Massachusetts’ highest court has just decided that a common credit card processing practice—recording customers’ zip codes—violates M.G.L. c. 93, § 105(a), which regulates consumer privacy in credit card transactions.  Retailers may, simply by recording a customer’s address, be illegally breaching consumers’ privacy.  The result could be a class action lawsuit, resulting in the award of multiple damages, attorneys’ fees and costs.  The problem starts when a retailer collects personal information that is not required by the credit card company to complete the credit card form.  In Tyler v. Michaels Stores, Inc., the Massachusetts Supreme Judicial Court (SJC) held that, even in the absence of identity theft or fraud, collecting non-essential customer information as part of the credit card transaction process violates M.G.L. c. 93, § 105(a).

In Tyler, the plaintiff brought a class action alleging that Michaels Stores collected customers’ zip codes when processing credit card transactions, used the zip codes to locate customers’ addresses, and delivered unsolicited marketing materials to them.  In 2012, the U.S. District Court for the District of Massachusetts dismissed the plaintiff’s claim, finding that she had not suffered an injury covered by § 105(a).  However, upon a post-dismissal motion by the plaintiff, the District Court certified questions to the SJC concerning the proper interpretation of § 105(a).

The SJC found that customers’ zip codes qualify as “personal identification information” and that the electronic transaction forms Michaels used were “credit card transaction forms” under § 105(a).  However, the SJC disagreed with the District Court’s conclusion that the statute only applied in cases of identity fraud, reasoning that the statute’s language and legislative history indicate that its “principal purpose” is to “guard consumer privacy in credit card transactions.” 

The SJC further held that although the mere collection of non-essential personal information, such as zip codes, violates § 105(a), plaintiffs may only recover damages for such violations by establishing the “separate, identifiable harm arising from the violation itself” necessary to trigger a claim under M.G.L. c. 93A.  Expanding on this point, the SJC identified “at least two types” of harm that might result from the unlawful collection of personal data: (1) the actual receipt of unwanted marketing materials by consumers; and (2) the merchant’s sale of consumers’ personal information to third parties.

An amicus brief filed by the Retail Litigation Center (RLC) noted the harmful impact this ruling could have on the retail industry in Massachusetts.  The RLC cautioned that a broad interpretation of § 105(a) would subject Massachusetts retailers to unfair fines and compliance costs for the past collection of zip codes, which was a common practice over the past two decades that, until now, retailers had no reason to worry about.  The RLC also argued that subjecting retailers to heightened liability under § 105(a) would drive up business costs and deny businesses the analytical use of zip code data, ultimately resulting in decreased quality of service to consumers and communities.

The Tyler decision is a cause for concern for Massachusetts businesses.  Based on the SJC’s ruling, the District Court reopened its consideration of Tyler, a putative class action against Michaels.  The legal precedent set by the SJC could lead to additional lawsuits against other Massachusetts retailers.  A similar California Supreme Court decision in 2011 led to hundreds of consumer class action lawsuits against major retailers.  Plaintiffs who can demonstrate that they suffered an injury, such as the receipt of unwanted marketing mail, can recover attorneys’ fees under M.G.L. c. 93A.  The potential award of attorneys’ fees changes the economic balance of power in civil litigation and increases the likelihood of claims.

This ruling has broad data privacy implications beyond credit cards.  As the digital revolution has created a data-dependent society, new opportunities and risks for using confidential personal information arise.  Common practices that were seen as “reasonable” or “safe” no longer suffice to protect citizens from identity theft or other forms of cyber liability.  The threat to data privacy is now so great that experts are resigned to the fact that cyber breaches are inevitable rather than preventable!

While the information technology industry is gearing up with encryption, firewalls, and other protective measures, government agencies have enacted broad-ranging legislation and mandatory data privacy measures.  The risk of a breach is so predictable that insurance companies are now offering cyber liability coverage.  Massachusetts has enacted the most restrictive regulatory scheme in the United States.  Although the Massachusetts regulations spell out many specifics, the appropriate data security measures that a company should implement depend upon many variables and are a matter of some debate.  Despite this uncertainty, the Federal Trade Commission (FTC) has taken affirmative steps to impose data security standards on companies in the absence of specific legislation.  After companies suffered data breaches, the FTC retroactively declared their data security measures inadequate, resulting in fines, mandatory audits and consent decrees.  One such company, Wyndham Hotels, has fought back and challenged the FTC’s authority to pass judgment on its data security practices.  We discussed Wyndham’s challenge to the FTC’s authority in a separate article.

Whether Wyndham or the FTC prevails, there is no question that data privacy and cyber risk have become everyday concerns for both individuals and businesses.  Whether it is a matter of backing up family photos on a cell phone or protecting our country’s energy grid from terrorist threats, everyone is concerned about the integrity of their data.  Identifying the existence, scope and nature of a risk is an essential first step in any risk management program.  Unfortunately, we are so dependent on electronic data throughout our lives that we take it for granted and often fail to realize our responsibility and duty to take affirmative steps to safeguard personal information.  The Tyler case is a reminder of the way in which these technological developments impose new obligations and can expand the risk of both harm and liability.