Administrative And Private Civil Enforcement Of Customer Data Security Laws

January 2006

Although most enforcement of information privacy laws has involved criminal prosecutions, both regulatory agencies and private plaintiffs have begun to assert civil claims for relief. Individual claims are frequently asserted against credit card companies under the Fair Credit Reporting Act (FCRA) and the Fair and Accurate Credit Transactions Act (FACTA). Unlike the Gramm-Leach-Bliley Act (GLBA), FCRA permits courts to award statutory damages and attorney's fees for private causes of action, and does not cap liability for defendants. The FCRA also produces perhaps the highest volume of claims in class actions. Most of the actions under the FCRA and FACTA are precipitated by incorrect credit report data and credit scores arising out of the reporting of inaccurate information and the failure of creditors to correct inaccurate information.

The federal legislative trend has been to rely upon regulatory enforcement of federal privacy law protections. This past year the Federal Trade Commission instituted several administrative actions for alleged violation of the data security standards contained in the GLBA, which regulates protection of nonpublic personal financial information maintained by financial institutions. Safeguard standards promulgated by the banking regulators as directed by the GLBA require financial institutions to institute formal programs to protect the security and confidentiality of consumer information. In the Matter of Superior Mortgage, No. 0523136 (2005), the FTC asserted that Superior Mortgage, a residential mortgage broker that collects sensitive consumer information through its offices and websites, (1) violated data safeguards required by the regulations implementing GLBA; (2) failed to assess security risks to customer data; (3) failed to password-protect and encrypt customer data; and (4) failed to assure GLBA compliance by its service providers. The FTC alleged that because the broker had advertised data security in its online materials, these omissions also constituted an "unfair or deceptive trade practice" subject to FTC jurisdiction. The mortgage company settled its claims with the FTC. As a result, the company must now accurately represent the extent to which it maintains and protects consumer information provided through its websites and offices. Further, the company must hire an independent third party auditor to assess the company's security procedures every two years for the next ten years.

The FTC has also instituted administrative actions for violations of the Federal Trade Commission Act. In recent news, the Commission charged discount shoe giant DSW with unfair acts and/or practices. In the Matter of DSW Inc., DSW was charged with (1) unnecessarily storing consumer information it no longer had a use for, (2) lacking security measures to limit access to its computer networks through wireless access points on the networks, (3) failing to encrypt files that could be easily accessed by a commonly known user ID and password, (4) granting too much access from computers on one store network to other in-store and corporate networks, and (5) failing to employ methods to detect unauthorized access. DSW also settled with the FTC and is now required to maintain an information security program implementing technical and physical safeguards for consumer information. In addition, every two years, for twenty years, DSW must obtain an audit from a third party professional to assure that the security program is in compliance with the FTC's requirements.

As for private litigation, In re Jet Blue Airways Corp. Privacy Litigation, No. 04-MD-1587 (E.D.N.Y.), involved a nationwide class action alleging an airline's improper disclosure of passenger data for use in a government-sponsored security study. The court dismissed the action, holding that because the airline did not provide communications services, but instead merely utilized those services to obtain and manage customer data, it was not a communications provider subject to the Electronic Communications Privacy Act. On the other hand, class action plaintiffs have been given the green light to pursue claims for relief against credit card companies and one of their data processing partners in Parke v. Cardsystems Solutions, No. CGC-05-44624 (Superior Ct. San Francisco, Calif.). The Parke plaintiffs have asserted a class action for alleged violation of statutory and common law requirements relating to customer data security. Of particular interest are allegations that the defendants were negligent in (1) failing to protect customer data with adequate firewalls; (2) failing to encrypt customer data; (3) engaging in unauthorized storage and retention of customer data; (4) violating industry-specific data security standards; and (5) failing to monitor data security.

A related development arises out of the flurry of state legislative action that took place this year requiring disclosure notices for data breaches, which began with SB 1 enacted by the California legislature. Preemption challenges such as those addressed by the federal courts in California have thus far upheld the preemption by federal law of state law protections. However, the fact that a total of 21 states have now enacted security breach notification laws, combined with increasingly aggressive state attorneys general, a heightened awareness by consumers of privacy risks and privacy claims, and the increase in identity theft, will likely drive new claims in other states as well.

If the plaintiffs are successful in the Parke case mentioned above, firms will find themselves subject to emerging privacy standards based upon general industry practices as well as statutory prescriptions. Both the GLBA and the FTC Safeguard Standards expect firms that maintain confidential information to be held liable for the acts or omissions of their business partners as well as for their own conduct. It is therefore crucial to consider the security requirements applicable to where and how customer data is managed and stored through the use of third party service providers, in addition to the legal requirements that govern the substantive data itself.
