In addition to potential bank or credit union reimbursement under current and prospective data security laws, companies should note the prospect of liability under the Fair and Accurate Credit Transactions Act (“FACTA”). Under § 1681c(g)(1), “no person that accepts credit cards or debit cards for the transaction of business shall print more than the last fi ve digits of the card number or the expiration date upon any receipt provided to the cardholder at the point of the sale or transaction.” Recently § 1681c(g)(1) has become the basis for many consumer class action lawsuits, specifi cally in California, Illinois, New Jersey, and Pennsylvania.

While many companies have challenged § 1681c(g)(1), claiming that it is vague and ambiguous, courts have held that the statute has only one reasonable meaning: that a receipt may not contain (1) the printing of more than the last fi ve digits and (2) the expiration date. Any person who “willfully fails to comply” with Fair Credit Reporting Act (“FCRA”) requirements may be liable for “actual damages sustained by the customer as a result of the failure or damages of not less than $100 and not more than $1,000.” “Willful failure” has been interpreted to mean a knowing and reckless disregard of the FCRA. A company’s action will be considered a reckless disregard of the law when there is a violation of an FCRA provision and a plaintiff can demonstrate that the company ran a risk of violating the law “substantially greater than the risk associated with a reading that was merely careless.”

If a company has failed to abbreviate credit or debit card receipts, a consumer may bring a private cause of action for statutory damages, which may include punitive damages. Notably, courts have typically held that plantiffs may be entitled to statutory and punitive damages even without proof of actual economic harm or loss.