Over 100 FACTA Lawsuits Filed in California Against Businesses Printing PII on Receipts; Are You In Compliance With All FACTA Requirements?

I read with interest an article in today’s issue of the BNA Privacy and Security Law Report about over 100 lawsuits that have recently been filed within the California federal courts because of the amount of personally identifiable information (PII) that is printed on credit and debit card receipts.

The Fair and Accurate Credit Transactions Act (FACTA), an extension of the Fair Credit Reporting Act (FCRA), applies to basically any type of business that handles PII. One of its goals was to reduce identity theft by prohibiting businesses from printing on receipts excessive PII that could lead to identity theft.
FACTA was enacted in 2003, but merchants had until December 4, 2006 to comply with the receipt requirements.
Think about the credit card receipts you got before FACTA; remember how they all had your full credit card number printed on them? Now, if the merchants are complying, you will typically see all X’s where the credit card numbers used to be, typically with the last 4 digits of the card number still showing to allow the purchaser to know which of their cards they used for the transaction. Credit card companies are also making changes on their monthly statements; a couple of mine have started using X’s in place of the real numbers on the statements themselves.
The list of defendants in these suits includes Chanel Inc.; Toys-R-Us Delaware Inc.; Rite Aid Corp; Costco Wholesale Inc.; The Walt Disney Parks and Resorts; California Pizza Kitchen Inc.; El Pollo Loco; Levy Restaurants; United Artists Theatre Circuit Inc.; FedEx Kinkos Office and Print Services Inc.; Valero Energy Corp.; and Avis Rent-A-Car Systems Inc.
Businesses should realize that even though the suits were filed in California, FACTA is a Federal law, and all companies doing business throughout the U.S. need to comply. Two other FACTA violation cases were filed in Pennsylvania in March. The list will likely continue to grow throughout all the states.
Plaintiffs can recover a minimum of $100 and up to $1,000 in statutory damages per willful violation of the law under FACTA. Plaintiffs can also seek actual damages for negligent violations of the law. Think about it, PER VIOLATION. If your business does 1,000 transactions in violation of FACTA, then a penalty of 1,000 * 1,000 = $1,000,000 would be possible. It adds up quickly, doesn’t it?
FACTA also has requirements for businesses to securely dispose of PII. These are elaborated upon in the Disposal Rule.
Another requirement is to ensure the PII you are responsible for is accurate.
Has your business taken actions to be compliant with FACTA? Do you know if it has even been addressed? The lawsuits have started; you’d better be prepared.
