
Over 100 FACTA Lawsuits Filed in California Against Businesses Printing PII on Receipts; Are You In Compliance With All FACTA Requirements?

I read with interest an article in today's issue of the BNA Privacy and Security Law Report about over 100 lawsuits that have recently been filed within the California federal courts because of the amount of personally identifiable information (PII) that is printed on credit and debit card receipts.

The Fair and Accurate Credit Transactions Act (FACTA), an extension of the Fair Credit Reporting Act (FCRA), applies to basically any type of business that handles PII. One of its goals was to reduce identity theft by prohibiting businesses from printing excessive PII on receipts.

FACTA was enacted in 2003, but merchants had until December 4, 2006 to meet compliance with the receipt requirements.

Think about the credit card receipts you got before FACTA; remember how they all had your full credit card number printed on them? Now, if the merchants are complying, you will typically see X's where the credit card number used to be, with only the last 4 digits of the card number still showing so the purchaser knows which of their cards was used for the transaction. Credit card companies are also making changes on their monthly statements; a couple of mine have started using X's in place of the real numbers on the statements themselves.
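The truncation described above is easy to get wrong in receipt-printing code, so here is an added example (not code from the post or from any of the businesses named in it) showing both sides of it: a helper that masks a card number down to the last 4 digits the way the post describes, and a check that scans receipt text for any card-length digit run that still passes the Luhn checksum, which is how a compliance reviewer would spot an untruncated number on a stack of receipts. The regular expression, the `visible` parameter and the sample receipt are assumptions made for this example; the receipt text is constructed, using a well-known test card number rather than a real one.

```python
import re

# Digit runs of 13 to 19 digits, optionally separated by spaces or dashes,
# not touching other digits on either side. Assumed pattern for this example.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Standard Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan_for_receipt(pan: str, visible: int = 4, fill: str = "X") -> str:
    """Return a receipt-safe rendering of a card number.

    Keeps only the last `visible` digits (4 by default, the practice the post
    describes) and replaces every other digit with `fill`, preserving spaces
    and dashes so the printed layout matches the original.
    """
    digits = [c for c in pan if c.isdigit()]
    if not 12 <= len(digits) <= 19:
        raise ValueError("not a plausible card number length")
    if not 0 <= visible < len(digits):
        raise ValueError("visible digit count must be smaller than the number")
    keep_from = len(digits) - visible
    out, seen = [], 0
    for c in pan:
        if c.isdigit():
            out.append(c if seen >= keep_from else fill)
            seen += 1
        elif c in " -":
            out.append(c)
        else:
            raise ValueError(f"unexpected character {c!r} in card number")
    return "".join(out)


def find_untruncated_pans(receipt_text: str) -> list:
    """Return (line_number, match) for every Luhn-valid card number in the text.

    A compliant receipt shows at most a few trailing digits, so any full-length
    run that passes Luhn is a strong sign the printer is not truncating.
    """
    hits = []
    for lineno, line in enumerate(receipt_text.splitlines(), 1):
        for m in _PAN_RE.finditer(line):
            if luhn_ok(re.sub(r"[ -]", "", m.group())):
                hits.append((lineno, m.group()))
    return hits


def redact_receipt(receipt_text: str) -> str:
    """Rewrite receipt text so every Luhn-valid card number is masked."""
    def _sub(m):
        digits = re.sub(r"[ -]", "", m.group())
        return mask_pan_for_receipt(m.group()) if luhn_ok(digits) else m.group()
    return _PAN_RE.sub(_sub, receipt_text)


# Constructed sample receipt (the card number is a common test value, not a real card).
SAMPLE_RECEIPT = """ACME FUEL #42 (constructed sample receipt)
VISA 4111 1111 1111 1111
AUTH 123456
TOTAL $38.10
"""

if __name__ == "__main__":
    print("non-compliant lines:", find_untruncated_pans(SAMPLE_RECEIPT))
    print(redact_receipt(SAMPLE_RECEIPT))
    print("after redaction:", find_untruncated_pans(redact_receipt(SAMPLE_RECEIPT)))
```

Running the block reports line 2 of the sample as non-compliant, prints the receipt with the number rendered as `XXXX XXXX XXXX 1111`, and then finds nothing on the redacted copy. The Luhn filter keeps authorization codes, totals and phone numbers from being flagged; the digit-count bounds on the masking helper keep it from silently "masking" something that was never a card number.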

The list of defendants in these suits includes Chanel Inc.; Toys-R-Us Delaware Inc.; Rite Aid Corp; Costco Wholesale Inc.; The Walt Disney Parks and Resorts; California Pizza Kitchen Inc.; El Pollo Loco; Levy Restaurants; United Artists Theatre Circuit Inc.; FedEx Kinkos Office and Print Services Inc.; Valero Energy Corp.; and Avis Rent-A-Car Systems Inc.

Businesses should realize that even though the suits were filed in California, FACTA is a Federal law, and all companies doing business throughout the U.S. need to comply. Two other FACTA violation cases were filed in Pennsylvania in March. The list will likely continue to grow throughout all the states.

Plaintiffs can recover a minimum of $100 and up to $1,000 in statutory damages per willful violation of the law under FACTA. Plaintiffs can also seek actual damages for negligent violations of the law. Think about it, PER VIOLATION. If your business does 1,000 transactions in violation of FACTA, then a penalty of 1,000 × $1,000 = $1,000,000 would be possible. It adds up quickly, doesn't it?

FACTA also has requirements for businesses to securely dispose of PII. These are elaborated upon in the Disposal Rule.

Another requirement is to ensure the PII you are responsible for is accurate.

Has your business taken actions to be compliant with FACTA? Do you know if it has even been addressed? The lawsuits have started; you'd better be prepared.


Comments

Some people don't even know how much they have benefited from the changes to receipts from credit card purchases. Every time I go to buy gas, I go to take my receipt out of the tray and 3-4 other receipts are usually still sitting in there.

Indeed; probably most people don't realize this.

I've also seen numerous receipts at the gas pump. A few other places I often see receipts are in airports, wadded up on the seats, in movie theaters left behind in the seats, in hotel lobbies on the check-in desk or put in the ash trays, and in restaurants left on the tables and in the restrooms.

Now that I have been thinking about it, I go to several places on this list. Rebecca, do you know if this information is localized to CA and PA, or are those companies guilty in other states such as Washington? Well, guess it's time to go dig out some of the past months' receipts and check.

I work in the consulting business in KY helping to educate companies on issues like these. Is it possible I could get a list of the companies that have been sued? I would appreciate any help.

Hi Jeff,

See the fifth paragraph in my posting for the companies.

I was just curious if there are any lawsuits pending where the plaintiff is a business who is being sued for not being FACTA compliant and the defendant is the plaintiff's Point of Sale Provider / Credit Card processor.

Keith, that is the situation in many of the cases that I've seen. For example, in Leowardy v. Oakley Inc. in California, Oakley is a movie theater.


Rebecca Herold's Bio:

Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, has been providing information security, privacy and regulatory assistance and services to organizations from a wide range of industries for over 18 years. Rebecca was instrumental in building the information security and privacy program while at Principal Financial Group, which was awarded the CSI Information Security Program of the Year Award in 1998. IT Security ranked Rebecca as one of the top 59 IT security influencers, and Computerworld put Rebecca on their list of the 25 top privacy experts and on their list of the 9 best privacy consulting firms. Rebecca has been CPO for two consulting organizations, and has had her own information privacy, security and compliance business since 2004. Rebecca has written chapters for several books and dozens of articles, has been writing a monthly privacy column for the CSI Alert newsletter since the beginning of 2001, and is working on her 11th book. Some of her other books include The Privacy Papers, Managing an Information Security and Privacy Awareness and Training Program, The Definitive Guide to Security Inside the Perimeter (Realtime Publishers), The Shortcut Guide to Improving IT Service Support through ITIL (Realtime Publishers), and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, Rebecca is the leader of The Realtime IT Compliance Community, where she posts to her IT Compliance weblog. You can contact Rebecca at: rebecca_herold@realtimepublishers.net.