Archive for the ‘FACTA’ Category

Class Action Plaintiffs Look to Fair Credit Reporting Act for Private Relief from Data Breaches Involving Health Information

Thursday, August 21st, 2014

A recent class action brought against the University of Miami (“University”) previews what could become an emerging trend among plaintiffs’ class action attorneys to seek damages for the unauthorized disclosure of personal health information under the Fair Credit Reporting Act (“FCRA” or the “Act”). Enforcement actions for data breaches involving the unauthorized disclosure of personal health information (“PHI”) by health care systems or hospitals typically fall under the purview of the Department of Health and Human Services pursuant to the Health Insurance Portability and Accountability Act (“HIPAA”). However, recent class action plaintiffs’ attorneys have advanced unique arguments in an attempt to bring data breaches involving PHI under the protections afforded by the FCRA.

The FCRA governs Credit Reporting Agencies (“CRAs”) and was enacted to ensure that CRAs accurately and fairly assemble personal information on consumers while maintaining the privacy of their personal information. 15 U.S.C. § 1681a(f). Typically, CRAs assemble and sell “consumer reports” for businesses, such as credit card companies and banks, to use in evaluating a consumer’s eligibility for credit, insurance or employment purposes. 15 U.S.C. § 1681a(d). The FCRA requires that CRAs follow reasonable procedures to protect the information. 15 U.S.C. § 1681e(a). Well known CRAs include Experian, TransUnion and Equifax. Notably, the FCRA provides for statutory damages of up to $1,000 and punitive damages for willful noncompliance with the Act. 15 U.S.C. § 1681n(b). Attorney’s fees may also be collected under the Act. 15 U.S.C. §§ 1681n(c) & 1681o(b).

Class Action Claims Against the University of Miami Health System

In February, current and former patients (“Patients”) filed a class action complaint in the U.S. District Court for the Southern District of Florida against the University alleging that the University allowed the unauthorized access of confidential records of putative class members, including PHI, held by a third-party offsite records vendor without their knowledge or consent and without sufficient security.

Patients asserted, among other things, that the hospital violated the FCRA by failing to implement adequate safeguards to protect their personally identifiable information and PHI from a data breach suffered by the third party vendors. The Patients argued that the hospital was a CRA that created “consumer reports” containing sensitive information including names, dates of birth, social security numbers, billing information and confidential health records, and disseminated this information to medical service providers affiliated with the University. Patients alleged that the University allowed employees of the outside vendor and others to gain unrestricted access to the patients’ personally identifiable information and PHI, which was allegedly misused and intentionally disclosed to third parties for profit.

The University settled these claims last week for just over $100,000, before the court could consider the viability of plaintiffs’ arguments under the FCRA. Nonetheless, there is a class action currently pending in the U.S. District Court for the Middle District of Alabama where hospital patients advanced similar arguments regarding the disclosure of medical and personal information by a hospital under the FCRA. In light of the settlement by the University, the outcome of this case in Alabama may reveal how courts will consider these arguments under the FCRA.

Fair Credit Reporting Act

Plaintiffs’ theory of liability under the FCRA is likely based on the fact that the Act specifically restricts the reporting of medical information to limited purposes and only if the patient has specifically consented to the disclosure. 15 U.S.C. § 1681b(g). The Act also allows for the distribution of consumer reports for “any legitimate business need.” 15 U.S.C. § 1681b(3)(e). However, it is questionable whether hospitals and healthcare systems are CRAs that engage in the business of “regularly assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties.” Hospitals have not traditionally been considered CRAs. Further, hospitals typically collect personal identity information and PHI for their own business and record keeping purposes, not for the purpose of creating and furnishing “consumer reports” to third parties as is required under the FCRA.

Emerging Cause of Action for Data Breach Involving Private Health Information

Importantly, the claims asserted by class plaintiffs in these cases illustrate a novel use of the FCRA in the context of private health data. Plaintiffs have traditionally utilized HIPAA to redress data breaches involving PHI. However, should courts accept the argument that hospitals and medical providers are CRAs subject to the requirements of the FCRA, it will enable plaintiffs to assert claims for statutory and punitive damages, rather than enlisting the HHS to institute enforcement actions under HIPAA when data breaches occur. As the recent data breach of 4.5 million patient records at Community Health Systems, Inc. illustrates, the number of patient records that may be involved in a particular incident can produce very substantial and potentially crippling statutory damages. If plaintiffs’ claims under the FCRA find traction, hospitals, medical providers and healthcare systems can certainly expect these types of private patient actions to follow.

Partial Printing of Expiration Date on Receipt Not Willful FACTA Violation, Says Appellate Court

Tuesday, January 31st, 2012

As most know by now, the Fair and Accurate Credit Transactions Act (FACTA) prohibits the printing of more than the last five digits of a customer’s credit or debit card number as well as displaying the expiration date of the card on the receipt.  The law as originally passed was extremely confusing because it stated that it was illegal to print more than five digits OR the expiration date.  Many retailers – justifiably so – interpreted that provision to mean that if they did not print more than 5 digits they could print the expiration date on a receipt.  Unfortunately, when Congress said “or,” it really meant “and,” and so an epidemic of federal class action lawsuits was filed based on a hyper-technical violation occasioned by ambiguity in the law.  It got so bad that FACTA was amended by the Credit and Debit Card Receipt Clarification Act of 2007, which clarified that receipts could display neither more than 5 digits nor the expiration date.

A recent case involving Tommy Hilfiger raised yet another nuanced question under FACTA – namely, whether a plaintiff can sue on a class action basis for display of a partial expiration date on a receipt.  In that case, the merchant allegedly printed the expiration month, but not the year, on plaintiff’s credit card.  The question for the Court was whether that partial display was a willful violation, because in order to be entitled to statutory damages (up to $1,000 per receipt) a plaintiff must evidence a willful violation.  (A negligent violation is actionable, but in that instance plaintiff must show actual damages – something that is often (always???) lacking in these cases.)

The Court first considered whether the partial printing was a violation of FACTA in the first place, because the law was silent on the question.  FACTA specifically delineates the number (and which ones, at that) of digits that may be printed (the last 5), but it does not speak in such specifics to the expiration date.  The Court concluded that a partial printing was a violation because the “most natural reading of the phrase ‘expiration date’ is that it refers to the information or data contained in the expiration date field on the face of the card.”

Next, plaintiff had to prove that the violation was willful in order to be entitled to statutory damages.  This it could not do.  As this case demonstrates, willfulness is not satisfied merely upon a showing that the defendant’s interpretation was erroneous; rather, its interpretation must be “objectively unreasonable.”  The Court observed that defendant’s interpretation had some foundation in the text of FACTA (not to mention the fact that the district court agreed with it).  Since the merchant’s interpretation was reasonable (albeit wrong), there was no willful violation and therefore no statutory damages could be awarded.  The Court affirmed the trial court’s dismissal.

This is the right result.  So many times, courts let these cases go forward despite the fact that the defendant’s interpretation was not objectively unreasonable as a matter of law.  While the FACTA law has laudable intentions (curbing identity theft and credit card fraud), it is extremely vague and has ensnared many a well-intentioned retailer over the last several years.  If cases like these are allowed to proceed beyond the pleading stage, defendants are often forced to capitulate to coercive settlements because their potential exposure (not to mention the costs and inconveniences of litigation) is ridiculously high.  Fortunately, courts have recently curtailed some of the unwarranted extensions of the law, finding that it does not apply to electronic confirmations of Internet transactions (among other things), and this decision is yet another in the defense arsenal.

E-Filing Privacy Class Action to be heard by U.S. Supreme Court

Tuesday, January 17th, 2012

In a somewhat bizarre case, Chicago attorney Jim Bormes filed a FACTA class action against the government after he received an email confirmation of his e-filing transaction (it costs approximately $350 to file a federal lawsuit).  FACTA has been a big piece of my practice over the last several years, and it has received a considerable amount of press.  The precise issue in this appeal is whether the government can be sued for a FCRA (FACTA is a part of FCRA) claim or whether the government enjoys sovereign immunity.  While I enjoy the theoretical question of sovereign immunity, I wonder where plaintiff is intending to go with the case.  Several courts – including the Seventh Circuit – have ruled that electronic confirmations of internet transactions are NOT printed receipts actionable under FACTA, which generally prohibits printing more than 5 digits and displaying the expiration date of a consumer’s credit or debit card.  Sounds like plaintiff will have a number of hurdles to overcome.  This Courthouse News article provides a nice summary.
