If Your Business Accepts Credit Cards, You Need to Read This
On December 4, 2003, Congress enacted the Fair and Accurate Credit Transactions Act ("FACTA"). Laudably, Congress sought to address rampant and costly identity theft and credit card fraud. The good news is that, because of FACTA, consumers are now entitled to a free credit report each year. The bad news (for all but plaintiffs' lawyers) is that FACTA has spawned more than 250 federal class-action lawsuits, ensnaring companies such as Wendy's, Victoria's Secret, Bath & Body Works, Costco, FedEx Kinko's, Avis Rent A Car, Toys "R" Us, IKEA, and Rite Aid.
FACTA added sections to the Fair Credit Reporting Act ("FCRA," 15 U.S.C. §§ 1681 et seq.), including three particular rights or obligations: (1) FACTA, as mentioned above, gave consumers the right to a free credit report each year; (2) FACTA created an obligation for businesses to protect customer and employee "consumer information," which is defined as information about consumers or employees, including consumer reports or information derived from a consumer report; and (3) FACTA mandated that retailers truncate the credit card information reflected on a transaction receipt. It is largely because of FACTA that retailers no longer print out receipts containing all 16 digits of your credit card number, but rather truncate the number to a maximum of five digits and remove the credit card expiration date. It is this third aspect which has caught the eye of class-action plaintiffs' counsel and which is the focus of this Commentary.
FACTA's Truncation Requirement
Section 1681c(g)(1) of the FCRA, part of the FACTA enactment, provides that "no person that accepts credit cards or debit cards for the transaction of business shall print more than the last 5 digits of the card number or the expiration date upon any receipt provided to the cardholder at the point of the sale or transaction." This aspect of FACTA was phased in over time to allow large and small businesses to conform to the requirements and update the cash registers in service. The requirement was fully phased in as of December 4, 2006. Since then, the class-action lawsuits have come fast and furious.
With the law fully enacted and phased in, if a violation existed—say, for example, a retailer printed out the customer's receipt with the last seven digits or with the credit card's expiration date—plaintiffs' lawyers could either bring a negligence claim under section 1681o of the FCRA seeking "actual damages" or bring suit under section 1681n for a "willful violation" of 1681c(g) and seek between $100 and $1,000 per violation.
Because proving "actual damage" would prove elusive, if not impossible, virtually every class action brought under FACTA has alleged a willful violation and a right to statutory damages. Pause for a moment and contemplate the large retail entities that have been sued and the number of transactions they engage in during a single day. Now, multiply that by between $100 and $1,000. The numbers quickly run into the millions. Furthermore, there is no cap to the amount of total damages that can be sought, only a cap of $1,000 per violation. Simply put, hundreds of millions of dollars are at issue in these lawsuits. Considering that federal law caps consumers' loss for credit card theft at $50, these statutory damages simply create a windfall for plaintiffs at the expense of the other customers, who ultimately pay for that windfall through higher prices.
What Is a Willful Violation?
With such a large amount hanging in the balance, the definition of a "willful" violation became a pivotal question. More to the point, for a violation to be willful, must the retailer "knowingly" violate FACTA, or merely have a "reckless disregard" for it? In June, the United States Supreme Court answered this question through its unanimous decision in Safeco Insurance Co. of America v. Burr, 551 U.S. ___, 127 S. Ct. 2201 (2007). Unfortunately for retailers, the Supreme Court chose the lower standard of reckless disregard.
The Supreme Court held "that where willfulness is a statutory condition of civil liability, we have generally taken it to cover not only knowing violations of a standard, but reckless ones as well." Consequently, a plaintiff class need only show that the retailer was reckless in failing to truncate its credit card receipts to unlock the vault of statutory damages.
On a brighter note, however, the Court did clarify that "a company subject to FCRA does not act in reckless disregard of it unless the action is not only a violation under a reasonable reading of the statute's terms, but shows that the company ran a risk of violating the law substantially greater than the risk associated with a reading that was merely careless." A company's reading of the statute will be found to be objectively reasonable if the statute is less than clear and there is a "dearth of guidance." In that situation, an unknowing violation "falls well short of raising the 'unjustifiably high risk' of violating the statute necessary for reckless liability."
With the standard for seeking statutory damages resolved, the next issue for retailers to closely monitor is how courts deal with the factual determination of what constitutes a reckless disregard for FACTA. Thus far, plaintiffs have argued, ipso facto, that a FACTA violation should be deemed reckless in all instances because the law has been in effect since 2003, and it has been phased in over the past four years. In other words, they would argue that a retailer has had plenty of time and opportunity to comply with FACTA; thus, any failure to do so by now must be deemed reckless. The error with this approach is that it ignores reality-based defenses (e.g., absent all 16 digits and the CVC code, the card number is likely of little value) in favor of strict liability.
Are There Any Defenses?
Assuming that the receipt fails to comply with FACTA, three basic defenses exist. The first defense focuses on the statutory text regarding whether the receipt in question falls within FACTA's purview. For example, FACTA applies to receipts received at the point of sale. Does "point of sale" mean a purchase at a store, or does it also apply to online transactions? This is likely an issue that will be addressed at the onset of a case. If successful, it would result in dismissal of the case.
The second defense requires proving that the alleged actions do not constitute a willful violation. If successful, this defense would require the plaintiff to prove actual damages, which would be almost impossible. If a business can show that its actions were reasonable based upon the law, even if later found to violate the law, then that action is likely not a willful violation. Furthermore, if a business can show that its actions were negligent rather than reckless—for example, the business changed its registers, but missed a few machines in the process—it is possible that the court may find that action to fall below the threshold required for a willful violation.
The final defense centers on disqualifying the plaintiff class, and it has gained some support. At least two federal district court judges have denied class certification for these types of cases. When comparing the plaintiffs' failure to show any actual harm against the potential harm to the defendants in the tens of millions to hundreds of millions of dollars, the court determined that class actions were not the best method to adjudicate these claims. Both judges determined that individual claims provided a better mechanism of enforcing FACTA's truncation provisions:
If Plaintiff is able to prove that Defendant committed a "willful" violation of FACTA, each class member would be eligible to receive between $100 and $1,000 in statutory damages. If the class is certified, Defendant faces statutory damages alone of between approximately $4.8 million and $48 million. (Def. Motion at 1). Given the disproportionate consequences to Defendant's business and the lack of any actual harm suffered by members of the potential class, the Court finds that Plaintiff fails to meet the superiority requirements.
That both defendants immediately corrected their error upon filing of the complaints served as a major consideration behind these decisions: "By immediately remedying their misconduct upon receiving Plaintiff's Complaint, Defendants demonstrated good faith and nullified any deterrence benefit that might have been derived from a class action." Ideally, this trend will continue and other trial courts will also deny class certification as long as the defendants immediately remedy any potential violation.
What Should My Business Do Now?
If your company has not been sued for a FACTA violation, you still need to act. Conduct an audit of the receipts issued to customers to ensure that all stores comply with FACTA. If any potential violation is noted, correct it immediately. Also, to avoid future unknown liability, monitor the decisions related to FACTA to determine whether there are any changes regarding the statute's interpretation. With that, your company will be able to immediately correct any "new" violations found to exist under the law.
If your company has been sued, act immediately to come into compliance with FACTA. Simultaneously, obtain legal counsel to help you explore the various defenses available to minimize the potential exposure your company may face. Otherwise, a simple receipt error could lead to enormous expense.
For further information, please contact your principal Firm representative or one of the lawyers listed below. General e-mail messages may be sent using our "Contact Us" form, which can be found at www.jonesday.com.
Shawn J. Organ
Kasey T. Ingram
Jones Day publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our "Contact Us" form, which can be found on our web site at www.jonesday.com. The mailing of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.
 127 S. Ct. at 2208.
 Id. at 2215.
 Id. at 2216.
 Soualian v. Int'l Coffee and Tea LLC, Case No. CV 07-502-RGK (JCx), 2007 U.S. Dist. LEXIS 44208, at *10–*11 (C.D. Cal. June 11, 2007); see also Spikings v. Cost Plus, Inc., Case No. CV 06-8125-JFW (AJWx), 2007 U.S. Dist. LEXIS 44214, at *11–*13 (C.D. Cal. May 25, 2007) (order denying class certification on same grounds as Soualian).
 Soualian, 2007 U.S. Dist. LEXIS at *12; see also Spikings, 2007 U.S. Dist. LEXIS 44214 at *14.