufficient to constitute a concrete injury.”
On March 8, the U.S. Court of Appeals for the 3rd Circuit issued a precedential opinion holding that, without concrete evidence of harm, a consumer lacks standing under the Fair and Accurate Credit Transactions Act (FACTA) to sue a merchant for including too many digits of his credit card account number on a receipt. According to the opinion, the plaintiff claimed that he received receipts from three different stores owned by the defendant, all of which included both the final four digits and the first six digits of his account number. The plaintiff filed a class action lawsuit alleging the defendant willfully violated FACTA, which prohibits printing more than the last five digits of credit card number on a receipt. The plaintiff alleged that this violation, which he also claimed increased the risk of identity theft, constituted an injury-in-fact sufficient to confer Article III standing as required under the U.S. Supreme Court’s 2016 ruling in Spokeo v. Robins (covered by a Buckley Special Alert). The district court dismissed the suit.
On appeal, the 3rd Circuit agreed with the lower court, holding that the plaintiff failed to allege actual harm from the defendant’s practice. The appellate court held that the defendant’s technical violation of FACTA did not give the plaintiff standing to sue. Moreover, in the absence of actual harm, or a material risk of actual harm (the plaintiff did not allege that anyone—aside from the cashier—saw the receipt, that his credit card number had been misappropriated, or that his identity was stolen), the plaintiff would not have suffered the injury-in-fact that created federal court jurisdiction.
On September 19, the U.S. Court of Appeals for the Second Circuit issued an opinion ruling that a merchant who had printed the first six numbers of a consumer’s credit card on a receipt violated the Fair and Accurate Credit Transactions Act (FACTA), but that because the violation did not cause a concrete injury, the consumer did not have standing to sue the merchant. Under FACTA, merchants are prohibited from including more than the final five digits of a consumer’s credit card number on a receipt. In this instance, the plaintiff filed a complaint in 2014, followed by an amended complaint later that same year, in which he alleged that he twice received printed receipts containing the first six digits of his credit card number, in violation of FACTA. The plaintiff claimed that the risk of identity theft was a sufficient injury to establish standing. The defendants argued that that the first six digits of the credit card account only identified the card issuer and did not reveal any information about the consumer, which did not “raise a material risk of identity theft.” Citing a Supreme Court ruling in Spokeo v. Robins, the district court opined that a procedural violation of a statute is not enough to allow a consumer to sue, because it must be shown that the violation caused, or at least created a material risk of, harm to the consumer—which, in this case, was not present. Accordingly, the appellate court affirmed the district court’s dismissal for lack of subject matter jurisdiction, but found that the district court erred in dismissing the suit with prejudice.
On June 26, the U.S. Court of Appeals for the Second Circuit held that, without concrete evidence of actual harm, a consumer lacks standing under the Fair and Accurate Credit Transactions Act (FACTA) to sue a merchant for printing credit card expiration dates on receipts. The consumer alleged that printing the expiration date on her credit card receipt led to a material risk of identity theft, and therefore constituted an injury-in-fact sufficient to confer Article III standing. The court disagreed, noting that Congress’s amendments to FACTA belie that expiration dates on credit card receipts increase the risk of identity theft. Moreover, the court held that the consumer failed to allege actual harm from the merchant’s practice.
The court’s decision in Cruper-Wienmann comes approximately one month after the U.S. Supreme Court’s decision in Spokeo, Inc. v. Robins, 136 S. Ct. 1540, 194 L. Ed. 2d 635 (2016), as revised (May 24, 2016), which held that “bare procedural violation[s], divorced from any concrete harm” are not enough to establish standing.
On April 18, the U.S. Court of Appeals for the Seventh Circuit dismissed a class action seeking damages against Shell under the Fair and Accurate Credit Transactions Act (FACTA) for displaying four digits of customers’ credit card numbers on receipts printed at Shell gas stations. Van Straaten v. Shell Oil Products Co. LLC, No. 11-8031, 2012 WL 1340111 (7th. Cir. Apr. 18, 2012). FACTA requires that such receipts truncate card numbers to display no more than the last five digits of the card number. Shell’s practice was to print the last four digits of what it calls the “primary account number,” which is the number appearing before the last five digits of the sequence of numbers appearing on the front of the credit card. The plaintiffs did not allege that Shell’s practice created a risk of identity theft, but that Shell violated FACTA by printing the wrong four numbers. Writing for a three-judge panel, Chief Judge Frank Easterbrook indicated that FACTA does not define the term “card number,” but the panel did not have to define the term, “because we can’t see why anyone should care how the term is defined.” He added that ”[a] precise definition does not matter as long as the receipt contains too few digits to allow identity theft.” As to FACTA’s authorization of $100 to $1,000 for each willful violation, Judge Easterbrook noted that “[a]n award of $100 to everyone who has used a Shell Card at a Shell station would exceed $1 billion, despite the absence of a penny’s worth of injury.” Because Shell now prints no such digits on its receipts, “the substantive question in this litigation will not recur for Shell or anyone else; it need never be answered.”
On March 12, the FTC released the results of a survey conducted to gauge consumer experiences in dealing with consumer reporting agencies (CRAs) following an identity theft. While the survey indicates that the majority of consumers were satisfied with their experiences, many consumers were unaware of their rights under the Fair and Accurate Credit Transactions Act (FACTA) before contacting a CRA. In response to concerns raised by consumers in the survey, the report recommends that (i) CRAs make it easier for consumers to reach a live person and (ii) the CFPB use its examination and rulemaking authority, and the FTC employ its enforcement authority, to address CRAs’ practice of attempting to sell identity theft products to consumers reporting identify thefts.
On January 24, the U.S. Court of Appeals for the Third Circuit affirmed a district court holding that printing of partial expiration dates does constitute a Fair and Accurate Credit Transactions Act (FACTA) violation, but held that the merchant, in this case, did not willfully violate FACTA by printing a portion of credit card expiration dates on customer receipts. Long v. Tommy Hilfiger U.S.A., Inc., No. 11-1554, 2012 WL 180874 (3rd Cir. Jan. 24, 2012). The consumer alleged, on behalf of a putative nationwide class, that the merchant’s practice of printing receipts that included the expiration month, but not year, willfully violated FACTA’s prohibition against printing “more than the last five digits of a credit card number or the expiration date upon any receipt provided” at the time of a transaction. On appeal, the court considered two questions: (i) whether the consumer properly alleged a FACTA violation, and (ii) whether the merchant’s alleged conduct constituted a willful violation of FACTA. The court held that FACTA prohibits printing of partial expiration dates, and that therefore plaintiff did properly allege a FACTA violation. The court explained that “expiration date” is not defined in the law, and found that “the most natural reading of the phrase” prohibits merchants from printing any of the numbers that appear in the expiration date field on a credit or debit card. If Congress had intended to allow partial expiration dates, the court stated, it would have used language similar to that used with regard to partial credit card numbers. However, the court held that the consumer could not recover statutory damages of $100 to $1,000 per violation, punitive damages, and attorneys fees, because the merchant’s action was not willful. Relying on a standard set in Safeco Insurance Company of America v Burr, 551 U.S. 47 (2007), the court held that the merchant’s interpretation that the statute permits partial expiration dates was not “objectively unreasonable”, because the statute does not provide a definition for “expiration date” and the interpretation has some foundation in the statutory text. According to the court, although the merchant’s interpretation of FACTA was wrong, it did not constitute a willful violation of the law.
- Buckley Webcast: The next consumer litigation frontier? Assessing the consumer privacy litigation and enforcement landscape in 2019 and beyond
- Buckley Webcast: The CFPB’s proposed debt collection rule
- Buckley Webcast: Trends in e-discovery technology and case law
- Brandy A. Hood to discuss "What the flood? Don’t get washed away by a flood of changes" at the American Bankers Association Regulatory Compliance Conference
- Daniel P. Stipano to discuss "Mitigating the risks of banking high risk customers" at the American Bankers Association Regulatory Compliance Conference
- Daniel P. Stipano, Kari K. Hall, Brandy A. Hood, and H Joshua Kotin to discuss "Regulations that matter in a deregulatory environment" at the American Bankers Association Regulatory Compliance Conference Power Hour
- Buckley Webcast: Data breach litigation and biometric legislation
- Hank Asbill to discuss "Pay no attention to the man behind the curtain: Addressing prosecutions driven by hidden actors" at the National Association of Criminal Defense Lawyers West Coast White Collar Conference
- Daniel P. Stipano to discuss "Keep off the grass: Mitigating the risks of banking marijuana-related businesses" at the ACAMS AML Risk Management Conference
- Daniel P. Stipano to discuss "Mid-year policy update" at the ACAMS AML Risk Management Conference
- Amanda R. Lawrence to discuss "Navigating the challenges of the latest data protection regulations and proven protocols for breach prevention and response" at the ACI National Forum on Consumer Finance Class Actions and Government Enforcement
- Benjamin W. Hutten to discuss "Requirements for banking inherently high-risk relationships" at the Georgia Bankers Association BSA Experience Program
- Daniel P. Stipano to discuss "Lessons learned from recent enforcement actions and CMPs" at the ACAMS AML & Financial Crime Conference
- Daniel P. Stipano to discuss "Assessing the CDD final rule: A year of transitions" at the ACAMS AML & Financial Crime Conference
- Douglas F. Gansler to discuss "Role of state AGs in consumer protection" at a George Mason University Law & Economics Center symposium