security
  Receipts, Expiration Dates and FACTA


by Heather Mark

    If you receive Google news alerts on such phrases as “data breach”, “credit card fraud” and “identity theft”, chances are your inbox is always full. These alerts notify you about news stories as they come on the wire, so that readers are always aware of breaking news on selected subjects. The problem is that, if one were to gauge on volume alone, the picture painted would be one in which every payment card was compromised the moment it was used. (A recent report estimated the number of data breaches since 2005 to be over 160 million!) What’s worse is that these articles and alerts convey the notion that, due to card compromise, everyone’s identity is at risk every minute of every day. Certainly measures should be taken to avoid identity theft, but there are really two questions at play in this issue: 1) Do data breaches result in identity theft? and 2) Is account data compromise the same as identity theft?
    These two questions are inextricably intertwined. The question of whether identity theft can be perpetrated as a result of a data breach is somewhat nebulous. It depends upon what types of data were compromised. Certainly if one’s social security number, address, date of birth and similar information were compromised, then identity theft tops the list of possible outcomes. If only credit card data is compromised, the chances of identity theft occurring are much lower. The media certainly equates credit card fraud and identity theft, and an argument can be made that credit card fraud is in fact a form of identity theft.
    According to the Identity Theft Resource Center, identity theft can be defined as “a crime in which an imposter obtains key pieces of personal identifying information (PII) such as Social Security numbers and driver’s license numbers and uses them for their own personal gain.” Other sources further clarify the definition by stating that the information must then be used to impersonate another person to obtain credit or services in their name. This is where the confusion between credit card fraud and identity theft comes into play. In the case of identity theft, the perpetrators are most often trying to leverage the victim’s credit, employment, or criminal history for their own benefit. The result is often extremely troublesome to the victims, who spend countless hours and thousands of dollars trying to rectify the situation. In contrast, with credit card fraud, most major issuers now have a “zero liability” policy for consumers, meaning that consumers are not responsible for fraudulent charges. Credit card fraud alone may not constitute a full-fledged case of identity theft.
    The argument can be made that this misunderstanding of identity theft and what enables it is responsible for the spate of lawsuits being filed around the Fair and Accurate Credit Transactions Act, or FACTA. Over one hundred lawsuits were filed against merchants claiming that consumers were placed at risk because the expiration date appeared on the receipt in conjunction with a truncated account number. To be fair, FACTA does state that merchants must only print the last five digits of the card number or the expiration date. However, the fact that this was written into legislation is in and of itself indicative of the fog of confusion surrounding the issue. Those who are in the industry can testify that the likelihood of committing identity theft with a truncated account number and an expiration date is negligible.
    However, FACTA doesn’t require an actual demonstration of damages in order to file a suit. It simply states that printing too much information on the receipt is a violation of the law. Further, such violations may be punishable by up to $1,000 per “willful violation.” This phrase is important in and of itself. Many of these cases are filed in the 9th Circuit Court in California. This court traditionally has a much more lenient definition of the term “willful.” The United States Supreme Court handed down its interpretation of the term in June. The Supreme Court held that willful violations were those that were committed “knowingly and recklessly.” It further clarified a reckless action as one that is held to be “objectively unreasonable.” This is significant, as many of the lawsuits claimed that the alleged violations were willful by virtue of the fact that they were occurring at all. This position is based on the belief that the violations had to be willful simply because FACTA was passed in 2003 and the truncation requirement became effective in December 2006. Given that span of time, the argument goes, companies must certainly have had time to remediate their systems to comply.
    These lawsuits pose quite a threat to merchants, and increasingly to the third parties that support and enable merchants. As an example of the risk posed by the lawsuits, if one assumes a merchant is printing receipts with the truncated account number and the expiration date, and that same merchant is processing 100,000 transactions per month, that could amount to over $10 million in fines for a single month. Of course, this sum does not include legal fees and other costs associated with defending a lawsuit. Clearly, these lawsuits are extremely deleterious to the businesses they are targeting.
    There have been some fortunate occurrences, though. In the past few months a handful of these class action suits have been dismissed. Commonly, judges are finding that the damages sought in these cases are out of line with the harm caused by the alleged violation. The concern cited by one judge included the potential economic harm that would be done to the community if a top retailer were forced to pay millions, perhaps billions, of dollars in fines for a violation which caused no actual harm to the consumers. In that case the judge decided that the potential negative impact to the community far outweighed any potential benefits to the consumers that would result from the lawsuit.
    Additionally, in many of these cases the retailer being sued made immediate plans and progress towards rectifying the situation. This gave several judges cause to believe that the alleged violations were not intentional. As soon as the defendants were made aware of the situation, they immediately took steps to rectify it. Such actions impressed upon the courts that the retailers were not willfully placing consumers at risk of identity theft.
    An even more heartening sign is the recognition that an expiration date is hardly sensitive personal information, particularly when printed in conjunction with a truncated card number. U.S. District Judge R. Gary Klausner stated in his decision to dismiss a case against International Coffee and Tea that “it appears virtually impossible for the inclusion of the expiration date on a credit card or debit card receipt to result in identity theft or any other actual harm…”
    The lesson to the payments industry here is clear: due to the public misperception of identity theft, those in the payments industry must be prepared to demonstrate appropriate care of consumer data. Though the violations alleged in the FACTA lawsuits are at best nebulously related to the issue of identity theft, the lawsuits are a further demonstration that the media and the public are clinging to the popular misconception of identity theft. While steps can certainly be taken to correct this confusion, companies, for their own sakes, must also take steps to ensure that their actions are not contributing to the hype. At the end of the day, everyone is a consumer and the golden rule should apply: “Do unto others’ data, as you would have done unto yours.”