On April 7, 2014, the U.S. District Court for the District of New Jersey issued an opinion in Federal Trade Commission v. Wyndham Worldwide Corporation, allowing the FTC to proceed with its case against the company. Wyndham had argued that the FTC lacks the authority to regulate data security under Section 5 of the FTC Act. The judge rejected Wyndham’s challenge, ruling that the FTC can charge Wyndham with unfair data security practices. The case will continue to be litigated on the issue of whether Wyndham’s data security practices constituted a violation of Section 5.
On March 11, 2013, in Tyler v. Michaels Stores, Inc., the Massachusetts Supreme Judicial Court effectively reinstated the suit against the retailer by answering, in the plaintiff’s favor, three questions certified by the United States District Court for the District of Massachusetts regarding Massachusetts General Laws Chapter 93, Section 105(a), entitled “Consumer Privacy in Commercial Transactions” (“Section 105(a)”). The court ruled that (1) a ZIP code constitutes personal identification information under the Massachusetts law; (2) a plaintiff may bring an action for a violation of the Massachusetts law absent identity fraud; and (3) the term “credit card transaction form” refers equally to electronic and paper transaction forms. The Massachusetts court’s determination that a ZIP code constitutes personal identification information is similar to the holding in Pineda v. Williams-Sonoma Stores, Inc., in which the California Supreme Court held that ZIP codes are “personal identification information” under California’s Song-Beverly Credit Card Act. More than 15 states, including Massachusetts and California, have statutes limiting the type of information that retailers can collect from customers.
On February 4, 2013, the Supreme Court of California examined whether Section 1747.08 of the Song-Beverly Credit Card Act (“Song-Beverly”) prohibits an online retailer from requesting or requiring personal identification information from a customer as a condition to accepting a credit card as payment for an electronically downloadable product. In a split decision, the majority of the court ruled that Song-Beverly does not apply to online purchases in which the product is downloaded electronically.
As reported in BNA’s Privacy & Security Law Report, on December 14, 2012, a federal district court in California ruled that a retail store’s policy of collecting personal information only after providing customers with receipts does not violate the Song-Beverly Credit Card Act (“Song-Beverly”). Under Section 1747.08(a)(2) of Song-Beverly, a retailer that accepts credit cards for the transaction of business may not “[r]equest, or require as a condition to accepting the credit card as payment … the cardholder to provide personal identification information,” which the entity accepting the credit card then “writes, causes to be written, or otherwise records upon the credit card transaction form or otherwise.”
On September 13, 2012, the PCI Security Standards Council (“PCI SSC”) issued new guidelines entitled “PCI Mobile Payment Acceptance Security Guidelines” (the “Guidelines”), which outline best practices for mobile payment acceptance security. As we reported in May, the PCI SSC Mobile Working Group published its “At a Glance: Mobile Payment Acceptance Security” fact sheet, detailing how merchants can more securely accept payments on mobile devices.
As reported in BNA’s Privacy & Security Law Report, on June 25, 2012, a federal district court in California ruled that the California Supreme Court’s 2011 Pineda decision, which held that requesting and recording ZIP codes during credit card transactions violates the state’s Song-Beverly Credit Card Act, applies retrospectively to OfficeMax’s collection of ZIP codes from its customers. The plaintiffs in Dardarian v. OfficeMax had filed a class action lawsuit against OfficeMax over the company’s collection of ZIP code information from customers at the point of sale, a practice that OfficeMax ended the day the Pineda decision was handed down.
On June 26, 2012, the Federal Trade Commission announced that it had filed suit against Wyndham Worldwide Corporation and three of its subsidiaries (“Wyndham”) alleging failures to maintain reasonable security that led to three separate data breaches involving hackers accessing sensitive consumer data. The FTC’s complaint claims that Wyndham violated the FTC Act by posting misleading representations on Wyndham websites regarding how the company safeguarded customer information, and by failing to provide reasonable security for personal information it collected. According to the complaint, these alleged security failures led to unauthorized exposure of Wyndham’s customers’ personal information and caused financial injury to consumers and businesses through fraudulent charges and other costs.
On May 16, 2012, the PCI Security Standards Council’s (“PCI SSC’s”) Mobile Working Group published its “At a Glance: Mobile Payment Acceptance Security” fact sheet (the “Guidance”), which outlines best practices for securely accepting payments via mobile devices. The Guidance offers merchants practical advice for partnering with a Point-to-Point Encryption (“P2PE”) solution provider and satisfying their PCI Data Security Standard compliance requirements in the context of mobile payment acceptance. The Guidance includes recommendations for maintaining data security throughout the payment lifecycle, including securing account data at the point of capture and using an approved hardware accessory in combination with a validated P2PE solution.
As reported in BNA’s Privacy & Security Law Report, on May 4, 2012, the United States District Court for the Southern District of California granted plaintiffs’ motion for class certification in an action against IKEA U.S. West, Inc. (“IKEA”) under the Song-Beverly Credit Card Act of 1971 (the “Song-Beverly Act”). The suit alleges that IKEA violated the Song-Beverly Act by requesting that cardholders provide their ZIP codes during credit card transactions, and then recording that information in an electronic database. The Court found that the class definition was not overbroad and that IKEA’s practice of requesting ZIP codes demonstrated common questions of law best resolved through a class action.
Last month, two New Jersey judges issued opposing decisions in class action lawsuits regarding merchants’ point-of-sale ZIP code collection practices. The conflicting orders leave unanswered the question of whether New Jersey retailers are prohibited from requiring and recording customers’ ZIP codes at the point of sale during credit card transactions.