Fear FACTA: Beware the Truncation Requirement of the Fair and Accurate Credit Transactions Act
All businesses, large and small, that issue electronically generated credit or debit card receipts to consumers at the point of transaction are subject to the “truncation” requirement of the Fair and Accurate Credit Transactions Act of 2003 (FACTA). This seemingly modest provision, which forbids credit and debit card receipts, whether for $1 or $100,000, from displaying more than the last five digits of the cardholder’s account number, unleashed a wave of class action litigation, no doubt due in large part to the Act’s establishment of statutory damages of up to $1,000 per violation regardless of the occurrence of actual injury. Promoted by an active plaintiffs’ bar, lawsuits have been filed against businesses of all types and sizes, ranging from small mom-and-pop stores to the likes of Federal Express, Southwest Airlines, Adidas, 1-800-Flowers.com and Avis Rent-A-Car. Even defendants who have dodged such claims through early motions to dismiss or by later defeating motions for class certification have had to bear the significant costs and risks of defending against class action litigation. Others, not so fortunate, who have failed to defeat class certification motions, generally have settled to avoid facing the risk of trial and potentially crippling damage awards. The lessons learned from the first decade of FACTA counsel that businesses should indeed fear the consequences of violating the Act’s truncation requirement and be diligent in following some simple but essential safeguards.
In 2003, to combat the growing problem of identity theft and credit and debit card fraud, Congress enacted FACTA, Pub. L. 108-159, 15 U.S.C. § 1681c(g), as an amendment to the Fair Credit Reporting Act, 15 U.S.C. § 1681 et seq. (FCRA). FACTA includes, among other things, a “truncation” requirement that a person who accepts credit or debit cards for the transaction of business may not print more than the last five digits of the card number, or print the expiration date, on any electronically printed receipt given to a cardholder at the point of the sale or transaction; the requirement does not apply to transactions in which the credit or debit card account number is entered by handwriting or by an imprint or copy of the card. While the Act clearly applies to the issuance of paper receipts provided during face-to-face transactions, courts have disagreed over whether FACTA also applies when a business does not actually print the receipts, such as in Internet transactions where receipts are transmitted electronically to consumers.
The statute of limitations for bringing suit to remedy an alleged FACTA violation is two years from discovery of the violation, but not later than five years from the violation. 15 U.S.C. § 1681p. The truncation provision, which had a phased-in effective date depending on when registers were manufactured, became fully effective in December 2006, 15 U.S.C. § 1681c(g)(3), and was met with an almost overnight onslaught of class action lawsuits.
FACTA’s Damages Provisions
FACTA’s fear factor resides in its damages provisions. While Congress intended to stem the growth of identity theft and credit card fraud, it did not foresee that the damages provisions of the Act would result in potential damage awards of such magnitude as to be capable of causing the bankruptcy, and even the demise, of businesses held to have willfully violated its terms.
The Act provides that any person that negligently violates the truncation requirement is liable for actual damages, as well as attorneys' fees. 15 U.S.C. § 1681o(a). More significantly, in the case of “willful” violations, the Act provides for recovery of statutory damages of not less than $100 but not more than $1,000 per violation, as well as punitive damages and attorneys' fees. 15 U.S.C. § 1681n(a).
The meaning of “willful”, which is not defined in the Act, was an early battleground in FACTA litigation. However, in Safeco Ins. Co. of America v. Burr, 551 U.S. 47 (2007), the U.S. Supreme Court interpreted the willfulness requirement for statutory damages under FCRA as including not only a knowing violation, but also “reckless disregard” of the law’s requirements. “Recklessness” was explained as an action entailing “’an unjustifiably high risk of harm that is either known or so obvious that it should be known.’” Thus, the Court said, “a company subject to FCRA does not act in reckless disregard of it unless the action is not only a violation under a reasonable reading of the statuteʹs terms, but shows that the company ran a risk of violating the law substantially greater than the risk associated with a reading that was merely careless.” In short, “recklessness” involves something more than negligence, but need not rise to the level of an intentional act. Lower courts have since applied Safeco in construing the willfulness element of FACTA, which was enacted as an amendment to FCRA.
Significantly, a class action plaintiff claiming statutory damages on account of a willful violation of FACTA is not required to prove that identity theft, or any other actual injury, resulted to it or any member of the putative class. The mere issuance of an improperly truncated receipt to a consumer is deemed to itself constitute injury for purposes of the statute and to confer standing to sue.
When claims are aggregated in a class action on behalf of all customers of a merchant that failed to properly truncate credit card numbers, the amount of damages can be massive. For example, a single credit/debit card terminal that is improperly programmed could spew more than 40,000 inadequately truncated receipts to customers in a single year. Should such a failure to have properly truncated the receipts be found to have resulted from reckless conduct, statutory damages could amount to as much as $40,000,000, and the defendant also could be subject to an award of punitive damages and attorneys’ fees. Where the failure to properly truncate receipts extends to scores or even hundreds of terminals, the number of unlawful receipts can rise into the hundreds of thousands or even millions, and the potential damages can be nothing short of catastrophic, with FACTA class actions against major retailers having been reported to involve potential damage claims amounting to billions of dollars (e.g., Costco–$17 billion; StubHub–$2 billion; Cost Plus World Market–$3.4 billion).
FACTA Class Action Litigation
Courts have shown varying degrees of receptiveness to FACTA class actions. Complaints often have been bare-bones, reciting little more than the basic elements of a FACTA claim and the federal class action rule, but alleging few facts to support claims of willfulness or recklessness. Some courts have dismissed such complaints, finding that they inadequately plead the required elements of a claim for a knowing violation of FACTA. Even partial dismissal of a complaint, striking the allegations of a knowing or reckless violation, can put an end to a putative FACTA class action, since absent access to statutory damages, each class member would be required to prove that he/she suffered actual damages from an improperly truncated receipt, which not only would be impossible for most class members but likely would render the case unsuitable for class action treatment. In such cases, most class action plaintiffs and their lawyers will elect to withdraw their case rather than proceed. Indeed, with willfulness as the key to FACTA class actions, it is no wonder that some plaintiffs disclaim any violation based on negligence, and that defendants focus their attack on a complaint’s allegations of willfulness. Unfortunately, many courts have failed to apply a discriminating eye to FACTA class action complaints, even when presented with little more than conclusory allegations of willfulness, deferring consideration of such issues to either the class certification hearing or trial, but not through an early motion to dismiss.
At the class certification stage, a number of courts have denied certification, focusing on the potentially annihilative amount of damages that a defendant could incur, and the disproportionate relationship of such damages to the absence of actual economic injury suffered by the plaintiff and class members. Those courts have expressed concern that the potentially enormous aggregation of statutory damages threatens to violate the due process rights of defendants, and to have an “in terrorem effect”, pressuring defendants to accept unfair settlements, even when meritorious defenses exist, to avoid facing the risk of ruinous liability. Additional factors that have influenced courts to deny class certification have included (1) expert testimony that printing the expiration date on an otherwise properly truncated receipt cannot possibly cause identity theft or other actual injury; (2) a defendant’s prompt efforts to properly truncate receipts after learning of the non‐compliance; and (3) the fact that denial of class certification would not prevent persons who actually suffered injury from bringing individual claims for compensatory damages, or persons who suffered no actual injury from bringing individual actions to recover statutory damages plus attorneys’ fees. Other courts, however, have granted certification, either rejecting the annihilation defense and other attacks on certification, or deciding that such issues should be addressed after trial, if liability is found, in the damages phase of the case.
In many early FACTA cases, defendants took the position that they were unaware of the Act’s truncation requirement. With the Act now ten years old, and given the widespread publicity surrounding the law, including industry advisories and even the imposition of compliance requirements by the major credit and debit card companies, it has become increasingly difficult for a business to assert that it was unaware of FACTA’s existence or requirements, and more likely that disregard of the Act’s requirements could be deemed to be reckless, if not knowing. Likewise, whereas plaintiffs frequently sought to define as large a class as possible, some plaintiffs’ counsel have now taken to defining the putative class more narrowly, on geographic or other bases, in anticipation of the annihilation defense, to ensure that potential damages in the case, while substantial, will remain in the non-lethal zone.
FACTA Safeguards
There are a number of steps that a business can, and should, take to discover any current or past FACTA noncompliance, reduce the likelihood of future FACTA violations, lessen exposure from past, present or future violations, and be positioned to respond to class action FACTA litigation, should it arise. These steps not only will reduce the potential for future lawsuits and mitigate any potential damage award in such litigation—particularly by reducing the likelihood of a violation being found to have been willful or reckless—but also may assist defense lawyers in negotiating an early settlement of FACTA litigation by demonstrating the weakness of the plaintiff’s claim of a willful violation.
- Review all current register and terminal supply, software and service contracts to determine whether vendors have been made responsible for FACTA compliance. If they have not, seek to amend the contracts (e.g., through contract extensions) to clearly (i) delegate responsibility to them for ensuring that terminals properly truncate receipts in compliance with FACTA requirements, (ii) impose liability and defense costs on vendors should they fail to do so, and (iii) be named as an additional insured on vendors’ insurance policies.
- Prospectively, include similar provisions in all new contracts with vendors and service providers.
- Review current insurance policies to determine whether they provide coverage for defense of FACTA claims and, if they do not, explore the availability and cost of securing such coverage.
- Adopt a written FACTA compliance policy.
- Routinely, and preferably on a quarterly basis, check all terminals to confirm that they are operating in compliance with FACTA truncation requirements.
- Inform employees of FACTA’s truncation requirement and their responsibility to promptly inform management of any instance where they observe that receipts issued to consumers are not properly truncated.
- If a potential FACTA violation is discovered, (i) take immediate action to determine the extent of noncompliance (i.e., how many registers are issuing non-compliant receipts, the reason for the noncompliance (e.g., intentional failure to correctly program registers, or error by the manufacturer or service provider), the time period during which noncompliant receipts were issued, and the number of noncompliant receipts that were issued to consumers); (ii) have vendors correct improperly programmed registers; (iii) verify that all other registers are properly truncating account numbers; (iv) review contracts of service providers to determine the scope of their responsibility for the violation and its consequences, and any notice requirements; and (v) review insurance policies to determine the extent of any coverage and applicable notification requirements. These actions should be taken under the supervision of counsel, in order to maintain all available privileges that may apply (e.g., attorney-client privilege, and privilege for voluntary self-corrective actions).
* * *
Identity theft is a significant, and growing, worldwide problem. In this environment, FACTA litigation shows no sign of abating. Please let us know if you have any questions regarding the applicability of, or compliance with, FACTA, or need assistance in reviewing your compliance with the Act’s requirements, preparing a FACTA truncation compliance policy, or responding to FACTA litigation.