Are you the next target in the latest wave of class action litigation? Since January 1, 2007, over fifty lawsuits alleging violations of the Fair & Accurate Credit Transactions Act ("FACTA") have been filed against scores of businesses in the United States District Court for the Central District of California. Each of these businesses has three things in common. They: (1) are in the retail business; (2) issue machine printed credit card receipts; and (3) allegedly violated FACTA. The alleged violations expose each defendant to potentially massive damage awards (actual damages, punitive damages and attorney fees).
What Does the Fair Credit Transactions Act Require?
FACTA (Public Law 108-159) added new sections to the Fair Credit Reporting Act, codified at 15 U.S.C. §1681 et seq. FACTA was enacted into law in 2003, but did not become fully effective until December, 2006. One aspect of FACTA requires businesses to limit the amount of information printed on credit card receipts: "Except as otherwise provided in this subsection, no person that accepts credit cards or debit cards for the transaction of business shall print more than the last 5 digits of the card number or the expiration date upon any receipt provided to the cardholder at the point of the sale or transaction." 15 U.S.C. §1681c(g)(1).
To comply with Section 1681c(g)(1), electronically-printed credit card receipts should contain not more than the last five digits of the card number and should not include the card's expiration date. Alternatively, the receipt may contain the expiration date and not the last five digits of the card number. It sounds simple, but given the large number of pending lawsuits, many businesses may be struggling to comply. Businesses should also note that this subsection only applies to "receipts that are electronically printed, and shall not apply to transactions in which the sole means of recording a credit card or debit card account number is by handwriting or by an imprint or copy of the card." 15 U.S.C. §1681(g)(2).
Penalties for Noncompliance Can Be Harsh
Pursuant to Section 1681n, a person who willfully fails to comply with these requirements "is liable" in an amount equal to the sum of:
- Actual damages of not less than $100 or more than $1000;
- Punitive damages; and
- Attorney fees and costs.
On the other hand, Section 1681o provides that a person who negligently fails to comply "is liable" in an amount equal to the sum of:
- Actual damages sustained; and
- Attorney fees and costs.
The lawsuits that have been filed thus far all allege willful non-compliance. In addition to the lure of recovering statutorily mandated actual damages (with a floor of $100 per violation), attorney fees and punitive damages, plaintiffs have likely chosen to focus on willfulness due to the Ninth Circuit U.S. Court of Appeals' less rigid standard for willfulness. While other circuits require a showing that businesses intentionally and knowingly failed to comply, the Ninth Circuit only requires a showing of reckless disregard.1
It is also important to remember that each transaction potentially constitutes a separate violation of FACTA and, therefore, the damages can grow at an alarming rate. So, for example, a business that printed 10,000 receipts could face statutorily mandated damages of $1,000,000 to $10,000,000, plus punitive damages and attorney fees. Even for those businesses that mount a successful defense, legal fees and costs can be substantial. Seeing a potential gold-mine, plaintiffs' attorneys appear eager to test the legal waters.
What Should You Do?
A comprehensive internal audit is a good starting point. Remember that even if you limit the digits printed, printing the expiration date can still be a potential violation. Surveying your credit card machines to assure compliance and correcting those that fail to meet statutory standards is imperative. Even if you discover machines that still need to be modified in order to comply with the law, quick modification could be used to show that the failure was not willful, though plaintiffs may argue that post-compliance modification shows that your business could have and should have complied sooner. Still, quick action may limit the size of any potential damage award — remember, each transaction is a potential violation. On the other hand, continued delay not only increases potential damages but also makes it increasingly difficult to argue that any noncompliance was merely negligent.