ARTICLES
PRIVATE DISORDERING?
PAYMENT CARD FRAUD LIABILITY RULES
Adam J. Levitin*
This Article argues that private ordering of fraud loss liability in
payment card systems is likely to be socially inefficient because it does not
reflect Coasean bargaining among payment card network participants.
Instead, loss allocation rules are the result of the most powerful party in the
system exercising its market power. Often loss liability is placed not on the
least cost avoider of fraud, but on the most price inelastic party, even if that
party has little or no ability to prevent or mitigate losses. Moreover, for
virtually identical payment systems, there is international variation in both
loss liability rules and security standards, suggesting that at least some
variations are suboptimal.
True Coasean bargaining is not possible in payment systems; the
transaction costs are too high because of the sheer number of participants.
Targeted coordination and competition, however, can achieve outcomes that
if not Coasean, are at least optimized relative to the current system. Thus,
the Article suggests a pair of complementary regulatory responses. First,
regulators should develop a system for coordinating payment card security
measures with governance that adequately represents all parties involved in
payment card networks. And second, regulators should pursue more
vigorous antitrust enforcement of card networks’ restrictions on merchant
pricing to expose the costs of participating in a payment system—which
include fraud costs—to market discipline. The Article also presents an
extended defense of the major existing regulatory intervention in payment
card fraud loss allocation, the federal caps on consumer liability for
unauthorized payment card transactions.
TABLE OF CONTENTS
INTRODUCTION .......... 2
I. PAYMENT CARD NETWORKS AND LIABILITY RULES .......... 10
   A. Structure of Payment Card Networks .......... 10
   B. Payment Card Liability Rules in the United States .......... 14
II. WHAT HATH PRIVATE ORDERING WROUGHT? .......... 16
   A. Who Is the Least Cost Avoider? Card-Present Transactions .......... 16
   B. Who Is the Least Cost Avoider? Card-Not-Present Transactions .......... 20
   C. Making Sense of the Liability Rules .......... 22
   D. International Variation in Liability Rules and Fraud Arbitrage .......... 24
      1. International Variation .......... 24
      2. Fraud Arbitrage .......... 29
III. REGULATORY INTERVENTIONS .......... 30
   A. The Coordination Problem in Payment Card Networks .......... 30
   B. Encourage Better Governance for Security Standard Coordination .......... 32
   C. More Vigorous Payments Antitrust Policy .......... 36
IV. LIMITATIONS OF CONSUMER LIABILITY: A DEFENSE .......... 38
   A. Consumer Liability Rules for Unauthorized Payment Card Transactions .......... 38
   B. The Case Against Mandatory Liability Rules .......... 39
   C. In Defense of the Consumer Liability Limitations .......... 40
      1. Counterfactual Consideration .......... 40
      2. Monetary Deductibles, Copayments, and Contributory Negligence .......... 41
      3. Non-Pecuniary Costs .......... 42
      4. Limited Consumer Ability to Prevent Fraud .......... 42
      5. Consumer Knowledge of Liability Rules and Concerns About Issuer Compliance .......... 43
      6. Adverse Selection as Justification for Mandatory Liability Rules .......... 44
      7. Contractual Frictions: Information Asymmetries, Bargaining Costs, Bundled Pricing, Hyperbolic Discounting, and Price Salience .......... 45
      8. Relative Ability to Bear Losses .......... 46
CONCLUSION .......... 47

* Associate Professor, Georgetown University Law Center. The author would like to thank
William Bratton, Mark Budnitz, Robert Hunt, Sarah Levitin, and Ronald Mann for their comments
and encouragement, and Steven Schwarzbach for research assistance. Comments?
[email protected].

BROOK. J. CORP. FIN. & COM. L. [Vol. 5

INTRODUCTION
Payment card fraud is a multi-billion dollar problem domestically and
globally. While there are no firm numbers on the actual cost of payment
fraud, one recent study estimates total costs of credit and debit card fraud in
the U.S. at approximately $109 billion in 2008.1 The losses from payment
card fraud are borne directly by merchants, a range of financial institutions,
and consumers. Payment card fraud also creates deadweight loss for the
entire economy by increasing the cost of payments, the ultimate transaction
cost.2 Payment card fraud results in socialized losses because of the law
enforcement resources spent combating the problem and may also frustrate
some legitimate transactions that get caught by overly broad fraud
prevention methods.3

2010] Private Disordering?

1. See LEXISNEXIS, 2009 LEXISNEXIS TRUE COSTS OF FRAUD STUDY 6, 50, 54 (2009),
available at http://www.riskfinance.com/RFL/Merchant_Card_Fraud_files/LexisNexisTotalCost
Fraud_09.pdf [hereinafter LEXISNEXIS FRAUD STUDY] (estimating total cost of all payment fraud
in the U.S. at $191.30 billion and that credit and debit fraud account for 57% of the total). These
figures should not be taken as precise statements because the study’s methodology was not always
clear and the figures did not include the costs sunk into fraud prevention by financial institutions
and merchants or the non-pecuniary costs of fraud, such as distortions in consumer purchasing and
payment patterns or time and hassle for consumers to straighten out credit reports and accounts.
See id. at 17. For a very different estimate of fraud costs, see Richard J. Sullivan, The Changing
Nature of U.S. Card Payment Fraud: Industry and Public Policy Options, FED. RESERVE BANK
OF KANSAS CITY ECON. REV., 2Q 2010, at 101, 112, available at http://www.kansascityfed.org/
Publicat/Econrev/pdf/10q2Sullivan.pdf (estimating $3.718 billion in credit and debit card fraud
losses in 2006 in the US). See also Kate Fitzgerald, An Industry At A Loss, PAYMENTSSOURCE,
May 2010, at 16, 17 (reporting bank card fraud expenses as $.95 billion for 2009 and $1.11 billion
for 2008).
The allocation of these losses occurs through a combination of public
law and private ordering. Federal law generally limits individual consumer
liability for unauthorized credit and debit card transactions to $50.4 The
liability of merchants and financial institutions as well as business
cardholders5 is generally determined through private ordering.6
The loss allocation rules are important not only because of their
distributional consequences, but because of the incentives they create. The
greater a party’s liability for fraud losses, the greater incentive the party will
have to take care to avoid fraud. As payment card fraud has (apparently)
increased,7 it is worth asking whether the current loss allocation system is
the optimal one. Does it properly incentivize parties to take the optimal
level of care from a social welfare standpoint? Does the loss allocation
system facilitate or discourage commerce by limiting the transaction cost of
payment?
2. To the extent that merchants bear losses, payment fraud may get passed on to consumers in
the form of higher sale prices.
3. DELL INC., SUBMISSION OF DELL, INC. TO THE BOARD OF GOVERNORS OF THE FEDERAL
RESERVE REGARDING SECTION 920 OF THE ELECTRONIC FUNDS TRANSFER ACT (REDACTED
VERSION) 4, http://www.federalreserve.gov/newsevents/files/dell_comment_letter_20101118.pdf
[hereinafter DELL LETTER].
4. 15 U.S.C. §§ 1643(a), 1693g(a) (2006); 12 C.F.R. § 226.12(b)(1)(ii) (2010) (credit cards);
id. § 205.6(b) (debit cards). For debit cards, if the consumer does not provide the card issuer
with timely notice that the consumer’s card has been lost or stolen, the consumer’s liability can
increase up to $500. Id. See infra part IV for a more detailed discussion of consumer liability rules.
5. See 15 U.S.C. § 1603 (2006) (exempting “extensions of credit primarily for business,
commercial, or agricultural purposes, or to government or governmental agencies or
instrumentalities, or to organizations” from the credit transaction provisions of the Truth in
Lending Act); id. § 1693a (defining “account” for the purposes of the Electronic Fund Transfer
Act as being “established primarily for personal, family, or household purposes”). These
exemptions would cover even sole proprietors if the credit was extended or the account
established primarily for business purposes, as with a “business” card or “business” deposit
account.
6. An exception is state laws relating to data security breach notification. See Paul M.
Schwartz & Edward J. Janger, Notification of Data Security Breaches, 105 MICH. L. REV. 913,
924–25, 972–84 (2007).
7. LEXISNEXIS FRAUD STUDY, supra note 1, at 26–27. Given the lack of solid payment card
fraud statistics in the United States, it is impossible to say with absolute certainty whether fraud
levels are increasing, much less relative to the size of the market. While issuers report fraud
losses, some of these losses are first-party fraud, where the consumer simply denies having carried
out the transaction that he or she made, while others are third-party fraud. Jasbir Anand, First
Party Fraud, SC MAGAZINE (Apr. 1, 2008), http://www.scmagazineus.com/first-partyfraud/article/108545.
There is a sizeable literature on fraud and mistake liability allocation
rules in payments systems.8 This literature, however, generally focuses on
public law and on the propriety of liability allocation to consumers. There
has been little scholarly consideration of the private law that allocates
liability between merchants and financial institutions.9 The reason for this
comparative neglect is unclear. Until recently, payment card network
operating rules were not publicly available, which limited a critical primary
source for scholars. Moreover, scholars may have considered the allocation
of liability between merchants and financial institutions less of a policy
concern because the asymmetries in terms of information, sophistication,
and ability to exercise rights are less acute between merchants and financial
institutions than they are between consumers and financial institutions.
In perhaps the most extensive exposition on the issue, Professor
Richard Epstein and attorney Thomas Brown argue that the current system
of private loss allocation layered on top of a statutory baseline is flawed.10
Epstein and Brown argue that losses should be allocated solely through
private ordering. In their view, which they “would have thought beyond
reproach . . . voluntary contracts offer by far the best way to allocate the
risks of loss, and the duties of prevention, among the various parties within
this elaborate network.”11 Thus, Epstein and Brown “see no reason even for
th[e] (modest) restriction on freedom of contract [created by the federal
limitation on consumer liability for unauthorized transactions]. If payment
card companies think larger penalties are appropriate and disclose such
penalties to consumers, the losses should not be socialized as a matter of
law.”12 For Epstein and Brown, all liability for unauthorized transactions
should be allocated contractually; mandatory (or even default) statutory
rules are inappropriate in their view.13

8. See Mark E. Budnitz, Commentary: Technology as the Driver of Payment System Rules:
Will Consumers Be Provided Seatbelts and Air Bags?, 83 CHI.-KENT L. REV. 909 (2008); Robert
D. Cooter & Edward L. Rubin, A Theory of Loss Allocation for Consumer Payments, 66 TEX. L.
REV. 63, 71–72 n.42 (1987) (reviewing pre-1970s writings on this topic); Francis J. Facciolo,
Unauthorized Payment Transactions and Who Should Bear the Losses, 83 CHI.-KENT L. REV. 605
(2008); Clayton P. Gillette, Rules, Standards, and Precautions in Payment Systems, 82 VA. L.
REV. 181 (1996); Clayton P. Gillette & Steven D. Walt, Uniformity and Diversity in Payment
Systems, 83 CHI.-KENT L. REV. 499 (2008); Gail Hillebrand, Before the Grand Rethinking: Five
Things To Do Today with Payments Law and Ten Principles to Guide New Payments Products
and New Payments Law, 83 CHI.-KENT L. REV. 769 (2008); Sarah Jane Hughes, Duty Issues in the
Ever-Changing World of Payments Processing: Is It Time for New Rules?, 83 CHI.-KENT L. REV.
721 (2008); Ronald J. Mann, Credit Cards and Debit Cards in the United States and Japan, 55
VAND. L. REV. 1055 (2002) [hereinafter Mann, Credit Cards and Debit Cards]; Ronald J. Mann,
Making Sense of Payments Policy in the Information Age, 93 GEO. L.J. 633 (2005) [hereinafter
Mann, Making Sense of Payments]; James Steven Rogers, The Basic Principle of Loss Allocation
for Unauthorized Checks, 39 WAKE FOREST L. REV. 453 (2004); Linda J. Rusch, Reimagining
Payment Systems: Allocation of Risk for Unauthorized Payment Inception, 83 CHI.-KENT L. REV.
561 (2008).
9. I have identified only two works that focus on this issue in any detail. See Duncan B.
Douglass, An Examination of the Fraud Liability Shift in Consumer Card-Based Payment
Systems, FED. RES. BANK OF CHI. ECON. PERSP., 1Q 2009, at 43; Richard A. Epstein & Thomas P.
Brown, Cybersecurity in the Payment Card Industry, 75 U. CHI. L. REV. 203 (2008). Some other
works touch on payment card fraud liability rules, but do not consider them in detail, as they focus
on other types of payment systems. See Robert G. Ballen & Thomas A. Fox, The Role of Private
Sector Payment Rules and a Proposed Approach for Evaluating Future Changes to Payments
Law, 83 CHI.-KENT L. REV. 937 (2008) (focusing on payment transaction rules among financial
institutions); Facciolo, supra note 8 (including a review of checks, ACH debits and wire transfers
along with credit and debit cards); Mann, Credit Cards and Debit Cards, supra note 8; Rusch,
supra note 8 (focusing on risk-allocation in unauthorized debits from deposit accounts).
10. Epstein & Brown, supra note 9, at 209. Epstein and Brown approach payment systems
with a very strong set of anti-regulatory priors, or, as they refer to it, as their “classical liberal
perspective.” Id. at 203. Brown, an antitrust attorney, has previously worked in-house for Visa. Id.
at n. ††.
This Article argues that we should be skeptical of the efficiency of
private ordering in payment card markets. In a world with a complete set of
perfectly competitive markets, private ordering is surely the right
outcome—Coasean bargaining would ensure that fraud losses would be
allocated to the least cost avoider and the optimal level of care would ensue.
But there is never a complete set of perfectly competitive markets except in
economists’ models and dogmatic fantasies,14 and Coase’s great lesson is
that transaction costs matter; in their presence, the initial allocation of
liability is critical.15
Payment card markets are always incomplete, as there are no futures or
insurance markets in most areas of payments through which risks can be
hedged.16 If one commits to using a payment system, thereby incurring
fraud risk, one cannot also short payment fraud futures as a hedge, much
less the futures on a particular card or transaction. At best, one could short a
payment card network, but that is an imperfect proxy for fraud risk, as the
costs to a network from elevated fraud are limited, and is hardly negatively
correlated with fraudulent activity on a particular card-linked account.17
Payment card markets are also imperfect because of limited information.
For example, it is often impossible to determine how a fraud was
perpetrated and therefore who would have been the least cost avoider.
Epstein and Brown assume something close to a perfect market in
payment systems, noting the “high level of competition that exists
everywhere in the credit card industry.”18 Market realities are quite
different.19 Some parts of payment card markets are intensely competitive,
while others are not.20 Payment card networks—MasterCard, Visa, Amex,
Discover, and around a dozen relatively small personal-identification-number
(PIN)-debit networks—are two-sided networks.21 Network effects,
combined with the need to roll out payment networks nationally, at the very
least, create high barriers to entry for new networks.22 Further, while there
are numerous card issuers and acquirers, the market is heavily concentrated
in a handful of institutions. The five (ten) largest card issuers account for
74% (90%) of the credit card market and 43% (51%) of the debit card
market in terms of purchase volume.23 More critically, the mere fact that
there are numerous competitors does not mean that there is competition
along every axis of the market. For example, competition may exist for
market share or for price, but not for security.

11. Id. at 209.
12. Id. at 219.
13. See id. at 209, 219, 223. It is unclear whether Epstein and Brown would envisage payment
card companies actually bargaining with individual consumers or whether they would simply
present consumers with contracts of adhesion in which fraud loss rules were one of many
nonnegotiable components of a package offer.
14. See JOSEPH E. STIGLITZ, WHITHER SOCIALISM? 27–44 (1994) (presenting a critique of the
first fundamental theorem of welfare economics).
15. R. H. Coase, The Problem of Social Cost, 3 J.L. & ECON. 1, 14–15 (1960).
16. See generally Mark D. Flood, An Introduction to Complete Markets, FED. RES. BANK OF
ST. LOUIS REV., Mar.-Apr. 1991, at 32 (explaining incomplete markets, futures, and hedged risks).
17. See generally LEXISNEXIS FRAUD STUDY, supra note 1.
18. Epstein & Brown, supra note 9, at 203.
Payment card systems also involve a variety of participants with
divergent incentives. This creates intense coordination problems. The
networks lead the coordination efforts, but they are driven by their own
incentives, primarily to increase the size of the network.24 As long as fraud
remains sufficiently low that it does not damage the network’s reputation,
the network’s primary concern is maximizing total transaction volume,
irrespective of whether the transactions are fraudulent.25 Increasing the size
of the network is a function of calibrating the network’s cost allocation
(including fraud) to fully leverage network participants’ price elasticity.26
Fraud liability is a cost of using a payment system and is therefore a
type of pricing affected by the level of competition in the market.
Therefore, more price inelastic participants (those whose demand for a
payment system’s services is the least sensitive to price changes) might bear
a larger share of fraud losses, regardless of whether they are the least cost
avoiders of the fraud. By allocating fraud losses to the most price inelastic
party, the number of network participants is maximized, but deadweight
loss may occur if the most price inelastic network participant is not also the
least cost avoider of fraud.

19. See Adam J. Levitin, Priceless? The Economic Costs of Credit Card Merchant Restraints,
55 UCLA L. REV. 1321, 1356–63 (2008) [hereinafter Levitin, Economic Costs].
20. Id.
21. Id. at 1387.
22. Id. at 1386–87; see also JOHN M. GALLAUGHER, INFORMATION SYSTEMS: A MANAGER’S
GUIDE TO HARNESSING TECHNOLOGY (2010), available at http://www.flatworldknowledge.com/
pub/1.0/information-systems-manager%E2%80%99s-/206326#web-206326.
23. See THE NILSON REP. ISSUE 919 (Feb. 2009); THE NILSON REP. ISSUE 918 (Jan. 2009);
THE NILSON REP. ISSUE 917 (Jan. 2009); Adam J. Levitin, Interchange Regulation: Implications
for Credit Unions, FILENE RESEARCH INST., Nov. 24, 2010, at 1, 39,
http://www.federalreserve.gov/newsevents/files/levitin_filene_paper.pdf.
24. See generally Levitin, Economic Costs, supra note 19, at 1356–59, 1364–65, 1398
(detailing ways that networks coordinate their systems to raise revenue and discussing the
negative network effect of negative externality).
25. See generally David Charny, Nonlegal Sanctions in Commercial Relationships, 104 HARV.
L. REV. 373, 393 (1990) (discussing the nonlegal sanction of loss of reputation among market
participants); Schwartz & Janger, supra note 6, at 929–32 (discussing the cost and associated
pressures of reputational sanctions).
26. See Levitin, Economic Costs, supra note 19, at 1364–66.
Previous work on payment systems has viewed fraud liability rules as
unconnected with competition issues.27 Thus, in their groundbreaking paper
on the economics of payment system loss allocation rules, written well
before the emergence of major payment card antitrust litigation, Professors
Robert D. Cooter and Edward L. Rubin noted that “[t]he structure of the
financial services industry may cause market failures, such as oligopolistic
or monopolistic behavior, but these tend to affect pricing rather than loss
allocation.”28 Ironically, though, one of the sources Cooter and Rubin cited
for this was the seminal paper on credit card interchange fee competition.29
While Cooter and Rubin viewed loss allocation as a distinct issue from
pricing, a major point of this Article is that loss allocation is itself a type of
pricing and cannot be viewed as unaffected by antitrust matters.
This Article argues that the rules for allocating payment card fraud loss
are likely to be suboptimal because they are shaped by discrepancies in
market participants’ bargaining power. In payment card networks there is
not unfettered bargaining over fraud loss allocation. Instead of Coasean
bargaining, there is merely fiat ordering by the most powerful party in the
network—the network association itself—which is interested in maximizing
total transaction volume, rather than total nonfraudulent transaction
volume.30 In such circumstances, we should be skeptical that private
ordering achieves socially efficient outcomes. Instead, in a market replete
with competition and information problems, private disordering may obtain,
and, with it, negative social externalities.
To this end, the Article reviews payment card network fraud liability
allocation rules, focusing on Visa and MasterCard, the two largest payment
card networks, which combined accounted for 84% of the total U.S. payment
card (debit, credit, and prepaid) market in purchase transaction volume in
2008.31 It shows that liability allocations among card network participants
are likely inefficient as they often place liability on parties with little or no
ability to prevent fraud.32 The Article also notes international variation in
liability rules and security measures, and the fraud arbitrage problems that
stem from these variations. International inconsistency in liability rules and
security measures for the same companies in virtually identical markets
suggests that private ordering may not be producing optimal results
globally.33

27. Professor Ronald Mann has recognized this point implicitly in his comparative study of
credit cards in the United States and Japan. See Mann, Credit Cards and Debit Cards, supra note
8, at 1088–99 (discussing impact of fraud rates on merchant fees).
28. Cooter & Rubin, supra note 8, at 68 n.30.
29. See id. (citing William Baxter, Bank Interchange of Transactional Paper: Legal and
Economic Perspectives, 26 J.L. & ECON. 541, 554–55, 586–88 (1983)).
30. See Levitin, Economic Costs, supra note 19, at 1334–38.
31. THE NILSON REP. ISSUE 924, at 8 (Apr. 2009) (comparing 2008 “Totals” for Visa and
Mastercard “Credit” and “Debit & Prepaid” categories against 2008 “Credit & Debit Totals”).
32. See Douglass, supra note 9, at 46–47.
While private ordering may not produce optimal results, regulatory
intervention poses its own problems. Regulators are subject to their own
idiosyncratic concerns and pressures, and they also lack perfect
information.34 Yet, if regulatory intervention cannot achieve optimal
outcomes, it might still help optimize market outcomes. Thoughtful
regulatory intervention can compensate for some of the bargaining power
disparities and help achieve an outcome that is closer to that which would
obtain in a complete, perfectly competitive market.
Accordingly, this Article argues for two complementary regulatory
interventions. First, broader-based payment card security measure
coordination should be encouraged. The current coordination mechanism
for payment card security—the Payment Card Industry Security Standards
Council—features a governance structure that does not adequately represent
all interests in payment card networks or provide them with due process. As
a result, the Council is perceived as being an instrumentality for the card
networks to reinforce the placement of liability on the most price inelastic
type of network participant, rather than engaging in effective reforms. To
this end, it might be necessary for payment card security coordination to be
conducted under a federal aegis.35
Second, card networks should be encouraged to compete more
vigorously for merchants, be this through legislation or rulemaking or
through antitrust enforcement of payment card network rules pertaining to
merchant pricing.36 Fraud costs are part of pricing.37 While the huge
transaction costs in coordinating multiple parties in payment card networks
defeats true Coasean bargaining, better price competition among networks
for merchants will help achieve a result closer to the Coasean ideal.
The Article also presents a defense of the federal limitation on
consumer liability.38 The federal limitation creates a moral hazard and
constrains the range of potential bargaining.39 It is tempered, however,
through monetary and nonmonetary deductibles and copayments and
reflects a reasonable response to an adverse selection problem and to the
enormous informational and bargaining cost asymmetries between
consumers and card issuers regarding fraud risk, as well as to consumers’
limited ability to prevent most third-party fraud and limited ability to bear
losses relative to other payment card network participants.

33. See infra pp. 22–30.
34. Once we accept that the market is flawed, however, there is no inherent reason to favor
market solutions over regulatory ones. Both systems might produce suboptimal outcomes, and we
have no way of ascertaining which system is more likely to do so or whether an outcome is in fact
optimal. In such circumstances, there is no good reason to fall back on anti-regulatory priors.
Instead, when efficiency proves an indeterminate metric, it must be jettisoned for a metric, such as
political accountability.
35. See infra pp. 30–32.
36. See infra pp. 32–36.
37. See Gillette & Walt, supra note 8, at 500; Adam J. Levitin, The Antitrust Super Bowl:
America’s Payment Systems, No-Surcharge Rules, and the Hidden Costs of Credit, 3 BERK. BUS.
L.J. 265, 273–74 (2005).
38. See infra Part IV.
39. Douglass, supra note 9, at 46.
This Article proceeds as follows. Part I provides an overview of the
structure of payment card networks and their loss allocation rules in the
United States. Part II questions whether the liability rules do in fact result in
a Kaldor-Hicks efficient outcome. Part III considers possible and existing
regulatory interventions to level the playing field and move payment card
networks closer to Coasean bargaining outcomes. Part IV examines the
consumer loss liability rules and presents a defense of the federal
limitations on consumer liability of unauthorized transactions.
An important introductory note: this Article focuses solely on the issue
of allocation of losses for unauthorized transactions. It does not generally
address the related issues of liability for compromised payment data storage
or data transmission that results in fraud losses for others. Data security
breaches have become a major issue in payment card security in recent
years. Whether there should be some form of tort liability for data security
breaches, whether liability should be set by private ordering, what the
liability standard should be, and whether compliance with industry
standards such as Payment Card Industry Data Security Standard would be
sufficient to relieve liability are important questions.40
Ultimately, however, flaws in data storage or data transmission only
matter to the extent that unauthorized transactions can occur. The data have
no inherent value; the data’s attraction to fraudsters derives solely from
their ability to capitalize on it, and using it for fraudulent transactions is the
most immediate way to do so.41 Thus, data breach liability is better
conceived as liability for potential fraud and the steps that must be taken to
reduce the likelihood that the breach will translate into fraud, such as
reissuance of cards with new numbers following a breach. It is also often
difficult to trace the unauthorized use of a card to a particular data security
breach, which makes the liability relationship more tenuous.42 To be sure,
there are improvements that can and should be made in data storage and
transmission—tokenization and end-to-end encryption should both be
pursued vigorously.43 But those improvements will not eliminate fraud
problems. Better data protection will make it harder to get the data
necessary to commit certain types of fraud, but the critical line of fraud
defense for all third-party fraud is transaction authorization.

40. Cf. The T.J. Hooper, 60 F.2d 737, 740 (2d Cir. 1932) (Hand, J.) (suggesting that industry
standard is not necessarily the proper standard of diligence as “a whole calling may have unduly
lagged in the adoption of new and available devices”).
41. Not all data breach issues even relate to payments, although payment data is the most
readily monetizable type of data.
42. Sullivan, supra note 1, at 108, 110.
43. Tokenization is a data fortification strategy. It is meant to address the problem of data
residing in relatively vulnerable locations, such as with retailers. Tokenization means that data
resides in harder-to-hack “fortified” locations; merchants would only retain a “token” number that
links to the data stored off-site. Instead of residing with merchants, who do not specialize in data
security, tokenization moves the data to companies with expertise and reputational capital (and
potentially insurance policies) that guarantee data protection. End-to-end encryption means that
card data is encrypted at the point of capture and is never transmitted in an unencrypted form.

I. PAYMENT CARD NETWORKS AND LIABILITY RULES
A. STRUCTURE OF PAYMENT CARD NETWORKS
Payment card transactions all involve multi-party networks of financial
institutions, consumers, and merchants. Transmission of a payment from a
consumer to a merchant to pay for goods or services is conducted through at
least three financial institutions: the consumer’s bank (the issuer bank), the
merchant’s bank (the acquirer bank), and the card network association
(MasterCard, Visa, Amex, Discover, or PIN debit network) that
intermediates between the banks and sets the rules governing their
transactions. Thus, a payment card transaction involves at least five parties,
although in the case of American Express and Discover,44 the card network
is often also the card issuer and the acquirer. (See Figure 1).

Figure 1. Payment Card Network Structure

Often a payment card transaction involves additional parties. Acquirers
frequently outsource all but the financing element of their operations. The
task of recruiting merchant customers for the acquirer is often outsourced to
an independent sales organization (ISO), and all the technical linkages
between the merchant and the card network association are often outsourced
to a separate data processor.45 For Internet transactions a separate gateway
provider might also be involved.46

44. Levitin, Economic Costs, supra note 19, at 1328.
In a payment card transaction, the consumer must first transfer
information about the consumer’s account (either funded or a line of credit)
to the merchant, or more precisely, to the merchant’s acquirer or data
processor. This can be done in several ways. The information can be
transferred electronically via a magnetic swipe. The information can be
transferred electronically via radio-frequency identity (RFID) chip
(“contactless”). The information can be transferred physically via an
impression made by an imprinter (a “knucklebuster”). The information can
be transferred orally and recorded by hand. The information can be
transferred in a written form, as occurs in mail-order transactions. Or the
information can be transferred electronically via a Web site. Some
transactions require additional information (such as a PIN number or a ZIP
code) to be conveyed via a PIN pad.
Once this information is conveyed to the merchant, it is then relayed to
the credit card network by the merchant’s processor for authorization,
capture, and settlement (ACS).47 Authorization involves the card network
first verifying that the card is real and then the issuer approving the
transaction. Once a transaction has been authorized, it may then be
captured.
Capture involves the transfer of funds from the issuer bank to the
acquirer bank. The transfer is done between the institutions’ accounts at the
card network association, which serves as a clearinghouse for the
payments.48 The issuer transfers to the acquirer the amount of the
transaction minus a fee, known as the interchange fee.49 The interchange fee
is set by the network and varies by the type and size of the merchant, the
type of card (consumer or commercial, credit or debit), and the level of
rewards on the card.50 The card network also takes out various fees to cover
its costs of processing the transaction plus its profit margin.51 Thus, the
network debits the issuer’s account for the amount of the transaction less
the interchange fee and credits the acquirer bank’s account for the
transaction amount minus both interchange and network fees.
45. See Ramon P. DeGennaro, Merchant Acquirers and Payment Card Processors: A Look
Inside the Black Box, FED. RES. BANK ATLANTA ECON. REV., 1Q 2006, at 27, 31.
46. Adam J. Levitin, Priceless? The Social Costs of Credit Card Merchant Restraints, 45
HARV. J. ON LEGIS. 1, 5 n. 13 (2008) [hereinafter Levitin, Social Costs].
47. Sometimes the merchant never actually has control over the data, which instead goes
straight to the processor.
48. DeGennaro, supra note 45, at 33.
49. U.S. GOV’T ACCOUNTABILITY OFFICE, GAO-08-558, CREDIT AND DEBIT CARDS:
FEDERAL ENTITIES ARE TAKING ACTIONS TO LIMIT THEIR INTERCHANGE FEES, BUT
ADDITIONAL REVENUE COLLECTION COST SAVINGS MAY EXIST 1 (2008).
50. See Levitin, Economic Costs, supra note 19, at 1333.
51. Historically, MasterCard and Visa were mutual organizations owned by their member
institutions. Accordingly, they only charged a “switch” fee to cover their costs of processing
transactions. Since becoming publicly-traded stock companies, however, MasterCard and Visa
have needed to operate on a for-profit basis and have added additional fees.
Finally, the transaction is settled, meaning that the acquirer credits the
merchant’s account with the funds representing the transaction amount
minus its own fee, called the merchant discount fee. The merchant discount
fee is set to cover the interchange fee and network fees paid by the acquirer,
as well as the acquirers’ other costs and a profit margin. Frequently the
merchant discount fee is explicitly priced as “interchange plus”—as a
spread over the applicable interchange and network fees—making
interchange and network fees functionally pass-thru fees to the merchant.52
When a transaction is reversed (referred to as a “chargeback”), the
system works backwards.53 The acquirer transfers funds from the
merchant’s account to its account and then to the network. These funds are
captured in the issuer’s account. The issuer then settles the funds back in
the consumer’s account. Chargebacks generally involve their own set of
additional fees from the network to the acquirer and thence from the
acquirer to the merchant.54 The interchange and network fees on the original
transaction are not always refunded to the merchant when there is a
chargeback.55
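The capture, settlement and chargeback flows described above, modelled as a small five-party ledger. This is an added example, not code from the article or from any card network; the fee rates, the chargeback fee, and the refund path taken when a network does return interchange and network fees on a chargeback are constructed assumptions, and the acquirer is assumed to keep its own "interchange plus" spread either way.

```python
from dataclasses import dataclass, field
from decimal import Decimal, ROUND_HALF_UP

CENT = Decimal("0.01")


def money(x) -> Decimal:
    """Round to whole cents (half-up), as a clearing ledger would."""
    return Decimal(x).quantize(CENT, rounding=ROUND_HALF_UP)


@dataclass(frozen=True)
class FeeSchedule:
    # Constructed, hypothetical rates. Real interchange varies by merchant
    # type and size, card type and rewards level; the network fee covers the
    # network's processing cost plus margin; the acquirer prices
    # "interchange plus", i.e. a spread over interchange and network fees.
    interchange_pct: Decimal = Decimal("0.0180")
    interchange_fixed: Decimal = Decimal("0.10")
    network_fee_pct: Decimal = Decimal("0.0011")
    acquirer_spread_pct: Decimal = Decimal("0.0025")
    chargeback_fee: Decimal = Decimal("15.00")      # network -> acquirer -> merchant
    fees_refunded_on_chargeback: bool = False       # original fees returned on reversal?


PARTIES = ("consumer", "issuer", "network", "acquirer", "merchant")


@dataclass
class Ledger:
    balances: dict = field(default_factory=lambda: {p: Decimal("0.00") for p in PARTIES})

    def move(self, src: str, dst: str, amount: Decimal) -> None:
        amount = money(amount)
        self.balances[src] -= amount
        self.balances[dst] += amount

    def is_balanced(self) -> bool:
        # Every transfer has a payer and a payee, so the system must net to zero.
        return sum(self.balances.values()) == 0


def fee_breakdown(amount: Decimal, fees: FeeSchedule) -> dict:
    interchange = money(amount * fees.interchange_pct + fees.interchange_fixed)
    network_fee = money(amount * fees.network_fee_pct)
    acquirer_margin = money(amount * fees.acquirer_spread_pct)
    return {
        "interchange": interchange,
        "network_fee": network_fee,
        "acquirer_margin": acquirer_margin,
        # Merchant discount = interchange + network fee + acquirer's own spread.
        "merchant_discount": interchange + network_fee + acquirer_margin,
    }


def capture_and_settle(ledger: Ledger, amount: Decimal, fees: FeeSchedule) -> dict:
    """Capture (issuer -> network -> acquirer), then settlement (acquirer -> merchant)."""
    f = fee_breakdown(amount, fees)
    ledger.move("consumer", "issuer", amount)                          # cardholder owes issuer
    ledger.move("issuer", "network", amount - f["interchange"])         # issuer keeps interchange
    ledger.move("network", "acquirer",
                amount - f["interchange"] - f["network_fee"])            # network keeps its fee
    ledger.move("acquirer", "merchant", amount - f["merchant_discount"])  # settlement
    return f


def chargeback(ledger: Ledger, amount: Decimal, fees: FeeSchedule, f: dict) -> None:
    """Reverse the transaction: merchant -> acquirer -> network -> issuer -> consumer."""
    for src, dst in (("merchant", "acquirer"), ("acquirer", "network"),
                     ("network", "issuer"), ("issuer", "consumer")):
        ledger.move(src, dst, amount)
    # Chargeback fee charged by the network to the acquirer and passed on to the merchant.
    ledger.move("acquirer", "network", fees.chargeback_fee)
    ledger.move("merchant", "acquirer", fees.chargeback_fee)
    if fees.fees_refunded_on_chargeback:
        # Assumed refund path: issuer returns interchange, network returns its fee,
        # acquirer passes both through to the merchant and keeps its own spread.
        ledger.move("issuer", "network", f["interchange"])
        ledger.move("network", "acquirer", f["interchange"] + f["network_fee"])
        ledger.move("acquirer", "merchant", f["interchange"] + f["network_fee"])


def simulate(amount: str, fees: FeeSchedule, do_chargeback: bool = False) -> dict:
    """Run one transaction (optionally reversed); return each party's net position as text."""
    ledger = Ledger()
    amt = money(amount)
    f = capture_and_settle(ledger, amt, fees)
    if do_chargeback:
        chargeback(ledger, amt, fees, f)
    assert ledger.is_balanced(), "ledger does not net to zero"
    return {p: str(v) for p, v in ledger.balances.items()}


if __name__ == "__main__":
    for label, fees, cb in (("settled", FeeSchedule(), False),
                            ("charged back, fees not refunded", FeeSchedule(), True),
                            ("charged back, fees refunded",
                             FeeSchedule(fees_refunded_on_chargeback=True), True)):
        print(label, simulate("100.00", fees, cb))
```

On a $100.00 sale the merchant nets $97.74; after a chargeback it is out $17.26 when the original fees are not refunded (the full amount plus the chargeback fee), and still out $15.25 when they are.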
Payment card networks are “two-sided networks,”56 meaning that they
have two distinct types of end customers: merchants and consumers.
Payment card networks are unique among two-sided networks, however, in
that they have not only two different types of end customers, but also two
different types of intermediate customers: acquirers and issuers. The
existence of these four different types of customers significantly
complicates the economic workings of payment card networks.
In a two-sided network, the value of participating in the network to one
type of customer depends on how many of the other type of customer are
participating. For example, heterosexual bars and newspaper classifieds are
both examples of two-sided networks. At heterosexual bars, the appeal of
the bar to men depends on the number of women present and vice-versa.
Straight men do not want to go to bars populated only by other straight
men, and straight women do not want to go to bars populated only by other
straight women. Likewise, newspaper classifieds are of interest to
advertisers based on the number of readers and to readers based on the
number of advertisers. Advertisers want classified readers and classified
readers want advertisers. Similarly, the value of being a cardholder in a
payment card network depends on the number of merchants in the network
and vice-versa.
52. Interchange Reimbursement Fees, MERCHANT COUNCIL, http://www.merchantcouncil.org/
merchant-account-information/rates-fees.php (last visited Oct. 16, 2010). A “blended rate” that
gives merchants a single merchant discount rate, regardless of the particular mix of interchange
rates on the cards used, is a common alternative, especially for smaller merchants. Id. (Enhanced
Recover Reducer (ERR)).
53. Chargebacks & Dispute Resolution: Chargeback Cycle, VISA, http://usa.visa.com/mercha
nts/operations/chargebacks_dispute_resolution/chargeback_cycle.html (last visited Oct. 16, 2010).
54. Merchant Card Processing: Frequently Asked Questions, BANK OF AMERICA,
http://www.bankofamerica.com/small_business/merchant_card_processing/index.cfm?template=f
aqs#cb_2 (last visited Oct. 16, 2010).
55. See generally MASTERCARD WORLDWIDE, CHARGEBACK GUIDE (Apr. 16, 2010)
[hereinafter MASTERCARD CHARGEBACK GUIDE].
56. But see Dennis W. Carlton & Alan S. Frankel, Transaction Costs, Externalities, and “Two-Sided” Payment Markets, 2005 COLUM. BUS. L. REV. 617, 626–31 (arguing that the concept of
two-sided markets is insufficiently defined and that most markets can be described as two-sided
because consumers benefit from the supply created in response to the demand of other
consumers).
In card networks, as with other two-sided networks, the increase in
marginal value from greater network participation diminishes as the
network grows. It is of little consequence to a consumer if a card network
has 50 million or 50 million and one merchants in the network. Once a
network is sufficiently well established, its marginal size is of limited
importance to its value to its participants.
A multi-bank payment card network like MasterCard or Visa (and
American Express and Discover for their third-party issuers) has a more
delicate balancing act to maintain than simply achieving a balance between
the two types of end-users, consumers and merchants. Multi-bank networks
also have to ensure participation of a sufficient number of both issuers and
acquirers in order to ultimately optimize and grow end-user participation.57
The existence of both intermediate customers and end-customers for
payment card networks further complicates the dependency. The value of a
network to the intermediate customers—issuers and acquirers—depends not
on the number of the other type of intermediate customer, but on the
number of the other type of intermediate customer’s end-customer.
Acquirers care about the number of cardholders in the network, and issuers
care about the number of merchants.58 This is not the case for the end-customers. It is irrelevant to consumers and merchants how many
intermediate customers (issuers and acquirers) are in the network;59 instead,
network value depends on the numerosity (and geographic and industry
concentration) of the other type of end-customer.60
Price elasticities—willingness to pay—for network services are likely
to differ between customer types in a two-sided network. Because the value
of the network to its participants depends on increasing the size of both
sides of the network, pricing of access to the network involves allocating
network costs to the different types of participants according to their price
elasticity in order to maximize the size, and hence value, of the network.61
57. See id. at 631–37.
58. See Levitin, Economic Costs, supra note 19, at 1377.
59. Consumers care about the number of issuers of cards in general, but for reasons related to
competition for card provision, rather than network dynamics.
60. See Levitin, Economic Costs, supra note 19, at 1364–65.
61. Id.
A central role of the network association is to coordinate optimal
participation in the network through price manipulation, both in terms of
direct monetary pricing and indirect pricing through network rules that
impose liability on network participants for losses or limit network
participants’ ability to reallocate costs to other network participants.62
For merchants, these costs are the merchant discount fee, any sunk
equipment fees, and fees to ISOs and processors, as well as the costs of
fraud. For consumers using a credit card, these costs are an annual fee (if
any), the costs of revolving a balance, ancillary fees (over-limit, late, cash
advance, foreign transaction, e.g.), and the costs of fraud.63 For consumers
using a debit card, the costs are account maintenance fees (if any), overdraft
fees (if any), and the costs of fraud. For merchants and consumers, fraud
costs are part of the total cost of participating in a payment card network.
Fraud liability is a price component, just not one that is explicitly priced.
Payment card network associations do not have contractual privity with
the end-users of the networks.64 Accordingly, they do not have direct
control over the total price for the end-users. They may exercise this control
only indirectly through their pricing and rules for issuers and acquirers.
These prices and rules set a floor for the pricing and rules that issuers and
acquirers apply to their respective end-users, consumers, and merchants.
While the payment card networks’ rules technically bind only the card
networks’ member institutions—issuer and acquirer banks—the costs are
passed on to the end-users to the extent permitted by law (and card
association rules).65
B. PAYMENT CARD LIABILITY RULES IN THE UNITED STATES
In the United States, the liability for unauthorized payment card
transactions is allocated partially by statute and partially by private
ordering. Federal law generally limits individual consumer liability for
unauthorized transactions to $50 for credit and debit cards, albeit with
important exceptions discussed in Part IV, infra.66 The liability of
merchants and financial institutions is determined through private ordering
under payment card network rules. The payment card networks’ rules
technically bind only the card networks’ member institutions—issuer and
acquirer banks. Acquirers, however, uniformly pass on their liability to their
merchants by contract, sometimes adding fees.
62. Id. at 1334–38 (describing network rules that restrict merchants’ ability to reallocate costs
to consumers).
63. Consumers bear the cost of interchange indirectly in the form of higher prices or reduced
merchant services. See Levitin, Social Costs, supra note 46, at 27–37.
64. See Levitin, Economic Costs, supra note 19, at 1327–31.
65. See id. at 1334–39.
66. See supra note 4.
All payment card networks have substantially identical rules,67 although
there is variation in the often inscrutable details. In certain circumstances,
the issuer is allowed to chargeback the transaction to the acquirer, thereby
putting loss liability on the acquirer.68 The card networks’ rules governing
chargebacks are extremely complicated and run hundreds of pages long, but
they can largely be summarized as follows: for card-present transactions,
where the merchant can physically examine the card and obtain a signature
or PIN code, the issuer bears all liability for unauthorized transactions,
provided that the merchant followed the required security steps. These steps
generally involve inspection of the card, obtaining authorization from the
issuer for the transaction, and obtaining a signature from the cardholder.69
Signatures, as we shall see, are not authorization devices, but ex post loss
allocation devices. Card-present transactions include any transaction in
which the card is physically swiped at a magnetic stripe (mag stripe) reader
in the presence of the merchant’s employee, and is imprinted on a
“knucklebuster” or otherwise physically handled by the merchant. Some
networks also include small ticket (“No Signature Required”) transactions
and contactless or “proximity” RFID transactions in this category.70 For
card-not-present (CNP) transactions, such as mail-order and telephone-order (MOTO) or Internet transactions, the acquirer (and hence the
merchant) bears all liability for unauthorized transactions.71
67. See MASTERCARD WORLDWIDE, MASTERCARD RULES (May 12, 2010) [hereinafter
MASTERCARD RULES]; VISA, INT’L OPERATING REGULATIONS (Apr. 1, 2010) [hereinafter VISA
INT’L REGULATIONS]; AMERICAN EXPRESS, MERCH. REGULATIONS—U.S. (Apr. 2010);
DISCOVER, MERCHANT OPERATING REGULATIONS, RELEASE 10.2 (Apr. 16, 2010) [hereinafter
DISCOVER MERCHANT OPERATING REGULATIONS].
68. See, e.g., VISA, INT’L OPERATING REGULATIONS—DISPUTE RESOLUTION PROCEDURES 20
(Nov. 2, 2009), available at http://usa.visa.com/download/merchants/visa-international-operatingregulations-dispute-resolution-rules.pdf [hereinafter VISA DISPUTE PROCEDURES].
69. Id. at 100–02. Gas station pump transactions, which require a physical card to be swiped,
do not qualify as “card-present” because there is no physical examination of the card by a station
employee.
70. See id. at 102–03; AMERICAN EXPRESS, MERCH. REGULATIONS—U.S. (Oct. 2009) §
4.6.2., at 31. The shifting of fraud liability from merchants to issuers for these types of
transactions is to foster merchant acceptance of contactless and signature-free transactions, which
issuers might anticipate resulting in larger ticket transactions because of the seamlessness of the
spending process.
71. VISA DISPUTE PROCEDURES, supra note 68, at 112–13. There are some important
exceptions to this rule. For example Visa puts the loss on the issuer if the merchant shipped
merchandise and the issuer did not participate in its Address Verification Service. Id. at 114–15.
II. WHAT HATH PRIVATE ORDERING WROUGHT?
A. WHO IS THE LEAST COST AVOIDER? CARD-PRESENT
TRANSACTIONS
In a world of perfect markets, liability for a harm is optimally allocated
to the least cost avoider of that harm.72 The fact that payment cards are two-sided networks is irrelevant to the application of the least cost avoider
principle; allocating the loss to the least cost avoider is the efficient
outcome, regardless of varying price elasticities between merchants and
card issuers. This can be seen from considering how the total value of a
payment system to its participants varies with fraud loss allocation. The
total value (V) of a payment system to its participants is equal to their
collective net benefit from the system excluding fraud costs (E) minus fraud
costs (F). Thus, $V = E - F$. We can refine this as
$V = E_{\text{Merchant}} + E_{\text{Bank}} - F_{\text{Merchant}} - F_{\text{Bank}}$.
The values of $F_{\text{Merchant}}$ and $F_{\text{Bank}}$ depend on which party is liable for
fraud. If a party is not liable, then its fraud costs are zero. For simplicity’s
sake, assume that fraud costs can either be allocated wholly to the merchant
or wholly to the issuer bank, but not shared. Therefore, if the costs are
allocated wholly to the merchant, $F_{\text{Bank}} = 0$, and if the costs are allocated
wholly to the card issuer, then $F_{\text{Merchant}} = 0$.
Thus, the value maximizing proposition depends on whether
$E_{\text{Merchant}} + E_{\text{Bank}} - F_{\text{Merchant}} \gtrless E_{\text{Merchant}} + E_{\text{Bank}} - F_{\text{Bank}}$,
which means it depends on whether the issuer bank or the merchant is liable,
that is, on whether $F_{\text{Bank}} \gtrless F_{\text{Merchant}}$. The
relative values of $F_{\text{Bank}}$ and $F_{\text{Merchant}}$ depend on how cheaply each party can
avoid fraud, as F, the total cost of fraud, is the sum of fraud losses plus
fraud avoidance expenses. If the merchant can avoid fraud more cheaply
than the issuer bank, then $F_{\text{Bank}} > F_{\text{Merchant}}$, and V will be maximized by
placing liability on the merchant, whereas if the issuer bank can avoid fraud
more cheaply, then $F_{\text{Bank}} < F_{\text{Merchant}}$, and V will be maximized by placing
liability on the issuer bank.
The key point to see here is that E is irrelevant to the outcome. E is the
net benefit that the network’s participants derive from participating
(excluding fraud costs). The participants’ maximum willingness to pay in
the absence of fraud costs—the limit to their price elasticity—must equal E,
as they will not pay beyond the net benefit received. This means that the
network participants’ price elasticity is irrelevant for the application of the
least cost avoider principle. Even in a two-sided network, then, the least
cost avoider principle is unaltered.
72. See, e.g., GUIDO CALABRESI, THE COST OF ACCIDENTS: A LEGAL AND ECONOMIC
ANALYSIS 136–38 (1970) (exploring the least cost avoider in a typical car and pedestrian
accident).
So, are fraud losses in payment card networks allocated to the least cost
avoider? Are the card networks’ fraud loss allocation rules efficient?
For card-present transactions, the rules place the loss on the issuer,
unless the merchant has failed to follow some basic steps in inspecting the
card and obtaining a signature or PIN (with exceptions for proximity and
no-signature small ticket transactions).73 Consider how this allocation
applies in the five basic card-present fraud situations:74
1. The “friendly fraud” or “first-party fraud” scenario, when a real
cardholder uses his or her card to obtain goods or services and then
denies having authorized the transaction or otherwise claims that the
transaction was defective (by claiming nondelivery of goods or
nonconforming merchandise, e.g.).
2. The “stolen card” scenario, when a card is stolen and used by the thief
(or a taker from the thief) to perform a transaction. The card is a real
card being used by an unauthorized user.
3. The “fraudulent issuance” scenario, when a transaction is performed
on a real card that was issued based on fraudulent information
(typically to a fictitious individual). The card is a real card being used
by an authorized (but fake) user.
4. The “real account, counterfeit card” scenario, where the transaction is
performed using a counterfeit card that uses real data copied from an
actual card. The card is a fake card, but the user is an authorized user.
5. The “fake account, counterfeit card” scenario, where a transaction is
performed using a counterfeit card that uses generated data that does
not match any actual account (but often partially matches with
fraudster). This is a fake card with an unauthorized user.
For situation one, the “friendly fraud” or “first-party fraud” scenario,
the least cost avoider is the consumer. If it can be shown that the consumer
did in fact perform the transaction, the consumer will bear the liability
(assuming the consumer can be found and is solvent). In this scenario, there
is no particular care that either the merchant or the issuer can take to avoid
the fraud ex-ante. The transaction is indistinguishable from a legitimate
purchase until the cardholder denies having made the transaction. At that
point, the question is whether there is sufficient proof that the transaction
was in fact properly authorized. Proof of authorization depends on the
authorization method. If the merchant follows authorization protocols, then
the issuer is the least cost avoider, as the issuer controls the authorization
procedures. Accordingly, if the first-party fraud cannot be proven, the issuer
bears the liability in the card-present environment. This means that liability
rests on the least cost avoider.
73. VISA DISPUTE PROCEDURES, supra note 68, at 100–07.
74. This Article does not address the various merchant-initiated fraud situations that can arise,
including factoring for money laundering purposes.
For situation two, the “stolen card” scenario, if the consumer received
the card, then the consumer is likely the least cost avoider, at least until the
point that the card’s theft is reported, at which point the issuer is the least
cost avoider as the issuer can simply deactivate the card and deny any
authorization requests.75 Likewise, if the consumer did not receive the card
because it was intercepted by a fraudster, then the issuer would be the least
cost avoider as the issuer controls the card activation procedures.
The merchant is unlikely to be the least cost avoider for a stolen or
intercepted card. The merchant might be able to recognize a card as stolen
based on an obvious mismatch of the user and the name on the card—such
as if Dolly Parton used Barack Obama’s credit card—but card network
rules do not expect merchants to catch obvious mismatches, and the
merchant may generally not demand identification as a condition of
accepting the card.76
Card network rules do generally require merchants to compare the
signature on the charge slip with the specimen signature on the card,77 but
signature matching is an art, not a science, at least when practiced by store
clerks, and is of little use in preventing fraud. The signature of a harried
consumer, such as one in a grocery line attempting to soothe a bevy of
bawling toddlers, is likely to vary significantly from a calmly written
specimen. In a typical commercial context, the store clerk never examines
the card in any way, not least because it is not an efficient use of the clerk’s
time. Even if a merchant’s employees were diligent in examining
signatures, the fraud reduction savings would likely be minimal. These
savings would also be unlikely to offset the costs to the merchant from
slower transaction speed at the register, namely the loss of sales because of
greater transaction costs for customers due to increased wait times at the
register or the cost of hiring more employees to work at the register. As
with situation one, the ultimate least cost avoider in a stolen/lost card
scenario is the issuer, and that is where liability rests.
75. The major exception is the small minority of U.S. card transactions that are not authorized
in real time (e.g., knucklebuster or telephone transactions). In those cases, the merchant may have
parted with the merchandise before obtaining an authorization. When a merchant delivers without
having obtained prior authorization, then the merchant is the least cost avoider.
76. MASTERCARD RULES, supra note 67, § 5.8.4, at 5-17; VISA INT’L REGULATIONS, supra
note 67, at 468 (only requiring merchant review of additional identification where the signature
panel is blank). The merchant may also require the cardholder’s address or ZIP code for certain
transactions. MASTERCARD RULES, supra note 67; VISA INT’L REGULATIONS, supra note 67, at
469. Discover requires merchants to examine two pieces of identification, one of which must be
government issued for authorizing transactions on unsigned cards, but its rules are silent regarding
examination of extrinsic identification for signed cards. See DISCOVER MERCHANT OPERATING
REGULATIONS, supra note 67, § 3.1.2.1.
77. See, e.g., MASTERCARD CHARGEBACK GUIDE, supra note 55, §§ 2.1.6.3.1–3.2; VISA INT’L
REGULATIONS, supra note 67, at 463–64; DISCOVER MERCHANT OPERATING REGULATIONS,
supra note 67, §§ 3.1.2–3.1.2.1.
In situation three, involving a fraudulently issued card, the issuer is the
least cost avoider. There is no real consumer, and the merchant has even
less ability to detect the fraud than with a stolen card, as the card
information, including the signature, can be tailored to match that of the
fraudster using the card. Again, the least cost avoider is liable.
In situation four, “real account, counterfeit card,” it is not clear who is
the least cost avoider. As the counterfeit card is made using real consumer
data, data protection is the critical issue for preventing this type of fraud.
The least cost avoider for data protection varies as data flows through the
transaction process and is also retained for various purposes. But even with
optimal data protection, there is still the possibility of “skimming”—the
recording of card data from a magnetic stripe when the card is tendered to a
merchant’s employee (a particular problem in restaurants).78 The skimmed
data is then encoded onto a counterfeit card (or used in card-not-present
transactions).
Thus for “real account, counterfeit card” the least cost avoider largely
depends on how the fraudster obtained the real account information.
Depending on how the information was obtained, the consumer, issuer,
merchant or acquirer/processor could be at fault. Once the information is in
circulation, however, the ability to prevent the counterfeiting largely
depends on the issuer and the network and the security features they require
for physical cards. The merchant is unlikely to detect the counterfeit. The
merchant has no particular skill or ability to detect a counterfeit card
beyond a blatantly poor forgery. This means the merchant has virtually no
ability to stop the fraud. As the issuer controls the physical design of the
card, and hence the ease of counterfeiting, the issuer is the least cost
avoider, and yet again, the issuer is liable.
In situation five, with a counterfeit card using fake account information,
the least cost avoider is likely the issuer. In this situation there is no actual
consumer, and the merchant has little ability to detect the forgery. While the
network and issuer have control over the physical characteristics of the
card, which affect ease of counterfeiting, the issuer must authorize the
transaction, and if the card does not match an existing account number, the
issuer can easily deny the transaction. As with the other card-present
scenarios, the issuer is the least cost avoider and is liable.
For card-present transactions, the least cost avoider may vary somewhat
situationally, but it is typically the issuer. It makes sense to require the
merchant to take basic anti-fraud steps and, if followed, place the loss on
the issuer, who is then the least cost avoider. This is exactly what card
network rules mandate. Thus, the current arrangement of loss allocation for
card-present rules seems largely sensible.
78. See Facciolo, supra note 8, at 629.
B. WHO IS THE LEAST COST AVOIDER? CARD-NOT-PRESENT
TRANSACTIONS
Card-not-present transactions present a different story. CNP liability
rules are a product of the historical development of payment card markets.
When card networks first began, there were no CNP transactions. All
transactions required physical presentment of the card, and the issuer bore
the risk of unauthorized transactions (as explained above) as merchants
were unwilling to assume fraud risk for a nascent technology over which
they had little control.79
Merchants, however, wanted to be able to take cards for mail-order and
telephone-order (MOTO) transactions, where no card would be presented
physically.80 Issuers were reluctant to assume fraud risk for these
transactions, even if the expiry date was used as a password and
merchandise was required to be sent to the cardholder’s billing address.81
Merchants concluded that the gains from these transactions outweighed the
fraud risks, so they agreed to assume liability for unauthorized MOTO
transactions82 (certainly it was no riskier for them than shipping before a
check was received and cleared).
The fraud liability rules made sense in their historical origins. Today,
however, they are less sensible, as most CNP transactions are not MOTO,
but Internet transactions. Historically, card fraud involved situations one
through four (friendly fraud, stolen card, fraudulent issuance, counterfeit
card using actual information), but not situation five (new account fraud).
Fraudsters would obtain the card or card data of a real cardholder and
would use it to purchase goods that would be shipped to the fraudster.
Contemporary fraud involves both existing account fraud and new account
fraud.83
The problem with CNP liability rules is that they do not account for
changed circumstances. Now, as before, merchants have little ability to
prevent CNP fraud in any of these situations. The merchant’s role in the
transaction is limited to requiring whatever information the network and/or
issuer require. The merchant has no ability to verify the information or the
identity of the customer.84 Moreover, CNP merchants face substantially
higher interchange rates than card-present (CP) merchants in addition to a
different set of fraud rules.85
79. Admittedly, until the 1970s, fraud prevention for card-present transactions was also quite
difficult, as transactions were not authorized in real time. See ROSS J. ANDERSON, SECURITY
ENGINEERING: A GUIDE TO BUILDING DEPENDABLE DISTRIBUTED SYSTEMS 394–95 (Carol A.
Long, ed., 2001); Steve Mott, Perhaps It’s Time to Mothball the Mighty Mag-Stripe, PYMTS
(2010), http://www.pymnts.com/perhaps-it-s-time-to-mothball-the-mighty-mag-stripe.
80. See ANDERSON, supra note 79, at 394.
81. Id. at 394.
82. See CYBERSOURCE, MANAGING RISK ON THE NET WHITE PAPER: WHAT INTERNET
MERCHANTS NEED TO KNOW 2 (2000), available at http://www.cybersource.com/resources/colla
teral/pdf/ifs_wp111500.pdf.
83. Joseph Campana, Identity Theft: More than Account Fraud: What Everyone Should Know
1 (Apr. 2006) (unpublished manuscript), available at http://www.jcampana.com/JCampana
Documents/IdentityTheftMoreThanAccountFraud.pdf.
Issuers’ ability to prevent CNP fraud, however, has changed
dramatically. Advances in card security arguably make CNP transactions
safer than CP transactions.86 In a CNP transaction, it is easy to require the
cardholder to transmit not only the card account data and the Card
Verification Value (CVV),87 which is written on the back of the card and
not included in the card number on the front or on the mag stripe, but also
the billing address, billing telephone, or e-mail address information. If
additional information beyond the card account data—the account number,
the account holder’s name, and the expiry date—is required, then a
fraudster needs more than the physical card (which is easy to forge given
that mag stripe technology is now over thirty years old88) or a copy of the
face of the card to use the card successfully.
Accordingly, the issuer has the ability to prevent at least some CNP
fraud. The issuer can first verify the information supplied to the merchant to
ensure that it is a real account and that the card information matches the
CVV code on the back of the card. Second, the issuer can verify the billing
address or other borrower information. Third, the issuer can use statistical
fraud prevention tools called neural networks that can identify anomalies in
spending behavior by analyzing transactions in relation to the cardholder’s
transaction history, looking for outliers in geography, merchant type, and
transaction amount. The speed of these networks allows issuers to prevent
suspicious transactions at the authorization stage.
84. See Mann, Making Sense of Payments, supra note 8, at 6771 (noting that in CNP settings,
merchants lack a “credible mechanism for verifying the identity of the purported cardholder”).
85. See DELL LETTER, supra note 3, at Appendix 1 (listing the “Differential Between Card
Present and Card Not Present Visa Debit Interchange Fees”); Letter from Paul Misener, Vice
President for Global Pub. Policy, Amazon.com, to Louise L. Roseman, Dir., Div. of Reserve Bank
Operations and Payment Sys., Federal Reserve Board of Governors 14 (Nov. 20, 2010), available
at http://www.federalreserve.gov/newsevents/files/amazon_comment_letter_20101120.pdf
(showing that there is as much as a 98 basis point and two cents difference in CNP and CP
interchange rates); see also Letter from Joshua R. Floum, Exec. Vice President, General Counsel
and Secretary, Visa U.S.A., Inc., to Louise L Roseman, Dir., Div. of Reserve Bank Operations and
Payment Sys., Federal Reserve Board of Governors 13 (Nov. 8, 2010), available at
http://www.federalreserve.gov/newsevents/files/visa_comment_letter20101118.pdf (noting that
interchange rates reflect fraud risks).
86. See generally VISA, GLOBAL VISA CARD-NOT-PRESENT MERCHANT GUIDE TO GREATER
FRAUD CONTROL: PROTECT YOUR BUSINESS AND YOUR CUSTOMERS WITH VISA’S LAYERS OF
SECURITY, available at http://usa.visa.com/download/merchants/global-visa-card-not-present-merchant-guide-to-greater-fraud-control.pdf.
87. This code is variously called the Card Security Code (CSC), Card Verification Value
(CVV or CV2 or CVV2), Card Verification Value Code (CVVC), Card Verification Code (CVC),
Verification Code (V-Code or V Code), or Card Code Verification (CCV). The “2” included in
some abbreviations is to distinguish it from the code on the front of the card and mag stripe (the
card number). See Kimberly Kiefer Peretti, Data Breaches: What the Underground World of
“Carding” Reveals, SANTA CLARA COMP. & HIGH TECH. L.J. 375, 387 n. 66 (2009); see also
Card Security Code (CSC) and Card Verification Value (CVV), BOOTSTRAP,
http://mediakey.dk/~cc/card-security-code-csc-and-card-verification-value-cvv (last visited Oct.
19, 2010).
88. See Mott, supra note 79.
22 BROOK. J. CORP. FIN. & COM. L. [Vol. 5
Thus, if an 18-year-old Peoria resident’s card was used at 5PM CDT to
make a purchase at a fast food restaurant in Peoria, and then used at 5:15PM
CDT to purchase a $2,000 dinner in Paris, there is likely a fraud occurring.
The issuer can deny the questionable transaction and freeze the account
until and unless the real cardholder contacts the issuer to unlock the account
by providing some additional verification information.89 Critically, only the
issuer has the ability to examine data from multiple transactions to observe
transaction patterns; merchants only observe one-off transactions.
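The authorization-time checks this paragraph describes, as an added illustration that is not code from the article or from any issuer or card network: an issuer-side scorer that tests a request against the cardholder's own history for the three anomalies named above (geography, merchant type, and transaction amount) and declines and freezes on a clear hit. The cardholder history, the coordinates, the speed and amount thresholds, the merchant-category labels, and the decline policy are all constructed assumptions for the example.

```python
"""Issuer-side anomaly checks at authorization time.

Added illustration for the Peoria/Paris example in the text; this is not
code from the article or from any issuer or card network. The cardholder
history, the coordinates and every threshold below are constructed
assumptions for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt
from statistics import median


@dataclass(frozen=True)
class Txn:
    when: datetime   # authorization time, UTC
    amount: float    # USD
    mcc: str         # merchant category; constructed labels, not real MCC codes
    lat: float
    lon: float


# Assumed policy parameters (not from the article).
MAX_PLAUSIBLE_KMH = 1000.0    # faster than this between two purchases is "impossible travel"
AMOUNT_OUTLIER_FACTOR = 10.0  # more than 10x the cardholder's median ticket is an outlier


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two latitude/longitude points."""
    r = 6371.0
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * r * asin(sqrt(a))


def score_authorization(history, candidate):
    """Return (decision, reasons) for one authorization request.

    `history` is the cardholder's prior approved transactions, oldest first.
    Only the issuer holds this history, which is the text's point: a merchant
    sees a single transaction and cannot run any of these checks.
    """
    reasons = []
    if history:
        last = history[-1]
        hours = (candidate.when - last.when).total_seconds() / 3600.0
        km = haversine_km(last.lat, last.lon, candidate.lat, candidate.lon)
        # Implied travel speed since the previous purchase; the floor on hours
        # avoids division by zero for two authorizations in the same second.
        speed_kmh = km / max(hours, 1e-6)
        if speed_kmh > MAX_PLAUSIBLE_KMH:
            reasons.append(f"impossible travel: {km:.0f} km in {hours * 60:.0f} min")
        typical = median(t.amount for t in history)
        if candidate.amount > AMOUNT_OUTLIER_FACTOR * typical:
            reasons.append(f"amount outlier: {candidate.amount:.2f} vs median {typical:.2f}")
        if candidate.mcc not in {t.mcc for t in history}:
            reasons.append(f"new merchant type: {candidate.mcc}")
    # Assumed decline policy: impossible travel is decisive on its own; the
    # softer signals must corroborate each other so that one unusual but
    # legitimate purchase does not freeze a real cardholder's account.
    decisive = any(r.startswith("impossible travel") for r in reasons)
    if decisive or len(reasons) >= 2:
        return "decline_and_freeze", reasons
    return "approve", reasons


# Constructed locations and a constructed reference time (5:00 PM CDT = 22:00 UTC).
PEORIA = (40.6936, -89.5890)
PARIS = (48.8566, 2.3522)
T0 = datetime(2010, 6, 1, 22, 0)


def example_history():
    """A constructed month of small local purchases, ending with the 5 PM fast-food stop."""
    hist = []
    for days_ago in range(29, 0, -1):
        hist.append(Txn(T0 - timedelta(days=days_ago, hours=3), 32.00, "grocery", *PEORIA))
        hist.append(Txn(T0 - timedelta(days=days_ago), 8.50, "fast_food", *PEORIA))
    hist.append(Txn(T0, 9.75, "fast_food", *PEORIA))
    return hist


def run_example():
    """Score the article's Paris dinner and, for contrast, a routine local purchase."""
    hist = example_history()
    paris_dinner = Txn(T0 + timedelta(minutes=15), 2000.00, "restaurant", *PARIS)
    local_lunch = Txn(T0 + timedelta(hours=20), 11.25, "fast_food", *PEORIA)
    return score_authorization(hist, paris_dinner), score_authorization(hist, local_lunch)


if __name__ == "__main__":
    for decision, reasons in run_example():
        print(decision, reasons)
```

The geography check is an implied-speed test between consecutive purchases, which is why only a party holding more than one transaction can run it; a merchant seeing the Paris dinner alone has nothing to compare it against. The amount and merchant-type signals are deliberately weaker on their own, since a genuine cardholder occasionally makes one large or unusual purchase.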
Issuers’ ability to prevent unauthorized CNP transactions has advanced
by leaps and bounds since the 1970s, when MOTO transactions began.90
Moreover, issuers no longer need to be induced to authorize CNP
transactions; e-commerce is so well established that issuers cannot and
would not abandon the market if they were to bear liability for unauthorized
transactions.
The efficiency of CNP liability rules is suspect in light of changes in
the marketplace. Originally, it made sense for merchants to bear the risk of
fraud on CNP transactions because there was no effective avoidance and
because merchants gained the greatest benefit from the transactions. Now
issuers are the clear least cost avoider. Accordingly, placing the liability on
issuers would be the efficient outcome; indeed, it would likely encourage
greater security efforts, such as the use of two-factor identification methods
that rely on factors other than CVV and billing address, such as randomly
generated PINs, which would be known only to the cardholder, absent
cardholder carelessness.91
C. MAKING SENSE OF THE LIABILITY RULES
Payment card network rules for allocating liability for unauthorized
transactions seem well-designed for card-present transactions, but are
unlikely to be optimal in a CNP setting. Figure 2 summarizes the variations
between actual rules and the likely optimal rules, assuming that all
authorization procedures are properly followed by the merchant.
89. To be sure, the issuer’s ability to prevent fraud is far from perfect. Small ticket, local
transactions are unlikely to get noticed. But compared to the merchant, the issuer has much greater
ability to avoid the fraud. Yet, liability for CNP transactions is not on the issuer.
90. ANDERSON, supra note 79, at 394.
91. To be sure, we might ask whether the current situation is Kaldor-Hicks efficient. Why
don’t merchants simply pay issuers for greater security measures up to the point where there
would be no marginal benefit? The answer is because of a coordination problem due to high
transaction costs—there are millions of merchants and thousands of issuers that must be coordinated—
and because of a free-riding problem. The benefits of improved issuer fraud prevention are shared
by all merchants. If any merchant paid for better security, it would have to share the benefits with
free-riders. Better, a merchant would calculate, to free-ride, than to be freely ridden.
Figure 2. Actual and Likely Optimal Fraud Allocation Rules

                     EXISTING ACCOUNT FRAUD         NEW ACCOUNT FRAUD
                     ACTUAL RULE   OPTIMAL RULE     ACTUAL RULE   OPTIMAL RULE
CARD PRESENT         ISSUER        ISSUER           ISSUER        ISSUER
CARD NOT PRESENT     MERCHANT      ISSUER           MERCHANT      ISSUER
Why would the United States have suboptimal liability rules for
payment card networks? Part of the answer is historical. As Part II.B
explained, for CNP transactions, rules that made sense in their original
context have ossified and become outmoded by changes in technology.
The history of the payment card networks themselves explains this
ossification. Until 2005–2006, MasterCard and Visa, the largest payment
card networks, were mutual organizations dominated by their large issuer
banks.92 The large issuer banks had little incentive to change the CNP
liability rules. Under the rules, issuers incur fraud losses that are only a
fraction of merchants’.93 Thus in 2009, issuers incurred $0.95 billion in total
(CP and CNP) fraud losses.94 In contrast, one study puts merchants’ total
fraud losses at over $100 billion.95 While issuers are the least cost avoiders,
they do not bear most of the costs of fraud. Therefore, they have little
incentive to engage in aggressive anti-fraud efforts.96 For example,
networks and issuers have persisted in using mag stripe cards with account
numbers embossed on the front.97 These cards are extremely vulnerable to
skimming, to use when they are stolen, and to having account numbers
simply copied down and then used in CNP transactions.98 Simple steps such
as adopting Chip & PIN technology (discussed in more detail in the next
section) would frustrate skimming and theft, while card numbers need not
be displayed on the card.99
92. Levitin, Economic Costs, supra note 19, at 1327–28.
93. LEXISNEXIS FRAUD STUDY, supra note 1, at 23.
94. Kate Fitzgerald, supra note 1, at 17.
95. LEXISNEXIS FRAUD STUDY, supra note 1, at 23.
96. In theory, in the credit card space, the other two networks, American Express and
Discover, could have tried competitive differentiation based on different CNP fraud rules.
However, these networks had little to gain from such differentiation. At best, it would increase
their merchant acceptance rates, but it would not necessarily garner them more transactions, as
merchants do not choose which card network a payment will be on. Moreover, these networks are
also their own primary issuers (and were their sole issuers before 2005), so the competitive
benefits from signing up more merchants would have to be weighed against the network-issuer
incurring greater fraud losses. The calculus, apparently, weighed in favor of keeping the losses on
merchants. For debit cards, CNP transactions have never been a critical issue because there are
very few CNP debit transactions. MOTO and Internet debit transactions are rare.
97. See Mott, supra note 79.
Anti-fraud efforts must be implemented by issuers, but the role of
setting standards falls to the network association itself. The problem is that
the network associations compete with each other for issuer membership.
The networks make most of their revenue from per transaction fees.100 This
means that they want to increase volume on their cards, which in turn
means that they need to have more cards in circulation. In order to increase
the number of cards, networks need to have more and larger issuers in their
stables. Networks thus compete for issuers.
If a network required greater anti-fraud measures from issuers, it would
impose additional costs on issuers and therefore make itself less attractive
to them. The full cost of anti-fraud would be borne by the issuer, but the
benefits would accrue primarily to the merchant, and issuers have little
interest in subsidizing merchants for the overall good of the network.
Mandating additional anti-fraud measures can cost a network market share,
while bringing the network itself no tangible benefit.
D. INTERNATIONAL VARIATION IN LIABILITY RULES AND FRAUD
ARBITRAGE
1. International Variation
There is significant international variation in payment card fraud
liability allocation rules.101 The international variation suggests that private
ordering does not always produce optimal results. It is possible that
different orderings are optimal in different countries, perhaps reflecting
variations in market penetration by payment cards. Yet there are variations,
even among very similarly developed economies with similar payment card
market penetration and usage patterns.
98. Id.
99. The short-lived Revolution Card (purchased by Amex in 2010) did not have an account
number visible on the front and required a PIN for all transactions. See What is RevolutionCard?,
REVOLUTIONCARD, http://www.revolutioncard.com/what-is-revolutioncard.aspx (last visited Oct.
9, 2010).
RevolutionCards don’t display your name, signature or other personally identifying
information on the card, offering you unparalleled security. So, even if you lose your
card, no one knows it’s yours, and if they do find out, they can not use it without your
PIN. RevolutionCards are PIN-based, and members can create their own unique 4-digit
Card Authorization Code (CAC) that is entered as a PIN into the PIN-pads at merchants
locations, and can be used for online shopping and phone-orders. Cardholders can also
generate random One Time CAC numbers, so they never need to give out their primary
CAC/PIN when they are using the card for online purchases, phone or other card-not-present transactions.
Id.
100. See DeGennaro, supra note 45, at 28.
101. See MASTERCARD RULES, supra note 67, §§ 3.9.1, at 11-1, 3.9.1(3), at 14-2
(corresponding rules in the Canada and South Asia, Middle East, and Africa regions).
Such variation is evidence that private ordering might not always result
in optimal liability rules. But it does not tell us which, if any, of the private
orderings is optimal. There is reason to believe, however, that the private
ordering in the United States is suboptimal compared with systems around
the world. Financial institutions in virtually every developed economy
outside of the United States have adopted integrated circuit (IC), or chip
cards, as their standard.102 Chip cards contain a microchip in the card.103
The microchip is, like any microchip, multifunctional,104 but among its
chief purposes is that it allows a card reader that operates on the same
standard, known as EMV (short for EuroPay-MasterCard-Visa), to verify
the authenticity of the card. The chip is thus an anti-counterfeiting device.
Australia, Canada, Cambodia, China, Hong Kong, Indonesia, Japan, Korea,
Malaysia, New Zealand, Singapore, South Africa, Taiwan, United Arab
Emirates, and virtually all of Europe have adopted EMV technology.105
Unlike the traditional mag stripe card, a chip card is quite difficult to
counterfeit.
The chip technology itself is only a protection against counterfeiting
physical cards, including duplication of actual cards. The chip does not
prevent unauthorized transactions if a card is stolen.106 In some countries
and regions, such as Australia, Canada, and Europe, financial institutions
have gone further to require Chip & PIN technology, where the IC card can
only be used with a PIN.107 Thus in Europe, all new, upgraded, or replaced
point-of-sale chip terminals must have a PIN pad.108
The PIN provides two-factor identification (the first factor being
possession of the card) where one factor is separate from the card (unlike
CVV), and helps ensure not only that the card is genuine, but that it is being
used by its authorized user.109 Thus, the Oliver Wyman Group reports that
in 2008 fraud loss rates on signature debit cards in the United States were
7.5 basis points, whereas PIN debit fraud loss rates were only one basis
point.110 Although Chip & PIN is not a failsafe technology, it is a far
stronger safety measure than anything on the American market.111
102. See John Hill & Victoria Conroy, EMV: The Story So Far, CARDS INT’L, Apr. 2009,
http://www.vrl-financial-news.com/asia-pacific/banking--payments-asia/issues/bpa-2009/bpa2009/emv-the-story-so-far.aspx; Thad Rueter, U.S. Stays on Sidelines As Other Nations Make
EMV Game Plans, CARDS & PAYMENTS, Nov. 2009, at 14, 16.
103. See Mott, supra note 79 (“Payment Cards ‘Smart’”).
104. Id. (“Is Contactless the New Hope?”).
105. Hill & Conroy, supra note 102; Rueter, supra note 102.
106. See Hill & Conroy, supra note 102.
107. MASTERCARD RULES, supra note 67, § 12-3.9.1(3), at 12-15.
108. Id. (discussing PIN Entry Device Mandate for the European Region). In Europe, issuers
are also forbidden from authorizing CNP transactions unless there is CVC2 verification. Id. §
3.9.2, at 12-15 (“CVC Processing for Card-Not-Present Transactions”).
109. Claes Bell, Are Chip and PIN Credit Cards Coming?, BANKRATE.COM (Feb. 2, 2010),
http://www.bankrate.com/finance/credit-cards/are-chip-and-pin-credit-cards-coming-1.aspx.
In the United States, only two cards have been rolled out with a chip:
the American Express Blue Card (Blue), first introduced in 1999,112 and the
United Nations Federal Credit Union (UNFCU) Visa card, introduced in
2010.113 Blue is American Express’s non-exclusive, mass-market card.114
Blue enables Amex to charge its premium merchant discount fee rates for
non-premium cardholders. While Amex equipped Blue cards with a chip,
the chip is useless as a security measure as almost no American merchants
have chip readers.115 Instead of serving as a security measure, the chip is
used for storing information about rewards programs.
The UNFCU Visa card, in contrast, does use Chip & PIN for security
reasons.116 UNFCU moved to Chip & PIN technology both because it
experienced particularly high fraud rates and because many of its members
use their cards outside of the United States in countries where Chip & PIN
is the norm and plain mag stripe cards are sometimes refused.117 In the
United States, though, the UNFCU Visa card operates just as a regular mag
stripe card, and it gains no security benefits from its Chip & PIN capability
due to the lack of Chip & PIN enabled point-of-sale terminals.118
Card network rules provide that use of Chip and Chip & PIN
technologies has been coupled with a shift in liability for card-present
transactions. Under the liability shift, merchants become, by default, liable
for all unauthorized card-present transactions.119 But, if the transaction used
a Chip reader, then the merchant will not be liable for losses from
counterfeit cards; instead liability will shift back to the issuer.120 Similarly,
if the transaction is with a Chip & PIN card and is properly used with an
EMV reader, then liability for unauthorized transactions shifts back to the
issuer.121
110. Stephanie Bell, Study: Debit Fraud Rates Rose Sharply Last Year, AM. BANKER, May 21,
2010, at 6.
111. Stephen J. Murdoch et al., EMV PIN Verification “Wedge” Vulnerability, UNIV. OF
CAMBRIDGE, http://www.cl.cam.ac.uk/research/security/banking/nopin (last visited Dec. 30,
2010); see also Ross Anderson et al., Chip and Spin (May 2005) (unpublished manuscript),
available at http://chipandspin.co.uk/spin.pdf; Saar Drimer et al., Optimised to Fail: Card Readers
for Online Banking 8–12 (Feb. 26–29, 2009) (unpublished manuscript), available at
http://www.cl.cam.ac.uk/~sjm217/papers/fc09optimised.pdf (last visited Oct. 9, 2010).
112. Jennifer Kingson, A Credit Card Loses Its High-Tech Cred, N.Y. TIMES BITS BLOG (Dec.
5, 2008, 11:30 AM), http://bits.blogs.nytimes.com/2008/12/05/a-credit-card-loses-its-high-tech-cred.
113. David Morrison, United Nations FCU Becomes First Chip and PIN Card Issuer in the
U.S., CREDIT UNION TIMES (May 26, 2010), http://www.cutimes.com/Issues/2010/May-26-2010/Pages/United-Nations-FCU-Becomes-First-Chip-and-PIN-Card-Issuer-in-the-US.aspx.
114. Query, is “Blue” short for blue collar?
115. Morrison, supra note 113.
116. Id.
117. Id.
118. See id.
119. MASTERCARD CHARGEBACK GUIDE, supra note 55, § 2.8.2.
120. Id.
These liability-shifting rules are consciously designed to encourage
merchant adoption of EMV readers. Some card networks have also
encouraged this shift by imposing an “incentive interchange rate”—
interchange penalties and rewards. In some regions, MasterCard offers a ten
basis point reduction in interchange for Chip & PIN transactions, and
imposes a ten basis point penalty for non-Chip & PIN card-present
transactions.122
At least for MasterCard, the decision of whether to implement a Chip
liability shift is left up to the financial institution members of the network—
not the merchants who are also affected. MasterCard permits a Chip
liability shift program in any country or region in which MasterCard
member financial institutions representing “75 percent of the currency
volume of both acquiring and issuing transactions” approve.123 Thus,
Europe has had a Chip liability shift since January 1, 2005, Brazil since
March 1, 2008, Colombia since October 1, 2008, and Venezuela since July
1, 2009. In Canada, Africa, Asia, and the Middle East the shift took effect
on October 15, 2010.124 Intraregionally, Europe, Latin America, and the
Caribbean have had Chip liability shifts since 2005.125
121. Id.; VISA DISPUTE PROCEDURES, supra note 68, at 102 (noting that a chargeback is invalid
“if the Device is EMV PIN-Compliant and the Transaction was correctly processed to completion
in accordance with EMV and VIS using the Chip Card data”).
For purposes of these Rules, “EMV-compliant” means in compliance with the EMV
standards then in effect.
1. Chip Liability Shift. The liability for intraregional counterfeit fraudulent Transactions in
which one Regional Member (either the Issuer or the Acquirer) is not yet EMV-compliant
is borne by the non–EMV-compliant Regional Member.
2. Chip/PIN Liability Shift. The liability for intraregional lost, stolen, and never received
fraudulent Transactions in which one Regional Member (either the Issuer or the Acquirer)
is not yet able to support chip/PIN Transactions is borne by the non-chip/PIN-compliant
Regional Member.
MASTERCARD RULES, supra note 67, § 3.9.1, at 12-14.
122. MASTERCARD RULES, supra note 67, § 3.9.1(2), at 10-2 (applicable to the Asia & Pacific
Region); id. § 3.9.1(4), at 10-3 (applicable to the Latin America and Caribbean Region); id. §
3.9.1(2), at 14-2 (applicable to the South Asia, Middle East and Africa Regions). This implies that
MasterCard believes that in these regions, the total costs of fraud borne by merchants plus the cost
of investing in Chip & PIN readers is less than twenty basis points.
123. MASTERCARD CHARGEBACK GUIDE, supra note 55, §2.8.2.4.1.1, at 2-54.
124. MASTERCARD RULES, supra note 67, § 3.9.1, at 11-1 (corresponding to the Canada
Region); id. § 3.9.1(3), at 14-2, 14-3 (corresponding to the South Asia, Middle East, and Africa,
regions).
125. MASTERCARD WORLDWIDE, CIRRUS WORLDWIDE OPERATING RULES, § 11.1.1 (Sept. 15,
2010). As MasterCard notes:
EMV chip technology can provide a more secure alternative to non-chip technology for
reducing fraudulent Transactions. Therefore, certain countries and Regions have
decided to migrate to the EMV chip platform.
Many of these same countries and Regions have instituted a chip liability shift program
for domestic and intraregional Transactions to protect Members that have made the
early investment in EMV chip.
...
Chip liability shift means that when a counterfeit fraud Transaction occurs in a country
or Region that has migrated to the Chip platform the liability for the Transactions will
shift to the non-chip-compliant party.
Id.
The absence of Chip & PIN technology in the United States bears
comment. It is widely recognized that Chip & PIN technology significantly
reduces fraud losses.126 In the UK, losses on fraud in face-to-face (card-present) transactions fell from £135.9M in 2005 to £72.1M in 2009.127 So why
hasn’t Chip & PIN been adopted in the United States?
An initial answer may be that it is simply not efficient from a system-wide perspective. While readily comparable international fraud loss rate
data is not available, the United States was historically reputed to have
relatively low fraud loss rates, in part due to low cost telecommunications
that made real-time authorization possible.128 Moreover, total fraud losses
on payment cards are noticeably lower than on competing payment
methods, such as checks.129 If payment card fraud costs are sufficiently low,
then there may simply not be an economic case for adopting Chip & PIN.
On the other hand, a recent study estimates that payment card fraud
loss rates are higher in the U.S. than in Australia, France, Spain, and the
UK.130
It is not clear, however, whether Chip & PIN would be an inefficient
overinvestment in fraud prevention technology. Another explanation is that
Chip & PIN implementation is actually an efficient investment, but it is
stymied by the organization of and conflicts of interest in payment card
networks, which fail to properly incentivize parties to take optimal care in
preventing fraud.
126. See Rueter, supra note 102.
127. Facts and Figures, UK CARDS ASS’N, http://www.theukcardsassociation.org.uk/view_po
int_and_publications/facts_and_figures (last visited Oct. 9, 2010).
128. See Mann, Credit Cards and Debit Cards, supra note 8, at 1069–70, 1090–91 (noting the
role of telecommunications costs in determining payment card fraud resistance).
129. Chris Costanzo, Combating Fraud, BANK DIRECTOR MAG., Q1 2007,
http://www.bankdirector.com/issues/articles.pl?article_id=11865. It is unclear if fraud loss rates
are lower for checks currently; historically they were. See William Roberds, The Impact of Fraud
on New Methods of Retail Payment, FED. RESERVE BANK OF ATLANTA ECON. REV., 2Q 1998, at
42, 45, available at http://www.frbatlanta.org/filelegacydocs/Roberd.pdf (noting a 2 basis point
loss rate for checks compared with 18 basis point loss for credit cards in 1995).
130. Sullivan, supra note 1, at 110, 112–14.
Merchants have no ability to adopt Chip & PIN; they are not part of
card networks and cannot change card network rules. Moreover, there is
little reason for them to invest in Chip & PIN enabled point-of-sale
terminals unless issuers are issuing Chip & PIN Cards. As acquirers pass
fraud costs through to merchants, they have little interest in the matter.
Only issuers have a direct interest and are part of card networks. Issuers,
however, do not want to incur the cost of having to reissue cards to make
them Chip & PIN capable. The counterfeiting losses in the United States do
not justify the reissuance expense of issuers, and for debit cards, issuers do
not want to see transactions shift from signature debit cards (which have
higher interchange rates) to PIN debit cards.131 Card network organization
structure and economics frustrate the adoption of the best technology for
fraud prevention.
2. Fraud Arbitrage
International variation in fraud liability and security rules creates
opportunities for fraud arbitrage, thereby undermining security systems.
Fraudsters, often highly organized, use cards from more secure locations in
less secure ones.132
In particular, the lack of Chip & PIN protection in the United States
undermines Chip & PIN systems abroad.133 For example, Canada has
adopted Chip & PIN technology, but Canadian credit cards can be used to
pay in the United States.134 When a Canadian card is used in the United
States, it is used without a Chip & PIN because almost no American
merchants have Chip & PIN capable readers.135 Canadian fraudsters know
that they merely have to use stolen Canadian card numbers in the United
States. Furthermore, Canadian consumers and merchants might be less
vigilant about protecting their physical cards because of the lulling effect of
two-factor Chip & PIN identification; Canadian consumers believe that the
card by itself is useless without the PIN—and it is—but not when the card
is used south of the border.
131. Kate Fitzgerald, Calculating the Cost: Debit Fees Could be Cut by $5B, AM. BANKER,
June 28, 2010, at 1 (noting higher interchange rates on signature debit cards than on PIN debit
cards). This shift may happen regardless because of the Durbin Interchange Amendment. Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010, Pub. L. No. 111-203, § 1075,
124 Stat. 1376, 2068–74 (2010).
132. See Rueter, supra note 105, at 14, 17.
133. US at Risk of Becoming “A Centre For Card Fraud”, CARDS INT’L, AUG. 2010,
http://www.vrl-financial-news.com/cards--payments/cards-international/issues/ci-2010/ci-445446/us-at-risk-of-becoming-a-centr.aspx; Ian Kerr, Challenges in Migrating to EMV, ATM MEDIA
RESOURCE CENTRE (Mar. 11, 2010, 3:19 PM), http://www.atmindustryinfo.com/2010/03/challenges-in-migrating-to-emv.html (fraud migrated from EMV adopters in Singapore and Malaysia
to non-EMV Thailand); Rueter, supra note 102, at 14 (discussing shift of fraud from EMV-enabled UK to non-EMV countries and from Canada to US with Canadian adoption of Chip &
PIN security).
134. See Rueter, supra note 102.
135. For example, Wal-Mart’s POS terminals are Chip & PIN capable, but Wal-Mart does not
actually use the terminals for Chip & PIN transactions when presented with a Chip & PIN card.
See Kate Fitzgerald, Wal-Mart Claims Issuers Block Progress of EMV Cards in U.S., AM.
BANKER, May 24, 2010, at 7.
Another variation of this international fraud arbitrage problem is the use
of European cards in the United States. The Chip & PIN arbitrage also
exists between Europe and the United States, but there is another variation
in security as well.136 In the United States, real time authorization is the key
line of fraud prevention.137 Because of historically high telecommunications
costs, however, Europe does not use real time authorization systems.138
Instead, European anti-fraud efforts were channeled into better security
features in the cards and the terminals—Chip & PIN.139 When European
cards are used in the United States, the worst of both worlds exists. The
superior card and terminal security features are not functional, and there is
no real time authorization.
III. REGULATORY INTERVENTIONS
A. THE COORDINATION PROBLEM IN PAYMENT CARD NETWORKS
The problems of international fraud arbitrage speak to the core
coordination issue in payment systems. Payment systems are the backbone
of the economy; they are the infrastructure of commerce. Payment systems
allow commerce to move beyond barter by creating a common liquid
medium for exchanging value. Liquidity requires standardization.
Standardization is the lubricant of exchange, and every successful payment
medium has been standardized to a greater or lesser degree: wampum, cell
phone minutes, gold, or electronic payment commands.
Standardization includes standardized security measures. The security
measures (or lack thereof) of individual participants in a payment system
may have positive or negative externalities on other system participants. A
participant’s strong security measures can help deter fraud generally and
catch fraudsters as well as frustrate attempts to obtain data that can be used
to defraud other system participants. Similarly, lax security measures (such
as poor data security) can result in fraud losses at other system participants.
Payment system participants do not internalize these costs or benefits,
however, so left to their own devices, they may not achieve the optimal
level of security.140 Mandatory coordination among system participants is
critical, then, for optimizing security measures and promoting positive
externalities.
136. See Sullivan, supra note 1, at 115 (noting that with Chip & PIN adoption in the UK, UK
counterfeit card fraud is now mainly done on transactions in the U.S. because of lack of Chip &
PIN adoption in U.S.).
137. Rueter, supra note 102, at 16.
138. See Mott, supra note 79; see also supra note 128 and accompanying text.
139. See Kerr, supra note 133.
140. See Sullivan, supra note 1, at 118.
Accordingly, participation in various payment systems is dependent
upon abiding by system standards. These standards are sometimes indirect
and mandatory by public law, such as bank safety and soundness
requirements like Know Your Customer rules. Other times, they are private
law that operates through contract, such as membership in a payment card
network or a check clearinghouse or automated clearinghouse.
Standardization requires a standard setting process. One of the major
roles of payment card networks is standard setting. For multi-institution
networks, this is a tremendous coordination task. International fraud
arbitrage shows that in a global economy, international standards are
needed for data security.141 It is insufficient for standards to be nationally
based. If electronic payments are to be global currency, they need uniform
security standards.
Setting standards in payment card networks involves coordinating
between multiple parties.142 For multi-issuer networks, such as MasterCard,
Visa, and all the PIN debit networks, it is necessary to coordinate between
numerous issuers and acquirers. This often involves the network acting
unilaterally; the transaction costs of individual issuer-acquirer negotiations
for networks that can involve 16,000143 financial institutions are simply too
great. Similarly, merchants’ dealings with the networks via their acquirer
banks cannot readily be individually negotiated; there would need to be too
many negotiations. Coasean bargaining is not possible given the transaction
costs in multi-party networks.
Given the impracticality of Coasean bargaining with payment systems,
how can we hope to optimize outcomes? The answer lies in highlighting
both cooperative and competitive features of payment card networks.
Payment card networks represent an unusual confluence of competition and
cooperation, or as David Evans and Richard Schmalensee have termed it,
“co-opetition.”144 Improving fraud loss liability allocations involves two
seemingly contradictory moves, each of which plays to a different aspect
of co-opetition. First, coordination problems can be smoothed over by
encouraging greater security coordination between card networks (and their
participants). Second, antitrust enforcement on the long-simmering
interchange issue—which has been only partially resolved by the Durbin
Interchange Amendment145 and the antitrust litigation brought by the
Department of Justice and seven states against MasterCard, Visa, and
American Express146—will ensure that there is true price competition in the
payment card market between networks and merchants. As fraud liability is
a component of price, enabling price competition will help achieve a result
closer to that of Coasean bargaining. In the presence of overwhelming
transaction costs, strong competition can substitute for Coasean bargaining.
141. See supra Part II.D.2.
142. See supra Part I.A.
143. VISA INC., CORPORATE OVERVIEW 2, available at http://phx.corporate-ir.net/External.File?item=UGFyZW50SUQ9NDYxMzZ8Q2hpbGRJRD0tMXxUeXBlPTM=&t=1.
144. DAVID S. EVANS & RICHARD SCHMALENSEE, PAYING WITH PLASTIC: THE DIGITAL
REVOLUTION IN BUYING AND BORROWING 7 (2nd ed. 2005).
32
BROOK. J. CORP. FIN. & COM. L.
[Vol. 5
B. ENCOURAGE BETTER GOVERNANCE FOR SECURITY STANDARD COORDINATION
Payment card security measures are largely undertaken at the network
level;147 the network mandates particular practices, and issuers and
acquirers must comply.148 Despite most security measures being mandated
on the network level, networks do not compete on security measures for
end-users. Merchants, who bear the bulk of fraud losses, are indifferent to
variations in networks’ security measures. Most merchants accept cards
from multiple networks, and to the extent that they do not accept particular
networks’ cards, it is usually because of interchange fees, not security rule
variations. Merchants typically get bundled acquiring (or at least
processing) services; the acquirer or processor will handle all of the
merchant’s payment card transactions using the same interface.149 Thus,
from the merchant’s perspective there is no difference between card
networks except pricing; security distinctions are invisible to the merchants.
Similarly, consumers are utterly indifferent to network-level security
mandates. The federal consumer liability limitation for unauthorized
payment card transactions and the networks’ zero liability policies for
unauthorized transactions reduce consumers’ incentive to care about card
security measures.150 Consumers have no contractual privity with the
network and see no difference in card functionality between networks. A
MasterCard and a Visa credit card are completely interchangeable from a
consumer’s perspective, and issuers will sometimes switch consumers’
accounts among networks. Likewise, the same debit card is often an access
device for multiple debit card networks: Accel, Cirrus, Interlink, NYCE,
Plus, Pulse, Star, etc.151 Consumers never select what networks will have
preferred routing flags on their debit cards; that choice is left to their banks.
145. See Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010, Pub. L. No.
111-203, § 1075, 124 Stat. 1376, 2068–74 (2010).
146. See Complaint, United States v. Am. Exp., Co., No. 1:10-cv-04496 (E.D.N.Y., Oct. 4,
2010) (alleging violations of Section 1 of the Sherman Antitrust Act based on various card
network merchant restraint rules); [Proposed] Final Judgment, United States v. Am. Exp., Co., No.
1:10-cv-04496 (E.D.N.Y., Oct. 4, 2010).
147. Douglass, supra note 9, at 45.
148. See id.; Ballen & Fox, supra note 9, at 940–41.
149. See EVANS & SCHMALENSEE, supra note 144, at 6–7.
150. Note, however, that not all debit card networks have zero liability policies. Given the low
rate of PIN debit fraud and the existing Regulation E limitations on consumer liability, such a zero
liability policy would not mean much to consumers.
While most security features are mandated by the networks, there is
variation among issuers in security features and practices. In particular,
issuers’ fraud detection relies heavily on neural networks, but individual
issuers have their own neural network designs. Consumers have little reason
to care about variations in issuer anti-fraud measures, as they are almost
never themselves liable, and, perhaps more importantly, they cannot gauge
the value of anti-fraud technologies. There is no way for a consumer to
know whether a particular issuer’s technology is better than another’s.
Fraud protection is not like a burglar alarm. There are a limited number of
ways into a dwelling, and a consumer can, in theory, test an alarm system
against simulated burglary. The same cannot be done for card fraud.
Because payment card end-users are indifferent to variations in
networks’ anti-fraud measures, there is little reason to foster competition
among networks on security measures. Bundled merchant services and
consumer indifference mean that networks have little incentive to compete
in terms of security measures. Indeed, because the costs of security
measures are borne by issuers, while most of the benefits accrue to
merchants, issuers are resistant to greater security measures. A network that
unilaterally imposes more demanding and costly security measures risks
losing issuer business to other networks.
Given that the market is structured against competition for heightened
security measures, how can we encourage greater security measures in
payment card networks? One way is to encourage coordination among
networks. If networks could coordinate security measures, they could adopt
them uniformly, thereby eliminating market pressure from issuers for lower
security measures. Security measures are an area where we might actually
want some type of standard setting. (And, to the extent that we view
security standards as a form of price, price-fixing!)
Network coordination should be guided by the principle of locating
what method would benefit the overall payment card industry—that is, a net
social welfare gain—rather than what would increase the size of any
particular network—that is, a gain to any particular competitor.
Coordination on security measures would essentially liberate the networks
to engage in more effective allocation of that portion of price among
network participants.
The card networks have already devised a corporatist form of
coordination using the Payment Card Industry Security Standards
Council.152 PCI SSC is a nominally independent organization created by the
card networks to promulgate non-binding data security standards for
payment cards.153 PCI SSC is owned by the five major credit card networks
(American Express, Discover Financial Services, JCB International (Japan
Credit Bureau), MasterCard Worldwide, and Visa, Inc.).154 Each
network appoints an officer to the PCI SSC executive committee and
management committee. PCI SSC has 612 “participating organizations,”
including financial institutions and intermediaries of various sorts, trade
associations, and merchants ranging from Wal-Mart to the University of
Notre Dame.155 Participating organizations get to nominate and vote for the
PCI SSC’s twenty-member Board of Advisors (which currently only has
four representatives from entities classified as “merchants”) and to review
proposed PCI standards and revisions thereto, including the Payment Card
Industry Data Security Standard (PCI DSS), before they are made public.
Neither the participating organizations nor the Board of Advisors has any formal
ability to determine the standards.156 While PCI SSC cannot itself enforce
the PCI DSS because it does not have a contractual relationship with card
network participants, all of the networks incorporate the PCI DSS in their
rules, and require network participants to be PCI DSS compliant.157
151. See, e.g., FUMIKO HAYASHI, RICHARD SULLIVAN & STUART E. WEINER, PAYMENT SYS.
RESEARCH DEP’T, FED. RES. BANK OF KANSAS CITY, A GUIDE TO THE ATM AND DEBIT CARD
INDUSTRY 20 (2003), available at http://www.kansascityfed.org/publicat/PSR/BksJournArticles/
ATMpaper.pdf.
To date, the operation of the PCI SSC has been controversial.158
Networks and issuers play a leading role in PCI SSC, and merchant groups
complain that PCI DSS is geared toward advancing issuers’ interests.159 In
particular, merchant groups object to PCI SSC data retention requirements,
which issuers want because of chargeback issues.160 PCI SSC requires
merchants to retain certain transaction data.161 While the data is supposed to
be encrypted and otherwise protected, merchants object that the mere
presence of large volumes of transaction data makes them tempting targets
for fraudsters.162
152. Epstein & Brown, supra note 9, at 214–15.
153. Id. at 215.
154. About the PCI Security Standards Council, https://www.pcisecuritystandards.org/
organization_info/index.php (last viewed Dec. 30, 2010).
155. Participating Organizations, PCI SECURITY STANDARDS COUNCIL,
https://www.pcisecuritystandards.org/get_involved/member_list.php?category=&region= (last
viewed Dec. 30, 2010).
156. Participating Organization Rights, Obligations and Rules of Participation, PCI SECURITY
STANDARDS COUNCIL, https://www.pcisecuritystandards.org/get_involved/rights_responsibilities.
php (last visited Dec. 30, 2010).
157. See Epstein & Brown, supra note 9, at 214–215; see also DISCOVER MERCHANT
OPERATING REGULATIONS, supra note 67, at ix; AMERICAN EXPRESS MERCHANT REFERENCE
GUIDE—U.S. (Apr. 2010), supra note 67, § 8.3; VISA INT’L REGULATIONS, supra note 67, at 684.
Non-compliant merchants face higher, penalty interchange rates. The particular form of this
coordination is shaped by antitrust concerns. Epstein & Brown, supra note 9, at 215.
158. See Sullivan, supra note 1, at 120.
159. Id.
160. See David Taylor, Moving Beyond PCI, CARDS & PAYMENTS, May 2009, at 40 (noting
that “tokenization, seeks to remove card data from the retail environment as soon as possible and
substitute account numbers with ‘fake,’ or one-time, numbers that have no intrinsic market
value”); Avivah Litan, Where to Begin for End-to-End Encryption Systems, AM. BANKER, Sept.
15, 2009, at 15 (arguing that “[p]ayments companies will also need to change some business
processes, so that merchants are not required to hold on to card data for business purposes, such as
resolving chargebacks, or preauthorization and presettlement processes”).
Moreover, the effectiveness of the PCI DSS is unclear. Heartland
Payment Systems, Inc., a major card processor, was subjected to hacking
from December 2007 until October 2008, during which time 130 million
records were stolen.163 Heartland was certified as PCI DSS compliant in
April 2008.164 Visa disputes Heartland’s PCI DSS compliance.165 In 2009, a
data security breach occurred at Network Solutions, which had also been
certified as PCI DSS compliant.166
These incidents raise the question of what benefit there is to payment
card network participants of becoming PCI DSS compliant. PCI DSS
compliance is extremely expensive, but might not ultimately protect them
from data breaches and liability for the expenses caused by the breach,
including reissuance of cards.167
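Footnote 160 above describes tokenization as the merchant-side answer to the data-retention objection: the merchant keeps a stand-in value and the card number leaves its environment. The Python below is an added illustration of that arrangement; it is not the article's code, nor anything published by the PCI SSC or a card network. It assumes an in-memory vault standing in for a processor-operated one (a production vault would sit outside the merchant's systems and encrypt PANs under an HSM-held key), a per-run HMAC key for the vault's lookup index, a plain allow-list for who may detokenize, and constructed Luhn-valid test card numbers. Tokens are random and letters-only so that they are unrelated to the PAN, worthless if stolen, and never mistaken for a card number by a scan of the merchant's records.

```python
"""Tokenization so the merchant never retains a PAN.  Added example; not from
the article, the PCI SSC, or any card network.  Assumptions: in-memory vault
(a real one encrypts under an HSM-held key, outside the merchant environment);
per-run HMAC index key; caller authorisation is a plain allow-list."""
import hashlib
import hmac
import re
import secrets
import string
from typing import Dict, List, Set, Tuple


def luhn_valid(pan: str) -> bool:
    """Mod-10 check every real PAN passes; it catches typos, not fraud."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Stand-in for the processor's vault: the only component that holds a PAN."""

    def __init__(self, may_detokenize: Set[str]) -> None:
        self._index_key = secrets.token_bytes(32)   # keyed index: the lookup table itself leaks nothing
        self._pan_by_token: Dict[str, str] = {}
        self._token_by_index: Dict[str, str] = {}
        self._may_detokenize = may_detokenize
        self.audit: List[Tuple[str, str, bool]] = []

    def _index(self, pan: str) -> str:
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a plausible PAN")
        idx = self._index(pan)
        if idx in self._token_by_index:             # same card -> same token, so repeat buyers
            return self._token_by_index[idx]        # and chargebacks can be matched without the PAN
        # Random and letters-only: not derived from the PAN, no market value if stolen,
        # and a digit-run scan of the merchant's database can never flag it as a PAN.
        token = "tok_" + "".join(secrets.choice(string.ascii_letters) for _ in range(20))
        self._pan_by_token[token] = pan
        self._token_by_index[idx] = token
        return token

    def detokenize(self, token: str, caller: str, purpose: str) -> str:
        allowed = caller in self._may_detokenize
        self.audit.append((caller, purpose, allowed))   # every request, granted or not, is logged
        if not allowed:
            raise PermissionError(f"{caller!r} may not detokenize")
        return self._pan_by_token[token]


PAN_RUN = re.compile(r"\d{12,19}")


def looks_like_pan(value: str) -> bool:
    """Crude DLP check: any Luhn-valid run of 12 to 19 digits."""
    return any(luhn_valid(m.group()) for m in PAN_RUN.finditer(value))


def merchant_record(vault: TokenVault, order_id: str, pan: str, amount_cents: int) -> dict:
    """What the merchant's own systems store: token and last four, never the PAN."""
    return {"order_id": order_id, "token": vault.tokenize(pan),
            "last4": pan[-4:], "amount_cents": amount_cents}


def record_retains_pan(record: dict) -> bool:
    return any(isinstance(v, str) and looks_like_pan(v) for v in record.values())


def demo() -> dict:
    """Constructed sale, a repeat purchase on the same card, a blocked lookup from the
    merchant's POS, and a chargeback lookup by the processor's dispute desk."""
    vault = TokenVault(may_detokenize={"processor-dispute-desk"})
    pan = "4111111111111111"                          # constructed Luhn-valid test number
    sale = merchant_record(vault, "order-1001", pan, 4999)
    repeat = merchant_record(vault, "order-1002", pan, 1250)
    try:
        vault.tokenize("4111111111111112")            # fails Luhn: rejected before it is stored
        bad_pan_rejected = False
    except ValueError:
        bad_pan_rejected = True
    try:
        vault.detokenize(sale["token"], "merchant-pos", "curiosity")
        pos_blocked = False
    except PermissionError:
        pos_blocked = True
    recovered = vault.detokenize(sale["token"], "processor-dispute-desk", "chargeback order-1001")
    return {"sale": sale, "repeat": repeat, "bad_pan_rejected": bad_pan_rejected,
            "pos_blocked": pos_blocked, "recovered": recovered, "audit": vault.audit}
```

The point of the stable token (same card, same token) is that the chargeback matching issuers cite as the reason for retention still works: the merchant can tie a dispute to its own order records by token, and only the processor's dispute desk, under audit, ever sees the PAN again. A breach of the merchant's database then yields tokens and last-four digits, which is the "no intrinsic market value" property the footnote describes.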
As a concept, inter-network security coordination for payment systems
makes sense. The PCI SSC is designed to facilitate coordination between
competing payment card networks. This is an important goal, with
potentially procompetitive effects through positive security externalities.
Nevertheless, the PCI SSC’s structure raises serious antitrust concerns. In
execution, PCI DSS might be skewed by the dynamics of payment card
network economics as well, and reflect the interest of issuers—the most
price elastic type of network participant—rather than the overall interests of
all network participants. In other words, the structure of the PCI SSC raises
concerns that PCI DSS is being used to bolster the pre-existing problems in
the payment card interchange fee system.
Given the significant benefits that can come from data security standard
setting, standard-setting processes should be encouraged. But it is also
important that they be fair. Standard setting needs to be a tool to further
competition, not to squelch it. This suggests two seemingly contradictory
regulatory interventions: encouragement of inter-network coordination for
data security setting and more vigorous antitrust enforcement. Standard
setting should be encouraged, but only with a more adequately
representative and fair governance structure that provides a balance of
interest and due process.
161. See DISCOVER MERCHANT OPERATING REGULATIONS, supra note 67, §§ 4.1.3, 7.1.5.
162. See Sullivan, supra note 1, at 119.
163. Indictment at 3, United States v. Gonzalez, No. 09-cr-00626-JBS (D. N.J., Aug. 17, 2009);
Kim Zetter, TJX Hacker Charged with Heartland, Hannaford Breaches, WIRED (Aug. 17, 2009,
2:34 PM), http://www.wired.com/threatlevel/2009/08/tjx-hacker-charged-with-heartland.
164. Alex Goldman, Heartland Hit With $12M Breach Tab, INTERNETNEWS.COM (May 8,
2009), http://www.internetnews.com/security/article.php/3819596; Jaikumar Vijayan, Heartland
Breach Shows Why Compliance Is Not Enough, PC WORLD (Jan. 6, 2010, 11:15 AM),
http://www.pcworld.com/article/186036/heartland_breach_shows_why_compliance_is_not_enough.html;
Zetter, supra note 163.
165. Linda McGlasson, Heartland Data Breach: Visa Questions Processor's PCI Compliance,
BANKINFO SECURITY (Mar. 24, 2009), http://www.bankinfosecurity.com/articles.php?art_id=1309.
166. Linda McGlasson, Top 9 Breaches of 2009, CU INFO SECURITY (Dec. 14, 2009),
http://www.cuinfosecurity.com/articles.php?art_id=2001&pg=1.
167. See Steven Mott, Why POS Merchants Don’t Buy into Payment Security, DIGITAL
TRANSACTIONS (Sept. 7, 2007), http://www.digitaltransactions.net/index.php/news/story/1503.
The precise mechanics of a reformed payment system security standard
setting are beyond the scope of this Article, but given the critical
infrastructure utility role that payment card networks play in commercial
transactions and the law enforcement resources involved, some level of
government involvement to ensure that standards are set through a fair
process that produces socially optimal outcomes is appropriate.168 Already,
the Durbin Interchange Amendment provides for the Federal Reserve to
consider fraud prevention costs and technology in its rule-making regarding
debit card interchange fees.169
Government involvement in payment card data security need not mean
government setting of security standards. Instead, the involvement could be
limited to government supervision of process. Because of its lack of formal
procedural requirements, the PCI DSS standard setting process should be
relatively nimble, but this comes at the expense of due process and adequate
representation of all constituencies involved in payment card transactions,
including merchants, consumers, and law enforcement. Payment card data
security needs coordination between ostensible competitors, but if such
coordination is to be permitted, it must be through a process that does not
allow competing networks to leverage security standard setting to further
their own economic interests at the expense of optimal security standards.
C. MORE VIGOROUS PAYMENTS ANTITRUST POLICY
The other concurrent approach that should be pursued is to improve
inter-network competition for merchants’ business. As the situation
currently stands, networks compete with each other primarily for issuers,
not for merchants. The goal of networks is to increase network transaction
volume, and that requires getting as many of their cards in circulation as
possible. Maximizing cards in circulation requires vigorous recruiting of
issuers.
Once a network signs up issuers, it will get its cards out to consumers,
and once a consumer presents the network’s card at a merchant, the network
has a monopoly on processing the transaction. This means that the networks
do not have to court merchants as assiduously as they do issuers. To be
sure, a merchant can opt out of accepting a particular network’s cards, and
some do, particularly for American Express;170 but as long as the credit and
signature networks all price fairly similarly for credit, signature debit, and
PIN debit, respectively, there is no reason for a merchant to take one
network brand and not another. Moreover, the complexity of interchange
rates makes it difficult for merchants to even determine what relative
pricing is between networks, as pricing depends on the type of card and the
level of rewards, as well as the merchant’s industry.171 Because card
network competition has focused on competition for issuers, rather than
both issuers and merchants, the cost of payment card acceptance, including
fraud liability, is structured to favor issuers.
168. Carl Cargill & Sherri Bolin, Standardization: A Failing Paradigm, in STANDARDS AND
PUBLIC POLICY 296, 312, 316 (Shane Greenstein & Victor Stango, eds., 2007) (arguing that
standards are an “impure public good” which justifies government intervention when private
standard setting processes fail).
169. Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010, Pub. L. No. 111-203,
§ 1075(a)(2), 124 Stat. 1376, 2068–74 (2010) (amending § 920 of The Electronic Fund
Transfer Act).
The Durbin Interchange Amendment will change this situation by
creating more competition for merchant business—but only for debit cards
and small dollar credit card transactions. The Durbin Amendment requires
that debit card interchange fees be “reasonable and proportional to the cost
incurred by the issuer,” meaning the incremental cost of a transaction, with
an issuer-specific adjustment for fraud prevention costs, as determined by
the Federal Reserve.172 This provision could result in debit interchange
pricing that strongly encourages the use of PIN or Chip & PIN technology;
regulatory intervention might accomplish the optimal end that private
ordering has failed to do. It will take the outcome of the Federal Reserve’s
rule-making, to be finalized in early 2011,173 before the ultimate effect is
clear.
The Durbin Amendment also permits merchants to offer discounts
(including in-kind discounts) to incentivize consumer use of particular
payment systems;174 and, critically, the Durbin Amendment forbids network
exclusivity on debit cards and lets merchants choose the routing of debit
transactions.175 Thus, debit cards will be capable of “multi-homing”—
clearing over multiple networks,176 and merchants, rather than issuers, will
decide which networks. The result should be that networks have to compete
more for merchant routing decisions, which means lowering costs, be it
direct pecuniary costs like interchange fees or indirect costs like fraud
liability. The Durbin Amendment is likely to affect not just debit cards, but
also credit cards to the extent that credit competes with debit for small
ticket transactions.
The Durbin Amendment is not a complete solution to the competition
problems in the payment systems marketplace, but it opens the door to a
rationalization of the fraud liability rules for merchants and issuers.
170. See Meghan Boyer, Discover Striving To Raise U.S. Merchants’ Awareness Of Card-Acceptance
Abilities, PAYMENTSSOURCE, Apr. 21, 2010, http://www.paymentssource.com/news/3001446-1.html.
171. See Levitin, Economic Costs, supra note 19, at 1323.
172. Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010, Pub. L. No. 111-203,
§ 1075(a)(2), 124 Stat. 1376, 2068–74 (2010) (amending § 920 of The Electronic Fund
Transfer Act).
173. Id. § 1075(b)(1)(A).
174. Id. § 1075(b)(2)(A).
175. Id. § 1075(b)(1)(A).
176. Id. § 1075(b)(1)(B).
IV. LIMITATIONS OF CONSUMER LIABILITY: A DEFENSE
A. CONSUMER LIABILITY RULES FOR UNAUTHORIZED PAYMENT CARD TRANSACTIONS
The most significant federal intervention in payment system loss allocation
is the limitation by federal law of consumer liability for unauthorized
transactions.177 Consumer liability for unauthorized credit card transactions
is limited to $50, and the consumer has no liability once the consumer has
notified the card issuer about the loss, theft, or possible unauthorized use of
the card.178 The burden of proof to show that the use was authorized is on
the card issuer.179
For debit cards, consumer liability is generally limited to $50,180 but it
increases to a maximum of $500 if the consumer does not notify the issuer
within two business days of learning of the loss or theft of the card, and the
card issuer establishes that the transactions would not have occurred had
there been timely notice.181 In addition, if the consumer does not report an
unauthorized transaction that appears on a periodic account statement
within sixty days of the transmittal of the statement, then the consumer
incurs unlimited liability for all unauthorized transactions that occur
between the end of those sixty days and notice to the issuer, provided that
the issuer can show that the transactions would not have occurred had there
been timely notice.182 These time limits can be extended for extenuating
circumstances, such as extended travel or hospitalization.183 Again, in all
cases, the burden of proof to show that a transaction was in fact authorized
is on the card issuer.184
177. The legal definition of “unauthorized transaction” is somewhat different for credit cards
and debit cards. Compare 12 C.F.R. § 226.12(b)(1) (2010) (defining “unauthorized use” as “the
use of a credit card by a person other than the cardholder, who does not have actual, implied, or
apparent authority for such use, and from which the cardholder receives no benefit”), with 15
U.S.C. § 1693a(11) (2010), and 12 C.F.R. § 205.2(m) (2010) (defining an “unauthorized
electronic fund transfer” as “an electronic fund transfer from a consumer’s account initiated by a
person other than the consumer without actual authority to initiate the transfer and from which the
consumer receives no benefit” and then noting several exceptions). These distinctions do not
matter, however, for the purposes of this Article. See Gillette, supra note 8, at 200–02 (discussing
the public choice issues with payment card liability limitation rules).
178. 15 U.S.C. § 1643 (2006); 12 C.F.R. § 226.12(b).
179. 15 U.S.C. § 1643(b).
180. 15 U.S.C. § 1693g(a) (2006); 12 C.F.R. § 205.6(b)(1) (2010).
181. 15 U.S.C. § 1693g(a); 12 C.F.R. § 205.6(b)(2).
182. 15 U.S.C. § 1693g(a); 12 C.F.R. § 205.6(b)(3).
183. 15 U.S.C. § 1693g(a); 12 C.F.R. § 205.6(b)(4).
These rules apply to all unauthorized usage, not just fraud, which is the
focus of this Article. The federal liability rules thus create something close
to a strict liability regime for credit card fraud and a strict liability scheme
with an exception for contributory negligence for debit cards.185 It is worth
noting that liability for unauthorized payment card transactions contrasts
with checks, where there is no consumer liability for unauthorized
transactions (meaning orders of payment) whatsoever, absent consumer
negligence that “substantially contributes” to the fraud.186 Whereas the
checking system has a true contributory negligence scheme, credit cards are
strict liability, and debit cards are strict liability with contributory
negligence regarding the amount, but not the fact, of the loss.
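The credit and debit rules just described, as an added worked example that is not part of the article: a small Python calculator for the consumer's maximum liability under 15 U.S.C. § 1643 (credit) and 12 C.F.R. § 205.6(b) (debit), run over a constructed series of unauthorized transfers. It makes several simplifying assumptions of its own, not the regulation's: business days are weekdays; a transfer dated on or after the notice date counts as after notice; the issuer's burden of proof is a yes/no input rather than something the code evaluates; `statement_sent` is the transmittal date of a periodic statement that showed an unauthorized transfer; and transfers after the sixty-day statement window are taken out of the $500 pool so that nothing is counted twice. The scenarios at the end show the contrast the text draws: credit liability stays at $50 however slow the consumer is, while debit liability grows with delay in reporting, but only for losses after the theft, never for the conduct that caused it.

```python
"""Consumer liability for unauthorized card transactions under the federal
rules in Part IV.A: 15 U.S.C. § 1643 (credit) and 15 U.S.C. § 1693g /
12 C.F.R. § 205.6(b) (debit).  Added example; not from the article.
Simplifications (assumptions, not the regulation's text): business days are
weekdays; a transfer dated on or after the notice date is "after notice";
the issuer's burden of proof is a yes/no input; statement_sent is the
transmittal date of a statement that showed an unauthorized transfer; and
transfers after the 60-day window leave the $500 pool so nothing is counted twice."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable, List, Optional

CREDIT_CAP = 50                 # § 1643: $50 ceiling, nothing at all after notice
DEBIT_CAP_TIMELY = 50           # § 205.6(b)(1)
DEBIT_CAP_LATE = 500            # § 205.6(b)(2)
LOSS_REPORT_BUSINESS_DAYS = 2   # § 205.6(b)(2) window after learning of loss or theft
STATEMENT_WINDOW_DAYS = 60      # § 205.6(b)(3) window after statement transmittal


@dataclass(frozen=True)
class Transfer:
    when: date
    amount: int   # whole dollars


def add_business_days(start: date, n: int) -> date:
    """Date on which the n-th business day after start closes (weekends skipped)."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            n -= 1
    return d


def total(transfers: Iterable[Transfer]) -> int:
    return sum(t.amount for t in transfers)


def credit_card_liability(transfers: Iterable[Transfer], notice: date) -> int:
    """Strict liability with a $50 ceiling and nothing after notice.  When the
    consumer learned of the loss is irrelevant: no contributory-negligence element."""
    return min(CREDIT_CAP, total(t for t in transfers if t.when < notice))


def debit_card_liability(transfers: Iterable[Transfer], notice: date,
                         learned_of_loss: Optional[date] = None,
                         statement_sent: Optional[date] = None,
                         issuer_proves_prevention: bool = False) -> int:
    """Tiered Reg E liability.  Negligence enters only through the timing of the
    consumer's report, never through how the card or its data were lost."""
    before_notice = [t for t in transfers if t.when < notice]

    # (b)(3): an unauthorized transfer on a statement not reported within 60 days
    # of transmittal makes the consumer liable, without cap, for later transfers
    # the issuer shows timely notice would have prevented.
    cutoff = notice
    if statement_sent is not None and issuer_proves_prevention:
        sixty_close = statement_sent + timedelta(days=STATEMENT_WINDOW_DAYS)
        if notice > sixty_close:
            cutoff = sixty_close + timedelta(days=1)
    capped_pool: List[Transfer] = [t for t in before_notice if t.when < cutoff]
    uncapped_pool: List[Transfer] = [t for t in before_notice if t.when >= cutoff]

    window_close = None if learned_of_loss is None else add_business_days(
        learned_of_loss, LOSS_REPORT_BUSINESS_DAYS)
    if window_close is None or notice <= window_close:
        # (b)(1): timely report, or no lost or stolen access device involved at all
        liability = min(DEBIT_CAP_TIMELY, total(capped_pool))
    else:
        # (b)(2): late report: the lesser of $50 or the transfers within the window,
        # plus later transfers the issuer shows prompt notice would have prevented,
        # all capped at $500
        in_window = total(t for t in capped_pool if t.when <= window_close)
        after_window = (total(t for t in capped_pool if t.when > window_close)
                        if issuer_proves_prevention else 0)
        liability = min(DEBIT_CAP_LATE, min(DEBIT_CAP_TIMELY, in_window) + after_window)
    return liability + total(uncapped_pool)


def example_scenarios() -> dict:
    """Constructed facts: card stolen, consumer learns of it on Monday 2010-03-01;
    a statement transmitted 2010-03-05 shows the first two transfers."""
    learned = date(2010, 3, 1)
    stmt = date(2010, 3, 5)
    transfers = [Transfer(date(2010, 3, 1), 40), Transfer(date(2010, 3, 2), 30),
                 Transfer(date(2010, 3, 8), 200), Transfer(date(2010, 3, 15), 300),
                 Transfer(date(2010, 5, 10), 1000)]
    prompt, late, very_late = date(2010, 3, 3), date(2010, 3, 20), date(2010, 6, 1)
    return {
        "credit_prompt": credit_card_liability(transfers, prompt),
        "credit_very_late": credit_card_liability(transfers, very_late),
        "debit_prompt": debit_card_liability(transfers, prompt, learned),
        "debit_late_proved": debit_card_liability(transfers, late, learned,
                                                  issuer_proves_prevention=True),
        "debit_late_unproved": debit_card_liability(transfers, late, learned),
        "debit_very_late_proved": debit_card_liability(transfers, very_late, learned, stmt, True),
        # skimmed card: no access device lost, so only the statement rule applies
        "debit_skimmed_very_late": debit_card_liability(transfers, very_late, None, stmt, True),
    }
```

Two of the scenarios are worth reading against the text. In `debit_late_unproved` the consumer reports seventeen days late, yet owes only $50, because the $500 tier depends on the issuer carrying its burden of showing that prompt notice would have prevented the later transfers. In `debit_skimmed_very_late` there was no lost or stolen card at all, so the two-business-day rule never engages and the uncapped exposure comes solely from ignoring the statement for more than sixty days.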
B. THE CASE AGAINST MANDATORY LIABILITY RULES
Epstein and Brown contend that consumer liability for unauthorized
transactions should not be capped by statute, as they “see no reason even
for this (modest) restriction on freedom of contract. If payment card
companies think larger penalties are appropriate and disclose such penalties
to consumers, the losses should not be socialized as a matter of law.”187
While Epstein and Brown’s major complaint about the mandatory
liability caps is that they could frustrate more efficient private bargaining over
liability, that is not the only problem with the mandatory liability rules for
unauthorized transactions. The mandatory liability rules also create a moral
hazard and effectuate a wealth redistribution from consumers who engage
in low-risk behavior to consumers who engage in high-risk behavior. The
limitation on consumer liability, in most cases to $50 (which is not inflation
indexed), provides little pecuniary incentive for consumers to take care in
their transactions and with their cards. Moreover, given the difficulties in
proving first-party fraud, with the burden of proving that a transaction was
authorized resting on the card issuer, the liability limitation creates a very
real moral hazard of first-party fraud.
In addition, the liability rules create a perverse redistribution that
rewards high-risk behavior. Low-risk consumers might prefer to incur more
potential liability in exchange for savings on other payment card price
terms. By being pooled with high-risk consumers under the same
mandatory liability rules, the low-risk consumers are being forced to forgo
these potential savings for the benefit of high-risk consumers. The result is
to penalize precisely those consumers whose behavior should be
encouraged. In such circumstances, a rational consumer will be incentivized
to engage in higher-risk behavior in order to be a recipient, rather than a
payor, of the subsidy.
184. 15 U.S.C. § 1693g(b).
185. There is a rich literature which considers the differences in fraud and error liability rules
for different payment systems and whether they should be harmonized. See supra note 8.
186. U.C.C. § 3-401(a) (2006) (no liability on instrument without signature); id. § 3-403
(unauthorized signature on instrument is only effective as that of the unauthorized signer); id.
§ 3-406 (liability if negligence “substantially contributes” to fraud on instrument). Uniform
Commercial Code Article 3 does not distinguish between consumer and nonconsumer drawers of
checks.
187. Epstein & Brown, supra note 9, at 219.
Notably, MasterCard188 and Visa189 both have so-called “zero liability”
policies that reduce consumer liability in many cases beneath the federal
liability cap.190 These policies essentially install a negligence regime for
liability up to $50, after which the federal strict liability regimes take over.
Epstein and Brown argue that the zero liability policies demonstrate that
“[m]arket pressures have pushed the balance still further, insulating
payment card users from essentially all fraud losses.”191 In other words, the
federal law is an unnecessary (but fortunately harmless) intervention.
Indeed, as Duncan Douglass has observed, the zero liability policy arguably
creates a moral hazard, as consumers have little reason to take care to
protect their cards and card data.192
C. IN DEFENSE OF THE CONSUMER LIABILITY LIMITATIONS
Despite the problems created by the mandatory liability caps, there is
nevertheless a good case supporting them. Absent the mandatory caps, the
zero liability policies might not obtain and adverse selection,
disproportionate negotiation costs, information asymmetries, consumer
hyperbolic discounting and optimism biases, the relative salience of
different price points to consumers, and consumers’ limited ability to
absorb losses relative to other payment card network participants all
militate for capping consumer liability.
1. Counterfactual Consideration
Epstein and Brown’s reading of the impact of the zero liability policy is
reasonable, but it is hardly the only fair interpretation. First, it is worth
considering a counterfactual scenario. What would the world look like
without the federal $50 liability limitation on credit cards? Would Visa and
MasterCard have adopted zero liability policies? Maybe. The zero liability
policy was only adopted in 2000,193 which indicates that it might have been
a move to encourage e-commerce.
188. Zero Liability, MASTERCARD, http://www.mastercard.com/us/personal/en/cardholder
services/zeroliability.html (last visited Dec. 30, 2010).
189. Zero Liability, VISA, http://usa.visa.com/personal/security/visa_security_program/zero_
liability.html (last visited Dec. 30, 2010).
190. Bank of America offers its own “zero liability” policy. See, e.g., Bank of America Merrill
Lynch Visa® Reward Card Terms and Conditions, BANK OF AMERICA,
https://prepaid.bankofamerica.com/RewardCard/PRC384/CP384-T00-002/docs/terms.htm (last
visited Dec. 30, 2010). It is important to remember that the stated zero liability policy is not zero
liability. It is conditional on the cardholder having taken reasonable care (in the issuer’s view), the
cardholder having had no more than two other incidents in the last year, and the cardholder’s
account being “in good standing.” See, e.g., MASTERCARD RULES, supra note 67, § 3.11(2), at 157
(conditions governing cardholder liability in the United States). Zero liability is great marketing,
but it is not clear how often it is really zero liability.
191. Epstein & Brown, supra note 9, at 219.
192. Douglass, supra note 9, at 46.
But it might also be that once consumer liability is limited to $50, the
marketing benefits to the network of going from $50 liability to zero
liability for nonnegligent consumers outweigh the fraud losses. Given the
costs of pursuing the last $50 of liability, issuers really do not give up
anything by going to zero liability, and they gain a significant marketing
benefit. The zero liability policies are advertised in a way that implies that
they are strict liability regimes, with the fact that they are highly
discretionary negligence regimes hidden in vaguely worded fine print.
Thus, consumers might well assume that they have less liability than they
do under the zero liability policies. Moreover, the cost of disputing up to
$50 with consumers might simply not be worthwhile for issuers.
The real question is whether networks would adopt zero liability
policies if by statute consumers were liable for $100 or $500 or $1,000. We
do not know, but that uncertainty cautions against assuming that the $50
liability limit has been toothless or that zero liability would be the policy
the networks would generally adopt.194
2. Monetary Deductibles, Copayments, and Contributory Negligence
The mandatory liability caps are part of a system that includes notable
moral hazard mitigants. The federal consumer liability limitations are a type
of strict liability regime for card fraud. As Samuel Rea has noted, “[s]trict
liability without contributory negligence is essentially mandatory
insurance.”195 A standard insurance move to reduce moral hazard is to
require deductibles and copayments. The $50 liability cap on credit cards
can thus be seen as equivalent to a $50 deductible on a mandatory federal
insurance policy.196
193. Letter from Russel W. Schrader, Visa U.S.A., to Fed. Trade Comm’n (Sept. 15, 2000),
available at http://www.ftc.gov/bcp/workshops/idtheft/comments/schraderrussellw.pdf (discussing
Visa’s zero liability policy that took effect on April 4, 2000); Selco Visa Cards—Zero Liability,
SELCO, https://www.selco.org/creditcards/zero.liability.asp (last visited Sept. 23, 2010); Eden
Jaeger, Should You Be Afraid of Your Debit Card?, FINANCE & FAT (Jan. 4, 2008),
http://www.financeandfat.com/archives/should-you-be-afraid-of-your-debit-card.
194. One factor that might push for some sort of liability limiting policy even in the absence of
the federal caps is the recognition that consumer loss aversion is a major obstacle to increasing the
use of payment cards. Would consumers have adopted payment cards on as wide of a scale as they
have without the federal liability caps? We cannot be sure, but it seems likely that the liability
caps at least contributed to greater consumer adoption of payment cards, and by further reducing
the caps the card networks aimed to eliminate the residual loss aversion.
195. Samuel A. Rea, Jr., Comments on Epstein, 14 J. LEGAL STUD. 671, 672 (1985); see also
Gillette, supra note 8, at 201 (discussing liability cap as insurance).
For debit cards, federal law creates a strict liability regime with a
peculiar kind of contributory negligence. The contributory negligence under
the Electronic Funds Transfer Act and Reg E is only for losses incurred
after the loss or theft of the card due to failure to promptly report the loss or
theft; it does not apply to pre-loss or pre-theft behavior.197 In other words,
the contributory negligence component of consumer liability for
unauthorized debit card transactions only goes to the magnitude of the loss
due to unauthorized use, not the actions that caused the loss in the first
place. The result is that it does not incentivize consumers to take
precautions to prevent loss or theft. This means that in terms of fraud losses,
there is primarily a strict liability regime for debit cards too, and with a $50
deductible.
3. Non-Pecuniary Costs
In addition to the monetary deductible, there can also be considerable
non-pecuniary harms to consumers from unauthorized card usage. It is not
merely “the major inconvenience of the disruption of service,”198 or having
to get the charges reversed, but also things like having to monitor credit
reports, close other accounts, etc.199 These additional, non-pecuniary costs
are essentially copayments. Thus, built into the federal liability limitation
are two standard responses to moral hazard problems—deductibles and
copayments.
4. Limited Consumer Ability to Prevent Fraud
Imposing liability on consumers for unauthorized transactions makes
little sense if that liability does not alter consumer behavior. Some
unauthorized transactions are due to consumer negligence, but others are
not. We lack an empirical sense of the role cardholder negligence plays in
unauthorized transactions. Clearly there are numerous fraud possibilities
even when a consumer acts responsibly. Consider a simple case where a
consumer is robbed and the card is used for a transaction by the thief before
the consumer can report its loss. What justification is there for consumer
liability then? More typically, card data is not stolen directly from the
consumer, but from a merchant or a financial institution. Again, the
justification for consumer liability is missing in such cases; the consumer
has no ability to control merchant or financial institution data security
measures.
196. One can, of course, argue whether that is a sufficiently large deductible to ensure optimal
care, not least given that the $50 liability limit is not inflation adjusted and has remained constant
for decades.
197. See 12 C.F.R. § 205.6(b)(2) (2010).
Negligence by the consumer cannot be used as the basis for imposing greater liability
than is permissible under Regulation E. Thus, consumer behavior that may constitute
negligence under state law, such as writing the PIN on a debit card or on a piece of
paper kept with the card, does not affect the consumer’s liability for unauthorized
transfers.
Id. § 205, at Supplement I to Part 205, Official Staff Interpretations, ¶6(b) (2).
198. Epstein & Brown, supra note 9, at 219.
199. See Mann, Making Sense of Payments, supra note 8, at 638.
Instead, the case for consumer liability seems limited to situations in
which a consumer fails to take reasonable care of his or her physical card,
such as writing a PIN number on a debit card and then leaving a debit card
in a location where it could be pilfered by a domestic employee. It seems
unlikely that such situations account for a significant portion of payment
card fraud.
Consider, then, an intermediate situation, in which the cardholder
leaves his card out long enough for someone to copy down the card digits.
Should the cardholder be liable in such a situation? Or should the liability
be better placed on the card issuer that issued an account access device that
is so easily compromised?
5. Consumer Knowledge of Liability Rules and Concerns About Issuer Compliance
In addition, as Professor Ronald Mann has noted, consumers may not
know of the liability limitation.200 It is doubtful, for example, that most
consumers are aware of the contributory negligence rules for debit card
liability. Similarly, Mann notes that even informed consumers might doubt
whether financial institutions would comply with the law.201 If a financial
institution does not comply with the liability rules in the case of a debit
transaction, the consumer simply loses his or her money. In the case of a
credit transaction, the consumer might be able to avoid the monetary loss,
but risks the loss of a credit line, a damaged credit report, and debt
collection harassment. While the consumer could litigate the issue, in many
cases, the cost of litigating would vastly outweigh the harm to the
consumer.202
When consumers are unaware of the liability limitation, moral hazard
simply will not exist, and if they are concerned about legal compliance,
then moral hazard must be discounted. All of these factors—deductibles,
copayments, contributory negligence, lack of knowledge about the law, and
doubts about compliance with the law—suggest that moral hazard concerns
about the federal liability limitation are overblown, and that consumers
have a reasonably strong incentive to protect their cards and card data.
200. Id.; see also Cooter & Rubin, supra note 8, at 75 (“Liability, however, is a useful
incentive, whether for precaution or innovation, only to the extent that behavior responds to it; a
particular assignment of liability that does not influence behavior has no economic justification.”).
201. Mann, Making Sense of Payments, supra note 8, at 638.
202. See Cooter & Rubin, supra note 8, at 81.
Finally, while the zero liability policy could create a moral hazard if the
counterweights of deductibles and copayments were insufficient, that moral
hazard must be weighed against the alternative. We have to consider the
situation that would obtain in the absence of the zero liability policy or $50
federal liability cap. What would consumer liability look like? Would it
reflect a Coasean bargain between consumers and card issuers? It is hard to
believe that it would because of the tremendous information asymmetries
between card issuers and consumers.203
6. Adverse Selection as Justification for Mandatory Liability Rules
Information asymmetries raise the possibility of adverse selection
problems, which are a standard justification for mandatory insurance
regimes like the federal consumer liability limitations. (An analogous
consumer liability situation is state law mandating nonrecourse
mortgages.204) The problem of adverse selection arises because of a
tendency of low-risk individuals to drop out of insurance pools when
insurers cannot distinguish between high- and low-risk individuals.205
Insurers must charge a blended price, which is too high for the low-risk
individuals. The result is that insurance pools are then comprised of higher
risk individuals, so insurers charge higher premiums, which further
exacerbates the adverse selection by driving out the lower-risk individuals
remaining in the pool. The result can be a socially suboptimal level of
insurance.
A standard response to adverse selection is to mandate insurance, so as
to force both low-risk and high-risk individuals into the same risk pool.206
In the case of payment card fraud, there is good reason to encourage
mandatory insurance. There is a possibility of suboptimal insurance due to
consumers’ difficulty in gauging both the likelihood and magnitude of
payment card fraud loss because neither relates solely to their behavior. To
the extent that consumers overestimate the risks, they may well opt out of
using payment cards altogether. Liability limitations are a market
confidence building measure.
203. See id. at 68–70 (discussing the problems of information asymmetries in payment markets,
wherein financial institutions typically have superior information to consumers).
204. I am indebted to Professor Ron Harris of Tel Aviv University School of Law for this
insight, which comes from his work-in-progress on nonrecourse mortgages.
205. Tom Baker, Containing the Promise of Insurance: Adverse Selection and Risk
Classification, in RISK AND MORALITY, RICHARD V. ERICSON & AARON DOYLE, EDS. 258, 259,
261 (2003). But see Peter Siegelman, Adverse Selection in Insurance Markets: An Exaggerated
Threat, 113 YALE L.J. 1223 (2004).
206. See Rea, supra note 195, at 673.
7. Contractual Frictions: Information Asymmetries, Bargaining Costs, Bundled Pricing, Hyperbolic Discounting, and Price Salience
Adverse selection is driven by one set of information asymmetries—
that consumers know more about their own riskiness than card issuers.
Another set of information asymmetries—that issuers know more about the
terms of cardholder agreements than consumers—combines with
asymmetric negotiation costs to create further frictions that impede efficient
Coasean bargaining. As Professors Cooter and Rubin have noted:
[T]he cost of negotiating the loss allocation provisions of a
consumer deposit agreement typically exceeds the potential benefit.
Shopping for alternative sets of fixed term contracts—a more
realistic scenario than bargaining for specific terms—eliminates
these negotiation costs, but replaces them with search costs.
Moreover, asymmetric information limits the effectiveness of
consumer shopping. Consumers are unlikely to think about the
liability terms of a contract when opening an account, and those that
do, find their curiosity rewarded with the incomprehensible
legalisms of form contracts and statute books. Even if they knew
what the terms meant, consumers generally would not know how to
value differences in these terms.207
A further reason to be skeptical that private bargaining would produce
optimal consumer liability rules is that liability for unauthorized
transactions is only one term among many in cardholder agreements.208 If
one takes Epstein and Brown’s subscription to a Coasean universe
seriously, this observation should be heartening. It should not matter what
the fraud liability rule is because the parties can simply reallocate if that is
efficient.209 Liability for unauthorized use is merely one component of
payment card pricing. Thus, the federal liability cap does not restrict total
pricing of payment cards. It only affects one way of expressing that price.
Accordingly, parties can effectively reallocate the total price through other
price components of payment cards. In the Coasean world, whether the
price of using a payment card is allocated via liability rules or annual fees
or interchange fees should not matter if there is the same level of
competition on each and every price term. In other words, if Epstein and
Brown are correct about the market, the federal liability cap does not create
a troublesome distortion.
207. Cooter & Rubin, supra note 8, at 68–69.
208. Oren Bar-Gill, Bundling and Consumer Misperception, 73 U. CHI. L. REV. 33, 33–35
(2006).
209. See generally Coase, supra note 15.
In reality, however, not all price terms for payment cards are equal and
fully interchangeable. There is more vigorous competition on some price
terms than others, in part due to their salience to consumers. When
confronted with a multi-term contract, consumers may give undue emphasis
to terms that are particularly salient either because of the manner in which
the information is presented to the consumer or because of hyperbolic
discounting of contingent events.210 This means that there is a discounting
that occurs in the trade-off between price terms, so the reallocation of costs
among price terms might not be neutral in terms of total cost. If payment
card pricing is forced by regulation from less salient to more salient price
terms, there will be more vigorous price competition, which will push down
the total cost of using a payment card.
This suggests that in the absence of regulation, a profit-maximizing
firm will place as much of the price as possible on less salient terms and
will max out on consumers’ price elasticity on less salient terms before
letting pricing spill over to more salient terms. Regulation, then, does not
necessarily result in a one-for-one substitution of price terms, but can result
in an overall reduction in price (and profit margin).
The contingent nature of liability for unauthorized card usage, as well
as the potential absence of a clear monetary price term if either a consumer
negligence standard or strict consumer liability were to apply, means that
fraud liability is unlikely to be a salient term for consumers.211 In the
context of these bundled contracts, there might not be optimal pricing of
fraud terms, even if there were vigorous competition among issuers for
consumers. Thus, the federal liability cap might actually have
procompetitive effects by forcing payment card issuers to shift pricing away
from a less salient term like liability for unauthorized use and to more
salient price points like annual fees or interest rates.
The federal statutory limitations on consumer liability may not be
optimal (not least because the $50 deductible is not inflation indexed, so the
real potential pecuniary liability is constantly decreasing), but it is far from
clear that they produce an outcome inferior to private ordering. The
regulatory outcome may not be Kaldor-Hicks optimal, but it might increase
consumer surplus by encouraging more vigorous price competition.
8. Relative Ability to Bear Losses
A final argument for the federal liability cap is distributional, or as
Cooter and Rubin refer to it, the “loss spreading principle.”212 Once there
are losses in the system, they must be allocated somewhere, and placing
losses on parties in accordance with their ability to absorb losses presents a
potential principle for loss allocation. The loss spreading principle stands in
some tension with a least cost avoider principle, as it is based on ability to
absorb, rather than prevent, losses.
210. See, e.g., Els C. M. van Schie & Joop van der Pligt, Influencing Risk Preference in
Decision Making: The Effects of Framing and Salience, 63 ORG. BEHAV. & HUM. DECISION
PROCESSES 264 (1995).
211. Cooter & Rubin, supra note 8, at 70 (“Consumer payment contracts contain elements other
than loss allocation terms, but market failure is most likely to involve these technical, obscure
elements of the contract, rather than the comprehensible and salient ones.”).
212. Id. at 70–73.
Cooter and Rubin argue that risk should be assigned to the party that
can achieve risk-neutrality—that is, having equal valuation of a risk of a loss
and the average value of that loss—at the lowest cost.213 As Cooter and
Rubin explain, risk neutrality is dependent upon the relative size of the loss
to a party’s assets and the party’s ability to spread the loss.214 Both factors
point to financial institutions and merchants being able to achieve risk
neutrality more cheaply than consumers.
Because consumers’ resources are generally more limited than financial
institutions’ or merchants’, consumers are less well suited to bear unlimited
liability from the unauthorized use of a payment card than a financial
institution or a merchant. Liability for $100,000 in unauthorized charges
would be devastating to most households’ finances in a way that it would
not be for a financial institution or certainly a large merchant. This makes
consumers more risk averse than financial institutions or merchants.
Consumers also have less ability to spread losses than financial
institutions or merchants. For a consumer, the unauthorized use of a
payment card is a fairly remote risk, but with potentially high costs. These
costs will likely be borne entirely by the consumer; they cannot easily be
passed on to other parties.215 For a financial institution or a merchant, fraud
is a regular occurrence, and its costs can be amortized over a large base of
transactions. Moreover, because financial institutions and merchants have
superior information about their risks from payment card fraud relative to
consumers, they are more likely to optimally insure against it.216
Consumers’ more limited ability to absorb losses than other payment card
network participants is an additional argument for limiting their liability by
statute.
CONCLUSION
Payment card networks, if left to their own devices, are as likely to
produce private disorder as efficient private order. Regulatory attention has
focused on the explicit price points in payments—interchange fees—but the
latent price point of fraud liability allocation is equally important.
Optimizing fraud liability allocation necessitates recognition of the co-opetitive nature of payment card networks. Some issues are best approached
through encouraging fairer and more adequate representation of all parties
in interest in coordination among payment card networks. Other issues are
best approached through encouraging more vigorous competition. We
should not assume that the invisible hand will guide the payment card
industry to the optimal outcome; but with limited regulatory corrections,
payments card network liability rules can come closer to achieving a
Coasean paradise, and making payments—the ultimate unavoidable
transaction cost—more efficient, thereby reducing transaction costs
throughout the rest of the economy.
213. Id. at 71.
214. Id.
215. Consumers are unlikely to insure against losses because the risk is difficult to estimate,
which results in known bargaining costs outweighing the questionable benefit of the insurance. Id.
at 72.
216. Id. at 72–73.
RULES, STANDARDS, AND GEEKS
Derek E. Bambauer*
INTRODUCTION
When it comes to regulating technology, the age-old debate between
rules and standards tilts heavily towards standards. Rules, for all their
clarity, are seen as slow-changing tools in industries characterized by
dynamism. They are also viewed as being both under- and over-inclusive,
and in prizing form—one means of achieving a desired result—over
substance—the result itself.1 Moreover, setting legal rules for technology
risks creating lock-in, which may cement a given technology in place. In
short, standards—particularly standards that look to industry best
practices—are lauded as the best means for governing code through law.2
This Article, though, argues that rules are preferable for regulating data
security, at least under certain conditions. In part, this is so because data
security typically focuses on controlling the wrong set of events. Security is
often preoccupied with regulating access to data—in particular, with
preventing unauthorized access.3 Yet, strangely, unauthorized access is
ubiquitous. Employees lose laptops,4 hackers breach corporate databases,5
and information is inadvertently e-mailed6 or posted to the public Internet.7
* Associate Professor of Law, Brooklyn Law School. A.B., Harvard College; J.D., Harvard
Law School. The author thanks Lia Sheena, Lia Smith, and Carolyn Wall for expert research
assistance. Thanks for helpful suggestions and discussion are owed to Miriam Baer, Ted Janger,
Thinh Nguyen, and Jane Yakowitz. The author welcomes comments at
<[email protected]>.
1. See, e.g., John F. Duffy, Rules and Standards on the Forefront of Patentability, 51 WM. &
MARY L. REV. 609 (2009); Daniel A. Crane, Rules Versus Standards in Antitrust Adjudication, 64
WASH. & LEE L. REV. 49 (2007).
2. See, e.g., Daniel Gervais, The Regulation of Inchoate Technologies, 47 HOUS. L. REV. 665,
702 (2010) (stating that “an inchoate technology may provide a better solution than regulation—
perhaps industry-based standards will emerge making legal regulation unnecessary at best and
potentially counterproductive”).
3. See, e.g., STUART MCCLURE, JOEL SCAMBRAY & GEORGE KURTZ, HACKING EXPOSED:
NETWORK SECURITY ISSUES AND SOLUTIONS 135–50 (1999) (discussing hacking Microsoft
Windows credentials).
4. E.g., Kay Lazar, Blue Cross Physicians Warned of Data Breach; Stolen Laptop Had
Doctors’ Tax IDs, BOS. GLOBE, Oct. 3, 2009, at B1; Nathan McFeters, Stanford University Data
Breach Leaks Sensitive Information of Approximately 62,000 Employees, ZDNET (June 23, 2008,
9:28 PM), http://www.zdnet.com/blog/security/stanford-university-data-breach-leaks-sensitive-information-of-approximately-62000-employees/1326; Study: Many Employees Undermine Data
Breach Prevention Strategies, INS. J. (Apr. 27, 2009), http://www.insurancejournal.com/news/
national/2009/04/27/99982.htm.
5. Hacker Hits UNC-Chapel Hill Study Data on 236,000 Women, NEWS & REC. (Greensboro,
N.C.), Sept. 25, 2009, http://www.news-record.com/content/2009/09/25/article/hacker_hits_unc_
chapel_hill_study_data.
6. E.g., David Hendricks, KCI Working to Contain Employee Data Breach, SAN ANTONIO
EXPRESS-NEWS, Sept. 3, 2010, at C1; Sara Cunningham, Bullitt School Employees’ Social
Security Numbers Mistakenly Released, THE COURIER-J. (Louisville, Ky.), Oct. 21, 2009.
7. E.g., Evan Schuman, Announce a Data Breach And Say It’s No Big Deal?, CBS NEWS,
Apr. 29, 2010, http://www.cbsnews.com/stories/2010/04/29/opinion/main6445904.shtml; Elinor
Mills, Hacker Defends Going Public With AT&T’s iPad Data Breach (Q&A), CNET NEWS (June
10, 2010, 4:12 PM), http://news.cnet.com/8301-27080_3-20007407-245.html.
This Article argues that preventing data breaches is not only the wrong goal
for regulators, it is an impossible one. Complex systems design theory
shows that accidents are inevitable.8 Thus, instead of seeking to prevent
crashes, policymakers should concentrate on enabling us to walk away from
them. The focus should be on airbags, not anti-lock brakes. Regulation
should seek to allow data to “degrade gracefully,” mitigating the harm that
occurs when a breach (inevitably) happens.9
Such regulatory methods are optimally framed as rules under three
conditions. First, minimal compliance—meeting only the letter of the law—
is sufficient to avoid most harm. Second, rules should be relatively
impervious to decay in efficacy over time; technological change, such as
increased CPU speeds, should not immediately undermine a rule’s
preventive impact.10 Third, compliance with a rule should be easy
and inexpensive to evaluate. In addition, rules are likely to be helpful where
error costs from standards are high; where if an entity’s judgment about
data security is wrong, there is significant risk of harm or risk of significant
harm. Finally, this argument has implications for how compliance should be
assessed. When regulation is clear and low-cost, it creates an excellent case
for a per se negligence rule, or, in other words, a regime of strict liability for
failure to comply with the rule. This Article thus addresses not the
desirability of regulation—when data security should be mandated—but
rather how to structure that regulation once it is deemed worthwhile.
The debate about framing legal commands as rules or as standards is a
venerable one. Scholars have addressed the dichotomy in contexts from real
property rights11 to patent law12 to antitrust.13 The merits and shortcomings
of each approach have been analyzed from a variety of theoretical
perspectives.14 Rules offer clearer signals to those whose behavior is
constrained; they help both regulated and regulators assess compliance
more cheaply and easily.15 In addition, they may prevent abuse by
conferring less discretion on regulators.16 However, rules are often under-inclusive—failing to cover behavior that should fall within their ambit, or
failing to prevent risks they are designed to address—or over-inclusive—
imposing burdens on unrelated actors or activities.17 Standards, by contrast,
are more readily adapted to complex or changing situations, but often at the
price of predictability and cost.18
The discussion becomes more complex when we recognize that the
distinction is continuous rather than binary. Standards can be rule-like, and
rules standards-like. Consider two security mandates: “encrypt,” and
“follow industry best practice for securing data.” The former looks like a
rule, and the latter like a standard. However, “encrypt” could be seen as a
standard: the command specifies a method, but leaves the implementation
entirely up to the regulated entity. Encryption has been used since the days
of Mary, Queen of Scots;19 its modes range from simple (and simply
cracked) transposition ciphers20 to elliptic curve cryptography.21 Even a
more specific command like “encrypt using asymmetric key cryptography”
can be met with a variety of responses. The RSA, ElGamal, and DSS key
techniques all meet the criterion, but have important differences among
them.22 Thus, a rule can be transformed into a standard by altering the level
of specificity.
Similarly, “follow industry best practice for securing data” could be a
rule. If, for example, the industry has standardized on the use of SSL
(Secure Sockets Layer) to safeguard sensitive data while it is being
communicated over a network, that best practice standard effectively
becomes a rule: “use SSL.”23 Thus, even if an alternative technique were
demonstrated to be functionally equivalent, it would not comply with the
standard, even though standards are typically viewed as ends-driven and not
means-driven. In short, the line between rules and standards blurs,
particularly as a rule’s command becomes more general.
8. See generally Maxime Gariel & Eric Feron, Graceful Degradation of Air Traffic
Operations: Airspace Sensitivity to Degraded Surveillance Systems, 96 PROCEEDINGS OF THE
IEEE 2028 (2008), available at http://arxiv.org/PS_cache/arxiv/pdf/0801/0801.4750v1.pdf
(discussing degraded operations of air transportation systems and conflict resolutions for past and
future system evolutions); see also HOWARD LIPSON, CARNEGIE MELLON UNIV. SOFTWARE
ENG’G. INST., EVOLUTIONARY SYSTEMS DESIGN: RECOGNIZING CHANGES IN SECURITY AND
SURVIVABILITY RISKS 1 (2006), available at www.cert.org/archive/pdf/06tn027.pdf.
9. See Gariel & Feron, supra note 8, at 2029–32; see also MARK GRAFF & KENNETH R. VAN
WYK, SECURE CODING: PRINCIPLES & PRACTICES 43 (2003).
10. Intel co-founder Gordon Moore famously observed that the number of transistors on a
CPU doubles every two years. Michael Kanellos, Prospective: Myths of Moore’s Law, CNET
NEWS (June 11, 2003, 4:00 AM), http://news.cnet.com/Myths-of-Moores-Law/2010-1071_3-1014
887.html.
11. See Carol M. Rose, Crystals and Mud in Property Law, 40 STAN. L. REV. 577, 580 (1988).
12. See Duffy, supra note 1, at 611.
13. See Crane, supra note 1, at 52.
14. See, e.g., Louis Kaplow, Rules Versus Standards: An Economic Analysis, 42 DUKE L.J.
557 (1992); Kathleen M. Sullivan, Foreword: The Justices of Rules and Standards, 106 HARV. L.
REV. 22 (1992); Cass R. Sunstein, Problems with Rules, 83 CALIF. L. REV. 953 (1995).
15. See generally Colin S. Diver, The Optimal Precision of Administrative Rules, 93 YALE L.J.
65, 66–71 (1983).
16. See generally Paul B. Stephan, Global Governance, Antitrust, and the Limits of
International Cooperation, 38 CORNELL INT’L L.J. 173, 190 (2005).
17. See generally Frederick Schauer, When and How (If At All) Does Law Constrain Official
Action?, 44 GA. L. REV. 769, 781 (2010).
18. See, e.g., Dale A. Nance, Rules, Standards, and the Internal Point of View, 75 FORDHAM
L. REV. 1287, 1311 (2006).
19. SIMON SINGH, THE CODE BOOK 32–39 (1999).
20. Id. at 7–8.
21. See generally The Case for Elliptic Curve Cryptography, NATIONAL SECURITY AGENCY,
http://www.nsa.gov/business/programs/elliptic_curve.shtml (last updated Jan. 15, 2009).
22. See generally RICHARD A. MOLLIN, RSA AND PUBLIC-KEY CRYPTOGRAPHY 53–78
(Kenneth H. Rosen ed., 2003); Taher Elgamal, A Public Key Cryptosystem and a Signature
Scheme Based on Discrete Logarithms, 31 IEEE TRANSACTIONS ON INFO. THEORY 469 (1985).
23. See generally ERIC RESCORLA, SSL AND TLS: DESIGNING AND BUILDING SECURE
SYSTEMS (2001).
The Article next assesses the conventional wisdom for technological
regulation, which holds that standards are the preferred modality. It then
turns to arguments in favor of using rules instead, under certain defined
conditions. Finally, it closes with observations about the larger role of
technology regulation in the context of data security in the payment system.
I. THE VIRTUES OF STANDARDS
Technology changes quickly; law, slowly. Most commentators favor
standards when dealing with technological regulation of issues such as
security, for at least five reasons.
First, standards allow regulated entities to comply in a more cost-efficient fashion than rules. Requiring a particular technology or approach
may be unnecessarily expensive, especially where infrastructures differ
significantly, where there are a range of alternatives, or where the endpoint
can be achieved without applying technology in some situations.24 Rules
can limit creativity in achieving regulators’ goals.25
Second, standards can be less vulnerable to obsolescence. Rule-based
specifications may decay quickly when technology changes rapidly. This
either undercuts the efficacy of regulation, or forces frequent updates to it.
The Clipper Chip controversy of the mid-1990s provides a potent example;
regulation that mandated use of one particular encryption technique might
well have undercut the deployment of e-commerce and other advances
dependent on data security.26
Third, standards can minimize the ill-effects of information asymmetry
regarding technology.27 Regulators may not know what technologies are
cutting-edge or appropriate or unnecessarily costly. Standards can wrap in
expertise from regulated entities while meeting regulatory goals.
Fourth, standards may deal better with interoperability concerns. Most
organizations have heterogeneous information technology environments for
a variety of reasons: mergers, legacy systems, customer demands, and so
forth. Regulations that specify a particular technology, or method of
compliance, may make demands that are impossible or inapposite. For
example, Deutsche Bank used the IBM operating system OS/2 long after
24. Cf. Christopher S. Yoo, Network Neutrality, Consumers, and Innovation, 2008 U. CHI.
LEGAL F. 179, 202–17 (2008) (discussing shortcomings of network neutrality mandate, versus
multiple network architectures).
25. See generally C. Steven Bradford, The Cost of Regulatory Exemptions, 72 UMKC L. REV.
857, 864–71 (2004).
26. See generally A. Michael Froomkin, The Metaphor is the Key: Cryptography, the Clipper
Chip, and the Constitution, 143 U. PA. L. REV. 709 (1995).
27. Cf. Shubha Ghosh, Decoding and Recoding Natural Monopoly, Deregulation, and
Intellectual Property, 2008 U. ILL. L. REV. 1125, 1161–66 (describing problems of rate regulation
due to information asymmetry for intellectual property).
2010]
Rules, Standards, and Geeks
53
most other customers had migrated to Microsoft Windows or a UNIX
platform.28 Thus, requirements tied to Windows (for example, using the
NTFS file system) or to software only available for that operating system
would have forced Deutsche Bank into a costly migration, or to fall out of
compliance. In contrast, a standard that specifies its goal, but is technology-agnostic, allows entities with a range of infrastructures to comply
adequately.
Finally, selecting one technology for regulatory compliance risks
producing market-making effects. Regulation may confer success, or at
least widespread adoption, on a single product or company—a problem that
worsens if the technology is sub-optimal. For example, the memory chip
manufacturer Rambus was able to influence the industry group JEDEC
(Joint Electron Device Engineering Council) to adopt, as part of its
standard for SDRAM (Synchronous Dynamic Random Access Memory),
technology over which Rambus held patent rights.29 (Indeed, Rambus
actually amended its pending patent applications to conform better to the
JEDEC technology.)30 This led to lawsuits against Rambus for fraud, and to
an initial Federal Trade Commission (FTC, or Commission) finding that the
company had engaged in antitrust violations (under Section 2 of the
Sherman Act).31 However, Rambus emerged unscathed from both the suits
and the FTC investigation.32 Similarly, a legal mandate to incorporate a
particular technology could create market power for that technology’s
owner, particularly if the technology were protected by intellectual property
rights such as a patent. Thus, a rule may entrench a single technology into a
powerful if not unassailable market position.
The use of standards in technology regulation is a familiar aspect of the
data payment system in the United States. For example, the FTC imposed
standards-based requirements for the security of non-public information,
known as the Safeguards Rule, as part of its rulemaking authority under the
Gramm-Leach-Bliley (GLB) Act.33 The Commission mandates a
“comprehensive information security program that is written in one or more
28. Jonathan Collins, IBM Steps Up to Blame Microsoft for OS/2 Failure, COMPUTERGRAM
INT’L (Nov. 18, 1998), http://findarticles.com/p/articles/mi_m0CGN/is_3541/ai_53238418.
29. Scott Cameron, Rambus Inc.: FTC Finds That Valid Patent Acquisition Can Amount to a
Violation of Antitrust Laws, IP LAW BLOG (Oct. 20, 2006), http://www.theiplawblog.com/archives
/-patent-law-rambus-inc-ftc-finds-that-valid-patent-acquisition-can-amount-to-a-violation-ofantitrust-laws.html.
30. Id.
31. Edward Iwata, Rambus Stock Soars 24% After Antitrust Ruling by FTC; Royalties Capped,
Not Killed, USA TODAY, Feb. 6, 2007, at B3.
32. Austin Modine, FTC Drops Rambus ‘Patent Ambush’ Claims, CHANNEL REGISTER (May
14, 2009), http://www.channelregister.co.uk/2009/05/14/ftc_drops_rambus_antitrust_case; see
also Dean Wilson, Rambus Sues IBM to Reverse Patent Ruling, TECHEYE (Aug. 24, 2010, 3:21
PM), http://www.techeye.net/business/rambus-sues-ibm-to-reverse-patent-ruling.
33. Standards for Safeguarding Customer Information, 67 Fed. Reg. 36,484 (May 23, 2002)
(to be codified at 16 C.F.R. pt. 314).
54
BROOK. J. CORP. FIN. & COM. L.
[Vol. 5
readily accessible parts and contains administrative, technical, and physical
safeguards that are appropriate to [an organization’s] size and complexity,
the nature and scope of its activities, and the sensitivity of any customer
information at issue.”34 Regulated entities must perform a risk assessment,
and then “[d]esign and implement information safeguards to control the
risks [it] identif[ies] through risk assessment, and regularly test or otherwise
monitor the effectiveness of the safeguards’ key controls, systems, and
procedures.”35 Thus, the GLB Act is a purposive regulatory standard: it sets
goals, and identifies key areas and targets, but is method-agnostic. Financial
institutions can implement its requirements using the technology they think
best fits their infrastructures and businesses. The Commission’s final
rulemaking emphasized that the “standard is highly flexible,” and the notice
repeatedly reassured regulated institutions that its approach was fact-specific and contextual.36
Indeed, there are zones of regulatory concern regarding payment data
security where standards appear superior. One example is application
design. As I have written elsewhere, both custom-designed and off-the-shelf
applications in the payment system suffer from security flaws.37 Some of
these bugs result from coding errors; others, from the inherent complexity
of data processing and from interactions between systems and data stores.38
As Microsoft’s Patch Tuesday ritual reminds us, bugs are inevitable.39 They
can be minimized, but not eliminated.40 Thus, as with data losses and
security breaches themselves, the best regulatory goal for application design
is to minimize bugs.41 Software design involves the familiar trade-off
between time and cost versus greater security, with a minimum optimal
bugginess greater than zero.
For application design, then, the critical regulatory issue is
methodology: setting parameters for the design, testing, and deployment of
the software.42 Again, this approach is familiar to the payment industry. The
Payment Card Industry Data Security Standard (PCI DSS) Requirements
and Security Assessment Standards, promulgated by an industry association
founded by payment card networks such as American Express, create
34. Id. at 36,494.
35. Id.
36. Id. at 36,488.
37. Derek E. Bambauer & Oliver Day, The Hacker’s Aegis, 60 EMORY L.J. (forthcoming
2010) (manuscript at 8).
38. See generally id. at 8–10.
39. Microsoft Security Bulletin Advance Notification, MICROSOFT,
http://www.microsoft.com/technet/security/bulletin/advance.mspx (last visited Dec. 30, 2010).
40. See Bambauer & Day, supra note 37 (manuscript at 8–14).
41. See generally FREDERICK P. BROOKS, JR., THE MYTHICAL MAN-MONTH: ESSAYS ON
SOFTWARE ENGINEERING (3rd prtg. 1979).
42. See generally GLENFORD J. MYERS, THE ART OF SOFTWARE TESTING (2d ed. 2004).
private law regulation of customer account data.43 To comply with PCI
DSS, an organization must develop its software applications in accordance
with the DSS standards, and with industry best practices. Requirements
include validating application input to prevent buffer overflow and cross-site scripting (CSS) attacks, checking error handling, validating encrypted
storage, validating communications security, and checking role-based
access controls.44 Organizations must implement code review for custom
software before deploying applications.45 Public Web applications are
subject to additional standards, such as developing based on the Open Web
Application Security Project Guide, and protecting against newly
discovered vulnerabilities by using a firewall or vulnerability assessment
tools.46 The goal of these requirements is to prevent breaches from common
attacks, such as the SQL injection attack that caused the data spill at
Heartland Payment Systems.47
PCI DSS, as its moniker suggests, is framed as a standard and not as a
rule. This is clear from its focus on process, such as engaging in code
review, and on goals, such as protecting against new attacks or
vulnerabilities. Thus, for example, PCI DSS requires validating secure
communications, not using a particular secure communications technology
such as SSL.48 Application design is a sensible target for standards-based
regulation, for at least three reasons. First, history matters. Most financial
institutions maintain legacy systems, such as mainframe-based applications,
due to the cost and difficulty of upgrading.49 It may be impossible for them
to employ a given technology to achieve security without expensive
wholesale changes to their infrastructure. Second, systems heterogeneity
means that even applications with a common goal, such as connecting to
43. See generally PCI SCC Data Security Standards Overview, PCI SEC. STANDARD
COUNCIL, https://www.pcisecuritystandards.org/security_standards/index.php (last visited Dec.
30, 2010).
44. PCI SECURITY STANDARDS COUNCIL, PAYMENT CARD INDUSTRY (PCI) DATA SECURITY
STANDARD: REQUIREMENTS AND SECURITY ASSESSMENT PROCEDURES 30–35 (July 2009),
available at https://www.pcisecuritystandards.org/security_standards/pci_dss_download.html
[hereinafter PCI SECURITY PROCEDURES].
45. Id. at 32.
46. Id. at 33.
47. Julia S. Cheney, Heartland Payment Systems: Lessons Learned from a Data Breach 3–5
(Fed. Reserve Bank of Phila., Discussion Paper No. 10-1, 2010), available at
http://www.philadelphiafed.org/payment-cards-center/publications/discussion-papers/2010/D2010-January-Heartland-Payment-Systems.pdf; Kim Zetter, TJX Hacker Charged with Heartland,
Hannaford Breaches, WIRED (Aug. 17, 2009, 2:34 PM), http://www.wired.com/threatlevel/2009/
08/tjx-hacker-charged-with-heartland.
48. PCI SECURITY PROCEDURES, supra note 44, at 31.
49. See, e.g., Sol E. Solomon, Legacy Systems Still in the Main Frame, ZDNET (Aug. 14,
2008), http://www.zdnetasia.com/legacy-systems-still-in-the-main-frame-62044820.htm; Rusty
Weston, Reconsider the Mainframe, SMART ENTER., http://www.smartenterprisemag.com/articles/
2008winter/markettrends.jhtml (last visited Dec. 30, 2010).
payment networks, likely must be custom-coded.50 Forcing financial
institutions to use one technology or method to gain security ends would
drive up their costs unnecessarily. Finally, here rule-based specifications
seem more vulnerable to decay. New attacks and vulnerabilities appear
constantly.51 Having a single approach to security across the financial
industry may, like monoculture agriculture, leave institutions vulnerable to
a single new pathogen.52 In short, security may well degrade rapidly, rather
than slowly. For these three reasons—legacy systems, customized code, and
rapid degradation—a standards-based regime is preferable to a rule-based
one for application design.
Regulation by standards rather than rules is the established norm in the
data payment system.53 Indeed, as the discussion of application design
demonstrates, this preference may be sensible in some areas. However,
standards are not always superior. The next section explores the virtues of
regulation by rules for security.
II. THE VIRTUES OF RULES
Arguing for rules in technological regulation is an uphill climb: they
can become obsolete rapidly, may increase costs by forcing entities to
comply in a highly specific fashion, and may be both over- and under-inclusive. Yet, this Article argues that rules are preferable to standards
when at least three conditions hold: sufficient minima, slow or low decay,
and inexpensive verification.
First, a rule is helpful when the specified level of data security—
effectively, a minimum—suffices in most or all circumstances. One
example would be to mandate that transmission of data take place over a
connection protected by 128-bit SSL.54 SSL certificates are widely and
cheaply available, and root certificates are built into all major browsers.55
Currently, 128-bit SSL traffic is proof against brute-force decryption
attacks even when adversaries use clusters or supercomputers.56 Thus, 128-bit encryption is strong enough to protect data in communication, even if
50. HAZELINE ASUNCION & RICHARD N. TAYLOR, INST. FOR SOFTWARE RESEARCH,
ESTABLISHING THE CONNECTION BETWEEN SOFTWARE TRACEABILITY AND DATA PROVENANCE
10 (2007), available at http://www.isr.uci.edu/tech_reports/UCI-ISR-07-9.pdf.
51. See, e.g., SECUNIA, SECUNIA HALF YEAR REPORT (2010), available at http://secunia.com/
gfx/pdf/Secunia_Half_Year_Report_2010.pdf.
52. See generally DANIEL D. CHIRAS, ENVIRONMENTAL SCIENCE 116 (8th ed. 2010).
53. See PCI SECURITY PROCEDURES, supra note 44.
54. See, e.g., Roy Schoenberg, Security of Healthcare Information Systems, in CONSUMER
HEALTH INFORMATICS 162, 176 (Deborah Lewis et al., eds., 2005).
55. Id.
56. See, e.g., JOSEPH STEINBERG & TIM SPEED, SSL VPN: UNDERSTANDING, EVALUATING,
AND PLANNING SECURE, WEB-BASED REMOTE ACCESS 33–67 (2005).
institutions do not take additional measures, such as protecting against
eavesdropping.57
A corollary is that rules may be helpful where the impact of a data
breach is high, and where the specified technology raises the cost to an
attacker or discoverer of captured information. One example here is hard
drive encryption. Stories of lost laptops, backup tapes, and USB drives are
legion. Here, rules serve not to prevent loss—indeed, hard drive encryption
is only useful after the loss has taken place—but to reduce its effects.58
Similarly, a rule mandating logging of access to sensitive data cannot
prevent an employee from copying down customer account information
displayed on a computer monitor, but can aid an institution to detect what
has been revealed in the breach, and perhaps to minimize its spread.59 This
condition requires that the rule specify protection that is good enough in
most or all cases.
Second, rules work well when they need not be frequently updated—in
other words, when they decay slowly. This reduces the administrative cost
of the rule, and allows it to retain effectiveness over time.60 128-bit
encryption, for example, will likely suffice against brute-force attacks for at
least ten years, given current rates of advance in CPU clock cycles and
parallelization.61 To take another encryption case study, DES (Data
Encryption Standard) was adopted as a Federal Information Processing
Standard in 1976.62 It remained impervious to commercial-level decryption
(as opposed to governmental attacks) until the late 1990s.63 A technology-
specifying rule that remains effective for over twenty years is relatively
low-cost to update and relatively impervious to decay.64
57. “Man in the middle” attacks against SSL are still theoretically possible, but financial
institutions (unlike end users) should be sophisticated enough to take steps such as verifying
certificate signatures to safeguard against such hacks. See, e.g., Larry Seltzer, SSL Man-in-the-Middle Attack Exposed, PCMAG.COM (Nov. 5, 2009), http://www.pcmag.com/article2/0,2817,235
5432,00.asp; Ben Laurie, Another Protocol Bites the Dust, LINKS (Nov. 5, 2009, 8:03 AM),
http://www.links.org/?p=780; Dan Goodin, Hacker Pokes New Hole in Secure Sockets Layer,
REGISTER (London) (Feb. 19, 2009, 5:38 GMT), http://www.theregister.co.uk/2009/02/19/ssl_
busting_demo.
58. Sasha Romanosky, Rahul Telang & Alessandro Acquisti, Do Data Breach Disclosure
Laws Reduce Identity Theft? 12 (Sept. 16, 2008) (unpublished manuscript), available at
http://weis2008.econinfosec.org/papers/Romanosky.pdf; Robert Vamosi, Protect Data With On-the-Go Drive Encryption, PCWORLD (Mar. 1, 2010, 9:00 PM), http://www.pcworld.com/article/
189034/protect_data_with_onthego_drive_encryption.html.
59. See, e.g., Sarah Cortes, Compliance Fundamentals: Database Logging, Privileged Access
Control, IT COMPLIANCE ADVISOR (Apr. 13, 2009, 3:28 PM), http://itknowledgeexchange.tech
target.com/it-compliance/compliance-fundamentals-database-logging-privileged-access-control.
60. Sunstein, supra note 14, at 1012–16.
61. See, e.g., Bradley Mitchell, Encryption: What is the Difference Between 40-bit and 128-bit
Encryption?, ABOUT.COM, http://compnetworking.about.com/od/networksecurityprivacy/l/aa011
303a.htm (last visited Nov. 4, 2010).
62. History of Encryption, SANS INSTITUTE, http://www.sans.org/reading_room/whitepapers/
vpns/history-encryption_730 (last visited Nov. 4, 2010).
63. Press Release, Electronic Frontier Foundation, “EFF DES Cracker” Machine Brings
Honesty to Crypto Debate (July 17, 1998), http://w2.eff.org/Privacy/Crypto/Crypto_
Finally, rules are particularly effective when monitoring is low-cost and
accurate. An ongoing problem with data security breaches is the causation
of downstream harm. For example, if a bank suffers a data spill, and its
customers later suffer identity theft, is there a causal connection to the spill?
Courts have largely interpreted the causation requirements built into tort
law to exempt data owners or storehouses from liability.65 This may result
in insufficient incentives to take precautions. A rule, for example, that
requires data holders to encrypt data usefully serves as a bright-line
negligence test—especially when compliance is relatively low-cost.
Holding institutions responsible for downstream consequences of harms
related to the spilled information provides strong incentives to comply with
the rule—including that liability can be avoided entirely (under the current
doctrine) simply through encryption.66 Concerns about over-deterrence, or
excessive investment in precautions, are minimized (if not eliminated)
where the entity can avoid liability relatively simply and cheaply, and
where errors in adjudication are unlikely. When a rule is effective, both
initially and over time, and where regulators can assess compliance cheaply
and with confidence, a rule is likely to be superior to a standard in
specifying technological measures for data security. Thus, data security
rules can helpfully act as a forcing device that reduces the level of harm
from breaches.
One example of a data security rule that appears beneficial (though it is
sufficiently new that empirical data is lacking) is the data breach
notification scheme added to HIPAA (the federal Health Insurance
Portability and Accountability Act of 1996, which set data privacy and
security rules for personally-identifiable health information) by the
HITECH Act of 2009.67 The HITECH Act regulates information security
indirectly: if a covered entity under HIPAA has a breach of “unsecured
protected health information,” that entity must inform people whose data
was released and, in the case of a breach affecting more than 500 people,
misc/DESCracker/HTML/19980716_eff_descracker_pressrel.html. In 1998, the Electronic
Frontier Foundation cracked DES ciphertext in just under three days with commercially-available
technology. Id.
64. Sunstein, supra note 14, at 993–94.
65. See, e.g., Sovereign Bank v. BJ’s Wholesale Club, Inc., 533 F.3d 162, 176 (3d Cir. 2008);
Pisciotta v. Old Nat’l Bancorp, 499 F.3d 629 (7th Cir. 2007) (affirming judgment on pleadings for
defendant bank); Hammond v. Bank of N.Y. Mellon Corp., No. 08 Civ. 6060, 2010 WL 2643307,
at *14 (S.D.N.Y. June 25, 2010) (dismissing suit); Amburgy v. Express Scripts, Inc., 671 F. Supp.
2d 1046, 1050 (E.D. Mo. 2009).
66. STEVEN SHAVELL, ECONOMIC ANALYSIS OF ACCIDENT LAW 210 (1987).
67. Health Information Technology for Economic and Clinical Health Act of 2009, Pub. L.
No. 111-5, 123 Stat. 226 (2010).
must also inform the news media.68 Unsecured protected health information
(PHI) is PHI that is neither encrypted nor destroyed.69 Thus, a breach of
encrypted data does not impose a notification requirement, while a breach
of unencrypted PHI does. The HITECH Act is specific about the encryption
technologies that meet its mandate, pointing covered entities to a list of
methods certified by the National Institute of Standards and Technology
(NIST).70 Examples of NIST-approved encryption methods include the use
of Transport Layer Security (TLS), SSL, or IPSec for data communications,
and the NTFS file system for data storage.71 The new HIPAA data security
mandate acts like a rule: there is a bright-line test for compliance—either
PHI is encrypted with an approved method, or it is treated as unsecured—
and the consequences of non-compliance are clear—the entity assumes
responsibility for notification in case of a data breach. While the mandate is
a soft one—covered entities need not comply if they are willing to notify if
a breach occurs—it is nonetheless structured as a rule. The HITECH
requirement meets all three conditions specified above. First, encryption is
sufficient to mitigate or prevent most harms; second, the NIST-specified
standards are relatively slow to decay; and third, compliance is easy to
measure—either data is encrypted or it is not.72
Even if a rule risks being under-protective, such as where it decays
relatively quickly in efficacy (potentially violating the second condition
outlined above), it may still be valuable, especially if paired or reinforced
by a standard. This is likely to be true where technological changes are not
rapid enough to call for a standard, but are faster than, for example, the
changes in encryption effectiveness described above. For example, security
regulation could employ a rule specifying encryption with a 256-bit
symmetric key algorithm, and a standard requiring stronger encryption
where industry best practices so indicate. Such a move incorporates both
strict liability—failure to utilize 256-bit or greater encryption creates per se
liability—and negligence-based analysis—failure to use stronger encryption
when one’s industry does so can create liability. This hybrid approach
increases compliance costs, as potentially liable entities must engage in
additional investigation to determine the standard of care, and also
68. Breach Notification for Unsecured Protected Health Information, 74 Fed. Reg. 42,740,
42,767–70 (Aug. 24, 2009) (to be codified at 45 C.F.R. pt. 160 and 164).
69. Id. at 42,768.
70. Id.; see Guidance to Render Unsecured Protected Health Information Unusable,
Unreadable, or Indecipherable to Unauthorized Individuals, U.S. DEP’T OF HEALTH & HUMAN
SERVS., http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brguidance.
html (last visited Oct. 7, 2010) [hereinafter Guidance to Render Unsecured Protected Health].
71. Guidance to Render Unsecured Protected Health, supra note 70.
72. The difference between cleartext and ciphertext is obvious even to a layperson—one is
readable text and one appears to be gibberish—although the level of encryption used to encode the
ciphertext is not.
monitoring costs, as enforcers must perform the same task.73 However, it
can usefully augment a bright-line rule where there are significant concerns
that the rule may become under-protective.
This framework suggests, by way of example, three areas where rule-based regulation will be helpful: data storage, data transport, and access
logging.
Both data storage and data transport can be governed by a simple rule:
encrypt. Data encryption technology is ubiquitous, inexpensive, and
reliable, yet the wave of data spills suggests that data owners and
distributors have insufficient incentives to employ it.74 A rule requiring
entities to encrypt data during storage and transport, on pain of facing
liability for all harms resulting from breaches or spills, would usefully
create incentives for protection and would also drive ineffective or
incompetent data handlers from the market. Typical concerns about over-deterrence do not apply where compliance is relatively low-cost and where
errors in evaluating it are rare if not absent entirely. Encryption for storage
and transport meets the three preconditions this Article posits for rules.
First, encrypting data when it is stored or sent should protect against misuse
in most circumstances.75 While sophisticated adversaries can decrypt
protected information, doing so requires time, technology, and resources.
Encryption raises the cost of data misuse, even if it does not affect the
likelihood of data spills. Second, a rule requiring encryption is relatively
obsolescence-proof. While faster GPUs and CPUs are decreasing the time
necessary to decrypt data without authorization, current protocols are likely
to be sufficient for at least ten years.76 Finally, detection is cheap and easy.
Encryption can be verified through visual inspection. Moreover, given that
encryption is strong protection against data misuse, courts might even adopt
a presumption that misused data was, in fact, not protected. Res ipsa
loquitur is a traditional cost-saving enforcement mechanism that could also
helpfully force regulated entities to verify encryption or to enable it by
default.77
Access logging—tracking who has accessed, changed, or deleted
data—is also a strong candidate for rule-based regulation.78 Moreover,
73. See generally W. KIP VISCUSI, REFORMING PRODUCTS LIABILITY 121–23 (1991)
(discussing enforcement and information costs).
74. See, e.g., Adam J. Levitin, Private Disordering? Payment Card Fraud Liability Rules, 5
BROOKLYN J. CORP. FIN. & COMM. L. 1 (2010); Chronology of Data Breaches: Security Breaches
2005-Present, PRIVACY RIGHTS CLEARINGHOUSE, http://www.privacyrights.org/data-breach (last
updated Nov. 7, 2010).
75. See supra Part II.
76. Mitchell, supra note 61.
77. See generally THOMAS J. MICELI, THE ECONOMIC APPROACH TO LAW 63–64 (2004).
78. See, e.g., Logging User Authentication and Accounting Requests, MICROSOFT TECHNET,
http://technet.microsoft.com/en-us/library/cc783783(WS.10).aspx (last updated Jan. 21, 2005)
(discussing Windows Server 2003); Enabling Access Logging, IBM,
http://publib.boulder.ibm.com/infocenter/wchelp/v5r6/index.jsp?topic=/com.ibm.commerce.admin
access monitoring is an example of a mitigation effort rather than a
prevention effort; recording who has access to data does not impede
copying or misuse directly, but can deter attackers and can also make cleanup efforts easier and more effective.79 A rule for access logging could be
quite specific, mandating that entities capture the user credentials, time of
access or alteration, and location of access or alteration in durable form. In
addition, the rule could allow some flexibility—become more standard-like—by prescribing what must be captured, when, and how, but not by
mandating a particular mode of access control. For example, specifying that
a system of electronic medical records must record what records are
accessed, what changes are made, by whom (user name, for example), from
where (IP address or computer host name, for example), and when, would
provide a clear trail that would enable recovery efforts after a data spill.
Access logging also meets this Article’s three preconditions. Knowing
who—or, at least, whose credentials—accessed the data is helpful to
divining downstream data access after a breach; thus, even minimal
tracking is quite effective.80 Second, access logging has changed relatively
little since the days of mainframe data storage; users still authenticate via
credentials such as names and passwords.81 Even access controls that
employ digital signatures or keys are only variants on this basic technique.
Finally, verifying compliance is straightforward: either the entity keeps logs
of access, or it does not. Protective techniques such as checksums and
hashes can easily test for ex post alteration of access logging, preventing
malefactors from obscuring evidence.82 Thus, not only is access logging
usefully regulated by a rule, but it also serves as an example of a necessary
shift in regulatory focus: from prevention to mitigation.
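The access-logging rule sketched above, worked through as an added example that is not part of the Article: each entry captures the fields the text names (which record, what change, whose credentials, from where, and when), and the entries are chained with SHA-256 so that the kind of ex post alteration or deletion footnote 82 warns about is detected on verification. The field layout, the sample entries and the hash-chaining scheme are constructed for illustration, not drawn from any regulation or product.

```python
"""Constructed example of a tamper-evident access log: an append-only list
of access events in which every entry carries a SHA-256 hash over its own
content plus the previous entry's hash, so editing, reordering or dropping
an entry after the fact breaks the chain. Names and sample data are made up."""
import hashlib
import json
from datetime import datetime, timezone
from typing import List, Optional, Tuple

GENESIS = "0" * 64  # stand-in for the "previous hash" of the first entry


def entry_hash(prev_hash: str, entry: dict) -> str:
    """Hash the canonical JSON form of an entry together with the hash of the
    entry before it, so each entry commits to the entire history preceding it."""
    canonical = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode("utf-8")).hexdigest()


class AccessLog:
    """Fields mirror what the text says a logging rule should capture:
    the record touched, the action, the user, the source host, the time."""

    def __init__(self) -> None:
        self.entries: List[dict] = []

    def append(self, user: str, record_id: str, action: str, source: str,
               when: Optional[datetime] = None) -> dict:
        if action not in ("read", "update", "delete"):
            raise ValueError("unknown action %r" % action)
        when = when or datetime.now(timezone.utc)
        prev_hash = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {
            "seq": len(self.entries),      # position; catches deletions/reordering
            "user": user,                  # whose credentials were used
            "record_id": record_id,        # what was accessed
            "action": action,              # what change (if any) was made
            "source": source,              # from where (IP or host name)
            "when": when.isoformat(),      # when
        }
        entry = dict(body, hash=entry_hash(prev_hash, body))
        self.entries.append(entry)
        return entry

    def verify(self) -> Tuple[bool, Optional[int]]:
        """Recompute the chain from the start. Returns (True, None) if intact,
        otherwise (False, position) of the first entry whose content, position
        or predecessor no longer matches the hash stored with it."""
        prev_hash = GENESIS
        for position, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["seq"] != position or entry_hash(prev_hash, body) != entry["hash"]:
                return False, position
            prev_hash = entry["hash"]
        return True, None

    def accesses_to(self, record_id: str) -> List[dict]:
        """The post-breach question the text poses: whose credentials touched
        a given record, from where, and when."""
        return [e for e in self.entries if e["record_id"] == record_id]


def demo() -> dict:
    """Build a small constructed log, answer the 'who touched this record'
    question, then show that rewriting one entry afterwards is detected."""
    t0 = datetime(2010, 10, 7, 9, 0, tzinfo=timezone.utc)
    log = AccessLog()
    log.append("alice", "patient-1042", "read", "10.0.0.5", t0)
    log.append("bob", "patient-1042", "update", "10.0.0.17", t0.replace(minute=12))
    log.append("alice", "patient-2211", "read", "10.0.0.5", t0.replace(minute=30))
    intact_before = log.verify()
    touched = [e["user"] for e in log.accesses_to("patient-1042")]

    # Someone who copied patient-1042 later edits entry 1 to name another user.
    # The stored hash no longer matches the recomputed one, so verify() fails
    # at that position.
    log.entries[1]["user"] = "carol"
    intact_after = log.verify()
    return {
        "intact_before": intact_before,   # (True, None)
        "touched_1042": touched,          # ["alice", "bob"]
        "intact_after": intact_after,     # (False, 1)
    }


if __name__ == "__main__":
    print(demo())
```

Deleting an entry is caught the same way: the entry that moves into its place carries the wrong `seq` and a hash computed over a different predecessor.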
As these examples demonstrate, regulation by rule has considerable
virtues for technology, at least where the technology has effective minima,
slow decay, and easy verification.
CONCLUSION
The default assumption for regulating information technology is that
standards are not only the superior choice; they are nearly the only choice.
This is because scholars and policymakers have focused on the wrong
.doc/tasks/tseacclog.htm (last visited Oct. 10, 2010) (discussing IBM WebSphere Commerce
server); Logging Control In W3C httpd, W3.ORG, http://www.w3.org/Daemon/User/Config/
Logging.html (last visited Oct. 21, 2010).
79. Galen Gruman, “CSI” For the Enterprise?, CIO, Apr. 15, 2006, at 25, 30, 32.
80. Id.
81. See, e.g., GARY P. SCHNEIDER, ELECTRONIC COMMERCE 493 (8th ed. 2009); Julie
Webber, Software Alone Can’t Protect Your Data, PC Managers Warn, INFOWORLD, Mar. 28,
1988, at S2.
82. Michael Baylon, Using Checksums to Test for Unexpected Database Schema Changes,
MICHAEL BAYLON’S BLOG (Oct. 16, 2010, 3:40 PM), https://michaelbaylon.wordpress.com/
2010/10/16/using-checksums-to-test-for-unexpected-database-schema-changes.
problem: they seek to prevent data spills, rather than to mitigate their
impact. Rules can helpfully reduce the effects of a breach. For technology,
rules are preferable when they can specify a minimum level of protection
that is relatively effective against most risks or attacks; where obsolescence
occurs slowly; and where monitoring the rule’s implementation is relatively
low-cost and accurate.83 Standards are not always superior, nor are they
always inferior—instead, the preferred embodiment of regulation varies
with the characteristics of the technological problem at issue. While
application design is best governed by standards, due to the critical role of
process, the transport and storage of data, along with identification of
access to information, are best dealt with via rules.84 This Article questions
the prevailing consensus in favor of standards for regulating technology,
and also seeks to create testable predictions about when rules will work
better. In short, I argue sometimes geeks require rules, not standards.
83. See supra Part II.
84. See supra Part II.
WARRANTING DATA SECURITY
Juliet M. Moringiello*
INTRODUCTION
Massive data security breaches have grabbed headlines in the past few
years. The data thieves responsible for these breaches have stolen the credit
and debit card data of customers of retailers such as TJ Maxx,1 DSW Shoe
Warehouse,2 BJ’s Wholesale Club,3 and the Hannaford grocery store chain.4
A thief in control of payment card data, which can include debit and credit
card numbers, expiration dates, security codes, and personal identification
numbers,5 has the ability to open new credit accounts and make charges on
existing consumer accounts. These data breaches leave individuals fearful
that their personal information will be used in ways that will disrupt their
financial transactions and damage their credit.6
The legal protection of privacy in the United States is far from
comprehensive.7 The level of privacy protection provided to individuals
depends on the sector of the economy in which they are participating.8 One
sector of the economy in which privacy legislation exists is the financial
sector, but the protection provided by such legislation is not
comprehensive.9 Although individuals may think that they have some
protected right to financial privacy because of the Gramm-Leach-Bliley
Act, that statute—which requires financial institutions to disclose their
privacy policies to consumers—does nothing to protect the consumer when
* Professor, Widener University School of Law. I thank Ted Janger for organizing the
Symposium at which this paper was presented, and all the participants, especially James
Grimmelmann and Sarah Jane Hughes, for their very helpful comments on an early draft. Matthew
Banks provided terrific research assistance for this Article.
1. Ross Kerber, Banks in Region Set to Sue TJX Over Breach; Group Says Its Plan Reflects
Ire Over Lax Security by Retailers, BOS. GLOBE, Apr. 25, 2007, at C1; Joseph Pereira, Jennifer
Levitz & Jeremy Singer-Vine, U.S. Indicts 11 in Global Credit-Card Scheme, WALL ST. J., Aug.
6, 2008, at A1.
2. Bill Husted & David Markiewicz, Info Theft Slams Chain; 1.4 Million Card Numbers
Stolen, ATLANTA J.-CONST., Apr. 20, 2005, at A1.
3. Todd Mason, Philadelphia-Based Sovereign Bank to Replace 83,000 Compromised Debit
Cards, KNIGHT RIDDER TRIB. BUS. NEWS (Washington), June 4, 2004, at 1.
4. Mark Albright, Grocer Credit Data is Swiped, ST. PETERSBURG TIMES, Mar. 18, 2008, at
D1.
5. In re Hannaford Bros. Co. Customer Data Sec. Breach Litig., 613 F. Supp. 2d 108, 116 (D.
Me. 2009).
6. Identity Theft: Hearing Before the S. Comm. on Commerce, Sci., and Transp., 109th Cong.
28 (2005) (statement of Deborah Platt Majoras, Chairman, Fed. Trade Comm’n).
7. See, e.g., MARGARET JANE RADIN, JOHN A. ROTHCHILD, R. ANTHONY REESE &
GREGORY M. SILVERMAN, INTERNET COMMERCE: THE EMERGING LEGAL FRAMEWORK 390–92
(2nd ed. 2006).
8. Id.
9. Id. at 391.
64
BROOK. J. CORP. FIN. & COM. L.
[Vol. 5
her financial information is stolen from the payment system.10 Despite the
fact that almost all states have provided a measure of protection to
consumers by enacting data breach notification statutes, these statutes
merely require companies that hold consumer data to notify consumers of a
breach so that the consumers can protect themselves.11 Data breach
notification statutes do not grant a private right of action to consumers to
recover their losses.12 A comprehensive statutory and regulatory scheme
allocates losses in the credit and debit card systems, and this scheme tends
to pass fraud losses on to the banks that issue the cards.13 While this scheme
insulates the individual cardholders from most of the major financial losses
resulting from a data breach, it does nothing to compensate the cardholders
for the time and money they must spend to monitor their credit, obtain
replacement cards, cancel and reinstate recurring automatic payments, and
repair their credit in cases in which the data was used to open new
fraudulent accounts.
Consumers affected by data breaches understandably feel exposed to
serious financial harm, even in the absence of liability for fraudulent
charges. A consumer’s credit score affects her ability to finance important
purchases, and the events that occur in the aftermath of a data breach can
negatively affect that score.14 Because their losses are not addressed by
existing privacy and payment system statutes, consumers have attempted to
recover them using various common law theories; such theories, however,
have uniformly failed to provide them any meaningful recovery for these
losses.15 In this Article, I will discuss cases in which consumers have been
denied recovery for losses arising out of data breaches. I then focus on a
novel argument made by the plaintiffs in the Hannaford case. The
Hannaford plaintiffs argued that Article 2 of the Uniform Commercial
10. See Gramm-Leach-Bliley Act, Pub. L. No. 106-102, 113 Stat. 1338 (1999) (codified as
amended in scattered sections of 12 U.S.C. and 15 U.S.C.).
11. See, e.g., IND. CODE §§ 24-4.9-1-1–9-5-1 (West 2009); MASS. GEN. LAWS ANN. ch. 93H,
§§ 1–6 (West 2010); N.Y. GEN. BUS. LAW § 899-aa (McKinney Supp. 2010). As of April 2010,
“46 states, the District of Columbia, Puerto Rico, and the U.S. Virgin Islands had enacted
legislation requiring notice to individuals of security breaches involving personal information.”
See State Security Breach Notification Laws, NAT’L CONFERENCE OF STATE LEGISLATURES,
http://www.ncsl.org/IssuesResearch/TelecommunicationsInformationTechnology/SecurityBreach
NotificationLaws/tabid/13489/Default.aspx (last visited Sept. 21, 2010). Several attempts to pass a
federal data breach notification law have failed. See Donald G. Aplin, Network Security: Carper,
Bennett Reintroduce Bipartisan Financial Data Security, Breach Notice Bill, BNA: ELECTRONIC
COMM. & L. REP., July 21, 2010, http://news.bna.com/epln (search “Donald G. Aplin”; then
follow “7/19/2010” hyperlink).
12. See Pisciotta v. Old Nat’l Bancorp, 499 F.3d 629, 637 (7th Cir. 2007) (stressing that the
Indiana data breach notification statute grants enforcement authority only to the Attorney
General).
13. See generally Truth in Lending Act of 1968 §§ 102–87, 15 U.S.C. §§ 1601–1667f (2006);
Electronic Fund Transfer Act of 1978 § 902, 15 U.S.C. §§ 1693–1693r (2006).
14. Gail Hillebrand, After the FACTA: State Power to Prevent Identity Theft, 17 LOY.
CONSUMER L. REV. 53, 55–57 (2004).
15. See discussion infra Part II.
2010]
Warranting Data Security
65
Code (UCC) should provide a remedy to individuals harmed by a data
breach because every time a retailer accepts a payment card from a buyer, it
warrants that its payment system is secure.16
While a warranty of data security might be a good idea, Article 2 is not
the best place for it because of its limitation to sales of goods. Instead,
courts could impose a common law warranty of data security, under which
all sellers would warrant that their chosen payment system is secure. In this
Article, I will propose a non-waivable common-law warranty of data
security that is drawn from both Article 2 warranties and the warranties
provided in Articles 3 and 4 of the UCC which apply to negotiable
instruments and the check collection system.17 I will then compare the
problem of ensuring safe data transactions today to the problem of ensuring
the habitability of rental housing in the mid-20th century, which judges
addressed by imposing an implied warranty of habitability in leases for
residential real property.18 The story of that warranty can add to the
discussion about how best to ensure the safety of personal financial data.19
To develop my argument, in Part I, I will describe the mechanics of a
data breach. In Part II, I will focus on the case law to discuss the difficulties
that consumers face in recovering their data breach losses. I discuss various
UCC warranties in Part III, and in Part IV, I analogize today’s data security
problems to the problems of scarce habitable rental housing in the mid-twentieth century and suggest that today’s courts should protect personal
financial data by imposing a warranty modeled in part on the warranty of
habitability developed by courts in the 1970s. I conclude by calling on
courts to develop a common-law warranty to compensate individuals
harmed by data breaches.
I. ANATOMY OF A DATA BREACH
A payment card transaction involves four parties—the card issuer, the
customer, the merchant, and the merchant bank—each of which is in
control of payment data at some point in the transaction.20 The role of
merchant bank is complicated because a merchant bank may itself act as
acquirer or processor, or it may sponsor access to the payment card network
16. In re Hannaford Bros. Co. Customer Data Sec. Breach Litig., 613 F. Supp. 2d 108, 118 (D.
Me. 2009).
17. U.C.C. §§ 3-416, 3-417, 4-207, 4-208 (2002).
18. See discussion infra Part IV.
19. Modern data collection practices provide legal scholars with an excellent opportunity to
analogize privacy regulation to the regulations of past social problems. See generally James
Grimmelmann, Privacy as Product Safety, 19 WIDENER L.J. 793 (2010). One possible analogy is
to product safety regulation. Id. at 813.
20. Julia S. Cheney, Heartland Payment Systems: Lessons Learned from a Data Breach 1
(Payments Cards Center, Fed. Reserve Bank of Phila., Discussion Paper No. 10-1, 2010),
available at http://ssrn.com/abstract=1540143.
for its partner transaction processor.21 Some data breaches, such as the TJ
Maxx data breach, involved data in the merchant’s control.22 Others, such
as the Heartland Payment Systems (Heartland) breach, involved data in the
processor’s control.23 In some cases, it is difficult to determine the identity
of the party at fault for the breach, and as a result, the retailer and its
payment processor are often both named as defendants in data breach
suits.24
The TJ Maxx breach, which was discovered by the company in
December 2006, involved customer data held in the company’s computer
systems.25 In a Securities and Exchange Commission filing, the company
claimed that the data thieves, using software they placed in the company’s
systems without authorization, captured both unencrypted and encrypted
data.26 The company reported in its filing that it believed that the hackers
had access to the decryption tool for the encryption software used by TJ
Maxx.27 According to one news report on the breach, this decryption tool
could have been acquired by an insider who participated in the data theft or
by a successful entry into the TJ Maxx database where the decryption keys
were held.28
The Heartland and Hannaford breaches were different from prior
attacks in that the hackers focused not on data stored in a consumer
database, but on data as it moved from the stores to the credit card
processors.29 In late 2007, fraudsters breached Heartland’s system by a
method known as SQL injection,30 which allowed them to exploit a
21. Id. at 1–2.
22. See TJX Co., Annual Report (Form 10-K), at 7 (Mar. 28, 2007), available at
http://ir.10kwizard.com/files.php?source=487&page=14&ext=1 (reporting that TJX had suffered
“an unauthorized intrusion into portions of [its] computer system”).
23. Cheney, supra note 20, at 3.
24. See, e.g., Amerifirst Bank v. TJX Co., Inc., 564 F.3d 489, 491–92 (1st Cir. 2009) (naming
both the retailer and its processing bank as defendants, alleging that they both “failed to follow
security protocols prescribed by Visa and MasterCard”).
25. See TJX Co., Annual Report, supra note 22, at 7.
26. Id. at 9.
27. See id.
28. Larry Greenemeier, T.J. Maxx Parent Company Data Theft is the Worst Ever,
INFORMATIONWEEK.COM (Mar. 29, 2007), http://www.informationweek.com/news/security/show
Article.jhtml?articleID=198701100.
29. See Linda McGlasson, Hannaford Data Breach May Be ‘Tip of Iceberg’, BANK INFO
SECURITY (Apr. 4, 2008), http://www.bankinfosecurity.com/articles.php?art_id=810 (quoting a
security expert who described the Hannaford incident as “highly significant because it represents
the first publicly-acknowledged theft of sensitive card authorization data in transit”); see also
Cheney, supra note 20, at 3.
30. SQL stands for “structured query language,” which is defined as “a standardized language
for defining and manipulating data in a relational database.” IBM, SQL REFERENCE VOLUME 1, 1
(2006), available at ftp://public.dhe.ibm.com/ps/products/db2/info/vr9/pdf/letter/en_US/db2
s1e90.pdf. For a good explanation of how SQL works and a detailed description of some of the
high-profile data breaches mentioned in this article, see generally James Verini, The Hacker Who
Went Into the Cold, N.Y. TIMES MAG., Nov. 14, 2010, at 44.
vulnerability in Heartland’s corporate and payment processing networks.31
They then installed software that captured payment card data as it moved
through Heartland’s system.32 In early 2008, Hannaford discovered that
hackers had placed malicious software on their servers to capture payment
card information.33 The software picked up credit card numbers and
expiration dates as they traveled through the system and sent that
information to overseas servers.34
It is important to note that the Payment Cards Industry Standards
Council, founded by the five payment card networks, manages a set of
security standards (known collectively as the Payment Card Industry Data
Security Standard, or PCI DSS)35 with which all merchants and processors
must comply in order to participate in the card payment systems.36 While TJ
Maxx had not fully complied with the PCI DSS standards,37 Heartland had
been certified as compliant at the time its system was breached.38 PCI DSS
is not seen as the “gold standard” in data security, however, and most
companies do more to protect their data than is required by PCI DSS.39
The amount of data compromised in these breaches can be staggering.
The Hannaford data breach resulted in the theft of 4.2 million credit and
debit card numbers and related information such as PIN codes.40 The DSW
Shoe Warehouse breach involved more than 1.4 million credit and debit
card numbers and almost 100,000 checking account numbers and driver’s
license numbers.41 The BJ’s Wholesale Club breach allowed “unauthorized
parties [to gain] access to magnetic stripe data from 9.2 million credit
cards.”42 The TJ Maxx breach was one of the largest, with 94 million
compromised records, according to one estimate.43 The largest breach to
date was the Heartland breach, which affected about 130 million credit and
31. Cheney, supra note 20, at 3.
32. Id.
33. In re Hannaford Bros. Co. Customer Data Sec. Breach Litig., 613 F. Supp. 2d 108, 116 (D.
Me. 2009).
34. McGlasson, supra note 29.
35. About the PCI Data Security Standard (PCI DSS), PCI SECURITY STANDARDS COUNCIL,
http://www.pcisecuritystandards.org/security_standards/pci_dss.shtml (last visited Oct. 26, 2010).
36. Id.
37. Bill Brenner, TJX Security Breach Tied to Wi-Fi Exploits, COMPUTERWEEKLY.COM (May
8, 2007), http://www.computerweekly.com/Articles/2008/08/08/223672/TJX-security-breach-tiedto-Wi-Fi-exploits.htm.
38. See Cheney, supra note 20, at 4.
39. See id. (discussing the observations of Bob Carr, the CEO of Heartland Payment Systems).
40. In re Hannaford Bros. Co. Customer Data Sec. Breach Litig., 613 F. Supp. 2d 108, 116 (D.
Me. 2009).
41. Hendricks v. DSW Shoe Warehouse, Inc., 444 F. Supp. 2d 775, 777 (W.D. Mich. 2006).
42. Cumis Ins. Soc’y, Inc. v. BJ’s Wholesale Club, Inc., 918 N.E.2d 36, 39 (Mass. 2009).
43. See Data Security Breaches Reach a Record in 2007, WALL ST. J., Dec. 31, 2007, at B5
(reporting that while the company acknowledged that 46 million records were compromised, Visa
and MasterCard estimated that 94 million TJ Maxx records were compromised).
debit cards.44 These breaches have exposed the personal financial data of
millions of individuals, giving unauthorized parties the ability to enter into
fraudulent payment card transactions. The data thief is often hard to find, so
the data breach victims seek recovery from the company to whom they
entrusted their information by making a payment.45 Although consumers are
protected from liability for the fraudulent transactions themselves, they
have had almost no success recovering other costs arising from these
breaches.46
II. THWARTED ATTEMPTS TO RECOVER FOR DATA THEFT
Rules governing both credit cards and debit cards protect consumers
from most of the liability for fraudulent charges. The Truth in Lending Act
limits the liability of a consumer for unauthorized use of her credit card to
$5047 and many credit card issuers promise no liability to cardholders if the
cardholder notifies the issuer immediately after the card was lost or stolen.48
The Electronic Funds Transfer Act contains a $50 liability limitation for the
unauthorized use of a debit card, but the consumer can be liable for a
greater amount if she fails to report the loss of her card within a prescribed
amount of time.49 Yet data breaches cause consumers to suffer a wide range
of other financial and non-financial harms.
Consumer plaintiffs in data breach cases have alleged a variety of
harms. Although they ultimately incur little to no liability for unauthorized
charges, consumer victims of a data breach spend time and money to
address and resolve their financial disruptions.50 For example, an individual
whose personal information has been compromised as a result of a data
breach often feels the need to pay to monitor her credit51 because an
unauthorized party might use the stolen data to assume the affected
individual’s identity and obtain credit or other benefits fraudulently in that
44. Linda McGlasson, Heartland Breach: Consumer Settlement Proposed, BANK INFO
SECURITY (May 6, 2010), http://www.bankinfosecurity.com/articles.php?art_id=2498.
45. See, e.g., In re Hannaford Bros. Co., 613 F. Supp. 2d at 114; Hendricks, 444 F. Supp. 2d at
776; Settlement Agreement, In re Heartland Payment Sys., Inc. Customer Data Sec. Breach Litig.
(S. D. Tex. 2009) (No. 4:09-MD-2-46), available at http://www.hpscardholdersettlement.com/
Documents/Settlement%20Agreement.pdf [hereinafter Heartland Settlement Agreement].
46. See discussion infra Part II.
47. Truth in Lending Act of 1968 § 133, 15 U.S.C. § 1643 (a) (1) (2006).
48. See Mastercard Zero Liability: Zero Liability Protection for Lost & Stolen Cards,
MASTERCARD, http://www.mastercard.com/us/personal/en/cardholderservices/zeroliability.html
(last visited Aug. 27, 2010); Visa Zero Liability, VISA, http://usa.visa.com/personal/security/visa_
security_program/zero_liability.html (last visited Aug. 27, 2010).
49. Electronic Fund Transfer Act of 1978 § 909, 15 U.S.C. § 1693g (2006).
50. In re Hannaford Bros. Co., 613 F. Supp. 2d at 116.
51. Pisciotta v. Old Nat’l Bancorp, 499 F.3d 629, 631 (7th Cir. 2007); In re Hannaford Bros.
Co., 613 F. Supp. 2d at 116; Hendricks v. DSW Shoe Warehouse, Inc., 444 F. Supp. 2d 775, 777
(W.D. Mich. 2006); Forbes v. Wells Fargo Bank, N.A., 420 F. Supp. 2d 1018, 1019 (D. Minn.
2006).
person’s name.52 If that individual finds unauthorized payments or charges
on her bank and credit card statements, she must take the time to contest the
fraudulent charges. As a result, many victims of a data breach seek
compensation for credit monitoring costs.53 The Hannaford plaintiffs
alleged a comprehensive list of harms, which covered almost everything
that can happen when the security of a credit or debit card is
compromised.54 Some customers were deprived of the use of their cards
because their bank accounts were overdrawn and their credit limits were
exceeded.55 Customers also lost bonus points on their cards for the period of
time when their cards were cancelled.56 Some banks required customers to
pay for replacement cards.57 Customers were also forced to spend time
dealing with pre-authorized charges because they had to give new credit
card numbers to the payees to whom the pre-authorized payments were
made.58 When a consumer’s pre-authorized payments cannot be made
because the credit card on file is not valid, the consumer incurs additional
charges such as late fees. Therefore, the Hannaford plaintiffs also claimed
damages for the disruption of their pre-authorized charge relationships.59
Courts have rejected consumer attempts to recover these costs.
Most courts have found that the harms caused by the exposure of personal
financial information are too speculative to form the basis for a claim for
damages in either contract or tort law.60 In Pisciotta v. Old National
Bancorp, the plaintiffs sought compensation, under a negligence theory, for
both the credit monitoring services they were forced to obtain and for the
emotional distress that they suffered after their personal financial
information was taken from the defendant bank’s Web site.61 In order to
recover on their negligence claim, the plaintiffs were required to show that
they suffered “a compensable injury proximately caused by [the bank’s]
breach of duty.”62 To show that they had suffered a compensable harm, the
plaintiffs pointed to the Indiana data breach notification statute, arguing that
the Indiana legislature, by enacting such a statute, agreed that consumers
suffer compensable harm at the moment their personal financial information
52. See Heartland Settlement Agreement, supra note 45, at 12–13.
53. See, e.g., Pisciotta, 499 F.3d at 631; In re Hannaford Bros. Co., 613 F. Supp. 2d at 116;
Forbes, 420 F. Supp. 2d at 1020.
54. In re Hannaford Bros. Co., 613 F. Supp. 2d at 116.
55. Id.
56. Id.
57. Id.
58. Id.
59. Id.
60. See, e.g., Pisciotta v. Old Nat’l Bancorp, 499 F.3d 629, 637 (7th Cir. 2007); Forbes v.
Wells Fargo Bank, N.A., 420 F. Supp. 2d 1018, 1021 (D. Minn. 2006); Hendricks v. DSW Shoe
Warehouse, Inc., 444 F. Supp. 2d 775, 779–81 (W.D. Mich. 2006).
61. Pisciotta, 499 F.3d at 631–32.
62. Id. at 635 (emphasis omitted) (quoting Bader v. Johnson, 732 N.E.2d 1212, 1216–17 (Ind.
2000)).
is compromised by a data breach.63 The court rejected this argument, noting
the absence of any statement by the legislature that it intended to allow such
a recovery.64
The plaintiffs in Forbes v. Wells Fargo were also denied recovery for
credit monitoring costs.65 In that case, the plaintiffs sued Wells Fargo for
both negligence and breach of contract when their financial information was
stolen from a Wells Fargo service provider.66 The court rejected the
plaintiffs’ arguments, holding that credit monitoring expenses were not
incurred because of any present injury, but were rather incurred to prevent
future injury, stressing that the plaintiffs’ injuries were “solely the result of
a perceived risk of future harm.”67 The court denied the plaintiff’s breach of
contract claims in Hendricks v. DSW Shoe Warehouse because she did not
prove that her personal information had been used in any way and
therefore had suffered no cognizable loss.68 The court characterized the
plaintiff’s claim for credit monitoring costs as “damages to buy peace of
mind.”69
Although several plaintiffs have attempted to recover for their losses on
a breach of contract theory, the Hannaford plaintiffs made a particularly
novel contract argument. They argued that every time Hannaford accepted a
payment card, it impliedly warranted that its payment system “was fit for its
intended purpose, namely the safe and secure processing of credit and debit
card payment transactions,” and that this warranty was breached because
the system “allowed wrongdoers to steal the customers’ confidential
personal and financial data.”70 This resembles the implied warranty of
fitness for a particular purpose from Article 2 of the UCC.71 The plaintiffs
argued not that the Article 2 warranty applies by its terms to payment
processing transactions, but that Article 2 “provides an ‘analogue’ on which
[the] . . . court should draw in crafting a common law implied warranty to
fit their situation.”72
The court refused to imply such a warranty for several reasons,
focusing on the requirements of Article 2.73 In order for a warranty of
fitness for a particular purpose to be implied in a contract of sale, the seller
must have reason to know of two facts: the particular purpose for which the
63. Id. at 637.
64. Id.
65. See Forbes v. Wells Fargo Bank, N.A., 420 F. Supp. 2d 1018, 1021 (D. Minn. 2006).
66. Id. at 1020.
67. Id. at 1021.
68. Hendricks v. DSW Shoe Warehouse, Inc., 444 F. Supp. 2d 775, 779–81 (W.D. Mich.
2006).
69. Id. at 780.
70. In re Hannaford Bros. Co. Customer Data Sec. Breach Litig., 613 F. Supp. 2d 108, 119–20
(D. Me. 2009) (quotations omitted).
71. U.C.C. § 2-315 (2002).
72. In re Hannaford Bros. Co., 613 F. Supp. 2d at 120.
73. Id.
buyer requires the goods, and that the buyer is relying on the seller’s skill or
judgment in selecting or furnishing such goods.74 The court emphasized that
the warranty applies to goods sold, and the definition of goods does not
include the payment system used to process the payment for the goods.75 In
addition, the implied warranty of fitness for a particular purpose is implied
not when a buyer seeks goods for their ordinary purpose, but only when a
buyer seeks goods for a purpose that is particular to that buyer’s needs.76
The court correctly observed that the buyers did not use the payment system
for a particular purpose;77 instead, they relied on it to process credit and
debit card payments in the same way as did all other grocery purchasers.78
However, while Article 2 may not be the best place to locate a warranty
or provide the best analogy, implying a warranty of data security in
consumer payment transactions is a good idea. A better analogy might be
the non-waivable implied warranty of habitability developed by courts in
the early 1970s to respond to the societal changes wrought by
urbanization.79 As I will discuss in Part IV, some of the same concerns that
drove the courts of forty years ago to protect consumers of urban rental
housing exist today in the area of payment data security.80
An implied warranty of data security would allow consumers to recover
their losses without overly straining established legal doctrines. Today,
there are two major impediments to recovery for the losses that individuals
incur as a result of a data breach. The first, applicable to both contract and
tort actions, is that the damages are seen as too speculative.81 Second,
purely economic losses that are not coupled with personal injury or physical
property damage are not recoverable in tort.82 One justification for this
doctrine is to allow parties to allocate their economic losses by contract.83 In
the consumer context, however, reliance on freedom of contract often fails
to protect consumer welfare.84 Because of this preference for freedom of
contract, consumers appear doomed to absorb some costs of data breaches
themselves. In order for an implied warranty of data security to truly protect
74. U.C.C. § 2-315 (2002).
75. In re Hannaford Bros. Co., 613 F. Supp. 2d at 120.
76. U.C.C. § 2-315, cmt. 2.
77. In re Hannaford Bros. Co., 613 F. Supp. 2d at 120.
78. Id.
79. See, e.g., Javins v. First Nat’l Realty Corp., 428 F.2d 1071, 1078 (D.C. Cir. 1970).
80. See discussion infra Part IV.
81. See cases cited supra note 60.
82. In re Hannaford Bros. Co., 613 F. Supp. 2d at 127; JAMES J. WHITE & ROBERT S.
SUMMERS, UNIFORM COMMERCIAL CODE § 11-5, at 538–39 (6th ed. 2010); Michael D. Scott,
Tort Liability for Vendors of Insecure Software: Has the Time Finally Come?, 67 MD. L. REV.
425, 470 (2008).
83. See WHITE & SUMMERS, supra note 82, § 11-5, at 541.
84. See Oren Bar-Gill & Elizabeth Warren, Making Credit Safer, 157 U. PA. L. REV. 1, 7–8
(2008) (arguing that markets for consumer credit function only when consumers are rational and
informed).
consumers, it would have to be non-waivable. There is precedent for non-waivable warranties both in the UCC and the common law.85 The remainder
of this Article will discuss the various warranties that are implied in
commercial transactions, and will propose that an implied warranty of data
security be imposed on retailers.
III. EXISTING UCC WARRANTIES: CAN WE EXPAND THEM TO
PROTECT DATA?
The proposed warranty of data security would be implied in all
contracts between a seller accepting a payment card and the buyer using
that card. The seller is the best person to give such a warranty because the
seller is the party who deals with the consumer and is also the party that the
consumer trusts to handle her payments safely. The seller would be
warranting the safety of a transaction, not a product. Nevertheless, elements
of several UCC warranties can be incorporated into an implied warranty of
data security.
The UCC implies several warranties under Article 2, which governs
sales of goods, and Articles 3 and 4, which govern some aspects of the
payment system.86 The persons giving these warranties represent that a
product,87 a transaction,88 or both89 meet certain quality and reliability
requirements. Parties to a transaction can waive some,90 but not all,91 of
these warranties. Although a payment card transaction falls strictly outside
of the UCC’s scope—and therefore a warranty protecting it could not find a
home in the UCC—an implied warranty of data security could draw on and
combine elements of several of these warranties. In the remainder of this
section, I will discuss the elements of the UCC warranties that should be
included in a warranty of data security and argue that a warranty approach
to the data breach problem has several advantages over a tort approach.
A. UCC PRODUCT WARRANTIES
Under the implied warranties of merchantability92 and fitness for a
particular purpose,93 a seller in a transaction governed by Article 2 promises
that goods sold meet some standard of quality (in the case of
85. See, e.g., Javins v. First Nat’l Realty Corp., 428 F.2d 1071, 1081–82 (D.C. Cir. 1970)
(holding that the implied warranty of habitability is non-waivable); U.C.C. § 3-417(e) (2003)
(providing that the Article 3 presentment warranty cannot be waived with respect to checks).
86. See generally U.C.C. §§ 2-312–317, 2-321, 3-318, 3-415–416, 4-207–209 (2002).
87. See infra notes 93–123 and accompanying text.
88. See infra notes 125–134 and accompanying text.
89. See infra notes 135–137 and accompanying text.
90. U.C.C. § 2-316 (2002) (setting forth the requirements for Article 2 warranty disclaimers).
91. See, e.g., U.C.C. § 3-417(e) (2003) (providing that the Article 3 presentment warranty
cannot be disclaimed with respect to checks).
92. U.C.C. § 2-314 (2002).
93. Id. § 2-315.
merchantability) or of suitability (in the case of fitness for a particular
purpose). A seller in a payment card transaction is providing two different
things: the product or service sold, and the system that processes the
payment.
A discussion of an argument that the Hannaford plaintiffs could have
but failed to make illustrates some of the advantages and disadvantages in
using Article 2 of the UCC to protect payment card data. Rather than asking
the court to apply the Article 2 warranties by analogy, the Hannaford
plaintiffs could have argued that the payment system software itself
breached the warranty of merchantability that is implied, unless excluded,
in all contracts covered by Article 2.94 Most courts have held that the
transfer of software is a sale of goods for the purpose of Article 2.95
However, the software warranty in a payment card transaction would first
run from the payment software vendor to the retailer, leaving the plaintiffs
with a privity barrier, one that I will explain below.
An examination of this hypothetical argument highlights some of the
benefits that an implied warranty might give consumers in payment card
transactions and also illustrates the impediments that consumers would face
in relying on existing warranties. First, the warranty of merchantability is
implied in all contracts for the sale of goods in which the seller is a
merchant.96 The UCC defines a merchant as “a person who deals in goods
of the kind or otherwise by his occupation holds himself out as having
knowledge or skill peculiar to the practices or goods involved in the
transaction.”97 All merchants give this warranty because they, as merchant
sellers, hold themselves out as having special knowledge with respect to the
products sold.98 A buyer need not show that he relied on any representations
made by the seller in order to recover for breach of warranty.99 Because the
warranty of merchantability is implied, unless excluded, in all transactions
in which goods are sold by a merchant, it is curious that the Hannaford
plaintiffs did not try to claim damages for its breach.100
The application to all merchant seller transactions is one element of the
warranty of merchantability that should be incorporated into a warranty of
data security. For this purpose, a merchant can be defined as anyone who
94. Id.
95. Scott, supra note 82, at 436 (discussing judicial classification of software).
96. U.C.C. § 2-314.
97. Id. § 2-104(1).
98. WHITE & SUMMERS, supra note 82, § 10-11, at 482 (tracing the logic behind the warranty
of merchantability to the pre-Code warranty implied in transactions with manufacturers).
99. Id.
100. According to the two leading commentators on the UCC, a key reason that a transferee
might seek to classify its transaction as a purchase of goods is to receive the benefit of Article 2’s
warranty of merchantability. See WHITE & SUMMERS, supra note 82, § 10-2, at 449.
accepts a payment card for goods or services.101 Merchant sellers choose the
persons responsible for handling the data that they collect,102 so imposing a
warranty on these sellers would force them to choose their payment
processors carefully and to negotiate indemnification clauses with those
processors.
To satisfy the implied warranty of merchantability, the seller must
provide goods that “are fit for the ordinary purposes for which [they] are
used”103 and that “pass without objection in the trade under the contract
description.”104 A merchant who provides customers with the convenience
of using a card payment system should be deemed to represent that its
payment system is fit for the ordinary purpose for which a payment system
is used—the safe and secure processing of a purchaser’s payment data. One
of the reasons the plaintiffs’ warranty argument failed in the Hannaford
case was that the plaintiffs had chosen to argue for a warranty of fitness for
a particular purpose despite the fact that the payment system was actually
being used for its ordinary purpose.105 An argument that the payment
system in the transaction was not fit for its ordinary purposes might have
fared better.
There are two major intertwined problems with arguing that an
individual victim of a data breach can recover from the provider of payment
software under the implied warranty of merchantability. First, the implied
warranty of merchantability can be disclaimed in the contract between the
buyer and seller.106 Sellers of goods tend not to disclaim this warranty
altogether, choosing instead to limit the damages recoverable because
concerns for future business force attention to quality.107
One reason that suing the payment system software vendors is
undesirable is that the problem of warranty disclaimers is magnified when
the product transferred is software. The tumultuous drafting history of
Article 2B of the UCC (which became the Uniform Computer Information
101. Individuals making isolated sales could be exempted from this definition. U.C.C. § 2-314
cmt. 3 (2002) (exempting a person making an isolated sale from the Article 2 implied warranty of
merchantability). These individuals do not participate in the payment system by choosing from a
variety of payment processors; if they do accept payment cards, they do so through person-to-person payment systems such as PayPal. See PAYPAL, https://www.paypal.com (select “personal”
tab; then select “get paid” from top bar; then select “accept credit cards” from drop-down list)
(last visited Oct. 9, 2010) (explaining how individuals can accept payment cards through PayPal
from persons who do not have PayPal accounts).
102. Businesses can choose among many payment processing service companies. See, e.g.,
ACH PAYMENTS, http://www.ach-payments.com (last visited Dec. 18, 2010); ELIOT
MANAGEMENT GROUP, http://www.e-mg.com (last visited Dec. 18, 2010); HEARTLAND
PAYMENT SYSTEMS, http://www.heartlandpaymentsystems.com (last visited Dec. 18, 2010).
103. U.C.C. § 2-314(2)(c).
104. Id. § 2-314(2)(a).
105. See In re Hannaford Bros. Co. Customer Data Sec. Breach Litig., 613 F. Supp. 2d 108, 120
(D. Me. 2009).
106. See U.C.C. § 2-316(2) (2002).
107. DANIEL KEATING, SALES: A SYSTEMS APPROACH 151 (4th ed. 2009).
2010]
Warranting Data Security
75
Transactions Act after the American Law Institute withdrew from the
project) shows how averse software vendors are to Article 2 warranty
liability.108 Software vendors almost universally disclaim the warranty of
merchantability because vendors contend that “[c]omputer software has
peculiar qualities” that render a comparison among software programs
senseless.109 Such a comparison is necessary in order to determine that
software would “pass without objection in the trade under the contract
description,” for the purpose of the warranty of merchantability.110
Second, even in the unlikely absence of a disclaimer, the aggrieved
individuals would have difficulty recovering for a breach of warranty
because they never buy or take a transfer of the payment processing
software.111 Because warranty liability is based on contract law, the general
rule is that a warrantor is directly liable only to the person with whom it has
a contract.112 The harsh effects of this general rule have been ameliorated in
the sale of goods area, and today, most manufacturer warranties run to the
ultimate buyer for two reasons. First, most states have eliminated the
vertical privity requirement by common law when a consumer is personally
injured by a manufacturer’s product.113 Second, most manufacturers, for
reasons of reputation, treat their warranties as though they run to the
ultimate purchaser.114
This erosion of the privity barrier would not assist a consumer harmed
by a data breach, however. Although Article 2 of the UCC allows non-buyers affected by a product to sue for breach of warranty, most states, in
their versions of Article 2, deny a cause of action to a third party non-buyer
in the absence of personal injury.115 A person whose payment card data has
been stolen has not suffered any personal injury. In states that have adopted
the third alternative to § 2-318, a third party has a cause of action against
108. See generally Peter A. Alces, W(h)ither Warranty: The B(l)oom of Products Liability
Theory in Cases of Deficient Software Design, 87 CALIF. L. REV. 269 (1999) (discussing the
Article 2B drafting process).
109. Robert Gomulkiewicz, The Implied Warranty of Merchantability in Software Contracts: A
Warranty No One Dares to Give and How to Change That, 16 J. MARSHALL J. COMPUTER &
INFO. L. 393, 398–99 (1997); Jane K. Winn, Are “Better” Security Breach Notification Laws
Possible?, 24 BERKELEY TECH. L.J. 1133, 1150 (2009) (quoting Scott, supra note 82, at 426)
(explaining that “software vendors have traditionally . . . used various risk allocation provisions of
[the U.C.C.] to shift the risk of insecure software to the licensee”).
110. See U.C.C. § 2-314(2) (2002); Gomulkiewicz, supra note 109 (explaining that, as
essentially diverse collections of ideas that cannot reasonably be compared to one another,
attempts to identify minimum quality standards for software products would be difficult and
unfair).
111. See In re Hannaford Bros. Co. Customer Data Sec. Breach Litig., 613 F. Supp. 2d 108, 121
(D. Me. 2009); see also Cheney, supra note 20, at 1–2 (describing a credit card transaction).
112. See U.C.C. §§ 2-313–315 (2000); see also Metro. Coal Co. v. Howard, 155 F.2d 780, 784
(2d Cir. 1946) (“A warranty is an assurance by one party to a contract of the existence of a fact
upon which the other party may rely.”).
113. KEATING, supra note 107, at 178–79.
114. Id. at 178.
115. See WHITE & SUMMERS, supra note 82, § 12-3, at 546.
the seller if it is “injured” by the breach of warranty.116 This alternative
would seem to allow someone harmed by payment processing software to
recover. In these states, however, a seller can disclaim the warranty as to
third parties who did not suffer personal injury as a result of the breach of
warranty.117
The foregoing discussion illustrates the hurdles that a consumer would
face in attempting to recover damages from a payment software vendor for
breach of the Article 2 implied warranty of merchantability. Although
imposition of the Article 2 implied warranty of merchantability to payment
transactions is not feasible, the policies underlying the warranty are
particularly salient to today’s electronic payment transactions. Before the
mass production of goods, buyers were bound by caveat emptor and no
warranties were implied.118 The old law was based on a system in which
traders were neighbors.119 Caveat emptor was considered just in face-to-face transactions in which the seller and buyer had roughly equal
commercial experience and the buyer had ample opportunity to inspect the
goods he was buying.120 Over the course of the last century, courts and
legislatures have chipped away at the doctrine, recognizing the inequality of
knowledge and bargaining power between buyers and sellers.121 As mass
production of goods proliferated, warranties were imposed on professional
sellers.122 The move away from caveat emptor was slower in real estate law,
as mass production of housing did not emerge until after World War II.123
Caveat emptor has no place in card payment transactions. Payment
processing transactions are completely invisible to consumers. The clerk at
my local grocery store will ask me whether I want to use my Visa debit card
(which is not a credit card) as a “debit or credit” card, having no idea that
she is asking me which payment network (the Visa network or the PIN-based debit card network) I want to use.124
B. UCC TRANSACTION WARRANTIES
The discussion above analogizes a warranty of data security to a
warranty of product quality. The UCC imposes transaction warranties as
well,125 and a data security warranty might be better analogized to such a
116. U.C.C. § 2-318 (2003).
117. Id. § 2-318 cmt. 2.
118. See Timothy J. Sullivan, Innovation in the Law of Warranty: The Burden of Reform, 32
HASTINGS L.J. 341, 356 (1980).
119. See Allison Dunham, Vendor’s Obligation as to Fitness of Land for a Particular Purpose,
37 MINN. L. REV. 108, 110 (1952).
120. See Sullivan, supra note 118, at 356.
121. Id.
122. See id. at 356–57.
123. See Dunham, supra note 119, at 111.
124. I would not know that either had I not taught Payment Systems for a number of years.
125. See, e.g., U.C.C. § 2-312 (2002).
warranty. These transaction warranties also contain elements that a court
could incorporate in an implied warranty of data security. Unlike the
warranty of merchantability, the implied warranty of title helps to ensure
the quality of the transaction in which the goods are transferred.126
Therefore, a seller giving a warranty of title promises that the transaction is
reliable.127 Under Article 2, all sellers give a warranty that title to the goods
“shall be good and its transfer rightful.”128 This warranty has nothing to do
with the quality of the product, rather it relates to the transactions in which
the goods reach the seller. If there is a thief in the chain of title, the seller
breaches the warranty.129 The UCC permits a seller to disclaim this
warranty, but any disclaimer must clearly indicate that the seller claims no
title in the goods sold.130
The purpose behind this warranty is to ensure that the buyer will not be
exposed to litigation in order to protect its title to the goods because of
defects in purchase transactions in his chain of title.131 Although the implied
warranty of title looks backwards, holding the seller liable for the
wrongdoing of persons in the past, its basic purpose, to protect the buyer
from transaction defects, could be used as a basis for an implied warranty of
data security. A data security warranty would necessarily be forward-looking, but it would also serve to guarantee the quality of a chain of
transactions, rather than a product. A warranty of data security can ensure
that someone who uses a payment card will not be forced to incur costs to
protect her personal information from misuse in the chain of transfers
comprising a payment transaction.
The warranty of title imposes strict liability on the seller.132 Under UCC
§ 2-312, a seller is not protected from liability on the warranty of title by his
lack of knowledge that the title conveyed is not good.133 A thief of goods
breaks the chain of title, so the warranty of title functions to pass the risk
that the transaction is not good to the person who dealt most closely with
the thief.134 The result is to place the loss on the person best situated to
avoid it. Using the same logic, a seller who takes a payment card is best
situated to guard against unsafe payment transactions, and if it enters into
an unsafe payment transaction with a consumer, it should bear the loss
regardless of its knowledge that the transaction may be unsafe.
In the payment system, as in the sales system, warranties play an
important loss allocation function. Payment warranties pass the risk of fraud
126. Id.
127. Id. § 2-312(1)(a).
128. Id. § 2-312.
129. See West v. Roberts, 143 P.3d 1037, 1045 (Colo. 2006).
130. U.C.C. § 2-312(3).
131. Id. § 2-312(1) cmt. 1.
132. Id. § 2-312.
133. KEATING, supra note 107, at 279.
134. See id. at 279–80.
to the person closest to the fraud. When a bank pays the wrong person by
honoring a check bearing a forged endorsement, it must re-credit its
customer’s account.135 The warranties under Article 4 of the UCC then
allow the bank to seek compensation from persons up the collection
stream.136 However, unlike most warrantors in the sales system, those
giving payment warranties vouch for both the transaction and the product.
The warrantor of a negotiable instrument vouches for the product (the
negotiable instrument) in that it warrants that “the instrument has not been
altered” and that “all signatures . . . are authentic and authorized,” but it also
vouches for the transaction in that it warrants that it is “entitled to enforce
the instrument” and that “the instrument is not subject to a defense or claim
in recoupment by any party.”137
In order to effectively protect personal financial information, the
implied warranty of data security should be non-waivable. There is
precedent in the UCC for a non-waivable warranty. The warranties in
Articles 3 and 4 of the UCC cannot be disclaimed with respect to checks.138
This prohibition of disclaimers protects the checking system; checks are
collected and paid by automated means, so banks rely on the warranties for
their protection.139
Warranty is a good theory on which to give a remedy to injured
consumers. Privity remains an issue in imposing a warranty of data security
on data controllers. Privity is not a problem when the merchant itself is
responsible for the breach, because that merchant will always have a
contract with the aggrieved purchaser. Lack of privity, however, should not
bar recovery from the payment processors. All consumers entering the
payment system through a merchant have a contract with that
merchant.140 Therefore, imposing a warranty on that merchant makes sense;
that merchant must then either make sure that it protects the data, or
negotiate an agreement with its processor that the processor will protect the
data and indemnify the merchant from any losses as a result of a data
breach. The retailer is in the best position to know whether its processor
135. See WHITE & SUMMERS, supra note 82, § 16-3, at 754.
136. See id.
137. U.C.C. § 3-416 (2002) (setting forth transfer warranties); id. § 3-417 (setting forth
presentment warranties, which do not include a warranty that there are no defenses or claims in
recoupment to the instrument); id. § 4-207 (setting forth transfer warranties in the check collection
system); id. § 4-208 (setting forth presentment warranties in the check collection system, which
also do not include the warranty that there are no defenses or claims in recoupment).
138. See id. §§ 3-416(c), 3-417(e), 4-207(d), 4-208(e).
139. See id. § 3-417 cmt. 7.
140. Consumers use the payment system for several reasons: to purchase goods, services, and
information, and to make loan payments. In all of these transactions, there is some contract
between the consumer and the merchant. See, e.g., In re Hannaford Bros. Co. Customer Data Sec.
Breach Litig., 613 F. Supp. 2d 108, 118 (D. Me. 2009) (“Both sides agree that at the point of
sale—the cash register—there is a contract for the sale of groceries.”).
handles data safely, and can choose to use a more secure system if the
processor will not cover losses from data breaches.
Contract law, unlike tort law, allows recovery for purely economic loss.
A buyer aggrieved by a breach of the warranty of merchantability can
recover the difference in value between the goods accepted and the goods as
warranted.141 This difference can be measured by the cost of repair.142 The
damages claimed by consumer plaintiffs in data breach cases are in essence
claims for the cost of repair to their credit profile, because a consumer who
must pay for card replacement or credit monitoring is trying to restore the
data to the condition it was in before the breach. Recognizing this type of
remedy would eliminate one of the major hurdles to protecting data security
through tort law—the limitations on economic loss damages.
Some have suggested treating privacy concerns in a manner analogous
to product safety.143 Although both tort law and contract law have a role in
ensuring product safety, those who urge a product safety approach to
privacy have focused primarily on tort law.144 Some have proposed a tort
action based on strict products liability for data breaches;145 products
liability law, however, does not often grant recovery for economic loss.146
While some have argued that new technology begs a redefinition of
injury,147 a warranty approach would not force courts to strain existing tort
doctrine in that way. Every transaction in which payment data is passed is a
contract transaction, either for goods, information, or services. Therefore, a
contract will always exist into which a warranty of data security could be
implied. The tendency of courts to rule that one party to a contract cannot
sue the other party for negligence might make such an implied warranty
preferable to a tort action.148
There is no doubt that consumers are harmed by unauthorized uses of
their personal financial data even in the absence of liability for the
141. U.C.C. § 2-714(2) (2002). A buyer can also recover incidental and consequential damages.
Id. § 2-714(3).
142. See WHITE & SUMMERS, supra note 82, § 11-2, at 518.
143. See generally Grimmelmann, supra note 19.
144. See id. at 814–17 (discussing several scholars’ approaches to protecting personal
information using a product safety analogy).
145. See, e.g., Danielle Keats Citron, Reservoirs of Danger: The Evolution of Public and
Private Law at the Dawn of the Information Age, 80 S. CAL. L. REV. 241, 296 (2007); Scott, supra
note 82, at 470 (identifying the economic loss rule as “[t]he most significant impediment to the
use of strict product liability law to recover damages caused by insecure software”).
146. See James J. White, Reverberations from the Collision of Tort and Warranty, 53 S.C. L.
REV. 1067, 1068 (2002) (“loss that is solely ‘economic’ may be recovered in warranty but not in
tort”) (citing Rich Prods. Corp. v. Kemutec Inc., 241 F.3d 915, 918 (7th Cir. 2001); Calloway v.
City of Reno, 993 P.2d 1259, 1264 (Nev. 2000); Steiner v. Ford Motor Co., 606 N.W.2d 881, 884
(N.D. 2000)). Courts have rejected this cause of action in data breach cases. See, e.g., Amerifirst
Bank v. TJX Co., Inc., 564 F.3d 489, 498 (1st Cir. 2009).
147. See, e.g., Citron, supra note 145, at 295–96.
148. See Scott, supra note 82, at 456 (discussing tendency of courts to deny plaintiffs’
negligence claims when those plaintiffs are parties to contracts with their defendants).
fraudulent charges made to their accounts. Although a warranty of data
security is desirable, data security does not fit neatly into the existing UCC
warranties for several reasons. First, the articles in the UCC are organized
by type of transaction. Even if a warranty regarding goods could be
stretched to include the payment system used to purchase the goods, many
payment transactions do not involve goods. The payment system contains
numerous warranties, but these warranties—designed to place the risk of
fraud in checking and other negotiable instrument transactions on the
person closest to the fraud—do nothing to compensate an individual who is
harmed by identity theft. Revising the UCC to include data security within
the Article 2 warranties is probably politically unfeasible149 and in addition,
an Article 2 warranty would not give any recovery to those whose data was
taken in a sale of services transaction.
IV. THE IMPLIED WARRANTY OF HABITABILITY: A GOOD ANALOGY?
To adequately protect consumers, any warranty of data security should
be implied in all payment card transactions between an individual and a
merchant and should be non-waivable. The use of payment cards to pay for
almost everything has allowed sellers and payment processors to collect
tremendous amounts of personal financial information. Havoc ensues when
this information falls into the wrong hands. The changes in the conduct of
business wrought by the electronic processing of payments beg a judicially-created remedy tailored to the emerging and serious problem of data theft.
One can find precedent for such a remedy in landlord-tenant law. In this
section, I will apply lessons from landlord-tenant law to the protection of
payment card data.
Real property law provides some precedent for judge-made, non-waivable warranties to protect consumers. One that exists today—either by
statute or case law in nearly every state and the District of Columbia—is the
warranty of habitability implied in leases for residential real property.150
This warranty that a dwelling be safe, clean, and fit for human habitation
cannot be waived in a lease.151
149. The goal of the UCC’s sponsoring bodies, the American Law Institute and the National
Conference of Commissioners on Uniform State Laws, is to draft a uniform law that can be
enacted in all U.S. jurisdictions. See Edward J. Janger, Predicting When the Uniform Law Process
Will Fail: Article 9, Capture, and the Race to the Bottom, 83 IOWA L. REV. 569, 571 n.8 (1998).
For an excellent discussion of political pressures in the uniform law drafting process, see id. at
582–93.
150. See Michael Madison, The Real Properties of Contract Law, 82 B.U. L. REV. 405, 417
(2002).
151. Hilder v. St. Peter, 478 A.2d 202, 208 (Vt. 1984). Another implied real estate warranty is
the warranty of workmanlike quality that is given from the builder to the buyer of a newly-constructed home; this is also a consumer-protective warranty. Lempke v. Dagenais, 547 A.2d
290, 294 (N.H. 1988). The warranty of workmanlike quality is given only by builders of new
homes and not by lay sellers of existing homes, recognizing that a vendor-builder has control over
the habitability of premises. Stevens v. Bouchard, 532 A.2d 1028, 1030 (Me. 1987).
The initial judicial imposition of this warranty recognized the
modernization of the landlord-tenant relationship. When the common law
landlord-tenant rules first developed, the typical lessee was more interested
in the land than the dwelling and was expected to make repairs to the
dwelling himself.152 The modern urban tenant is interested solely in a
habitable dwelling, and has neither the ability nor economic incentive to
make repairs to the dwelling because his lease is often for a fairly short
term.153 Courts relied on consumer protection concepts to imply a warranty
of habitability in all residential leases because tenants, particularly poor
urban tenants, had little leverage to demand better quality housing.154
In imposing implied warranties in residential leases and in contracts for
the sale of new homes, courts recognized that the caveat emptor doctrine
did nothing to protect tenants and home buyers.155 The justification for
caveat emptor was that a tenant or buyer could “discover and protect
himself against defects in [real] property.”156 In addition, traditional
landlord-tenant law was developed for an agrarian society in which the land
was much more valuable to the tenant than the dwelling.157 Modern tenants
have far less bargaining power than their agrarian predecessors, and unlike
those predecessors, the modern tenant does not have the skill to discover
defects in a building’s complex systems.158
Courts avoid rewriting contracts, and the courts that first read an
implied warranty of habitability into residential leases recognized this
limitation on their power.159 They justified the warranty by assuming that
reasonable people would agree that housing must be “habitable and fit for
living” and that therefore, if a landlord and tenant were to negotiate a lease,
such a warranty would be included.160
As society placed increasing value on safe, affordable rental housing,
legislatures and administrative bodies began to enact statutes and
regulations aimed at ensuring the availability of such housing.161 These
codes and rules represented “a policy judgment—that it [was] socially (and
152. See Javins v. First Nat’l Realty Corp., 428 F.2d 1071, 1077 (D.C. Cir. 1970).
153. Id. at 1078–79.
154. See id.
155. Frona M. Powell & Jane P. Mallor, The Case for an Implied Warranty of Quality in Sales
of Commercial Real Estate, 68 WASH. U. L.Q. 305, 309–12 (1990).
156. Id. at 308.
157. See Katheryn M. Dutenhaver, Non-Waiver of the Implied Warranty of Habitability in
Residential Leases, 10 LOY. U. CHI. L.J. 41, 45 (1978).
158. See Javins, 428 F.2d at 1078; see also Dutenhaver, supra note 157, at 51.
159. See Javins, 428 F.2d at 1077–78; Marini v. Ireland, 265 A.2d 526, 532 (N.J. 1970); Pines
v. Perssion, 111 N.W.2d 409, 412 (Wis. 1961).
160. Marini, 265 A.2d at 533–34.
161. Mary Ann Glendon, The Transformation of American Landlord-Tenant Law, 23 B.C. L.
REV. 503, 503–05 (1982).
politically) desirable to impose [the duty of providing safe housing] on a
property owner” and thus abolish the rule of caveat emptor.162 Describing
the need for safe housing in the 1960s, one court urged that “[t]he need and
social desirability of adequate housing for people in this era of rapid
population increases is too important to be rebuffed by that obnoxious legal
cliché, caveat emptor.”163
The imposition of an implied warranty of habitability was seen as a
move away from classifying a lease as a property conveyance to classifying
a lease as a contract.164 Yet, by making the warranty of habitability non-waivable, the courts veered from a freedom of contract approach. They
recognized also that the validity of the distinctions between contract and
property rules in landlord-tenant law was primarily historical and that
courts have a duty to “reappraise old doctrines in the light of the facts and
values of contemporary life.”165 In data security law, there is no such
history to discard, and the law can be written on a cleaner slate, with
protections pulled from contract, property, and tort law.166 William Prosser
once described the implied warranty as “a freak hybrid born of the illicit
intercourse of tort and contract.”167 This illicit intercourse might provide the
right remedy for the theft of personal information; by importing contract
law concepts, judges can avoid twisting tort law to evade its limitation on
recovery for purely economic loss.168
One challenge that courts will face in implying a warranty of data
security is developing the standards that a payment system must meet in
order to satisfy the warranty. Courts imposing an implied warranty of
habitability were able to rely on housing codes for standards.169 In data
breach cases, the proper source for the elements of a quality payment
system is not as clear. In a case like DSW Shoe Warehouse, the plaintiffs
could use the fact that the FTC had filed a complaint against the retailer,
alleging that it had “fail[ed] to employ reasonable and appropriate security
measures to protect personal information and files.”170 The failure to
162. Pines, 111 N.W.2d at 412–13.
163. Id. at 413 (emphasis in the original).
164. See Glendon, supra note 161, at 503.
165. Javins v. Nat’l Realty Corp., 428 F.2d 1071, 1074 (D.C. Cir. 1970).
166. One could also analogize a data transaction to a bailment. Doing so might strain doctrine
even less than imposing a warranty would. When a bailee misdelivers goods, the bailee is strictly
liable to the bailor for damages. See R.H. Helmholz, Bailment Theories and the Liability of
Bailees: The Elusive Uniform Standard of Reasonable Care, 41 U. KAN. L. REV. 97, 99 (1992).
One can certainly think of a data breach as a misdelivery of personal payment data.
167. William L. Prosser, The Assault Upon the Citadel (Strict Liability to the Consumer), 69
YALE L.J. 1099, 1126 (1960).
168. See supra notes 143–148 and accompanying text.
169. See, e.g., Javins, 428 F.2d at 1081–82; Berzito v. Gambino, 308 A.2d 17, 22 (N.J. 1973)
(listing factors that a court should consider in determining whether a lessor had breached a
covenant of habitability).
170. Hendricks v. DSW Shoe Warehouse, Inc., 444 F. Supp. 2d 775, 777 (W.D. Mich. 2006)
(citations omitted).
comply with PCI DSS would clearly constitute a breach of warranty, but as
noted above, PCI DSS is seen as a minimum standard of data security.171
The judicially-created implied warranty of habitability was a response
to changing social and economic conditions.172 Courts implied the warranty
of habitability at a time when society started to recognize that shelter is a
basic human necessity.173 The federal government recognized this in the
Housing Act of 1949, “which committed [the government] to . . . achieving
. . . the goal of a . . . suitable living environment for every American
family.”174 While data security is not yet ingrained in our culture as a basic
human need, lawmakers today are well aware that Americans may not
“fully understand and appreciate what information is being collected about
them” and may not have the power to stop unsafe practices from taking
place.175 Legislatures that have enacted data breach notification laws
likewise recognize that data theft is a significant problem; in fact California,
the first state to enact such a law, did so after one of the state’s general
purpose data centers suffered a security breach.176 The legislative findings
accompanying that law recognized that identity theft was one of
California’s fastest growing crimes, and that rapid notice of a data breach
might help consumers minimize potential harm to them.177
In imposing an implied warranty of habitability, courts recognized that
when a tenant rents an apartment or a house, that tenant “seek[s] a well
known package of goods and services” that includes working utilities and
proper maintenance.178 Likewise, a consumer giving her payment card in a
transaction expects that her information will be safeguarded in such a way
that she will not be exposed to identity theft. Because she, like the urban
tenant, cannot ensure the safety of her data on her own, courts should
consider imposing a warranty of data security on sellers who accept
payment cards.
CONCLUSION
Like residential tenants and buyers of new homes, the consumer who
uses the payment system on a daily basis has little ability to protect herself
171. Cheney, supra note 20, at 4 (discussing observations of Robert Carr, CEO of Heartland
Payment Systems at the time of the 2009 Heartland data breach).
172. See cases cited supra note 159.
173. See generally Glendon, supra note 161, at 528–45.
174. Id. at 519 (internal quotations omitted).
175. Consumer Online Privacy: Hearing Before the S. Comm. on Commerce, Sci., and Transp.,
111th Cong. (2010) (unpublished statement of John D. Rockefeller IV, Chairman, S. Comm. on
Commerce, Science and Transportation), available at http://commerce.senate.gov/public/index.cf
m?p=Hearings (follow “July 2010” hyperlink; then follow “Chairman John D. (Jay) Rockefeller
IV” hyperlink).
176. Winn, supra note 109, at 1142–43.
177. Id.
178. Javins v. Nat’l Realty Corp., 428 F.2d 1071, 1074 (D.C. Cir. 1970).
from data breaches. Some loss, therefore, should fall on the persons best
able to guard against data theft. The real estate warranties are examples of
judge-made warranties that respond to modern changes that put the
consumer at risk for economic harm. Unsafe electronic payment systems
likewise pose significant risks to consumers, particularly of data theft. One
of the beauties of the common law is that courts can refine it to respond to
modern conditions; indeed, the common law’s “continued vitality . . .
depends upon its ability to reflect contemporary community values and
ethics.”179 Payment cards are a wonderful innovation,180 but the misuse of
the data that is collected from the users of those cards is a significant
problem. Judges should recognize that consumers feel less secure in their
financial lives when their data is compromised and fashion a warranty to
compensate them for their losses.
179. Id. (internal quotations omitted).
180. In late 2009, no less an expert than former Federal Reserve Chairman Paul Volcker
described the ATM as the most important financial innovation of the last 20 years. See Alan
Murray, Paul Volcker: Think More Boldly: The Former Fed Chairman Says the Conference
Proposals Don’t Go Nearly Far Enough to Accomplish What Needs to be Accomplished, WALL
ST. J., Dec. 14, 2009, at R7.
KNOWN AND UNKNOWN, PROPERTY AND
CONTRACT: COMMENTS ON HOOFNAGLE
AND MORINGIELLO
James Grimmelmann
In addition to gerund-noun-noun titles and a concern with the
misaligned incentives of businesses that handle consumers’ financial data,
Chris Hoofnagle’s Internalizing Identity Theft1 and Juliet Moringiello’s
Warranting Data Security2 share something else: hidden themes.
Hoofnagle’s paper is officially about an empirical study of identity theft,
but behind the scenes it’s also an exploration of where we draw the line
between public information shared freely and secret information used to
authenticate individuals. Moringiello’s paper is officially a proposal for a
new warranty of secure handling of payment information, but under the
surface, it invites us to think about the relationship between property and
contract in the payment system. Parts I and II, respectively, of this brief
essay will explore these hidden themes in Hoofnagle’s and Moringiello’s
articles. I hope the exercise will tell us something interesting about these
two papers, and also about the problems of privacy and security in the
payment system. A brief conclusion will add a personal note to the mix.
I. INTERNALIZING IDENTITY THEFT: KNOWN AND
UNKNOWN
Chris Hoofnagle’s Internalizing Identity Theft is built around a clever,
if obscure, provision in the federal Fair and Accurate Credit Transactions
Act of 2003 (FACTA).3 A victim of identity theft is entitled to obtain any
“application and business transaction records” relating to the theft from the
entity that did business with the identity thief.4 This remedy helps victims
recover from identity theft,5 but Hoofnagle realized it could also be used to
study the problem. He convinced identity-theft victims to request their files
and share them with him, allowing him to sketch a portrait of how new-account fraud happens in the real world.6
* Associate Professor of Law, New York Law School. My thanks to the participants in the
Data Security and Data Privacy in the Payment System Symposium, particularly Ted Janger, Chris
Hoofnagle, and Juliet Moringiello. Aislinn Black and Caucus also provided helpful comments.
This essay is available for reuse under the Creative Commons Attribution 3.0 United States
license, http://creativecommons.org/licenses/by/3.0/us/.
1. Chris Jay Hoofnagle, Internalizing Identity Theft, 13 UCLA J.L. & TECH. 1 (2009).
2. Juliet Moringiello, Warranting Data Security, 5 BROOKLYN J. CORP. FIN. & COMM. L. 63
(2010).
3. Fair and Accurate Credit Transactions Act of 2003, Pub. L. No. 108-159, 117 Stat. 1953
(amending the Fair Credit Reporting Act and codified with it at 15 U.S.C. §§ 1681–1681x).
4. 15 U.S.C. § 1681g(e)(1) (2006).
5. Hoofnagle, supra note 1, at 4–7.
6. Id. at 6–8.
Running through Internalizing Identity Theft is a recurring question:
how much information about us should be well-known and public, and how
much should be unknown and private? In the first place, identity theft itself
depends on what is known and unknown about potential victims. Hoofnagle
frames the issue in terms of a debate between Daniel Solove and Lynn
LoPucki.7 To Solove, identity theft is a crime of too much knowledge.8
When an individual’s identifying, personal information flows freely through
computer systems, unscrupulous fraudsters can access that information and
use it to impersonate her.9 In contrast, LoPucki describes identity fraud as a
crime of too little knowledge.10 Identity thieves take advantage of the fact
that all of the millions of differences between themselves and their victims
are unknown to the credit-granting business.11
Despite this apparent tension, both stories are right in important ways.
Identity theft is only possible when the fraudster knows enough about the
victim to plausibly impersonate her and the credit grantor doesn’t know
enough to make the impersonation implausible again. That is, identity theft
is a crime of differential knowledge; it requires the perpetrator to know at
least as much about the victim as the credit grantor does. It’s a kind of
Turing Test: if the would-be thief can answer every question about the
victim that the credit grantor knows how to ask, there is no way for the
grantor to tell the two of them apart.12 It follows that identity theft is not a
monotonic function of the quantity of publicly available information about
the victim. Putting more information in circulation helps thieves fool
businesses and helps businesses catch thieves; which effect will dominate
isn’t something we can easily determine without getting our hands dirty.
Hence the importance of studies like Hoofnagle’s. The remarkably
consistent pattern in his results is that credit grantors aren’t making
effective use of the information they already have access to. Every single
fraudulent application in the study got basic, easily checked information
wrong: the wrong address, the wrong date of birth, even the wrong spelling
7. Id. at 1–3.
8. Daniel J. Solove, Identity Theft, Privacy, and the Architecture of Vulnerability, 54
HASTINGS L.J. 1227 (2003).
9. Id. at 1229–39.
10. See Lynn M. LoPucki, Did Privacy Cause Identity Theft?, 54 HASTINGS L.J. 1277 (2003)
[hereinafter LoPucki, Privacy]; see also Lynn M. LoPucki, Human Identification Theory and the
Identity Theft Problem, 80 TEX. L. REV. 89 (2001) [hereinafter LoPucki, Human Identification
Theory].
11. Hoofnagle, supra note 1, at 2.
12. See Alan M. Turing, Computing Machinery and Intelligence, 59 MIND 433 (1950),
reprinted in THE TURING TEST: VERBAL BEHAVIOR AS THE HALLMARK OF INTELLIGENCE 67
(Stuart Shieber ed., 2004) (arguing that claims of artificial intelligence might be evaluated using
an “imitation game” in which a person and a computer both attempt to convince a questioner, who
can communicate with them only via typewritten messages, that they are the person).
of the victim’s name.13 Identity thieves are dumb, and the companies who
offer them credit are even dumber.
While this may be a depressing comment on the sloppiness of
American business practices, it’s actually an encouraging finding from a
policy perspective. We’re not caught between Solove’s rock and LoPucki’s
hard place; there’s information readily available to businesses that
fraudsters don’t have.14 This means there may well be money lying on the
table; if businesses had cleaner credit-granting procedures, they’d get more
cases right.15 Hoofnagle suggests that credit grantors be subject to strict
liability for the harms they cause when they grant credit to the wrong
person.16 He’s not asking them to do the impossible.
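The finding above invites a concrete version of the check the grantors skipped. What follows is an added example, not code from Hoofnagle’s study, from this essay, or from any credit grantor: it compares the facts on an application with the record the grantor already holds, tolerates a single typo in a name, notices when the surname has landed in the first-name box, and refuses to approve when the date of birth or address disagrees. The people, dates and addresses are constructed for the illustration, and the verdict thresholds (one permitted edit in a name; date of birth and ZIP treated as hard mismatches) are assumptions, not anything the study reports.

```python
"""Cross-check a credit application against the record the grantor already holds.
Added example, not code from Hoofnagle's study or any credit grantor. All
names, dates and addresses are constructed; the thresholds are assumptions."""
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Identity:
    first: str
    last: str
    dob: str        # ISO date, YYYY-MM-DD
    street: str
    zip_code: str


# Common street-suffix abbreviations, so "Street" and "St." compare equal.
_ABBREV = {"street": "st", "avenue": "ave", "road": "rd", "boulevard": "blvd",
           "apartment": "apt", "suite": "ste"}


def norm_name(s: str) -> str:
    """Lower-case and keep letters only, so "O'Brien" and "OBrien" agree."""
    return re.sub(r"[^a-z]", "", s.lower())


def norm_street(s: str) -> str:
    """Lower-case, strip punctuation, unify suffixes, collapse whitespace."""
    words = re.sub(r"[^a-z0-9 ]", " ", s.lower()).split()
    return " ".join(_ABBREV.get(w, w) for w in words)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: one keyboard slip is 1, a different name is many."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def screen(app: Identity, on_file: Identity, max_typos: int = 1) -> Tuple[str, List[str]]:
    """Return (verdict, findings). A wrong date of birth or ZIP declines; a blank
    field, a swapped or badly misspelled name, or a different street goes to
    manual review; only an application consistent with the file is approved."""
    findings: List[str] = []
    hard = False

    # 1. Are the required fields filled in at all?
    for label, value in (("first name", app.first), ("last name", app.last),
                         ("date of birth", app.dob), ("street", app.street),
                         ("ZIP", app.zip_code)):
        if not value.strip():
            findings.append(f"{label} missing from application")

    # 2. Fields where a "typo" is not a plausible excuse.
    if app.dob != on_file.dob:
        findings.append(f"date of birth {app.dob!r} differs from record {on_file.dob!r}")
        hard = True
    if app.zip_code != on_file.zip_code:
        findings.append(f"ZIP {app.zip_code!r} differs from record {on_file.zip_code!r}")
        hard = True

    # 3. Names: tolerate max_typos edits, but notice a surname sitting in the
    #    first-name box (the names match better swapped than as written).
    af, al = norm_name(app.first), norm_name(app.last)
    ff, fl = norm_name(on_file.first), norm_name(on_file.last)
    direct = edit_distance(af, ff) + edit_distance(al, fl)
    swapped = edit_distance(af, fl) + edit_distance(al, ff)
    if swapped < direct and swapped <= max_typos:
        findings.append("first and last name appear swapped on the application")
    elif direct > max_typos:
        findings.append(f"name differs from record by {direct} edits")

    # 4. Address, compared after normalisation so formatting alone never fails it.
    if norm_street(app.street) != norm_street(on_file.street):
        findings.append(f"street {app.street!r} does not match record {on_file.street!r}")

    verdict = "decline" if hard else ("review" if findings else "approve")
    return verdict, findings


# Constructed records (not real people).
ON_FILE = Identity("Alice", "Okonkwo", "1985-04-12", "12 Maple Street, Apt 4", "06611")
# Genuine applicant: one keyboard slip in the surname, address formatted differently.
GENUINE_APP = Identity("Alice", "Okonkwa", "1985-04-12", "12 Maple St. Apt 4", "06611")
# Application with the study's typical errors: misspelled surname in the
# first-name box, wrong date of birth, wrong address.
FRAUD_APP = Identity("Okonkwu", "Alice", "1985-04-21", "9 Elm Road", "06611")

if __name__ == "__main__":
    for label, app in (("genuine", GENUINE_APP), ("fraudulent", FRAUD_APP)):
        verdict, findings = screen(app, ON_FILE)
        print(f"{label}: {verdict}")
        for finding in findings:
            print("  -", finding)
```

Run stand-alone, the script approves the genuine application and declines the constructed fraudulent one, listing the mismatched date of birth, the swapped name and the wrong street. The `review` verdict is the point of the design: it turns a silent approval into a human look at the file, which is all the essay suggests the study’s fraudulent applications would have needed.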
The tension between known and unknown also crops up in the FACTA
file-access process Hoofnagle’s study relies on. There’s an obvious security
benefit from procedures like it, which give consumers the right to find out
the details when someone applies for credit in their names. Not only does it
help them fix mistakes after the fact; it helps them detect and prevent
impersonation attempts in the first place.17
But there’s a catch. There’s always a catch. A credit grantor who
receives a FACTA request cannot simply assume that the requester really is
the person whose name appears in the file. Structurally, this is a hard
problem for exactly the same reasons that identification during the credit-granting process is hard. The credit grantor has no personal history with the
requester, is dealing with him or her at arm’s (or more likely, wire’s)
length, has few outside sources of identifying information it can consult,
and may even have incorrect data in its own files.18
FACTA takes a cut at this dilemma by requiring identity verification
before the business releases its records to the requester.19 Indeed, the
business may decline to release the records if it “does not have a high
degree of confidence in knowing the true identity of the individual
requesting the information.”20 There are similar processes in the Fair Credit
Reporting Act,21 the Health Insurance Portability and Accountability Act,22
13. Hoofnagle, supra note 1, at 8–13.
14. Id. at 13.
15. Id. at 15–17.
16. Id. at 29–34.
17. See Solove, supra note 8, at 1264–66; see also LoPucki, Human Identification Theory,
supra note 10, at 119.
18. LoPucki, Privacy, supra note 10, at 1284.
19. 15 U.S.C. § 1681g(e)(2)(A) (2006). The business may also require proof of identity theft in
the form of a police report, a threshold that can act as a deterrent to would-be impostors. Id. §
1681g(e)(2)(B)(i).
20. Id. § 1681g(e)(5)(B).
21. See id. § 1681g(a) (giving consumers a right of access to files on them held by consumer
(credit) reporting agencies); id. § 1681h(a)(1) (requiring “proper identification” as a condition of
access).
and the Privacy Act,23 among other places. Any measure designed to give
individuals control over the distribution of their personal information—that
is, to limit knowledge about them—requires, as a practical matter, some
kind of identity-verification system.
Any such system, in essence, allows someone who presents the right
kind of credentials to see certain information. As the very existence of the
FACTA file-access remedy itself demonstrates, however, not everyone
presenting credentials is who they claim to be. Sarah Palin’s Yahoo! email
account was hacked, in “an attack that any 17-year-old in America could
have mounted,” by an intruder who spent 45 minutes of Internet research
looking up Wasilla, Alaska’s two zip codes and confirming that Palin and
her husband had met in high school.24 Moreover, rules designed to filter out
fraudsters almost certainly also filter out some legitimate requests from
victims of identity theft. These victims thus find themselves trapped in the
Kafkaesque position of being unable to prove that they really are
themselves, to the satisfaction of a business that has already shown itself
incapable of correctly telling who they are.
Worse, identification measures designed to limit information flows also
necessarily create them. Information used to authenticate in one context can
be used to defraud in another. When multiple web sites use the same
security questions—What is the name of your pet? What is your mother’s
maiden name?—they become security risks for each other. Even systems
that use sophisticated, interactive, multi-step authentication technologies are
vulnerable to being snookered by phishers who first impersonate a business
to its customer, and then, having talked the customer out of the critical
identifying information, impersonate the customer to the business.25 The
continual slow leakage of “private” information used to authenticate
individuals has a hydraulic effect; as this information becomes increasingly
public, the threshold of information required for reliable authentication
rises.
22. See 45 C.F.R. § 164.524(a)(1) (2009) (giving individuals a right of access to “protected
health information about the individual”); id. § 164.524(b)(1) (allowing entities to require that
such requests be “in writing”).
23. See 5 U.S.C. § 552a(d) (2006) (giving individuals a right of access to records pertaining to
them held by federal agencies); id. § 552a(f)(2) (allowing agencies to establish “reasonable . . .
requirements for identifying an individual who requests his record”).
24. Kate Pickert, Those Crazy Internet Security Questions, TIME, Sept. 24, 2008,
http://www.time.com/time/business/article/0,8599,1843984,00.html.
25. See Stuart E. Schechter et al., The Emperor’s New Security Indicators: An Evaluation of
Website Authentication and the Effect of Role Playing on Usability Studies (2007 IEEE
Symposium on Security and Privacy, Working Draft, 2007), available at
http://usablesecurity.org/emperor/emperor.pdf; Christopher Soghoian & Markus Jakobsson, A
Deceit-Augmented Man In The Middle Attack Against Bank of America’s SiteKey ® Service,
SLIGHT PARANOIA BLOG (Apr. 10, 2007, 3:46 PM), http://paranoia.dubfire.net/2007/04/deceit-augmented-man-in-middle-attack.html.
In a final twist, the problem of the known and the unknown also
appears in the difficulty Hoofnagle had finding subjects to participate in the
FACTA study, even after posting ads on the heavily-read Craigslist site.26
For understandable reasons, victims of identity theft often prefer not to talk
publicly about the experience.27 But this means there is no simple way to
find a list of identity theft victims and call them up. Ultimately, only six
subjects completed the study, and five of them were recruited through ID
Watchdog, a company that helps victims of identity theft.28 They, in other
words, had already stepped forward to identify themselves. This is how you
end up with an N=6 study.
For similar reasons, Hoofnagle’s study identifies the subjects only as
X1 through X6. It’s a common social-science precaution to protect study
participants, and one obviously of particular concern to identity-theft
victims. Even with confidentiality, two participants found the subject too
“upsetting” and dropped out of the study after learning what it would
entail.29 For a study about the problem of identification, the results are a bit
incongruous. At one point, Hoofnagle writes, “It is difficult to visualize this
case without illustration, but such a description would breach
confidentiality.”30 One shudders to think what the process of obtaining IRB
approval must have been like.31
Amusingly, Hoofnagle also had to deal with would-be fraudsters
himself. The study provided gift cards to participants to compensate them
for their time and effort.32 Multiple people called in response to the initial
Craigslist ads, “with dubious tales of fraud, in transparent attempts to get a
gift card.”33 They were, in other words, fraudsters pretending to be people
whom fraudsters had pretended to be—taking advantage of the fact that
there is no public listing of actual victims. This secondary deception
illustrates, yet again, the obscurity that suffuses the subject of identity theft;
Internalizing Identity Theft sheds some rare, but valuable light on it.
II. WARRANTING DATA SECURITY: PROPERTY AND
CONTRACT
Juliet Moringiello’s Warranting Data Security investigates the rights of
consumers whose payment information—such as credit card numbers—is
26. Hoofnagle, supra note 1, at 7.
27. Id.
28. Id. at 6–8.
29. Id. at 5.
30. Id. at 15.
31. See generally ZACHARY M. SCHRAG, ETHICAL IMPERIALISM: INSTITUTIONAL REVIEW
BOARDS AND THE SOCIAL SCIENCES, 1965–2009 (2010) (describing the history of institutional
review boards created to ensure that research does not harm human subjects, and expressing
concern about overreaching by such boards).
32. Hoofnagle, supra note 1, at 5.
33. Id. at 5.
stolen in a data breach.34 Although consumers typically face little if any
liability for unauthorized charges35 (at least the ones that they notice
promptly36), they bear a number of other costs, both monetary and
intangible: credit monitoring, replacement card fees, lost time and effort,
and emotional distress, to name a few.37 Moringiello argues that as between
the consumer and the merchant whose sloppy security led to the data
breach, it would be fairer and more efficient to let these costs fall on the
merchant.38 The heart of her paper is an attempt to map this normative
argument onto the doctrines of payments law; she concludes that an implied
warranty of a secure payment system would be a good fit.39
This time, the recurring motif is the uncertain boundary between
property and contract. Moringiello’s analysis jumps off from a classic
question of contract law: whether the implied warranties in Article 2 of the
Uniform Commercial Code (UCC) provide a basis for consumers to recover
their indirect damages.40 Unfortunately for consumer plaintiffs, contract law
as reflected in the UCC doesn’t offer suitable warranties.41 Neither the
warranty of merchantability nor the warranty of fitness for a particular
purpose is a close fit for payment information security.42 Worse, the UCC
applies only in the sale of goods43 (i.e. the sale of tangible movable
property44), and both warranties can be disclaimed.45
This leads Moringiello to shift from contract law to property law,
specifically to the law of residential leases.46 Led by the Court of Appeals
for the District of Columbia Circuit, American courts in many states read an
implied warranty of habitability into most residential leases over the last
half century.47 A residential tenant is entitled to premises “fit for
34. Moringiello, supra note 2, at 63–72.
35. See, e.g., 15 U.S.C. § 1693g (2006) (limiting the liability of a debit cardholder for
unauthorized charges); 12 C.F.R. § 226.12(b) (2010) (limiting the liability of a credit cardholder
for unauthorized charges).
36. See, e.g., 12 C.F.R. § 205.6(b)(2) (2009) (raising the liability limit when a debit cardholder
“fails to notify the financial institution within two business days after learning of the loss or
theft”).
37. Moringiello, supra note 2, at 64, 68–69.
38. Id. at 65, 72–80.
39. Id. at 80–83.
40. Id. at 72–80 (drawing inspiration from a recent case, In re Hannaford Bros. Co. Customer
Data Sec. Breach Litig., 613 F. Supp. 2d 108 (D. Me. 2009), in which the plaintiffs unsuccessfully
argued that the defendant supermarket chain had implicitly warranted that it would keep their
payment information secure).
41. Id. at 71.
42. See id. at 72–80.
43. U.C.C. § 2-102 (2009).
44. Id. § 2-103(k).
45. See id. § 2-316.
46. Moringiello, supra note 2, at 80–83.
47. See 2 POWELL ON REAL PROPERTY § 16B.04 n.37 (Michael Allan Wolf ed., Matthew
Bender & Company, Inc. 2010) (listing states).
habitation”;48 an unsafe apartment is ipso facto a breach of the lease on the
landlord’s part.49 Moringiello’s proposal for an analogous, unwaivable
implied warranty of payment information security is thus a conscious effort
to make contract law more like property.50
Historically, however, courts and commentators described the implied
warranty of habitability as a movement in the other direction, one in which
property law became more like contract.51 Common-law courts had treated
a lease as a pair of “independent covenants”: the landlord conveyed a
leasehold estate to the tenant, and the tenant covenanted to pay rent.52 Even
if the land was uninhabitable, the tenant’s independent obligation to pay
rent continued.53 As the court in Paradine v. Jane explained, “[T]hough the
land be surrounded, or gained by the sea, or made barren by wildfire, yet
the lessor shall have his whole rent.”54
The courts that created the implied warranty of habitability took
inspiration from contract law, emphasizing instead the real-world purposes
for which the lease was made.55 On a contractual view of the world, an
uninhabitable residence looks a lot like the subject matter of a contract
whose essential purpose has failed, and thus, it becomes plausible to treat
the tenant’s promise to pay rent as dependent on the landlord’s promise to
deliver possession in a form the tenant can actually use.56 Other doctrinal
shifts in the landlord-tenant revolution, such as imposing a duty to mitigate
damages on the landlord whose tenant moves out mid-lease, similarly drew
48. Javins v. First Nat’l Realty Corp., 428 F.2d 1071, 1079 (D.C. Cir. 1970).
49. See RESTATEMENT (SECOND) OF PROPERTY (LANDLORD AND TENANT) § 5.1 (1977)
(“[T]here is a breach of the landlord’s obligations if . . . the leased property . . . is not suitable for
residential use.”); see also id. § 5.4 (same, if condition arises after tenant’s entry and landlord fails
to make repairs within a reasonable period).
50. Moringiello, supra note 2, at 83–84.
51. See, e.g., Javins, 428 F.2d at 1074–75; Hiram H. Lesar, The Landlord-Tenant Relation in
Perspective: From Status to Contract and Back in 900 Years?, 9 U. KAN. L. REV. 369, 372–75
(1961).
52. See, e.g., Wade v. Jobe, 818 P.2d 1006, 1011 (Utah 1991) (“Under traditional property
law, a lessee's covenant to pay rent was viewed as independent of any covenants on the part of the
landlord.”).
53. See, e.g., Lawler v. Capital City Life Ins. Co., 68 F.2d 438, 439 (D.C. Cir. 1933).
[I]t is long established that upon the letting of a house there is no implied warranty by
the landlord that the house is safe; or well built; or reasonably fit for the occupancy
intended. The tenant is a purchaser of an estate in the property he rents, and he takes it
under the gracious protection of caveat emptor.
Id.
54. Paradine v. Jane, (1647) 82 Eng. Rep. 897 (K.B.) 898.
55. Javins, 428 F.2d at 1079.
56. See Edward Chase & E. Hunter Taylor, Jr., Landlord and Tenant: A Study in Property and
Contract, 30 VILL. L. REV. 571, 616–41 (1985) (discussing destruction-of-premises cases as
propertarian or contractual).
on the idea that the lease was primarily a contract and only secondarily a
transfer of a property interest.57
Still, as much as a lease is a contract, it is still also a property
transaction, and as the habitability revolution took hold, it stopped drinking
as deeply from the contractarian well. Concerned about oppressive
landlords and unfortunate tenants, courts allowed tenants alleging a breach
of the warranty to remain in possession while withholding rent, even when
the most natural contractual remedy would have been rescission.58 Even
more dramatically, they made the implied warranty of habitability non-waivable—a logical enough consumer-protection move, but not exactly one
consistent with classical freedom of contract.59 The modern implied
warranty of habitability—a strong set of mandatory minima for residential
houses and apartments—has less to do with the logic of contract, in which
the parties are free to pick whatever rule they wish, and more to do with the
logic of property, in which legal interests come only in a few standardized
packages, and the parties must order one or another from the menu given
them.60
On that note, return to Moringiello’s proposed warranty—to be
provided in any transaction that uses the payments system—that the
retailer’s payment system is secure, regardless of whether the transaction is
for goods, services, intangibles, or what-have-you.61 One way of thinking
about this new warranty is that it would be incident to any transaction
involving a payment (i.e. sales and leases), which would seem to locate it
squarely in the contractual tradition. But perhaps “warranty” isn’t the
closest legal category. Focus on what the retailer actually promises: to
protect the information given to it during the payment.62 This promise
focuses on the payment information, rather than on the nominal subject of
the transaction. On this view, the retailer sounds more like a bailee,
promising to keep consumers’ property (i.e. their payment information)
secure while in its possession. While bailments are technically a species of
property relationship, like leases they sit on the border that property shares
with contract.63
57. See, e.g., Sommer v. Kridel, 378 A.2d 767, 768–69 (N.J. 1977).
58. See, e.g., Pugh v. Holmes, 405 A.2d 897, 907–08 (Pa. 1979). Indeed, from the tenant’s
point of view, the ability to remain in possession was the warranty’s principal advantage over the
common-law doctrine of constructive eviction—an early termination of the lease by a tenant who
claimed the premises had become unusable and proved it by moving out. See, e.g., Boston Hous.
Auth. v. Hemingway, 293 N.E.2d 831, 837–38 (Mass. 1973).
59. See, e.g., Boston Hous. Auth., 293 N.E.2d at 843.
60. See generally Thomas W. Merrill & Henry E. Smith, Optimal Standardization in the Law
of Property: The Numerus Clausus Principle, 110 YALE L.J. 1, 3 (2000) (discussing “limited
number of standard forms” in property law).
61. Moringiello, supra note 2, at 80–83.
62. Id.
63. Thomas W. Merrill & Henry E. Smith, The Property/Contract Interface, 101 COLUM. L.
REV. 773, 811–20 (2001).
Bailments doctrine turns out to be a surprisingly good fit for
Moringiello’s proposed warranty, even though bailments are most
commonly created for tangible items: cars left in parking lots;64 goods
stored in warehouses.65 Bailments can arise by implication, just like the
warranty.66 A bailee is strictly liable for misdelivery, which captures the
core legal promise of the proposed warranty.67 And a bailee’s risk of
liability ends when it returns the goods; presumably, a retailer who deletes
its only remaining copy of a customer’s payment information ought to be
on safe ground from then on.68 Given this close fit, Moringiello’s bailment-like warranty may be a more workable borrowing from property law than
more ambitious (but so far unsuccessful) attempts to create full-fledged
property rights in personal information.69
Moringiello’s proposed warranty points in yet another intriguing
direction that mixes property and contract: the problem of privity. Privity is
already one of the classic issues in payment systems law. A promise to pay
is a contractual obligation; the genius of negotiability doctrines is that they
synthesize freely transferrable in rem property rights from these in
personam contractual obligations.70 Warranties enter the picture to allocate
liability. When something goes wrong due to fraud or carelessness, the
various actors in the payment chain invoke their warranties to push the loss
along the chain until it lands at the “right” place—the one whose mistake
caused the loss.71 Privity is thus both a problem to be overcome and a
device to track legally significant relationships.
The same issues arise in a world with a warranty of safe payment
information handling. If the warranty is a purely contractual affair—a
promise made by a retailer to its customers—then it doesn’t apply when the
breach happens further upstream, say at the retailer’s payment processor.72
To work, the warranty seems to need to be a genuinely propertarian duty,
one that runs with the personal data to which it is attached, no matter whose
64. See, e.g., Allen v. Hyatt Regency-Nashville Hotel, 668 S.W.2d 286, 287 (Tenn. 1984)
(treating a car left in hotel garage as a bailment).
65. See U.C.C. art. 7 (2004) (establishing rights and duties of bailees under warehouse receipts
and bills of lading).
66. See, e.g., Russell v. American Real Estate Corp., 89 S.W.3d 204, 210–11 (Tex. App.
2002).
67. See RESTATEMENT (SECOND) OF TORTS § 234.
68. See id.
69. See, e.g., LAWRENCE LESSIG, CODE: AND OTHER LAWS OF CYBERSPACE 160–61 (1999)
(proposing “a kind of property right in privacy”).
70. See U.C.C. § 3-203(b) (2010) (“Transfer of an instrument . . . vests in the transferee any
right of the transferor to enforce the instrument.”); see also id. §§ 3-202, 3-305, 3-306 (allowing
the “holder in due course” of a negotiable instrument to enforce it free from various personal
defenses that would otherwise apply).
71. See id. §§ 3-416, 3-417 (specifying warranties given by transferors and presenters of
negotiable instruments).
72. Moringiello, supra note 2, at 78–79.
hands that data is in.73 Or, perhaps, the retailer who let the data out of its
control (by entrusting it to the untrustworthy payment processor) should be
held liable for its subsequent misadventures.
Either way, however, the property/contract logic of payments law
shows the way forward. The commercial entities that process payments
information are linked to each other by chains of contracts: merchant to
payment processor to acquiring bank to association to issuing bank. Those
contracts can come with warranties, express or implied or statutory, and
losses can be pushed along the chain until they stop at the “right” place—
usually (but perhaps not always) the entity whose lax security caused the
breach. By framing the issue as a problem of handling information
(property) safely during a transaction (contract), Moringiello’s proposal
enables us to focus on the essential risk-allocation question at the heart of
payment data security.
III. I AM X6
And now for the twist ending: I am X6. One evening in the spring of
2007, someone walked into a Kohl’s in Trumbull, Connecticut and claimed
to be me. (I have an alibi; I was at a conference in Germany on the day I
was allegedly shopping in Connecticut.) The identity thief applied for a
Kohl’s credit card, was approved, and promptly charged a $400 mixer and
$150 cutlery set to the card. Thoughtfully, if somewhat bafflingly, he or she
also signed me up for the Account Ease plan, which would forgive up to
$10,000 of debt were I to die or be seriously hospitalized.
I first heard about it when “my” new credit card showed up in the mail;
I promptly called up Kohl’s to inquire, and the friendly Upper
Midwesterners who answered the phone walked me through the process of
submitting an affidavit that my identity had been stolen. Within two days,
they agreed that I was the victim of identity theft and released me from all
charges. And there the matter sat, or would have, had I not offhandedly
mentioned the incident to Chris Hoofnagle, a year and a half later, and been
recruited into his FACTA study.
What came back in response to my FACTA request of Kohl’s was
unimpressive.74 There was an application, on which my last name was
spelled “Grimmalan” in the space reserved for the first name. The signature
looked nothing like mine—and not very much like the signature on the
charge slip, either. The charge slip did have my social security number
(listed as my “Cust ID”) and my name—this time, misspelled only to the
extent of “Grimmelman.” The clerk who took the application had clearly
73. See generally Molly Schaffer Van Houweling, The New Servitudes, 96 GEO. L.J. 885
(2008) (discussing servitudes in intangible property).
74. See Brad Stone, How Lenders Overlook the Warning Signs of ID Theft, N.Y. TIMES BITS
BLOG (Apr. 7, 2010, 2:21 PM), http://bits.blogs.nytimes.com/2010/04/07/how-lenders-overlook-the-warning-signs-of-id-theft.
been sloppy, too: the store number and date were missing from the form.
There was nothing else in the file. Even though the application specifically
stated, “You MUST have a state issued picture ID and a current charge card
to apply,” Kohl’s apparently hadn’t kept copies of either on file—leading
one to ask whether the fraudster provided them in the first place. Kohl’s did
know my mailing address—that’s how they sent me the credit card and
bill—but it didn’t appear in the application.
All in all, the application was transparently slipshod. Looking over the
file, it was obvious why the nice Upper Midwesterners on the phone at
Kohl’s had been so nice. One even remotely skeptical look at the
application would have been enough to show that it was fraudulent.
No one looked, though, and as a result, Kohl’s lost a mixer and some
kitchenwares. That sort of thing happens all the time; mistaken seller-financed credit is just another source of shrinkage, along with clumsy
stockroom clerks and five-finger discounts. The difference is that with
identity theft there’s another victim, even when the fraud is detected and
admitted by the store. Kohl’s is out a mixer, but I lost time, and could have
lost some of my creditworthiness. I didn’t lose much of either, but other
victims aren’t so lucky.
Most importantly, there was nothing I could have done to prevent the
identity theft. To this day, I still don’t know where the fraudster got the
information about me that he or she gave to Kohl’s. Nor was I present at
Kohl’s when the deal went down; by the time I could wave my arms and
say, “Wait! That’s not me!” the mixer was long gone. That’s why
Hoofnagle and Moringiello appropriately focus on assigning responsibility
within the payment system. Until we fix the systematic flaws that made
stealing my identity feasible and profitable, it could happen to you too.
LOCATING THE REGULATION OF DATA PRIVACY AND DATA SECURITY
Edward J. Janger
In our 2007 Article on notification of security breaches, Paul Schwartz
and I explored the concept of a centralized response agent to help
coordinate private and public efforts to respond to data spills.1 In that
Article, we were agnostic about whether the coordinated response agent
should be public or private, and if public where, institutionally, it should be
situated.2 An important element of that agnosticism was our retrospective
focus. We were concerned with response to breaches that had already
occurred. The question of regulating data security and privacy is, of course,
broader, encompassing the formulation of norms for appropriate data use,
data protection, and breach response.3 In this essay, I will briefly address
my agnosticism, and ask, more broadly, which institutions might best
handle the generation and enforcement of legal entitlements regarding
invasions of privacy and data security breaches.
The occasion for asking this question is the recent enactment of the
Wall Street Reform and Consumer Protection Act, which creates, as a
crucial component of efforts to reregulate the banking industry, a Consumer
Financial Protection Bureau (CFPB or the Bureau).4 The principal goal of
the new Bureau will be to examine consumer credit instruments as products
to ensure that they are “safe” for consumers to “use.”5 The proposal for such
an agency, made initially by Elizabeth Warren and Oren Bar-Gill, was
* David M. Barse Professor, Brooklyn Law School and Anne Urowsky Visiting Professor,
Yale Law School. The author would like to thank Lisa Baldesweiler for able research assistance,
and Joan Wexler and the Dean’s Research Fund for generous support of this project. Mistakes are,
of course, mine alone.
1. Paul M. Schwartz & Edward J. Janger, Notification of Data Security Breaches, 105 MICH.
L. REV. 913 (2007) [hereinafter Schwartz & Janger, Data Security Breaches].
2. See id. at 961.
3. We have addressed these questions as well in earlier work, both together and separately.
See generally Edward J. Janger & Paul M. Schwartz, The Gramm-Leach-Bliley Act, Information
Privacy, and the Limits of Default Rules, 86 MINN. L. REV. 1219 (2002) [hereinafter Janger &
Schwartz, Limits on Default Rules]; Edward J. Janger, Privacy Property, Information Costs and
the Anticommons, 54 HASTINGS L.J. 899 (2003) [hereinafter Janger, Anticommons]; Edward J.
Janger, Muddy Property: Generating and Protecting Information Privacy Norms in Bankruptcy,
44 WM. & MARY L. REV. 1801 (2003) [hereinafter Janger, Muddy Property].
4. At the time of the Symposium, the proposal for the “Bureau” was embodied in the
Consumer Financial Protection Agency Act of 2009, H.R. 3126, 111th Cong. § 111 (2009). In
July, President Obama signed the Dodd-Frank Wall Street Reform and Consumer Protection Act
of 2010, Pub. L. No. 111-203, 124 Stat. 1376 (2010). Title X of that Act was called the Consumer
Financial Protection Act of 2010. Id. Instead of creating a separate agency, that Act created a
Consumer Financial Protection Bureau within the Federal Reserve Bank. Id.
5. Id.
98
BROOK. J. CORP. FIN. & COM. L.
[Vol. 5
based on two linked insights.6 First, that modern consumer credit
instruments—be they mortgages, credit cards, or debit cards—are just as
much products as a toaster.7 And second, that while there is a consumer
products safety commission that is tasked with ensuring the safety of
toasters, there is no similar agency tasked with ensuring that financial
products are safe.8 Warren and Bar-Gill note that there is a congeries of
agencies that have some jurisdiction over consumer financial protection—
the Federal Reserve, the Office of the Comptroller of the Currency (OCC),
the Federal Trade Commission (FTC), the Federal Deposit Insurance
Corporation (FDIC), and so on.9 Most of these agencies have as their focus
the regulation of the banking system, rather than the protection of a bank’s
customers.10 The FTC alone focuses on consumer protection, but its
jurisdiction is spread across the market generally.11
The discussion of the CFPB might not, at first glance, seem relevant to
questions of data privacy in the payment system. Indeed, much of the
discussion of the safety of consumer financial products has focused on the
credit and repayment terms associated with credit cards and mortgages.12
But the use and security of data gathered and transferred in credit and
payment card transactions is every bit as much a danger of these products as
over-indebtedness.13 Identity theft and invasion of privacy are harms
associated with these products. Moreover, the contracting process
associated with such non-price terms is particularly prone to lemons
equilibria, and hence even more problematic than that relating to the price
of credit.14 Therefore, it is fair to ask whether data privacy and data security
ought to be included in the mission of the CFPB.
In this essay, I will explore whether locating regulation of data privacy
and data security in the CFPB would be beneficial, or whether jurisdiction
would be better left to the existing regulators. I argue that responsibility for
protecting personal information would best be split in two. The generation
of privacy and data security norms can—and probably should—be situated
6. Oren Bar-Gill & Elizabeth Warren, Making Credit Safer, 157 U. PA. L. REV. 1, 98–100
(2008).
7. See id. at 3–6.
8. See id. at 4–5.
9. See id. at 86.
10. See id. at 85.
11. See id. at 86.
12. Susan Block-Lieb & Edward J. Janger, The Myth of the Rational Borrower: Rationality,
Behaviorism, and the Misguided “Reform” of Bankruptcy Law, 84 TEX. L. REV. 1481, 1513
(2006).
13. See infra Part I.C (discussion on Hannaford Brothers and TJX Companies).
14. See, e.g., ROBERT COOTER & THOMAS ULEN, LAW AND ECONOMICS 41 (2d ed. 1997);
George A. Akerlof, The Market for “Lemons”: Quality Uncertainty and the Market Mechanism,
84 Q.J. ECON. 488, 489–90 (1970); Richard Craswell, Property Rules and Liability Rules in
Unconscionability and Related Doctrines, 60 U. CHI. L. REV. 1, 49 (1993); Janger & Schwartz,
Limits on Default Rules, supra note 3, at 1240–41; Michael Spence, Consumer Misperceptions,
Product Failure and Producer Liability, 44 REV. ECON. STUD. 561, 561 (1977).
2010] Locating the Regulation of Data Privacy and Data Security
99
in an agency like the CFPB. By contrast, measures for responding to data
spills might best be coordinated by the existing banking-focused agencies.
Finally, regulation of data security precautions should be shared between
the consumer protection agency and the bank regulatory agency.
This Article will proceed in three steps. First, I will explain the
differences between data privacy and data security, and describe the
existing regulatory architecture. In the second part, I will explore the
various ways in which data privacy and data security norms can be
fashioned, starting with contract, then self-regulation, and finally methods
of public regulation. Third, I will discuss the possibility that, while the
CFPB has a role to play in regulating data privacy and data security, there
are important differences between norm generation for data privacy, data
security, and loss mitigation that suggest different locations for regulatory
authority. I will argue that the proposed CFPB has an important role to play
in the formulation of the data privacy and data security norms that govern
consumer relationships with their banks. By contrast, loss mitigation may
be more appropriately handled through industry self-regulation, or through
the regulatory institutions that are focused on systemic risk.
I. DATA PRIVACY AND DATA SECURITY
Data privacy and data security are closely related concepts, but they are
not the same. Data privacy requires that data be kept secure, but data may
be kept secure for reasons other than privacy.15 Entities that wish to hold
their data secure may not care at all about the privacy of those who
disclosed the data.16 So first, it is important to define terms. If data privacy
is viewed as the power to keep data secluded and safe from view, then data
privacy and data security are the same. This conflation turns, however, on
the mistaken view that data privacy is purely about concealment. This is
only partially true. In all contexts that matter, data privacy involves a
bilateral or multilateral relationship between a discloser and a recipient, or
recipients, of information.17 Privacy is not usually about data concealment,
it is about enforcing norms and expectations with regard to data sharing.18
15. Paul M. Schwartz, Privacy and Democracy in Cyberspace, 52 VAND. L. REV. 1609, 1663
(2001) (describing the “data seclusion deception”). The conflation of privacy and security arises
from the mistaken impression that data privacy is actually about keeping data private. Id.
16. For example, data aggregators such as Choice Point or credit reporting agencies gather
personal information, and keep it secure, not because they care particularly about consumer
expectations of privacy, but because information is their stock-in-trade. Schwartz & Janger, Data
Security Breaches, supra note 1, at 922–23.
17. See Schwartz, supra note 15, at 1660 (“We can refer to these ideas as . . . the ‘autonomy
trap’ and . . . the ‘data seclusion deception.’”); see also ROBERT C. POST, CONSTITUTIONAL
DOMAINS: DEMOCRACY, COMMUNITY, MANAGEMENT 51–88 (1995). See generally Robert C.
Post, The Social Foundations Of Privacy: Community and Self in the Common Law Tort, 77 CAL.
L. REV. 957 (1989).
18. See Janger, Anticommons, supra note 3, at 904–08.
In the payment system, for example, a purchaser reveals his or her
identity and account information to a merchant, the merchant passes that
information through a data conduit to the clearance network, the availability
of funds or credit is verified, and the transaction is processed.19 Along the
way, at least four entities are given access to potentially sensitive personal
information. The merchant learns the customer’s name, credit card number,
and purchasing preferences. Some or all of that information is also passed
to the merchant’s bank, the clearance network (i.e., Visa, MasterCard,
Amex), and to the customer’s bank.20 All of these disclosures may be fairly
characterized as consistent with the primary purpose of the discloser—
accomplishing payment.
Data privacy refers to the norms which govern information sharing and
the permitted secondary uses of disclosed information by each of the
entities that handle or come into possession of personal information.21 The
touchstone is the discloser’s reasonable expectations of privacy.22 Privacy
norms govern what happens once these various entities have identifiable
personal information about the discloser. What may they do with that
information? With whom may they share it? What secondary uses of
personal information are permitted to the recipients of that information?
Data security, by contrast, regulates the procedures for ensuring that the
disclosed information remains where the parties to the transaction intend
and may be accessed only by people who are authorized.23 Thus, a privacy
violation usually involves an intentional act by the information recipient
19. LYNN M. LOPUCKI, ELIZABETH WARREN, DANIEL KEATING & RONALD J. MANN,
COMMERCIAL TRANSACTIONS: A SYSTEMS APPROACH 317 (4th ed. 2009).
20. Id.
21. See, e.g., Joel R. Reidenberg, Privacy Wrongs in Search of Remedies, 54 HASTINGS L.J.
877 passim (2003); Joel R. Reidenberg, E-Commerce and Trans-Atlantic Privacy, 38 HOUS. L.
REV. 717, 720 (2001); Joel R. Reidenberg, Resolving Conflicting International Data Privacy
Rules in Cyberspace, 52 STAN. L. REV. 1315, 1347 (2000); Joel R. Reidenberg, Restoring
Americans’ Privacy in Electronic Commerce, 14 BERKELEY TECH. L.J. 771, 773 (1999). See also
Daniel J. Solove, Data Mining and the Security-Liberty Debate, 75 U. CHI. L. REV. 343 passim
(2008); Daniel J. Solove, “I’ve Got Nothing to Hide” and Other Misunderstandings of Privacy, 44
SAN DIEGO L. REV. 745, 754–60, 767–70 (2007). See generally Daniel J. Solove, A Taxonomy of
Privacy, 154 U. PA. L. REV. 477 (2006) (developing a new taxonomy for privacy, focusing on
activities that invade privacy); Daniel J. Solove, Identity Theft, Privacy, and the Architecture of
Vulnerability, 54 HASTINGS L.J. 1227 (2003) (conceptualizing privacy and advocating for
protections that shape this concept).
22. See, e.g., Joel R. Reidenberg, Privacy in the Information Economy: A Fortress or Frontier
for Individual Rights?, 44 FED. COMM. L.J. 195, 221–27 (1992) (discussing various types of
actionable invasions of privacy in the common law and the general requirement that there be a
reasonable expectation of privacy in the appropriated information) [hereinafter Reidenberg,
Frontier for Individual Rights].
23. Compare Gramm-Leach-Bliley Financial Modernization Act of 1999 § 501, 15 U.S.C. §
6801 (2006) (stating that a financial institution “shall establish appropriate standards . . . (3) to
protect against unauthorized access”), with id. § 6802 (stating that a financial institution “may not
. . . disclose . . . to a nonaffiliated third party any nonpublic personal information”).
that violates the expectations of the receiver.24 A security violation, by
contrast, may involve a violation of a duty of care,25 but it rarely—if ever—
involves an intentional disclosure of information.26 These differences
suggest that different approaches may be necessary for generating and
enforcing data security and data privacy norms.
A. DATA PRIVACY AND GLB
Until recently, the principal regulation governing data privacy in the
payment system was the Gramm-Leach-Bliley Act27 (GLB).28 Section 501
of the Act creates an obligation to protect the privacy of customer data.29
Section 502 gives some limited heft to that obligation, requiring notice and
an opportunity to opt out of any sharing of data with a non-affiliate, and
limiting the reuse of that information by non-affiliates.30 This regime has
been criticized for killing trees with relatively useless privacy notices, for
providing precious little data privacy protection because affiliate sharing is
permitted, and because the opt-out rule sets the default in favor of non-affiliate sharing.31
As a result, the onus for developing privacy standards, and establishing
enforceable privacy rights, rests on consumers’ willingness and ability to
contract for protection. In other words, if a consumer wishes to limit the
sharing of her data, she must affirmatively opt out of data sharing, and, to
the extent she wishes to limit affiliate sharing, she will have to negotiate for
it.32 In most cases this will mean forgoing the commercial relationship
with the financial institution. The limits of consumer contracting and the
problem of contracts of adhesion have been well discussed elsewhere.33
Paul Schwartz and I have discussed it specifically in the context of GLB,
24. Reidenberg, Frontier for Individual Rights, supra note 22, at 222–23.
25. Id. at 223–24.
26. Id.
27. 15 U.S.C. § 6801.
28. See generally Schwartz & Janger, Data Security Breaches, supra note 1.
29. 15 U.S.C. § 6801(a) (“It is the policy of the Congress that each financial institution has an
affirmative and continuing obligation to respect the privacy of its customers and to protect the
security and confidentiality of those customers’ nonpublic personal information.”).
30. Id. § 6802.
31. Timothy J. Muris, Chairman, Fed. Trade Comm’n, Remarks at the 2001 Privacy
Conference: Protecting Consumers’ Privacy: 2002 and Beyond (Oct. 4, 2001),
http://ftc.gov/speeches/muris/privisp1002.shtm.
32. Jerry Kang, Information Privacy in Cyberspace Transactions, 50 STAN. L. REV. 1193,
1246–67 (1998); Richard S. Murphy, Property Rights in Personal Information: An Economic
Defense of Privacy, 84 GEO. L.J. 2381, 2402–04 (1996); Paul M. Schwartz, Privacy and the
Economics of Personal Health Care Information, 76 TEX. L. REV. 1, 53–67 (1997) [hereinafter
Schwartz, Privacy Economics]; Jeff Sovern, Opting In, Opting Out, or No Options at All: The
Fight for Control of Personal Information, 74 WASH. L. REV. 1033, 1101–13 (1999); see also
Janger & Schwartz, Limits on Default Rules, supra note 3, at 1221.
33. C & J Fertilizer, Inc. v. Allied Mutual Ins. Co., 227 N.W.2d 169, 174 (Iowa 1975); see
generally Todd D. Rakoff, Contracts of Adhesion: An Essay in Reconstruction, 96 HARV. L. REV.
1173 (1983).
and found the result unsatisfactory.34 We concluded that the likely product
of GLB’s notice and opt-out regime is a lemons equilibrium in which bad
privacy practices prevail.35 We raised these issues in 2002, and nothing that
has happened since then has led us to question these conclusions. Instead
the focus of regulatory concern has been identity theft, which is really not a
“privacy” problem at all. The reasons for this shift of focus are discussed
below.
B. DATA SECURITY AND GLB § 501(B)
GLB has relatively little to say on the subject of data security, but
curiously, that is where the action has been.36 Section 501 of GLB consists
principally of a delegation to the agencies that govern financial
institutions.37 It provides in full:
(b) Financial institutions safeguards
In furtherance of the policy in subsection (a) of this section, each
agency or authority described in section 505(a) of this title shall
establish appropriate standards for the financial institutions
subject to their jurisdiction relating to administrative, technical,
and physical safeguards—
(1) to insure the security and confidentiality of customer records
and information;
(2) to protect against any anticipated threats or hazards to the
security or integrity of such records; and
(3) to protect against unauthorized access to or use of such
records or information which could result in substantial harm or
inconvenience to any customer.38
It instructs the various bank supervisory agencies to develop regulations
for handling customer data, such as PIN numbers, social security numbers,
and other data that might create a risk of, among other things, identity
34. Janger & Schwartz, Limits on Default Rules, supra note 3, at 1230–32.
35. Craswell, supra note 14, at 49. Richard Craswell states:
Because terms that are good for buyers are generally more expensive for sellers, any
seller that offers better terms will charge a higher price to make the same level of
profits she could make by offering less favorable terms at a lower price. However, if
most buyers have good information about prices but only poor information about non-price terms, they may not notice an improvement in non-price terms, while they will
definitely notice the higher price. As a result, many buyers may stop purchasing from
this seller.
Id.
36. See Gramm-Leach-Bliley Financial Modernization Act of 1999, 15 U.S.C. § 6801 (2006).
37. Id. § 6801(b).
38. Id.
theft.39 In response, the various bank supervisory agencies promulgated the
Interagency Guidance on Response Programs for Unauthorized Access to
Customer Information and Customer Notice that mandates risk assessments
and the creation of a response program by financial institutions.40 In
addition, the regulations contemplate a two-tier system of reporting security
breaches.41 Any security breach must be reported to the financial
institution’s supervising agency.42 If, after an investigation, it appears that
there is risk to the consumer, then notice of the security breach must also be
given to the consumer.43 While the Interagency Guidance is not perfect, it
does mandate a relatively comprehensive architecture for managing
sensitive personal financial data.44 The delegation contained in § 501(b)
could have been exercised in any number of ways. But, unlike privacy, the
task of regulating data security has not been left to contract. Data security
has been regulated more robustly than secondary use.
C. SELF REGULATION AND STANDARD SETTING—PCI DSS
The regulation of data security has not been limited to government
agencies. The payment card industry has taken it upon itself to engage in
self regulation in this area through the creation of the Payment Card
Industry Security Standards Council (PCI SSC).45 The PCI SSC consists of
the entities responsible for clearing payment card transactions—Visa,
MasterCard, American Express. This group has promulgated a series of
protocols called the Payment Card Industry Data Security Standard or PCI
DSS.46 This standard is intended to form the basis for auditing the security
practices of participants in the payment card clearance system.47 The PCI
DSS standard requires participants in the payment system, in broad outline,
to:
39. Id. §§ 6801(a), 6804(a)(1); Interagency Guidance on Response Programs for Unauthorized
Access to Customer Information and Customer Notice, 70 Fed. Reg. 15,736, 15,752 (Mar. 29,
2005), available at http://edocket.access.gpo.gov/2005/pdf/05-5980.pdf.
40. Interagency Guidance on Response Programs for Unauthorized Access to Customer
Information and Notice, 70 Fed. Reg. at 15,751–54.
41. Id. at 15,752; see also Edward J. Janger & Paul M. Schwartz, Anonymous Disclosure of
Security Breaches: Mitigating Harm and Facilitating Coordinated Response, in SECURING
PRIVACY IN THE INTERNET AGE 223, 227 (Anupam Chander et al. eds., 2008).
42. Interagency Guidance on Response Programs for Unauthorized Access to Customer
Information and Customer Notice, 70 Fed. Reg. at 15,752.
43. Id.
44. Schwartz & Janger, Data Security Breaches, supra note 1, at 920.
45. PCI SECURITY STANDARDS COUNCIL, http://www.pcisecuritystandards.org (last visited
Dec. 30, 2010).
46. PCI SSC Data Security Standards Overview, PCI SECURITY STANDARDS COUNCIL,
https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml (last visited Dec. 30,
2010).
47. Doug Drew & Sushila Nair, Payment Card Industry Data Security Standard in the Real
World, INFO. SYS. CONTROL J., 1 (Sept./Oct. 2008), http://www.isaca.org/Journal/PastIssues/2008/Volume-5/Documents/jpdf0805-payment-card-industry.pdf.
1. Install and maintain a firewall configuration to protect cardholder data.
2. [N]ot use vendor-supplied defaults for system passwords and other security parameters.
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open, public networks.
5. Use and regularly update anti-virus software [on all systems commonly affected by malware].
6. Develop and maintain secure systems and applications.
7. Restrict access to cardholder data by business need-to-know basis.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
12. Maintain a policy that addresses information security.48
Notwithstanding the implementation of PCI DSS, there have been
numerous data spills. Indeed, Hannaford Brothers and TJX Companies were
both hacked in 2008.49 Ironically, Hannaford received its certification one
day after being made aware of a two-month compromise of its internal
system.50 The proponents of PCI DSS point out that PCI DSS compliance is
assessed at a specific moment in time, and that none of the entities that have
been breached was actually complying with the PCI DSS protocol at the
time of its breach.51 They lay the blame, not on the protocols, but on the
implementation of compliance validation procedures.52
48. Id. at 2.
49. Brian Krebs, Three Alleged Hackers Indicted in Large Identity-Theft Case, WASH. POST,
Aug. 18, 2009, at A11; Dan Goodin, TJX Suspect Indicted in Heartland, Hannaford Breaches,
THE REGISTER (Aug. 17, 2009, 8:49 PM), http://www.theregister.co.uk/2009/08/17/heartland_pay
ment_suspect.
50. Middleware Audits and Remediation for PCI Compliance: The New Frontier of PCI,
EVANS RES. GRP., 1 (2009), http://www.evansresourcegroup.com/partners.html (follow “Read our
Whitepaper: Middleware Audits and Remediation for PCI Compliance: The new frontier of PCI”
hyperlink at bottom of page).
51. Jaikumar Vijayan, Post-Breach Criticism of PCI Security Standard Misplaced, Visa Exec
Says, COMPUTERWORLD (Mar. 19, 2009, 12:00 PM), http://www.computerworld.com/s/article/
9130073/Post_breach_criticism_of_PCI_security_standard_misplaced_Visa_exec_says. See also
Goodin, supra note 49; Kim Zetter, TJX Hacker Charged with Heartland, Hannaford Breaches,
WIRED (Aug. 17, 2009, 2:34 PM), http://www.wired.com/threatlevel/2009/08/tjx-hacker-chargedwith-heartland/.
52. Andrew Conry Murray, PCI and the Circle of Blame, NETWORK COMPUTING (Feb. 23,
2008), http://networkcomputing.com/data-protection/pci-and-the-circle-of-blame.php.
Interestingly, the payment card industry has proven much more
interested in creating norms and an architecture for protecting data security
than in articulating data sharing norms.53 One might point to the emergence
of private issuers of “privacy seals,” such as Trust-E and Secure Scan, but
the recent FTC settlement with ControlScan suggests that this market
solution is far from perfect.54 In that case, a privacy seal provider was
shown to have regularly failed to verify the privacy practices of the
merchants it endorsed.55
D. CONCLUSIONS AND QUESTIONS
This brief review of the regulatory architecture raises a number of
questions. First, why do the regulating agencies seem inclined to leave the
creation and enforcement of data privacy norms to the law of contracts,
while taking a more proactive approach to protecting data security? Second,
why hasn’t the market responded through competition over privacy
practices? And third, what does this tell us about the appropriate
government approach to regulating data privacy as compared to data
security?
II. SOURCES OF REGULATION: COMMON LAW, CONTRACT AND REGULATION
To decide whether public regulation is necessary one starts by asking
whether there is a market failure.56 That question further turns on whether,
left to themselves, the combination of private contracting behavior, contract
law, and tort law will produce optimal regulation. The answer to this
question in the context of data privacy and security may be too obvious to
bear discussion. To the extent that contract is involved, Susan Block-Lieb
and I, as well as Oren Bar-Gill, have written at length about the extent to
which consumers make cognitive and heuristic errors in deciding whether
to enter into consumer credit transactions.57 Consumers, it turns out, are
notoriously bad at figuring out how much it is going to cost them to borrow
money; they are also relatively bad at making inter-temporal comparisons
between consumption in the present and consumption in the future.58 There
is, moreover, a considerable literature on the extent to which consumers are
53. Evan Schuman, FTC: Web Site Security Seals are Lies, CBSNEWS.com, Mar. 5, 2010,
http://www.cbsnews.com/stories/2010/03/05/opinion/main6270104.shtml.
54. Id. (discussing the “bogus” security verification supplied by ControlScan in the context of
the FTC settlement).
55. Id.
56. RICHARD A. POSNER, ECONOMIC ANALYSIS OF LAW 389 (7th ed. 2007).
57. Bar-Gill & Warren, supra note 6, at 12–13; Block-Lieb & Janger, supra note 12, at 1489–
90.
58. Bar-Gill & Warren, supra note 6, at 29–33.
even worse at negotiating over the non-price terms of contracts.59 What is
clear is that consumers are not good at bargaining over either privacy or
data security. As such, relying on contract to establish data privacy and
security norms will place all of the power in the hands of the financial
institutions that receive the information.60
While comparing bad to worse may not be profitable, it is possible that
consumers’ ability to bargain over data security is even worse than their
ability to bargain over privacy terms. Consumers may be able to articulate
their expectations about how their information might be used in broad
terms.61 This failure of imagination and lack of information is even worse
for data security. Consumers cannot be expected to understand or monitor
the data security practices of their banks. And, while, from time to time,
banks compete on the basis of data security,62 as far as consumers are
concerned, their claims are entirely unverifiable. Indeed, the time when
most financial institutions spend the most advertising about data security is
after they have been subject to a breach.63
Where bargaining is impossible, as with data security, the natural
common law substitute is tort law.64 The law of negligence might be
expected to step in to establish data security norms. The problem with
relying on common law enforcement through private litigation is that even
when consumers discover that they have been the victims of identity theft it
is virtually impossible for the consumer to discover the source of the
breached data.65 Thus, most data security breaches are likely to escape
detection, and hence financial institutions are unlikely to fully internalize
the costs associated with lax security practices.
For these reasons, it is not surprising that contract and tort have not
provided adequate protection of either data privacy or data security. Thus, it
would appear that some form of regulatory response would be appropriate
for determining what data privacy terms should be embodied in consumer
credit and consumer payment contracts. Similarly, the nature of the
obligation to prevent data theft, fraud, or identity theft will have to be
created by public processes. Finally, the architecture for responding to data
spills will likely require some degree of public coordination.
59. Richard Craswell, Contract Law, Default Rules, and the Philosophy of Promising, 88
MICH. L. REV. 489, 505–08 (1989).
60. Schwartz & Janger, Data Security Breaches, supra note 1, at 927; Joseph Turow et al., The
Federal Trade Commission and Consumer Privacy in the Coming Decade, 3 I/S: J.L. & POL’Y
FOR INFO. SOC’Y 723, 730–32 (2007).
61. But even here there may be a failure of imagination. Few consumers realize how many
hands information passes through in completing a transaction.
62. Schwartz & Janger, Data Security Breaches, supra note 1, at 948.
63. Id.
64. GUIDO CALABRESI, THE COSTS OF ACCIDENTS: A LEGAL AND ECONOMIC ANALYSIS 125–
26 (1970).
65. Schwartz & Janger, Data Security Breaches, supra note 1, at 962–63.
III. THE CONSUMER FINANCIAL PROTECTION BUREAU AS A REGULATOR OF PRIVACY AND SECURITY
As noted above, in their 2008 article, Elizabeth Warren and Oren Bar-Gill proposed the creation of an independent consumer financial protection
agency.66 The tasks of such an agency would be to review the various
consumer credit products offered to consumers to ensure that they were
safe.67 A CFPB is part of the financial reform bill that was enacted this
year.68 The financial reform bill is over 1300 pages long, but the key
provisions are §§ 1031 and 1032. Section 1031 grants power to the Bureau
to promulgate regulations that prohibit unfair, abusive, or deceptive acts or
practices.69 Section 1032 authorizes the Bureau to mandate certain
disclosures, and to create loan forms that, if used, provide a safe harbor
from liability.70
The principal focus in discussion of these sections has been the
financial terms associated with such consumer credit products. Modern
products, including credit cards and home mortgages, have often been
designed expressly to hide their true costs.71 Back end fees, teaser rates,
default rates, negative amortization, and balloon payments are just a few of
what Warren describes as the “tricks and traps” that have become standard
practices in the consumer credit market and, in particular, the subprime
market.72 Warren and Bar-Gill proposed an agency that would examine
such products for transparency and would examine marketing practices to
ensure that loans were only extended to people for whom they were
appropriate.73 The absence of such regulation played an important role in
the financial meltdown of the last few years.
Institutional competence is at the heart of Warren and Bar-Gill’s
argument for a CFPB.74 It is not that statutory protections for consumers in
credit transactions did not exist. Their concerns were the related problems
of regulatory capture and diffusion of responsibility.75 Too many agencies
had jurisdiction over consumer protection, but none had it as its core
purpose.76 The FDIC, the
66. Bar-Gill & Warren, supra note 6, at 98.
67. Id. at 98–99.
68. Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010, Pub. L. No. 111-203, § 1011, 124 Stat. 1376, 1964–65 (2010).
69. Id. § 1031.
70. Id. § 1032.
71. Bar-Gill & Warren, supra note 6, at 54–55.
72. Id. at 56.
73. Id. at 98–100; see also Susan Block-Lieb & Edward Janger, Demand-Side Gatekeepers in
the Market for Home Loans, 82 TEMP. L. REV. 465, 495 (2009).
74. Bar-Gill & Warren, supra note 6, at 74.
75. Id. at 99–100, nn. 323, 325.
76. Bar-Gill & Warren state:
OCC, and the Federal Reserve all had some responsibility for consumer
protection, but their core function was protecting the safety and soundness
of the banking system.77 By contrast, the FTC had consumer protection as a
core function, but little expertise with financial products.78
While the CFPB’s intended focus is on lending products, and on the
credit function associated with payment cards, the use of credit cards as
payment devices raises a different set of safety issues that might be handled
similarly by such an agency. Data privacy and data security are just as much
terms of the credit/payment card contract as is the interest rate. And, if
anything, they are less transparent. The question therefore is not, could the
CFPB mandate include data privacy and data security; the question is
whether it should, as a matter of comparative institutional competence.
In considering whether the CFPB would be an appropriate regulator of
financial privacy and security, the divide between data privacy and data
security is instructive. While legislation and regulation at the federal level
have not been perfect in either category, the regulations promulgated under
§ 501(b) relating to data security are far more thoughtful than those relating
to data privacy.79 Similarly, to the extent that self regulation has had any
impact whatsoever, it has had influence on the data security side.80
This discrepancy may be traceable to the intrinsic difference between
data privacy and data security. Where data privacy is involved, there is an
inherent conflict of interest between consumers and banks. Consumers
expect their data to be kept confidential, and expect secondary use to be
narrowly cabined. The financial institutions would like to have as much
discretion as possible in how they use personal information. They have
every incentive to contract for broad discretion, and to ensure that
legislation does not interfere with their ability to use information as they
desire.
By contrast, where data security is involved, the conflict of interest
between consumer and financial institution has a different contour. While
financial institutions do have an incentive to limit the extent to which
contracts or legal regulations might lead to the imposition of liability, they
This litany of agencies, limits on rulemaking authority, and divided enforcement
powers results in inaction. No single agency is charged with supervision over any single
credit product that is sold to the public. No single agency is charged with the task of
developing expertise or is given the resources to devote to enforcement of consumer
protection. No single agency has an institutional history of protecting consumers and
assuring the safety of products sold to them.
Id. at 97 (citations omitted).
77. Id. at 93–95.
78. Id. at 95–96.
79. See supra Part I.B.
80. See supra Part I.C.
also have a relatively strong interest in ensuring that personal data remains
secure.
This interest is not a product of their particular interest in data security.
Instead, it is a product of the risk of loss rules that govern parties in the
payment system. One can go as far back as the rule in Price v. Neal,81 and
the properly payable rule under § 4-401 of the Uniform Commercial Code
(UCC), to see that the risk of fraud is placed, in the first instance, on the
bank that fails to detect it.82 If a financial institution honors an unauthorized
check, it must re-credit the account.83 Similarly, under the Truth in Lending
Act (TILA), the credit card bank must re-credit the account if an
unauthorized charge is made on a credit card.84 While, in both cases, it may
be possible for the paying bank to push liability down to the merchant who
initially took the check or accepted the card, the loss is going to rest on a
bank, not on the consumer. In this regard, banks have every incentive to
make sure that data remains secure. This interest is reflected in the self
regulation that produced a program like PCI DSS. Here, the alignment
between the banking industry and the bank regulatory agencies may be a
plus rather than a minus.
This alignment of interest between consumers and financial institutions
appears to be reflected as an alignment of interest between regulators and
the regulated. There are types of coordination and response that cannot be
handled by one firm alone. Neither can a consortium of private actors
accomplish such coordination without public assistance.
PCI DSS and the Hannaford data spill offer an example of both the
promise of self regulation and its limits. PCI DSS may be a well considered
and effective standard for protecting data security, but the standard setting
body has limited power to enforce the standards it sets.85 It can audit
participants in the payment system.86 It can deprive victims of data spills
membership going forward, but it cannot, in any meaningful way, punish,
and it has limited power to exclude members.87
By contrast, the existence of a standard such as PCI DSS may work
effectively in conjunction with tort law to set the standard by which
negligence might be judged, after the fact. PCI DSS could provide a
framework for regulatory agencies to include or exclude participants from
the payment system.
81. Price v. Neal, (1762) 97 Eng. Rep. 871 (K.B.) 871–72; 3 Burr. 1354, 1357. The rule in
Price v. Neal places the risk of loss for a forged drawer’s signature on the drawee (payor) bank
that pays the instrument without noticing that the signature is forged. Id.
82. See U.C.C. § 4-401 (2002).
83. Id.
84. Truth in Lending Act of 1968 § 133, 15 U.S.C. 1643 (2006); Truth in Lending (Regulation
Z), 12 C.F.R. § 226.13 (2007).
85. Drew & Nair, supra note 47, at 1.
86. Id. at 1–2.
87. Id.
Note here, however, that the pattern I am describing for data security is
very different from the one the CFPB would establish for defining terms.
This pattern involves cooperation among a self-regulatory organization, the
industry, and the agency. This is the sort of cooperation that might best be
accomplished through the OCC or Federal Reserve where the goal is the
safety and soundness of the financial system, and protection (for better or
worse) of the industry itself. By contrast, where data privacy is involved,
such a cooperative relationship is anathema to the function of protecting
consumers.
CONCLUSION
In conclusion, it appears that it may be desirable to split
the regulation of data privacy and data security in two. The articulation of
data security and data privacy norms might properly be entrusted to the
CFPB. An agency focused on consumer protection is in the best position to
generate and impose the default terms relating to privacy and security that
will find their way into consumer credit and payment contracts. However,
the regulation of data protection procedures, and the development of
programs for mitigating the harm caused by security breaches would best be
handled by the bank regulatory agencies themselves.
PAYMENTS DATA SECURITY BREACHES AND
OIL SPILLS: WHAT LESSONS CAN PAYMENTS
SECURITY LEARN FROM THE LAWS
GOVERNING REMEDIATION OF THE EXXON
VALDEZ, DEEPWATER HORIZON, AND
OTHER OIL SPILLS?
Sarah Jane Hughes
Legal regimes for remediating defects and certain accidents range from
strict liability in tort to warranty enforcement litigation to international
treaties and conventions with explicit, pre-ordained compensation limits
and procedures. Although to date no over-arching legal regime has
governed data security defects and breaches in the United States or
elsewhere, data security breaches are as capable of inflicting externalities
on counter-parties and consumers as the types of defects and accidents that
are covered by such schemes.1
Copyright © 2010. Sarah Jane Hughes. All rights Reserved. Sarah Jane Hughes is the
University Scholar and Fellow in Commercial Law at the Maurer School of Law, Indiana
University, Bloomington, Indiana. Professor Hughes would like to thank Professor Edward (Ted)
Janger and Brooklyn Law School for the invitation to present this Article as part of the Data
Security and Data Privacy in the Payment System Symposium, Dean Lauren Robel and the
Maurer School for research support for it, and the other participants in this Symposium, the
faculty of Brooklyn Law School, and the editors of the Brooklyn Journal of Corporate, Financial
& Commercial Law for their helpful comments and camaraderie. I also thank Fred H. Cate,
Distinguished Professor of Law and Director of the Center for Applied Cybersecurity Research,
Indiana University, Roland L. Trope, and Stephen T. Middlebrook for conversations about aspects
of this Article; Professor Edward Robertson of the Indiana University School of Informatics for
assistance with the concept of how an analogy to a double-hulled vessel would work in the field of
data security; and John P. Lowrey and Sean P. Giambattista, Maurer School of Law Classes of
2010 and 2011, respectively, for research assistance. Special thanks go to Professor Frank
Pasquale, Lofton Professor of Law, Seton Hall Law School, for his helpful commentary on the
Symposium draft of this Article. His references to earlier e-commerce scholarship, including
articles such as Dennis D. Hirsch, Protecting the Inner Environment: What Privacy Regulation
Can Learn from Environmental Law, 41 GA. L. REV. 1 (2006), which drew upon more traditional
environmental law analogies, enlivened discussion at the Symposium, and his historical
perspective persuaded me to try to make the connection between the maritime-environmental law
solutions and possible approaches to payments data security more clearly. Despite all of this
talented help, all mistakes here are my own.
This Article is dedicated to dear friends, Inez Janger, who coincidentally is Ted Janger’s
mother, and the late Peter Ghee. Ms. Janger’s experience and extraordinary common sense have
helped steer a unique non-profit organization successfully through very stormy seas that have had
nothing to do with data security or oil spills. Mr. Ghee’s long career in the oil industry, shipping
and maritime law and his acumen and foresight helped bring about the International Convention
for the Prevention of Pollution from Ships, which is known as MARPOL 73/78 and my
acquaintance with it, which I discuss in this Article.
Research for this Article ended on August 2, 2010, which was the 105th day after the
explosion on the BP Deepwater Horizon drilling platform and subsequent oil spill into the Gulf of
Mexico.
1. See Chris J. Hoofnagle, Internalizing Identity Theft, 13 UCLA J.L. & TECH. 2, 29–34
(2009).
112
BROOK. J. CORP. FIN. & COM. L.
[Vol. 5
When I began thinking about a paper for this Symposium, I was struck
by the similarities and differences between data security breaches and
maritime accidents, at least in terms of their substantial consequential and
incidental damages. In payments data security, these damages include card
cancellation and replacement expenses, database clean-up expenses,
counter-party and customer business relation expenses, reputational injuries
(including loss of customers and market capitalization to business counterparties), and the risk of identity theft, damage to credit ratings, lost credit
opportunities, and emotional distress to card or account holders.2 In the
maritime and exploration industries, these damages include damage to the
environment, shore and sea life, and livelihoods.3
In particular, I began wondering about whether pollution and seaworthiness analogies might exist between famous payments data security
breaches—that Professors Edward Janger, one of our hosts, and Paul
Schwartz, a faculty alumnus of Brooklyn Law School, called “data
spills”4—such as TJX,5 Hannaford Brothers,6 and Heartland Payments,
Inc.,7 and famous maritime accidents such as the Torrey Canyon wreck,8 the
Exxon Valdez grounding,9 and the BP Deepwater Horizon explosion.10 This
line of inquiry also led me to the 1973 and 1978 international conventions
that were drafted in response to Torrey Canyon,11 and to ponder whether the
2. See United States v. Karro, 257 F.3d 112, 121 (2d Cir. 2001) (discussing the human cost of
identity theft, including emotional costs).
3. See Joe Stephens, The Valdez’s Unheeded Lessons; BP was Part of Alaska Response, but
Decades Later Same Problems Persist, WASH. POST, July 14, 2010, at A1.
4. See generally Paul M. Schwartz & Edward J. Janger, Notification of Data Security
Breaches, 105 MICH. L. REV. 913 (2007).
5. See, e.g., Press Release, Fed. Trade Comm’n, Agency Announces Settlement of Separate
Actions Against Retailer TJX, and Data Brokers Reed Elsevier and Seisint for Failing to Provide
Adequate Security for Consumers’ Data (Mar. 27, 2008), http://www.ftc.gov/opa/2008/03/data
sec.shtm [hereinafter Settlement of Separate Actions].
6. See In re Hannaford Bros. Co. Customer Data Sec. Breach Litig., 613 F. Supp. 2d 108 (D.
Me. 2009).
7. See Linda McGlasson, Heartland, Visa Announce $60 Million Settlement Funds Would
Reimburse Card Issuers for Breach-Related Losses, BANKINFOSECURITY (Jan. 8, 2010),
http://www.bankinfosecurity.com/articles.php?art_id=2054.
8. See In re Barracuda Tanker Corp., 281 F. Supp. 228 (S.D.N.Y. 1968). The Torrey Canyon,
an oil tanker carrying more than 119,000 tons of oil from the Persian Gulf to Wales, was stranded
on the rocks off the southwestern coast of England, causing the Torrey Canyon’s oil tanks to
rupture and discharge oil into the Atlantic, polluting both shorelines of the English Channel. See
id. at 229. The British Royal Air Force eventually bombed the Torrey Canyon, destroying the ship
and leading to a total loss of its cargo. Id.
9. See Exxon Shipping Co. v. Baker, 128 S. Ct. 2605 (2008). The Exxon Valdez, a
“supertanker” carrying 53 million gallons of oil from Alaska to the lower 48 states, “grounded on
Bligh Reef off the Alaskan coast,” causing the discharge of millions of gallons of crude oil into
Prince William Sound after the ship’s hull fractured. Id. at 2611–13.
10. See Campbell Robertson, 11 Remain Missing After Oil Rig Explodes Off Louisiana; 17 are
Hurt, N.Y. TIMES, Apr. 22, 2010, at A13.
11. See Background on Pollution Prevention and MARPOL 73/78, INTERNATIONAL
MARITIME ORGANIZATION, http://www.imo.org/OurWork/Environment/PollutionPrevention/
core teachings of those conventions might help frame approaches for data
security breach prevention, clean-up, and liability.
Just as Professor Juliet M. Moringiello’s Article for this Symposium
harks back to property law and common law warranties to suggest an
approach for more contemporary payments data security breaches,12 I
recognize that data spills are newer phenomena than maritime accidents and
oil spills. Thus, in searching for approaches to these problems, I, too,
looked backwards—but to different sources of law. However, like accidents
involving discharges of oil and other pollutants at sea, such as Exxon
Valdez, and incidents involving problems with oil and gas exploration, such
as Deepwater Horizon, data security breach remediation may require the
development of laws, treaties, and conventions to govern these types of
accidents.
Of course, at the March 19, 2010 Symposium at Brooklyn Law School,
we had no idea that only a month later one of the most devastating oil spills
in U.S. history would occur. The events surrounding the April 20, 2010
explosion on the BP Deepwater Horizon oil drilling platform in the Gulf of
Mexico will be featured prominently in our discussions of energy policy,
environmental policy, and general disaster management for decades,13 just
as the data security breaches at TJX, RBS WorldPay, and Heartland will in
future discussions of data security policy.
The WellPoint data breach—disclosed in June, 201014—and Hannaford
highlight additional concerns with payments data risk management and data
governance that had not been the focus of the Symposium draft of this
Article. These concerns include a lack of coordinated rapid-fire response
capacities and delays in sharing information about breaches with affected
constituencies—including merchant banks and customers—that need it
most.15 Similarly, Deepwater Horizon confirmed that we still lack sufficient
rapid-fire disaster relief capability, a shortfall that was already evident
following Hurricane Katrina and Exxon Valdez.16 In both data and natural
disasters, we depend on private risk determinations before and after the
accident, and on largely private efforts to manage critical pieces of the
recovery processes. The incentives of the companies that bear the largest
OilPollution/Pages/Background.aspx (last visited Dec. 27, 2010); see also International
Convention for the Prevention of Pollution from Ships, 1973, concluded Nov. 2, 1973, 1340
U.N.T.S 184, 12 I.L.M. 1319, 1340, as modified by Protocol of 1978 Relating to the International
Convention for the Prevention of Pollution from Ships, 1973, concluded Feb. 17, 1978, 1340
U.N.T.S 61, 17 I.L.M. 146 [hereinafter MARPOL 73/78].
12. Juliet Moringiello, Warranting Data Security, 5 BROOKLYN J. CORP. FIN. & COMM. L. 63
(2010).
13. See Stephens, supra note 3.
14. See Steve Ragan, WellPoint: Data Breach Caused by Attorneys and Faulty Security
Update, TECH. HERALD (June 29, 2010, 6:11 PM), http://www.thetechherald.com/article.php/
201026/5807/WellPoint-Data-breach-caused-by-attorneys-and-faulty-security-update.
15. Id.
16. See Stephens, supra note 3.
responsibility for oil spills are similar to the incentives of private payments
systems and users that report payments data security breaches to authorities,
and their nearly exclusive role in remedying the damages to others affected
by payments data breaches.17 Thus, we are all hostages in a sense to private
decision-making in the prevention and remediation of certain events and to
the rigorous cost-cutting that has typified business practice in the United
States.18 In addition, pending criminal investigations (or even the prospect
of them) generally delay access to critical information about culpability. It
often is some time before we can know the full details about accidents—
whether oil spills or shipping mishaps, or data security breaches—and these
delays themselves may slow the process of crafting appropriate protections
and remediation schemes for the specific incidents and applying the lessons
learned from each going forward.
The totality of ship and drilling accidents—of which, federal records
suggest, a “handful” occurred in the Gulf of Mexico annually from 1964 to
2009,19—also sent me thinking beyond the negligent or criminal data
security breach events that occupied most of my thinking prior to the
Symposium. Broader transnational crimes, national security threats, and
disaster management concerns present themselves in the payments data
arena almost as starkly as in the maritime and environmental accidents
arena.20
Much has been written about payments data security breaches and the
damages they can impose on consumers who are victims.21 Perhaps just as
much has been written about various state laws and federal proposals that
require providers to notify consumers when their personally identifiable
information has been lost.22 The quality of these articles leaves me free to
17. See Schwartz & Janger, supra note 4, at 919.
18. See Stephens, supra note 3; see also Hoofnagle, supra note 1, at 33.
19. Steven Mufson, Since ‘64, A Steady Stream of Oil Spills Has Tainted Gulf, WASH. POST,
July 24, 2010, at A1.
20. In the days following the 9/11 World Trade Center attacks, the Federal Reserve System put
hundreds of millions of dollars of liquidity into the U.S. banking system in order to keep the
economy running. James J. McAndrews & Simon M. Potter, Liquidity Effects of the Events of
September 11, 2001, FED. RESERVE BANK OF N.Y. ECON. POL’Y REV., Nov. 2002, at 59, available
at http://www.newyorkfed.org/research/epr/02v08n2/0211mcan.pdf. The Federal Reserve lent
billions of dollars through the discount window, more than 200 times the daily average amount of
lending in the prior month, and temporarily waived daylight overdraft fees and overnight overdraft
penalties. Id. at 69–70.
21. E.g., J. Howard Beales, III & Timothy J. Muris, Choice or Consequences: Protecting
Privacy in Commercial Information, 75 U. CHI. L. REV. 109, 121–23 (2008); Chris J. Hoofnagle,
Identity Theft: Making the Known Unknowns Known, 21 HARV. J.L. & TECH. 97, 98 (2007); Joel
R. Reidenberg, Privacy Wrongs in Search of Remedies, 54 HASTINGS L.J. 877 (2003); Schwartz &
Janger, supra note 4.
22. See, e.g., Janine S. Hiller, David L. Baumer & Wade M. Chumney, Due Diligence on the
Run: Business Lessons Derived from FTC Actions to Enforce Core Security Principles, 45 IDAHO
L. REV. 283, 285–88, 305–08 (2009) (discussing international, federal, and state laws regarding
hacking and privacy, and the application of legal principles to enhance consumer privacy); Bruce
A. Colbath, Customer Privacy & Data Security: The Importance of Guarding Your Hen-House,
pursue other issues here, which, of course, does not suggest that I could
handle them as well as their authors did.
But relatively less has been written about the “direct and indirect”
damages and “opportunity costs” that payments systems participants suffer
because of data spills.23 These businesses normally are not the targets or
entry points of data security breaches, but rather sustain forms of collateral
“pollution” from those data security “spills”24 much like maritime accidents
pollute physical and environmental assets. These payment systems
participants include entities upstream from a data security breach, as well as
others on its periphery.25 To complicate recovery of collateral costs borne in
these cases, contractual disclaimers for third-party losses dominate in the
major agreements governing the operation of the credit card systems.26
They are less common in wire transfer bank-customer agreements because
Article 4A of the Uniform Commercial Code (UCC) requires an
explicit agreement to pay consequential damages and also limits—to the
extent allowed by Section 4A-305—the opportunity to vary the liability of
the receiving bank by agreement.27
Data security in payments takes on a new urgency in light of reports
about recent mass-scale hackings—including the intrusion into Google
Gmail accounts that Google traced to the People’s Republic of China28—reports that
individuals based in China are hacking into commercial databases,29 and
reports about the increasing scope of criminal hacking episodes.30 The
60 CONSUMER FIN. L. Q. REP. 603, 607 (2006) (discussing state statutes enacted in the wake of the
Choicepoint data breach).
23. For an example of specific research addressing these issues, see PONEMON INSTITUTE,
2008 ANNUAL STUDY: COST OF A DATA BREACH (2009), available at
http://www.encryptionreports.com/download/Ponemon_COB_2008_US_090201.pdf.
24. See id.
25. See id.
26. See VISA, RULES FOR VISA MERCHANTS: CARD ACCEPTANCE AND CHARGEBACK
MANAGEMENT GUIDELINES 60 (2007), available at http://www.emscard.com/uploads/Documents
/rules_for_visa_merchants.pdf.
27. U.C.C. § 4A-305 (2001). Of course, UCC Article 4A also sets forth a series of rules that
are designed to allow the receiving bank to identify erroneous payment orders by reliance on
specific arrangements in the security procedure agreed to by the sender and its receiving bank.
E.g., id. § 4A-205 (2001). The sender also has a duty to discover and report errors in orders
accepted by the receiving bank. Id. § 4A-205(b). In addition, in connection with a claim for
liability for late or improper execution or failure to execute payment orders, § 4A-305(a) of the
U.C.C. limits damages to those payable under subsections (a) and (b). Other damages, including
consequential damages, are recoverable to the extent provided in an express written agreement of
the receiving bank. Id. § 4A-305(c)–(d).
28. See, e.g., A New Approach to China, THE OFFICIAL GOOGLE BLOG (Jan. 12, 2010, 3:00
PM), http://googleblog.blogspot.com/2010/01/new-approach-to-china.html.
29. Mike Harvey, China Raid on Google ‘Also Hit Global Industrial Targets’; Hackers
Installed ‘Back Door’ to Gain Control of Computers, TIMES (UK), Jan. 16, 2010, at 15.
30. Id. In contrast, the combined number of data security breaches reported by government and
military agencies in the United States fell in 2009 compared with 2008, but the number of records
affected was larger. Hilton Collins, Many More Government Records Compromised in 2009 than
Year Ago, Report Claims, GOV’T TECH. (Dec. 2, 2009),
cross-border aspects of such breaches add to this urgency,31 particularly
because they make business-to-business (B2B) and business-to-consumer
(B2C) compensation more complicated.32 Additional concerns emerge from
the prospect of strategic hacking incidents, including the lack of apparent
well-coordinated disaster response and management capacity, and the
continued reliance on private actors to prevent, report, and respond to data
security breaches.33
We also must confront the fact that many cyber-breaches are never
publicized to persons whose information may have spilled or to law
enforcement.34 In some cases, even incidents that are publicized in news
media may not be revealed with particularity to customers. For example,
following Heartland, my family received new credit cards in the mail with
new account numbers and no explanation whatsoever from the card issuers
of why they suddenly were replacing cards that had not expired. In early
2010, I received a new set of American Express cards bearing the same
expiration date also with no explanation; concerned, I called the company
and learned that the replacements were part of its private remediation of a
former employee’s theft of hard drives containing many thousands of
cardholders’ personal information that had been detected nine months prior.
Apparently to reassure me, the company’s representative told me that the
perpetrator was now cooperating with the recovery efforts and that my
account data had only recently been identified as having been affected by
the theft.
http://www.govtech.com/gt/articles/734214 (discussing a report by the Identity Theft Resource
Center that the number of breaches reported up to December 2009 was 82 compared with 110 for
all of 2008 but that the number of records affected soared from less than three million to more
than 79 million). The report apparently called for greater vigilance in securing data, including
“when it’s mobile.” Id. The article also cited 461 separate data breaches in “all sectors” affecting
222 million records, as opposed to a total of 656 breaches in 2008 that affected “more than 35
million compromised records.” Id.
31. William Resnik et al., Wave of Online Banking Fraud Targeting Businesses, K&L GATES
NEWSSTAND (Feb. 15, 2010), http://www.klgates.com/newsstand/detail.aspx?publication=6209
(explaining the growing theft and misuse of user names and passwords to online banking accounts
and use of fraudulent wire transfers and automated clearing house (ACH) transfers to foreign
countries).
32. See id. The terms “B2B” and “B2C” refer, respectively, to business-to-business and
business-to-consumer transactions in e-commerce and e-payments. See, e.g., Jane K. Winn,
Consumers and Standard Setting in Electronic Payments Regulation, 5 ELEC. BANKING L. &
COM. REP. 11, 15 (2002); Robert Kossick, The Internet in Latin America: New Opportunities,
Developments, & Challenges, 16 AM. U. INT’L L. REV. 1309, 1310 (2001).
33. See Ellen Nakashima, War Game Reveals U.S. Lacks Cyber-Crisis Skills; Staged
Emergency Displays Need for Strategy, Organizers Say, WASH. POST, Feb. 17, 2010, at A3
(covering the February 2010 “Cyber Shock Wave” simulation conducted in Washington, D.C.).
34. See Diane Bartz & Jim Finkle, Cyber Breaches Are a Closely Kept Secret, REUTERS, Nov.
24, 2009, available at http://www.reuters.com/article/idUSTRE5AN4YH20091124 (detailing the
reluctance of companies that are victims of breaches to disclose them because of fear of
reputational damage, loss of customers, injury to profits, and criminal attention shifting to smaller
and medium-sized firms whose data is less well protected).
Finally, in a reminder that seemingly ordinary burglaries may cause
massive expenses and potential liability, on March 1, 2010, a report
emerged about an October 2, 2009 burglary of fifty-seven hard drives from
a closet at a BlueCross BlueShield of Tennessee training facility.35 These
hard drives apparently contained unencrypted data from more than one
million customer support calls and 300,000 “screen shots” of computer
monitors made contemporaneously with the support calls; most of the calls
and many screen shots revealed sensitive personal information that is used
in identity theft, according to the report.36
The Ponemon Institute’s annual report on data breach costs suggests
that the overwhelming percentage of breaches is attributable to negligence
by insiders.37 Negligence in the handling of sensitive personal information
in transmission or storage is not dissimilar from the captain’s absence from
the bridge, with the third mate at the controls, as the Exxon Valdez
approached Bligh Reef in Prince William Sound, Alaska,38 or the series
of “risk-based decisions” that BP apparently made in the management of
the drilling process at the Deepwater Horizon facility and for which
government investigators tentatively concluded that the operators chose the
“least expensive option even though it potentially elevated the risk.”39 So,
in the prevention of oil spills, one commentator observed the lessons we
ought to have learned from the grounding of the Exxon Valdez went
“unheeded” too long.40 The same may be said of data spills, given the
slow pace at which U.S. card issuers and merchants have adopted Europay,
MasterCard, and Visa (EMV) chip-card security; that slow pace may reflect
risk assessments that opt for less expensive technologies over those that
offer greater security for data.41
35. Robert McMillan, Data Theft Creates Notification Nightmare for BlueCross, PCWORLD
(Mar. 1, 2010, 5:30 PM), http://www.pcworld.com/businesscenter/article/190461/data_theft_
creates_notification_nightmare_for_bluecross.html [hereinafter McMillan, Data Theft].
36. Id. (detailing more than five months of work including notification of more than 300,000
customers so far and expenses of more than $7 million).
37. PONEMON INSTITUTE, supra note 23, at 7.
38. See Stephens, supra note 3. For more detailed information about the Exxon Valdez
grounding, oil spill, and its causes, see ALASKA OIL SPILL COMMISSION, SPILL: THE WRECK OF
THE EXXON VALDEZ, IMPLICATIONS FOR SAFE TRANSPORT OF OIL (1990), available at
https://www.washingtonpost.com/wp-srv/special/oil-spill/docs/alaska-commission-report.pdf.
39. Joel Achenbach & David Hilzenrath, From Series of Missteps to Calamity in the Gulf;
Investigators Believe that BP Cut Corners, WASH. POST, July 25, 2010, at A1.
40. Stephens, supra note 3 (reporting on BP predecessor British Petroleum’s “central role” in
the Exxon Valdez incident and pointing a finger at cost-cutting to maximize profits and regulators
“too close to the oil industry” that “approved woefully inadequate accident response and cleanup
plans”). Stephens also described comments made by the Chairman of the former Alaska Oil Spill
Commission, Walt Parker, including “‘[i]t’s almost as though we had never written the report [on
the Exxon Valdez].’” Id.
41. Kate Fitzgerald, Fraud Could Come from North After Canada Phases in EMV, AM.
BANKER, July 14, 2010, at 6 (citing a prediction by Christopher Justice, the president for North
America of the French payment terminal maker Ingenico S.A., that “‘fraudsters specializing in
magnetic stripes will begin to focus more heavily on the U.S. as Canada moves away from mag-
118
BROOK. J. CORP. FIN. & COM. L.
[Vol. 5
This Article suggests sources of law for an institutional framework that
would create stronger incentives for the prevention of payments data
breaches and for their prompt remediation, including a requirement for
compulsory notice to a central agency regardless of the number of
individuals or records involved. It does not advocate compulsory notice to
consumers whose rights may be affected by a cyber-security breach, and
instead recommends that the central agency—whether domestic or
international—decide whether notifying consumers whose accounts might
be affected is warranted. The Article also considers whether our current
means of redressing losses through payments system rules and litigation is
preferable to possible federal schemes like the oil liability provisions of the
Clean Water Act,42 and the liability provisions of the Oil Pollution Act
(OPA) of 1990.43 The former established strict liability civil penalties and
significantly higher civil penalties for cases involving gross negligence.44
The latter establishes a liability framework that increases incentives for
prevention by limiting damages to removal costs and maximum damages
unless the oil spill incident was caused by the gross negligence or willful
misconduct of the responsible party or the failure or refusal of the
responsible party or its counter-parties to report the incident.45 If the
liability limits are too low, the tendency will be either to devote too few
resources to prevention, or to fail to report or underreport the severity of the
spill, as may have happened in Deepwater Horizon.46 Incomplete or delayed
notice requirements in the data spills hinder remediation and may contribute
to broader complications, including threats to larger payments systems and
critical infrastructure. Reporting delays or incomplete reporting would
particularly complicate the remediation of malicious attacks or strategic
behavior designed to cripple part or all of the domestic payments systems.
Part I of this Article briefly describes what government agencies, think
tanks, and the media have reported about recent high-profile data spills
affecting payments systems, and particularly the prospects of large-scale
criminal and even strategic cyber-security threats.47 Part II describes the
stripe’” and also that converting “back-office and software . . . to switch from mag-stripe card
would cost billions” as an explanation of the slower pace of EMV adoption here).
42. Federal Water Pollution Control Act (Clean Water Act), 33 U.S.C. §§ 1251–1321 (2006).
43. Oil Pollution Act of 1990, 33 U.S.C. §§ 2702, 2704 (2006).
44. Compare 33 U.S.C. § 1321(7)(A) (strict liability civil penalty), with 33 U.S.C. § 1321
(7)(D) (significantly higher civil penalty for cases involving gross negligence). However, neither
penalty was sufficiently large to deter the cost-cutting and low-balled risk assessments that
allegedly led to the Deepwater Horizon explosion.
45. Compare 33 U.S.C. § 2704(a)(3) (maximum liability and removal costs for offshore
facilities is “the total of all removal costs plus $75,000,000”), with 33 U.S.C. § 2704(c)(1)–(2) (the
prior limit is inapplicable if the incident is proximately caused by gross negligence or willful
misconduct, or involves a violation of a federal safety, construction, or operating regulation, or if
the responsible party does not report the incident).
46. See Mufson, supra note 19.
47. See Nakashima, supra note 33.
origins of the International Convention for the Prevention of Pollution from
Ships 1973, as modified by the Protocol of 1978 relating thereto,
collectively known as MARPOL 73/78,48 in major pollution events
associated with maritime accidents and particularly the Convention’s
requirements for the prevention of pollution. It also describes the federal
Clean Water Act, which prescribes rules for spills from pipelines as well as
oil wells,49 and the OPA, which prescribes special rules for off-shore
facilities and deepwater ports spill liability.50 Part III compares the
requirements and remedies that MARPOL and the OPA offer with those
available for the prevention of data security breaches. Part IV evaluates
recently passed and introduced bills focused on data security breaches and
cyber-security problems generally. It also briefly discusses recent state
legislation relating to data security breaches. Part V asks whether “safe
harbor” provisions in legislation might result in reduced prevention and less
effective care to recover from data spills rather than more. Part VI sets forth
conclusions.
I. PAYMENTS DATA SECURITY BREACHES/DATA SPILLS
Like maritime or oil exploration accidents discharging oil or other
pollutants, data security breaches come in many sizes.51 However, unlike
the provisions of the OPA that specifically allow removal costs incurred in
connection with oil spills into the navigable waters, adjoining waters, or the
exclusive economic zone of the United States,52 there is no comparable
federal liability scheme for data spills. Accordingly, prevention plans and
remediation efforts have largely been left to private actors in the data spill
arena.53 For example, the federal “Safeguards Rule” implementing Section
501 of the Gramm-Leach-Bliley Act (GLBA) Privacy provisions,54 and the
Disposal and Red Flags Rules implementing the Fair and Accurate Credit
Transactions Act of 2003 (FACTA)55 that apply to providers of consumer
financial products and services, reflect legislative and regulatory
preferences for self-assessments of risks and for implementation by private
48. MARPOL 73/78, supra note 11.
49. 33 U.S.C. § 1321.
50. 33 U.S.C. §§ 2701–2762 (2006).
51. Mark Jewell, TJX Breach Could Top 94 Million Accounts, MSNBC.COM, Oct. 24, 2007,
http://www.msnbc.msn.com/id/21454847.
52. 33 U.S.C. § 2702(a)–(b)(1).
53. See, e.g., Standards for Safeguarding Customer Information, 67 Fed. Reg. 36,484, 36,484
(May 23, 2002) (to be codified at 16 C.F.R. § 314).
54. See Standards for Safeguarding Customer Information, 16 C.F.R. § 314 (2010). The § 501
privacy provisions that are the underlying authority for the Safeguards Rule are codified at 15
U.S.C. §§ 6801–6809 (2006).
55. Duties Regarding the Detection, Prevention, and Mitigation of Identity Theft, 16 C.F.R. §
681.2 (2006); Disposal of Consumer Report Information and Records, 16 C.F.R. § 682 (2006).
See also Fair and Accurate Credit Transactions Act (FACTA) of 2003, Pub. L. No. 108-159, 117
Stat. 1952 (codified as amended at 15 U.S.C. § 1681).
actors of policies and procedures that match these self-assessments.56 State
laws also leave to private actors the ability to own or license personal
information about their customers, and implement and maintain “reasonable
security procedures and practices,” but require these procedures and
practices to be “appropriate to the nature of the information” to protect it
from “access, destruction, use, modification, or disclosure.”57 Thus,
incentives exist for low-balling risk in order to reduce the costs associated
with prevention of data security breaches, just as it appears that low-balled
or ignored risks contributed to the well explosion and subsequent inability
to control the oil spill from the Deepwater Horizon well.58
The next portion of this Article examines recent data spills and their
remediation costs. These examples reflect different types of spills—some
negligent and some presumptively criminal or malicious—and their effects
in terms of unauthorized access to account information or loss of funds by
some affected parties.
A. RECENT SPILLS INVOLVING PAYMENTS DATA
Four recent examples suggest that substantial damages may result from
payments data breaches. These examples represent different problems that
payments systems participants have with data security, including B2B
liability and B2C liability, as well as qualifications to participate in
payment systems.
1. WellPoint
WellPoint, Inc. (WellPoint) is the nation’s largest health insurer with a
customer base of more than 30 million.59 It apparently experienced a data
breach in October 2009, as the result of a failed security update.60 WellPoint
reports that the breach “could have exposed personal information,”
including medical history and payment information, “belonging to 470,000
customers.”61 WellPoint did not learn about the breach until it received a
subpoena the following March.62 The company attributed some
unauthorized access to manipulation by attorneys representing an applicant
56. See, e.g., Standards for Safeguarding Customer Information, 67 Fed. Reg. at 36,484 (final
rule requires financial institutions to develop written information security programs appropriate to
the size and complexity of their operation, the nature and scope of activities in which they engage,
and the sensitivity of the customer information they obtain, and also that “certain basis elements”
be included to “ensure that it addresses the relevant aspects of the financial institution’s operations
and that it keeps pace with developments that may have a material impact on its safeguards”).
57. E.g., CAL. CIV. CODE § 1798.81.5(b) (Deering 2009).
58. Achenbach & Hilzenrath, supra note 39.
59. See Ragan, supra note 14.
60. Id.
61. Id.
62. Id.
for insurance.63 It had notified 470,000 customers—including 230,000 in
California alone—by June 29, 2010, and had undertaken other remediation
measures. WellPoint continued to assess its options for the recovery of its
expenses and data, as it remains unclear precisely who or how many
unauthorized persons gained access to the records.64
2. Royal Bank of Scotland
Data spills affecting the Royal Bank of Scotland (RBS) are a reminder
that not all payments data spills target U.S. providers or consumers in the
U.S. RBS has had more than one payments data security breach. In 2008,
the company—along with American Express and UK-based NatWest
Bank—lost data contained on a server that was sold on eBay for the
equivalent of $64; the server apparently contained unencrypted back-up
data “includ[ing] names, addresses, bank account numbers, telephone
numbers and customer signatures.”65
On November 8, 2008, RBS WorldPay experienced widespread fraud
as a result of another data breach.66 The data breach had occurred earlier
when unauthorized individuals accessed the information.67 This time, RBS
lost $9 million when thieves used ATMs in forty-nine cities around the
world to gain the cash after penetrating RBS WorldPay servers.68 After
stealing encrypted data from payroll cards and the associated PINs, some
members of the group also allegedly accessed the RBS WorldPay network
and raised the applicable limits on the cards as well as limits on what could
be withdrawn at ATMs with the cards.69 Following that breach, Visa
stripped RBS of its status as a validated service provider, but by May 22,
2009, it had restored RBS’ status as a Payment Card Industry Data Security
Standard (PCI DSS) validated service provider.70
3. Helsinki, Finland Merchant
A second case concerning a non-U.S. owner of data involved a
Helsinki, Finland merchant who reported that data from more than 100,000
payment cards had been stolen from the merchant’s server; of these, 40,000
63. Id.
64. Id.
65. Tom Espiner, Amex, Royal Bank of Scotland, NatWest Customer Details Sold on eBay,
CNET NEWS (Aug. 26, 2008, 10:57 AM), http://news.cnet.com/8301-1009_3-10026032-83.html.
66. Robert Lemos, Data-Breach Lawsuit Follows $9 Million Heist, SECURITYFOCUS (Feb. 6,
2009), http://www.securityfocus.com/brief/903.
67. Id.
68. Id.
69. RBS WorldPay Indictment Outlines Sophisticated Hacker Coordination, DIGITAL
TRANSACTIONS (Nov. 11, 2009), http://www.digitaltransactions.net/index.php/news/story/2371.
70. Warwick Ashford, RBS WorldPay Regains Security Approval After Data Breach,
COMPUTERWEEKLY (May 22, 2009, 9:25 AM), http://www.computerweekly.com/Articles/2009/
05/22/236142/RBS-WorldPay-regains-security-approval-after-data-breach.htm.
were active cards.71 The Helsinki Criminal Police’s Information
Technology Crimes Unit reported that: (a) the attacks on the merchant’s
servers were traced to internet protocol addresses in Romania and the
United States although they were uncertain that the attacks originated in
either country; (b) the data breach occurred in mid-January, but involved
payment cards from 2005 to January 2010—as many as three-fifths of
which may have expired; (c) a routine computer security check uncovered
the breach; and (d) the merchant has removed the vulnerable system from
use and has replaced it with the newer-age, less vulnerable EMV system.72
The merchant had decided to notify only those domestic and foreign
cardholders whose cards have been fraudulently used.73 Finland’s largest
credit card services company, Luottokunta, noted that because Finnish
merchants use the PCI DSS, advanced monitoring, and card shutdown
systems, the level of payment card abuses was “half” the rate experienced
in other countries.74
4. P2P File Sharing (Unnamed Victims or Potential Victims).
A fourth type of data spill apparently involves person-to-person (P2P)
file sharing at almost 100 organizations, as reported by the Federal Trade
Commission (FTC) in February 2010. The details about these data spills are
vague, but the FTC’s press release makes it clear that file sharing software
enabled the transmission of personally identifiable and account information
otherwise available on the computer on which the file-sharing programs
were run.75
B. WHAT DO PAYMENTS DATA SPILLS COST?
As the above data security breaches suggest, reported costs for data
security breaches have risen over the past few years. For example, the 2008
Annual Study: Cost of a Data Breach, issued in February 2009, reported
that “total annual costs” incurred in seventeen different industries rose to
“$202 per record compromised [in 2008], an increase of 2.5 percent since
2007 ($197 per record) and 11 percent [since] 2006 ($182 per record).”76
The same study reported that the largest cost increase involved “abnormal
71. Marcus Hoy, Data Security: Payment Card Data Theft from Merchant is Finland’s
Largest Card Breach, Police Say, 94 BNA BANKING REP. 443 (2010).
72. Id. An EMV system is a specialty security platform that Europay, MasterCard, and VISA
use outside the United States; it features chip-and-PIN technology. See CARDLOGIX, SMART
CARD & SECURITY BASICS 7 (2009), available at http://www.smartcardbasics.com/pdf/7100030_
BKL_Smart-Card-&-Security-Basics.
73. Hoy, supra note 71.
74. Id.
75. Press Release, Fed. Trade Comm’n, Widespread Data Breaches Uncovered by FTC Probe
(Feb. 22, 2010), http://www.ftc.gov/opa/2010/02/p2palert.shtm.
76. PONEMON INSTITUTE, supra note 23, at 4.
churn,” which indicates customer turnover.77 The report also noted that
healthcare and financial services companies that experienced data breaches
had the highest churn (customer defections) factors of 6.5 and 5.5 percent,
respectively, which the report attributed to both the sensitivity of the data
collected and customer expectations that information will be protected.78
Other factors in the overall costs of data spills identified in the
Ponemon Institute report include “outlays for detection, escalation,
notification, and after the fact (ex-post) response.”79 Companies that
experience data security breaches—like those that experience oil spills—
also suffer declines in their market capitalizations that can be significant.80
Evidence suggests that payments-related data spills cost an average of more
than $6.6 million.81 TJX reported losses of more than $1 billion in
connection with its 2006 breach,82 and direct remediation expenses of $256
million.83 And, in addition, companies that suffer payments data spills often
experience significant declines in their capitalization in the period following
report of the breach.84
These significant declines in capitalization appear to be in addition to
the direct remediation costs reported above and costs associated with
enforcement actions and instituting and maintaining compliance plans. FTC
77. Id.
78. Id.
79. Id. at 3.
80. See, e.g., Jim Puzzanghera & Ronald D. White, BP Courts Mideast Investors; Increased
Stakes from the Region Could Hurt Its Image Further and Trigger U.S. Reviews, L.A. TIMES, July
8, 2010, at A1 (“Solvency has been a concern as BP’s stock value has plummeted as much as 55%
since oil started spewing from the Gulf of Mexico well in April.”).
Heartland Payments Systems, Inc. fared worse than TJX did in terms of market
capitalization gyrations after their data security incidents. Compare Jaikumar Vijayan, One Year
Later: Five Takeaways from the TJX Breach, COMPUTERWORLD (Jan. 17, 2008, 12:00PM),
http://www.computerworld.com/s/article/9057758/One_year_later_Five_takeaways_from_the_TJ
X_breach (“Despite being the biggest, costliest and perhaps most written-about breach ever,
customer and investor confidence in TJX has remained largely unshaken. TJX’s stock was worth
about $30 per share when the breach was disclosed, and its closing price today was just over
$29.”), with Todd Wallack, Data Breach Ensnares Many in Mass.; Credit and Debit Card
Numbers Compromised, BOS. GLOBE, May 13, 2009, at B1 (“Heartland shares dropped sharply
after the company disclosed the breach Jan. 20. The company’s stock, which peaked at more than
$18 per share in early January, fell rapidly in the days after the disclosure, going as low as $4 in
March. It closed yesterday at $9.04.”). When seeing such a disparity one is tempted to ask, is this
disparity in investor reaction a measure of the likely differences between retailers that have goods
to sell to consumers and data processors that exist in a different, highly competitive market but
whose direct counter-parties are better able to move to another processor? Concerns over the
effects on local economies of the Deepwater Horizon spill have caused worries for banks. See
Rachel Witkowski, Equity Flows Out of Fla. As Oil Seeps in, AM. BANKER, July 15, 2010, at 1.
81. PONEMON INSTITUTE, supra note 23, at 4. Data breaches such as the BlueCross BlueShield
of Tennessee breach are considered “more complex than a typical data breach,” and are likely to
cost more than the average amount. See McMillan, Data Theft, supra note 35.
82. Jeff Kress, Is Your Information Safe?, CA MAGAZINE, Aug. 1, 2008, at 44.
83. Ross Kerber, Cost of Data Breach at TJX Soars to $256m—Suits, Computer Fix Add to
Expenses, BOS. GLOBE, Aug. 15, 2007, at A1.
84. PONEMON INSTITUTE, supra note 23, at 4.
enforcement actions involving violations of its financial privacy and
safeguards rules, or pursuant to its unfair or deceptive practices authority,
have required—in various combinations—civil penalties, consumer redress
payments, implementation of comprehensive data security programs, and
implementation of independent audits of compliance.85 For example,
ChoicePoint, Inc. (ChoicePoint) paid $10 million in civil penalties and $5
million in consumer redress to settle the FTC’s charges in 2006.86 In a May
2005 filing with the Securities and Exchange Commission, BJ’s estimated
that these claims were worth approximately $13 million.87 ChoicePoint also
was involved in a second enforcement action in 2009, for violations of its
2006 consent order.88 At the time BJ’s Wholesale Club, Inc. settled the
FTC’s charges, banks and credit unions were pursuing BJ’s to recover for
fraudulent payments and for damages associated with the cancellation and
re-issuance of credit and debit cards.89 The FTC consent order against
CardSystems Solutions—a third-party payment service provider charged
with violations of FTC Act Section 5’s unfair or deceptive acts or practices
authority—provides a good example of its requirements for new
comprehensive data security programs to protect the security,
confidentiality, and integrity of personal information that it collects or
receives from consumers by adopting administrative, technical, and
85. For a summary of FTC Section 5 enforcement actions involving financial privacy and data
security, see Enforcement, FED. TRADE COMM’N, http://www.ftc.gov/privacy/privacy
initiatives/promises_enf.html (last visited Nov. 21, 2010). For an example of an FTC settlement
requiring implementation of a comprehensive information security program and long-term
independent audits, see Settlement of Separate Actions, supra note 5.
86. Press Release, Fed. Trade Comm’n, ChoicePoint Settles Data Security Breach Charges; To
Pay $10 Million in Civil Penalties, $5 Million for Consumer Redress (Jan. 26, 2006),
http://www.ftc.gov/opa/2006/01/choicepoint.shtm. The violations of the Fair Credit Reporting Act
included failure to employ reasonable procedures to screen prospective clients for its specialized
credit reporting services and eventual disclosures of the personally identifiable information
pertaining to more than 160,000 customers when the clients to whom disclosures were made had
applications that raised red flags, including using commercial mail drops as business addresses,
using cell phone numbers as business telephone contact numbers, and paying for services using
money orders drawn on multiple issuers. See Complaint for Civil Penalties, Permanent Injunction,
and Other Equitable Relief at 5, 7, United States v. Choicepoint, Inc., No. 06-cv-0198 (N.D. Ga.
Jan. 30, 2006), available at http://www.ftc.gov/os/caselist/choicepoint/0523069complaint.pdf. The
FTC also charged that ChoicePoint in one case continued to provide consumer information after
ChoicePoint had suspended the customer for nonpayment on more than one occasion. Id. at 7.
87. Press Release, Fed. Trade Comm’n, BJ’s Wholesale Club Settles FTC Charges (June 16,
2005), http://www.ftc.gov/opa/2005/06/bjwholesale.shtm [hereinafter BJ’s Wholesale Club Press
Release].
88. See Supplemental Stipulated Judgment and Order for Permanent Injunction and Monetary
Relief, United States v. ChoicePoint, Inc., No. 06-cv-0198-JTC (N.D. Ga. Oct. 14, 2009),
available at http://www.ftc.gov/os/caselist/choicepoint.shtm. ChoicePoint also is a recidivist like
BP. See id.
89. See BJ’s Wholesale Club Press Release, supra note 87. For the complaint and consent
order, see In re BJ’s Wholesale Club, Inc., 140 F.T.C. 465 (2005).
physical safeguards for personally identifiable information.90 Of course,
design and implementation of a new security program is a significant
expense.
II. INTERNATIONAL CONVENTION GOVERNING NOTICE OF
AND COMPENSATION FOR MARITIME SPILLS OF OIL AND
OTHER HAZARDOUS SUBSTANCES
As mentioned above, there may be many parallels drawn between
payments data spills and pollution from maritime accidents. Both impose
costs on unsuspecting people that include huge risks of collateral damage to
livelihoods. Maritime accidents affect fisheries, shipping activities, and the
welfare of shore life. Businesses affected by data spills may experience a
fall in share values/market capitalization,91 exclusion from participation in
payment systems,92 and reputational damage. Individuals may experience
emotional distress, decreased credit ratings, and a loss of the privilege of
using credit rather than cash.
Both types of spills impose costs from long-term remediation efforts.
Indeed, reports suggest that TJX spent at least $256 million on recovery
efforts related to its data spill and that its overall losses were $1 billion.93
Exxon claims to have spent about $2 billion cleaning up the 11-million-gallon
spill from the Exxon Valdez and another $1 billion to settle civil and
criminal charges against it.94 Consequential damage from the grounding to
sea life alone included the loss of 250,000 seabirds and more than 20 orca
whales.95 To compensate victims affected by Deepwater Horizon, BP has
established a fund in the range of $20 billion96 and spent more than $3
billion on the early stages of the clean-up and recovery.97 To deal with the
90. In re CardSystems Solutions, Inc., No. 052-3148, 2006 WL 515749 (F.T.C. Feb. 23,
2006). For more information about this and other FTC actions involving payments data security
breaches, see Martha L. Arias, Internet Law—Computer and Data Security Breaches, INTERNET
BUS. L. SERVS. (Sept. 17, 2007), https://www.ibls.com/internet_law_news_portal_view.aspx?s=
latestnews&id=1852.
91. See Kimberly K. Peretti, Data Breaches: What the Underground World of “Carding”
Reveals, 25 SANTA CLARA COMPUTER & HIGH TECH. L.J. 375 (2009).
92. E.g., Anthony M. Freed, Visa Puts Heartland on Probation Over Security Breach,
SEEKING ALPHA (Mar. 13, 2009), http://seekingalpha.com/article/125849-visa-puts-heartland-on-
probation-over-security-breach (reporting the suspension of the Heartland system from VISA
participation until it had been recertified).
93. Peretti, supra note 91, at 380; Kerber, supra note 83.
94. See Jonathan Stempel, Special Report: BP Oil Spill a Gusher for Lawyers, REUTERS, Jun.
30, 2010, available at http://www.reuters.com/article/idUSTRE65T2MZ20100630.
95. Dan Joling & Mark Thiessen, In Alaska, Painful Memories of Exxon Valdez,
CBSNEWS.COM, May 3, 2010, http://www.cbsnews.com/stories/2010/05/03/national/main6456
927.shtml.
96. Fiona Maharg-Bravo & Robert Cyran, Tallying BP’s Bill on the Gulf Coast, N.Y. TIMES,
July 14, 2010, at B2.
97. Jad Mouawad, BP Begins Its Next Challenge: Reassuring Investors, N.Y. TIMES, July 8,
2010, at B1.
consequences of these oil spills many conventions have been concluded.
Importantly, these conventions serve as useful comparisons for ways to deal
with data spills.
MARPOL 73/78 is the short-hand name for one such convention, the
1973 International Maritime Organization convention and a series of related
amendments, annexes, and protocols, including the 1978 and 1997
amendments to the convention.98 MARPOL 73/78 is not the only
convention dealing with the consequences of maritime collisions or with
certain forms of hazardous substance releases from sea-going ships.99 There
is also, for example, the Convention on Limitation of Liability for Maritime
Claims.100 U.S. laws also govern incidents such as fatalities and oil spills.101
MARPOL has features that could serve as a template for a regime to
deal with data spills. It is a document with global force and, therefore, with
legitimacy, and it relies on governmental mechanisms, non-governmental
organizations, and—as one of its most attractive features for the purpose of
addressing data spills provides—its scheme relies on a diverse group called
“experts” to solve various technical, legal, and political problems that arise
under its provisions.102
MARPOL 73/78, the amendments to the 1978 Protocol and subsequent
regulations implementing the whole scheme, and U.S. laws implementing
the MARPOL scheme or other environmental protection requirements offer
four guiding points for a possible framework for payments data spills: (1)
the requirement of compulsory notice to a central agency;103 (2) a
compensation scheme that extends to third-parties affected by the hazardous
substance spills;104 (3) operational restrictions;105 and (4) the requirement to
outfit sea-going ships with double hulls or other alternative protections,
such as double bottoms, so as to protect against the accidental release of
98. International Convention for the Prevention of Pollution from Ships (MARPOL), INT’L
MARITIME ORG., http://www.imo.org/About/Conventions/ListOfConventions/Pages/International-
Convention-for-the-Prevention-of-Pollution-from-Ships-(MARPOL).aspx (last visited Dec. 27,
2010).
99. E.g., International Convention for the Prevention of Pollution of the Sea by Oil, concluded
May 12, 1954, 12 U.S.T. 2989, T.I.A.S. No. 4900, 327 U.N.T.S. 3 [hereinafter OilPOL];
International Convention on Civil Liability for Oil Pollution Damage, concluded Nov. 29, 1969,
973 U.N.T.S. 3, amended by Protocol, Nov. 27, 1992, 1956 U.N.T.S. 255.
100. Convention on Limitation of Liability for Maritime Claims, concluded Nov. 19, 1976,
1456 U.N.T.S. 221.
101. Death on the High Seas Act of 1920, 46 U.S.C. §§ 30302–30308 (2006); Federal Water
Pollution Control Act (Clean Water Act), 33 U.S.C. §§ 1251–1321 (2006).
102. See Clay Maitland, Is MARPOL Dead?, MARINE LOG, Dec. 2007, at 52 (concluding that
MARPOL is not dead).
103. See MARPOL 73/78, supra note 11, at art. 8, ¶ 2(b). The 1972 Federal Water Pollution
Control Act (Clean Water Act) requires notice of spills of hazardous substances, such as oil. 33
U.S.C. § 1321(b)(5).
104. MARPOL 73/78, supra note 11, at art. 7, ¶ 2.
105. Amendments to the Annex of the Protocol of 1978 Relating to the International
Convention for the Prevention of Pollution From Ships, 1973, Resolution MEPC.117(52), adopted
Oct. 15, 2004, 2057 U.N.T.S. 68 [hereinafter Revised Annex 1 of MARPOL 73/78].
hazardous substances in the ships.106 A fifth guiding principle of the oil spill
prevention scheme—the creation of the International Maritime
Organization (IMO) as an international organization focused on the
problem—predated MARPOL.107
A comprehensive national or international approach to data security
breaches might even avoid one of the pitfalls that MARPOL and other
international conventions and U.S. environmental protection statutes share
in terms of fixed liability limits that prove very hard to update. For
example, the liability limit in the Clean Water Act was intended to subject
violators to civil penalties in amounts “up to $25,000 per day of violation or
an amount up to $1,000 per barrel of oil.”108
But regardless of these imperfections, the five pivot points found in
MARPOL, its amendments and IMO regulations as well as U.S.
environmental protection laws offer some useful approaches for data
security spills.
A. COMPULSORY NOTICE OF SPILLS
One of the most useful analogies that payments data security can draw
from MARPOL 73/78 is its requirement of compulsory notice of oil spills
to a central agency.109 There is no de minimis rule in the MARPOL
scheme; that is, the ship’s operators must report every spill or discharge.110
In contrast, enacted state legislation and pending federal bills regarding
data security breaches, discussed infra, only require prompt notice to law
enforcement if the breach affects a threshold number of individuals or
records—such as at least 10,000 individuals or a million or more records—
and separate notices to consumers whose card data has been breached.111 It
is this Article’s position that, in order to protect critical infrastructure assets
and national security, notice between the entity that suffers the breach and a
central authority (at least at the national level) that a payments data spill has
occurred should be mandatory regardless of its size, rather than based on
some threshold. Proprietary payments systems rules and credit and debit
card master agreements should require the merchants, payments processors,
or financial institutions whose systems are breached to notify their
counterparties as well, regardless of the number of records or accounts affected.
Thresholds, I would argue, keep data problems from central scrutiny at their
beginning, may allow them to spread, and certainly provide no early-warning
system for orchestrated attacks on a retailer, payment system, or financial
institution that would protect everyone involved.
106. Id. at regulation 19.
107. See Introduction to IMO, INT’L MARITIME ORG., http://www.imo.org/About/Pages/Default
.aspx (last visited Dec. 28, 2010) (describing the IMO’s origins in 1948 as the Inter-Governmental
Maritime Consultative Organizations, a name changed to International Maritime Organization in
1982). The IMO entered into force in 1958 just prior to the entry into force of OilPOL. Marine
Environment Pollution Prevention Background, INT’L MARITIME ORG., http://www.imo.org/Our
Work/Environment/PollutionPrevention/OilPollution/Pages/Background.aspx (last visited Dec.
28, 2010).
108. 33 U.S.C. § 1321(b)(7)(A) (2006).
109. See MARPOL 73/78, supra note 11, at art. 8; Revised Annex I of MARPOL 73/78, supra
note 105, at regulation 37.
110. See MARPOL 73/78, supra note 11, at art. 8; Revised Annex I of MARPOL 73/78, supra
note 105, at regulation 37.
111. Nearly every federal data security bill allows delays in notices to consumers so that law
enforcement investigations may take place. E.g., Data Accountability and Trust Act, H.R. 2221,
111th Cong. § 3(c)(2) (as passed by House, Dec. 8, 2009) (providing delay for regular law
enforcement purposes and for longer periods if notification would threaten national or homeland
security). In both cases, delays must be based on determinations of necessity, and requests for
delays are made in writing. E.g., Personal Data Privacy and Security Act of 2009, S. 1490, 111th
Cong. § 311(d) (2009). Additional delays may be requested. E.g., H.R. 2221, § 3(c)(2)(A) (thirty
days original delay for general law enforcement purposes subject to subsequent requests for delay
with no specified outer limit if requests also made in writing).
B. COMPENSATION FOR THIRD-PARTY LOSSES
MARPOL 73/78 is also part of a longstanding scheme of compensation
for third-party losses that reaches back to 1954, beginning with the
convention known as OilPOL.112 Compensation allows affected
communities and individuals to survive the damage to livelihoods and to
physical environments on which they depend or around which they live.
Since OilPOL, various international conventions and domestic laws
implementing them have in some cases increased the amount of first-level
compensation.113
The group of international conventions providing for compensation
includes two that predate MARPOL 73/78, the 1969 International
Convention on Civil Liability for Oil Pollution Damage (commonly known
as the 1969 Civil Liability Convention), and the 1971 International
Convention on the Establishment of an International Fund for
Compensation for Oil Pollution Damage (commonly known as the 1971
Fund Convention), each of which has been replaced by new protocols in
1992, now known, respectively, as the 1992 Civil Liability Convention and
the 1992 Fund Convention.114 The 1992 Civil Liability Convention imposes
strict liability on ship owners for oil pollution damage.115 The 1992 Fund
Convention provides supplementary compensation for oil pollution victims
if the former convention’s compensation is inadequate.116 In addition, a
Protocol to the 1992 Fund Convention created a third-tier compensation
prospect through the International Oil Pollution Compensation
Supplementary Fund, raising the maximum payable for one incident to
750,000,000 Special Drawing Rights, which is equivalent to
$147,500,000.117
112. OilPOL, supra note 99. The 1978 Protocol to the 1973 Convention essentially replaced
OilPOL. See Background on Pollution Prevention and MARPOL 73/78, supra note 11. However,
Congress then repealed the Oil Pollution Act of 1961, Pub. L. No. 87-167, 75 Stat. 402, which had
implemented OilPOL and the Oil Pollution Act Amendments of 1973. Act to Prevent Pollution
from Ships of 1980, Pub. L. No. 96-478, 94 Stat. 2303 (codified as amended at 33 U.S.C. §§
1901–1915).
113. U.S. statutes implemented these compensation schemes to include, inter alia, the Federal
Water Pollution Control Act (Clean Water Act), 33 U.S.C. §§ 1251–1321 (2006), the Outer
Continental Shelf Lands Act Amendments of 1978, 43 U.S.C. § 1814 (1988) (repealed 1990), the
Trans-Alaska Pipeline Authorization Act, 43 U.S.C. § 1653 (1988), and the Deepwater Port Act,
33 U.S.C. § 1517 (1988).
114. The International Regime for Compensation for Oil Pollution Damage: Explanatory Note
Prepared by the Secretariat of the International Oil Pollution Compensation Funds, INT’L OIL
POLLUTION COMPENSATION FUNDS (Dec. 2010), http://www.iopcfund.org/npdf/genE.pdf
[hereinafter Explanatory Note].
Examples of domestic legislation providing for compensation exist in
the United States and Turkey. In the United States, the OPA specifies the
types of damages that individuals and other entities that suffered injury
could obtain from persons responsible for oil spills.118 These include
damages to natural resources, real or personal property, subsistence uses of
natural resources, revenues, public services, and profits.119 In addition, it
specifies the scope of clean-up costs for which responsible persons are
liable, including containment and actions necessary to “minimize or
mitigate damage to public health or welfare, including, but not limited to,
fish, shellfish, wildlife, and public and private property, shorelines, and
beaches[.]”120 The OPA allows the States to impose liability on responsible
parties beyond the liability that the Act provides.121 Turkey’s law was
adopted in 2005.122
A special scheme for damages to third parties—like the overall scheme
supporting compensation for oil-spill victims briefly described above—
might be used to sustain credit reporting blocks or monitoring and recovery
expenses, particularly when breaches affect smaller merchants or
institutions, or other sorts of damages that are hard to quantify in advance.
115. See id.; see also International Convention on Civil Liability for Oil Pollution Damage,
1992, art. 1 ¶ 6, art. 3 ¶ 1, opened for signature Jan. 15, 1993, 1956 U.N.T.S. 255, available at
http://www.iopcfund.org/npdf/Conventions%20English.pdf.
116. See Explanatory Note, supra note 114; see also International Convention on the
Establishment of an International Fund for Compensation for Oil Pollution Damage, 1992, at art.
II, ¶ 1, opened for signature Jan. 15, 1993, 1953 U.N.T.S. 330, available at
http://www.iopcfund.org/npdf/Conventions%20English.pdf.
117. Explanatory Note, supra note 114. To determine the daily value of Special Drawing rights
under this scheme, see Exchange Rate Archives by Month, INT’L MONETARY FUND,
http://www.imf.org/external/np/fin/data/param_rms_mth.aspx (last visited Dec. 28, 2010). For a
comprehensive analysis of the overall oil pollution damages scheme, see MICHAEL MASON,
TRANSNATIONAL COMPENSATION FOR OIL POLLUTION DAMAGE: EXAMINING CHANGING
SPATIALITIES OF ENVIRONMENTAL LIABILITY (2002), http://eprints.lse.ac.uk/570/1/RPESAno69(2002).pdf.
118. Oil Pollution Act of 1990, 33 U.S.C. §§ 2701–2720, 2731–2738 (2006).
119. Id. § 2702(b)(2).
120. Id. § 2701(30).
121. Id. § 2718(a).
122. For a thorough discussion of this law, see MURAT TURAN, TURKEY’S OIL SPILL RESPONSE
POLICY: INFLUENCES AND IMPLEMENTATION (2009), available at http://www.un.org/Depts/los/
nippon/unnff_programme_home/fellows_pages/fellows_papers/turan_0809_turkey.pdf.
In establishing a compensation scheme for counter-party and consumer
damages from data spills, however, we should take care to create a
mechanism to provide for periodic increases in basis compensation. This
would avoid the problems associated with compensation schemes in which
allowed damages have not kept pace with inflation, such as in the Death on
the High Seas Act of 1920123 or in 13 U.S.C. § 1321(7)(A), which
establishes a civil penalty for “owner[s], operator[s] or person[s] in charge
of any vessel, onshore facility or offshore facility from which oil or a
hazardous substance is discharged in violation of” 13 U.S.C. § 1321(3) that
is capped at $25,000 per day of violation for discharges of oil or other
hazardous substances or at up to $1,000 per barrel of oil or unit of
reportable quantity of hazardous substances discharged.124 In addition, in
cases in which the violation “was the result of gross negligence or willful
misconduct” of an owner, operator, or person in charge described in 13
U.S.C. § 1321(7)(A), the person is “subject to a civil penalty of not less
than $100,000, and not more than $3,000 per barrel of oil unit of reportable
quantity of hazardous substance discharged.”125
In addition, the compensation scheme might reward prompt and
accurate reporting of the data spill to avoid the obvious temptation to
lowball the estimate of damages inflicted. In the Deepwater Horizon
incident, for example, there were many reports that BP was under-reporting
the discharge from the well so that it could take advantage of the “strict
liability” penalties in 13 U.S.C. § 1321(7)(A) and avoid the higher penalties
for “gross negligence” provided in 13 U.S.C. § 1321(7)(D).126
C. OPERATIONAL RESTRICTIONS
MARPOL 73/78 imposes additional operational requirements and some
restrictions on tankers and other vessels that do not meet its mandates. For
example, just as VISA suspended RBS PayCard’s approved service
provider status after its breach revealed that its compliance with PCI DSS
was inadequate,127 vessels that do not meet certain criteria under MARPOL
may not enter certain waters or ports,128 and may be required to keep
expanded records and undergo additional inspections.129
This multi-pronged approach to prevention may be more effective than
the single-factor reliance on encryption or double-factor encryption and best
practices approaches seen in state data security breach laws as well as
pending federal legislation.130
123. Death on the High Seas Act of 1920, 46 U.S.C. §§ 30302–30308 (2006).
124. Clean Water Act, 33 U.S.C. § 1321(7)(A) (2006).
125. Id. § 1321(7)(D).
126. John Schwartz, Liability at Issue in Oil Flow Rate in Gulf, N.Y. TIMES, July 19, 2010, at
A17; see also Press Release, The Select Committee on Energy, Independence and Global
Warming, Markey: Flow Rate Report Shines Light on BP’s Financial Liability, True Size of Spill
(May 27, 2010), http://globalwarming.house.gov/mediacenter/pressreleases_2008?id=0255.
127. Ashford, supra note 70.
128. Revised Annex I of MARPOL 73/78, supra note 105, at regulations 20–21.
129. Revised Annex I of MARPOL 73/78, supra note 105.
D. DOUBLE HULLS AND COMPARABLE SAFE-DESIGN
REQUIREMENTS
MARPOL 73/78 also requires specific structural defenses to guard
against oil spills and other discharges into the sea. For tankers built after
1981, MARPOL requires that construction be double-hulled.131 The
convention requires that vessels with large capacities but built before June
1, 1982 or contracted to be built before that year, be retrofitted with double
bottoms and structural improvements to their sides.132 Vessels without
appropriate structural defenses as required by MARPOL should not expect
access to certain ports.133 Similarly, payments systems participants that
cannot comply with PCI DSS’s required firewalls and 128-bit encryption
security features—or that employ EMV/chip-and-PIN technology instead—
might be precluded or suspended from certain payments systems. Such was
the fate of Heartland after its breach.134
E. MODEL FOR INTERNATIONAL COOPERATION AND AVOIDANCE OF
TRADE-HINDERING NATIONAL LEGISLATION
The fifth lesson that MARPOL 73/78 offers to the solution of payments
data spills relates to its role as a model for international cooperation in the
effort to reduce the temptation to deal with certain issues piecemeal through
national legislation. Because of rising evidence that the perpetrators of data
security breaches operate internationally,135 and because the threat of
transnational criminal prosecution may not deter cyber thieves, international
cooperation through private standard setting and international conventions
offers an attractive approach for the prevention and resolution of data
security incidents.
130. See infra Part IV.
131. Revised Annex I of MARPOL 73/78, supra note 105, at regulation 20.
132. Id.
133. Id. For an analogous situation regarding data breaches, see Ashford, supra note 70
(describing how banks may be removed from Visa’s and Mastercard’s list of validated service
providers if they are not compliant with the Payment Card Industry Data Security Standard).
134. E.g., Freed, supra note 92 (reporting the suspension of the Heartland system from VISA
participation until it had been recertified); Lemos, supra note 66 (mentioning the use of low-level
thieves called “cashers” to withdraw funds from ATMs in Montreal, Moscow, Hong Kong, and
other cities in the U.S. and abroad, depleting 100 accounts and revealing personal information on
1.5 million cardholders and the social security numbers of 1.1 million of them); Robert McMillan,
FTC Says Scammers Stole Millions, Using Virtual Companies, COMPUTER WORLD, Jun. 27, 2010,
http://www.computerworld.com/s/article/9178560/FTC_says_scammers_stole_millions_using_vir
tual_companies (scammers used U.S. residents to move money to Bulgaria, Cyprus, and Estonia)
[hereinafter McMillan, FTC Catches Scammers]. More recently, reports suggest that Russian
hackers broke into a check image depository and used the information to generate counterfeit checks
and stole $9 million. Elinor Mills, Check Counterfeiting Using Botnets and Money Mules, CNET
NEWS (July 28, 2010), http://news.cnet.com/8301-27080_3-200111885-245.html.
135. See, e.g., McMillan, FTC Catches Scammers, supra note 134.
III. HOW DO PAYMENTS DATA SPILLS AND MARITIME SPILLS
COMPARE?
Part II of this Article focuses on costs associated with the prevention
and remediation of spills, both payments data and oil-related. This Part
focuses on the causes of spills. In this regard, payments data spills and
maritime accidents share things in common. First, both may derive from
insiders’ negligence or recklessness, or cost-cutting that affects risk-prevention
measures.136 Examples of negligence leading to data spills
include:
• Theft of unencrypted information on hard drives stored in an
apparently unsecured closet in a training facility of BlueCross
BlueShield of Tennessee. These hard drives contained data, as well
as photos of the screens on which trainees and operators were
working that revealed sensitive personally identifiable information
about customers;137 and
• The spectacular TJX breach affecting 94 million payment records
of credit cards and debit cards, involving the use of wireless Internet
transmissions of data vulnerable to interception in a process known
as “war driving,” in which thieves use readers to capture
transmissions leaving known store locations.138
Maritime examples include:
• The disarming of one or more warning systems on the Deepwater
Horizon oil drilling platform in the days and weeks prior to the
explosion and spill, and the failure to heed other signals that
important safety features were not functioning as planned;139
• The grounding of the Exxon Valdez in the Valdez Inlet near
Anchorage, Alaska in 1989. Investigation of the cause of the
accident revealed that, despite the known shoal dangers of Prince
William Sound through which the Valdez was moving,140 only one
officer was on the bridge at the time of the accident and that the
pilot had been under the influence of alcohol at the time of the
grounding;141 and
• The Cosco Busan accident that spilled 53,569 gallons of heavy
crude into San Francisco Bay on November 7, 2007.142 The United
States filed felony and misdemeanor charges against the Cosco
Busan’s management and pilot for sailing in fog, travelling at an
unsafe speed, failing to make plans or use radar, and falsifying
documents.143
136. For a discussion on oil spills, see Achenbach & Hilzenrath, supra note 39.
137. See McMillan, Data Theft, supra note 35.
138. Byron Acohido, Cyberthieves Find Workplace Networks are Easy Pickings; Simple
Hacking Techniques Have Potential to Collect Data From Any Entity Using a Digital Network,
USA TODAY, Oct. 9, 2009, at B1 (discussing the TJX and Hannaford data security breaches and
the means used to intercept data).
139. David S. Hilzenrath, Alarm System on Rig Was Disabled, Technician Testifies, WASH.
POST, July 24, 2010, at A5.
140. See ALASKA OIL SPILL COMMISSION, supra note 38.
Second, the sources of spills may be entirely different. For example, the
1978 wreck of the Amoco Cadiz was caused by the failure of the tanker’s
steering mechanism and subsequent rough weather, which in turn caused
the tanker to split apart, spilling 68.4 million gallons of oil and despoiling
more than 125 miles of the coast of France.144 This tanker was not fitted
with a double hull—because MARPOL’s requirement was not in effect at
the time—placing its cargo at greater risk in the event of grounding.145
Does the grounding of the Exxon Valdez bear a stronger resemblance to
the BlueCross BlueShield of Tennessee spill—which involved unencrypted
data in an unguarded location—or the Google spill—which involved the
high-tech penetrations of significant firewalls around wire transfer
systems?146
While considering the above, it may be helpful to think about the
differences between navigating correctly charted waters, on the one hand,
and navigating areas in which recent storms or sand accretions may affect
the reliability of the charts. Or, in other words, navigating around known
rocks is easier because, normally, big rocks do not move often and sand
does.147 The chart and, therefore, the charted course should be all right if all
one is interested in is avoiding the rocks. But the same won’t work with
sand, which is constantly eroding and accreting.148
141. Stephens, supra note 3; see also ALASKA OIL SPILL COMMISSION, supra note 38, at 27.
Among other sea and shore life, the oil spill killed 250,000 sea birds and more than twenty orca
whales in Prince William Sound, Alaska, alone. Joling & Thiessen, supra note 95.
142. UNITED STATES DEPARTMENT OF HOMELAND SECURITY, INCIDENT SPECIFIC
PREPAREDNESS REVIEW (ISPR) M/V COSCO BUSAN OIL SPILL IN SAN FRANCISCO BAY: REPORT
ON INITIAL RESPONSE PHASE (2008), available at http://www.uscg.mil/foia/CoscoBuscan/Cosco
BusanISPRFinalx.pdf (listing number of birds caught (1,039), cleaned (681), and dead (1,365) due
to the Cosco Busan oil spill and discussing origins of the spill).
143. Bob Egelko, Felony Charges for Ship’s Management, S. F. CHRON., July 24, 2008, at B3.
144. Allen Tony, MV Amoco Cadiz, THE WRECKSITE ARCHIVE (June 26, 2007),
http://www.wrecksite.eu/wreck.aspx?10339.
145. See Background on Pollution Prevention and MARPOL 73/78, supra note 11.
146. More E-Mail Account Details Leak Online, N.Y. TIMES GADGETWISE BLOG (Oct. 6, 2009,
11:05 PM), http://gadgetwise.blogs.nytimes.com/2009/10/06/more-e-mail-account-details-leakedonline/?scp=3&sq=wire%20transfer&st=cse.
147. Interview with Roland Trope, Esq., Partner, Trope & Schramm, LLP, in Coral Gables, FL
(Jan. 25, 2010).
148. Examples of accretions and erosion abound. Storms may cause breaches that radically alter
tidal flows in their vicinities and lesser weather changes may cause significant shifts in sand bars
and shoals that affect tides or otherwise threaten maritime safety. See, e.g., Nelson Sigelman,
Three Years Later, Norton Point Breach Marches On, MARTHA’S VINEYARD TIMES, Apr. 29,
2010, http://www.mvtimes.com/marthas-vineyard/article.php?id=536; Nelson Sigelman, Ocean
Forces Continue to Shape Katama Cut, MARTHA’S VINEYARD TIMES, June 19, 2008,
http://www.mvtimes.com/2008/06/19/news/norton-point-breach.php. Studies of sand-bar
migration include Edith L. Gallagher, Steve Elgar & R.T. Guza, Nearshore Sandbar Migration,
106 J. GEOPHYSICAL RES. 11,623 (2001); Edith L. Gallagher, Steve Elgar & R.T. Guza,
Observations of Sand Bar Evolution on a Natural Beach, 103 J. GEOPHYSICAL RES. 3203 (1998);
D.J. Phillips & S.T. Mead, Investigation of a Large Sandbar at Raglan, New Zealand: Project
Overview and Preliminary Results, 1 REEF J. 267 (2009).
But, as new operating systems are rushed to market, data security
confronts efforts by cyber-thieves that are analogous to movements of both
rocks and sand on a constant basis, as thieves search for any available
vulnerability and seek to penetrate systems that may have been considered
impenetrable just prior to the breach. So, in some respects, detecting and
preventing risks to data security may be harder than avoiding the
aforementioned types of shipping accidents. However, the risks to critical
infrastructures and national security are such that stronger incentives for
appropriate levels of monitoring and deterrence as well as some legal,
centralized, or collective solutions are needed.
IV. LEGISLATIVE RESPONSES TO DATA SPILLS AND
PROSPECTS—DO PROPOSALS SUFFICIENTLY ADDRESS
SPILL PREVENTION AND DATA SPILL REMEDIES FOR
BUSINESSES OR CONSUMERS WHOSE SYSTEMS OR
PERSONAL INFORMATION IS BREACHED?
A. CONGRESSIONAL LEGISLATION
Notwithstanding the numerous data spills and the damages resulting
from them, the only recent federal law specifically related to data breach
notification is the Health Information Technology for Economic and
Clinical Health Act of 2009 (HITECH Act).149 The Act expanded the
enforcement jurisdiction of the Health Insurance Portability and
Accountability Act (HIPAA)150 to allow state attorneys general to enforce HIPAA’s
provisions and implementing regulations.151
149. Health Information Technology for Economic and Clinical Health Act, Pub. L. No. 111-5,
123 Stat. 115, 226 (2009) (codified in scattered sections of 42 U.S.C.).
150. Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, 110
Stat. 1936 (codified in scattered sections of 16, 26, 29, 42 U.S.C.).
151. Health Information Technology for Economic and Clinical Health Act § 13410(e). Using
this new authority, the State of Connecticut was reported to be investigating the WellPoint data
breach. See Joseph Goedert, Conn. AG Probes WellPoint Breach, HEALTH DATA MGMT (July 6,
2010), http://www.healthdatamanagement.com/news/breach-wellpoint-anthem-connecticut-attorn
ey-general-40596-1.html. Prior to the HITECH Act, only the Secretary of Health and Human
Services could enforce HIPAA’s privacy and security rules. See Priscilla M. Regan, Federal
Security Breach Notifications: Politics and Approaches, 24 BERKELEY TECH. L.J. 1103, 1111
n.47 (2009) (citing GINA STEVENS & EDWARD C. LIU, CONG. RESEARCH SERV., R40546, THE
PRIVACY AND SECURITY PROVISIONS FOR HEALTH INFORMATION IN THE AMERICAN RECOVERY
AND REINVESTMENT ACT OF 2009, at 18 (2009)).
Congress has been considering additional data security legislation since
at least 2005.152 Thus far in the 111th Congress, the House has passed two
bills—the Data Accountability and Trust Act153 and the Cybersecurity
Enhancement Act of 2010.154 This section looks at those bills, and two
Senate bills introduced in the 111th Congress, to consider whether their
provisions would help or hinder the deterrence and resolution of payments
data spills. It also discusses H.R. 1319, the Informed P2P User Act, and S.
3027, a companion bill to H.R. 1319, which was introduced in the Senate in
February 2010.
Each of these bills would impose new requirements on the handling of
financial account data, which is among the most valuable data for data thieves
to access. Each bill only attempts to address a segment of a total data
security scheme. For example, the Data Accountability and Trust Act
directs the Federal Trade Commission to promulgate regulations to require
owners and possessors of electronic data containing personal information
and engaged in interstate commerce to provide for security procedures,
vulnerability testing, and proper disposal of data, and requires notification
of data security breaches to the FTC and to affected individuals.155 The
Cybersecurity Enhancement Act focuses on the creation of strategic plans
and support for research in the data security field, and requires the National
Science Foundation to recruit for and fund a scholarship program for
professionals in this field.156
As a result, merchants, payments processors, and operators of payments
systems will be subject to the Gramm-Leach-Bliley Financial Services
Modernization Act of 1999 (GLBA) and the Fair and Accurate Transactions
Act (FACTA) requirements, and “data brokers” may be subject to new
statutes such as the Data Accountability and Trust Act.157 Of course,
providers of consumer financial services and products are already governed
by Title V of the GLBA.158 S. 1490 creates enforcement mechanisms for
violations of its own requirements,159 and it authorizes the FTC to
promulgate regulations to implement its privacy and data security
requirements.160 In addition, the Senate bill confirms the role of the United
States Secret Service as the primary federal agency to be notified of data
security breaches161 and strengthens the tools that the federal government
may use in combating such breaches.162 It does not expand remedies for
consumers, largely because error resolution for unauthorized transactions
should be covered by rights available to them under laws governing other
payments system rules, including the Fair Credit Billing Act163 for credit
card transactions or the Electronic Fund Transfer Act for debit and payroll
card transactions.164 However, it leaves consumers affected by data spills
affecting bank and other transaction accounts, including gift cards, without
a specific remedy.
152. Beginning in the 109th Congress to early March 2010, numerous bills dealing with data
security from different perspectives have been introduced in the House of Representatives. See
generally Legislation in Current Congress, LIBRARY OF CONGRESS, www.thomas.gov (last visited
Dec. 28, 2010). Among these were the Consumer Notification and Financial Data Protection Act of
2005, H.B. 3374, 109th Cong. (2005) and the Consumer Data Security and Notification Act of
2005, H.B. 3140, 109th Cong. (2005), from the Committees on Banking and Financial Services
and on the Judiciary, respectively. For an excellent history of Congress’ interest in breach
notification legislation, see Regan, supra note 151, at 1112.
153. Data Accountability and Trust Act, H.R. 2221, 111th Cong. (as passed by House, Dec. 8,
2009).
154. Cybersecurity Enhancement Act of 2010, H.R. 4061, 111th Cong. (as passed by House,
Feb. 9, 2010).
155. H.R. 2221 §§ 2–3.
156. H.R. 4061 §§ 103, 106.
157. See Gramm-Leach-Bliley Act (GLBA), Pub. L. No. 106-102, 113 Stat. 1338 (1999); Fair
and Accurate Credit Transactions Act of 2003, Pub. L. No. 108-159, 117 Stat. 1952 (2003)
(codified as amended at 15 U.S.C. § 1601).
1. Bills Passed by the House of Representatives
The House of Representatives has passed two data security bills since
the beginning of 2009. These bills are:
a. H.R. 1319
The House of Representatives passed H.R. 1319 on December 8, 2009;
it requires P2P providers to disclose to users which files a P2P program can
share and to obtain the consent of the users before the files can be shared over that
program.165 The bill also makes it unlawful for any entity covered by its
provisions to prevent an owner or authorized user of a protected computer
from: (1) using “reasonable efforts” to block installation of a file-sharing
program or function if covered by the bill; and (2) “having a reasonable
means to” disable covered file-sharing programs or removing file-sharing
programs that the covered entity caused to be installed or induced another
person to install.166 The bill grants authority to the FTC to enforce its
requirements, making failure of the provider to comply the equivalent of a
violation of a rule defining unfair or deceptive acts or practices under
§ 18(a)(1)(B) of the FTC Act.167 The bill also authorizes the FTC to
promulgate rules to accomplish its provisions.168
158. Personal Data Privacy and Security Act of 2009, S. 1490, 111th Cong. § 301 (as reported
by S. Comm., Nov. 5, 2009) (exempting financial institutions regulated under GLBA from S.
1490). S. 1490 also would not apply to entities governed by HIPAA. Id. (exempting HIPAA-regulated
entities from S. 1490).
159. Id. § 101 (“Organized criminal activity in connection with unauthorized access to
personally identifiable information”); id. § 102 (“Concealment of security breaches involving
sensitive personally identifiable information”); id. § 104 (“Effects of identity theft on bankruptcy
proceedings”); id. § 202 (FTC enforcement powers against data brokers); id. § 303 (FTC
enforcement of requirements for privacy and security of personally identifiable information
programs); id. §§ 317–18 (enforcement by state and federal Attorneys General of breach
notification requirements).
160. Id. § 202.
161. Id. § 316.
162. Id. §§ 101–02, 202, 302, 317, 318.
163. Fair Credit Billing Act of 1974, Pub. L. No. 93-495, §§ 301–08, 88 Stat. 1500 (codified as
amended in scattered sections of 15 U.S.C.).
164. Electronic Fund Transfer Act, Pub. L. No. 95-630, § 2001, 92 Stat. 3728 (codified at 15
U.S.C. §§ 1693–1693r (2006)).
165. Informed P2P User Act, H.R. 1319, 111th Cong. (2009). Section 2’s requirement of notice
prior to installation or downloading of a P2P program or activation of a file-sharing function of
such a program does not apply to pre-installed software or to software upgrades. Id. § 2(a)(2)
(“Non-application to pre-installed software”); id. § 2(a)(3) (“Non-application to software
upgrades”).
b. H.R. 2221—The Data Accountability and Trust Act
Section 2 of the Data Accountability and Trust Act instructs the FTC to
promulgate regulations to:
[R]equire each person engaged in interstate commerce that owns or
possesses data containing personal information, or contracts to have any
third party entity maintain such data for such person, to establish and
implement policies and procedures regarding information security
practices for the treatment and protection of personal information taking
into consideration—
(A) the size of, and the nature, scope, and complexity of the
activities engaged in by, such person;
(B) the current state of the art in administrative, technical, and
physical safeguards for protecting such information; and
(C) the cost of implementing such safeguards.169
One of the problems with H.R. 2221 is its safe harbor from liability for
encrypted data because encryption alone170 is unlikely to sufficiently protect
data from all hacking. Rather, it is the bundle of physical, administrative,
and technical safeguards—which include but are not limited to encryption
efforts—that are more likely to yield comprehensive protections. The
incident at BlueCross BlueShield of Tennessee discussed supra
demonstrates how easily data may be stolen, particularly in large quantities,
if more than one of the three forms of protection is not in use.
With the enactment of the Dodd-Frank Wall Street Reform and
Consumer Protection Act of 2010 in July 2010, it is unclear whether the
rulemaking authority that H.R. 2221 granted to the FTC will remain there
166. Id. § 2(b).
167. Id. § 3.
168. Id. § 5.
169. Data Accountability and Trust Act, H.R. 2221, 111th Cong. § 2(a)(1) (as passed by House,
Dec. 8, 2009).
170. Id. § 3(f)(2)(A).
138
BROOK. J. CORP. FIN. & COM. L.
[Vol. 5
or will transfer to the newly created Bureau of Consumer Financial
Protection.171
c. The Cybersecurity Enhancement Act of 2010, H.R. 4061
On February 4, 2010, the House of Representatives passed the
Cybersecurity Enhancement Act of 2010. The Act, among other things,
encourages social and behavioral research in cybersecurity,172 provides for
sponsorship of the development of scholarship and funding for training,173
and encourages development and promotion of international cybersecurity
technical standards and an “identity management research and development
program.”174 If enacted, this bill is likely to encourage, in many respects,
new approaches to deterrence and more cooperation on spill prevention.
2. Bills Considered by the Senate
The Senate has considered numerous bills since January 2009. The
following sections consider them in detail.
a. S. 1490—The Personal Data Privacy and Security Act of
2009
The Senate Committee on the Judiciary found that 9,300,000 individual
records pertaining to personal payment transactions were compromised in
2008.175 Based on this finding, the Committee reported out S. 1490, the
Personal Data Privacy and Security Act of 2009. Its provisions cover
consumer access and correction rights to information held about them by
“data brokers.”176 Data brokers are entities that collect and sell commercial
data, including personally identifiable information, to others, including
governments.177 This bill resolves gaps left between the GLBA and FACTA
safeguards and disposal rules178—and indeed by HIPAA179—because
entities already subject to those statutes and regulations would not be
171. See Dodd-Frank Wall Street Reform and Consumer Protection Act, Pub. L. No. 111-203,
124 Stat. 1376 (2010).
172. Cybersecurity Enhancement Act of 2010, H.R. 4061, 111th Cong. § 104 (as passed by
House, Feb. 4, 2010).
173. Id. § 106 (“Federal Cyber Scholarship for Service Program”); id. § 107 (requiring an
analysis of and recommendations for securing an “adequate, well-trained Federal cybersecurity
workforce”).
174. Id. § 202 (development and promotion of “International Cybersecurity Technical
Standards”); id. § 204 (“Identity Management Research and Development” program).
175. Personal Data Privacy and Security Act of 2009, S. 1490, 111th Cong. § 2 (as reported by
S. Comm., Nov. 5, 2009).
176. Id. §§ 201–04.
177. Id. § 3(5) (defining “data broker”).
178. Disposal of Consumer Report Information and Records, 16 C.F.R. 682 (2006). This rule
implements provisions of the Fair Credit Reporting Act. See 15 U.S.C. § 1681w (2006).
179. Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, 110
Stat. 1936 (codified in scattered sections of 16, 26, 29, 42 U.S.C.).
governed by S. 1490.180 Three key features of the bill require data brokers
who collect or maintain records pertaining to 10,000 or more individuals to:
(1) have privacy and security programs;181 (2) audit and update those
programs;182 and (3) notify the United States Secret Service in the event of
data security breaches if the number of individuals whose personal
information is obtained without authorization exceeds 10,000 or if a
database or network containing 1 million or more individual records is
breached.183 A separate requirement to notify individuals whose personally
identifiable information is involved in the breach is excused if the data
broker’s risk assessment pertaining to that breach concludes that:
(A) there is no significant risk that a security breach has resulted in, or will
result in, harm to the individuals whose sensitive personally identifiable
information was subject to the security breach, with the encryption of such
information establishing a presumption that no significant risk exists, or
(B) there is no significant risk that a security breach has resulted in, or will
result in, harm to the individuals whose sensitive personally identifiable
information was subject to the security breach, with the rendering of such
sensitive personally identifiable information indecipherable through the
use of best practices or methods, such as redaction, access controls, or
other such mechanisms, which are widely accepted as an effective
industry practice, or an effective industry standard, establishing a
presumption that no significant risk exists[.]184
b. S. 139—The Data Breach Notification Act
S. 139, the Data Breach Notification Act, is a narrower bill than S.
1490. It does not impose the same requirements for new privacy and
security programs that S. 1490 imposes and its requirements for notification
of individuals by “data brokers” after a data breach also are narrower.185 S.
180. S. 1490.
181. Id. § 302.
182. Id. § 302(e).
183. Id. § 316. Notice to the U.S. Secret Service by entities experiencing data security breaches
is limited to cases in which 10,000 individual victims may be involved or to cases in which a
database or network is involved that contains information about one million individuals or more.
Id.
184. Id. § 312(b)(1) (emphasis added).
185. S. 139’s Sections 5 and 6 limit the notices they require to cases involving 5,000 or
more individuals. Data Breach Notification Act, S. 139, 111th Cong. §§ 5–6 (2009); see also id. §
3(b)–(c) (safe harbor presumptions). However, Section 7 is similar to S. 1490 in that it requires
notice to law enforcement only if the sensitive personally identifiable information (SPI) of about
5,000 or more individuals is believed to have been acquired or the affected database or integrated
databases contain SPI for one million or more individuals. See id. § 7.
For S. 1490, Title II’s provisions on notice to affected consumers in Sections 311 and 312
do not contain the threshold that Sections 5 and 6 of S. 139 do. See id. §§ 311–12. Title III’s
Section 316 contains a similar threshold to S. 139’s Section 7 on notice to law enforcement—a key
weakness in both bills. See id. § 316. However, Title III’s Section 302 contains much stronger
provisions on the scope, design, assessment of and periodic reassessment of protocols designed to
protect SPI, and also on training of personnel to protect SPI. Id. § 302.
139 allows a complete defense to liability in enforcement actions brought
for violations of its requirements if the data is encrypted or the database
follows “best practices.”186
c. S. 773—The Cybersecurity Act
S. 773, the Cybersecurity Act of 2009, takes a very different approach
from the other bills discussed in this part of the Article. It focuses on the
development by the National Institute of Standards and Technology (NIST)
of standards for federal government agencies’, government contractors’,
and grantees’ “critical infrastructure information systems and networks.”187
It also envisions financial assistance to create and support regional
cybersecurity centers to assist small and medium-sized businesses.188
Among many other provisions, it also places NIST in the position of
representing the United States in international cybersecurity standards
development projects,189 makes the Department of Commerce (Commerce)
the clearinghouse for all “cybersecurity threat and vulnerability
information,”190 and grants the Secretary access to data regardless of “any
provision of law, regulation, rule or policy restricting such access.”191 The
bill also authorizes the President to declare a “cybersecurity emergency”
and to “‘order the limitation or shutdown of Internet traffic to and from any
compromised Federal Government or United States critical infrastructure
information system or network.’”192
186. See S. 139 § 3(b)(2)(A)(B).
187. Cybersecurity Act of 2009, S. 773, 111th Cong. § 6 (2009).
188. Id. § 5. S. 773 does not reach depositary institutions or providers of securities and
insurance products. Jurisdiction over depositary institutions is with the Senate Committee on
Banking, Housing, and Urban Affairs. Committee Information, U.S. SENATE COMMITTEE ON
BANKING, HOUSING & URBAN AFFAIRS, http://banking.senate.gov/public/index.cfm?FuseAction=
CommitteeInformation.Jurisdiction (last visited Aug. 27, 2010).
189. S. 773 § 6(a).
190. Id. § 14(a).
191. Id. §§ 6, 14. The breadth of this authority would allow the Secretary of Commerce to avoid
the requirements of the Federal Right to Financial Privacy Act, 18 U.S.C. §§ 3401–3422 (2006),
and of other federal pro-privacy protections in the Fair Credit Reporting Act, 15 U.S.C. §
1681(u)–(v) (2006), the Electronic Communications Privacy Act, 18 U.S.C. § 2701(a) (2006), and
the National Security Act, 50 U.S.C. § 401 (2006). In the absence of restrictions such as these, the
government could obtain any information that an individual voluntarily gave to a third-party or
that resulted from their transactions.
192. See S.773—Cybersecurity Act of 2009, OPENCONGRESS,
http://www.opencongress.org/bill/111-s773/show (last visited Aug. 29, 2010) (citing S. 773
§ 18(2)); see also James Corbett,
The Rising Tide of Internet Censorship, GLOBAL RESEARCH (Feb. 5, 2010),
http://www.globalresearch.ca/index.php?context=va&aid=17433 (reporting, among other things,
the finding in conjunction with the bill’s introduction in 2009 that “‘voluntary action is not
enough’” to manage cyber security threats) (citation omitted).
d. S. 3027—The P2P Cyber Protection and Informed User Act
S. 3027, the P2P Cyber Protection and Informed User Act, is a
companion bill to H.R. 1319, which was introduced on February 23,
2010.193 Its substance is identical to that of H.R. 1319, described in Section
IV.A.1.a of this Article, supra.194
B. STATE LEGISLATION
While the federal government has been trying to enact and consider
data security bills, at least forty-six states, and the District of Columbia,
Commonwealth of Puerto Rico, and the U.S. Virgin Islands have enacted
some form of data security breach notification requirements.195 One state
has enacted a provision that requires retailers whose conduct causes
payments data spills to compensate the parties with whom they have
dealt,196 and a second is considering imposing a statutory contributory
negligence standard197 as well as a fund to which merchants would
contribute on a per-transaction basis to manage compensation for victims of
payments data security breaches.198
1. General Observations on State Data Security Breach Laws
State law requirements that make vendors liable to financial institutions
for breaches of unencrypted credit and debit card payment transaction data
could make a big difference in the overall integrity of the payments system.
To date, only Minnesota has enacted legislation that creates incentives to
deter breaches in this manner.199 The Minnesota law requires the use of
PCI,200 the only state to do so. It also imposes liability on merchants for
data security breaches.201 The forty-five other states that have required
breach notices to affected consumers create incentives for stronger
193. P2P Cyber Protection and Informed User Act, S. 3027, 111th Cong. (as introduced, Feb.
23, 2010).
194. Id.; see supra Part IV.A.1.a.
195. State Security Breach Notification Laws, NAT’L CONFERENCE OF STATE LEGISLATURES,
http://www.ncsl.org/default.aspx?tabid=13489 (last modified Apr. 12, 2010). For an excellent
discussion of the variables in state data security laws, see G. Martin Bingisser, Note, Data Privacy
and Breach Reporting: Compliance with Various State Laws, 4 SHIDLER J.L. COM. & TECH. 9
(2008), available at http://www.lctjournal.washington.edu/Vol4/a09Bingisser.html (written when
about half the states had enacted data security breach notification laws).
196. MINN. STAT. § 325E.64 Subd. 6 (2009); MINN. STAT. § 8.31 Subd. 3 (2009).
197. 2010 H.B. 1149, 2010 Leg., 61st Sess. (Wash. 2010).
198. An earlier version of Wash. 2010 H.B. 1149 contained the authority to collect the two-cent
fee to establish the fund. Data Security: Amended Bill Assigning Payment Card Breach Liability
Passes Washington House, Banking Rep. (BNA) No. 94, at 429 (Mar. 2, 2010) [hereinafter
Amended Bill Passes WA House].
199. § 325E.64; see also James T. Graves, Note, Minnesota’s PCI Law: A Small Step on the
Path to a Statutory Duty of Data Security Due Care, 34 WM. MITCHELL L. REV. 1115, 1117,
1132 (2008).
200. § 325E.64.
201. Id. Subd. 3.
technical, administrative, and physical safeguards for payments data by
requiring notice to all consumers whose personally identifiable information
has been released in a security breach.202
But each state’s laws vary slightly, and many employ subjective or
objective thresholds before action is required. For example, Washington’s
statute relieves an individual or entity from the duty to disclose the breach if
the breach “does not seem reasonably likely to subject customers to a risk of
criminal activity.”203 Virginia’s standard is both objective and similarly
subjective; disclosure of the breach is required if:
[I]nformation is accessed and acquired in an unencrypted form, or if the
security breach involves a person with access to the encryption key and
the individual or entity [suffering the breach] reasonably believes that such
a breach has caused or will cause identity theft or other fraud to any
resident of the Commonwealth.204
Reliance on the subjective assessments of the entity suffering the
breach may be likely to produce too little notification and, therefore, too
little customer or public pressure to reform data security practices.
State data security breach laws often do not provide much in the way of
direct redress for consumers whose payments transaction data is
compromised. For example, the Indiana security breach statute does not
create a private right of action for consumers.205
Other state proposals use high thresholds, such as the restriction in H.B.
1149 in Washington limiting its application to businesses and government
agencies that process 6 million or more payment card transactions in a
year.206 H.B. 1149 also (perhaps incorrectly) exempts businesses or agencies
from its liability provisions if they are in compliance with PCI DSS207
(because compliance ends when a breach is demonstrated). The varied
requirements of these state laws undoubtedly have contributed to the number
of data security bills introduced in Congress, as interstate companies work
to preempt the inconsistencies across states.208
State breach notification statutes may be seen by some as comparable to
the outbreaks of “domestic legislation” that from time to time propelled
202. See, e.g., id. Subd. 3(5).
203. WASH. REV. CODE ANN. § 19.255.010(d) (West 2010) (emphasis added).
204. VA. CODE ANN. § 18.2-186.6(C) (West 2010).
205. Pisciotta v. Old Nat’l Bancorp, 499 F.3d 629, 637 (7th Cir. 2007) (adding that the Indiana
statute “imposes no duty to compensate affected individuals for inconvenience or potential harm
to credit that may follow”).
206. See Amended Bill Passes WA House, supra note 198.
207. Id.
208. Thomas M. Lenard & Paul H. Rubin, Much Ado About Notification: Does the Rush to Pass
State-Level Data Security Regulations Benefit Consumers?, REGULATION, Spring 2006, at 44, 49–
50, available at http://www.cato.org/pubs/regulation/regv29n1/v29n1-5.pdf.
amendments to MARPOL’s requirements.209 The varying compliance
responsibilities of separate state laws and their costs likely draw funds210
and energy away from technical innovations aimed at overall safety goals.
In the data security context, however, the willingness of states to enact data
security breach laws has had the benefit of “increase[ing] the visibility” of
data security.211
C. NOVEL STATE PROPOSALS TO REDRESS OR DETER PAYMENTS
DATA SECURITY BREACHES
H.B. 1149, the bill that the Washington legislature passed,212 originally
suggested two new means of redressing liability. First, it made vendors that
sell payment card processing software and equipment contributorily liable
for breaches caused by faults in their software or hardware.213 Also, it
allowed merchants to charge two cents per transaction to offset the cost of
the insurance merchants would need to cover their liability to financial
institutions should data that merchants retained be breached.214 Only the
former of these made it through Washington’s House of Representatives.215
The bill also prohibits merchants “from retaining credit card security code
data, PIN codes or verification numbers, or the full content of ‘magnetic
stripe data’ after authorization of a transaction without the express consent
of customers.”216 In addition, it makes retailers liable for breaches of
retained payment card data if the breach exposed the unencrypted names or
account numbers of 5,000 or more individuals, as long as the business or
agency processes 6 million or more payment card transactions per
year.217 This provision is unique in that it limits liability to cases in which
the breach reaches a threshold number, as opposed to the more standard
numerical trigger for notices of the breach to consumers. If this provision is
209. See, e.g., Maitland, supra note 102, at 52; Senator Lautenberg—Naval Architect?, MARINE
LOG, Apr. 2008, at 14 (describing the October 2006 amendments to MARPOL and the notion that
if the International Maritime Organization moves in “too ‘reasonable’ [a manner] it may not fend
off unilateral action by individual countries”).
210. Caroline Stenman, The Development of the MARPOL and EU Regulations to Phase Out
Single Hulled Oil Tankers 8, 23–24 (May 2005) (masters thesis, Goteborg University School of
Economics and Commercial Law), available at http://gupea.ub.gu.se/bitstream/2077/1941/1/2005
56.pdf (explaining how unilateral EU action spurred adoption of stricter MARPOL guidelines,
phasing out single-hulled ships more quickly); see generally Michael E. Porter & Claas van der
Linde, Toward a New Conception of the Environment-Competitiveness Relationship, 9 J. OF
ECON PERSP. 97, 113–14 (1995); Roy Rothwell, Industrial Innovation and Government
Environmental Regulation: Some Lessons From the Past, 12 TECHNOVATION 447 (1992).
211. Graves, supra note 199, at 1116.
212. 2010 H.B. 1149, 2010 Leg., 61st Sess. (Wash. 2010), amending WASH. REV. CODE §
19.225.RCW (2010).
213. Id. § 3(b).
214. Amended Bill Passes WA House, supra note 198.
215. Id.
216. Id.
217. Id.
enacted, it could establish a precedent of non-liability for breaches affecting
only smaller numbers of individuals, which would not create incentives for
stronger data security.
V. ARE “SAFE HARBORS” OR PRESUMPTIONS BASED ON
ENCRYPTION OR OTHER SECURITY METHODS
APPROPRIATE?
As mentioned above, some of the data security bills pending in
Congress provide exemptions from requirements to notify individuals
whose personally identifiable information may have been affected by the
data security breach if the holder of the information has had the data
encrypted or subject to some other security methods. In some cases,
exemptions are possible based on encryption alone. This approach is used
in Ohio, West Virginia, and Virginia.218 In other cases, use of encryption
alone is sufficient to establish a presumption that there is no significant risk
that personally identifiable information was exposed in the breach.219
Encryption alone does not prevent attacks: data in the Heartland breach was
encrypted at the store, but apparently not in transmission.220
In early 2010, at a lecture on encryption given by Indiana University
School of Informatics Professor Steven A. Myers,221 I asked a question
about basing a “safe harbor” for data security on encryption alone. The
reaction by the Informatics faculty and graduate students in the room was
immediate and visceral: their jaws dropped. Their ensuing remarks made
clear their collective belief that encryption alone should not suffice to
qualify for a safe harbor. Rather, they preferred a combination of encryption
218. Many states create safe harbors by defining personal information as unencrypted and
readable data elements. See, e.g., OHIO REV. CODE ANN. § 1347.12(A)(6)(a) (West 2010). Other
states create safe harbors by defining a breach as “unauthorized access and acquisition of
unencrypted and unredacted data.” W. VA. CODE ANN. § 46A-2A-101(1) (2010). Others create
explicit safe harbors. See, e.g., VA. CODE ANN. § 18.2-186.6(C) (West 2010).
An individual or entity shall disclose the breach . . . if encrypted information is
accessed and acquired in an unencrypted form, or if the security breach involves a
person with access to the encryption key and the individual or entity reasonably
believes that such a breach has caused or will cause identity theft or other fraud to any
resident of the Commonwealth.
VA. CODE ANN. § 18.2-186.6(C).
219. Several states define “significant risk” as excluding the breach of encrypted data. See, e.g.,
R.I. GEN. LAWS § 11-49.2-3(a) (2010) (“Any state agency or person . . . shall disclose any breach
of the security of the system which poses a significant risk of identity theft . . . to any resident of
Rhode Island whose unencrypted personal information was [breached] . . . .”).
220. See Heartland Hacker Gonzalez Pleads Guilty to Compromise of Over 170 Million Cards,
ATMMARKETPLACE.COM (Sept. 14, 2009), http://atmmarketplace.com/article.php?id=11319&na=1
[hereinafter Heartland Hacker Pleads Guilty].
221. Steven A. Myers, Lecture at the Maurer School of Law, Indiana University: One Bit
Encryption (February 16, 2010). For the text of the paper on which this lecture was based, see
Steven Myers & Abhi Shelat, Bit Encryption Is Complete (2009) (unpublished manuscript) (on
file with author).
and “best practices” involving administrative, technical, and physical
safeguards. Dr. Myers and others in that audience also noted that the value
of encryption also depends to some extent on the portions of the data and
data transmission to which encryption is applied and the manner through
which the data were obtained. For example, the group of thieves responsible
for the TJX and Hannaford Brothers data spills was engaged in diverse
strategies including one known as “war driving” in which the group
intercepted payments data during transmission over wireless Internet
connections by positioning themselves close to store locations from which
the data were being transmitted.222
VI. ARE RECENT PAYMENTS DATA SECURITY
DEVELOPMENTS MOVING CLOSER TO A MARPOL-LIKE
REGIME?
Data security laws in the United States normally do not mandate that a
particular form of data security/anti-fraud process be employed, with
Minnesota’s law as the possible vanguard of a new approach.223 Rather,
existing state laws impose requirements on the owner of data if a data
security breach occurs.224 Thus, the norm is to allow the marketplace to
devise means to protect data so as to avoid the expense and reputational risk
of revealing that a data security breach occurred. This places the
responsibility of protecting data on each entity that holds payments data and
related personally identifiable information. One advantage of this approach
is that there is no single standard method of protecting payments data; the
diversity of approaches serves as a barrier to easier hacking, and there is no
static standard that would require legislative action to amend. However, as
reports of the “iffy decisions” made by BP and its partners in the drilling of
the Deepwater Horizon well show,225 self-driven risk assessments in highly
competitive environments may result in the commitment of too few
resources to disaster prevention.226
Payments systems and others could create more incentives for users to
keep up to date in deploying new security. They could, for instance, require
software developers to warrant their programs (as discussed in subsection A
below) or could push towards adoption of more secure technologies (as
discussed in subsection B).
222. Indictment at 4–5, United States v. Albert Gonzalez, No. SBK/EL/2009R00080 (D. N.J.
2009). Gonzalez has since pled guilty to identity theft, wire fraud, computer fraud, and conspiracy
in Massachusetts and New York, though charges are still pending in New Jersey. See Heartland
Hacker Pleads Guilty, supra note 220.
223. Graves, supra note 199, at 1117.
224. State laws typically impose duties to disclose and/or compensate after a breach has
occurred. See, e.g., CAL. CIV. CODE §§ 1785.11.2, 1798.29(a) (West 2007).
225. See Achenbach & Hilzenrath, supra note 39.
226. See Stephens, supra note 3.
A. SECURITY BASED ON SOFTWARE & WARRANTIES
Beyond requirements for prevention of payments data spills that are
comparable to MARPOL’s, some commentators have suggested that we
should use different methods to make payments systems software less
susceptible to hacking, including for example by requiring providers of
software and database operators to warrant their products or their services
to end users. Two of the proponents of specialty payments data warranties
are Roland Trope227 and Professor Juliet Moringiello.228
Warranties are a common way to manage externalities and to overcome
asymmetries in information between manufacturers and providers of
services and their customers.229 Warranties in sales transactions include
express and implied warranties of merchantability and fitness for a
particular purpose, as well as warranties of good title and quiet enjoyment,
and warranties against infringements of patents and trademarks.230 In the
payments data security arena—as in other vertical manufacturing and
retailing environments—warranties present some attractive market
opportunities for providing remedies if software fails to deliver its
promised results or services do not protect data in transmission or storage.
In 2004, Roland Trope argued for the creation of a software “limited
cyberworthiness warranty” based on the doctrine of seaworthiness.231 He
made two observations that bear upon both the focus of this Article and his
cyberworthiness proposal. First, he explained that common law in the
United States treats ships as “unseaworthy when [they are] ‘insufficiently or
defectively equipped.’”232 He also observed that “[c]ourts have come to
regard the seaworthiness of a ship as analogous to a warranty.”233
As Mr. Trope conceives of this new limited warranty, its target is the
capacity of a software “application’s capabilities to protect confidential
information from unauthorized access from, or disclosure to,
cyberspace.”234 He proposes that such a warranty might require that:
227. Roland L. Trope, A Warranty of Cyberworthiness, IEEE SECURITY & PRIVACY, Mar./Apr.
2004, at 73 [hereinafter Cyberworthiness].
228. See generally Moringiello, supra note 12.
229. See Claire A. Hill, A Comment on Language and Norms in Complex Business Contracting,
77 CHI.-KENT. L. REV. 29, 42 (2001).
Contractual provisions, typically representations and warranties, serve to credibly
communicate information, chiefly to rebut the presumption of undesirable attributes
which divergent interests inspire and information asymmetry makes possible. They
provide a means for one party to signal to the other the absence of undesirable attributes
and presence of desirable attributes.
Id.
230. U.C.C. §§ 2-312–315 (2003).
231. Cyberworthiness, supra note 227, at 73–74.
232. Id. at 74 (citing Waldron v. Moore-McCormack Lines, Inc., 386 U.S. 724, 726 (1967)).
233. Id. at 74 (citing Brister v. A.W.I., Inc., 946 F.2d 350, 355 (5th Cir. 1991)).
234. Id. at 73.
• Prior to the software’s release, the maker subjected [the software]
to rigorous tests to verify its degree of security against intrusion by
unauthorized persons, electronic agents, or code (that is, it verified
its cyberworthiness).
• By the time of release, the maker [should have] removed all known
critical security vulnerabilities found in the software. (I define
“critical” as any vulnerability that, if exploited, would enable
unauthorized access to confidential information or unauthorized
control of a user’s computing device.)
• After release, the maker shall continue to diligently probe the
software for security vulnerabilities.
• When the maker learns of a critical vulnerability, it will
immediately email all high-priority customers, describe the problem
in detail, and provide suggestions for a temporary solution—
disabling features, and so on—to diminish or limit the vulnerability
until the maker can provide a patch. (“High-priority customers” are
those likely to have valuable confidential information at risk in
systems linked to cyberspace. To become such a customer, the
party would enter into a written agreement with the software maker
that any vulnerabilities disclosed and patches released to it would
be kept confidential to prevent hackers from gaining early
knowledge of such vulnerabilities. These customers would pay an
increased purchase price in exchange for the incremental increase
in protection.) The vulnerability notice also would include
information that would alert users to take additional precautions to
safeguard their confidential information until they had received a
security patch.
• Immediately after creating a vulnerability security patch, the maker
would email it first to the high-priority customers and, after an
interval, to all registered software users.
• When distributing a security patch, the software maker shall not
attach to it any disclaimer as to the accuracy of information
provided with the patch or its fitness for correcting the specified
security vulnerability. . . .
• The software’s warranty will be valid for a period of three years
from the release date. (A security patch or newly marketed software
should be warranted for a period comparable to that covered by the
computing device’s warranty. It should be a period long enough to
earn a user’s trust. . . .
• The warranty would be valid for purchasers who buy directly from
the maker and for those who buy from third-party sellers, but
[whose purchaser is] still in the direct chain of distribution from the
maker.
• The warranty would prescribe precautions to which purchasers
must adhere, such as “do not open unknown attached files in emails
from unknown senders.” Purchasers who violate the precautions
(and suffer or cause harm) void the warranty, and will not be
entitled to damages from the maker.
• If the maker breaches the warranty, the purchaser (buyer or
licensee) is entitled to an expeditious remedy of a liquidated
damage in an amount and through a procedure specified in the
warranty . . . .235
Mr. Trope also proposes that this cyber-warranty be “phased in . . . with
the first security-patch release.”236 In addition, he suggests that warrantors
“would offer only the portion of the proposed warranty that applies to each
patch.”237
Professor Moringiello urges a warranty like the homeowners’ warranty
(HOW) that first became popular in the late 1970s.238 She analogizes to
early warranties created by law, in which courts were unwilling to leave
injured end users without a remedy against a provider with superior knowledge
and the ability to control the end product through contract and preventive
measures.239 Although courts have been far more reluctant to create
warranties in the data security arena, the theories undergirding early
common law warranties and the original common law homeowners’
warranties240 may apply with equal force to payments data security.
To allay payments-related data security concerns, the United States and
others will need to employ both MARPOL-based approaches and
warranties such as Trope’s phased-in cyber-worthiness warranty and
Moringiello’s HOW-like proposals. PCI DSS—a certification process based
on technical standards241—represents a significant advantage in protecting
the whole electronic payments data chain, but problems nevertheless have
arisen within systems that recently had been judged PCI DSS compliant.
For example, Hannaford Brothers apparently met credit card industry
security standards prior to breach but was still vulnerable to hacking.242
235. Id. at 73–74.
236. Id. at 74.
237. Id.
238. Moringiello, supra note 12, at 80–82.
239. Id.
240. See id.
241. For a description of the PCI DSS standards as well as the opportunity to download them,
see PCI SSC Data Security Standards Overview, PCI SECURITY COUNCIL,
https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml (last visited Dec. 30,
2010).
242. See Ross Kerber, Advanced Tactic Targeted Grocer ‘Malware’ Stole Hannaford Data,
BOS. GLOBE, Mar. 28, 2008, at 1A (noting that Hannaford met standards set by VISA, Inc. and
other card companies but that these were not sufficient to avoid the breach, explaining that the
breach was attributable to that which analyst Steve Rowen described as “‘markedly more
sophisticated,’” and reporting that the hackers “mined a stream of data that merchants and banks
were not responsible for protecting under industry rules”).
B. SECURITY BASED ON THE CARDS THEMSELVES OR ON THE CARD
AND THE CARD AUTHENTICATION PROCESS:
More recent payments security advances include “chip-and-PIN”
systems associated with the Europay, MasterCard, and VISA (EMV)
system. EMV generates transaction data from the “card authentication
[process] and from the cardholder verification processes” the issuer may
employ.243 Deployed in the EU, Canada, and Asia beginning in 2004, and
mandatory in the UK beginning in 2005, chip-and-PIN technologies offer
more protections against hacking.244 For example, in the first year of its
deployment in the UK, chip-and-PIN technology contributed to a 13 percent
decline in card fraud in Britain.245 However, as a “skimming” fraud246
aimed at Shell oil stations in the UK in 2006 demonstrated, for cards that
contain magnetic stripes as well as EMV/chip-and-PIN technology, even
EMV is not fail-safe.247 And, as Jane Adams reports, thieves can still
perpetrate “card-not-present” frauds by bypassing the chip or magnetic
stripe.248
Despite the issues with these technologies, EMV/chip-and-PIN
technologies offer more advanced anti-fraud approaches, including the
ability to “identify fraud patterns and credit risk situations” by comparing
data gleaned from the current transaction to data from prior transactions.249
However, EMV technology has been slower to gain traction in the United
States250 than in Europe,251 and the absence of EMV chips is an obstacle to
U.S.-based consumers using their cards for international travel.252 Among
the issues that may work against broader-scale deployment in the U.S. are
the costs of the readers253 for EMV cards and concerns that full deployment
of the cards’ features could implicate privacy concerns.254
243. Jane Adams, Dynamic Risk Management with EMV Data, ACI WORLDWIDE, July 2006, at
1, http://surveycenter.tsainc.com/pdfs/3065%20EMV%20flyer.pdf (citing Michael Hendry, a
payments consultant who helped implement EMV systems in the EU).
244. See, e.g., Fed Official Warns Card Fraud Threat Growing in U.S., COLLECTIONS &
CREDIT RISK (July 27, 2010), http://www.collectionscreditrisk.com/news/fed-official-warns-cardfraud-threat-growing-3002682-1.html (citing Richard Oliver of the Atlanta Federal Reserve
Bank’s Retail Payments Risk forum advocating a shift to the EMV smart-card technology used in
Europe, Canada, and other regions of the world to thwart fraud rings and criminals); Fitzgerald,
supra note 41 (describing phase-in deadlines for EMV technology in Canada and liability
increases for merchants that have not deployed it on schedule); Brian Ooi, The EMV Migration
Path in the Asia Pacific Region, FROST & SULLIVAN (Aug. 25, 2005), http://www.frost.com/prod/
servlet/market-insight-top.pag?docid=46281303; Vijayan, supra note 80.
245. Adams, supra note 243, at 1.
246. See Petrol Station Worker Admits Credit Card Fraud, NORTHAMPTON CHRON. & ECHO
(U.K.), Apr. 9, 2009, http://www.northamptonchron.co.uk/news/Petrol-station-worker-admitscredit.5156481.jp.
247. Adams, supra note 243, at 1.
248. Id.
249. Id. at 2. Adams reported that information stored on the card and capable of being passed
back through EMV includes information relevant to prior efforts to misappropriate the card and
the authorization process such as evidence that data authentication, script processing, or
authorization request cryptogram verification has failed. Id. Card data also would show repeated
uses at untended terminals. Id. Some of the data that the card can send pertain to offline
transactions, which Adams reported are “particularly prone to fraud.” Id.
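The issuer-side risk management that Adams describes, in which indicators carried back through EMV from prior transactions are compared with the current one, can be sketched as a scoring routine. The Python below is an added illustration, not code from the article or from any card scheme or issuer; its flag names, weights, thresholds and sample transactions are constructed assumptions rather than real EMV data elements.

```python
"""Issuer-side risk scoring over EMV transaction history (added illustration).

Not code from the article or any card scheme: it models the "dynamic risk
management" Adams describes, scoring the current transaction against
indicators carried back from the card's prior ones. Flag names, weights,
thresholds and the sample records are constructed assumptions, not real
EMV tag layouts or any issuer's actual rules.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Txn:
    card: str
    amount: float
    country: str
    offline: bool = False        # approved offline, without an online issuer decision
    unattended: bool = False     # unattended terminal such as a fuel pump
    oda_failed: bool = False     # offline data authentication failed
    script_failed: bool = False  # issuer script processing failed
    arqc_failed: bool = False    # authorisation request cryptogram did not verify

# Constructed weights: how much each indicator on the current transaction adds.
WEIGHTS = {
    "arqc_failed": 60,   # a cryptogram that fails to verify is the strongest signal
    "oda_failed": 25,
    "script_failed": 15,
    "offline": 10,
    "unattended": 5,
}
PRIOR_FAILURE_WEIGHT = 10     # per earlier authentication failure on this card
MAX_CONSECUTIVE_OFFLINE = 3   # offline approvals allowed before one must go online
OFFLINE_LIMIT_BONUS = 40
REPEAT_UNATTENDED_BONUS = 20  # third consecutive unattended use
NEW_COUNTRY_BONUS = 15
DECLINE_THRESHOLD = 50


def consecutive_offline(history: List[Txn]) -> int:
    """Number of offline approvals at the tail of the card's history."""
    run = 0
    for txn in reversed(history):
        if not txn.offline:
            break
        run += 1
    return run


def score_transaction(current: Txn, history: List[Txn]) -> Tuple[int, List[str]]:
    """Return (risk score, reasons) for `current` given the same card's prior transactions."""
    score, reasons = 0, []
    for flag, weight in WEIGHTS.items():
        if getattr(current, flag):
            score += weight
            reasons.append(flag)
    # Evidence of earlier attempts on this card, carried forward from prior transactions.
    prior_failures = sum(1 for t in history if t.oda_failed or t.script_failed or t.arqc_failed)
    if prior_failures:
        score += PRIOR_FAILURE_WEIGHT * prior_failures
        reasons.append(f"{prior_failures} prior authentication failure(s)")
    # Offline transactions are the ones the text calls "particularly prone to fraud".
    if current.offline and consecutive_offline(history) >= MAX_CONSECUTIVE_OFFLINE:
        score += OFFLINE_LIMIT_BONUS
        reasons.append("offline limit exceeded")
    # Repeated use at unattended terminals (the fuel-station pattern).
    recent = history[-2:]
    if current.unattended and len(recent) == 2 and all(t.unattended for t in recent):
        score += REPEAT_UNATTENDED_BONUS
        reasons.append("repeated use at unattended terminals")
    # First appearance in a country not previously seen for this card.
    if history and current.country not in {t.country for t in history}:
        score += NEW_COUNTRY_BONUS
        reasons.append(f"first use in {current.country}")
    return score, reasons


def decide(current: Txn, history: List[Txn]) -> Tuple[str, int, List[str]]:
    score, reasons = score_transaction(current, history)
    return ("DECLINE" if score >= DECLINE_THRESHOLD else "APPROVE"), score, reasons


def run(transactions: List[Txn]) -> List[Tuple[str, int, List[str]]]:
    """Score a card's transactions in order; every transaction joins the history."""
    history, decisions = [], []
    for txn in transactions:
        decisions.append(decide(txn, history))
        history.append(txn)
    return decisions


# Constructed sample: a normal purchase, three offline fuel-pump approvals,
# then a transaction abroad whose cryptogram fails to verify.
CARD = "constructed-card-0001"
SAMPLE = [
    Txn(CARD, 42.00, "GB"),
    Txn(CARD, 30.00, "GB", offline=True, unattended=True),
    Txn(CARD, 35.00, "GB", offline=True, unattended=True),
    Txn(CARD, 40.00, "GB", offline=True, unattended=True),
    Txn(CARD, 500.00, "US", arqc_failed=True),
]

if __name__ == "__main__":
    for txn, (verdict, score, reasons) in zip(SAMPLE, run(SAMPLE)):
        print(f"{txn.country} {txn.amount:>7.2f} -> {verdict} ({score}) {', '.join(reasons)}")
```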
CONCLUSION
The cost and extent of payments-related data security breaches have
been rising in the United States.255 Legislation to curb data security
breaches and to enhance enforcement of federal laws, which has emanated
recently from the Committee on the Judiciary in the House of
Representatives and the Senate Committees on the Judiciary, Homeland
Security, and Commerce, Science and Technology, offers promise. These
bills are steps in the right direction, but they still suffer from the
jurisdictional limitations under which the Senate Committees in particular
operate.256 These jurisdictional limitations caused the current gaps in data
security left by GLBA,257 FACTA,258 and HIPAA.259 Thus, the more recent
bills described in this paper—apart from S. 773—focus on “data brokers,”
commercial entities whose primary role is to collect and sell post-transaction
information including personally identifiable information, as
opposed to persons who themselves engaged in transactions with consumers
whose personal and account information is the target of thieves, or those that
already are governed as “consumer reporting agencies” by the Fair Credit
Reporting Act and FACTA.260
250. See Chips Cards in the U.S., THE NILSON REPORT ISSUE 930, at 6 (July 2009) (explaining
most U.S. issuers will have EMV-compliant chip cards available by the end of 2010 with plans to
market them to upscale frequent international travelers). The slow adoption of chip-and-PIN
technology has made it harder for individuals with credit cards issued in the U.S. to use them
abroad. See Michelle Higgins, For Americans, Plastic Buys Less, N.Y. TIMES, Oct. 4, 2009, at
TR3 (explaining that 22 countries including “much of Europe, Mexico, Brazil, and Japan, have
adopted the technology” and that another 50 countries are “in various stages of migrating to the
technology in the next two years, including China, India, and most of Latin America”). In
addition, Ms. Higgins reported that as Canada deploys this technology issuers there “plan[] to stop
accepting magnetic stripe debit cards at A.T.M.s after 2012 and at point-of-sale terminals after
2015.” Id. For more information on Canada’s movement to chip-and-PIN technology, see
Canada’s Migration to Chip, EMV CANADA, http://www.emvcanada.com/merchant_documents/
background.pdf (last visited Dec. 30, 2010). EMVCanada is a web site provided by ACT Canada,
a non-profit organization, to provide a neutral forum for consumers, merchants, and the media to
learn and share information related to secure payments. Id.
251. See Brandon Glenn, Visa Hopes European Unit Can Give More Flexibility to Customers,
IRISH TIMES, May 7, 2004, at 58 (discussing the introduction of chip-and-PIN systems throughout
Europe).
252. EMV Chip Cards Expected for Upscale U.S. Cardholders, SMART CARD ALLIANCE,
http://www.smartcardalliance.org/resources/pdf/EMV_Cards_Issued_in_US.pdf (last visited Sept.
22, 2010).
253. See Dan Balaban, Turning the Corner, CARD TECH., Nov. 1, 2005, at 42 (reporting on the
slow roll-out of readers across Europe).
254. Adams, supra note 243, at 2–3 (discussing the capacity to build a “detailed user profile”).
Chipped cards are capable of holding significant amounts of personal data, such as passport and
driver’s license information, health records, and medical histories. See Fundamentals of EMV
Chip: The Next Revolution: The Payment Environment Is Quickly Changing. Are You Ready to
Make Contact in this Brave New World?, INSIGHTS, Winter 2006, at 4, available at
http://www.mastercard.com/ca/wce/PDF/14049_Insights2006-Fundamentals-EN.pdf [hereinafter
Fundamentals of EMV Chip].
255. See PONEMON INSTITUTE, supra note 23, at 4. For a more comprehensive discussion of
card payment fraud, particularly its potential for damage and increases in fraud, see Richard J.
Sullivan, The Changing Nature of U.S. Card Payment Fraud: Industry and Public Policy Options,
FED. RESERVE BANK OF KANSAS CITY ECON. REV., 2Q 2010, at 101.
These bills will impose on data brokers particular federal requirements,
but will leave them legally unconnected to end users: the consumers
or businesses whose transaction information they have obtained will still be
without legal recourse against the entity that was holding their data at the
time of the breach.261 For this reason, the lack of a unified regulatory regime
operating on an end-to-end basis leaves the door open to future database
hacking, given decisions such as that by the Supreme Judicial Court of
Massachusetts in Cumis Insurance Society, Inc. v. BJ’s Wholesale Club,
Inc.262 Moreover, Congressional bills such as H.R. 2221 and S. 1490,
which grant a safe harbor from prosecution for violations of their
requirements (including the requirement to notify affected individuals) if the
data are encrypted or the entity uses other “best practices” to bolster the
benefits of encryption, are likely to leave a lot of account data and other
personally identifiable information without sufficient protection.263
256. For example, it apparently is much more difficult in the Senate to take up a subject or to
propose a law governing an industry that lies partly in the jurisdiction of another committee. Thus,
each committee drafts legislation uniquely aimed at solutions to issues within its own purview,
often leaving associated issues unresolved for jurisdictional reasons. Senate Committees, U.S.
SENATE, http://www.senate.gov/artandhistory/history/common/briefing/Committees.htm (last
visited Oct. 2, 2010).
257. Gramm-Leach-Bliley Act, Pub. L. No. 106-102, 113 Stat. 1338 (1999).
258. Fair and Accurate Credit Transactions Act of 2003, Pub. L. No. 108-159, 117 Stat. 1952.
259. Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, 110
Stat. 1936 (codified in scattered sections of 16, 26, 29, 42 U.S.C.).
260. Fair Credit Reporting Act, 15 U.S.C. § 1681a(f) (2006).
The term ‘consumer reporting agency’ means any person which, for monetary fees,
dues, or on a cooperative nonprofit basis, regularly engages in whole or in part in the
practice of assembling or evaluating consumer credit information or other information
on consumers for the purpose of furnishing consumer reports to third parties, and which
uses any means or facility of interstate commerce for the purpose of preparing or
furnishing consumer reports.
Id.
261. See supra text accompanying notes 149–194.
262. Cumis Ins. Soc’y, Inc. v. BJ’s Wholesale Club, Inc. 918 N.E.2d 36, 46–47, 50–51 (Mass.
2009).
263. See Data Accountability and Trust Act, H.R. 2221, 111th Cong. § 3 (as passed by House,
Dec. 8, 2009); Personal Data Privacy and Security Act of 2009, S. 1490, 111th Cong. § 311 (as
reported by S. Comm., Nov. 5, 2009).
The current enacted and proposed legislation addresses many of the
similarities between data spills and maritime accidents. But, unfortunately,
many of our data security efforts to date seem to miss the most critical
distinction between legal schemes for the prevention of pollution from
maritime accidents and other legal prevention schemes: that payments-related data security breaches are different from the hazards of maritime
activities. It is important to remember Roland Trope’s highly useful
observation that it is easier for ships to avoid encounters with charted rocks
and shallow waters than with shifting sand bars.264 The former do not move.
Sand bars move, and their movement may be accelerated by storms and
other weather conditions. But even sand bars are better known risks than
data-security attacks. Sand bars and other natural maritime risks move
much less frequently and normally with more predictability than does the
capacity, indeed the determination and artistry, of individuals determined to
penetrate databases or to intercept real-time exchanges of payments-related
data.
Maritime accidents fall into two categories: on the one hand, collisions
between two ships, or accidents involving oil-and-gas exploration or the
operation of deepwater ports, which are primarily the result of operator
negligence; and, on the other, groundings or collisions with rocks, sand bars,
shoals, and other inherent sea hazards.265 Payments data security breaches seem
more closely associated with the former category because cost-cutting and
inadequate risk assessments by private actors contribute to disasters with
broad-reaching implications, as the Deepwater Horizon explosion and spill
tragically demonstrated.266 But payments-related data spills are even harder
to prevent because, unlike events caused by storms, negligence, or merely
bad choices, data security breaches are perpetrated by determined
individuals who are constantly exploring new methods of getting access to
data and systems they need to engage in crimes. Thus, in payments-data
security, the “terrain”-based threats seem to be subject to even more
constant changes than are sand bar risks to maritime activities.
Like MARPOL and the associated compensation conventions—such as
Civil Liability 1992 and Fund 1992, and their predecessors267—we should
make data protection a dynamic process that receives persistent attention,
specifically by rethinking and restructuring it as new administrative,
technical, and physical safeguards against data penetration come into
being. Encryption is one of the technical safeguards
that should be part of this process, but it alone is insufficient to protect data,
counter-parties, or consumers.
264. Interview with Roland Trope, supra note 147.
265. See supra text accompanying notes 139–146; see also Graham Mapplebeck, Int’l Mar.
Org., Navigational Safety and the Challenges of Electronic Navigation (Feb. 14, 2008) (transcript
available at https://www.imo.org/includes/blastDataOnly.asp/data_id%3D21091/Navigation
alsafety.pdf).
266. See Achenbach & Hilzenrath, supra note 39.
267. See supra text accompanying notes 98–133.
Moreover, despite traditional and appropriate reluctance in this country
to require that certain technologies be employed, developments elsewhere
may make the use of specific technologies, comparable to the double-hull
requirement in MARPOL,268 mandatory. For example, with EMV
increasingly in use in the EU and Canada, it may only be a matter of time
before EMV is more widely used here by credit and debit card issuers.
However, while EMV technologies can contribute to greater fraud
prevention, they do not yield 100% protection from fraud269—and their
protection may come at the price of consumer/user privacy.270
Third, despite the widespread damage that a maritime accident may
create, the causes and effects of data spills are much less localized than the
effects of typical maritime accidents. Data security breaches of a system in
one part of the world—such as the penetration of Royal Bank of Scotland’s
WorldPay system and the rapid subsequent withdrawals at ATMs in forty-nine countries271—affect payments systems in other parts of the world.272
Fourth, Congress and the states have crafted legislation that addresses
consumer concerns more than actual prevention of payments data spills.
With the exception of S. 773, the other bills discussed in this Article require
consumer notification once the spill has occurred if the owners’
assessments of the number of consumers affected exceed specified
thresholds and also address certain limited law enforcement concerns.273
But they generally leave risk-assessment and choices of administrative,
technical, and physical safeguards for systems and data to the private actors
involved.
Consumers in a breach-prone environment are a lot like birds, fish, and
other animals whose habitats are affected by spills of hazardous substances
they did not cause. They often lack the ability to protect themselves.
However, in the data security environment, consumers with access to
information concerning data spill events may be better able to thwart
additional damages to their financial well-being such as identity theft and
credit-rating damage. However, at this time in the United States, as
described in this Article, there is no standard requirement for disclosure,
and in some states disclosure is limited to large-scale data spills, such as the
threshold of 6 million payment cards processed per year in Washington
State’s H. 1149.274 Even for consumers who might consider switching to new
providers or to other retailers after a data-spill event affected their former
provider or favorite grocery chain, there are few guarantees that the security
systems that their new providers employ are any less vulnerable to a breach
than their former providers’ systems were.
268. Revised Annex 1 of MARPOL 73/78, supra note 105.
269. Adams, supra note 243, at 1.
270. Fundamentals of EMV Chip, supra note 254, at 4.
271. See Part I.A.1; see also Ashford, supra note 70; Espiner, supra note 65; Lemos, supra note 66.
272. Lemos, supra note 66 (persons acting in concert with the hackers were located in forty-nine cities around the world and accessed roughly 130 ATM’s in their respective areas to carry out
the last phase of this payments fraud). In the longer-standing attack announced by the FTC in
February, the perpetrators used multiple command and control centers around the world to
manage their money movements. Robert McMillan, SEC, FTC Investigating Heartland After Data
Theft, PCWORLD (Feb. 25, 2009, 6:10 PM), http://www.pcworld.com/businesscenter/article
/160264/sec_ftc_investigating_heartland_after_data_theft.html.
273. See supra text accompanying notes 163–198.
Similarly, some data spills cause other providers’ systems to become
infected, in a manner like Deepwater Horizon or the Exxon Valdez, in
which oil spread away from the primary location.275 Accordingly, entities
that own or possess payments data should receive legal or other financial
incentives to employ ever-strengthening administrative, technical, and
physical protections for data related to consumer deposit accounts, credit
cards, debit cards, and other prepaid cards, as well as for other types of
financial accounts such as insurance and securities. And there should be
adequate legal consequences for failing these duties to maintain adequate
safeguards beyond those already codified, such as the rules implementing
GLBA, FACTA, and other federal statutes and rules, including appropriate
private rights of action provided by relevant federal statutes or fines as the
OPA allows.276
As EMV/chip-and-PIN technologies deploy around us,277 they probably
will become the standards for retail payments security. EMV and PCI DSS
are different solutions to these issues, employed in different nations, to
protect the integrity of card-based payments. EMV and PCI DSS represent
different philosophies for providing protection on the order of MARPOL’s
double-hulled ship scheme. However, employing some security technology
such as EMV imposes a real trade-off in the form of privacy, because the
technology can retain more information about purchasing habits than other
card systems retain on the card itself.278 This does not present the same
types of concerns in Canada or the EU as it may in the U.S. because of the
restrictions there on trading the types of information that EMV technologies and
other payment card transactional records may contain. This concern would
grow larger if legislation such as S. 773 is enacted, because it grants open-ended
access to information to the Secretary of Commerce, without mention
of any restrictions on retention or other use of the information unconnected
with prosecution and resolution of the data security breach.279 Thus, it could
enable a vast warehousing of payments transaction data by Commerce
without protections already applicable to other government data requests or
collection.280
274. 2010 H.B. 1149, 2010 Leg., 61st Sess. (Wash. 2010), amending WASH REV. CODE §
19.225.RCW (2010).
275. See supra Part III.
276. See supra text accompanying notes 42–55.
277. Deployments in Canada and Mexico are considerably ahead of deployment in the U.S. See
EMV Chip Cards Expected for Upscale U.S. Cardholders, supra note 252, at 1 n. 5.
278. Fundamentals of EMV Chip, supra note 254.
279. See Cybersecurity Act of 2009, S. 773, 111th Cong. § 14(b) (2009).
Among the solutions discussed in this Article, the types of cyber
warranties that Mr. Trope and Professor Moringiello have advocated are
attractive so long as they cannot be disclaimed, which would deprive end users
and consumers of their protections. New data security warranties could be
enacted at the state level, or by Congress, or could form part of a
MARPOL-like multilateral approach with its prescriptive regulation of
aspects of accident prevention and intentional shipping discharges of oil
and other pollutants—such as its double-hull and operational requirements,
as well as its additional operational requirements or “penalties” on ships
that do not comply.281 MARPOL’s requirement of notice of spills and
discharges to a central agency is similar to proposals in Congress that
require notice to the U.S. Secret Service.282 Notice allows a government
authority to monitor recovery processes and to coordinate law enforcement
resources as needed.
However, in terms of compensation for victims of shipping spills and
discharges and oil-and-gas exploration accidents, neither MARPOL nor the
Oil Liability provisions of the Clean Water Act offers optimal solutions for
the payments data security breach arena for at least two reasons. First,
unlike shipping or exploration events that are unlikely to repeat themselves,
payments data breaches may recur or thieves may use and/or resell the
information they obtain. Second, once liability limits are enacted in statutes
or agreed to in treaties or conventions, they are difficult to raise.283
Enabling stronger deterrence of payments data security breaches, and
finding means of resolving them when they occur, is vitally important to the
integrity of the payments system and to individuals’ trust of it. We should
strive for more seamless recovery methods than are currently available in
the U.S., through regulatory or private litigation.284 The movement from a
private claims process conducted by BP for persons whose employment
was adversely affected as a result of the Deepwater Horizon oil spill to a
federal claims czar overseeing the claims—such as Kenneth Feinberg’s
Deepwater Horizon and 9/11 Claims processes285—suggests a model for
claims resolution outside the court system at the election of the claimant.286
Such claims processes are particularly important in cases in which there
may be thousands of similarly situated claimants, as well as those cases in
which the claimant is unlikely to be able to access the technical expertise
necessary to pursue his claims apart from the option of class actions. A
rigorous claims procedure also would protect the entity experiencing the
breach in the same manner that the alleged tortfeasor is protected by the
“economic loss doctrine” barring recovery to claimants that cannot
demonstrate actual damages.287
280. Id. (“The Secretary of Commerce—(1) shall have access to all relevant data . . . without
regard to any provision of law, regulation, rule, or policy restricting such access.”).
281. Revised Annex I of MARPOL 73/78, supra note 105.
282. Data Privacy and Security Act of 2009, S. 1490, 111th Cong. § 316 (as reported by S.
Comm., Nov. 5, 2009); see also S. REP. NO. 111-110, at 5 (2009) (“[T]he bill also requires that
business entities and Federal agencies notify the Secret Service of a data security breach within 14
days of the occurrence of the breach.”).
283. E.g., Mailtland, supra note 102, at 51. As an example of how long a ceiling or floor stays
in a federal statute, consider the Truth in Lending Act, 15 U.S.C. §§ 1601–1693r (2006). Since its
original enactment in 1968, it has exempted transactions in which the total amount financed
exceeds $25,000. Id. § 1603(3); see also id. § 1601. Certainly, $25,000 bought a lot more in 1968
than it would today. In the oil spill context, Senator Lautenberg of New Jersey has introduced
legislation that would phase out federal liability limits for oil spills from single-hulled tankers and
raise liability limits for oil spills overall. See, e.g., Coast Guard and Maritime Transportation Act
of 2006, Pub. L. No. 109-241, 120 Stat. 516, § 603. For additional discussion of Senator
Lautenberg’s efforts, see Senator Lautenberg—Naval Architect?, supra note 209.
Payments data security is increasingly vital to the economy and to
national security. After the 2010 Cyber Shock Wave simulation,288 the
former director of the National Security Agency during the Clinton
Administration argued that the government needs more capacity to deal
with cyber security events and strategies as well as the ability to work
cooperatively with the private sector.289 Only two of the federal bills
analyzed in this Article—H.R. 2221 and S. 773—address strategic
payments and non-payments security issues, such as malicious and strategic
cyber attacks on infrastructure in the payments, utilities, and
telecommunications areas in the U.S. This is accomplished through their
grants of authority to order sequestration of systems that are compromised
or that threaten other systems and infrastructures.290 We also may need to
impose stronger requirements on companies that have had more than one
data security breach, such as ChoicePoint. And, finally, we can hope that
multilateral organizations in the payments industry can play a stronger role
than they have so far in framing for payments data protection functional
equivalents of MARPOL’s double-hulled vessels and other operational
restrictions.
284. See, e.g., Pisciotta v. Old Nat’l Bancorp, 499 F.3d 629, 637 (7th Cir. 2007); Cumis Ins.
Soc’y, Inc. v. BJ’s Wholesale Club, Inc., 918 N.E.2d 36, 46–47, 50–51 (Mass. 2009) (denying
recovery on a third-party beneficiary basis).
285. See Matthew Jaffe, Ken Feinberg Named BP Oil Spill Escrow Pay Czar, ABC NEWS, June
17, 2010, http://abcnews.go.com/Business/bp-gulf-oil-spill-ken-feinberg-appointedhead/story
?id=10933766; see also Laurel Brubaker Calkins, BP Spill Claims Process Inadequate, Too Slow,
Fishermen Tell Federal Judge, BLOOMBERG NEWS, May 21, 2010, http://www.bloomberg.com/
news/2010-05-21/bp-spill-claims-process-inadequate-too-slow-fishermen-tell-federal-judge.html;
Leigh Coleman, BP Stalls Payments to Oil Spill Victims: Feinberg, REUTERS, July 24, 2010,
available at http://www.reuters.com/article/idUSTRE66N15020100724.
286. See, e.g., Mireya Navarro, Deal is Reached on Health Care Costs of 9/11 Workers, N.Y.
TIMES, Mar. 12, 2010, at A1 (describing option to pursue individual claims in court, which few
heirs of the victims of the 9/11 attacks took).
287. See, e.g., In re TJX Cos. Retail Sec. Breach Litig., 564 F.3d 489, 498–99 (1st Cir. 2009);
Banknorth, N.A., v. BJ’s Wholesale Club, Inc., 394 F. Supp. 2d 283, 286–87 (D. Me. 2005).
288. See Mike McConnell, To Win the Cyber-War, Look to the Cold War, WASH. POST, Feb.
28, 2010, at B1.
289. Id.
290. Cybersecurity Act of 2009, S. 773, 111th Cong. § 18(2), (6) (2009).
With the growing evidence of the cross-border implications of data
spills, we would also do well to consider the benefits of international
cooperation—recognizing, as Melissa Hathaway, former acting senior
director for cyberspace for the National Security and Homeland Security
Councils did, that the U.S. “‘cannot succeed in securing cyberspace if it
works in isolation.’”291
291. Steve Rangor, Cyber Security: War Games or Mission Impossible?, ZDNet (Apr. 27,
2009), http://www.zdnetasia.com/cybersecurity-war-games-or-mission-impossible-62053582.htm
(quoting Hathaway’s speech at the 2009 RSA Conference in San Francisco).
NOTES
CREDIT CARD ACCOUNTABILITY,
RESPONSIBILITY AND DISCLOSURE ACT OF
2009: PROTECTING YOUNG CONSUMERS OR
IMPINGING ON THEIR FINANCIAL
FREEDOM?
INTRODUCTION
There are an estimated 1.22 billion credit cards in the United States.1
The average adult has about five credit cards.2 This increased use of credit
has led to substantial debt and an increase in bankruptcy filings across the
nation.3 College students are not immune to this trend.4 Although reports
vary on the number of college students with credit cards, students are a
well-known market for credit card issuers.5 According to a 2001 Government
Accountability Office (GAO) Report, almost “two-thirds of all college
students had at least one credit card . . . .”6 In fact, of the nearly 9.9 million
students currently enrolled at four-year colleges, each has an average of 2.8
cards.7 Estimates of credit card debt upon graduation range from $2,2008 to
$4,100.9 It is no wonder that credit solicitors aggressively target this market.
As Senator Tom Carper (D-DE) stated, “[t]hey wallpaper all of those
college hallways with credit cards because if you can get someone at that
age to start using credit cards with your company, then you have got them
for a long period of time.”10 In fact, more than 70% of students keep their
first credit card.11 This provides a powerful incentive for the credit card
industry.
1. Press Release, Wisconsin Public Interest Research Group, Sen. Kohl et al., WISPIRG
Advocate Student Credit Card Reform Proposals (Apr. 7, 2009), http://www.wispirg.org/newsreleases/consumer-protection/consumer-protection-news/sen.-kohl-reps.-hintz-and-hixson-wispirg
-advocate-student-credit-card-reform-proposals (citing CardTrack.com) [hereinafter WISPIRG].
2. U.S. PUB. INTEREST RESEARCH GROUP EDUC. FUND, THE CAMPUS CREDIT CARD TRAP:
A SURVEY OF COLLEGE STUDENTS AND CREDIT CARD MARKETING 1 (Mar. 2008), available at
http://cdn.publicinterestnetwork.org/assets/x-3Q-0RsKNbZtwOKzK1-dA/AZ-Campus-CreditCard-Trap-Report.pdf (citing THE FEDERAL RESERVE BOARD OF GOVERNORS, REPORT TO THE
CONGRESS ON THE PROFITABILITY OF CREDIT CARD OPERATIONS OF DEPOSITORY INSTITUTIONS
(July 2007)) [hereinafter CAMPUS CREDIT CARD TRAP].
3. Wayne Jekot, Note, Over the Limit: The Case for Increased Regulation of Credit Cards for
College Students, 5 CONN. PUB. INT. L.J. 109, 113–14 (2005).
4. In the time between initially writing this note and its subsequent publication, Regina L.
Hinson published Credit Card Reform Goes to College in the North Carolina Banking Institute.
Regina L. Hinson, Note, Credit Card Reform Goes to College, 14 N.C. BANKING INST. 287
(2010). While both notes discuss flaws in the Act, the theses and approaches to the material differ
in salient ways. Hinson addresses, among other things, the Act’s failure to regulate underage
consumers’ spending habits (such as maximum credit limit and number of cards issued) and
discusses how earlier versions of the Act would have required underage consumers to attend a
financial literacy course prior to obtaining a credit card. Id. at 303–08. This note, rather, focuses
on the general lack of protections for student data, discusses the impact on the rights of young
consumers in depth, and suggests potential alternatives for dealing with the underlying issues
facing young consumers. See infra Part III–IV.
5. Jekot, supra note 4, at 112–13.
6. U.S. GOV’T ACCOUNTABILITY OFFICE, GAO-01-773, CONSUMER FINANCE: COLLEGE
STUDENTS AND CREDIT CARDS 17 (June 2001), available at http://www.gao.gov/new.items/
d01773.pdf [hereinafter GAO REPORT].
7. College Credit Card Statistics, U.C.M.S.COM, http://www.ucms.com/college-credit-cardstatistics.htm (last visited Nov. 20, 2010) (listing statistics on college marketing).
8. WISPIRG, supra note 1.
There have been several attempts by colleges and universities,12 state
attorneys general,13 and state legislators to address this issue.14 However,
only recently did Congress pass reform legislation that targets credit card
marketing on college campuses and offers protections for students. The
Credit Card Accountability, Responsibility and Disclosure Act of 2009
(Credit CARD Act or the Act)15 was intended as general credit reform
legislation geared toward assisting those in debt and stopping abusive
tactics of the credit card industry.16 The Act also specifically addresses
young consumers. In Title III, the Act places a number of restrictions on
extending credit to consumers under twenty-one, limits the ability of credit
card issuers to solicit students, and adds protections for students from
prescreened offers.17 The Act also places heavy disclosure requirements on
institutions of higher education.18
This note argues that Title III is a huge step toward protecting young
consumers and reining in the credit card industry. The Act puts an end to a
number of coercive and deceptive practices of credit issuers19 while
pressuring universities to be more open and forthcoming regarding their
9. Anne Flaherty, Credit Reform Means New Era for College Students, ASSOCIATED PRESS,
May 21, 2009, available at http://www.signonsandiego.com/news/2009/may/21/us-congresscredit-cards-052109/?education; Joshua Heckathorn, Credit CARD Act of 2009 Restricts Credit
for Students, BROKEGRADSTUDENT.COM (Aug. 4, 2009), http://www.brokegradstudent.com/
credit-card-act-of-2009-restricts-credit-for-students.
10. Connie Prater & Tyler Metzger, A Guide to the Credit CARD Act of 2009,
CREDITCARDS.COM (July 30, 2009), http://www.creditcards.com/credit-card-news/credit-cardlaw-interactive-1282.php (follow “Youth and credit” hyperlink; then follow “Under-21 college
students” hyperlink) (quoting Senator Tom Carper).
11. College Credit Card Statistics, supra note 7.
12. Jonathan D. Glater, Extra Credit, N.Y. TIMES, Jan. 1, 2009, at B1.
13. CAMPUS CREDIT CARD TRAP, supra note 2, at 10.
14. Creola Johnson, Maxed Out College Students: A Call to Limit Credit Card Solicitations on
College Campuses, 8 N.Y.U. J. LEGIS. & PUB. POL’Y 191, 255 (2004).
15. Credit CARD Act of 2009, Pub. L. No. 111-24, 123 Stat. 1734 (codified as amended in
scattered sections of 15 U.S.C.).
16. See Ben Rooney, Credit Card Relief: Phase one: The First Part of Obama’s Crackdown
on the Credit Card Industry Will Give Consumers More Notice When Contracts are Changed and
the Option to Reject Rate Increases, CNNMONEY.COM, Aug. 20, 2009, http://money.cnn.com/
2009/08/19/news/economy/credit_card_reform/?postversion=2009082004.
17. 15 U.S.C.A. §§ 1637(c), (p), (r), 1650(f), 1681b(c)(1)(B) (West 2010).
18. Id. § 1650(f).
19. See id. §§ 1637(p), 1650(f).
2010]
Protecting Young Consumers
161
participation in the problem.20 However, this note will assert that Title III
also creates several legal and policy problems in how it restricts young
consumers and how alternative solutions may have provided more efficient
and impactful ways of addressing the underlying problems.
Part I of this note provides a brief overview of the marketing, soliciting,
and lending practices of credit card companies on college campuses, the
ramifications of student credit card debt, past attempts at reform, and the
movement that led to the passing of the Credit CARD Act. Part II breaks
down Title III of the Act and examines the rules and protections placed on
young consumers and the institutions of higher education that they attend.
Part III discusses the legal and policy ramifications of the Act, arguing that
Title III severely curtails the financial autonomy of eighteen- to twenty-one-year-olds, and falls short in protecting students from coercive marketing
practices. Finally, Part IV suggests that the Act fails to solve the
documented problems, and proposes alternative solutions that might better
address the underlying issues.
I. THE PROBLEM OF SOLICITING AND MARKETING
PRACTICES BY CREDIT ISSUERS ON U.S. CAMPUSES
Credit issuers flood college students with brochures, applications,
advertisements, and freebies.21 As a result, 56% of students have their first
card at age eighteen.22 By their final year, 91% have at least one credit card
and 56% carry four or more cards.23 Credit issuers set up tables on
campuses and outside school events in order to sell their products.24 This
practice is so rampant that 76% of students have reported stopping at such
tables to consider applying for credit cards.25 Most of the time students are
enticed to stop at these tables by the offer of free gifts.26 The gifts are
conditioned, however, on applications for cards.27 Once the cards are in the
20. See id. §§ 1637(r), 1650(f).
21. CAMPUS CREDIT CARD TRAP, supra note 2, at 2–4.
22. Jessica Dickler, Credit Card Debt on Campus: Unprepared Students Have Been
Increasingly Targeted by Card Issuers, and Some Lawmakers are Taking Notice,
CNNMONEY.COM, July 14, 2008, http://money.cnn.com/2008/07/10/pf/credit_cards_college/?
postversion=2008071413 (citing data from Nellie Mae).
23. Id.
24. Lucy Lazarony, Marketing Plastic to Students Causes Lawmakers, Educators to Melt
Down, BANKRATE.COM (June 21, 1999), http://www.bankrate.com/brm/news/cc/19990621.asp.
25. CAMPUS CREDIT CARD TRAP, supra note 2, at 3.
26. Id. at 3–4.
27. Id. Of the 76% of students who stop, 31% report being offered a free gift. Most common
gifts are t-shirts (50%), other (40%), frisbee or sports toy (20%), and mug or water bottle (18%).
The “other” was most commonly food. Id.; see also Amy Johannas, College Bound: Marketers
Welcome, But Credit Card Companies Get a Warning Signal, PROMO (Aug. 1, 2008, 12:00 PM),
http://promomagazine.com/eventmarketing/0801-companies-college-campaigns.
‘There is just this kind of crazy marketing atmosphere on campuses,’ [says Christine Lindstrom, the higher education program director for U.S. PIRG]. ‘It’s pretty easy when facing [a gift of] free pizza for a student to say, ‘Oh, I’ll just go ahead and get the card.’ That is a big problem.’
Id.
hands of the students, the issuers continually increase interest rates and
employ high penalties, exacerbating the consequences of the original
misguided judgment.28
The scene that awaits students is not a product of chance, nor is it solely
due to credit issuers’ initiative. Indeed, universities have a stake in these
exchanges and actively facilitate the marketers’ access to their students.29
Universities have multimillion-dollar deals with credit card companies.30
For example, “Michigan State [University] had a seven-year, $8.4 million
contract with Bank of America during which MSU gave the bank
information on students, alumni, sports ticket holders and employees.”31 In
addition, many universities have affinity card agreements that allow the
credit issuer to use the university’s name to market its cards.32 In exchange,
the university receives a share of the profits from new accounts.33 This
incentivizes the university to entice and indebt students with credit cards.34
Some, however, see the agreements between universities and credit card
issuers as a win-win situation.35 Banks get ideal marketing opportunities,
students get help paying the bills, and universities get an additional revenue
source.36
28. See WISPIRG, supra note 1.
29. Glater, supra note 12.
30. Flaherty, supra note 9. Bank of America is one of the biggest credit card issuers on college
campuses. Glater, supra note 12. As of January 2009, the bank has agreements with about 700
colleges and alumni associations. Id.
31. Susan Tompor, Credit Cards to be Curbed at Colleges, DETROIT FREE PRESS, Aug. 27,
2009, http://www.freep.com/article/20090827/COL07/908270447/Credit-cards-to-be-curbed-atcolleges. Michigan State University even stands to receive additional money if the students who
sign up carry a balance. Glater, supra note 12. According to the New York Times, Michigan State
University gets “$3 for every card whose holder pays an annual fee, and a payment of a half
percent of the amount of all retail purchases using the cards,” and “$3 if the holder has a balance
at the end of the 12th month after opening an account.” Id. Additionally, the “alumni association
of the University of Michigan is guaranteed $25.5 million” in exchange for “lists of names and
addresses of students, faculty, alumni and holders of season tickets to athletic events” over an 11
year agreement with Bank of America. Id.
32. GAO REPORT, supra note 6, at 7.
33. E.g., Tompor, supra note 31. The profit from these contacts with credit issuers is so
important to many universities that they have fought legislative reform. See, e.g., Joseph Kenny,
College Fights to Preserve Student Credit Card Marketing, JSNET.ORG (Apr. 10, 2009),
http://www.jsnet.org/news-article/college-fights-to-preserve-student-credit-card-marketing
(describing Ohio State University’s fight against legislation that would limit their agreements with
credit issuers).
34. See Ben Protess & Jeannette Neumann, As Student Credit Card Debt Rises, Banks Quietly
Reward Schools, HUFFINGTON POST INVESTIGATIVE FUND (June 8, 2010, 8:01 AM),
http://huffpostfund.org/stories/2010/06/student-credit-card-debt-rises-banks-quietly-rewardschools.
35. See Glater, supra note 12.
36. Id.
There are several reasons why the university campus is an ideal
marketing setting for banks and credit card companies. First, most students
are first time credit card users, making them a fresh market.37 Second, they
constitute an isolated and easily identifiable market.38 Most college students
live on or commute to a campus.39 Third, because they are relatively new
consumers, they are more likely to be naïve to the practices of the credit
card industry.40 Most students realize that they must build their credit
because it will be a useful tool for future purchases.41 At the same time,
they may not be educated in the nuances of how credit works.42 For
example, a student may realize that he must pay the credit card company
every month but may not understand what an annual percentage rate (APR)
is or how it will affect his balance.43 Credit card issuers rely on this naiveté
when they raise interest rates to increase their profits. Lastly, many
students, like other consumers, keep and continue to use their first credit
card.44 These factors lead to heavy soliciting of, and marketing to, college
students on or near campuses.45
This heavy marketing is demonstrated by the twenty-five to fifty credit
card solicitations students receive per semester.46 The solicitations take
various forms, including tabling at school events, direct mail solicitations,
and brochures in a variety of campus locations.47 A study conducted by the
U.S. Public Interest Research Group reported that 80% of respondent
students had received mail solicitations from credit card issuers and 22%
“reported receiving an average of nearly four (3.6) [solicitation] phone calls
per month . . . .”48
In a 2005 report, Ohio State University’s Creola Johnson described the
scene set by credit card companies that awaits incoming freshmen as “a
‘carnival atmosphere’ of blaring music and free food . . . with glossy
promotional brochures and loaded with free T-shirts, Frisbees and other
37. Dickler, supra note 22.
38. See CAMPUS CREDIT CARD TRAP, supra note 2, at 1.
39. Id.
40. See Laurie A. Lucas, Integrative Social Contracts Theory: Ethical Implications of Marketing Credit Cards to U.S. College Students, 38 AM. BUS. L.J. 413, 414–16, 422–24 (2001).
41. CAMPUS CREDIT CARD TRAP, supra note 2, at 1.
42. Lucas, supra note 40, at 414–16.
43. See generally Basic Facts About Credit Card Rates: Key Information Every Cardholder
Should Know, BANK OF AMERICA, http://learn.bankofamerica.com/articles/managing-credit/
basic-facts-about-credit-card-rates.html (last visited Nov. 20, 2010) (describing the complexities
in applying APR rates to credit card balances).
44. See CAMPUS CREDIT CARD TRAP, supra note 2, at 7 (detailing how credit card companies
compete for college students to become their “first-in-the-wallet, top-of-the-wallet” card).
45. See id. at 2–4.
46. College Credit Card Statistics, supra note 7.
47. CAMPUS CREDIT CARD TRAP, supra note 2, at 2–4.
48. Id. at 4.
gifts to lure students into applying for credit cards.”49 Johnson goes on to
explain that, “[c]ompany representatives do not talk about the interest rates
or fees associated with the cards. Presumably, that information is contained
in the brochures. Instead, the credit card vendors emphasize the free items
and an easy way to buy clothes and books or pay for spring break
vacations.”50
These practices have contributed to a documented increase in student
credit card debt and financial management problems.51 Many critics also
cite excessive credit lines for those who do not necessarily qualify as an
additional source of the problem.52 Although introductory credit limits may
be low, they can quickly rise to $2,000 or $4,000.53
In response, some universities are starting to rethink their policies and
agreements with credit issuers.54 In recent years, there has been a big push
from students and public advocates who oppose such aggressive marketing
techniques on college campuses.55 Some universities have banned or greatly
restricted the practice of soliciting on campus altogether56 while others have
limited its scope and frequency.57
Along with the push for change from within the university, some state
legislators are stepping in and trying to set limits on these practices.
However, while statistics vary on the number of states with legislation
specifically restricting marketing on campus, the number remains generally
low.58 Texas, California, New York, and Oklahoma are among the few
49. Martin Merzer, Student Credit Card Issuers Losing Their Welcome on Campus:
Relationship Between Banks, Colleges is Complex, CREDITCARDS.COM (Dec. 8, 2008),
http://www.creditcards.com/credit-card-news/student-credit-card-issuers-losing-welcome-oncampus-1279.php.
50. Id.
51. See SALLIE MAE, HOW UNDERGRADUATE STUDENTS USE CREDIT CARDS: SALLIE MAE’S
NATIONAL STUDY OF USAGE RATES AND TRENDS 2009, at 3 (Apr. 2009), available at
http://www.salliemae.com/NR/rdonlyres/0BD600F1-9377-46EA-AB1F-6061FC763246/10744/
SLMCreditCardUsageStudy41309FINAL2.pdf [hereinafter SALLIE MAE STUDY]; see also Jekot,
supra note 3, at 113–14; Johnson, supra note 14, at 206–19.
52. See, e.g., Tompor, supra note 31 (citing as an example a student who was given $25,000
even though he did not have a full-time job).
53. Jeanne Sahadi, Dad, Will You Pay My Visa?; That’s One Question Facing Parents of
College Students Who’ve Racked Up Credit Card Debt, CNNMONEY.COM, Dec. 12, 2002,
http://money.cnn.com/2002/12/10/commentary/everyday/sahadi (citing Robert Manning during
his testimony before the U.S. Senate Committee on Banking, Housing and Urban Affairs).
54. GAO REPORT, supra note 6, at 25–29.
55. See generally id. at 27–29.
56. Id. at 25–27.
57. Id.; Johnson, supra note 14, at 195–96. For example, Ball State University, whose alumni
association had a contract with a credit issuer, does not give out student information to marketers.
Glater, supra note 12. Likewise, University of Oregon has a similar policy. Id.
58. Editorial, The College Credit Card Trap, N.Y. TIMES, Oct. 18, 2008, at A22 (“A half-dozen states have placed restrictions on how credit cards can be marketed at public colleges.”); Jon Chavez, Card Firms Lure Students; Experts Urge Crackdown, TOLEDO BLADE, Oct. 14, 2007, http://toledoblade.com/apps/pbcs.dll/article?AID=/20071014/BUSINESS04/71013025 (“About 15 states restrict or ban credit-card marketing to students on campus . . . .”); see also Tyler Metzger, Campus Credit Card Regulation Brewing . . . Again, CREDITCARDS.COM (Feb. 3, 2009), http://blogs.creditcards.com/2009/02/campus-credit-card-regulation-brewing.php (detailing proposed New Jersey bill).
states that have passed such laws.59 For example, the California law, passed
in 2007, prohibits the exchange of gifts for applications.60 The New York
statute (part of New York’s Education Law) is much broader.61 It prohibits
marketing altogether, except as allowed by university policy.62 The law also
makes suggestions for fair policies that schools could adopt.63
In addition to these state legislative reforms, several attorneys general
have tried to initiate reform in credit marketing to college students. Several
have opened investigations into the practices of credit card issuers on
campuses.64 For example, in 2008, former New York Attorney General
Andrew Cuomo investigated whether credit card marketers had offered
money to universities in exchange for access and information on students.65
Likewise, the Ohio Attorney General sued Citibank, a credit card marketing
company, and a sandwich shop over their alleged deceptive marketing to
college students.66
On the federal level, there have been a number of congressional
attempts to add protections for college students wishing to obtain credit.67
For example, the Consumer Credit Card Protection Amendments of 1999
(CCCPA) was introduced in the Senate and in the House of Representatives
59. Merzer, supra note 49. Maryland also passed legislation which “requires higher education
institutions to develop practices regarding credit card marketing and the use of free gifts on
campus.” Johannas, supra note 27. If the universities allow these practices, they must also provide
additional educational credit information. Id. Another example is Tennessee, where state
legislators passed a law that prohibits credit issuers from using student organizations or facilities
in order to recruit applicants. Id. They are, however, allowed to do so at athletic events, but are
banned from giving gifts in exchange for applications. Id.
60. College Student Credit Protection Act of 2007, Ch. 679, 2007 Cal. Stat. 262; Ashley
Geren, Credit Card Death: Students Might Want to Think Twice Before Getting a Credit Card,
THEROUNDUPNEWS.COM (Sept. 16, 2009), http://www.therounduponline.net/features/credit-carddeath-1.1878895.
61. See N.Y. EDUC. § 6437 (McKinney 2010).
62. Id.
63. Id.
64. CAMPUS CREDIT CARD TRAP, supra note 2, at 10.
65. Id.
66. Id. The Ohio Attorney General sued Citibank, Elite Marketing, and Potbelly Sandwiches
for “‘unfair and deceptive’ marketing practices.” Johannas, supra note 27. The Attorney General
alleged that “students visited local restaurants for free food, only to find out they had to apply for
a credit card to receive it.” Id. The case has been partially settled. Id. As part of the settlement,
Potbelly agreed to give out coupons for its products as an incentive to get students to watch a
documentary on the credit industry. Id.
67. See Student Credit Card Protection Act of 2007, S. 1925, 110th Cong. (2007); College
Student Credit Card Protection Act, H.R. 1208, 109th Cong. (2005); Credit Card Accountability
Responsibility and Disclosure Act of 2004, S. 2755, 108th Cong. (2004); College Student Credit
Card Protection Act, H.R. 184, 107th Cong. (2001); Credit Card Protection Amendments of 1999,
S. 787, 106th Cong. (1999); Consumer Credit Card Protection Amendments of 1999, H.R. 900,
106th Cong. (1999).
in April and May of 1999, respectively.68 Like the Credit CARD Act of
2009, the CCCPA contained a provision mandating that a consumer under
twenty-one have a parent or guardian co-signer or an independent
means of repaying their credit card debt.69
Despite several attempts in both the House and Senate, including the
CCCPA, credit reform for college students had not passed into law.70
However, things in Washington changed with the 2008 election.71 President
Obama made consumer protection a part of his campaign.72 Amid a climate
of foreclosures and high debt, Obama pushed for reform in several
industries, including the credit card sector.73 In the White House press
release announcing the Credit CARD Act, President Obama tied the new
law into his larger economic recovery plans.74 With the turbulent changes in
the economy, the shift in Washington, and new support for major credit
reform, the Credit CARD Act survived the legislative process and passed
into law.75
II. PROTECTIONS PROVIDED BY THE CREDIT CARD ACT
In January 2009, Representative Carolyn B. Maloney (D-NY)
introduced H.R. 627, which would later form the basis for the Credit CARD
Act.76 H.R. 627 was intended to amend the Truth in Lending Act77 and the
Fair Credit Reporting Act (FRCA)78 in order to “establish fair and
transparent practices relating to the extension of credit under an open end
68. Todd Starr Palmer, Mary Beth Pinto & Diane H. Parente, College Students’ Credit Card
Debt and the Role of Parental Involvement: Implications for Public Policy, 20 J. PUB. POL’Y &
MARKETING 105, 106 (Spring 2001).
69. H. R. 900 § 7; S. 787 § 7; 15 U.S.C.A. 1637(c) (West 2010).
70. Kimberly Gartner & Elizabeth Schiltz, What’s Your Score? Educating College Students
About Credit Card Debt, 24 ST. LOUIS U. PUB. L. REV. 401, 408–09 (2005); see also Johnson,
supra note 14, at 254–56.
71. See Philip Elliott, Obama Signs Law Curbing Surprise Credit Card Fees, ASSOCIATED
PRESS, May 22, 2009, available at http://www.huffingtonpost.com/2009/05/22/obama-signs-lawcurbing-s_n_206944.html.
72. Press Release, The White House, Fact Sheet: Reforms to Protect American Credit Card
Holders (May 22, 2009), http://www.whitehouse.gov/the_press_office/Fact-Sheet-Reforms-toProtect-American-Credit-Card-Holders [hereinafter White House Press Release].
73. See Elliott, supra note 71.
74. See White House Press Release, supra note 72 (“‘With this new law, consumers will have
the strong and reliable protections they deserve. We will continue to press for reform that is built
on transparency, accountability, and mutual responsibility—values fundamental to the new
foundation we seek to build for our economy.’”).
75. See id.
76. Bill Summary & Status: 111th Congress (2009-2010): H.R. 627: All Congressional
Actions with Amendments, LIBRARY OF CONGRESS, http://thomas.loc.gov/cgi-bin/bdquery/
z?d111:HR00627:@@@S (listing Rep. Maloney as the sponsor of the bill H.R. 627 that
ultimately became the Credit CARD Act).
77. Truth in Lending Act, 15 U.S.C. §§ 1601–1667f (2006).
78. Fair Credit Reporting Act, 15 U.S.C. §§ 1681–1681x (2006).
consumer credit plan, and for other purposes.”79 It became public law on
May 22, 2009 when President Obama, in a Rose Garden ceremony, signed
the bill.80 The Act covers general consumer protection, enhanced consumer
disclosures, protection of young consumers, gift cards, and other
miscellaneous items.81
Title III of the Act is devoted exclusively to protecting young
consumers and is broken down into five sections. The first section of Title
III amends the Truth in Lending Act by limiting the “extension of credit to
underage consumers.”82 Section 301 prohibits the issuance of a credit card
or open end credit plan to a consumer under the age of twenty-one83 unless the
application for that consumer contains a signature of a co-signer84 or
financial information indicating means of repayment.85 According to the
Act, the co-signer can be a “parent, legal guardian, spouse, or any other
individual” twenty-one years of age or older.86 The co-signer must have the
“means to repay the debts” of the consumer and will be considered jointly
liable for that debt.87 However, the co-signer is only liable for the debt
incurred before the consumer has reached the age of twenty-one.88
Alternatively, absent a viable co-signer, a credit card applicant under the
age of twenty-one may demonstrate an “independent means of repaying any
obligation arising from the proposed extension of credit . . . .”89 The text
does not give much explanation as to what “means” would qualify under
this provision. It only requires that the consumer submit such financial
information through the application or otherwise.90
Section 301(C) tasks the Board of Governors of the Federal Reserve
System (the Board) with issuing regulations outlining the standards required
to satisfy subparagraph (B)(ii).91 The Board usually issues clarifications on
79. Credit CARD Act of 2009, H.R. 627, 111th Cong. (2009).
80. Elliott, supra note 71.
81. Credit CARD Act of 2009, Pub. L. No. 111-24, 123 Stat. 1734 (2009).
82. 15 U.S.C.A. § 1637(c) (West 2010) (implying that the use of the word “underage” applies to consumers under the age of twenty-one).
83. Id. § 1637(c)(8)(A).
84. Id. § 1637(c)(8)(B)(i).
85. Id. § 1637(c)(8)(B)(ii).
86. Id. § 1637(c)(8)(B)(i).
87. Id.
88. Id.
89. Id. § 1637(c)(8)(B)(ii).
90. Id.
91. Id. § 1637(c)(8)(C). The regulations, over 800 pages, detail what credit card issuers must do to grant or extend credit to all consumers covered under the Act. Connie Prater, Fed: Want a Credit Card? Prove You Can Pay the Bill, CREDITCARDS.COM (Sept. 30, 2009), http://www.creditcards.com/credit-card-news/credit-card-act-fed-income-rules-1282.php. The regulations also clarify several vague terms in the provisions dealing with young consumers, including “prohibited inducements,” “near campus,” “independent means of paying,” and co-signer requirements. Jay MacDonald, Fed: Credit Card Issuers, Stay Far Away From College Campus: Stay At Least 1,000 Feet Away, New Regulations State, CREDITCARDS.COM (Sept. 30, 2009), http://www.creditcards.com/credit-card-news/student-credit-card-rules-1279.php. This is discussed infra Part III.
the terms of a newly issued law,92 and it did so on September 28, 2009,
providing examples of the type of information that would qualify as proof
of an independent means of repaying.93 This included “expected salary,
wages, bonus pay, tips and commissions” for any type of employment,
“interest or dividends, retirement benefits, public assistance, alimony, child
support, or separate maintenance payments,” or “savings accounts or
investments that the consumer can or will be able to use.”94 These
provisions likely limit the number of college students under age twenty-one
who could qualify.95 It is unclear, however, how strictly credit issuers must
adhere to this “proof” standard.96
The Act further provides that even once a student has been issued a
credit card, the co-signer, if jointly liable for a consumer under twenty-one,
must approve any increase to the credit line for that consumer.97 By
amending § 127 of the Truth in Lending Act,98 § 303 of the Credit CARD
Act restricts young consumers beyond the application process.99 It places an
additional hurdle for eighteen- to twenty-one-year-olds to obtain and
manage their credit by requiring that the co-signer approve the credit
increase.
To stem the flow of solicitations on college campuses, Congress
included protections from prescreened offers as well as restrictions on the
distribution of promotional items. Title III, § 302 amends § 604(c)(1)(B) of
the FRCA100 to include restrictions on prescreened credit offers to
consumers under twenty-one.101 This section provides that credit reporting
agencies can furnish credit reports for offers of credit only if the consumer
is over twenty-one or has consented to the disclosure.102 In other words,
except for eighteen- to twenty-one-year-olds who have consented to the
92. MacDonald, supra note 91.
93. Truth in Lending Proposed Rule, 74 Fed. Reg. 54,125, 54,313 (Oct. 21, 2009) (to be
codified at 12 C.F.R. pt. 226).
94. Id.
95. See generally Prater, supra note 91. See also Brian Burnsed, New Rules Place Barriers
Between Students, Credit Card Issuers, US NEWS & WORLD REP., Feb. 19, 2010,
http://www.usnews.com/articles/education/best-colleges/2010/02/19/new-rules-place-barriersbetween-students-credit-card-issuers.html.
96. See generally MacDonald, supra note 91 (explaining the Federal Reserve’s clarifications
but noting the failure to clarify certain aspects of the Act); see also Prater, supra note 91 (failing
to specify what reasonable policy or procedure might entail).
97. 15 U.S.C.A. § 1637(p) (West 2010).
98. Truth in Lending Act § 127, 15 U.S.C. § 1637(c) (2006).
99. 15 U.S.C.A. § 1637(p).
100. Fair Credit Reporting Act § 604, 15 U.S.C. § 1681b(c)(1)(B) (2006).
101. 15 U.S.C.A § 1681b(c)(1)(B)(2)(iv) (West 2010).
102. Id.
disclosure of their credit report for offers of credit, the automatic flood of
mailings that bombard college freshmen should theoretically start to ebb.103
The Act also adds protection from solicitations by proscribing physical
inducements in exchange for applications.104 Section 304(f)(2) prohibits
creditors from offering “tangible item[s]” to college students in exchange
for a credit card application.105 However, this prohibition is limited to offers
made on or near campus or at a school-sponsored event.106 In its
clarifications of the Act, the Board gave examples of what types of
inducements would be prohibited.107 The Act proscribes the use of tangible
items, such as a “gift card, a T-shirt, or magazine subscription” in exchange
for filled applications, but does not prohibit “non-physical items” like
“discounts, reward points, or promotional credit terms.”108 Not only is the
type of item an important distinguishing factor in determining the legality
of a practice, but the agreement must indeed be a quid pro quo.109 If the
items are given out freely regardless of whether applications are in fact
being filled out, then it would seem the Act does not apply.110
The Board’s regulations also specify that “near campus” is defined as
“within 1,000 feet of the border of the campus of an institution of higher
education . . . .”111 The borders should be determined by the institution.112
The prohibition against promotions near campus also extends to related
events, including any event in which the institution’s name or logo is used
in connection with the event so as to imply the institution’s sponsorship.113
In this way, § 304 potentially covers an expansive area on or near campus.
Besides the limitations specifically outlined in § 304, Congress also
recommends that institutions of higher education adopt their own policies to
help monitor and limit credit card marketing.114 It recommends that these
institutions instruct credit issuers to notify them of the locations where
marketing of credit cards will occur.115 Section 304 also recommends that
schools limit the number of locations for marketing116 and offer debt
counseling and education to new students.117
103. See 15 U.S.C. § 1681b(c)(1)(B); see also Heckathorn, supra note 9.
104. 15 U.S.C.A. § 1650(f)(2) (West 2010).
105. Id.
106. Id.
107. MacDonald, supra note 91.
108. Truth in Lending Proposed Rule, 74 Fed. Reg. 54,123, 54,127 (Oct. 21, 2009) (to be
codified at 12 C.F.R. pt. 226).
109. See id. at 54,328.
110. MacDonald, supra note 91.
111. Truth in Lending Proposed Rule, 74 Fed. Reg. at 54,328; MacDonald, supra note 91.
112. Truth in Lending, 74 Fed. Reg. at 54,328; MacDonald, supra note 91.
113. Truth in Lending, 74 Fed. Reg. at 54,328; MacDonald, supra note 91.
114. 15 U.S.C.A. § 1650(f)(3) (West 2010).
115. Id. § 1650(f)(3)(A).
116. Id. § 1650(f)(3)(B).
117. Id. § 1650(f)(3)(C).
170
BROOK. J. CORP. FIN. & COM. L.
[Vol. 5
The final protection Title III provides is required disclosure of the
contracts between universities and creditors.118 Institutions of higher
education must “publicly disclose any contract or other agreement made
with a card issuer or creditor for the purpose of marketing a credit card.”119
Likewise, the Act mandates reporting by each creditor who has any
“business, marketing, and promotional agreements and college affinity
card120 agreements with an institution of higher education.”121 The report
must include the terms and conditions of any agreements between creditors
and universities, including memoranda of understanding, amounts of
payments between them, and the number of accounts covered by the
agreement.122 Once creditors have submitted the reports to the Board, the
Board will review them and submit an annual report to Congress and the
public.123 Additionally, from time to time the Comptroller General of the
United States is to review the Board’s reports, determine the impact of
creditor agreements, and write a report recommending any needed action.124
The passage of Title III is a tacit recognition of the need to protect
young consumers against the aggressive and deceptive practices of credit
issuers. The Act finally puts an end to the exchange of gifts for
applications.125 Prohibiting tangible inducements will limit the ability of
marketers to get the attention of college students.126 In turn, only those truly
interested in obtaining a credit card will likely approach a promotional
table. Furthermore, the Act protects students from insidious pre-screened
offers with which they are consistently bombarded.127
118. Id. §§ 1650(f)(1), 1637(r)(2)(A).
119. Id. § 1650(f)(1).
120. The Act defines college affinity card as a:
[C]redit card issued by a credit card issuer under an open end consumer credit plan in
conjunction with an agreement between the issuer and an institution of higher
education, or an alumni organization or foundation affiliated with or related to such
institution, under which such cards are issued to college students who have an affinity
with the institution, organization and—
(i) the creditor has agreed to donate a portion of the proceeds of the credit
card to the institution . . . ;
(ii) the creditor has agreed to offer discounted terms to the consumer; or
(iii) the credit card bears the name, emblem, mascot, or logo of such
institution . . . or other words, pictures, or symbols readily identified with
such institution, organization, or foundation.
Id. § 1637(r)(1)(A).
121. Id. § 1637(r)(2)(A).
122. Id. § 1637(r)(2)(B)(i)–(iii).
123. Id. § 1637(r)(3).
124. Id. § 1637(r)(3)(B)(1)–(2).
125. Id. § 1650(f)(2).
126. See generally CAMPUS CREDIT CARD TRAP, supra note 2, at 13 (proposing “prohibit[ing]
use of gifts in marketing on campus” as part of “fair campus credit card marketing principles”).
127. 15 U.S.C.A. § 1681b(c)(1)(B) (West 2010).
Finally, forcing the universities to disclose their contracts with credit
issuers will provide a new level of transparency and accountability. Most
students are unaware of the benefits the university is gaining through credit
marketing on campus.128 With every application and subsequent account,
the university usually makes a profit.129 These deals may stipulate when and
how marketing can be done, provide unlimited access to student registration
data, or even allow for use of the university name in connection with the
credit cards.130 Exposing the agreements will not only increase public
awareness about these practices but may also deter the more unconscionable
aspects of these agreements.131
Although the Act has the potential to provide significant protection for
young consumers, it also implicates several legal and policy issues. The Act
discriminates on the basis of age by imposing additional requirements on
consumers under twenty-one132 and disproportionately impacts specific
segments of the young adult population.133 The Act also does not go far
enough in protecting students from solicitations on campus134 and fails to
solve the underlying problems that originally created the need for reform.135
III. LEGAL AND POLICY RAMIFICATIONS OF THE ACT
A. RIGHTS OF YOUNG CONSUMERS
Title III of the Act creates different contractual standards for consumers
between the ages of eighteen and twenty-one.136 Placing additional
restrictions on this specific age group is both discriminatory and
ineffective.137 In addition, the all-inclusive restrictions freeze out many
young consumers who would benefit from a credit card and are capable of
handling credit responsibly but who cannot meet the heightened
standards.138 Lastly, the restrictions disproportionately affect lower income
students as well as eighteen- to twenty-one-year-old non-students.139
128. See Glater, supra note 12.
129. Id.
130. Id.
131. See, e.g., Ylan Q. Mui, Credit Reforms Reach Campuses, WASH. POST., Aug. 27, 2010, at
A14 (describing some of the contracts between credit card issuers and universities and the hope
that the contract disclosure requirement will increase transparency); Protess & Neumann, supra
note 34 (describing the millions of dollars and secrecy surrounding agreements between
universities and credit card companies).
132. See Palmer et al., supra note 68 (discussing similar objections to a bill introduced in 1999).
133. See infra Part III.A.
134. See infra Part III.B.
135. See infra Part IV.
136. 15 U.S.C.A. §§ 1637(c)(8), 1637(p) (West 2010).
137. See discussion infra Part III.
138. See discussion infra Part III.
139. See discussion infra Part III.
Young consumers are a vital and important part of the economic
marketplace.140 They often lead the way in consumer trends and shape
certain markets.141 Although most people enter the marketplace at a young
age under the purchases of their parents, once they reach the age of
majority—eighteen in most states142—they can be considered financially
independent consumers.143 At the age of majority, consumers gain the right
to enter into binding economic contracts, along with the right to vote and
join the military without parental consent.144 Parents’ legal duty of support
ends when offspring reach this age, as does parental authority.145 Although
many parents may continue to support their children, they are not legally
required to do so.146
Although a child under eighteen may enter into a contract, the child
retains the right to disaffirm any contract before she reaches the age of
majority.147 The right of disaffirmance is meant to protect children from
careless financial decisions and reduce the incentive for adults to enter into
contracts with children.148 At the age of majority, however, young adults
lose this right and are bound by their contractual obligations.149 Because
they are responsible for their contractual agreements, young adults at the
age of majority should therefore be given full control over their contractual
decisions.150
Despite the full responsibility young adults assume for their contractual
obligations, Title III of the Act places limitations on their ability to enter
into contractual agreements with credit card companies.151 These limits are
140. “Teenagers spend billions of dollars annually on clothing, video games, CD players,
stereos, and cars.” ROBERT H. MNOOKIN & D. KELLY WEISBERG, CHILD, FAMILY, AND THE
STATE: PROBLEMS AND MATERIALS ON CHILDREN AND THE LAW 675 (Wolters Kluwer 6th ed.
2009) (citation omitted).
141. See id.
142. LAUREN KROHN ARNEST, CHILDREN, YOUNG ADULTS, AND THE LAW: A DICTIONARY
199–200 (1998).
143. See generally id.
144. See generally ARNEST, supra note 142, at 84–85, 199; 10 U.S.C. § 505 (2006). A few
rights, such as buying alcohol, are withheld from eighteen year olds; however, these are the
exceptions rather than the rule. See James Mosher, The History of Youthful-Drinking Laws:
Implications for Public Policy, in MINIMUM-DRINKING-AGE LAWS: AN EVALUATION 26–31
(Henry Wechsler ed., 1980), reprinted in MNOOKIN & WEISBERG, supra note 140, at 682.
145. ARNEST, supra note 142, at 199.
146. See id.
147. Id. at 84–85.
148. See, e.g., McGuckian v. Carpenter, 110 A. 402 (R.I. 1920); see also ARNEST, supra note
142, at 84–85.
149. ARNEST, supra note 142, at 84–85.
150. See generally Ashley Goetz, Editorial, Credit Card Act Treats Adults as Children, MINN.
DAILY, June 9, 2009, http://www.mndaily.com/2009/06/09/credit-card-act-treats-adults-children
(“Congress is saying that college-aged people aren’t really adults yet.”).
151. 15 U.S.C.A. § 1637(c)(8)(B) (West 2010).
stricter than those placed on adults over the age of twenty-one.152 Section
301(B) requires an eighteen- to twenty-one-year-old applicant without a co-signer to indicate through financial information that he or she has the ability
to repay any obligation under the account.153 In contrast, § 109 of Title I of
the Act, which applies to consumers over twenty-one, states that in order to
open an open-end consumer credit plan, the card issuer must consider “the
ability of the consumer to make the required payments under the terms of
such account.”154 Section 109 provides a much easier standard to qualify for
a credit card than § 304. First, it only applies to open-end consumer credit
plans, rather than any credit card application.155 Second, the issuer must
only consider the consumer’s ability to make required payments, as
compared to requiring an ability to repay any obligation.156 In other words,
under § 109, the card issuer must consider only whether the consumer over
twenty-one is able to make minimum monthly payments, while § 304
requires that the consumer under twenty-one be able to repay any debt
incurred. The tougher standards for consumers eighteen- to twenty-one
years old discriminate against this group solely on the basis of their age.157
Despite the fact that eighteen-year-olds are considered adults and bound by
their contractual obligations, the Act treats them as a separate and distinct
group—different from children but not yet having full financial rights.
The arguably arbitrary restrictions on eighteen- to twenty-one-year-olds
also freeze out many young adult consumers who want and would benefit
from credit. In an attempt to protect young consumers, Congress has
“limited the ability of their more responsible peers to build up credit
histories they’ll need when they graduate.”158 It is wise for many young
consumers to build such histories. Credit reports are being used more and
more for a variety of purposes including renting apartments, loan rates, job
152. Compare id. § 1665e (describing the requirements necessary for individuals over twenty-one years of age to qualify for credit cards), with id. § 1637(c)(8)(A)–(B) (describing the
requirements necessary for those under twenty-one years of age to qualify for credit cards).
153. Id. § 1637(c)(8)(B).
154. Id. § 1665e.
155. Compare id. § 1665e (applying new regulation to “open end consumer credit plans” only),
with id. § 1637(c)(8)(B) (applying restrictions to anyone who chooses “to open a credit card
account”).
156. Compare id. § 1665e (requiring credit card companies to “consider[] the ability of the
consumer to make the required payments under the terms of such account”), with id. §
1637(c)(8)(B) (applying restrictions in regards to “any obligation arising from the proposed
extension of credit in connection with the account”).
157. Consider if the Act made tougher restrictions for adults over sixty-five than for those under
sixty-five. The issue of age discrimination would be central in the debate. However, when it
comes to discrimination based on age against the young, most commentators dismiss it as
necessary and miss the inherent paternalism and prejudice. See Goetz, supra note 150.
158. William P. Barrett, College Students Face New Credit Card Cut-Off, FORBES.COM (Aug.
4, 2009, 12:20 PM), http://www.forbes.com/2009/08/04/credit-card-reform-bill-college-students-personal-finance-collegecredit.html; see also Burnsed, supra note 95.
hiring, and insurance.159 However, many students who need and are capable
of handling credit would not qualify under the new rules. First, because the
co-signer will incur any of the obligations and suffer any damages that
result from the student’s use of the card, few students are likely to obtain a
potential co-signer other than a parent.160 Second, without co-signers, it may
be difficult for young consumers who actually need and will use credit
cards responsibly to provide enough documentation to demonstrate that
they are financially stable, even to issuers who require the bare minimum.161
“Many—especially college students and lower-income young adults—don’t
have easy access to a financially stable co-signer, [or] a full bank account . . . .”162
Not only will these restrictions limit students’ ability to build credit
histories, but they will also hamper their ability to finance important
purchases, like books or health insurance.163 Many students are no longer
financially supported by their parents.164 They may be unable to pay for
expensive textbooks all at once, and would rather finance the purchase and
make payments over a few months.165 By restricting their ability to get
credit, the Act is especially harmful to responsible students working to put
themselves through school.166
In the same way the Act hurts responsible young adults wishing to build
their credit, it also has a disproportionate effect on lower income students.
These students may have little or no financial support from their parents.167
Likewise, they or their parents may not be able to provide proof of their
ability to repay.168 So while these lower income students may be able to
make minimum monthly payments and repay their obligation over time,
they may not be able to prove that to a credit issuer.
Another group adversely affected by the Act is non-students. Although
many sections of Title III are aimed at protecting students from aggressive
solicitations, it also has a significant impact on young non-student
consumers.169 Many young adults do not continue on to college after high
159. Barrett, supra note 158.
160. For example, late payments will show up on their credit history. Tompor, supra note 31.
161. Goetz, supra note 150.
162. Id.
163. Ninety-two percent of undergraduates with credit cards report using the card for an
education related expense, such as textbooks, fees, or general school supplies. SALLIE MAE
STUDY, supra note 51, at 3.
164. Scott Jaschik, Understanding Independent Students, INSIDE HIGHER ED (Oct. 24, 2005),
http://www.insidehighered.com/news/2005/10/24/independent.
165. See SALLIE MAE STUDY, supra note 51, at 3.
166. Heckathorn, supra note 9.
167. See Jekot, supra note 3, at 126.
168. See id.
169. See Press Release, Office of Senator Chris Dodd, Senate Approves Dodd’s Bill to Protect
Consumers from Abusive Credit Card Practices (May 19, 2009), http://dodd.senate.gov/?q=
node/4968; see also White House Press Release, supra note 72; Ashley Goetz, Credit CARD Act
Impacts College Students: The Act Has Received Mixed Reactions, MINN. DAILY, June 2, 2009,
http://www.mndaily.com/2009/06/02/credit-card-act-impacts-college-students (noting that the Act
“has certain rules and restrictions designed to protect college-age students”).
school graduation, often opting to work or go to a vocational training
program.170 According to the National Center for Education Statistics,
compared with the sixty-three million students in elementary and secondary
school, only twenty-one million are in post-secondary degree granting
institutions.171 These eighteen- to twenty-one-year-old young adults are
especially vulnerable to the new restrictions. Often independent from their
parents and building a life of their own, they may need to make significant
purchases such as a car, furniture, insurance, or even a house.172 Obtaining
credit in order to finance such purchases and build a credit history is vital in
establishing financial independence.173 By placing heavier restrictions on
acquiring credit, the Act hampers the ability of these eighteen- to twenty-one-year-olds to become fully independent adult consumers despite the fact
that they function as such in every other aspect.174
Although the Act frames the issue as one of protectionism, its
restrictions on the financial freedom of young adults are saturated with
paternalism. At a certain point, society must stop placing restrictions on the
autonomy of young adults.175 Usually this point comes at the age of
majority when children are considered legal adults, independent from their
parents and subject to the same rights and responsibilities as other adults.176
By restricting the ability of eighteen- to twenty-one-year-olds to get a credit
card like any other adult, the Act merely delays full financial freedom and
tramples on the autonomy of young consumers.
The Act also only delays and does not solve the youthful misjudgments
its proponents were originally concerned about. In passing the Act, many
legislators and advocates justified the provisions with the idea that young
consumers were getting buried in debt because they did not know how to
manage and build responsible credit.177 Those young adults who now
cannot get a credit card under Title III will be no better equipped with the
skills and knowledge necessary to manage credit upon their twenty-first
birthday.178 By failing to mandate credit education or provide any additional
170. Projected Number of Participants in Educational Institutions, by Level and Control of
Institution: Fall 2008, NATIONAL CENTER FOR EDUCATION STATISTICS, http://nces.ed.gov/
programs/digest/d08/tables/dt08_001.asp (last visited Nov. 21, 2010).
171. Id.
172. See Barrett, supra note 158.
173. Id.
174. See Goetz, supra note 150.
175. See generally Gary B. Melton, Decision Making by Children: Psychological Risks and
Benefits, in CHILDREN’S COMPETENCE TO CONSENT 21–37 (Melton, Koocher, & Saks eds., 1983)
(discussing the psychological aspects of decision making by young adults); Goetz, supra note 150;
Geren, supra note 60.
176. See ARNEST, supra note 142, at 199.
177. See WISPIRG, supra note 1.
178. See generally Johnson, supra note 14, at 269–76.
resources to teach young consumers these skills, Title III does not get to the
heart of the underlying problem.179 On the contrary, the financial
independence of young consumers is merely delayed, specific groups are
disproportionately impacted, and the autonomy of young adults is hampered
without adequately addressing the issues that form the basis of the problem.
B. NOT FAR ENOUGH: CONTRACT AGREEMENTS AND LIMITATIONS
ON MARKETING
While the Act’s limitations on marketing and its requirements of
university contract disclosures contribute to solving the problem of
predatory solicitation on college campuses, these limitations do not go far
enough. Contract disclosures will not prevent universities from providing
student data to credit card issuers.180 At the same time, the disclosures may
violate confidentiality provisions and impinge on contractual privacy.181 In
addition, Title III’s limits on marketing merely prevent the distribution of
pre-screened offers and tangible gifts,182 leaving large loopholes for
solicitors to continue to take advantage of students on campus.
Forcing universities to disclose their contracts with credit issuers183 may
have some beneficial effects. For one, it may deter universities from using
blatantly unconscionable contract provisions.184 However, it will not likely
deter universities from freely giving out student data in exchange for a
portion of the profits issuers realize from student credit accounts.185 The
sharing of student information provides creditors with the ability to target
the student market and provides the essential means for the tactics the Act is
trying to stop.186 By failing to limit student data disclosure, the Act does not
go far enough in addressing contractual agreements between universities
and credit card issuers.
179. See id.
180. See CAMPUS CREDIT CARD TRAP, supra note 2, at 9.
181. Memorandum from Bond, Schoeneck & King, Higher Education Law Information Memo:
Federal Credit CARD Act Regulates College and University Relationships with Credit Card
Issuers (Aug. 2009), available at http://www.bondschoeneckking.com/pdfinfomemos/08-2009
%20im%20higher%20ed.pdf.
182. 15 U.S.C.A. §§ 1650(f)(1), 1681b(c)(1)(B) (West 2010).
183. Id. § 1637(r).
184. See Protess & Neumann, supra note 34 (describing provisions that allow universities to
“receive bonuses when students incur debt” and when students carry a balance from one year to
the next); see also Glater, supra note 12.
185. See Glater, supra note 12 (discussing the practice of using revenue from credit card issuers
to fund “scholarships and other programs”). In a separate survey earlier this year, USA Today
found that “two-thirds of the nation’s largest 15 universities either partner with banks to promote
debit cards or are looking to do so.” Kathy Chu, Credit Cards Go After College Students; Banks
Increase Efforts to Forge Relationships with Attractive Demographic, USA TODAY, Mar. 31,
2008, at B6.
186. See Glater, supra note 12. However, many students are unaware of this information
sharing. Id.
The Act also insufficiently limits marketing on campus. Although it
prohibits giving out tangible items in exchange for a credit card application,
the Act does not prohibit issuers from providing these gifts for free.187
Under Title III, credit card marketers are still able to give out free items to
entice students to come over to a table and speak with representatives. The
items simply cannot be conditioned on a filled out application.188 In other
words, before the Act the marketers had tables giving out free pizza in
exchange for a filled out application, and now the marketers can still have
tables with pizza and applications but just no quid pro quo exchange.189
There is no doubt that students will still be enticed by the smell of free
pizza and fall into the same traps laid by the solicitors.190 While the
elimination of the quid pro quo exchange is an important and crucial step in
reforming credit card marketing practices on college campuses, it is not
enough.
IV. THE ACT’S FLAWS PREVENT IT FROM ADDRESSING SOME
OF THE UNDERLYING ISSUES FACING YOUNG
CONSUMERS WHILE OTHER ALTERNATIVES MAY
PROVIDE MORE FUNDAMENTAL SOLUTIONS
Although the Act may bring about some important changes in the
predatory lending practices of credit card issuers on college campuses, it
does not solve some core problems. Reform that does not directly restrict
student access would likely prove a better solution.191 A combination of
stronger protections for student data, increased marketing limitations on
credit card issuers, and student credit education would inform and empower
students to take responsibility for their own finances while still protecting
them from the most deceptive and coercive practices. Protecting student
data would force universities to be more honest and accountable to their
students.192 Placing further limitations on marketing on campuses would
decrease the availability of credit cards and therefore force responsible
students to more actively seek out credit information on their own.193
187. See MacDonald, supra note 91.
188. 15 U.S.C.A. § 1650(f) (West 2010).
189. See MacDonald, supra note 91.
190. See generally id. (stating that if the gift is given to students regardless of whether they fill
out an application it is not an inducement under the Act).
191. See Heckathorn, supra note 9.
192. See U.S. PUB. INTEREST RESEARCH GROUP EDUC. FUND, IMPROVING THE CREDIT CARD
ACT’S BENEFITS TO STUDENTS AND OTHER YOUNG PEOPLE: A GUIDE FOR COLLEGES AND
POLICYMAKERS 7–8 (Aug. 2010), available at http://www.studentpirgs.org/uploads/
0b/3a/0b3a756061e78f775da9c1dd228bf0f4/CreditCARDACTissuebrief_Aug2010.pdf
[hereinafter PIRG GUIDE FOR COLLEGES].
193. See Johnson, supra note 14, at 267–68.
Finally, better credit education would inform and empower students rather
than suppress their financial freedom.194
A. STRONGER PROTECTIONS FOR STUDENT DATA
Student data is already partially protected by the Family Educational
Rights and Privacy Act (FERPA).195 FERPA was enacted in order to protect
student privacy and educational records.196 It includes a general prohibition
against releasing information from a student’s educational record without
written permission.197 However, there is an exception for student directory
information198—the exact type of information institutions of higher
education provide to credit issuers.199 Further, FERPA only applies to
schools receiving Department of Education funds.200
The exception for student directory information does, however, include
the requirement that the school have an opt-out provision.201 Therefore,
schools may release student directory information but must allow students
to opt-out of the disclosure. For example, at the University of Michigan
students are generally told how they can opt-out of having their information
publicly displayed in directories or provided in response to a request.202 The
policy is not specific to credit card companies.203 However, opt-out systems
are problematic because they require an affirmative step by the individual
student before her information is protected.204 In addition to placing the
burden on the student, universities may also fail to widely publicize the
option.205 In order to truly protect student data, this FERPA exception must
be changed to require an opt-in for disclosure.
An opt-in privacy policy is one in which students would have to
expressly give permission before their information may be shared with
194. See id. at 269–77.
195. See 20 U.S.C. § 1232g (2006).
196. Family Educational Rights and Privacy Act (FERPA), U.S. DEPT. OF ED.,
http://www.ed.gov/policy/gen/guid/fpco/ferpa/index.html (last modified 6/16/09).
197. 20 U.S.C. § 1232g(b).
198. Id.
199. See id. at 1232g(a)(5)(A) (defining “directory information” as “the student’s name,
address, telephone listing, date and place of birth, major field of study . . . .”); see also Glater,
supra note 12 (“‘Students are generally told how they can opt out of having their information
publically displayed in directories . . . .’”).
200. 20 U.S.C. § 1232g(a)(3).
201. Id. § 1232g(a)(5)(B).
202. Glater, supra note 12.
203. Id.
204. Jeff Sovern, Opting In, Opting Out, Or No Options At All: The Fight For Control of
Personal Information, 74 WASH. L. REV. 1033, 1071–91 (1999).
205. See Glater, supra note 12 (discussing the lack of awareness by students to agreements
between universities and credit card companies); see also Eric Goldman, On My Mind: The
Privacy Hoax, FORBES.COM (Oct. 14, 2002), http://www.forbes.com/forbes/2002/1014/042.html.
Goldman argues that the “cost-benefit ratio [of protecting privacy/information] is tilted too high
for consumers.” Id. A similar argument can be made for students’ opt-out provisions.
credit card marketers.206 By requiring this affirmative step, the opt-in policy
would decrease available member lists.207 In this way, opt-in regimes would
slow, if not end, direct marketing to college students by limiting the amount
of information shared with credit issuers.208
The decision between opt-out and opt-in policies comes down to who
should internalize the costs of protecting student information—the
university or the student. Universities may not want opt-in policies because
they will incur the costs when students opt-out while getting very few
benefits in return.209 When students fail to opt-in, the university has less
information to sell and therefore will receive less money in exchange for
student directories.210 They will also incur costs from disseminating opt-in
information to students, persuading them to act, and sorting through
requests received.211 Due to the low benefit and high cost to the universities,
legislation may be required in order to ensure the use of opt-in policies.212
Opt-out policies, on the other hand, are better for universities but worse
for the protection of students. They provide for some student control while
eliminating the cost of permission seeking.213 The efficiency of the opt-out
system assumes that the student has full information and can easily and
readily regain control over her personal information.214 Students often do
not receive, read, or understand the implications of university policies on
the use and sharing of their information.215 As a result, students will
internalize the costs of the information sharing.216 Opt-out policies diminish
student power and make it substantially more difficult for students to secure
their personal data.217 As a result, they provide little protection of student
information.
A default opt-in policy—or any default rule in which the individual
retains control over her information even after she provides it freely to one
206. See Sovern, supra note 204, at 1103.
207. See Michael E. Staten & Fred H. Cate, The Impact of Opt-In Privacy Rules on Retail
Credit Markets: A Case Study of MBNA, 52 DUKE L.J. 745, 770 (2003).
208. See id.
209. Sovern, supra note 204, at 1106.
210. See id. at 1106–13.
211. See Staten & Cate, supra note 207, at 767 (discussing the costs of opt-in policies for
particular credit issuers).
212. See generally Sovern, supra note 204, at 1081–83 (discussing how businesses may adopt
opt-out systems to preempt government regulation).
213. See generally id. at 1099–1100.
214. See id.
215. See generally Goldman, supra note 205.
216. See Sovern, supra note 204, at 1106; see also Paul M. Schwartz, Property, Privacy, and
Personal Data, 117 HARV. L. REV. 2056, 2076–84 (2004).
217. See Sovern, supra note 204, at 1072–78; see also Paul M. Schwartz, Privacy and the
Economics of Personal Health Care Information, 76 TEX. L. REV. 1, 49 (1997) (discussing how
information shortfalls in the health care context lead to a “monopoly equilibrium” that is
maintained through a shallow consent process that does not provide consumers with the
information they need and therefore makes it more difficult for them to retain any real control
over their data).
entity—would provide for more protection of student data than an opt-out
system. Professor Jerry Kang points out that a default rule placing power in
the student’s hands would eliminate inefficiencies common to the contrary
approach.218 If the default rule leaves the use of students’ personal
information to the university’s discretion, a single student would face
considerable difficulties in determining what information is collected and
how it is used or distributed.219 With a default rule reserving student control
over her information, these information costs would be greatly decreased;
students would know how their information is being used because the
university would be required to seek their permission to use it.220 A default
rule of this type, under which students must opt in before the university may
disclose their directory information, is necessary to protect students’ data privacy.221 Amending
FERPA to include such a rule would provide a more comprehensive
solution to the endless flow of credit offers that bombard college students
by addressing the problem at its source.222
B. STRONGER MARKETING LIMITATIONS ON CREDIT CARD ISSUERS
In order to truly address the problem of predatory solicitations on
college campuses, the loopholes in § 304 of the Act must be closed.223
Although these provisions ostensibly provide protections from some of the
more coercive marketing practices, they are easily circumvented.224
Credit issuers will likely only have to change their behavior slightly in
order to legally continue the same practices.225
Credit issuers should be prohibited from providing free gifts on
campus. Under Title III, credit card marketers may technically still be able
to give out free items to entice students to come over and speak with
them.226 However, they cannot provide the items as a quid pro quo
exchange for a filled-out credit card application.227 Students will likely still
be unduly enticed by the offer of free gifts.228 This is a deceptive practice
218. See Jerry Kang, Information Privacy in Cyberspace Transactions, 50 STAN. L. REV. 1193,
1253–57 (1998).
219. See id.
220. See id.
221. See PIRG GUIDE FOR COLLEGES, supra note 18, at 3. Some universities are already putting
these types of policies in place. See Grant McCool, NY AG Cuomo Strikes Student Credit-Card
Reform Agreement, REUTERS, Sept. 7, 2010, available at http://www.reuters.com/article/
idUSTRE6863S020100907.
222. See PIRG GUIDE FOR COLLEGES, supra note 192, at 3.
223. See supra Part III.B.
224. See MacDonald, supra note 91 (describing the opportunity for credit card issuers to avoid
the restrictions of the Act by offering items without requiring that students apply for the card).
225. See id.
226. See id.
227. 15 U.S.C.A. § 1650(f) (West 2010).
228. See MacDonald, supra note 91.
2010]
Protecting Young Consumers
181
that the Act should have completely eliminated.229 Title III should have
required that only information be provided at tables.230 This would provide
a balance between allowing credit issuers access to students while
prohibiting any undue influence.231 The information would be there for
those students who wish to seek it out. This convenience will still likely
pull in many new customers for the credit issuers, but the new customers
would not have been enticed by the usual traps.232
C. CREDIT EDUCATION
With 39% of students arriving on campus with a credit card233 and 84%
of the overall student population having credit cards,234 credit education is
more important than ever. In general, college students may lack the
financial knowledge and skills necessary to successfully manage their
credit.235 This ignorance of basic credit management information makes
credit education an essential element in solving underlying credit misuse by
undergraduates.236 Financial education can be successful for many
vulnerable groups, including those new to credit.237 Using guidance from
students on how to provide the information, universities should be required
to implement programs that actively educate students on the proper and
responsible use of credit.238
More and more freshman students are carrying credit cards. A study
conducted by Sallie Mae reported a 60% increase—from the Fall of 2004 to
the Spring of 2008—in the percentage of first-year students carrying credit
cards.239 At the same time, a large percentage of these students have
reported being “surprised” by their credit balance.240 Fully 38% have at
some point expressed surprise at their credit card balance and 22% report
being frequently surprised.241 Although the feeling of “surprise” may be
attributed to a number of factors, including failure to account for all
229. See CAMPUS CREDIT CARD TRAP, supra note 2, at 13.
230. See supra Part III.B.
231. See supra Part III.B.
232. Johnson, supra note 14, at 266–68.
233. SALLIE MAE STUDY, supra note 51, at 6.
234. Id. at 5.
235. Johnson, supra note 14, at 268–76.
236. Id. at 269; see also CAMPUS CREDIT CARD TRAP, supra note 2, at 13.
237. See Gartner & Schiltz, supra note 70, at 419–20 (discussing a project that brought all
stakeholders in the credit debate together for educational purposes and conducted a study that
determined that new credit users are “especially vulnerable” and “could benefit from initiatives
designed to help consumers manage credit cards successfully”).
238. SALLIE MAE STUDY, supra note 51, at 16 (reporting that students are “interested in
pursuing some areas of education to increase financial literacy” and presenting data collected
regarding how and when students would like to receive such information).
239. Id. at 6.
240. Id. at 11.
241. Id.
purchases or how they will add up,242 it is difficult to imagine that a student
would be frequently surprised if she completely understood the way credit
works. In fact, 84% of undergraduates admitted the need for more financial
management information.243 Credit education could be used to limit the
likelihood of surprise based on such lack of knowledge. Financial literacy
can be gained through credit education.244 Credit education provides basic
information about terms and conditions, how to avoid and manage debt, and
how interest rates and penalties work.245 Increasing awareness of credit
issues through education could influence how young consumers view and
use credit cards.246 At a time when they are being bombarded with credit
offers, credit education is particularly vital to stemming the flood of poor
credit decisions.247
Students appear to agree with this idea. In all, 84% of undergraduate
students indicated that they would like more education on financial
management.248 Many students are not receiving this information.249
Furthermore, 64% indicated that they would like to receive information in
high school and 40% as college freshman.250 In addition to providing a
positive response to the idea of credit education, the Sallie Mae study also
asked students about the best way to provide such information.251 Students
reported wanting financial management information provided in person,
preferably “in the classroom” or “through one-on-one meetings.”252 With
students willing to participate in educational programs and providing the
roadmap on how best to do it, credit education programs should be
relatively easy to implement.
In fact, many credit issuers already provide financial education to
undergraduate students.253 Likewise, some universities offer financial
242. See id.
243. Id. at 16; see also Johnson, supra note 14, at 227–28 (citing 2002 survey of 401 students at
The Ohio State University that found that less than half of the freshmen understood that missed
payments will negatively affect their credit).
244. See U.S. FIN. LITERACY & EDUC. COMM’N, TAKING OWNERSHIP OF THE FUTURE: THE
NATIONAL STRATEGY FOR FINANCIAL LITERACY xi–xii (2006), available at
http://205.168.45.52/sites/default/files/downloads/ownership.pdf [hereinafter LITERACY STUDY].
245. Johnson, supra note 14, at 268–76; CAMPUS CREDIT CARD TRAP, supra note 2, at 13.
246. Gartner & Schiltz, supra note 70, at 423 (“[T]he results of one issuer demonstrate that
credit education works for people who are new to credit, especially college students.”); Johnson,
supra note 14, at 268–69.
247. Johnson, supra note 14, at 268–76.
248. SALLIE MAE STUDY, supra note 51, at 16.
249. Id. A third of respondents for the Sallie Mae study reported that they had never or rarely
discussed credit cards with their parents. Id.
250. Id.
251. Id.
252. Id.
253. Jessica Silver-Greenberg, Majoring in Credit-card Debt, BLOOMBERG BUSINESSWEEK,
Sept. 5, 2007, http://www.msnbc.msn.com/id/20607411/ns/business-businessweekcom/.
literacy and credit education.254 The Credit CARD Act could have taken
credit education a step further by mandating it in universities.255 In the
alternative, the Act could have required credit education only when the
university had a contract with a credit issuer.256 Either way, this would go
further in addressing the underlying dearth of knowledge that can lead to
credit mismanagement by young consumers.257 As it is, the Act’s limits on
eighteen- to twenty-one-year-olds merely delay the potential problem
instead of providing the fundamental education needed to solve it.
CONCLUSION
Title III of the Credit CARD Act is a huge step toward providing better
protection for young consumers. The aggressive solicitation and marketing
practices by credit issuers on college campuses made change necessary.
Although the Act gets it right when it comes to banning the quid pro quo
exchange of tangible items, prohibiting pre-screened offers, and mandating
contract disclosures, it leaves open many loopholes and fails to address
some fundamental problems. Restricting young adult ownership of credit
cards only delays credit misuse; it does not solve it. The Act should not be
aimed at discouraging all use, but rather encouraging responsible use. A
combination of stronger protection of student data, increased marketing
limitations on credit card issuers, and credit education would create a
solution where informed and empowered students could take responsibility
for their own finances and still be protected from the most deceptive and
coercive practices.
Kathryn A. Wood
Bank of America, Citibank, JPMorgan Chase, American Express, and others say they
are providing a valuable service to students and they work hard to ensure that their
credit cards are used responsibly. Citibank and JPMorgan both offer extensive financial
literacy materials for college students. Citibank, for instance, says it distributed more
than 5 million credit-education pieces to students, parents, and administrators last year
for free.
Id.
254. LITERACY STUDY, supra note 244, at 93–94 (discussing examples and the importance of
“higher education institutions . . . providing financial literacy opportunities to students”); Grant
McCool, supra note 221 (discussing N.Y. Attorney General’s negotiations with the State
University of New York System to adopt practices like financial literacy programs to educate
students, as well as an opt-in system for sharing students’ personal information with credit card
companies).
255. See 15 U.S.C.A. § 1650(f) (West 2010).
256. See Johnson, supra note 14, at 268–76.
257. See generally id. at 224–27.
* B.S., New York University, 2005; J.D. candidate, Brooklyn Law School, 2011. I would
like to thank my family for their constant love and support, as well as the editing staff of the
Journal for their assistance with this note. Most importantly, I want to thank my inspiration,
Adam, for his unwavering support, patience, and encouragement through all my endeavors.
WHO’S THE BOSS? THE NEED FOR
REGULATION OF THE TICKETING INDUSTRY
INTRODUCTION
To many music fans, the chance to see their favorite performers live is a
rare and special experience. Given the infrequency of such events,
consumers are often willing to spend large sums of money to obtain tickets
to attend these shows. However, these consumers may be unaware that they
are regularly being misled by the largely unregulated ticketing industry into
overpaying for their tickets.
On Monday, February 2, 2009, at 10 a.m., tickets to Bruce Springsteen
and the E Street Band’s “Working on a Dream” tour1 went on sale to the
public through Ticketmaster.com2 for the May 21, 2009 and May 23, 2009,
shows at the Izod Center at the New Jersey Meadowlands, in East
Rutherford, New Jersey.3 Because Springsteen hails from New Jersey,4
“[h]undreds of thousands of local Springsteen fans were” seeking tickets to
these shows.5 Within minutes of the commencement of the sale, consumers
were met with error messages and were redirected6 to TicketsNow.com,7 a
wholly owned subsidiary of Ticketmaster, Inc. (Ticketmaster) and the
second largest secondary ticketer in the world.8 There, some tickets were
sold at prices four times greater than their actual face value.9 This was done
despite the fact that original tickets to the shows were still available on
Ticketmaster.com.10 Instead of offering tickets at face value on its primary
1. Daniel Kreps, Bruce Springsteen Announces “Working on a Dream” Tour, ROLLING
STONE MUSIC (Jan. 27, 2009), http://www.rollingstone.com/music/news/15765/91347
(announcing a 26-show U.S. concert tour that followed the band’s late January 2009 release of
their album Working on a Dream).
2. Ticketmaster is a leader in “e-commerce and ticketing sites online, operating in 18 global
markets, and with 19 worldwide call centers.” About Ticketmaster, http://www.ticketmaster.com/
h/about_us.html?tm_link=tm_homeA_i_abouttm (last visited Sept. 20, 2010). “Ticketmaster has
been connecting fans to live entertainment since 1976, and is a Live Nation Entertainment, Inc.
company.” Id.
3. Peggy McGlone, Ticketmaster Reveals Details of Rapid Sales: There are 38,778 Tickets
for Two N.J. Concerts by Bruce Springsteen. Your Chances of Getting One? ABOUT ZERO,
STAR-LEDGER (Newark, N.J.), May 21, 2009, at 1 [hereinafter McGlone, Ticketmaster
Springsteen Concert].
4. DAVE MARSH, BRUCE SPRINGSTEEN: TWO HEARTS: THE DEFINITIVE BIOGRAPHY, 1972–2003,
at 278 (2004).
5. McGlone, Ticketmaster Springsteen Concert, supra note 3.
6. Id.; see also Ben Sisario, Ticketmaster Reaches Settlement on Complaints of Deceptive
Sales, N.Y. TIMES, Feb. 19, 2010, at B3 (describing the details of a settlement between the Federal
Trade Commission and Ticketmaster stemming from complaints from “thousands of customers
[that claimed that] Ticketmaster’s Web site . . . pointed [them] to TicketNow.com . . . [and]
offered similar tickets at inflated prices”).
7. Ticketmaster purchased TicketsNow in January 2008 for $265 million. Jon Hood,
TicketsNow Once Again in Hot Water, CONSUMER AFFAIRS (May 21, 2009),
http://www.consumeraffairs.com/news04/2009/05/ticketsnow.html.
8. Id.
9. Id.
10. Id.
ticketing site, Ticketmaster blocked those primary sales and immediately
sent consumers to its secondary ticketing Web site, TicketsNow.com,
without warning, to purchase more expensive tickets.11
Almost immediately, deceived consumers began filing complaints with
the New Jersey Attorney General’s (Attorney General) Office and the New
Jersey Division of Consumer Affairs.12 During the course of the
investigation, Ticketmaster revealed that a software glitch was the official
source of the problem.13 However, in response to an open letter posted by
Springsteen to his fans on his Web site blaming Ticketmaster for the
mishandling of his concert ticket sales,14 Ticketmaster CEO Irving Azoff
acknowledged that in certain circumstances the company did intentionally
direct consumers to TicketsNow.com.15 Ticketmaster and the Attorney
General’s Office eventually reached a settlement in which the company
agreed to provide for consumers who overpaid for their tickets and to
change its business practices in order to better protect and inform its
customers.16
This incident is not an isolated occurrence, but exemplifies a much
bigger problem in the largely unregulated ticketing industry.17 In both the
primary18 and secondary19 ticketing markets, companies are engaging in
predatory practices that adversely affect consumers.20 In the primary
11. See id.
12. See Press Release, New Jersey Division of Consumer Affairs, Attorney General
Announces Settlement with Ticketmaster on Sale of Springsteen Tickets (Feb. 26, 2009),
http://www.state.nj.us/lps/ca/press/brucefinal.htm [hereinafter N.J. AG Settlement Press Release].
13. Ticketmaster Changes Sales Practices After Springsteen Flap, CBC NEWS (Feb. 23, 2009),
http://www.cbc.ca/consumer/story/2009/02/23/ticketmaster-settlement.html.
14. Bruce Springsteen Ticketmaster Controversy! Letters from the Boss, a Congressman &
CEO + Live Nation, TicketsNow, BROOKLYN VEGAN (Feb. 5, 2009, 11:13 AM),
http://www.brooklynvegan.com/archives/2009/02/bruce_springste_17.html.
15. Ray Waddell, Ticketmaster Responds to Springsteen, Fans, BILLBOARD.COM (Feb. 5,
2009, 12:37 PM), http://www.billboard.com/bbcom/news/ticketmaster-responds-to-springsteenfans-1003938632.story#/bbcom/news/ticketmaster-responds-to-springsteen-fans1003938632.story.
In Azoff’s defense, he stated that “‘[t]his redirection only occurred as a choice
when we could not satisfy fans’ specific search request for primary ticket inventory.’” Id.
16. N.J. AG Settlement Press Release, supra note 12. The settlement terms included: a series
of concessions towards consumers directly affected by the Springsteen ticket fiasco; “a wall
between Ticketmaster and its ticket re-selling subsidiary TicketsNow.com for at least a year”;
“approval from the [N.J.] Attorney General for any links between [Ticketmaster’s] ‘No Tickets
Found’ Internet page to its TicketsNow re-sale website”; no “paid Internet search advertising that
would lead consumers searching for ‘Ticketmaster’ on Internet search engines to its TicketsNow
re-sale site”; a guarantee that all tickets “it receives for sale to the general public will be sold on its
primary market website”; and no sale or offer of sale of “any tickets on the TicketsNow.com
reselling website until the initial sale begins on its primary website.” Id.
17. See Hood, supra note 7 (indicating online ticket market problems for recent Hannah
Montana and Phish shows).
18. See discussion infra Part I.A.
19. See discussion infra Part I.B.
20. See Competition in the Ticketing and Promotion Industry: Hearing Before the Subcomm.
on Courts and Competition Policy of the H. Comm. on the Judiciary, 111th Cong. 5–7 (2009)
(statement of N.J. Rep. Pascrell, Jr.).
2010]
Who's the Boss?
187
ticketing market such predatory practices include diverting tickets to
secondary ticket sellers,21 and having a limited, unknown number of tickets
available for public sale,22 which are often the result of limited ticket presale
events.23 In the secondary market, predatory practices include
exorbitant markups on ticket prices,24 the sale of tickets before the initial
primary ticket release,25 and the sale of “phantom tickets.”26 Regulation is
necessary to combat these predatory practices, protect the consumer, and
rectify the ills that currently exist. Representative Bill Pascrell, Jr.27 has
proposed federal legislation, the Better Oversight of Secondary Sales and
Accountability in Concert Ticketing Act of 2009 (the BOSS ACT, or the
Act),28 which seeks to “overhaul the concert ticket industry and improve
fans’ chances of scoring tickets to their favorite acts.”29
This note explores the need for regulation of the primary and secondary
ticketing markets and suggests that the passage of federal legislation is the
solution. In light of the recent and repeated problems affecting the ticketing
industry, and the prevalence of predatory practices adverse to consumer
interests, congressional action is necessary. The BOSS ACT will protect
consumers and rectify predatory practices throughout the primary and
secondary ticketing markets; it will make the ticketing industry more
reliable and transparent, and afford regular fans a fair chance to attend their
favorite events.
Part I of this note presents an overview of the ticketing industry as a
largely unregulated trade consisting of distinct primary and secondary
markets, and identifies the major players in each segment of the industry.
Part II examines the predatory practices currently being employed and the
adverse effect such practices are having on consumers. Part III analyzes the
proposed BOSS ACT and the effect it could have on the industry, and
advocates that Congress swiftly pass this legislation. Finally, Part IV
proposes additional rules the Federal Trade Commission (FTC) should
21. Hood, supra note 7.
22. See McGlone, Ticketmaster Springsteen Concert, supra note 3.
23. See Clark P. Kirkman, Note, WHO NEEDS TICKETS? Examining Problems in the
Growing Online Ticket Resale Industry, 61 FED. COMM. L.J. 739, 751 (2009) (describing the
anger of parents who received no ticket purchasing privileges despite paying membership fees to
have access to ticket presales).
24. See, e.g., Ethan Smith, Concert Tickets Get Set Aside, Marked Up by Artists, Managers,
WALL ST. J., Mar. 11, 2009, at B1.
25. See, e.g., Editorial, Who Can Tame the Scalpers?, N.Y. TIMES, June 1, 2009, at A20.
26. Id. (describing phantom tickets as the sale of tickets that do not exist).
27. Representative Pascrell, Jr. is a Democrat representing the 8th Congressional District of
New Jersey. Biography of Bill Pascrell, Jr., HOUSE.GOV, http://pascrell.house.gov/news/
biography.shtml (last visited Sept. 24, 2010).
28. Better Oversight of Secondary Sales and Accountability in Concert Ticketing Act of 2009,
H.R. 2669, 111th Cong. (2009).
29. Peggy McGlone, The BOSS ACT Rewrites Rules on Ticket Sales, STAR-LEDGER (Newark,
N.J.), June 1, 2009, at 1 [hereinafter McGlone, The BOSS ACT Rewrites].
promulgate upon the passage of the BOSS ACT to facilitate the regulation
of the ticketing industry.
I. OVERVIEW OF THE MARKETS FOR TICKETS
The ticketing industry emerged from the needs of commercial
entertainment.30 According to several historians, “commercial entertainment
began in sixteenth century England with the introduction of for-profit
theatres.”31 At that time, theaters were divided into sections and consumers
were charged incrementally differing amounts to access more exclusive
sections.32 From what was once a simple ticketless process, ticketing has
developed into a thriving, multi-billion dollar industry consisting of many
buyers and many sellers in two distinct markets: the primary ticketing
market and the secondary ticketing market.33
A. PRIMARY TICKETING MARKET
A ticket,34 which entitles the bearer to enter a particular event,
is first sold in a primary sale35 in the primary market.36 To understand how
the primary market works, consider the typical organization of a concert. A
promoter will hire an act, book a venue, and all parties involved will
negotiate a plan to divide potential profits.37 The promoter will generally set
the ticket price and determine when the “advertising and selling” of the
tickets should begin.38 The venue will make some tickets available “through
the box office39 where the event will be held and the promoter (or the
venue) [will] also contract[] with a ticketing agency,” such as Ticketmaster,
to facilitate the majority of the ticket sales.40 Tickets issued by the venue are
placed on the market, and the venue is considered the “primary ticket
30. See Pascal Courty, Some Economics of Ticket Resale, 17(2) J. ECON. PERSP. 85, 90 (2003).
31. Id.
32. Id.
33. See id. at 87–89.
34. “The term ‘ticket’ means a ticket of admission to a sporting event, theater, musical
performance, or place of public amusement of any kind.” Better Oversight of Secondary Sales and
Accountability in Concert Ticketing Act of 2009, H.R. 2669, 111th Cong. § 6(10) (2009). The
definitions adopted throughout this note are the definitions utilized in the pending BOSS ACT
legislation.
35. See Courty, supra note 30, at 87 (describing the general mechanics of a primary sale).
Additionally, “[t]he term ‘primary sale,’ with regards to a ticket, means the initial sale of a ticket
that has not been sold previous to such sale, by a primary ticket seller to the general public on or
after the date advertised such sale.” H.R. 2669 § 6(7).
36. OFFICE OF N.Y. ATTORNEY GEN., "WHY CAN'T I GET TICKETS?": REPORT ON TICKET
DISTRIBUTION PRACTICES 16 (1999) [hereinafter SPITZER REPORT].
37. Courty, supra note 30, at 87.
38. Id.
39. “The term ‘box office’ means a physical location where tickets are offered for primary
sale.” H.R. 2669 § 6(3).
40. Courty, supra note 30, at 87.
seller”41 or “original ticket seller.”42 The “face value”43 of the ticket is
printed on the ticket and is comprised of the “base price”44 as well as some
of the “ancillary charges”45 the ticketing agency, and sometimes the box
office, adds on.46 Despite the fact that ticketing agencies charge additional
fees on top of the base price, most tickets are typically sold through them
because agencies can reach a significantly larger audience than the box
office.47
Estimates of the total value of tickets sold per year vary greatly. In
2008, Ticketmaster sold nearly 142 million tickets valued at over $8.9
billion.48 According to Forrester Research, the primary ticketing sales
market in the U.S. for live music and sporting events approximates $22
billion per year.49 Other studies, from the late 1990s to the early 2000s,
“estimate[] [that the] total primary market tickets vary in range from $7 to
$60 billion, with that range depending on the set of events” that were
considered.50 Although Ticketmaster dominates the primary ticket market,
41. H.R. 2669 § 6(8).
The term ‘primary ticket seller’ means an owner or operator of a venue or a sports team,
a manager or provider of an event, or a provider of ticketing services (or an agent of
such owner, operator, manager, or provider) that engages in the primary sale of tickets
for an event or retains the authority to otherwise distribute tickets.
Id.
42. SPITZER REPORT, supra note 36, at 16.
43. “The term ‘face value’ means the total price of a ticket including both the base price and
any ancillary charges.” H.R. 2669 § 6(6).
44. “The term ‘base price’ means the price charged for a ticket other than any ancillary
charges.” Id. § 6(2).
45. “The term ‘ancillary charges’ means service fees, convenience charges, parking fees, and
other charges associated with the purchase of a ticket and not included in the base price of the
ticket.” Id. § 6(1).
46. Courty, supra note 30, at 87.
47. Id.
48. Press Release, Sen. Kohl, Kohl Urges Department of Justice to Closely Scrutinize
Ticketmaster/Live Nation Merger (July 27, 2009),
http://kohl.senate.gov/newsroom/pressrelease.cfm?customel_dataPageID_1464=2986.
49. Press Release, TicketNetwork.com, Ticket Resale Industry Protects Consumers With Fair
Market Prices and Secure Transactions (Feb. 4, 2009) (on file with author) [hereinafter Consumer
Protection Press Release].
50. Courty, supra note 30, at 87; Stephen K. Happel & Marianne M. Jennings, Creating A
Futures Market for Major Event Tickets: Problems and Prospects, 21 CATO J. 443, 448–49
(2002), available at http://www.cato.org/pubs/journal/cj21n3/cj21n3-6.pdf.
Using data from U.S. Statistical Abstracts, Variety, Newsday, Amusement Business,
Team Marketing Report, and the League of American Theaters and Productions,
TicketAmerica (1998) derived an estimate of $7.2 billion spent through primary ticket
channels in 1997. The Kelsey Group (1999) gives estimates and forecasts of total ticket
sales from 1999 to 2004 as $14.5 billion, $16.25 billion, $18.1 billion, $19.9 billion,
$21.9 billion, and $24.4 billion, respectively. LiquidSeats (2001) estimates the face
value of all tickets sold in the United States for live events and attractions in 1999 to be
$16.7 billion. In contrast, TickAuction.com (2000) finds the primary ticket market to be
over $41 billion in 2002, and EventTixx finds the “Tier 1 Event Marketplace” (major
league sports, college football and basketball, concerts, Broadway theater, select golf
and tennis tournaments, etc.) to have ticket sales in excess of $60 billion in 2000.
Happel & Jennings, supra note 50, at 448–49.
Live Nation,51 TeleCharge,52 and TicketWeb53 are other significant
players.54
B. SECONDARY TICKETING MARKET
Once a ticket has been sold in the primary ticket market a ticket
“resale” or “secondary sale”55 by a secondary ticket seller56 can occur in the
secondary market.57 This process is generally referred to as “ticket
51. Live Nation About Us, http://www.livenation.com/company/getCompanyInfo (last visited
Sept. 24, 2010).
Live Nation Entertainment (NYSE-LYV) is the largest live entertainment company in
the world, consisting of five businesses: concert promotion and venue operations,
sponsorship, ticketing solutions, e-commerce and artist management. Live Nation seeks
to innovate and enhance the live entertainment experience for artists and fans: before,
during and after the show.
In 2009, Live Nation sold 140 million tickets, promoted 21,000 concerts, partnered with
850 sponsors and averaged 25 million unique monthly users of its e-commerce sites.
Id.
Merger talks between Live Nation and Ticketmaster became public in February 2009. See
Ethan Smith, Ticketmaster, Live Nation Near Merger, WALL ST. J., Feb 4, 2009, at A1. The
merger was completed in January 2010, after the Justice Department announced conditions that
had to be met before they would accept the merger. Ben Sisario, Justice Dept. Clears Ticketmaster
Deal, N.Y. TIMES, Jan. 26, 2010, at B4. Both parties agreed to the conditions which included
Ticketmaster selling off one of its ticketing divisions and licensing its software to a competitor, as
well as 10 years of “tough antiretaliation provisions” to prevent monopolistic control of the
industry. Id.
52. About Telecharge.com, http://www.telecharge.com/aboutUs.aspx (last visited Dec. 21,
2009) (describing Telecharge.com as the “official ticketing agency for most of New York City’s
theatres” and as a division of The Shubert Organization Inc.).
53. About TicketWeb, http://event.ticketweb.com/about/index.html (last visited Dec. 21,
2009).
TicketWeb is a self-service online ticketing and event marketing application operated
by Ticketmaster, the world’s leading ticketing company. The proprietary system allows
venues and event providers of any size to manage the full range of box office operations
on the Web, with the added value of integration and distribution through
Ticketmaster.com.
Id.
54. Press Release, Ticket News, Ticket News Announces Top Ticket Sellers for Week Ending
October 10, 2009 (Oct. 16, 2009), http://www.ticketnews.com/Ticket-News-Announces-TopTicket-Sellers-for-Week-Ending-October-10-2009.
55. “The terms ‘resale’ or ‘secondary sale,’ with regards to a ticket, mean any sale of a ticket
that occurs after the initial sale of the ticket.” Better Oversight of Secondary Sales and
Accountability in Concert Ticketing Act of 2009, H.R. 2669, 111th Cong. § 6(9) (2009).
56. “The term ‘secondary ticket seller’ means a person engaged in reselling tickets for an event
and who charges a premium in excess of the face value. Such term does not include an individual
who resells fewer than 25 tickets during any 1-year period.” Id. § 6(12).
57. SPITZER REPORT, supra note 36, at 17.
scalping.”58 Institutional secondary ticket sellers are considered either ticket
scalpers or ticket brokers.59
Ticket scalpers first emerged in the late nineteenth and early twentieth
century as unauthorized sellers of the unused portions of long-distance
railroad tickets.60 Today, ticket speculators are more generally known as
scalpers; a ticket speculator is “[a] person who buys tickets and then resells
them for more than their face value; in slang, a [ticket] scalper.”61 Ticket
scalping is broadly defined as the reselling of tickets to entertainment or
sporting events at a price that is dictated by the marketplace.62 The more
popular the event, the more likely it is that ticket scalping will occur and the
higher the price at which the tickets will be sold.63 However, scalping, at
face value or even for below face value, will often still occur when an event
“is in low demand or not sold out.”64
In contrast to ticket scalpers, ticket brokers are formal businesses that
engage in the buying and selling of tickets.65 Ticket brokers have been
around since the turn of the twentieth century, at which time they served as
“remote sales outlets for theatres and ballparks,” where customers could
purchase tickets without having to travel long distances.66 Today,
companies such as Ticketmaster have replaced that primary ticketing
function, relegating ticket brokers into the secondary ticketing market.67
58. See Jonathan C. Benitah, Note, Anti-Scalping Laws: Should They Be Forgotten?, 6 TEX.
REV. ENT. & SPORTS L. 55, 57 (2005).
59. See id. at 5759 (describing the history of ticket scalpers and ticket brokers).
60. See generally Burdick v. People, 36 N.E. 948 (Ill. 1894); Fry v. State, 63 Ind. 552 (Ind.
1878). The railroad would offer discounts on round trip tickets, so scalpers would purchase these
“deals” and resell the unused portions to other customers. See Ill. Cent. R.R. Co. v. Caffrey, 128
F. 770, 770–71 (C.C.E.D. Mo. 1904). Soon thereafter, similar scalping enterprises sprang up with
regards to theater tickets, in which “ticket speculators,” as they were known, would buy large
batches of tickets from the box office and attempt to sell them outside of the venue above face
value. See William O. Logan, Ticket Scalpers Arrested, THE BUFFALONIAN,
http://www.buffalonian.com/history/articles/1851-1900/1899TICKETSCALPERS.html (last
visited Sept. 9, 2010) (quoting Ticket Speculators, BUFFALO EXPRESS, Dec. 26, 1899).
61. BLACK’S LAW DICTIONARY 1520 (8th ed. 2004).
62. Thomas A. Diamond, Ticket Scalping: A New Look at an Old Problem, 37 U. MIAMI L.
REV. 71, 71 (1982).
63. Jonathan Bell, Note, Ticket Scalping: Same Old Problem with a Brand New Twist, 18 LOY.
CONSUMER L. REV. 435, 438 (2006). Additionally, the unique quality of each event makes tickets
desirable whether the ticket price is high or low. See Stephen K. Happel & Marianne M. Jennings,
The Folly of Anti-Scalping Laws, 15 CATO. J. 65, 66–67 (1995), available at http://www.cato.org/
pubs/journal/cj15n1-4.html.
64. Bell, supra note 63, at 438 n.16.
65. TicketLiquidator Glossary Page, TICKETLIQUIDATOR, http://www.ticketliquidator.com/
dictionary.aspx (last visited Dec. 21, 2009).
66. Scott D. Simon, Note, If You Can’t Beat ‘em, Join ‘em: Implications for New York’s
Scalping Law in Light of Recent Developments in the Ticket Business, 72 FORDHAM L. REV. 1171,
1172 (2004).
67. Id. at 1172–73. Furthermore, ticket brokers are typically small firms with only a few
employees and $3-4 million in revenue per year. Happel & Jennings, supra note 50, at 449. For
the purposes of this article, ticket scalping will be used to reference both ticket scalpers and ticket
brokers.
192
BROOK. J. CORP. FIN. & COM. L.
[Vol. 5
The ticket scalping process typically begins with the purchase of tickets
from the promoter, venue, or ticketing agency of the event, usually in bulk,
and then waiting for the ticket supply to sell out.68 The scalper then offers
the tickets to consumers at the marketplace price.69 This process of
consumers purchasing tickets from the scalper, a secondary seller, rather
than the venue or ticketing agency, the primary seller, creates the secondary
market for tickets.70
Ticket scalping is derived, in part, from the common practice of promoters
selling tickets at below market prices.71 The rules of supply and demand
justify this practice as lower prices will create a higher demand,72 resulting
in more tickets sold, and the higher probability of a sellout, the promoters’
ultimate goal.73 This practice creates an ideal situation for ticket scalpers,
but also for the average ticket holder who either cannot or no longer wants
to attend the event.74 Because many consumers are willing to pay more than
the advertised prices in the primary market for high demand tickets,
scalpers can purchase premium tickets at face value and sell them to the
highest bidder, confident that they will not be stuck with the tickets.75
The Internet has revolutionized the ticketing industry. A process that
once required going in person to purchase tickets or speaking with a
ticketing agent on the phone can now be completed almost instantaneously,
twenty-four hours a day, in the comfort of one’s own home.76 This has been
especially beneficial to the secondary ticketing market.77 Scalpers may—
through the use of an “online resale marketplace,”78 such as StubHub,79
68. Diamond, supra note 62, at 72.
69. See id.
70. See Jasmin Yang, Note, A Whole Different Ballgame: Ticket Scalping Legislation and
Behavioral Economics?, 7 VAND. J. ENT. L. & PRAC. 111, 111 (2004).
71. Phyllis L. Zankel, Wanted: Tickets-A Reassessment of Current Ticket Scalping Legislation
and the Controversy Surrounding Its Enforcement, 2 SETON HALL J. SPORT L. 129, 144 (1992).
Promoters engage in this practice to promote good will among their followers, which they hope
will yield greater long-term profits. Id.
72. Simon, supra note 66, at 1176.
73. See id. By pricing tickets below what the average consumer would spend for the ticket, the
likelihood of shortage of tickets is increased. See id.
74. See id. The ticket scalper can step in as a middleman, purchase the tickets above face value
from the original ticket holder who no longer desires to attend (at a profit to that individual), and
then turn around and sell them at a still higher price to another consumer who desires entry into
the event, creating a profit for both. Id.
75. See Robert E. Freeman & Daniel Gati, Internet Ticket Scalping: If You Can’t Beat ‘em,
Join ‘em, 21 ENT. & SPORTS LAW. 6, 6 (2003).
76. See Benitah, supra note 58, at 74–75; see also Bruce Orwall, Online: Ticket Scalpers Find
a Home on the Web, WALL ST. J., Feb. 4, 1999, at B1.
77. See Kirkman, supra note 23, at 741.
78. “The term ‘online resale marketplace’ means an Internet website—(A) that facilitates or
enables the resale of tickets by secondary ticket sellers; or (B) on which secondary ticket sellers
offer tickets for resale.” Better Oversight of Secondary Sales and Accountability in Concert
Ticketing Act of 2009, H.R. 2669, 111th Cong. § 6(11) (2009).
79. “StubHub is the world’s largest ticket resale marketplace, enabling fans to buy and sell
tickets to tens of thousands of sports, concert, theater and other live entertainment events.”
eBay,80 Craigslist,81 RazorGator,82 and TicketsNow—be able to offer their
inventory to the widest array of consumers and collect substantial returns.83
The estimate of the value of tickets sold in the secondary market varies.
While scalping was once an illicit, cash-only practice that took place
outside of event venues, secondary ticket reselling over the Internet can
provide a more readily analyzable source of industry activity data.84
Forrester Research estimates that “U.S. online secondary ticket sales will
grow at a 12% [rate] over the next five years, reaching $4.5 billion by
2012.”85 Other sources indicate that the U.S. resale market is a $10 billion
business, with online sales accounting for $3 billion per year, and rising.86
Another figure cited estimates of secondary ticketing sales to be between $2
and $14 billion.87 Regardless of the most precise number, the secondary
market now comprises a substantial portion of the ticket industry.
II. PREDATORY PRACTICES OF THE TICKETING INDUSTRY
The primary and secondary ticketing markets have been actively
working together for several years. The first time two major primary and
secondary ticketing companies worked together to cross-promote and sell
tickets was in 2007.88 By blurring the line between primary and secondary
StubHub is the Fan’s Ticket Marketplace, STUBHUB!, http://www.stubhub.com/about-us/ (last
visited Sept. 29, 2010). StubHub was acquired by eBay in January 2007. eBay Inc., Current
Report (Form 8-K) (Jan. 10, 2007).
80. “With more than 90 million active users globally, eBay is the world's largest online
marketplace, where practically anyone can buy and sell practically anything.” Who We Are—eBay
Inc., http://www.ebayinc.com/who (last visited Dec. 21, 2009).
81. Craigslist is a centralized network of online communities, featuring free online classified
advertisements—with sections devoted to jobs, housing, personals, for sale, services, community,
and discussion forums. See Craigslist Factsheet, CRAIGSLIST.ORG, http://www.craigslist.org/
about/factsheet (last visited Sept. 29, 2010).
82. RazorGator is a ticket resale marketplace that empowers its clients by providing them a
connection to buy or sell “Hard-to-Get®” tickets to any event on the planet. RazorGator—About
Us, http://www.razorgator.com/tickets/about-us (last visited Sept. 29, 2010).
83. See Kirkman, supra note 23, at 740 (describing industry returns of $3 billion in 2006).
84. See, e.g., Courty, supra note 30, at 88 (citing the total number of tickets available for sale,
for a certain number of events, along with the auction prices, for a given day in August 2002 on
eBay).
85. Consumer Protection Press Release, supra note 49.
86. Julie Gibson, Hot Tickets: The Move From Streetside Scalping to Online Ticket
Speculation, THE LAWYERS WEEKLY (May 9, 2008), http://www.lawyersweekly.ca/index.php?
section=article&articleid=676.
87. Happel & Jennings, supra note 50, at 448–49 (citing estimates that made different
assumptions as to the percentage of primary sale tickets brokers would resell in the secondary
market).
88. Alfred Branch Jr., Tickets.com and RazorGator: Blurring the Lines Between Primary and
Secondary, TICKETNEWS.COM (Jun. 26, 2007), http://www.ticketnews.com/Tickets.com-andRazorGator-Blurring-the-Lines-Between-Primary-and-Secondary27266. RazorGator and Major
League Baseball’s Tickets.com used “Tickets.com customer database to promote events where
Tickets.com [was] not the primary seller.” Id. Tickets.com decided to send a RazorGator
newsletter to the Tickets.com customer database advertising an upcoming Dave Matthews Band
markets, primary ticket sellers are able to evade public scrutiny and appear
to “distance themselves from the secondary market,” while maintaining
significant control of that market.89 Although the outsourcing of tickets by
primary ticketing companies to the secondary ticketing market may appear
to be an innocent practice,90 such cooperation between the two ticketing
markets fosters rampant predatory practices that deceive the public.91
Predatory practices are widespread in both the primary and secondary
ticketing markets. In the primary market, such practices include diverting
tickets to secondary ticketing market sellers,92 having a limited, unknown
number of tickets available for public sale,93 and ticket presale events that
are available to only a select group of consumers thereby limiting the
number of tickets available to the public at large.94 Predatory practices in
the secondary market include the use of exorbitant ticket price markups,95
the sale of tickets before the initial primary release,96 and the sale of
“phantom tickets.”97 All of these practices adversely affect the consumers
who are forced to pay higher prices for fewer available tickets, resulting in
an economic loss to consumers.98 The predatory practices and their effect
on consumers will be analyzed in turn.
A. BAIT-AND-SWITCH: DIVERTING TICKETS TO AFFILIATED
SECONDARY MARKET SELLERS
Although the primary ticketing market is considerably larger than the
secondary market in terms of the number of ticket sales and value of the
industry as a whole,99 primary sellers face a limitation that does not affect
their secondary market counterparts: primary ticketers are limited in what
they may charge per ticket to the base value plus ancillary charges.100 In an
tour, in which Tickets.com was not the primary seller, and RazorGator was selling tickets only as
a secondary seller. Id.
89. Id.
90. Id. (noting legitimate aspects of the cooperation between the primary and secondary
markets, such as the reality that “‘it’s more profitable to outsource secondary marketing sales then
[sic] do it internally’”).
91. See, e.g., Hood, supra note 7 (citing several examples of predatory practices when the
primary and secondary ticket markets work together).
92. Id.
93. See, e.g., McGlone, Ticketmaster Springsteen Concert, supra note 3.
94. See id.
95. See, e.g., Smith, supra note 24.
96. See, e.g., Who Can Tame the Scalpers?, supra note 25.
97. Id. Phantom tickets refer to the sale of tickets that do not exist, including sales for nonexistent sections. See id.
98. See Simon, supra note 66, at 1176–77 (discussing the economic transfer that occurs as a
result of ticket purchaser’s willingness to pay higher amounts than charged by the box office,
thereby allowing the “consumer surplus” to be transferred to secondary sellers).
99. See discussion supra Part I.A–B.
100. See Courty, supra note 30, at 87. Secondary ticket sellers face no such price limitation
since they exist in a market of supply and demand in which the sale will occur at whatever price
the market will bear. See Simon, supra note 66, at 1177.
effort to capitalize on marked-up prices, primary ticket sellers—particularly
Ticketmaster101—who have close connections with secondary sellers, are
engaging in a bait-and-switch practice with consumers.102 Often without the
consumers’ knowledge, the primary sellers direct consumers to their
affiliated secondary sellers to complete the transactions, thereby causing
consumers to purchase tickets at higher prices than the face value offered
directly by the primary seller.103 At other times, this bait-and-switch
happens after face value tickets are no longer available, but still without a
clear indication to the consumer that she has been redirected from a primary
ticket seller to a secondary one.104
While this practice came to light out of the Ticketmaster sale of Bruce
Springsteen tickets for the “Working on a Dream” tour,105 it is hardly the
only reported instance of such conduct. Allegations of bait-and-switch
practices have also been claimed with ticket sales for Britney Spears,106 The
Dead,107 Fleetwood Mac,108 Phish,109 and the Wizard of Oz Broadway
performance.110 A class action lawsuit filed in the United States District
Court in Trenton, N.J., states that consumers seeking tickets to the
aforementioned shows as well as those for “Radiohead . . . Hannah
Montana and numerous others” have been subjected to bait-and-switch
practice by being redirected from Ticketmaster to its subsidiary resellers.111
101. See supra Introduction and accompanying Bruce Springsteen discussion.
102. See, e.g., Hood, supra note 7.
103. Id. Such conduct is occurring even while tickets still exist through the primary ticket seller
at face value. Id.
104. See Waddell, supra note 15 and accompanying text.
105. See discussion supra Introduction.
106. On Jan. 25, 2009, a purchaser bought Britney Spears tickets for $150 after Ticketmaster
automatically redirected them to TicketsNow. Elise Young, Lawsuit Challenges Ticket Site’s
Markups: Class-Action Filing Takes on Ticketmaster, STAR-LEDGER (Newark, N.J.), May 7,
2009, at 13. It was not until the tickets were delivered that the purchaser realized the seats only had a
face value of $30. Id.
107. A purchaser bought tickets to the April 22, 2009 concert of The Dead from TicketsNow,
spending $348.50 without ever knowing that TicketsNow was a ticket reseller, or how
TicketsNow obtained her credit card information that she had saved into her Ticketmaster
account. Peggy McGlone, More Music Fans Claim Scalpings by Ticketmaster, STAR-LEDGER
(Newark, N.J.), Feb. 9, 2009, at 1 [hereinafter McGlone, Scalping by Ticketmaster].
108. A purchaser bought two tickets to the March 21, 2009 Fleetwood Mac concert for $606.50
from what they thought was Ticketmaster. Id. However, the transaction was processed through
TicketsNow only hours after the tickets went on sale, with “thousands of unsold tickets to the
Fleetwood Mac show” still available at their face value. Id.
109. A lawsuit was filed in Federal Court in Massachusetts claiming that when a purchaser
logged in to Ticketmaster seeking tickets to a Phish show, he was immediately told tickets were
sold out and “immediately rerouted to TicketsNow,” where he bought nine tickets for $2,064,
although the face value was only $60 per ticket. Hood, supra note 7.
110. On Feb. 18, 2009, a purchaser bought four “Wizard of Oz” performance tickets for about
$65 each, when the face value was only $35, after being automatically redirected from
Ticketmaster to TicketsNow. Young, supra note 106.
111. Class Action Complaint and Jury Demand at 10, Vining v. Ticketmaster Entm’t, Inc., No.
09-cv-02096 (D. N.J. filed May 5, 2009), 2009 WL 1344722.
There have been additional reports of the same tactics being used for
AC/DC and 3 Doors Down shows.112 Such predatory conduct extends to
sales outside the United States as well.113
Although many consumers may have been unaware that they were
deceived until reports surfaced regarding the Bruce Springsteen show, ticket
diversion adversely affects consumer interests.114 Consumers are directed to
a secondary ticket seller without warning.115 This leads them to believe they
are paying the face value of tickets when, in fact, they are paying much
higher prices that are dictated by the marketplace, rather than the show’s
management.116 Consumers are therefore purchasing tickets from secondary
sellers at marked-up prices, even while face value tickets remain available
from primary sellers.117
The settlement reached in February 2009 between Ticketmaster and the
Attorney General’s Office resulting from the Bruce Springsteen
investigation sought to remedy this practice, in addition to compensating
the aggrieved parties;118 however, further regulation is needed. Diversionary
redirection is detrimental to consumers who are tricked into purchasing
tickets in the secondary market,119 while primary ticket sellers who are
affiliated with these secondary market sellers collect consumer surplus.120
B. UNKNOWN NUMBER OF TICKETS AVAILABLE FOR PUBLIC SALE
The number of tickets that will be available for public sale depends on
several factors. The size of the venue will determine the maximum number
112. McGlone, Scalping by Ticketmaster, supra note 107.
113. Ticketmaster Changes Sales Practices After Springsteen Flap, supra note 13. In Canada, a
class action lawsuit was filed against Ticketmaster resulting from a purchaser attempting to buy
Toby Keith tickets for the Oct. 8, 2008 performance at the Rexall Place in Edmonton, Alberta.
Press Release, Sutts, Strosberg LLP, Class Action Lawsuit Commenced in Alberta Against
Ticketmaster Entertainment, Inc., Ticketmaster Canada Ltd., TNOW Entertainment Group, Inc.
and Premium Inventory, Inc. (Feb. 23, 2009), http://www.newswire.ca/en/releases/archive/
February2009/23/c3133.html. After accessing Ticketmaster Canada’s Web site, the purchaser was
automatically redirected to TicketsNow, where she purchased one ticket for $219.15 and was
never told the face value of the ticket before the transaction was completed. Id. When she received
her ticket, she discovered the face value of the ticket was only $79.95. Id.
114. See McGlone, Scalping by Ticketmaster, supra note 107.
115. See, e.g., id. (noting that this automatic redirection misleads consumers to believe they are
buying from the primary seller, when they are actually purchasing tickets in the secondary
market).
116. See, e.g., id.
117. See id. (describing how thousands of unsold tickets, both better and cheaper, to the
Fleetwood Mac show were still available at time of purchaser’s purchase from TicketsNow);
Hood, supra note 7 (describing how tickets were still available for purchase to the Bruce
Springsteen shows on Ticketmaster when consumers were directed to TicketsNow to purchase
tickets in the secondary market).
118. N.J. AG Settlement Press Release, supra note 12 and accompanying text.
119. See Hood, supra note 7.
120. See Simon, supra note 66, at 1202 (discussing a 20% markup that is collected in large part
by secondary market sellers).
of tickets that could be made available for sale.121 However, most
consumers are unaware that the “house” holds back many of those
potentially available tickets.122 Furthermore, instead of returning unused
house tickets to public sale, these tickets often find their way to the scalpers
and ticket brokers who sell them in the secondary ticket market.123
Moreover, tickets that are held for performers and managers are often sold
directly by them in the secondary market to consumers.124 An additional
subset of tickets is sold through various pre-sale events, such as fan clubs
and other groups, further limiting the number of tickets available for public
sale.125 With such practices largely unknown to the public, consumers often
have unrealistic expectations of their chances of obtaining their desired
tickets through a general public sale.126
The two Bruce Springsteen shows at the center of the Ticketmaster
controversy demonstrate the false perceptions eager fans may have
regarding their chances of getting tickets to a show. The total capacity for
both shows was 38,778; however, only 28,284 tickets were made available
for public sale—a little more than 14,000 per show.127 Tickets were held
back for a variety of groups that included the media, the sponsors, the
record label, and the band, among others.128 “In total, about 5,200 seats
were excluded from the Ticketmaster sale for each show.”129 Had the public
been made aware of the number of tickets being withheld, perhaps
121. See McGlone, Ticketmaster Springsteen Concert, supra note 3.
122. SPITZER REPORT, supra note 36, at 5. The house consists of “the producer, the promoter,
the record company, the performer or other such individuals.” Id.
123. Id. at 42.
124. Smith, supra note 24.
125. SPITZER REPORT, supra note 36, at 46–47.
126. See id. at 5.
127. McGlone, Ticketmaster Springsteen Concert, supra note 3.
128. Id.
The Izod Center held back more than 1,600 tickets for each concert for sponsors, media
members and prospective sponsors, arena suite owners and the disabled. In addition,
1,098 tickets were held back because of technical demands: the size of the stage and its
exact sound and lighting equipment hadn’t been decided before the sale, so the tour
kept back seats that may have limited sightlines.
Just under 2,000 tickets for each concert—almost 10 percent—were held back for
Springsteen and the [New Jersey Sports and Exposition Authority], which sponsored
the show. . .
...
An additional 550 tickets for each show were reserved for the band’s record label,
Sony, and the booking agent, Creative Arts Agency.
Id.
129. Id. For an exact breakdown of tickets sold to the May 21, 2009 and May 23, 2009 shows
and to see what happened to the withheld tickets, see links provided in Peggy McGlone, Getting
Into a N.J. Bruce Springsteen Concert is Harder Than Imagined, NJ.COM (May 20, 2009, 9:40
PM), http://www.nj.com/news/index.ssf/2009/05/getting_into_a_nj_bruce_spring.html.
customers could have appropriately adjusted their expectations of obtaining
tickets.130
A large number of tickets are often held back by the house.131
Generally, house seats that are not sold or used within forty-eight hours of
the show are supposed to be returned to the box office for public sale.132
However, experienced box office employees who have become familiar
with this release schedule often sell these premium seats to ticket brokers
just before the scheduled release,133 resulting in a loss to the general
consumer of a chance to purchase the best seats at face value.134 Ticketing
employees also take tickets that are intended for public sale “out of the
system just prior to public sale,” decreasing the public’s allotment, and
instead sell those tickets to secondary market outlets.135 Improperly
regulated and supervised, house tickets often feed directly into the
secondary ticketing market.
Tickets that have been withheld from public sale frequently make their
way into the secondary market through the conduct of performers and
management themselves. Although most consumers believe the primary
sellers in the secondary market are ticket brokers or fans who are unable to
use their tickets, the premium tickets offered for sale on Ticketmaster’s
TicketExchange136 are not being sold by typical fans, but by the artists
themselves.137 In fact, the transactions that occur in the TicketExchange
130. SPITZER REPORT, supra note 36, at 5.
131. Id. These “tickets are almost always the best seats in the house,” further depriving the
public of a fair chance for the quality seats. Id. The sheer number of tickets withheld from public
sale creates the opportunity for manipulation and abuse. See id. The release of house seats is
actually on a “time-release” schedule such that some tickets “are released 72 hours before the
performance, 48 hours before the performance, and 24 hours before the performance,” with some
tickets held for last minute emergencies and VIPs. Id. at 43 n.46.
132. Id. at 43.
133. Id.
134. See id. at 5. Between April 1994 and July 1994, almost 1,000 house seats for the “Beauty
and the Beast” and “Grease” shows were sold to ticket brokers just before their scheduled release
for public sale. Id. at 43–44.
135. Id. at 45. For six concerts held at Madison Square Garden in 1998, 452 seats that were
supposed to be designated for public sale were withheld last minute in a “management hold
status,” and sold at the box office by box office employees. Id. Engaging in a similar scheme, for
the Hootie and the Blowfish shows at Jones Beach Marine Theater in 1996, the box office
treasurer and assistant treasurer withheld tickets valued at $300,000 to the first ten rows for 37
shows, selling them to ticket brokers instead. Id. at 46. Consequently, the treasurer pled guilty to a
series of felony charges. Id.
136. TicketExchange is Ticketmaster’s online service that supposedly enables “fan-to-fan
transactions,” by serving as the middleman between buyer and seller, authenticating tickets when
fans are connected to Ticketmaster’s ticketing systems. About TicketExchange,
http://www.ticketmaster.com/h/te/about.html (last visited Oct. 1, 2010).
137. Smith, supra note 24. In an effort to recapture the profits lost when tickets are sold by
ticket brokers, Ticketmaster works with artists and managers to list “hundreds of the best tickets
per concert” with its affiliated secondary sellers and divides the extra revenue, “which can amount
to more than $2 million on a major tour,” with artists and management. Id. Ticketmaster CEO
Azoff argued “that when ticket brokers resell tickets without permission from artists or promoters,
“Marketplace” pages rarely list tickets offered by fans, and whenever
Ticketmaster lists so-called “platinum seats,” the marketplace is selling
only artist-sanctioned seats.138 Reports claim that almost every major
concert tour today involves the sale of withheld tickets being sold by artists
and promoters in the secondary market.139 Professional sports teams have
been selling their own tickets in the secondary market as well.140 Because
artists and management profit from the secondary market, ticket brokers
should not take all of the blame; regulation is needed to limit and protect all
parties involved.
The sale of tickets to the public is further limited by the existence of
various presales such as those for fan clubs and certain credit card
holders.141 However, even these fan club members have also been the
victims of predatory practices of the ticketing industry.142 The existence of
these presales can severely limit the number of tickets available for public
sale, further distorting the public’s perception of total ticket availability.143
The predatory practice of very limited disclosure regarding the number
of tickets available for public sale for any given event impairs the general
consumer by diverting a large number of tickets away from public sale and
creating an unrealistic expectation of her chance of acquiring her desired
ticket.144 Should more information be made available—as regulation of the
it ‘drives up prices to fans, without putting any money in the pockets of artists or rights holders.’”
Id.
138. Id. Tickets for a Britney Spears concert in March 2009 had a link from Ticketmaster to
TicketExchange accompanied by the message “[b]rowse premium seats plus tickets posted by
fans.” Id. However, after inquiry by The Wall Street Journal, the “tickets posted by fans” part of
the message was removed. Id.
139. Id. (listing as examples recent tours by Bon Jovi, Celine Dion, Van Halen and Billy Joel).
140. See, e.g., Benitah, supra note 58, at 75–77. For example, the Chicago Cubs set up a ticket
brokerage called Wrigley Field Premium Ticket Services and the Seattle Mariners established the
Ticket Marketplace to serve as a middleman between buyers and sellers and collect a commission
for completed transactions. Id. at 75.
141. Event presales refer to special offerings of tickets available to select groups before the
tickets are made available for public sale. TicketLiquidator Glossary Page, supra note 65. Fan
clubs provide unrivaled access to their favorite artists and often club members are able to secure
tickets to an event before those tickets are made available to the public by virtue of their
participation, often a paid subscription, to the fan club. See Hood, supra note 7 (describing a
Hannah Montana fan club). Additionally, presales often occur as a bonus for being a member of a
certain group. SPITZER REPORT, supra note 36, at 41 (describing special ticketing benefits
available to a member of a theater party or of a large group); Ellen Rosen, In the Race to Buy
Concert Tickets, Fans Keep Losing, N.Y. TIMES, Oct. 6, 2007, at C6 (discussing ticket purchasing
advantages provided for being an American Express or Visa card holder).
142. Hood, supra note 7. A Hannah Montana—the persona of child star Miley Cyrus—Web site
offered $30 memberships to its fan club that included early access to concert tickets; however, the
“website failed to inform club members that the sales went public within fifteen minutes of first
being offered to members.” Id. Additionally, the site offered early access “pre-sale codes” after
the shows had already been sold out. Id.
143. Rosen, supra note 141. Of 11,000 seats available for a Hannah Montana concert,
Ticketmaster was allocated 8,400 tickets by the promoter, with half going to the fan club and the
other half going to the general public. Id.
144. See McGlone, Ticketmaster Springsteen Concert, supra note 3.
industry would require—the consumer would be better equipped to assess
her chance of acquiring tickets; she would also better understand that
additional tickets may be made available closer to show time,145 and could
therefore avoid overpaying for tickets in the secondary market.
C. EXORBITANT MARKUPS
In the secondary market, the marketplace often dictates ticket resale
prices.146 However, the price of tickets in the secondary market is also
distorted by the below-market price maintained in the primary market147 as
well as the excessive mark-ups that some ticket resellers add to the ticket
price.148 One primary reason for this large mark-up is that ticket resellers
often have to recover the costs of illegal payments that are used to acquire
the tickets.149
This practice is known as “ice”: “money paid, in the form of a gratuity,
premium or bribe, in excess of the printed box office price of a ticket, to an
operator of any ‘place of entertainment’ or their agent, representative or
employee” for withholding the best seats from the public.150 By selling
tickets at below the market-clearing price, the primary market participants
enable this illegal practice because brokers and other individuals are willing
to bribe the ticketing agents knowing they will be able to recoup their costs
in the secondary market.151 Thus, the predatory practice of marking-up
tickets to exorbitant prices that often occurs in the secondary market is the
direct result of the illegal—and often clandestine—relationship between
ticket resellers and ticket agents through which the secondary market sellers
acquire their tickets.152 Regulation of this practice is necessary to protect
consumers from excessive prices and rectify the illegal ticket exchanges
that exist between ticket agents and secondary sellers.
145. SPITZER REPORT, supra note 36, at 56–57.
146. See Diamond, supra note 62, at 73.
147. See Benitah, supra note 58, at 71–72; see also discussion supra Part I.B.
148. See Kirkman, supra note 23, at 746 (describing the common practice employed by
promoters where they charge lower face value rates because of the awareness that extra fees will
be generated through the secondary market). For example, an average seat to a Broadway musical
in New York City during the 1990s costing $75 or $80 would be sold for between $100 and $175
and sometimes more. See SPITZER REPORT, supra note 36, at 14.
149. See Simon, supra note 66, at 1180.
150. Andrew Kandel & Elizabeth Block, The “De-Icing” of Ticket Prices: A Proposal
Addressing the Problem of Commercial Bribery in the New York Ticket Industry, 5 J.L. & POL’Y
489, 489–90 (1997).
151. Simon, supra note 66, at 1180.
152. See SPITZER REPORT, supra note 36, at 19 (concluding that “one of the primary reasons for
the inflated prices on the resale market is that certain brokers have to cover the cost of payments
of ice”).
2010]
Who's the Boss?
201
D. SECONDARY SALE OF TICKETS AT OR BEFORE INITIAL PRIMARY
TICKET RELEASE
Typically, a show’s promoter determines when the sale of tickets is to
begin.153 However, since the Internet has taken over the secondary
market,154 ticket resellers often engage in the predatory practice of listing
tickets for sale before or at roughly the same moment of the primary
market’s initial ticket release.155 Because secondary retailers should not
have the actual tickets before the original sale, some consumers believe the
system constitutes a scam.156
The 2007 Hannah Montana “Best of Both Worlds Tour” is illustrative
of this systemic problem. Tickets to this fifty-four-date, nationwide concert
tour went on sale at 10 a.m., and were sold out by 10:05 a.m.157 However,
by 10:05 a.m. several secondary ticketing sites already had many tickets
available, but at much higher prices.158 Similarly, tickets for the final Bruce
Springsteen shows at Giants Stadium for September 30, 2009 and October 2
and 3, 2009—officially priced between $33 and $98159—appeared on Web
sites such as ebay.com, cheaptickets.com,160 and selectaticket.com161 up to a
week before the official ticket release,162 with prices up to $1,300 a ticket.163
The same phenomenon plagued the 2007 reunion tours of The Police and
Van Halen.164
The sale of tickets in the secondary market before or at the same time as
an original ticket release is a predatory practice that hurts the consumer. It
limits the number of consumers who are able to purchase tickets in the
primary market,165 and is indicative of the dubious means by which
153. Courty, supra note 30, at 87.
154. See Kirkman, supra note 23, at 741.
155. See id. at 750.
156. See Peggy McGlone, ‘Banned’ Ticket Sale Practice Persists: Jacked-up Prices for the
Boss’ Shows, STAR-LEDGER (Newark, N.J.), May 27, 2009, at 1 [hereinafter McGlone, Jacked-up
Prices for the Boss’ Shows]. Certain consumers are convinced that secondary brokers are either
promised tickets beforehand, purchase tickets from individuals who had access to an event
presale, or engage in other dubious conduct to acquire tickets. Id.
157. Randall Stross, Hannah Montana Tickets on Sale! Oops, They’re Gone, N.Y. TIMES, Dec.
16, 2007, at 34.
158. Id. Tickets that had a face value of between $21 and $66 were listed almost
instantaneously on Web sites like StubHub, for many times the face value. See id.
159. McGlone, Jacked-up Prices for the Boss’ Shows, supra note 156.
160. CheapTickets.com is a secondary market ticket reseller affiliated with Orbitz.com. About
Orbitz Worldwide, http://corp.orbitz.com/about (last visited Oct. 2, 2010). “Orbitz Worldwide is a
leading global online travel company that uses innovative technology to enable leisure and
business travelers to research, plan and book a broad range of travel products.” Id.
161. Select-A-Ticket is a New Jersey ticket broker that has been buying and selling tickets to
and from customers for over 30 years. About Select-A-Ticket, http://www.selectaticket.com/About-Us (last visited July 28, 2010).
162. McGlone, Jacked-up Prices for the Boss’ Shows, supra note 156.
163. Who Can Tame the Scalpers?, supra note 25.
164. Rosen, supra note 141.
165. See id.
secondary sellers obtain their tickets through illegal practices.166 Increased
regulation is necessary not only to prevent the secondary sale of tickets
before the primary ticket release and to prevent secondary sellers from
obtaining the tickets before the original sale, but also to maximize the
number of tickets in the primary market and thereby increase the chances
for regular consumers to obtain them.167
E. SALE OF “PHANTOM TICKETS”
Another practice plaguing the secondary market is the sale of tickets
that do not actually exist.168 In yet another Bruce Springsteen tour ticketing
gaffe, TicketsNow oversold the May 18, 2009 Washington D.C. show by
selling “phantom tickets”169 to several hundred consumers.170 This
practice has been called “plain fraud” by New Jersey Attorney General
Anne Milgram,171 and despite the efforts to rectify the problem for those
300 consumers who purchased the phantom tickets, regulation is required to
prevent similar occurrences in the future.172 Greater transparency is
necessary so that such frauds may be spotted more easily by consumers
who can then find legitimate sources for tickets.
III. PROPOSED REGULATION OF THE TICKETING INDUSTRY
In response to the predatory practices currently plaguing the primary
and secondary ticket markets, the federal government has taken the first
steps towards rectifying this largely unregulated industry. On June 2, 2009,
Representative Bill Pascrell, Jr. introduced a bill in the House of
Representatives—the Better Oversight of Secondary Sales and
Accountability in Concert Ticketing Act of 2009173—“to direct the Federal
Trade Commission [FTC] to prescribe rules to protect consumers from
unfair and deceptive acts and practices in connection with primary and
166. See, e.g., Kandel & Block, supra note 150, at 489–90 (discussing secondary ticket brokers
obtaining tickets through illegal payments to ticketing agents).
167. See McGlone, Jacked-up Prices for the Boss’ Shows, supra note 156; see also SPITZER
REPORT, supra note 36, at 56 (“Any amendment to the current law should control the supply of
tickets in the secondary or resale market.”).
168. See Hood, supra note 7.
169. Who Can Tame the Scalpers?, supra note 25. Phantom tickets refer to the sale of tickets
that do not exist, including sales for non-existent sections. See id.
170. Mark Mueller, Ticketmaster Takes Heat For Another Springsteen Snag: Pascrell Promises
a New Law After Finding Subsidiary Sold Nonexistent Tickets, STAR-LEDGER (Newark, N.J.),
May 14, 2009, at 13.
171. Peggy McGlone, AG Sues Resellers on Boss Tickets They Don't Have, STAR-LEDGER
(Newark, N.J.), May 28, 2009, at 1.
172. Hood, supra note 7.
173. The title of the bill is in reference to Bruce Springsteen, whose shows were at the center of
the ticketing controversy described throughout this note. McGlone, The BOSS ACT Rewrites,
supra note 29.
secondary ticket sales.”174 The bill is currently stalled in the House
Committee on Energy and Commerce, to which it has been referred.175
However, the BOSS ACT effectively combats many of the deceptive
practices in the industry and its immediate passage is necessary to protect
consumers. The Act is substantively divided into four sections: 1) Rules on
Transparency of Ticket Marketing, Distribution, and Pricing by Primary
Ticket Sellers; 2) Rules for Secondary Ticket Sellers; 3) Registration of
Secondary Ticket Sellers and Online Retail Marketplaces; and 4)
Enforcement.176 Each of these sections will be analyzed.
A. RULES ON TRANSPARENCY OF TICKET MARKETING,
DISTRIBUTION, AND PRICING BY PRIMARY TICKET SELLERS
With regard to the primary sale, distribution, and pricing of tickets, the
BOSS ACT instructs the FTC to promulgate rules that require the
disclosure of general information to the public before tickets go on sale.177
First, the Act requires that primary sellers disclose the total number of tickets
that a seller has available for public sale.178 Next, primary sellers must
disclose the “total number and the distribution method of all tickets” that
are not available for public sale.179 Additionally, the Act requires the
“distribution method and the date and time of the primary sale be printed on
each such ticket.”180 Furthermore, the Act calls for primary sellers to list, in
addition to the total cost, all of the ancillary charges associated with the
ticket in all advertising or ticket listings.181 Finally, the Act mandates that a
ticket refund include all ancillary charges.182
The BOSS ACT requires primary sellers to disclose the total number of
tickets they will have available for primary sale for each show or event.183
This provision combats the well-documented predatory practice of
withholding the number of tickets that are actually available for public
sale.184 While consumers attempting to obtain tickets to performances and
174. Better Oversight of Secondary Sales and Accountability in Concert Ticketing Act of 2009,
H.R. 2669, 111th Cong. (2009). The bill is co-sponsored by 17 other representatives. H.R. 2669
Cosponsors, LIBRARY OF CONGRESS, http://thomas.loc.gov/cgi-bin/bdquery/z?d111:HR02669:@@@P (last visited July 10, 2010).
175. H.R. 2669 CRS Summary, LIBRARY OF CONGRESS, http://thomas.loc.gov/cgi-bin/bdquery/z?d111:HR02669:@@@D&summ2=m& (last visited July 10, 2010).
176. H.R. 2669.
177. Id. § 2.
178. Id. § 2(1).
179. Id. § 2(2).
180. Id. § 2(3).
181. Id. § 2(4).
182. Id. § 2(5).
183. Id. § 2(1) (including “[a] requirement that a primary ticket seller disclose and display on
the Web site of such primary ticket seller the total number of tickets offered for sale by such
primary ticket seller not less than 7 days before the date on which tickets shall be available for
primary sale”).
184. See SPITZER REPORT, supra note 36, at 5.
events frequently understand that not every ticket is available for public
sale, they often do not know whether it is 500 tickets being withheld or
5,000.185 Accordingly, consumers are unable to develop appropriate
expectations with regard to their chances of acquiring tickets.186 By
mandating the release of this information to the public, the BOSS ACT will
help consumers to accurately assess their chances of getting tickets, thus
rectifying a deceptive practice and a major source of discontent among
consumers.
This legislation also requires primary ticket sellers to make known the
number of tickets and method of distribution for tickets they are responsible
for that are not available for general sale.187 The disclosure of this
information to the public will serve two main functions. First, in
conjunction with the disclosure of the number of tickets that are available
for public sale, consumers will be better equipped to have realistic
expectations with regard to their ability to obtain tickets.188 Second,
consumers who particularly desire tickets to a given show will be aware of
presale events available only to certain groups of people and may be
afforded the opportunity to join these groups in anticipation of the
presales.189 The ultimate effect will provide greater transparency so
members of the public who covet tickets can more effectively strategize and
navigate the market than they can under the current system.
The BOSS ACT will require that the “distribution method . . . and date
and time of the primary sale be printed on each [] ticket.”190 This will
combat several predatory practices. First, it will deter primary ticket sellers
from diverting tickets to their wholly owned subsidiaries, as the source of
the tickets will be more easily discernible.191 Second, it will diminish the
sale of tickets in the secondary market before the primary ticket sale
because it will make it more obvious when tickets were obtained through
illicit means.192 Finally, the existence of these identification marks on the
185. See McGlone, Ticketmaster Springsteen Concert, supra note 3.
186. SPITZER REPORT, supra note 36, at 5.
187. H.R. 2669 § 2(2). The bill has:
A requirement that a primary ticket seller make publicly available, not less than 7 days
before the day on which tickets shall be available for primary sale, the total number and
distribution method of all tickets not made available for sale to the general public, the
distribution of which is the responsibility of that primary ticket seller.
Id.
188. See Rosen, supra note 141.
189. See TicketLiquidator Glossary Page, supra note 65.
190. H.R. 2669 § 2(3).
191. See Hood, supra note 7 (requiring tickets to contain the distribution method and the date
and time will deter primary sellers like Ticketmaster because any improper transfer to secondary
sellers will be transparent to consumers when they receive their tickets).
192. Id.; see also McGlone, Jacked-up Prices for the Boss’ Shows, supra note 156 (discussing
how consumers purchasing a ticket in the secondary market prior to the printed date of the
tickets will ease the enforcement costs for the FTC, as, barring fraud, it will
be immediately apparent the route the tickets have taken through the
market. This information will better protect consumers and deter the
dubious business practices that currently run rampant throughout the
ticketing industry.
To ensure that consumers are aware of the full price of the tickets they
purchase, the BOSS ACT will also require that primary sellers list the final
face value of the ticket, including all ancillary charges, on both the ticket
itself and in any advertising or marketing.193 This provision serves to
protect consumers from being deceived with regard to the ticket price, as
many purchasers do not factor in or notice the ancillary charges—which can
reach up to 50%—that primary ticket sellers add on as convenience or
service fees.194 Additionally, this will allow secondary purchasers to
understand the true cost of the ticket and to accurately compare the prices
offered between the primary and secondary ticket sellers.195 The
requirement that the face value of the ticket, including ancillary charges, not
only be on the ticket, but in all advertising and listings as well, will ensure
that consumers are not “accidentally” charged more than they expect when
they complete their transactions.
The BOSS ACT will change the refund policy of many primary sellers
by requiring that they “include all ancillary charges in any refund of a
ticket” that is subject to a refund.196 Most refund policies currently offer to
refund the base ticket price plus some of the ancillary charges.197 However,
this regulation will broadly define ancillary charges to include charges
associated with a ticket “not included in the base price.”198 While it may be
argued that a delivery fee is a charge associated with the purchase of a
primary sale will be better equipped to expose any improper diversions by primary sellers to
secondary sellers).
193. H.R. 2669 § 2(4). The bill requires that:
[T]he primary ticket seller include, with any listing of the price of a ticket on the
primary ticket seller’s website or in any promotional material where the ticket price is
listed, all ancillary charges related to the purchase of a ticket, and include such charges
and the total cost to the consumer on each individual ticket.
Id.
194. Don Oldenburg, The Ticketmaster Fee-nomenon, WASH. POST, June 29, 2004, at C10.
195. See Kirkman, supra note 23, at 746 (announcing the difference between primary and
secondary prices will shine light on the common practice of “the secondary market dress[ing] up
as a genuine supply-and-demand-based free market, [and will expose] . . . that the market is
instead based on bribery”).
196. H.R. 2669 § 2(5).
197. See, e.g., Ticketmaster Purchase Policy, http://www.ticketmaster.com/h/purchase.html?tm_link=help_nav_4_purchase (last visited Oct. 23, 2010) (noting that Ticketmaster “will issue a
refund of the ticket's face value paid (or, if a discounted ticket, then instead the discounted ticket
price paid), all service fees and any convenience charge . . . .” but “[i]n no event will delivery
charges or any other amounts [including processing fee] be refunded”).
198. H.R. 2669 § 6(1).
ticket, delivery fees are explicitly exempted from many primary ticket seller
refund policies.199 The Act will require that primary ticket sellers change
their refund policies, affording consumers a refund of the full amount they
spend on tickets, rather than just the portion of the ticket price the primary
ticket seller is willing to return.
B. RULES FOR SECONDARY TICKET SELLERS
The BOSS ACT mandates that the FTC adopt regulations affecting the
secondary ticket market to protect consumers and eliminate the deceptive
practices that currently exist.200 When secondary ticket sellers do not have
possession of the ticket at the time of the sale, the Act requires such sellers
to clearly state they do not currently possess the ticket, and outline the
procedure for a refund if the ticket received does not match what was
advertised.201 Next, the Act prohibits the purchase of tickets by secondary
ticket sellers in the primary market during the first forty-eight hours of the
sale.202 The legislation also requires secondary ticket sellers to disclose “the
distribution method and face value of each ticket,” the seat location, the
date and time of purchase if acquired through primary sale, and “the
number or identifier assigned to them.”203 Furthermore, the BOSS ACT
requires that online resale marketplaces clearly post on their Web sites a
disclaimer that they are secondary ticket sellers and users must confirm
seeing the disclaimer.204 The Act also prohibits employees of any entity
involved with the sale of primary tickets from reselling tickets for more than
face value, or from reselling them to any person whom the employees know or
should reasonably know intends to sell the ticket for more than face
value.205 Finally, online resale marketplaces are required to disclose when
the seller is the “primary ticket seller, venue, or artist associated with the
event to which the ticket relates.”206
The BOSS ACT requires full disclosure of secondary ticket sellers
when they do not possess a ticket at the time of the ticket resale and the
procedures by which purchasers may obtain a refund if the tickets they
receive do not match what was advertised.207 Initially, such disclosure will
199. See, e.g., Ticketmaster Purchase Policy, supra note 197.
200. See H.R. 2669 § 3.
201. Id. § 3(1).
202. Id. § 3(2).
203. Id. § 3(3).
204. Id. § 3(4).
205. Id. § 3(5).
206. Id. § 3(6).
207. Id. § 3(1). The bill states the following:
A requirement that if the secondary ticket seller does not possess the ticket at the time
of the sale that such secondary ticket seller provide—
(A) a clear statement that the secondary ticket seller does not possess the
ticket; and
make consumers more aware of the potential risks associated with
transacting business with a particular secondary ticket seller.208 This allows
consumers to weigh the risks and gives them the information they need to
decide to purchase their tickets from a party who actually has them in hand.
Additionally, the overall risk of dealing with these secondary ticket sellers
will be reduced because, in the event there is a ticket discrepancy, the
refund policy will have been disclosed. Thus, the disclosure of this
information to the public will help to give fans a better chance of obtaining
tickets to their favorite performances and events by increasing their
knowledge of the ticket resale situation and lessen the risks associated with
dealing with secondary ticket sellers.209
The Act will prohibit a secondary ticket seller from purchasing tickets
in the primary ticket market within forty-eight hours of the primary ticket
sale.210 This provision will both limit the initial stock of tickets that brokers
have available for resale and maximize the number of tickets that are
available for primary sale to eager fans. It will limit the use of automated
and computerized programs that secondary ticket sellers employ to beat the
security mechanisms in place on ticket Web sites that are designed to
prevent the sale of large blocks of tickets at once.211 Furthermore, the
prohibition will lessen the bait-and-switch practice employed throughout
the industry during the first forty-eight hours of a primary sale—at least
with respect to in-hand ticket transactions—as secondary ticket sellers will
be unable to instantaneously offer tickets to sold-out events and
performances.212 Accordingly, the ultimate goal of this legislation will be
(B) an explanation of procedures to be followed by the purchaser to obtain a
refund from the secondary ticket seller if the ticket the purchaser ultimately
receives does not match the description of the ticket by the secondary ticket
seller.
Id.
208. See Hood, supra note 7 (discussing the future prevention of predatory practices that were
orchestrated by Ticketmaster during the Bruce Springsteen primary ticket offering). Some of the
warnings may include a disclaimer that the tickets received may be different than what is
advertised or what they purchased, the seller may be unable to deliver on the sale if the seller’s
ticket source does not come through, or these tickets might not exist at all. See id. For example,
this could have possibly prevented TicketsNow’s practice of overselling the Bruce Springsteen
show when they sold tickets that did not exist to over 300 consumers. See id.
209. Press Release, Rep. Pascrell, Jr., Pascrell Unveils “BOSS ACT” to Make Ticket Sales
Transparent; Reel in Secondary Ticket Market (June 1, 2009), http://www.house.gov/apps/list/press/nj08_pascrell/pr612009.shtml [hereinafter Pascrell BOSS ACT Press Release].
210. H.R. 2669 § 3(2). An exception exists making this provision inapplicable with respect to
the sale of “season tickets or bundled series tickets.” Id.
211. See Kirkman, supra note 23, at 753–57. The practice of ticket brokers purchasing large
ticket volumes during primary offerings was the issue at the heart of the lawsuit between
Ticketmaster and RMG Technologies in 2007. Ticketmaster, L.L.C. v. RMG Technologies, Inc.,
507 F. Supp. 2d 1096 (C.D. Cal. 2007).
212. See Hood, supra note 7.
achieved by giving the regular fan a better opportunity to purchase
reasonably priced tickets in the primary market.213
The BOSS ACT imposes a series of additional disclosure requirements
on secondary ticket sellers. First, they must disclose “the distribution
method and face value of each ticket.”214 This combats predatory bait-and-switch
practices by ensuring that purchasers are aware of the primary sale
face value of the ticket, and are thus informed about the markup they are
paying for tickets in the secondary market.215 Secondary ticket sellers must
also make known the seat locations of the tickets they offer for sale.216 This
disclosure will enable purchasers to accurately assess the worth of the
tickets, and prevent advertisers from deceptively drawing in consumers
with claims of “premium” tickets that are actually located in the least
desirable sections.217 Additionally, if secondary sellers acquired their tickets
through primary sales, the date and time of the purchases must be
disclosed.218 This should help combat the illegal practices by which
secondary sellers acquire their tickets as most tickets are released through
public sale, and there are only limited legal means by which to get tickets
through presale events.219 Thus, the failure of a secondary ticket seller to list
the date and time of purchase could be a sign that illegal conduct is
occurring. Finally, the Act requires that secondary ticket sellers disclose the
“number or identifier assigned to them” as part of a system of mandated
federal registration.220 Collectively, these disclosures will increase the
available information to the public about ticket resale and about the
secondary ticket sellers themselves, and provide some protection to
consumers from deceptive market practices.
The BOSS ACT requires that online resale marketplaces post a “clear
and conspicuous notice” on their Web sites that they are secondary ticket
sellers and requires that the “user confirm having read such notice before
starting any transaction.”221 This provision was drafted to ensure that
213. See Pascrell BOSS ACT Press Release, supra note 209.
214. H.R. 2669 § 3(3)(A).
215. See, e.g., Young, supra note 106 (purchaser who bought Britney Spears tickets did not
know the face value of the ticket they purchased for $150 was only $30 until the tickets arrived in
the mail). See also discussion supra Part II.A.
216. H.R. 2669 § 3(3)(B). The bill requires disclosure of the following:
the precise location of the seat or space to which the ticket would entitle the bearer, or, .
. . descriptive information about the location of the seat or space, such as a description
of a section or other area within the venue where the seat or space is located . . . .
Id.
217. See Help—Contact Us—Why Aren’t Seat Numbers Provided?, STUBHUB!,
http://www.stubhub.com/help/?searchKeyword=top-questions-buyer (last visited Oct. 2, 2010)
(describing the current policy of StubHub with regards to disclosing seat information).
218. H.R. 2669 § 3(3)(C).
219. SPITZER REPORT, supra note 36, at 47.
220. H.R. 2669 § 3(3)(D). See also discussion infra Part III.C.
221. H.R. 2669 § 3(4).
consumers are aware of when they are exploring the secondary marketplace
for tickets.222 It is designed to combat the bait-and-switch practices that led
to the outcry for regulation of the ticketing industry in February 2009.223
The regulation will make it more difficult to trick consumers into
purchasing tickets in the secondary market when under a false belief that
they are buying from a primary seller.
The Act also endeavors to combat the illegal procedures by which
secondary ticket sellers acquire their inventory of tickets. Specifically, it
prohibits any employee of a group that is involved with the event from reselling a
ticket for more than face value or from reselling to any other party who will sell
the ticket for more than face value.224 This provision serves to eliminate
illegal payments in two ways. First, it makes it unlawful for someone to
make a payment of “ice”225 or any money above the face value of a ticket to
a person involved in the event or performance in some way.226 Second, it
prohibits the sale of tickets to a person who intends to sell the tickets for a
profit in the secondary market. This will effectively eliminate the principal
source of tickets for secondary ticket sellers.227 Accordingly, by making this
conduct illegal, the BOSS ACT will ensure that tickets are sold in the
primary market rather than illegally diverted into the secondary market.
The BOSS ACT also requires that online resale marketplaces disclose
those instances when the “secondary ticket seller of a ticket is the primary
ticket seller, venue, or artist associated with the event to which the ticket
relates.”228 This provision uses disclosure requirements to inform
consumers when the insiders of a given performance or event are diverting
tickets away from the primary market and into the secondary market to
collect higher profits.229 In doing so, the Act both discourages this practice
222. See Hood, supra note 7 (unlike during the Springsteen primary ticket offering, where
consumers had no idea they were transferred to a secondary seller).
223. See id.
224. H.R. 2669 § 3(5). The bill states the following:
[a] prohibition on the resale of a ticket by an individual employee of any venue,
primary ticket seller, artist, online resale marketplace, or box office that is involved in
hosting, promoting, performing in, or selling tickets if such resale—
(A) is for a higher price than face value of the ticket; or
(B) is made to any third party and the employee has actual knowledge, or
knowledge fairly implied on the basis of objective circumstances, that the
third party intends to sell the ticket for a higher price than face value of the
ticket.
Id.
225. See discussion supra Part II.C.
226. See Simon, supra note 66, at 1180.
227. See id. (since primary ticket sellers will no longer be provided with a bribe, they will no
longer be willing to favor secondary ticket brokers in selling their allotments).
228. H.R. 2669 § 3(6).
229. See Smith, supra note 24; see also discussion supra Part II.B.
by artists and management,230 and gives consumers the choice whether to
reward such behavior by purchasing those tickets. This provision, like the
others, is intended to maximize the number of tickets available for public
sale in the primary market to provide regular fans with a fair chance to
attend their desired performances and events.231
C. REGISTRATION OF SECONDARY TICKET SELLERS AND ONLINE
RETAIL MARKETPLACES
In an effort to provide better oversight of the secondary ticketing
market, the BOSS ACT would require the FTC to implement registration
requirements for all secondary ticket sellers and online resale
marketplaces.232 First, this legislation calls for every secondary ticket seller
and online resale marketplace to register with the FTC.233 The registration
must include a “viable street address, telephone number, and email address .
. . ,” and this information must be verified annually.234 Additionally, the
FTC will assign a unique “identification number or other identifier” to each
registered secondary ticket seller or online resale marketplace; this
information must be disclosed upon offering any tickets for sale.235
Collectively, these requirements will provide greater oversight of the
secondary market.
Without this legislation, the secondary ticket market will continue to
function as a largely unregulated industry. Ticket brokers have attempted
self-regulation in an effort to appear as reputable businesses236 rather than
unscrupulous ticket hoarders—an image currently shared by many.237 In
1994, the National Association of Ticket Brokers (NATB) was formed as a
voluntary trade organization for ticket brokers.238 Although the NATB
includes a code of ethics and uniform complaint procedures by which every
member must abide,239 voluntary membership prevents the organization
from binding the actions of all secondary market sellers on the national
230. See Smith, supra note 24.
231. See Pascrell BOSS ACT Press Release, supra note 209.
232. H.R. 2669 § 4.
233. Id. § 4(a)(1).
234. Id. § 4(a)(2)–(3).
235. Id. § 4(b).
236. See National Association of Ticket Brokers, http://www.natb.org/ (last visited Oct. 2,
2010).
237. See generally Daniel McGinn, The Biggest Game in Town: A Single Seat for $35,000?
How Does This Happen, and Does It Hurt the Fan? Inside the High-stakes, High-stress World of
Ticket Brokers, BOS. GLOBE SUNDAY MAG., Sept. 21, 2008, at 22.
238. National Association of Ticket Brokers, supra note 236. The NATB’s stated mission is “to
establish an industry-wide standard of conduct and to create ethical rules and procedures to protect
the public and foster a positive perception of the industry.” Id.
239. Id.
2010]
Who's the Boss?
211
scale.240 Thus, the BOSS ACT is necessary to require uniform oversight
over all secondary market sellers, not just those choosing to abide by
established trade association rules.
The mandatory registration requirement will allow the FTC to track
secondary ticket sellers and ensure that they operate in accordance with
FTC guidelines.241 As it will be unlawful for secondary ticket sellers to
operate without registering with the FTC, the BOSS ACT will enable
consumers to assess the reputability of their operations.242 By maintaining
contact information for secondary ticket sellers on file, the FTC will be
better able to locate and enforce regulations, rather than wasting resources
searching for entities that exist solely on the Internet without a fixed
location.243 Additionally, the existence of “centralized registration” will
help ensure that secondary ticket sellers can be identified for the payment of
appropriate taxes.244 Furthermore, requiring secondary ticket sellers to post
their identification number when engaging in the resale of tickets will
provide consumers a viable avenue of recourse against those who do not
transact business according to federal regulations; it will enable consumers
to file complaints with the FTC or obtain the seller’s contact information
from the FTC in order to seek private legal remedies.245 The BOSS ACT
will build upon the mission of the NATB, elevating its optional standards to
industry-wide requirements by which all secondary ticket sellers and online
resale marketplaces must abide.
D. ENFORCEMENT
The BOSS ACT contains a strong enforcement clause that gives some
teeth to the substantive regulations and oversight encompassed in the
legislation. The enforcement provision states that a violation will be treated
as an unfair or deceptive act and that the FTC will enforce the Act.246 In
240. Membership in the NATB is not required for ticket brokers. See id. (listing no mandatory
requirement that a secondary market ticket seller be a member of NATB).
241. See Better Oversight of Secondary Sales and Accountability in Concert Ticketing Act of
2009, H.R. 2669, 111th Cong. § 4(a) (2009).
242. By requiring that secondary ticket sellers disclose their unique registration number
assigned by the FTC when offering tickets for sale, the absence of such a registration number will
signal to consumers that something is not right with this secondary seller. See id. § 3(3)(D).
243. See id. § 4(a)(2).
244. Daniel J. Glantz, Note, For-Bid Scalping Online?: Anti-Scalping Legislation in an Internet
Society, 23 CARDOZO ARTS & ENT. L.J. 261, 299–300 (2005).
245. See id. at 301 (describing centralized identification as the “necessary reporting and security
mechanism . . . in place for the collection of taxes [and] private enforcement”).
212
BROOK. J. CORP. FIN. & COM. L.
[Vol. 5
addition, the Act provides State Attorneys General the power to bring civil
actions on behalf of the residents of that State for violations of the rules.247
Furthermore, the FTC, upon receiving appropriate notice of a civil action
brought by a State on matters related to the BOSS ACT, may intervene and
“be heard on all matters arising in such civil action.”248 Additionally, should
the FTC file a civil or administrative action, a State may not pursue a civil
suit until the completion of the FTC’s action.249 Finally, a State may
“recover reasonable costs and attorney fees from the lender or related party”
if it prevails in a civil action.250
An established enforcement mechanism will provide this federal
legislation with the muscle to regulate the ticketing industry effectively.
The problem facing voluntary associations and other forms of self-regulation,
such as the NATB, is that there is little effective enforcement beyond
removal from the group.251 Such voluntary self-regulation is often an
insufficient deterrent to predatory practices affecting an industry.252 The
BOSS ACT, conversely, provides strong means to enforce its provisions. It
allows for enforcement by both the FTC, under its general enforcement
powers, and the respective State Attorneys General, who are charged with
protecting the residents of their states.253 The opportunity for these groups
to seek both injunctive and monetary relief—in addition to individual
consumers’ ability to pursue independent legal action254—will effectively
enforce the BOSS ACT and ensure appropriate compliance throughout the
ticketing industry.
246. H.R. 2669 § 5(a). The bill states the following:
A violation of a rule prescribed pursuant to section 2 or 3 or a violation of section
4(a)(1) shall be treated as a violation of a rule defining an unfair or deceptive act or
practice prescribed under section 18(a)(1)(B) of the Federal Trade Commission Act (15
U.S.C. 57a(a)(1)(B)). The Federal Trade Commission shall enforce this Act in the same
manner, by the same means, and with the same jurisdiction as though all applicable
terms and provisions of the Federal Trade Commission Act were incorporated into and
made a part of this Act.
Id.
247. Id. § 5(b)(1).
248. Id. § 5(b)(3).
249. Id. § 5(b)(6).
250. Id. § 5(b)(7).
251. National Association of Ticket Brokers Code of Ethics, http://www.natb.org/consumer/
index.cfm?pg=code.cfm (last visited Oct. 2, 2010).
252. Since the NATB is a voluntary organization, and many consumers are probably unaware of
its existence to begin with, membership in the organization may be of little concern to many potential members, especially those engaging in predatory practices. See Neil Gunningham & Joseph
Rees, Industry Self-Regulation: An Institutional Perspective, 19 LAW & POL. 363, 366–70 (1997)
(describing self-regulation as “a cynical attempt by self-interested parties to give the appearance
of regulation (thereby warding off more direct and effective government intervention) while serving private interests at the expense of the public.”).
253. H.R. 2669 §§ 5(a), 5(b).
254. Although individuals can pursue remedies under standard state fraud theories, there is no
private cause of action for violations of the FTC Act. E.g., R.T. Vanderbilt Co. v. Occ. Saf. & H.
Rev. Com'n, 708 F.2d 570, 574–75 n. 5 (11th Cir. 1983); Fulton v. Hecht, 580 F.2d 1243, 1248–
49 n. 2 (5th Cir. 1978); Alfred Dunhill Ltd. v. Interstate Cigar Co., Inc., 499 F.2d 232 (2d Cir.
1974); Holloway v. Bristol-Myers Corp., 485 F.2d 986, 1002 (D.C. Cir. 1973); Carlson v. Coca-Cola Co., 483 F.2d 279 (9th Cir. 1973). Additionally, at least one circuit has said a state common
law fraud claim is not supportable by a knowing violation of the FTC Act. Morrison v. Back Yard
Burgers, Inc., 91 F.3d 1184 (8th Cir. 1996).
IV. RECOMMENDATION OF RULES FOR THE FTC TO
PROMULGATE IN ACCORDANCE WITH THE BOSS ACT
The BOSS ACT requires that the FTC promulgate rules in accordance
with the provisions that appear throughout the Act.255 However, it does not
limit the FTC to only adopting rules in accordance with those provisions.
Rather, the FTC is free to adopt, as part of its rulemaking authority, more
exhaustive rules or even include rules that have not been explicitly
contemplated by the BOSS ACT.256 While the Act seeks to remedy many of
the problems that exist throughout the ticketing industry, some additional
regulations should be established to further protect consumers and to better
regulate the industry.
The FTC should adopt a rule that protects primary ticket seller Web
sites from automated purchasing software and the programmers who deploy
it.257 Although the forty-eight-hour prohibition on the purchase of tickets in
the primary market by ticket brokers may reduce the incentive to obtain
tickets in this manner,258 the FTC should prohibit the conduct explicitly and
at all times. Computer programs or other automated devices that are
designed to circumvent the copy protection systems of ticketing Web sites
and to access many tickets at once—a practice the courts have held
constitutes copyright infringement and that the industry considers illicit—
will be more directly regulated through such a rule.259 Furthermore, the
explicit prohibition of this practice will provide regulators with more
avenues by which to pursue violators and will likely make more tickets
available to the general public through initial public sales.
The FTC should also require that online resale marketplaces maintain
records of user activity for at least two years.260 This rule can be modeled
after New Jersey Statute 56:8:27(d) that requires licensed brokers to
“maintain[] records of ticket sales, deposits and refunds for a period of not
less than two years.”261 Such a rule will ensure that if consumer problems
arise there will be ample records to appropriately resolve the matter.
Additionally, the FTC could utilize the records during investigations, most
likely through subpoenas, into alleged illegal sales that may be occurring
throughout the online resale marketplaces from secondary ticket sellers who
255. See generally H.R. 2669.
256. Under Section 18 of the Federal Trade Commission Act, 15 U.S.C. § 57a (2006), the FTC
is authorized to prescribe “rules which define with specificity acts or practices which are unfair or
deceptive acts or practices in or affecting commerce.” 15 U.S.C. § 57a(a)(1)(B).
257. See Kirkman, supra note 23, at 761–63.
258. See H.R. 2669 § 3(2).
259. Press Release, Ticketmaster, Default Judgment and Permanent Injunction Against RMG
Technologies, Inc. Entered in U.S. District Court (June 25, 2008), http://iac.mediaroom.com/
index.php?s=43&item=1542.
260. See Glantz, supra note 244, at 301.
261. Id. (citing N.J. STAT. ANN. § 56:8:27(d) (2005)).
are not complying with the FTC regulations.262 This recording requirement
would further serve to protect consumers in the secondary ticket market and
facilitate complete compliance with the regulations that govern the ticketing
industry.
CONCLUSION
Recently, it has become clear that the continued operation of the
primary and secondary ticketing markets as a largely unregulated industry
is adversely affecting consumers. Because regular fans deserve the
maximum opportunity to purchase tickets to events at face value in the
primary market or through controlled means in the secondary market,
federal legislation is necessary to protect consumers and prevent predatory
practices from continuing to occur. The BOSS ACT, currently pending in
Congress, is precisely the type of legislation that is necessary to combat the
problems that exist throughout the industry to ensure that consumers
receive the protection they deserve. The Act will effectively maximize the
number of tickets for public sale to consumers in the primary market, equip
consumers with more information about the numbers of tickets available
and from whom they are purchasing tickets, and establish uniform
procedures for the secondary market. The BOSS ACT will make the
ticketing industry a more reliable and honest practice and will afford regular
fans a fair chance to attend their favorite events.
Zachary H. Klein
262. See H.R. 2669 § 4(a).
* B.A., New York University, 2008; J.D. candidate, Brooklyn Law School, 2011. I would
like to thank my parents and family for all of their love and support, and for the story that led to
selecting this topic. I am also grateful for the work of Steven Bentsianov, Robert Marko,
Christopher Vidiksis, and the entire staff of the Brooklyn Journal of Corporate, Financial &
Commercial Law for their hard work and editing. Finally, to Hila, thank you for your
encouragement, patience, and support.
PROTECTING THE UNDERSERVED:
EXTENDING THE ELECTRONIC FUND
TRANSFER ACT AND REGULATION E TO
PREPAID DEBIT CARDS
INTRODUCTION
Millions of low- and moderate-income Americans—the
“underserved”—have no traditional bank accounts or financial services.1
The underserved, comprised of the “unbanked”—individuals and families
without checking or savings accounts2—and the “underbanked”—those that
utilize non-traditional banking3—rely heavily on alternative financial
service providers, such as check cashing services, payday lenders, and
money transmitters,4 for most of their financial needs. These individuals
and families pay high premiums for performing “basic” financial
transactions in the alternative sector.5
In recent years, the prepaid debit card6 has emerged as a new payment
application marketed to underserved consumers who lack access to
traditional banking institutions.7 Conveniently, prepaid debit cards can be
purchased at retail locations, and money can be instantaneously loaded onto
the card, giving underserved consumers an account substitute that allows
1. Michael S. Barr, Banking the Poor, 21 YALE J. ON REG. 121, 123 (2004) (citing studies
that approximate that 8.4 million “low-income families” lacked a bank account as early as 1998).
2. FEDERAL DEPOSIT INSURANCE CORP., NATIONAL SURVEY OF UNBANKED AND
UNDERBANKED HOUSEHOLDS 16 (2009), available at http://www.fdic.gov/householdsurvey/Full
_Report.pdf [hereinafter FDIC HOUSEHOLD SURVEY].
3. Id. at 32.
4. See JULIA S. CHENEY, FEDERAL RESERVE BANK OF PHILADELPHIA PAYMENT CARDS
CENTER, CONFERENCE SUMMARY: PAYMENTS CARDS AND THE UNBANKED: PROSPECTS AND
CHALLENGE 8 (2005), available at http://www.phil.frb.org/payment-cards-center/events/
conferences/2005/PaymentCardsandtheUnbankedSummary.pdf [hereinafter CHENEY, PAYMENT
CARDS AND THE UNBANKED].
[T]he underserved often rely on check cashing outlets to effect certain types of
transactions. In addition to cashing checks, for which they may charge from 1.5 percent
to 3.5 percent of face value, these services also give underserved customers a way to
transmit funds and pay bills. . . .
To access a form of credit and to manage liquidity needs, the underserved often rely
on payday lenders and may take out refund anticipation loans (RAL) at tax time.
Id. (summarizing “Keynote Address” by Michael S. Barr).
5. See Barr, supra note 1, at 123–24 (describing the reality that most alternative banking
services “come at a high cost to low-and-moderate income borrowers”).
6. Various names have been attributed to the prepaid debit card. For clarity and uniformity,
the term “prepaid debit card” will be adopted for use in this note, except as otherwise discussed or
quoted.
7. Rob Walker, Social Currency: Prepaid Cards That Cash In on the Status of Plastic, N.Y.
TIMES MAG., Nov. 9, 2008, at 26.
them to make purchases, pay bills, and withdraw cash from ATMs.8 The
appeal and convenience of prepaid debit cards is clear, but users must
weigh these benefits against the risks and problems incurred with their use.9
In particular, prepaid debit card users are susceptible to complicated fee
structures and security issues.10 As the popularity of prepaid debit cards
increases among the underserved, particularly in this economic climate,11 it
is important that cardholders are protected by the security of federal law.
In light of the increasing use of prepaid debit cards as an account
substitute for the underserved,12 this note calls for the extension of current
federal laws, including the Electronic Fund Transfer Act (EFTA)13 and its
regulatory companion, Regulation E,14 to this prepaid payment method. Part
I of this note describes the underserved market and the obstacles to
obtaining conventional banking products. Part II details the rise of the
prepaid card industry and the numerous prepaid products currently available
to consumers, including, among others, the prepaid debit cards, gift cards,
payroll cards, and electronic benefit transfer (EBT) devices. The advantages
of the prepaid debit card as an alternative to traditional financial services
and as a vehicle for financially empowering the underserved, as well as the
common risks incurred through use of these cards are explored in Part III.
Part IV untangles the web of federal laws that currently apply to payment
methods, including debit and several prepaid products. Finally, this note
proposes the extension of Regulation E and the EFTA to the prepaid debit
card industry to protect the financial well-being of underserved consumers
who place their trust and personal finances in this payment product.
I. THE UNDERSERVED
A. WHO ARE THE UNDERSERVED?
Although “economic self-sufficiency” demands “[a]ccess to a bank
account and [traditional] financial services,”15 millions of Americans lack
8. Stored Value Cards: An Alternative for the Unbanked?, FED. RESERVE BANK OF N.Y.
(July 2004), http://www.ny.frb.org/regional/stored_value_cards.html [hereinafter FED. RES. BANK
OF N.Y., Stored Value Cards].
9. Id.
10. See id.
11. See Walker, supra note 7.
12. See James Flanigan, As Credit Cards Falter, the Cash Variety Gains Popularity, N.Y.
TIMES, Mar. 19, 2009, at B9 (describing the rise in popularity of “the business of prepaid cash
cards”).
13. Electronic Fund Transfer Act of 1978, Pub. L. No. 95-630, 92 Stat. 3728 (1978) (codified
as amended at 15 U.S.C.).
14. Electronic Fund Transfers (Regulation E), 12 C.F.R. §§ 205.1–205.18 (2009).
15. FEDERAL DEPOSIT INSURANCE CORP., FDIC SURVEY OF BANKS’ EFFORTS TO SERVE THE
UNBANKED AND UNDERBANKED: EXECUTIVE SUMMARY OF FINDINGS AND RECOMMENDATIONS
3 (2009), available at http://www.fdic.gov/unbankedsurveys/unbankedstudy/FDICBankSurvey
_ExecSummary.pdf [hereinafter FDIC BANK SURVEY].
access to checking or savings accounts or do not fully participate in the
financial system.16 Few statistics accurately represent the number of
unbanked and underbanked families in the United States; however, one
recent study estimates that more than seven percent—or approximately nine
million—of U.S. households are unbanked,17 and at least 21 million
households are underbanked.18
“[R]easons [that] the underserved do not or cannot use traditional
banking [methods]” can generally be categorized as “demand-based” and
“supply-based.”19 Demand-based factors encompass the “preferences and
needs” of the underserved.20 There are several reasons the unbanked may
believe they are ill-suited for conventional banking.21 Regular checking
accounts may not be sensible for those that cannot afford “high overdraft . .
. [and] maintenance fees, prohibitive minimum balances . . . . [or] delays
associated with having deposited checks credited.”22 Despite increased
flexibility offered by banks, documentation requirements pose barriers to
account ownership for the working poor and immigrants.23 Physical
inaccessibility also poses an obstacle to account ownership, as banking
institutions are not as readily accessible in lower-income communities as
more affluent ones.24 The unbanked may also be barred from establishing
bank accounts due to unfavorable credit histories or prior failures in
managing bank accounts.25 Finally, a “lack of financial education” also
affects the demand for conventional banking among the unbanked.26
Conversely, supply-based factors, such as “cost or marketing
considerations,” have affected the way financial institutions engage the
16. Id.; see also CHENEY, PAYMENT CARDS AND THE UNBANKED, supra note 4, at 6; Walker,
supra note 7.
17. FDIC HOUSEHOLD SURVEY, supra note 2, at 10.
18. Id. at 10.
19. CHENEY, PAYMENT CARDS AND THE UNBANKED, supra note 4, at 7.
20. Id.
21. See Barr, supra note 1, at 124–25, 177–84 (listing a laundry list of factors that hinder the
underserved from obtaining bank accounts); see also CHENEY, PAYMENT CARDS AND THE
UNBANKED, supra note 4, at 7–8 (describing the difference between demand-based and supply-based barriers to banking access for the underserved).
22. CHENEY, PAYMENT CARDS AND THE UNBANKED, supra note 4, at 7; see also Barr, supra
note 1, at 177–81 (identifying “high minimum balances, monthly fees and the risk of bouncing
checks” as major reasons why banking accounts make little “economic sense” for low-income
families).
23. Barr, supra note 1, at 184. Fears that poorly documented immigrants would be unable to
access banking systems have led to various accommodations. Id. “[M]atricula consular cards are
widely accepted as a suitable form of identification for opening noninterest-bearing . . . checking
account[s]”; however, an “IRS-issued . . . taxpayer ID number or Social Security number is
required to open an interest-bearing account.” CHENEY, PAYMENT CARDS AND THE UNBANKED,
supra note 4, at 7 (citations omitted).
24. Barr, supra note 1, at 182–83; CHENEY, PAYMENT CARDS AND THE UNBANKED, supra
note 4, at 7.
25. Barr, supra note 1, at 181.
26. Id. at 183–84.
unbanked market.27 Because banking the poor is unlikely to produce high
returns,28 financial institutions may be reluctant—despite improvements in
technology that make it more affordable to offer “meaningful banking
products” to the poor29—to make the initial investments, such as “product
development, . . . marketing and [financial] education,” required to enter the
market.30 As a result of these circumstances, an overwhelming number of
Americans have turned to the alternative financial sector and prepaid
products as substitutes for account ownership.31
II. THE PROLIFERATION OF THE PREPAID CARD INDUSTRY
A. WHAT IS A PREPAID CARD?
A prepaid card is a “credit-card sized” product that represents an
amount of “pre-loaded value.”32 Prepaid cards differ from credit cards
“which draw their value from a line of credit, [and] debit cards, which draw
their value from a [personal] checking account, [because] the value on a
prepaid card” is derived from funds that have been pre-loaded.33
Transactions involving prepaid cards require accessing a remote database
for account information and payment authorization.34 Prepaid cards employ
“magnetic stripe” technology and have a card number associated with an
27. CHENEY, PAYMENT CARDS AND THE UNBANKED, supra note 4, at 7.
28. Michael S. Barr, Banking the Poor: Policies to Bring Low-Income Americans Into the
Financial Mainstream 4 (Univ. of Michigan Law Sch. Law & Economics Working Paper Series,
Paper No. 48, 2004), available at http://law.bepress.com/cgi/viewcontent.cgi?article=1048&
context=umichlwps.
29. See CHENEY, PAYMENT CARDS AND THE UNBANKED, supra note 4, at 7–8.
30. Barr, supra note 1, at 183.
31. See Walker, supra note 7; see also Barr, supra note 1, at 177.
32. Mark Furletti, Prepaid Card Markets & Regulation 2 (Fed. Reserve Bank of Phila.
Payment Card Center, Discussion Paper No. DP04-01, 2004), available at
http://www.phil.frb.org/payment-cards-center/publications/discussion-papers/2004/Prepaid_0220
04.pdf [hereinafter Furletti, Prepaid Card Markets]; Mark Furletti & Stephen Smith, The Law,
Regulations, and Industry Practices That Protect Consumers Who Use Electronic Payment
Systems: ACH E-Checks & Prepaid Cards 13 (Fed. Reserve Bank of Phila. Payment Cards
Center, Discussion Paper No. DR05-04, 2005), available at http://www.phil.frb.org/payment-cards-center/publications/discussion-papers/2005/ConsumerProtection.pdf.
Although most sources use the terms “prepaid cards” and “stored-value cards,”
interchangeably, the Federal Reserve Board has distinguished these terms. A Summary of the
Roundtable Discussion on Stored-Value Cards and Other Prepaid Products, FED. RESERVE
BOARD OF PHILA., http://federalreserve.gov/paymentsystems/storedvalue/#fn3r (last visited Oct.
24, 2009) [hereinafter Summary of Roundtable Discussion]. The Board associates the term
“stored-value” with “products for which prefunded value is recorded on the payment instrument.”
Id. These cards typically have an embedded microchip that stores information about the card’s
value on the card. Furletti, Prepaid Card Markets, supra at 2 n. 2. The Board associates the term
“prepaid” with “products for which the prefunded value is recorded on a remote database, which
must be accessed for payment authorization.” Summary of Roundtable Discussion, supra. The
term stored-value card will not be used in this note.
33. Furletti, Prepaid Card Markets, supra note 32, at 2.
34. Summary of Roundtable Discussion, supra note 32.
account maintained by the issuing financial institution.35 The card,
therefore, functions as an access device to the consumer’s funds.36
“[P]repaid describes most of the products on the market today.”37
The prepaid card industry provides an array of products.38 Prepaid
cards, however, can generally be divided into two categories: closed-loop
and open-loop cards.39 Closed-loop cards, such as prepaid gift, phone, or
transit cards, can be used only for the particular merchant’s or issuer’s
products.40 Open-loop cards, on the other hand, can be used for multiple
purposes and at multiple points of sale.41 These cards can be used for
making purchases, paying bills, or making ATM withdrawals, and some,
including prepaid debit cards, have the ability to be reloaded.42 Open-loop
cards include payroll, government benefit, and prepaid debit cards.43
B. HISTORY OF THE PREPAID CARD INDUSTRY
Compared with traditional payment methods, “the prepaid card industry
is still in [its] early stages of development.”44 Historically, prepaid cards
emerged as a replacement for “paper-based” and related payment devices,
such as gift certificate and transit tokens.45 Closed-loop prepaid products
were first introduced by transit systems and college campuses in the
35. See Furletti, Prepaid Card Markets, supra note 32, at 2 n. 2.
36. Id. at 2.
37. See Summary of Roundtable Discussion, supra note 32.
38. While prepaid cards are often referred to, interchangeably, as stored-value cards, these
terms can be distinguished. See Summary of Roundtable Discussion, supra note 32 (distinguishing
between the two terms by indicating that, unlike stored-value cards, the value of prepaid cards
is recorded “on a remote database”). “Stored value cards are a form of prepaid card . . . .”
NATIONAL COMMUNITY INVESTMENT FUND, DEMYSTIFYING PREPAID CARDS: AN OPPORTUNITY
FOR THE COMMUNITY DEVELOPMENT BANKING INSTITUTION SECTOR 1 (2009), available at
http://www.ncif.org/images/uploads/20090921_NCIF_DemystifyingPrePaidCards.pdf [hereinafter
DEMYSTIFYING PREPAID CARDS].
39. See, e.g., FED. RES. BANK OF N.Y., Stored Value Cards, supra note 8; Furletti, Prepaid
Card Markets, supra note 32, at 2 (grouping prepaid card systems into “closed, semi-closed, semi-open, and open” categories); Julia S. Cheney & Sherrie L.W. Rhine, Prepaid Cards: An Important
Innovation in Financial Services 2 (Fed. Reserve Bank of Phila. Payments Cards Center,
Discussion Paper No. DP06-07, 2006), available at http://www.phil.frb.org/payment-cards-center/publications/discussion-papers/2006/D2006JulyPrepaidCardsACCIcover.pdf.
40. FED. RES. BANK OF N.Y., Stored Value Cards, supra note 8; Furletti, Prepaid Card
Markets, supra note 32, at 2.
41. FED. RES. BANK OF N.Y., Stored Value Cards, supra note 8; Furletti, Prepaid Card
Markets, supra note 32, at 2.
42. FED. RES. BANK OF N.Y., Stored Value Cards, supra note 8; Furletti, Prepaid Card
Markets, supra note 32, at 8.
43. Summary of Roundtable Discussion, supra note 32; Furletti, Prepaid Card Markets, supra
note 32, at 8.
44. DOVE CONSULTING, FED. RESERVE SYSTEM, THE ELECTRONIC PAYMENTS STUDY: A
SURVEY OF ELECTRONIC PAYMENTS FOR THE 2007 FEDERAL RESERVE PAYMENTS STUDY 28
(2008) [hereinafter DOVE CONSULTING, ELECTRONIC PAYMENTS STUDY].
45. Summary of Roundtable Discussion, supra note 32.
1970s.46 In the 1980s, prepaid telephone cards emerged in the prepaid
market.47 The prepaid industry expanded exponentially in the mid-1990s
when national retailers introduced closed-loop gift cards to replace gift
certificates.48 In the early-1990s, EBT cards became the first open-loop
cards introduced to replace paper-based food stamps.49 Since the mid-1990s, a number of open-loop prepaid cards have been introduced to
consumers.50 Today, prepaid cards have a wide range of purposes. Anyone
calling family abroad with a prepaid phone card, purchasing clothing at a
retailer with a gift card, or buying groceries and paying monthly bills with a
prepaid debit card is taking advantage of the variety of prepaid products
now available to consumers.51
Prepaid cards have become one of the fastest growing products in the
financial industry.52 As a result of the industry’s continuous growth and
ever-changing prepaid product applications, the size of the prepaid market
is unclear.53 However, the most recent study performed by the Federal
Reserve Board estimated that prepaid transactions in 2006 totaled about
$49.9 billion, including $13.3 billion in open-loop transactions.54
C. TYPES OF PREPAID CARDS
1. Prepaid Debit Cards
Like other forms of prepaid cards, prepaid debit cards differ from
traditional card-based products in that they require users to pay early for
purchases that will be made in the future rather than paying at the time or
after purchases are made.55 Prepaid debit cards are, however, similar to
traditional credit and debit cards in that both allow customers to “withdraw
funds from ATMs . . . [and] . . . make retail purchases or pay bills, in
person, online or over the phone.”56 The cards can also be reloaded with
additional funds in a variety of ways, including “direct deposit, money wire
transfer, money order,” or by paying cash at retail locations.57 Typically, the
46. Kathleen L. DiSanto, Down the Rabbit Hole: An Adventure in the Wonderland of Stored-Value Card Regulation, 12 J. CONSUMER & COM. L. 22, 23 (2008).
47. Id.
48. See Summary of Roundtable Discussion, supra note 32; DiSanto, supra note 46, at 23.
National retailers such as Blockbuster and Kmart are credited with introducing these cards.
Cheney & Rhine, supra note 39, at 2.
49. Summary of Roundtable Discussion, supra note 32.
50. See id.
51. See, e.g., FED. RES. BANK OF N.Y., Stored Value Cards, supra note 8; Summary of
Roundtable Discussion, supra note 32.
52. See FED. RES. BANK OF N.Y., Stored Value Cards, supra note 8.
53. See DOVE CONSULTING, ELECTRONIC PAYMENTS STUDY, supra note 44, at 27–30.
54. Id. at 39; DEMYSTIFYING PREPAID CARDS, supra note 38, at 1.
55. Cheney & Rhine, supra note 39, at 2.
56. CHENEY, PAYMENT CARDS AND THE UNBANKED, supra note 4, at 5.
57. FED. RES. BANK OF N.Y., Stored Value Cards, supra note 8.
consumer’s pre-loaded funds are stored in and drawn from a “pooled
account” or “cardholder sub-account” held by the issuing financial
institution.58
The infrastructure that makes prepaid debit cards available and
functional for consumers is immense. The industry’s hierarchy is comprised
of issuers, providers, processors, brand networks, debit networks, ATM
networks, reload networks, and retailers.59 Recognizing the potential of the
underserved market, financial institutions have integrated prepaid debit
cards into their product lines, serving as issuers and providers of cards as
well as holders of pre-loaded fund accounts.60 However, retailers are
increasingly competing against banks as providers of prepaid debit cards.61
For example, Wal-Mart has been rather successful in the market since it
began selling prepaid debit cards in June 2007.62 The growing number of
retailers that provide such cards—coupled with their ability to conduct
financial transactions in their stores—has blurred the line, particularly for
the underserved, as to what constitutes traditional banking.63 Processors
authorize payments, clear transactions, and provide a variety of services for
financial institutions that issue prepaid cards.64 Brand networks, such as
Visa, MasterCard, Discover, and American Express, “provide connections
between the merchant’s bank and the issuing financial [institution].”65 Debit
networks “allow PIN Debit transactions [to take place] at the point of sale,”
and ATM transactions are made possible by ATM networks.66 Reload
networks, such as Green Dot, MasterCard repower, MoneyGram, Visa
ReadyLink, NetSpend, and nFinanSe, provide the computer servers,
software, and customer service that allow prepaid debit cardholders to
reload money at a growing network of retail locations.67 Prepaid debit cards
can be obtained in numerous retail locations, including convenience, drug
and grocery stores, via phone or Internet, and at check cashing services.68
58. Cheney & Rhine, supra note 39, at 8.
59. DEMYSTIFYING PREPAID CARDS, supra note 38, at 4.
60. See id. at 1. Banks that are interested in offering prepaid debit cards can choose from three
models: hire companies to develop a prepaid card program, build a program in-house, or outsource
some functions while retaining control of others. Id. at 6.
61. Id. at 2.
62. Id. (quoting Ann Zimmerman, Wal-Mart User Fees for its Prepaid Visa Debit card,
WALL ST. J., Feb. 18, 2009, http://online.wsj.com/article/SB123496685897511383.html).
63. CHENEY, PAYMENT CARDS AND THE UNBANKED, supra note 4, at 18.
64. DEMYSTIFYING PREPAID CARDS, supra note 38, at 4.
65. Id.
66. Id.
67. Id. at 4; James Flanigan, supra note 12.
68. SHERRIE L. W. RHINE ET AL., THE CENTER FOR FINANCIAL SERVICES INNOVATION,
CARDHOLDER USE OF GENERAL SPENDING PREPAID CARDS: A CLOSER LOOK AT THE MARKET 5
(2007), available at http://cfsinnovation.com/system/files/imported/managed_documents/general
_spending_prepaid_cards.pdf.
222 BROOK. J. CORP. FIN. & COM. L. [Vol. 5
Issuers of prepaid debit cards have developed a “two-step process for
distributing prepaid general spend cards.”69 “[C]onsumers purchase
temporary, instant issue [] cards [that provide] immediate access to their
funds.”70 Consumers are then issued a permanent card bearing the same
account number and often embossed with the card bearer’s name, only after
the temporary card has been loaded and additional personal information
provided to the issuing institution.71
These days, access to prepaid debit cards is as easy as shopping for
groceries.72 In 2008, transactions on prepaid debit cards totaled more than
$4 billion.73 This number was expected to increase to $7.2 billion in 2009
and $10.8 billion in 2010.74 Prepaid debit cards have become one of the
fastest growing products in the consumer banking industry.75
2. Gift Cards
A gift card—the modern incarnation of paper-based gift certificates—
can be used to purchase goods or services from merchants. Although gift
cards represent the majority of prepaid products issued, they actually
“account for proportionately less of the total value loaded onto [prepaid]
cards.”76 Currently, two types of gift cards dominate the market: closed-loop, merchant-issued gift cards and branded or open-system gift cards.77
Merchant-issued gift cards—those that can be used only at the merchant’s
locations78—were the first widely distributed prepaid product.79 Branded
gift cards, on the other hand, are “redeemable . . . anywhere the network
brand on the card is accepted.”80 Recently, a competitive struggle has
69. Id.
70. Id.
71. Id.
72. See Andrew Martin, Prepaid, but Not Prepared for Debit Card Fees, N.Y. TIMES, Oct. 6,
2009, at A1.
73. Flanigan, supra note 12.
74. Id.
75. Martin, supra note 72.
76. Julia S. Cheney, Prepaid Card Models: A Study in Diversity 6 (Fed. Reserve Bank of
Phila. Payments Card Center, Discussion Draft No. DP05-04, 2005), available at
http://www.phil.frb.org/payment-cards-center/publications/discussion-papers/2005/PrepaidCard
Models_Palmer_FINAL.pdf [hereinafter Cheney, Prepaid Card Models].
77. See MARK FURLETTI, FED. RESERVE BANK OF PHILA. PAYMENT CARDS CENTER,
CONFERENCE SUMMARY: PREPAID CARDS: HOW DO THEY FUNCTION? HOW ARE THEY
REGULATED? 7, 14 (2004), available at http://www.phil.frb.org/payment-cards-center/events/conferences/2004/PrepaidCards_062004.pdf [hereinafter FURLETTI, HOW DO THEY
FUNCTION?].
78. Id. at 7.
79. See DOVE CONSULTING, ELECTRONIC PAYMENTS STUDY, supra note 44, at 28 (citing
Blockbuster and Kmart as the pioneers in developing prepaid gift certificates).
80. Cheney, Prepaid Card Models, supra note 76, at 5–6.
ensued between these two products;81 however, closed-loop gift cards still
continue to dominate the overall prepaid card market.82
3. Payroll Cards
Payroll card programs are a cost-saving replacement for paper payroll
checks, allowing employers to deliver pay as card-based value.83 As with
direct deposit, value is loaded onto a payroll card automatically by
transferring the payroll amount from the employer’s account to the
employee’s payroll card account.84 Like prepaid
debit cards, payroll card accounts are usually managed via a “third-party
processor.”85 Payroll cards are similar to debit cards linked to a checking
account and provide many similar functions, including ATM functionality,
the ability to purchase goods and services and receive cash back from a
transaction, and access to “real-time balance information.”86
Payroll cards have become quite attractive to the underserved
population. In 2004, payroll cards were issued to at least 1.8 million
unbanked households,87 and many expect significant growth within the
underserved market.88 Payroll cards appeal to underserved consumers
because they eliminate check cashing lines and fees, “offer immediate
access to pay,” and provide consumers with the ability to withdraw as much
money as desired.89 The increase in the popularity of payroll cards is also,
in large part, attributable to the branding of payroll cards by Visa and
MasterCard.90 The Visa or MasterCard brand provides payroll cards with
debit card-like functionality and prestige.91
4. Electronic Benefit Transfers
“Electronic benefit transfer (EBT) programs are designed to deliver
government benefits such as food stamps, supplemental security income
(SSI), and social security.”92 EBT programs function similarly to payroll
cards; “[e]ligible recipients receive magnetic-stripe cards and personal
81. FURLETTI, HOW DO THEY FUNCTION?, supra note 77, at 7.
82. DOVE CONSULTING, ELECTRONIC PAYMENTS STUDY, supra note 44, at 30.
83. See Payroll Cards: An Innovative Product for Reaching the Unbanked and Underbanked,
COMMUNITY DEVELOPMENTS (Comptroller for the Currency, Washington, D.C.), June 2005, at 1,
available at http://www.occ.gov/static/community-affairs/insights/payrollcards.pdf [hereinafter
Payroll Cards: An Innovative Product].
84. Cheney, Prepaid Card Models, supra note 76, at 7.
85. Id.
86. Id.
87. Payroll Cards: An Innovative Product, supra note 83, at 2.
88. See id. at 10 (discussing bankers who recommend payroll cards to employers).
89. Id. at 4.
90. Id.
91. See id.
92. Electronic Fund Transfers, 62 Fed. Reg. 43,467, 43,467 (Aug. 14, 1997) (to be codified at
12 C.F.R. pt. 205).
identification numbers” that access their benefits electronically.93 In recent
years, government use of EBT programs has become increasingly popular,
as states embrace the cost-effectiveness and speed of electronic
disbursement of benefit funds.94 “Currently all states use EBT cards to
[dispense] food stamps and TANF program benefits,” and many states have
started issuing child support payments and unemployment benefits through
prepaid cards.95 In early 2008, the Treasury Department announced that it
would begin issuing Social Security benefits through prepaid cards.96
III. THE ADVANTAGES AND DISADVANTAGES OF PREPAID DEBIT CARD USE
Prepaid debit cards have been heavily marketed to the underserved for a
variety of reasons.97 Prepaid cards provide the underserved with a more
convenient way of accessing funds and making transactions without the
obstacles of account ownership.98 Despite notable conveniences, however,
underserved consumers are often uneducated about the array of features, fee
structures, and lack of protections associated with prepaid debit cards.99
A. WHY THE UNDERSERVED USE PREPAID DEBIT CARDS
Prepaid debit cards can be “irresistible” to the underserved for many
reasons.100 First, prepaid debit cards provide a limited form of safety and
security compared to other alternative financial products,101 because they
allow consumers to make purchases and pay bills without carrying cash.102
Second, prepaid debit cards offer immediate liquidity, making loaded funds
available instantaneously rather than after the delays associated with traditional
93. Id.
94. DOVE CONSULTING, ELECTRONIC PAYMENTS STUDY, supra note 44, at 31.
95. Id.
96. Eleanor Laise, Treasury Plans Social Security Debit Card; A Bid for Payments to Become
Cheaper and More Secure, WALL ST. J., Jan. 4, 2008, at A4.
97. FED. RES. BANK OF N.Y., Stored Value Cards, supra note 8.
98. CENTER FOR FINANCIAL SERVICES INNOVATION, PREPAID CARD VS. CHECKING ACCOUNT
PREFERENCES (2008), http://cfsinnovation.com/system/files/imported/managed_documents/pre
paid_sept9_0001.pdf.
99. See FED. RES. BANK OF N.Y., Stored Value Cards, supra note 8.
100. See MICHAEL J. HERMANN & RACHEL SCHNEIDER, CENTER FOR FINANCIAL SERVICES
INNOVATION, NONPROFIT DISTRIBUTION OF PREPAID CARDS 5–6 (n.d), available at
http://cfsinnovation.com/system/files/imported/managed_documents/cfsi_nonprdistprepaid_mar08
.pdf.
101. Alternative financial service providers include check cashing outlets, payday lenders,
money transmitters, and pawnshops. Financial Access Options for the Underserved, FED.
RESERVE BANK OF DALLAS BANKING & COMMUNITY PERSP., no. 3, 2009 at 2, available at
http://www.dallasfed.org/ca/bcp/2009/bcp0903.pdf.
102. SARAH GORDON ET AL., CENTER FOR FINANCIAL SERVICES INNOVATION, A TOOL FOR
GETTING BY OR GETTING AHEAD? CONSUMERS’ VIEWS ON PREPAID CARDS 6 (n.d), available at
http://cfsinnovation.com/system/files/imported/managed_documents/voc-prepaidfinal.pdf.
check cashing.103 Furthermore, unlike traditional bank accounts, prepaid
debit cards are easily accessible and impose no identification or credit
history requirements.104 For example, one card advertises, “‘No Credit
Check. Safer Than Cash. No Bank Account Needed.’”105 Consumers can
simply purchase a prepaid debit card at a checkout register and begin
performing transactions.106
An indirect advantage to prepaid debit card use is that other options in
the alternative financial sector are extremely costly. The underserved rely
heavily on check cashing outlets, which often charge between 1.5 and 3.5
percent of face value.107 It has been estimated that the check cashing
industry earns about $1.5 billion in fees each year processing 180 million
checks with a face value of $55 billion.108 These fees are extraordinarily
high “both in absolute terms and relative to the customer’s income.”109
B. POTENTIAL OF PREPAID DEBIT CARDS TO FINANCIALLY EMPOWER THE UNDERSERVED
Many industry participants acknowledge that prepaid debit cards can
serve as a vehicle towards greater financial empowerment of the
underserved.110 Russell Simmons, a contributing creator of the Prepaid Visa
RushCard, was inspired by his belief that prepaid debit cards can provide
the underserved with “access to the American dream.”111 Despite the
alarming number of Americans that remain unbanked or underbanked,112
research shows that the underserved are not opposed to using banks.113
Rather, these individuals have been unable to overcome an “intimidation
factor” to gain access.114 Prepaid debit cards, however, are widely believed
to be the entry-level products that can help the underserved overcome this
fear.115 Recognizing this potential, banks are beginning to adapt cards and
practices to meet the needs of the underserved, offering credit-building
features116 and developing distribution relationships with third-party
103. See HERMANN & SCHNEIDER, supra note 100, at 5.
104. Id. at 6.
105. See Martin, supra note 72 (quoting language from Visa Green Dot Prepaid Card).
106. Id.
107. CHENEY, PAYMENT CARDS AND THE UNBANKED, supra note 4, at 8.
108. Id.
109. Id.
110. See id. at 15–16.
111. Walker, supra note 7.
112. See FDIC HOUSEHOLD SURVEY, supra note 2.
113. CHENEY, PAYMENT CARDS AND THE UNBANKED, supra note 4, at 15.
114. Id.
115. See FED. RES. BANK OF N.Y., Stored Value Cards, supra note 8.
116. Id.
providers connected to underserved communities.117 Financial institutions
have seized the opportunity to use prepaid debit cards as an opening to the
underserved market,118 and the results could be significant for banks and the
underserved.
C. THE RISKS ASSOCIATED WITH PREPAID DEBIT CARDS
Despite their convenience and appeal, financially uneducated
consumers are often unaware of the risks associated with the use of prepaid
debit cards. First, users are susceptible to an array of hidden fees generated
through the cards’ use.119 Banks that offer prepaid debit cards to consumers
make money from a number of fees that are commonly incurred with card
usage, including entrance or activation fees, maintenance fees, point of sale
fees, and ATM transaction fees.120 Potential additional fees include
transaction limit fees, bill payment fees, phone or online transaction fees,
reload fees, inactivity fees, overdraft and overdraft protection fees, and even
fees to call customer service.121 For consumers, this astounding range of
fees122 only serves to increase the complexity of the fee structure for each
117. See CHENEY, PAYMENT CARDS AND THE UNBANKED, supra note 4, at 16 (advancing the
“need to develop distribution relationships with third-party providers that have direct relationships
with [the underserved]”).
118. See DEMYSTIFYING PREPAID CARDS, supra note 38, at 1.
119. See, e.g., Martin, supra note 72.
120. FED. RES. BANK OF N.Y., Stored Value Cards, supra note 8.
121. Id. Fees vary widely among the numerous cards marketed to consumers. For example, the
MiCash Prepaid MasterCard charges a $9.95 activation fee, $1.75 for ATM withdrawals, $1 for
ATM balance inquiries, $0.50 for purchases, $4 for monthly maintenance, $2 for inactivity over
60 days, and $1 for calls placed to customer service. See Walker, supra note 7. The Millennium
Advantage Prepaid MasterCard requires an application fee up to $99. Id. “The Silver Prepaid
Mastercard . . . [has] the option of charging a $25 shortage fee if customers exceed their balance,”
despite advertising that it does not charge for overdrafts. Id. The Prepaid Visa RushCard costs
$19.99, charges $1 per transaction, has ATM fees of $1.95 plus fees charged by the ATM’s
owner, and charges fees to add money in the form of cash. Id.
122. The following chart displays the relevant fee categories and ranges of fees associated with
prepaid debit cards:
    Fee Type                                    Fee Range
    Entrance/Activation                         $0 to $39.95
    Maintenance, monthly                        $0 to $9.95
    Maintenance, annual                         $0 to $99.95
    Point of Sale                               $0 to $2.00
card,123 leaving one spokesman for a consumer advocacy group asking,
“[h]ow are consumers supposed to keep the fees straight if the companies
can’t?”124 The costs make prepaid debit cards “a very expensive way to
bank,” causing some to question whether it is right to give “people their pay
on a card that has fees on it.”125
Second, prepaid debit cards lack some of the basic legislative and
regulatory protections extended to other payment devices.126 Only recently
have fee limitations been imposed,127 but these laws do not apply to prepaid
debit cards.128 Presently, there is no legislatively mandated error resolution
procedure when funds are stolen from the card’s account or unauthorized
charges are made.129 Unlike credit and debit cards, prepaid debit cards are
not protected by consumer liability caps130 or a right of recredit.131 Nor do
prepaid debit cards have a statutory chargeback right, which allows a
consumer to reverse a payment when the goods ordered are not delivered.132
Finally, not all prepaid debit cards may have federal deposit insurance to
protect funds in the event of bank failure.133
IV. FEDERAL LAWS CURRENTLY APPLYING TO THE PREPAID INDUSTRY
The myriad products and laws in the payment products market are
complex and confusing.134 The EFTA and Regulation E provide the legal
    Domestic ATM Transaction (within network)   $0 to $2.50
FED. RES. BANK OF N.Y., Stored Value Cards, supra note 8.
123. See id.
124. Martin, supra note 72.
125. Id.
126. See generally Gail Hillebrand, Before the Grand Rethinking: Five Things to do Today with
Payments Law and Ten Principles to Guide New Payments Products and New Payments Law, 83
CHI.-KENT L. REV. 769 (2008).
127. See Credit CARD Act of 2009 § 102, 15 U.S.C.A. §§ 1637(j)–(k), 1661 (West 2010).
128. Philip Keitel, The Credit CARD Act of 2009 and Prepaid Cards, FED. RESERVE BANK OF
PHILA. PCC NOTE PAYMENT CARDS CENTER, (Aug. 2009), http://www.philadelphiafed.org/
payment-cards-center/publications/pcc-note/2009/pcc-note_credit-card-act-2009.pdf.
129. See Hillebrand, supra note 126, at 772 (“[A] consumer who pays by debit card . . . does
not have a statutory right to reverse the charge.”).
130. Id. at 775–77. When money is taken from an account or an unauthorized charge is made to
a payment device, a consumer liability cap provides a limit on the amount of money a cardholder
can lose before the problem is discovered and reported. Id. at 775.
131. Id. at 779. A right of prompt recredit protects cardholders by returning money to their
account after money has been unlawfully taken or the card has been charged without the account
holder’s consent. Id.
132. Id. at 781.
133. See FED. RES. BANK OF N.Y., Stored Value Cards, supra note 8.
134. Mark Furletti, Payment System Regulation and How it Causes Consumer Confusion 1
(Fed. Reserve Bank of Phila. Payment Cards Center, Discussion Paper No. DP04-05, 2004),
available at http://www.phil.frb.org/payment-cards-center/publications/discussion-papers/2004/
framework governing the movement of electronic funds, including debit
and several prepaid products.135 For simplicity’s sake, uniformity would be
beneficial to all market participants—consumers, the card industry, and
regulators.136
A. EFTA AND REGULATION E
In 1978, Congress passed the EFTA to “provide a basic framework
establishing the rights, liabilities, and responsibilities of participants in
electronic fund transfer systems,” with the “provision of individual
consumer rights” as the primary objective.137 The EFTA requires “financial
institutions to send consumers monthly statements [detailing] transaction
activity,” implement procedures to resolve erroneous transfers, and “limit
consumer liability for unauthorized transfers.”138 In the EFTA, Congress
delegated to the Board of Governors of the Federal Reserve System (the
Board) the responsibility for promulgating regulations to carry out its
purposes.139 Regulation E was originally enacted by the Board in part to
extend the protections of the EFTA to debit cards.140 Today, the protections
of the EFTA and Regulation E apply to several prepaid payment methods,
including government benefits141 and payroll cards,142 and were most
recently expanded to gift cards and general-purpose prepaid cards.143
1. Protections of the EFTA and Regulation E
The EFTA and Regulation E provide important protections for
consumers who use electronic fund transfer services, 144 which include debit
and some prepaid card users. These protections include a liability cap and
the right to prompt recredit when money is taken out of an account or a
charge is made without the account holder’s authorization,145 limitations on
financial institutions’ ability to assess overdraft fees,146 and disclosure
PaymentSystemRegulation_112004.pdf (last visited Oct. 24, 2009) [hereinafter Furletti, Payment
System Regulation].
135. Furletti, Prepaid Card Markets, supra note 32, at 13–14.
136. Furletti, Payment System Regulation, supra note 134, at 7.
137. Electronic Fund Transfer Act of 1978, Pub. L. No. 95-630, § 902, 92 Stat. 3728, 3728
(1978).
138. Christopher B. Woods, Update on Prepaid Cards Laws and Regulations, 61 CONSUMER
FIN. L. Q. REP. 815, 815 (2007).
139. 15 U.S.C. § 1693b(a) (2006).
140. See Electronic Fund Transfers (Regulation E), 12 C.F.R. §§ 205.1(a)–(b) (2009).
141. Id. § 205.15.
142. Id. § 205.18.
143. Credit CARD Act of 2009 § 401, 15 U.S.C.A. § 1693l (West 2010).
144. 15 U.S.C. § 1693b(a); 12 C.F.R. § 205.1(b).
145. 15 U.S.C. §§ 1693f–1693g; 12 C.F.R. § 205.6 (2009).
146. In November 2009, the Board announced final rules that prohibit financial institutions
from charging overdraft fees on ATM or one-time debit transactions unless a consumer consents.
Press Release, Board of Governors of the Federal Reserve System, Federal Reserve Announces
Final Rules Prohibiting Institutions from Charging Fees for Overdrafts on ATM and One-Time
requirements that inform consumers about how these protections apply.147
However, consumers purchasing cards that have the appearance of debit
cards may be surprised to discover that these look-alikes are treated rather
differently.148
The EFTA and Regulation E provide two protections for consumers
whose accounts are victimized by unauthorized electronic fund transfers,
i.e., withdrawals or charges against the account “initiated by a person other
than the consumer without actual authority to initiate the transfer and from
which the consumer receives no benefit.”149 First, the laws cap the amount
for which a consumer can be held responsible at $50 or $500, or leave
liability unlimited, depending upon when the consumer discovers and
reports the loss or theft.150 The laws also require that financial
institutions investigate an alleged error or unauthorized transaction and
promptly recredit a consumer’s account if the investigation reveals an
error.151 Brand networks, like Visa and MasterCard, also provide
“additional voluntary protection, with significant loopholes in coverage.”152
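The tiers just described compose in a way the prose can obscure: a late report does not simply raise the cap from $50 to $500, and the 60-day periodic-statement rule operates independently of the lost-card rule, so a cardholder who never lost the card can still bear unlimited liability for late-reported transfers. The following Python example is added here for illustration; it is not part of the article or of any source it cites. The $50, $500, and unlimited tiers are those stated in the text. The windows that select between them, two business days after the consumer learns that the card was lost or stolen and 60 days after transmittal of the periodic statement that first showed an unauthorized transfer, are taken from 15 U.S.C. § 1693g(a) and 12 C.F.R. § 205.6(b) rather than from this page, and every transfer, date, and amount below is constructed sample data.

```python
"""Tiered consumer liability for unauthorized electronic fund transfers.

Added illustration, not from the article: the EFTA / Regulation E liability
cap the text summarizes as "$50, $500, or unlimited".  The tier boundaries
(two business days after the consumer learns the access device was lost or
stolen; 60 days after transmittal of the periodic statement that first showed
an unauthorized transfer) come from 15 U.S.C. § 1693g(a) and 12 C.F.R.
§ 205.6(b) (2009), not from the page.  Transfers, dates and amounts below are
constructed sample data.  Amounts are whole cents.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable, Optional

TIMELY_CAP = 50_00     # (b)(1): lesser of $50 or the amount taken before notice
UNTIMELY_CAP = 500_00  # (b)(2): lesser of $500 or the two-part sum computed below


@dataclass(frozen=True)
class Transfer:
    when: date   # date of the unauthorized transfer
    cents: int   # amount in cents


def business_days_after(start: date, n: int) -> date:
    """Date n business days (Mon-Fri; bank holidays ignored) after start."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            n -= 1
    return d


def consumer_liability(transfers: Iterable[Transfer], notified: date,
                       learned: Optional[date] = None,
                       first_statement: Optional[date] = None) -> int:
    """Maximum consumer liability in cents under 12 C.F.R. § 205.6(b).

    notified        -- date the consumer notified the financial institution
    learned         -- date the consumer learned the card was lost or stolen;
                       None if it never left the consumer (e.g. a skimmed number)
    first_statement -- transmittal date of the first periodic statement that
                       showed an unauthorized transfer, or None
    Transfers on or after the notice date are never the consumer's loss.  The
    (b)(2)(ii) condition that later transfers would not have occurred with
    timely notice is assumed to be established by the institution.
    """
    before_notice = [t for t in transfers if t.when < notified]

    # (b)(3): transfers more than 60 days after the statement went out and
    # before notice carry unlimited liability, whatever the card's status.
    if first_statement is not None:
        cutoff = first_statement + timedelta(days=60)
        unlimited = [t for t in before_notice if t.when > cutoff]
        capped = [t for t in before_notice if t.when <= cutoff]
    else:
        unlimited, capped = [], before_notice
    liability = sum(t.cents for t in unlimited)

    # (b)(1)-(2) apply only when the access device itself was lost or stolen.
    if learned is None:
        return liability
    deadline = business_days_after(learned, 2)
    if notified <= deadline:  # timely notice: $50 tier
        liability += min(TIMELY_CAP, sum(t.cents for t in capped))
    else:                     # untimely notice: $50 tier for the first two
        first_two_days = sum(t.cents for t in capped if t.when <= deadline)
        after_two_days = sum(t.cents for t in capped if t.when > deadline)
        liability += min(UNTIMELY_CAP,          # business days, then all later
                         min(TIMELY_CAP, first_two_days) + after_two_days)  # transfers, capped at $500
    return liability


# Constructed scenario: card stolen; consumer learns of it Monday 1 March 2010.
LEARNED = date(2010, 3, 1)
STOLEN_CARD = [
    Transfer(date(2010, 3, 1), 120_00),
    Transfer(date(2010, 3, 2), 40_00),
    Transfer(date(2010, 3, 5), 300_00),
    Transfer(date(2010, 3, 9), 700_00),
]
# Constructed scenario: card number skimmed; the 4 January statement showed
# the first fraud and the consumer did not report until 1 April.
SKIMMED_CARD = [
    Transfer(date(2010, 1, 2), 30_00),
    Transfer(date(2010, 2, 15), 200_00),
    Transfer(date(2010, 3, 20), 450_00),
]


def timely_report() -> int:
    """Reported Wednesday 3 March, within two business days: $50 tier."""
    return consumer_liability(STOLEN_CARD, notified=date(2010, 3, 3), learned=LEARNED)


def timely_report_small_loss() -> int:
    """Only $40 taken before a timely report: the consumer owes $40, not $50."""
    return consumer_liability(STOLEN_CARD[1:2], notified=date(2010, 3, 3), learned=LEARNED)


def late_report() -> int:
    """Reported 10 March, after the window: $500 tier, though $1,160 was taken."""
    return consumer_liability(STOLEN_CARD, notified=date(2010, 3, 10), learned=LEARNED)


def skimmed_card() -> int:
    """No lost card, so only the statement rule applies: the $450 transfer made
    more than 60 days after the 4 January statement is the consumer's loss."""
    return consumer_liability(SKIMMED_CARD, notified=date(2010, 4, 1),
                              first_statement=date(2010, 1, 4))


if __name__ == "__main__":
    for f in (timely_report, timely_report_small_loss, late_report, skimmed_card):
        print(f"{f.__name__}: ${f() / 100:,.2f}")
```

Run as a script, the four scenarios come out at $50.00, $40.00, $500.00, and $450.00. The untimely branch shows why the text's "$500" is a ceiling rather than a fixed figure: the first two business days are still capped at $50, and the later transfers are added on top before the $500 cap is applied, while the 60-day statement rule is computed first and added outside either cap.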
A recent development was the Board’s announcement that Regulation E
will limit financial institutions’ ability to charge overdraft fees for ATM
transactions and one-time transactions that overdraw a consumer’s account
unless the consumer consents to these fees.153 This amendment, which took
effect in summer 2010, will undoubtedly curb the growth of overdraft fees,
which cost consumers $23.7 billion in 2008.154 Not surprisingly, lower-income Americans pay the majority of these fees.155 Overdraft fees,
however, are not the only type of fees targeted by Congress and the Board;
the Credit Card Accountability Responsibility and Disclosure Act of 2009
(Credit CARD Act) prohibits the assessment of dormancy fees, inactivity
charges, or service fees with respect to the covered forms of payment.156
The EFTA and Regulation E also require a financial institution to make
disclosures when the “consumer contracts for the electronic fund transfer
service”157 or “before the first electronic fund transfer is made involving the
Debit Card Transactions (Nov. 12, 2009), http://www.federalreserve.gov/newsevents/press/bcreg/
20091112a.htm [hereinafter Overdraft Fees Press Release].
147. 12 C.F.R § 205.7(b) (2009).
148. Anita Ramasastry, Confusion and Convergence in Consumer Payments: Is Coherence in
Error Resolution Appropriate?, 83 CHI.-KENT L. REV. 813, 836 (2008).
149. 15 U.S.C. § 1693a(11) (2006); 12 C.F.R. § 205.2(m) (2009).
150. 15 U.S.C. § 1693g(a).
151. Id. § 1693f(a)–(b).
152. Hillebrand, supra note 126, at 777.
153. Overdraft Fees Press Release, supra note 146.
154. The Overdraft Protection Act of 2009: Hearing on H.R. 3904 Before the H. Comm. on
Financial Services, 111th Cong. 136 (2009) (statement of Eric Halperin, Director, Center for
Responsible Lending).
155. Id. at 137 (citation omitted).
156. Credit CARD Act of 2009, 15 U.S.C.A. § 1693l-1(b)(1) (West 2010).
157. 15 U.S.C. § 1693c(a)(1) (2006).
consumer’s account.”158 These disclosures include, among other things, a
summary of the consumer’s liability for unauthorized fund transfers,159 “the
consumer’s right to stop payment of a preauthorized electronic fund
transfer,”160 “[a]ny fees imposed by the financial institution for electronic
fund transfers or for the right to make transfers,”161 “notice that a fee may
be imposed by an [ATM] operator”—and “any network used to complete
the transaction”—when the consumer makes an ATM withdrawal or a
balance inquiry.162
2. Prepaid Payment Methods Protected by the EFTA and Regulation E
The protections of the EFTA and Regulation E apply only to
“account[s]” as defined therein. Regulation E defines an “account” as “a
demand deposit (checking), savings, or other consumer asset . . . held
directly or indirectly by a financial institution and established primarily for
personal, family, or household purposes.”163 As one author has noted, the
scope of this definition and the implications it has on protecting prepaid
debit cards are quite unclear.164 The Board has added to this confusion by
expressing its own uncertainty as to whether prepaid debit cards fall within
the definition of a consumer asset account.165 However, the history of
congressional and Board efforts to regulate the prepaid industry is rather
convincing evidence that neither the EFTA nor Regulation E currently
regulates prepaid debit cards.166
a. Electronic Benefits
There have been several attempts to expand the coverage of Regulation
E. In 1994, the Board amended the regulation to bring EBT programs
within its coverage.167 These provisions applied many of Regulation E’s
158. Electronic Fund Transfers (Regulation E), 12 C.F.R. § 205.7(a) (2009).
159. Id. § 205.7(b)(1).
160. Id. § 205.7(b)(7).
161. Id. § 205.7(b)(5).
162. Id. § 205.7(b)(11).
163. Id. § 205.2(b)(1).
164. Hillebrand, supra note 126, at 790 (maintaining that it is unclear whether the EFTA
currently applies to prepaid debit cards); but see Ramasastry, supra note 148, at 836 (“At present,
if a consumer uses a prepaid or stored-value card, there is no legislatively-mandated error
resolution procedure (with the exception of payroll cards).”); Martin, supra note 72 (stating that
“prepaid cards have not undergone . . . Congressional and regulatory scrutiny”).
165. See Electronic Fund Transfers, 61 Fed. Reg. 19,696, 19,698–99 (May 2, 1996) (to be
codified at 12 C.F.R. pt. 205).
166. See supra Part IV.A.1–2. For example, the Board explicitly expanded Regulation E only to
payroll cards in 2007, and Congress specifically exempted prepaid debit cards from the Credit
CARD Act of 2009. See 15 U.S.C.A. § 1693l-1(a)(2)(D) (West 2010); 12 C.F.R. § 205.18 (2006).
167. Electronic Fund Transfers, 59 Fed. Reg. 10,768, 10,768 (Mar. 7, 1994).
protections, including a liability cap168 and error resolution procedures.169
The Board, however, exempted government agencies from furnishing
periodic statements of account activity if the agency made recipients’
account balances available via telephone and electronic terminals and
provided written account histories upon request.170 The Board’s rationale
for these amendments was that all consumers using EFT services should
uniformly receive the protections under the EFTA and Regulation E.171
b. Consideration of Prepaid Cards, in General
In 1994, the Board also first considered whether all prepaid cards
should receive the protections of Regulation E.172 After receiving
comments, the Board proposed amendments to Regulation E in May
1996.173 These proposed rules would have imposed modified requirements
on three classes of prepaid products: “off-line accountable stored-value
systems,” “off-line unaccountable stored-value systems,” and “on-line
stored-value systems.”174 The Board defined “on-line stored-value systems”
as the following:
[B]alance of funds that may be accessed only through the use of a card
that a consumer may use at electronic terminals to obtain cash or purchase
goods or services, where the record of such balance is maintained on a
separate database, and not on the card, and where on-line authorization of
transactions is required to access the funds.175
This category of prepaid cards, which the Board considered to be “the
functional equivalent of a deposit account accessed by a debit card,” closely
resembles the prepaid debit card; however, the Board recognized that not all
on-line stored-value cards are reloadable.176 Therefore, this definition
presumably included products such as branded or open-loop gift cards in
addition to prepaid debit cards.
The proposed rule would have applied to several prepaid products that
were not exempted by a de minimis exception for cards issued for below
$100.177 However, the prepaid industry protested that these protections
would stifle product development,178 and, in response, Congress directed
168. Electronic Fund Transfers (Regulation E), 12 C.F.R. § 205.15(d)(3) (2009).
169. Id. § 205.15(d)(4).
170. Id. § 205.15(c).
171. Electronic Fund Transfers, 62 Fed. Reg. 43,467, 43,467 (August 14, 1997) (codified at 12
C.F.R. pt. 205).
172. Ramasastry, supra note 148, at 835.
173. Id. (citations omitted); Electronic Fund Transfers, 61 Fed. Reg. 19,696, 19,696 (May 2,
1996) (codified at 12 C.F.R. pt. 205).
174. Electronic Fund Transfers, 61 Fed. Reg. at 19,699 (emphasis in the original).
175. Id. at 19,704.
176. Id. at 19,702.
177. Id. at 19,703 (emphasis in the original).
178. Furletti, Prepaid Card Markets, supra note 32, at 11.
the Board to evaluate whether the EFTA or Regulation E “could be applied
to electronic stored-value products without adversely affecting the cost,
development, and operation of such products.”179 The Board issued its
response in 1997, concluding that these regulations might suppress
innovation and development of prepaid products.180 Nevertheless, the Board
conceded that compliance with Regulation E requirements would not be “a
significant problem” for these cards.181
c. Payroll Cards
The Board’s stance on prepaid cards did not change until September
2004, when it published proposed rules to extend Regulation E to payroll
cards.182 The Board’s primary justification for this expansion was the
acknowledgment that payroll cardholders needed basic legal protections
because their livelihoods depended on the funds loaded on to such cards.183
This proposal was followed by an announcement of the approval of a final
rule extending Regulation E to payroll cards in August 2006.184
This extension was implemented by amending the definition of
“account” to include “payroll card account[s],” defined as:
An account that is directly or indirectly established through an employer
and to which electronic fund transfers of the consumer’s wages, salary, or
other employee compensation . . . are made on a recurring basis, whether
the account is operated or managed by the employer, a third-party payroll
processor, a depository institution or any other person.185
The Board modified the requirements for furnishing periodic statements
for payroll card accounts—similar to those modifications for electronic
benefits186—by exempting financial institutions from furnishing periodic
statements to cardholders as long as the institution makes available the
179. BOARD OF GOVERNORS OF THE FEDERAL RESERVE SYSTEM, REPORT TO THE CONGRESS
ON THE APPLICATION OF THE ELECTRONIC FUND TRANSFER ACT TO ELECTRONIC STORED-VALUE PRODUCTS 1 (1997), available at http://www.federalreserve.gov/boardDocs/rptcongress/
efta_rpt.pdf.
180. Ramasastry, supra note 148, at 836.
181. Electronic Fund Transfers, 61 Fed. Reg. at 19,699, 19,702. The Board recognized that
“because [this] system operate[s] on-line,” the system was already “designed to [protect] against
unauthorized access, and compliance with limitations on consumer liability” would be similar to
those for “traditional deposit account[s] accessed by debit card[s].” Id.
182. Woods, supra note 138, at 815–16.
183. Mark E. Budnitz, Developments in Payments Law 2008: Creative Consumer Lawsuits and
Robust Government Enforcement, 12 J. CONSUMER & COM. L. 2, 4 (2008).
184. Press Release, Board of Governors of Federal Reserve System, Approval of Final Rule
Covering Payroll Card Accounts Under Regulation E and a Request for Public Comment on an
Interim Final Rule (Aug. 24, 2006), http://www.federalreserve.gov/newsevents/press/bcreg/20060824a.htm. “According to the [Board], ‘[t]he broad characteristics of payroll card accounts
led the FRB to conclude that payroll card accounts are appropriately classified as [deposit]
accounts.’” Woods, supra note 138, at 815.
185. Electronic Fund Transfers (Regulation E), 12 C.F.R. § 205.2(b)(2) (2009).
186. 12 C.F.R. § 205.15(c) (2009).
consumer’s account balance via telephone, a 60-day electronic history of
account transactions, and a 60-day written history of the consumer’s
transactions upon the consumer’s request.187
B. THE CREDIT CARD ACT AND REGULATION E SECTION 205.20
In May 2009, President Barack Obama signed the Credit CARD Act
into law.188 Although primarily aimed at regulation of credit card issuing
practices, several provisions focus on prepaid cards.189 Title IV of the Credit
CARD Act, titled “Gift Cards,” amended the EFTA.190 When the Act took
effect in early 2010, it significantly impacted segments of the prepaid card
industry, notably those that fell within the “[A]ct’s definition of ‘general-use prepaid card,’ ‘gift certificate,’ and ‘store gift card.’”191 The Act defines
“general-use prepaid card” as a:
[C]ard or other payment code or device issued by any person that is –
(i) redeemable at multiple, unaffiliated merchants or service providers, or
automatic teller machines;
(ii) issued in a requested amount, whether or not that amount may, at the
option of the issuer, be increased in value or reloaded if requested by the
holder;
(iii) purchased or loaded on a prepaid basis;
(iv) and honored, upon presentation, by merchants for goods and services,
or at automated teller machines.192
The Act, however, specifically exempts prepaid debit cards.193 Section
915(a)(2)(D) provides “the term[] ‘general-use prepaid card’ . . . do[es] not
include an electronic promise, plastic card, or payment code or device that
187. Id. § 205.18(b)(1).
188. Credit CARD Act of 2009, Pub. L. No. 111-24, 123 Stat. 1734 (codified as amended in
scattered sections of 15 U.S.C.).
189. Keitel, supra note 128.
190. 15 U.S.C.A. § 1693l-1 (West 2010).
191. Keitel, supra note 128.
192. 15 U.S.C.A. § 1693l-1(a)(2)(A). A store gift card was further defined as:
[A]n electronic promise, plastic card, or other payment code or device that is—
(i) redeemable at a single merchant or an affiliated group of merchants that share the
same name, mark, or logo;
(ii) issues in a specified amount, whether or not that amount may be increased in value
or reloaded at the request of the holder;
(iii) purchased on a prepaid basis in exchange for payment; and
(iv) honored upon presentation by such single merchant or affiliated group of merchants
for goods or services.
Id. § 1693l-1(a)(2)(C).
193. See id. § 1693l-1(a)(2)(D).
is . . . (ii) reloadable and not marketed or labeled as a gift card or gift
certificate.”194 Furthermore, the corresponding amendments to Regulation
E issued by the Board in April 2010,195 also make clear that prepaid debit
cards are not protected by these changes.196 Section 205.20(b)(2) states
“[t]he terms ‘gift certificate,’ ‘store gift card,’ and ‘general-use prepaid
card’ . . . do not include any card, code, or other device that is . . .
reloadable and not marketed or labeled as a gift card or gift certificate.”197
Nevertheless, Title IV and Regulation E now provide several important
protections for general-use prepaid cards and gift cards, including
limitations on fees and expiration and disclosure requirements.198 The Act
makes it unlawful, except as otherwise provided, to impose “a dormancy
fee, an inactivity charge or fee, or a service fee with respect to [covered
forms of payment].”199 The Act also requires disclosure, demanding that the
certificate or card clearly and conspicuously inform consumers of
applicable fees and how and when these fees will apply.200 The Credit
CARD Act and the amendments to Regulation E are the most recent actions
taken to protect consumer rights in the prepaid card industry,201 but as
prepaid debit cards become increasingly popular,202 Congress and the Board
must consider extending protections further.
V. ENSURING THE FINANCIAL SECURITY OF UNDERSERVED
PREPAID DEBIT CARD USERS THROUGH UNIFORM
FEDERAL REGULATION
Congress passed the EFTA after determining that a major void existed
in consumer protection laws covering electronic fund transfers, “leaving the
rights and liabilities of consumers, financial institutions, and intermediaries
in electronic fund transfers undefined.”203 The intent of Congress was
exceptionally clear; its primary objective was the “provision of individual
consumer rights” for Americans who had placed their trust in electronic
194. Id.
195. Electronic Funds Transfer, 75 Fed. Reg. 16,580, 16,582 (Apr. 1, 2010) (codified at 12
C.F.R. § 205.20) (2010) (amending Regulation E to adopt reforms made to gift cards, gift
certificates, and general-use prepaid card under the Credit CARD Act).
196. See id. at 16,592–94.
197. Id. at 16,614.
198. See 15 U.S.C.A. § 1693l-1(b)–(c); see also Electronic Funds Transfer, 75 Fed. Reg. at
16,614–15 (codified at 12 C.F.R. § 205.20(c), (d), (f)).
199. 15 U.S.C.A. § 1693l-1(b)(1); Electronic Funds Transfer, 75 Fed. Reg. at 16,614–15
(codified at 12 C.F.R. § 205.20(d)) (disallowing dormancy, inactivity, and service fees under
certain conditions).
200. 15 U.S.C.A. § 1693l-1(b)(3); Electronic Funds Transfer, 75 Fed. Reg. at 16,614–15
(codified at 12 C.F.R. § 205.20(c)–(d)).
201. Keitel, supra note 128.
202. See Walker, supra note 7.
203. Electronic Fund Transfer Act of 1978 § 902, 15 U.S.C. § 1693(a) (2006).
fund transactions.204 In setting out to achieve this goal, Congress granted the
Board comprehensive regulatory authority.205
Over the last several years, Congress and the Board have taken notice
of the growing popularity and practicality of the prepaid industry as a
modern payment method for the underserved and population at large.206 In
response, Congress and the Board have regulated several popular prepaid
products, including EBT transfers,207 payroll card accounts,208 and gift
cards.209
However, uncertainty about whether the EFTA and Regulation E
currently apply to prepaid debit cards has caused considerable confusion.210
In fact, the Board has even suggested that prepaid debit cards may already
fall within the purview of Regulation E.211
To ensure the security and support the legitimacy of this growing
financial industry, the Board must provide clarification. The most effective
way to achieve this result is to explicitly extend Regulation E to prepaid
debit cards. Specifically, the Board should amend the definition of
“account,” as was most recently done to incorporate payroll accounts, and
adopt a new section to Regulation E that specifies the protections and
modified requirements for prepaid debit cards.
A. EXTENDING REGULATION E TO PREPAID DEBIT CARDS
Amending Regulation E to redefine “account” to include “prepaid debit
account” would provide much needed clarity as to how prepaid debit cards
are protected by Regulation E and the EFTA.212 Gail Hillebrand has
suggested amending the definition of “account” to include:
[A] ‘spending account,’ which is an account that is directly or indirectly
established by the consumer and to which prepayments on behalf of the
consumer by the consumer or by others, including but not limited to loan
204. Id. § 1693(b).
205. See id. § 1693b. The Board has determined that the legislative history of the EFTA
provides broad guidance as to the Board’s regulatory authority for determining issues of coverage
of prepaid cards. See Electronic Fund Transfers, 61 Fed. Reg. 19,696, 19,696 (May 2, 1996).
206. Woods, supra note 138, at 815.
207. Electronic Fund Transfers (Regulation E), 12 C.F.R. § 205.15 (2009).
208. Id. § 205.18.
209. Credit CARD Act of 2009, 15 U.S.C.A. § 1693l-1 (West 2010); 12 C.F.R. §§ 205.15,
205.18.
210. Ramasastry, supra note 148, at 815–16.
211. See Electronic Fund Transfers, 61 Fed. Reg. at 19,699. In proposed rules issued in 1996,
the Board considered extending Regulation E to three categories of prepaid cards, including “on-line” stored value cards, which operate through on-line access to a remote database to access
account data and authorize transactions. Id. At that time, the Board believed that these cards
“me[t] the definition of a consumer asset account, and thus [were] covered by Regulation E.” Id.
Nevertheless, the Board proposed modified rules for these cards that were never adopted. Id. at
19,702.
212. Hillebrand, supra note 126, at 795.
proceeds or tax refunds, of an amount greater than $250 in any calendar
year may be made or to which recurring electronic fund transfers may be
made by or at the discretion of the consumer, or from which electronic
fund transfers may be made at the discretion of the consumer. . . . This
definition shall include all accounts into which funds are placed at the
discretion of the consumer that meet the conditions of this definition,
whether or not the account is held in the name of the consumer or the
name of another entity. For purposes of this definition, a spending account
is an account that holds funds that are transferred into the account by the
consumer or by an entity who owes those funds to the consumer, even if
the funds in the account are held in a pooled fashion in the name of
another.213
Ms. Hillebrand’s proposal is closely based on the amendment to
Regulation E incorporating payroll accounts.214 This hypothetical definition
extends the protections of Regulation E to a broad range of “prepaid stored-value cards.”215
However, a narrower definition of account—focused specifically on
prepaid debit card accounts—is more likely to win the support of the Board.
First, the Board has regularly chosen to make incremental modifications to
Regulation E rather than comprehensive changes.216 Second, regulation of
prepaid debit cards is more urgent as the industry continues to grow,
particularly among underserved users.217 Finally, discretion should be left
to the Board to determine the dollar threshold that triggers the protections
of Regulation E. Accordingly, the proposed amendment to the definition of
“account” in hypothetical 12 C.F.R. § 205.2(b)(4) should be:
The term ‘account’ includes a ‘prepaid debit card account’ which is an
account that is established by a consumer and to which electronic fund
transfers, constituting prefunded value, are made on a recurring basis by or
on behalf of the consumer that may be accessed only through use of a card
at the discretion of the consumer, whether the account is held directly or
indirectly by a financial institution.
The Board should also amend the definition of “financial institution” to
include “any person that, directly or indirectly, holds a [prepaid debit
account], or that issues a card to a consumer for use in obtaining cash or
purchasing goods or services by accessing such an account.”218
213. Id. at 796.
214. Id.; see also 12 C.F.R. § 205.2(b)(2) (2009).
215. Hillebrand, supra note 126, at 795.
216. See supra Part IV (discussing amendments made by the Board to other prepaid products).
217. See Walker, supra note 7.
218. Electronic Fund Transfers, 61 Fed. Reg. 19,696, 19,704 (May 2, 1996).
Certain fee limitations, similar to those that now cover gift cards, gift
certificates, and general-use prepaid cards,219 should also be adopted by the
Board and applied to prepaid debit cards.
Furthermore, issuing financial institutions should be permitted to
provide modified disclosures, similar to exceptions adopted for EBT
transfers, payroll card accounts, and gift cards, gift certificates, and general-use prepaid cards, including account information disclosure and error
resolution notice.220
Finally, in adopting a new section of Regulation E, the Board should
exempt prepaid debit cards from particular compliance requirements to
address concerns about the economic costs of regulatory compliance.221
Rather than requiring periodic statements that detail account activity, an
issuer should be required to provide account balances and account histories
online or by telephone, and provide written histories only upon consumers’
request.222
B. OPPOSITION TO BOARD ACTION
The Board has been reluctant to extend the protections of Regulation E
to prepaid debit cards despite considering action several times.223 Rather,
the Board has acceded to the opposition of issuers, brand networks, and
other industry participants—those profiting from prepaid debit cards rather
than those consuming them.224 Today’s arguments against regulating
prepaid debit cards are not novel. In fact, these arguments have been raised
219. See 12 C.F.R. § 205.2(d).
220. See id. §§ 205.15(d), 205.18(c), Appendix A-7(a)–(b).
221. See Ramasastry, supra note 148, at 842. In the 1996 proposed rules, the Board
recommended to exempt on-line stored value systems completely from coverage if the maximum
amount that could be prefunded on the card was limited to $100. Electronic Fund Transfers, 61
Fed. Reg. at 19,703. The justification for this de minimis exemption was quite practical. If the
value associated with a card is limited to a small amount, the cost of Regulation E compliance
would be disproportionately greater. See id. at 19,701 (“For a stored value product limited to a
relatively small amount of funds, the amount at risk would be sufficiently minimal that application
of even modified Regulation E prosecutions appears unnecessary.”). However, this proposal was
based upon the Board’s determination that on-line stored value systems included non-reloadable
products. Id. at 19,702 (“In some on-line stored-value systems, cards are not reloadable. . . .”).
Since it would be an impossibility to determine whether a consumer would, over the course of a
prepaid debit card’s use, pre-load at least $100 on the card, it is impractical to apply this de
minimis exemption for prepaid debit cards.
222. The Board proposed an exemption from the periodic statement requirement for all
reloadable on-line stored-value cards based on the assumption that since the value is only
accessible through the card itself, periodic statements are not necessary because the consumer will
receive a receipt for each transaction. Electronic Fund Transfers, 61 Fed. Reg. at 19,702. A similar
modification has been adopted for EBT transfers and payroll card accounts, and therefore, seems
appropriate and not unduly burdensome for issuers of prepaid debit cards as well. See 12 C.F.R. §
205.15.
223. Ramasastry, supra note 148, at 835–36.
224. See Furletti, Prepaid Card Markets, supra note 32, at 14.
for over a decade, since the Board first considered widespread regulation of
the prepaid industry.225
The linchpin of the prepaid industry’s argument against extending
federal regulation has been on the grounds that compliance with Regulation
E will be too costly and will stifle product development.226 In particular,
issuers are concerned that Regulation E’s account balance and history
statements requirements are unduly burdensome.227 However, issuers’ fears
may be quelled by the fact that any previous extensions implemented by the
Board applied modified disclosure requirements.228 In addition to concerns
about cost, the industry has voiced strong opposition on the grounds that
regulation will curb development of this relatively young product.229 This
argument is enhanced by a belief that regulations developed in a different
time and context cannot be appropriately applied to regulate prepaid debit
cards.230
Nevertheless, regulation is crucial at this time. Although prepaid debit
cards are considered to be in their infancy—particularly when compared to
closed-loop systems, which date back to the 1970s231 and the initial open-loop systems introduced in the mid-1990s232—the prepaid debit card
industry has flourished, and according to industry researchers, will have
more than doubled in volume in 2010 from 2008 totals.233 The industry is
ripe for regulation.
Issuers and providers also often assert that regulation is unnecessary
because the brand networks, like Visa and MasterCard, have “voluntarily”
adopted “zero liability” policies and error resolution procedures that protect
prepaid debit card consumers.234 However, these voluntary policies are
arbitrarily applied, limited in scope, and provide less than adequate
225. See id.
226. See FURLETTI, HOW DO THEY FUNCTION?, supra note 77, at 16 (“The industry argued
against the proposal for fear that it would halt the development of prepaid products.”).
227. See Furletti, Prepaid Card Markets, supra note 32, at 14 (“If issuers were forced to adhere
to certain sections of Regulation E and . . . mail monthly statements to prepaid card customers and
provide liability protections . . . [then] many current prepaid business models [might not] be
profitable.”).
228. See 12 C.F.R § 205.15(d) (applying modified disclosure requirements to EBT transfers of
government benefits); 12 C.F.R. § 205.18(b) (2009) (applying modified disclosure requirements to
Payroll Accounts).
229. See Consumer Advisory Council, Transcript of the Consumer Advisory Council Meeting
48 (Mar. 30, 2006), available at http://www.federalreserve.gov/aboutthefed/cac/cac_20060330.htm#efta (testimony of member Joshua Peirez).
230. See id. (“[T]aking regulation set that’s developed in one context and applying it wholesale
to brand new products that were not even envisioned at the time that the regulation was written is
not always the best way to go.”).
231. DiSanto, supra note 46, at 23.
232. Id.
233. Flanigan, supra note 12.
234. See Letter from Gail Hillebrand et al., Consumer Union, to Jennifer L. Johnson, Sec’y, Bd.
of Governors of the Fed. Reserve Sys. (Oct. 28, 2004), available at http://www.consumersunion.org/pdf/payroll1004.pdf.
protection for consumers affected by lost or stolen cards and unauthorized
use.235
Along a similar vein, some industry officials have argued that fees have
been declining.236 A recent industry-sponsored study found that some cards,
including those marketed by Green Dot, Wal-Mart, and NetSpend, compare
favorably against the costs of traditional checking accounts, defying many
of the negative misconceptions associated with prepaid debit cards.237
Nevertheless, a failure to regulate has left consumers paying arbitrary and
egregious fees that they neither expect nor understand.238
C. CONGRESSIONAL ACTION: AMENDING THE EFTA
Despite the Board’s powerful grant of regulatory authority, it has
continued to succumb to industry pressures,239 taking a piecemeal approach
to regulating the prepaid card industry.240 Therefore, it may become
necessary for Congress to reconsider its original objective in passing the
EFTA—protecting consumer rights241—and take matters into its own hands.
This is a course of action it recently followed in passing the Credit CARD
Act. Congressional reluctance to regulate some forms of prepaid payment
methods may be clear from the narrow definition attributed to “general-use
prepaid cards” in the Credit CARD Act.242 However, Congress may still
determine that prepaid debit cards must be regulated, particularly in light of
their increasing popularity and attention. Congressional action should come
in the form of amending the EFTA’s definition of “account.” Under this
amendment, “account” should include “all methods of holding funds that a
consumer has provided, or directed to be provided, for the purpose of
funding a card or other payment device similar in function to a debit
card.”243 Congress has clearly indicated its concern for the protection of
consumers’ use of electronic fund transfer system.244 If Congress takes this
235. Id. For example, MasterCard’s policy limits protections only to customers who have an
account in good standing, “have exercised reasonable care in safeguarding [their] card [against]
any unauthorized use,” and it does not apply if there are more than two instances of theft or
unauthorized use of a card in one year. MasterCard Zero Liability: Zero Liability Protection for
Lost & Stolen Cards, MASTERCARD.COM, http://www.mastercard.com/us/personal/en/cardholderservices/zeroliability.html (last visited Dec. 19, 2009).
236. Martin, supra note 72.
237. BRETTON WOODS, INC., PAYMENT SYSTEMS EVOLUTION AND BRANDED PREPAID CARD
ANALYSIS © 5 (2009), available at http://wenku.baidu.com/view/a4ad971ec5da50e2524d7ff9.html.
238. See FED. RES. BANK OF N.Y., Stored Value Cards, supra note 8.
239. See Furletti, Prepaid Card Markets, supra note 32, at 14.
240. See supra Part IV (discussing current regulatory approaches to regulating the prepaid card
industry).
241. Electronic Fund Transfer Act of 1978, 15 U.S.C. 1693(a) (2006).
242. See Credit Card Act of 2009, 15 U.S.C.A. § 1693l-1(a)(2)(A) (West 2010).
243. Hillebrand, supra note 126, at 796.
244. See 15 U.S.C. § 1693(a).
action, the Board will be forced, under the EFTA, to comply and issue
conforming amendments to Regulation E.
VII. CONCLUSION
The prepaid debit card industry is “at an inflection point.”245
Unfortunately, consumers—particularly the underserved—who purchase
such cards as an account substitute remain unaware that this “prepaid
product may be distinctly second rate in terms of the clarity, and perhaps
the existence, of [] essential consumer protections.”246 As the underserved
population multiplies in the current economic crisis and the marketplace for
prepaid debit cards continues to reflect this growth, the need for consumer
protection resounds even more. In light of the increasing popularity of
prepaid debit cards, federal laws and regulations must be extended to
protect the nation’s most vulnerable consumers.
Ari M. Cohen*
245. Flanigan, supra note 12 (quoting Mark Troughton, President of Cards and Networks at
Green Dot).
246. Hillebrand, supra note 126, at 794.
* B.A., University of Michigan, 2005; J.D., Candidate, Brooklyn Law School, 2011;
Executive Notes and Comments Editor, Brooklyn Journal of Corporate, Financial & Commercial
Law. I am grateful to the members of the Brooklyn Journal of Corporate, Financial & Commercial
Law, particularly Robert Marko and Steven Bentsianov for their work on this note. I wish to thank
Angie for her support and patience throughout this process and law school. Finally, I wish to
thank my parents, Alan and Joni Cohen, for their love, encouragement, and inspiration.
BANKRUPTCY SECTION 363(b) SALES:
MARKET TEST PROCEDURES AND
HEIGHTENED SCRUTINY OF EXPEDITED
SALES MAY PREVENT ABUSES AND
SAFEGUARD CREDITORS WITHOUT
LIMITING THE POWER OF THE COURTS
INTRODUCTION
On April 30, 2009, Chrysler LLC filed for Chapter 11 bankruptcy
protection after failing to reach an agreement with lenders to restructure its
debt.1 President Barack H. Obama promised a quick bankruptcy process,
with one senior official predicting that the process could be completed
within thirty to sixty days.2 The government’s promises were fulfilled on
May 31, 2009, when Southern District of New York Bankruptcy Court
Judge Arthur Gonzalez issued a decision approving a sale of the
corporation’s main business assets to a newly formed entity, “New
Chrysler.”3 After an expedited appeal, the Second Circuit Court of Appeals
issued a bench decision affirming the Bankruptcy Court on June 5, 2009,
and released a full written decision two months later.4 Later that year,
Chrysler’s “Big Three”5 brother, General Motors Corp., filed for Chapter
11.6 Similar to Chrysler, General Motors’ path through bankruptcy took
approximately one month.7 As was the case in Chrysler,8 the debtor in
General Motors, with the approval and order of the Court, used Bankruptcy
Code (the Code) § 363(b)9 to sell the General Motors assets to a new entity,
“New General Motors.”10 Further, in both cases, the federal government
was highly involved, with the Treasury Department (Treasury) providing
financing for the bankruptcies and the government—along with the United
Auto Workers Union—acquiring ownership of a large portion of the new
entities.11
1. See In re Chrysler LLC (Chrysler I), 405 B.R. 84, 87–88 (Bankr. S.D.N.Y. 2009).
2. Chris Isidore, Chrysler Files For Bankruptcy, CNNMONEY.com, May 1, 2009,
http://money.cnn.com/2009/04/30/news/companies/chrysler_bankruptcy/index.html.
3. In re Chrysler I, 405 B.R. at 84–92, 113.
4. In re Chrysler LLC (Chrysler II), 576 F.3d 108, 109, 127 (2d Cir. 2009).
5. The “Big Three” refers to the three major American automotive companies: General
Motors, Ford, and Chrysler.
6. In re General Motors Corp., 407 B.R. 463, 479 (Bankr. S.D.N.Y. 2009) (“On June 1, 2009
. . . GM filed its chapter 11 petition in this court.”).
7. See id. at 520 (approving the 363(b) sale of the assets of General Motors to a purchaser
“New GM” on Sunday, July 5, 2009).
8. See Chrysler I, 405 B.R. at 87.
9. 11 U.S.C. § 363(b) (2006); discussion infra Part II.
10. In re General Motors, 407 B.R. at 473.
11. Mike Ramsey & Lizzie O’Leary, Fiat Said to Buy Chrysler Assets Today to Form New
Automaker, BLOOMBERG.COM, June 10, 2009, http://www.bloomberg.com/apps/news?pid=newsarchive&sid=aAB9jCmPBUQU (“Chrysler Group LLC, will be owned 20 percent by Turin, Italy-based Fiat, 9.85 percent by the U.S., 2.46 percent by Canada and 67.69 percent by a United Auto
Workers union retiree health care trust fund. The U.S. and Canadian governments financed the
sale with $2 billion.”); Emily Chasan & Phil Wahba, GM Asks for Bankruptcy Sale in 30 Days,
REUTERS, June 1, 2009, available at http://www.reuters.com/article/businessNews/idUSTRE5507X420090601 (“Under a government-backed restructuring plan, the Obama administration
would take a 60 percent stake in the newly-formed company made up of GM’s most profitable
assets. The UAW would have a 17.5 percent stake, the Canadian government would own about 12
percent and GM bondholders would receive about 10 percent.”).
In all likelihood, neither General Motors nor Chrysler could have
survived a long, drawn-out bankruptcy process.12 Some commentators
argue the short processes and use of § 363(b) sales were vital to prevent the
companies’ collapse and a resulting loss of the production, jobs, and
stability that they provide.13 However, even if the quick sale of the two auto
giants was the correct and legal course of action, questions remain as to
whether the Chrysler and General Motors cases will serve as precedent for
a more liberal use of these expedited sales procedures.14 Further, if the use
of § 363(b) sales does increase, what consequences await? And if these
consequences are negative or undesirable, can anything be done to mitigate
them while preserving the flexibility and benefits the use of such sales
provides bankruptcy judges and filers alike?
Despite the many conveniences and benefits of § 363(b) sales,
additional procedural safeguards should be put in place to prevent abuses
from occurring. This note proposes a robust market test for § 363(b) sales
that requires: 1) disclosure of sales terms; 2) adequate time for market
players to bid on the asset; and 3) centralized review of competing bids.
12. See generally Stephen J. Lubben, No Big Deal: The GM and Chrysler Cases in Context, 83
AM. BANKR. L.J. 531, 544 (2009) (noting that “liquidating a company the size of Chrysler would
have cost millions of dollars”). The U.S. Treasury and Canadian government officials also wanted
an “expedited” process to “preserve the value of the business, restore consumer confidences, and
avoid the costs of a lengthy chapter 11 process.” Id. at 536–37.
13. See A. Joseph Warburton, Understanding the Bankruptcies of Chrysler and General
Motors: a Primer, 60 SYRACUSE L. REV. 531, 567–68 (2010) (discussing the rapid erosion of
assets and “going concern value” of Chrysler LLC in the Chrysler case). As of early 2009,
“General Motors employed approximately 235,000 employees worldwide” and had assets of $82
billion. In re General Motors, 407 B.R. at 475. Chrysler employed approximately 55,000
employees and had revenue of nearly $50 billion for the year prior to its bankruptcy petition. In re
Chrysler LLC (Chrysler I), 405 B.R. 84, 88–89 (Bankr. S.D.N.Y. 2009).
14. Multiple commentators have questioned the state of bankruptcy law after General Motors
and Chrysler. See, e.g., Barry E. Adler, A Reassessment of Bankruptcy Reorganization After
Chrysler and General Motors, 18 AM. BANKR. INST. L. REV. 305, 305 (2010).
The recent bankruptcy cases of Chrysler and General Motors were successful in that
they quickly removed assets from the burden of unmanageable debt amidst a global
recession, but the price of this achievement was unnecessarily high because the cases
established or buttressed precedent for the disregard of creditor rights. As a result, the
automaker bankruptcies may usher in a period where the threat of insolvency will
increase the cost of capital in an economy where affordable credit is sorely needed.
Id.; Robert M. Fishman & Gordon E. Gouveia, What's Driving Section 363 Sales After Chrysler
and General Motors?, 19 NORTON. J. BANKR. L. & PRAC. 4, Art. 2 (2010) (“Do the Chrysler and
General Motors cases represent a new paradigm in which preserving going concern value and jobs
take precedence over the protections that Chapter 11 has traditionally afforded to creditors?”)
(citations omitted).
Additionally, where “time is of the essence” and a market test is either
impossible or impractical, heightened judicial review should substitute for
such a test. Part I of this note provides the history of pre-confirmation asset
sales in bankruptcy proceedings. Part II compares § 363(b) sales with
bankruptcy reorganization plan confirmations and analyzes the benefits and
detriments of each. Part III proposes a robust market test procedure to be
implemented in § 363(b) sales and heightened scrutiny for “time is of the
essence” sales, where a robust market test is impossible. The note concludes
by explaining the significance and drawbacks of this proposal and what
future problems may arise in § 363(b) sales.
I. HISTORY OF THE BANKRUPTCY PRE-CONFIRMATION
ASSET SALE
Section 363(b), used in both Chrysler and General Motors, provides a
means by which a bankruptcy judge can order a company to sell assets
before a bankruptcy plan confirmation is reached.15 The procedure involves
a showing of cause for the sale and courts allow creditors the opportunity to
object.16 The use of these pre-confirmation sales is expressly provided for in
11 U.S.C. § 363(b), enacted in 1978.17 The provisions of this section of the
Code apply equally to a debtor in possession (DIP or debtor) as they do to a
trustee.18 Additionally, the “other than in the ordinary course of business”
clause has been read broadly to allow sales of entire business entities.19
Section 363(b) sales have been used in some of the largest and most
well-known bankruptcies, including those of Enron and the two recent
15. 11 U.S.C. § 363(b) (2006).
16. Id.
17. 11 U.S.C. § 363(b)(1) states the following:
(b)(1) The trustee, after notice and a hearing, may use, sell, or lease, other than in the
ordinary course of business, property of the estate, . . .
(B) after appointment of a consumer privacy ombudsman in accordance with
section 332, and after notice and a hearing, the court approves such sale or
such lease—
(i) giving due consideration to the facts, circumstances, and conditions of
such sale or such lease; and
(ii) finding that no showing was made that such sale or such lease would
violate applicable nonbankruptcy law.
Id.
18. For the purposes of § 363, the debtor in possession enjoys the same rights and benefits
under the Code as those prescribed to the trustee. See 11 U.S.C. §§ 363, 1107, 1108 (2006).
19. See, e.g., In re General Motors Corp., 407 B.R. 463, 489–90 (Bankr. S.D.N.Y. 2009); In re
Chrysler LLC (Chrysler I), 405 B.R. 84, 94 (Bankr. S.D.N.Y. 2009); In re Torch Offshore, Inc.,
327 B.R. 254 (E.D. La. 2005).
244
BROOK. J. CORP. FIN. & COM. L.
[Vol. 5
automotive manufacturer bankruptcies.20 Academic appraisal of § 363(b)
sales has varied, with some advocating for their use as a model to which all
large bankruptcies should aspire,21 while others have criticized the use of
such sales, claiming that they subvert the bankruptcy system and are ripe
for abuse.22
Expedited pre-confirmation sales procedures have a long history in
American bankruptcy law, with statutory authority for such sales enacted as
early as 1867.23 The evolution of § 363(b) sales since that time provides
meaningful insight into the drafters’ purpose and intent in crafting the
procedures for these sales.
A. PRE-CONFIRMATION SALE OF ASSETS IN
BANKRUPTCY PRIOR TO THE 1978 BANKRUPTCY CODE
The Bankruptcy Act of 1867 provided that the court may order the sale
of the estate of the debtor if it finds that it “is of a perishable nature, or
liable to deteriorate in value . . . .”24 The Second Circuit, in 1913, held that
the concept of “perishable” was not only limited to the physical nature of
the object but also to the price of the object.25 The Ninth Circuit, using as a
standard for determining the validity of a sale the deterioration of monetary
value as well as physical deterioration, reached the same result twenty years
later in Hill v. Douglass, upholding the sale of road-making equipment to
prevent repossession.26
20. See, e.g., Chrysler I, 405 B.R. at 113; In re General Motors, 407 B.R. at 520; In re Enron
Corp., 291 B.R. 39, 40 (S.D.N.Y. 2003); see also The 10 Largest U.S. Bankruptcies,
CNNMONEY.COM, http://money.cnn.com/galleries/2009/fortune/0905/gallery.largest_bankruptcies.fortune/index.html (last visited Dec. 30, 2010).
21. See, e.g., Harvey R. Miller & Shai Y. Waisman, Does Chapter 11 Reorganization Remain
a Viable Option for Distressed Businesses for the Twenty-First Century?, 78 AM. BANKR. L.J. 153
(2004); Bryant P. Lee, Note, Chapter 18? Imagining Future Uses of 11 U.S.C. § 363 to
Accomplish Chapter 7 Liquidation Goals in Chapter 11 Reorganizations, 2009 COLUM. BUS. L.
REV. 520.
22. E.g., Lynn M. LoPucki & Joseph W. Doherty, Bankruptcy Fire Sales, 106 MICH. L. REV.
1, 13 (2007); Chad P. Pugatch, Craig A. Pugatch & Travis Vaughan, The Lost Art of Chapter 11
Reorganization, 19 U. FLA. J.L. & PUB. POL’Y 39, 58 (2008); Craig A. Sloane, The Sub Rosa Plan
of Reorganization: Side-Stepping Creditor Protections in Chapter 11, 16 BANKR. DEV. J. 37, 63
(1999); Elizabeth B. Rose, Note, Chocolate, Flowers, and § 363(b): The Opportunity for
Sweetheart Deals Without Chapter 11 Protections, 23 EMORY BANKR. DEV. J. 249, 249 (2006)
(citing Administration of Large Business Bankruptcy Reorganizations: Has Competition for Big
Cases Corrupted the Bankruptcy System?: Hearing Before the Subcomm. on Commercial and
Admin. Law of the H. Comm. on the Judiciary, 108th Cong. 15 (2004) (statement of Lynn M.
LoPucki)).
23. See Bankruptcy Act of 1867, ch. 176, 14 Stat. 517, 528 (1867).
24. Id.
25. In re Pedlow, 209 F. 841, 842 (2d Cir. 1913).
26. Hill v. Douglass, 78 F.2d 851, 854 (9th Cir. 1935).
It will be conceded that road-making equipment is not within the ordinary concept of
perishable property. Yet the courts have been liberal in their construction of this term
and have held it to include not only that which may deteriorate physically, but that
which is liable to deteriorate in price and value.
Id. (citing In re Pedlow, 209 F. 841 (2d Cir. 1913); In re Inter-City Trust, 295 F. 495, 497 (9th
Cir. 1924)).
In the Chandler Act of 1938 (the Chandler Act), the immediate
precursor to the current Code, § 116(3) provided that a sale could be
ordered “upon cause shown.”27 This standard was generally read as an
extension of the “perishable” concept that existed prior to the Chandler Act
and pre-confirmation sales persisted as the exceptional remedy.28 The
circuit courts split in their approach to the validity of sales pursuant to §
116(3) of the Chandler Act.29 The Second Circuit took a broad view of the
statute and, in Frank v. Drinc-O-Matic, Inc., gave the bankruptcy judge
wide discretion in ordering such sales by adopting an abuse of discretion
standard.30 In subsequent cases, the court found that varying conditions
such as inability of a debtor to redeem property, failure to pass a plan of
reorganization, and the wasting away of an asset were appropriate
conditions for the ordering of a pre-confirmation sale.31
Not all circuits liberally interpreted the Chandler Act.32 The Third
Circuit, in In re Solar Mfg. Corp., limited the use of § 116(3) procedures to
“emergency” situations, involving an “imminent” loss of assets.33 That
reasoning was even adopted, albeit for only a short period of time, by the
Second Circuit in In re Pure Penn Petroleum Co., where the court required
a showing of imminent loss to effectuate a sale.34 However, from the 1950s
27. See In re Lionel Corp., 722 F.2d 1063, 1067–68 (2d Cir. 1983) (citing the Chandler Act of
1938, ch. 575, 52 Stat. 883 (1938)).
28. See id. at 1066–67.
29. Compare In re Sire Plan Inc., 332 F.2d 497, 499 (2d Cir. 1964) (approving a sale where
the hotel, at the time a skeletal frame, was wasting away), In re Marathon Foundry and Machine
Co., 228 F.2d 594, 598 (7th Cir. 1955) (approving the sale of stock where trustee had insufficient
assets to redeem the stock), and Frank v. Drinc-O-Matic, 136 F.2d 906, 906 (2d Cir. 1943)
(approving sale of vending machines where machines were encumbered by liens and trustee had
insufficient funds to redeem machines), with In re Solar Mfg. Corp., 176 F.2d 493, 494 (3d Cir.
1949) (denying the sale of business despite record losses and deterioration of real estate values
because the sale did not meet “emergency” requirements).
30. See Frank, 136 F.2d at 906.
31. See In re Equity Funding Corp. of America, 492 F.2d 793, 794 (9th Cir. 1974) (“[T]he
market value of Liberty was likely to deteriorate in the near future . . . .”); In re Sire, 332 F.2d at
499 (“[T]he Trustees’ evidence demonstrated at hearing [that] the partially constructed building is
a ‘wasting asset.’”); In re Marathon, 228 F.2d at 594 (“The trustees had not sufficient funds with
which to redeem the pledged stock.”); Frank, 136 F.2d at 906 (“The trustee had no funds with
which to redeem the machines, and after six months no plan of reorganization had been
proposed.”).
32. See, e.g., Solar Mfg., 176 F.2d at 494–95.
33. Id.
34. In re Pure Penn Petroleum Co., 188 F.2d 851, 854 (2d Cir. 1951) (“The debtor here,
therefore, was obliged to allege and had the burden of proving the existence of an emergency
involving imminent danger of loss of the assets if they were not promptly sold.”). The emergency
requirement was then replaced only thirteen years later by the “best interest” test. In re Sire, 332
F.2d at 497.
on, courts began to uphold more sales in which the sale was justified as in
the “best interest of the [] estate”;35 circumstances that warranted the order
of a sale included a likely fall in market value, heavy interest charges and
deteriorating stock value.36
Despite the removal of the “perishability” term from the Bankruptcy
Act, the circumstances of the above cases indicated that the “perishability”
standard remained in place after the adoption of the Chandler Act, whether
through the “emergency” or “best interest of the estate” standards.37
B. 1978 BANKRUPTCY CODE, SECTION 363(b) SALES
PROCEDURES
The current Bankruptcy Code was enacted in 1978 and became
effective for all cases filed after October 1, 1979.38 The Code amended and
replaced the Bankruptcy Act.39 The Code provided a bankruptcy judge with
the power to order a sale of the debtor’s assets under §§ 363(b) and 363(f).40
Section 363(b) gave statutory strength to the use of such sales without the
“perishable” standard of the 1867 act or the “upon cause shown” standard
of the Chandler Act, requiring only “notice and a hearing” to effectuate a
sale.41 This language, which was more relaxed than the prior enactments,
provided little guidance as to the circumstances under which a sale may be
approved, or what the procedural safeguards of “notice and a hearing”
provided for creditors opposed to the sale actually required.42
C. IN RE WHITE MOTOR CREDIT CORP. AND THE
“EMERGENCY” DOCTRINE
In In re White Motor Credit Corp., the bankruptcy court interpreted the
newly promulgated Code43 as not authorizing a “sale of all or substantially
all assets of the estate.”44 However, the court “left the [former] ‘emergency’
35. See, e.g., In re Equity Funding, 492 F.2d at 794 (“[T]he proposed sale would be in the best
interest of the bankrupt estate. Based upon these findings, which are not clearly erroneous, the
trial court could properly conclude that there was ‘cause shown’ for the approval pursuant to 11
U.S.C. § 516(3).”); Frank, 136 F.2d at 906 (approving sales after concluding that it was “desirable
for debtor”).
36. See In re Sire, 332 F.2d at 499 (wasting asset likely to deteriorate in value); In re Equity
Funding, 492 F.2d at 794 (declining value of stock held by trustee); In re Marathon, 228 F.2d at
598–99 (discussing how interest charges prevented debtor from being able to redeem stock).
37. In re Lionel Corp., 722 F.2d 1063, 1069 (2d Cir. 1983).
38. Bankruptcy Reform Act of 1978, Pub. L. No. 95-598, 92 Stat. 2549 (codified as amended
at 11 U.S.C.).
39. See id.
40. See 11 U.S.C. § 363(b), (f) (2006).
41. Id.
42. See, e.g., In re Lionel, 722 F.2d at 1069; In re Braniff Airways, Inc., 700 F.2d 935, 940
(5th Cir. 1983).
43. See 11 U.S.C. § 363(b).
44. In re White Motor Credit Corp., 14 B.R. 584, 590 (Bankr. N.D. Ohio 1981).
exception45 intact . . . .”46 The court concluded that an imminent loss of $40
million in the value of assets of the estate provided the necessary showing
of an “emergency” to approve a sale of the assets.47 This decision appeared
to severely limit courts’ ability to order pre-confirmation sales and to
undermine the broad language of the Code.48 However, subsequent opinions
would expand and more clearly define the extent to which bankruptcy
courts could approve pre-confirmation sales.49
D. IN RE LIONEL CORP. AND THE “GOOD BUSINESS
REASON” STANDARD
Despite the absence of guiding language in § 363(b), the Second
Circuit, in In re Lionel Corp., found that the Code’s legislative history
suggested that the framers intended to require a trustee or debtor to justify
the use of a pre-confirmation sale.50 However, the court stated that the
“perishability” and “emergency” standards that were formerly employed
were no longer required.51 The court held that to properly order a sale
pursuant to § 363(b), a “good business reason” for such an order must be
provided before the confirmation of a plan of reorganization.52 The court
listed the following factors as persuasive in finding a business justification
for the sale of assets:
[T]he proportionate value of the asset to the estate as a whole, the amount
of elapsed time since the filing, the likelihood that a plan of reorganization
will be proposed and confirmed in the near future, the effect of the
proposed disposition on future plans of reorganization, the proceeds to be
obtained from the disposition vis-a-vis any appraisals of the property,
which of the alternatives of use, sale or lease the proposal envisions and,
most importantly perhaps, whether the asset is increasing or decreasing in
value.53
The court found that the underlying asset in the case—stock owned by
the corporation—was not wasting, nor was there an “emergency” requiring
its sale.54 The panel held the sale improper, even though it applied the
45. See discussion supra Part I.A.
46. See In re White Motor, 14 B.R. at 590.
47. See id.
48. See generally In re White Motor, 14 B.R. 584; see also 11 U.S.C. § 363(b).
49. See In re Lionel Corp., 722 F.2d 1063, 1071 (2d Cir. 1983); In re Braniff Airways, Inc.,
700 F.2d 935, 940 (5th Cir. 1983).
50. See In re Lionel, 722 F.2d at 1069 (“the statute requires notice and a hearing, and these
procedural safeguards would be meaningless absent a further requirement that reasons be given
for whatever determination is made . . . .”).
51. See id.
52. Id. at 1071.
53. Id.
54. See id. at 1071–72.
highly deferential abuse of discretion standard.55 The court continued that
although it sympathized with the bankruptcy court’s desire to expedite the
proceedings, “‘[t]he need for expedition, however, is not a justification for
abandoning proper standards.’”56 Although the Lionel court found no
business justification in the case, the decision’s central holding—that a
debtor or trustee attempting to use a § 363(b) sale must provide business
justification for the sale57—has provided precedential support for a
broadening of the bankruptcy courts’ power to authorize such sales.58 Lionel
is currently the standard under which proposed § 363(b) sales are judged.
In the Chrysler bankruptcy, the court justified the § 363(b) sale by
finding that Chrysler was an asset wasting away in bankruptcy.59 Chrysler
was shutting down factories and required immense funding merely to
sustain operations, and Fiat—the only available purchaser for Chrysler—
insisted that the sale be completed within a certain period of time.60 In
General Motors, the fact that the government predicated its financing on the
consummation of a quick § 363(b) sale provided a sufficiently “good
business reason” to justify the sale.61 This type of “time is of the essence”
justification may be invoked by a debtor requesting that the court approve a
sale before the purchaser is able to pull out of the agreement.62
55. See id.
56. Id. at 1071 (quoting Protective Comm. for Indep. Stockholders of TMT Trailer Ferry, Inc.
v. Anderson, 390 U.S. 414, 450 (1968)).
57. Id.
58. See, e.g., In re General Motors, 407 B.R. 463 (Bankr. S.D.N.Y. 2009); In re Chrysler LLC
(Chrysler I), 405 B.R. 84 (Bankr. S.D.N.Y. 2009); In re Global Crossing Ltd., 295 B.R. 726
(Bankr. S.D.N.Y. 2003); In re Medical Software Solutions, 286 B.R. 431 (Bankr. S.D.N.Y. 2002).
59. See Chrysler I, 405 B.R. at 96.
60. See id. at 96–97.
The Governmental Entities, the funding sources for the Fiat Transaction, have
emphasized that the financing offered is contingent upon a sale closing quickly.
Moreover, if a sale has not closed by June 15th, Fiat could withdraw its commitment.
Thus, the Debtors were confronted with either (a) a potential liquidation of their assets
which would result in closing of plants and layoffs, impacting suppliers, dealers,
workers and retirees, or (b) a government-backed purchase of the sale of their assets
which allowed the purchaser to negotiate terms with suppliers, vendors, dealerships and
workers to satisfy whatever obligations were owed to these constituencies.
Id.
61. See In re General Motors, 407 B.R. at 480.
To facilitate the process, the U.S. Treasury and the governments of Canada and
Ontario (through their Export Development Canada (‘EDC’)) agreed to provide DIP
financing for GM through the chapter 11 process. But they would provide the DIP
financing only if the sale of the purchased assets occurred on an expedited basis.
Id. (emphasis in original).
62. See Michael J. de la Merced, U.S. Court of Appeals Upholds Chrysler Sale to Fiat, N.Y.
TIMES, June 6, 2009, at B2 (“Lawyers for Chrysler and the government argued that the sale to Fiat
needed to be completed as quickly as possible to preserve its viability and to save thousands of
jobs. Fiat can walk away if no agreement is struck by June 15.”).
E. IN RE BRANIFF AIRWAYS, INC. AND THE SUB ROSA
OBJECTION
Decided the same year as Lionel, In re Braniff provided that a § 363(b)
sale that distributes assets among creditors was inappropriate and
constituted a sub rosa plan that attempted to bypass the protections of
Chapter 11 plan confirmation proceedings.63 In Braniff, the debtor
attempted to sell its property—which included airplane leases, equipment,
terminal leases, airport slots, and other assets—to a new entity, PSA,64 in
exchange for rights to travel on PSA that would be allocated to former
creditors, employees, and shareholders.65 Of particular importance, the
Braniff court held that a release of claims or payment of prepetition debts is
not a “‘use, sale or lease’ and is not authorized by § 363(b).”66 The court did
state that “certain adjustments in the rights of creditors” are permitted in §
363(e) “to assure ‘adequate protection’” of the interests of secured
creditors.67 The court went on to hold that “[i]n any future attempts to
specify the terms whereby a reorganization plan is to be adopted, the parties
and the district court must scale the hurdles erected in Chapter 11.”68
This ban on sub rosa plans has been extended from § 363(b) sales to
settlement agreements in which assets of the estate are distributed.69 In In re
Iridium, the Second Circuit held that a settlement in the course of the
bankruptcy proceeding was inappropriate because it distributed assets to
prepetition creditors as part of the agreement.70 The court found that the
settlement allowed the negotiating parties to sidestep the “fair and
equitable” standard as well as the “absolute priority rule” of bankruptcy
plan confirmations.71 Although the Iridium court did not label the
settlement as a sub rosa plan, it stated that a settlement cannot be offered to
avoid the “strictures of the Bankruptcy Code.”72
63. See In re Braniff Airways, Inc., 700 F.2d 935, 940 (5th Cir. 1983) (“The debtor and the
Bankruptcy Court should not be able to short circuit the requirements of Chapter 11 for
confirmation of a reorganization plan by establishing the terms of the plan sub rosa in connection
with a sale of assets.”) (emphasis in the original). Many courts find that the use of such tools is
improper. See In re Westpoint Stevens Inc., 333 B.R. 30, 51–52 (S.D.N.Y. 2005).
64. See In re Braniff, 700 F.2d at 939. The PSA was an entity formed as part of the Braniff
Bankruptcy that took possession of the Braniff Airway’s assets in exchange for payoff of debts
and allocation of rights to travel on the new airline. See id.
65. Id. at 939–40.
66. See id. at 940.
67. Id. at 940 n.2. (“[The court] is aware that the Code provides for certain adjustments
pursuant to a valid § 363 transaction in order to provide ‘adequate protection’ to secured
creditors.”) (citing 11 U.S.C. §§ 361, 363(e) (1982)).
68. Id. at 940 (listing the applicable hurdles as “disclosure requirements” in 11 U.S.C. § 1125,
“voting” in 11 U.S.C. § 1126, “best interest of creditors test” in 11 U.S.C. § 1129(a)(7), and the
“absolute priority rule” in 11 U.S.C. § 1129(b)(2)(B)).
69. See In re Iridium Operating LLC, 478 F.3d 452 (2d Cir. 2007).
70. See id. at 464.
71. Id. at 462–65.
72. Id. at 464.
In both the General Motors and Chrysler bankruptcies, payouts to
prepetition creditors were part of the § 363(b) sales.73 In both cases, the
unions received significant shares of the “new” corporations without
providing new capital input.74 These actions were justified in both cases
because the workforce was necessary for the businesses to succeed and the
unions would provide significant value to the new corporations.75 However,
the payouts to the former pension funds in Chrysler and General Motors,
and the shares of the new enterprises given before other creditors were paid
out in both cases,76 could be interpreted as hallmarks of a sub rosa plan, in
which the unions, capable of scuttling the new businesses, gained
preferential treatment.77 In fact, in the Chrysler case, this was one basis
upon which the Indiana pension fund creditors challenged the propriety of
the sale.78
73. See In re General Motors, 407 B.R. 463, 484 (Bankr. S.D.N.Y. 2009) (discussing the fact
that as part of § 363 sale, “New GM” infused capital into retirement fund of union auto workers);
In re Chrysler LLC (Chrysler I), 405 B.R. 84, 92 (Bankr. S.D.N.Y. 2009) (discussing how the
U.S. government provided funding for workers’ pension fund through infusion of capital and
equity in reorganized company).
74. See In re General Motors, 407 B.R. at 497–98; Chrysler I, 405 B.R. at 99–100.
75. See Adler, supra note 14, at 310 (“[T]he payment to VEBA was . . . a prospective expense
that assured the company a needed supply of UAW workers, with the union thus portrayed as a
critical vendor of labor.”).
76. See id.
[In Chrysler,] the purchaser, “New Chrysler”—an affiliation of Fiat, the U.S. and
Canadian governments, and the United Auto Workers (“UAW”)—took the assets
subject to specified liabilities and interests. More specifically, New Chrysler assumed
about $4.5 billion of Chrysler's obligations to, and distributed 55% of its equity to, the
UAW's voluntary beneficiary employee association (“VEBA”) in satisfaction of old
Chrysler's approximately $10 billion unsecured obligation to the VEBA (which is a
retired workers benefit fund) . . . .
Id. at 306.
In General Motors' case, the purchaser, “New GM,” owned largely by the United States
Treasury, agreed to satisfy General Motors' approximately $20 billion pre-bankruptcy
obligation to the VEBA with a new $2.5 billion note as well as $6.5 billion of the new
entity's preferred stock, 17.5% of its common stock, and a warrant to purchase up to an
additional 2.5% of the equity; depending on the success of New GM, the VEBA claim
could be paid in full. As in Chrysler, the sale was to take place quickly, within weeks,
and the sale procedures required that, absent special exemption, any bidder who wished
to compete with government-financed entity was to assume liabilities to the UAW as a
condition of the purchase.
Id. at 312.
77. See id. at 313–15 (sale of underlying assets and distribution to unions deprived creditors of
the protections that they enjoy in a traditional reorganization).
78. See Chrysler I, 405 B.R. at 97–100.
II. SECTION 363(b) COMPARED TO BANKRUPTCY PLAN
CONFIRMATION
A. BANKRUPTCY PLAN CONFIRMATIONS
A Chapter 11 plan confirmation is a relatively democratic process,
requiring a debtor to propose a reorganization/distribution plan and work
with creditors to obtain their willing approval.79 Sales of the entire business
or sales of major business units may be part of the proposed plan.80 The
debtor has a period of exclusivity during which it alone may propose plans
to the creditors,81 and this period may be extended by petition to the trial
judge.82 During the plan confirmation period, the debtor may obtain exit
financing83 or an alternative to financing,84 divide creditors into classes,85
propose a viable post-bankruptcy business organization,86 and endeavor to
achieve consensus among creditors to support the plan.87 Through this
process, the debtor attempts to propose a plan that will satisfy the creditors
while providing the emerging business with an opportunity for a healthy
start.88
One path through which a plan may be confirmed is by having a
majority—defined as greater than half in number and two thirds in value of
all classes—approve it.89 The debtor is required to submit extensive
79. See 11 U.S.C. § 1129 (2006).
80. Id. § 1129(a)(11) (“Confirmation of the plan is not likely to be followed by the liquidation,
or the need for further financial reorganization, of the debtor or any successor to the debtor under
the plan, unless such liquidation or reorganization is proposed in the plan.”).
81. Id. § 1121(b) (“Except as otherwise provided in this section, only the debtor may file a
plan until after 120 days after the date of the order for relief under this chapter.”).
82. Id. § 1121(d)(1) (“[O]n request of a party in interest made within the respective periods
specified in subsections (b) and (c) of this section and after notice and a hearing, the court may for
cause reduce or increase the 120-day period or the 180-day period referred to in this section.”).
83. See id. § 1129(a)(11) (requiring the reorganization to be viable, which in turn requires that
a reorganizing business in need of capital secure financing in order to have the plan confirmed).
84. See supra note 80 and accompanying text. A debtor may thus propose a sale of the
business entity as part of the reorganization, eliminating the need for further financing. See supra
note 80 and accompanying text.
85. 11 U.S.C. § 1122 (2006).
86. Id. § 1129(a)(11).
87. Id. § 1129(a).
88. Williams v. U.S. Fidelity & Guaranty Co., 236 U.S. 549, 555 (1915).
It is the purpose of the bankrupt act to convert the assets of the bankrupt into cash for
distribution among creditors, and then to relieve the honest debtor from the weight of
oppressive indebtedness, and permit him to start afresh free from the obligations and
responsibilities consequent upon business misfortunes.
Id.
89. 11 U.S.C. § 1126(c) (2006). Classes are defined by the debtor in the plan proposal. See id.
§ 1122. However, creditors may object to these classifications if they are not related to business
differences among the creditors. See, e.g., In re Briscoe Enterprises, Ltd., 994 F.2d 1160, 1166–67
(5th Cir. 1991). Differentiation among creditors has been held appropriate based on how the
claims were incurred, the ongoing business relationships between the creditors, and the post-
documentation about the business, its valuation, and its prospects to the
creditors before a vote is taken on the plan.90
If the debtor is unable to achieve a consensual plan, it may force a
“cramdown” plan confirmation.91 A cramdown must meet all the
requirements of a consensual plan—absent the agreement of all classes—
and at least one impaired class must consent to the plan.92 Further, the plan
must be “fair and equitable”93 and abide by the “absolute priority rule.”94
The “fair and equitable” and “absolute priority rule” standards require that
the plan pay secured creditors for the full value of their collateral and
market interest before unsecured creditors receive any value.95 Unsecured
creditors, generally, must also be paid in full before equity holders receive
anything.96 These requirements assure that equity holders will receive no
value unless the higher priority credit classes are paid in full.97
confirmation relationships between the creditors. See, e.g., id. at 1167 (concluding that separation
of unsecured claims is permitted for a “good business reason”).
90. See 11 U.S.C. § 1125 (2006); see also In re Malek, 35 B.R. 443 (Bankr. E.D. Mich. 1983)
(outlining the requirements of adequate disclosure as part of a plan confirmation including
“financial information,” “liquidation analysis,” and “transactions with insiders”).
91. See, e.g., In re Briscoe, 994 F.2d at 1168–70 (describing a “cramdown” as a plan
confirmation under 11 U.S.C. § 1129(b) where a plan is ordered despite a lack of approval by all
impaired classes).
92. 11 U.S.C. § 1129(a)(10) (2006) (“If a class of claims is impaired under the plan, at least
one class of claims that is impaired under the plan has accepted the plan, determined without
including any acceptance of the plan by any insider.”).
93. Id. § 1129(b)(1).
[T]he court, on request of the proponent of the plan, shall confirm the plan
notwithstanding the requirements of such paragraph if the plan does not discriminate
unfairly, and is fair and equitable, with respect to each class of claims or interests that is
impaired under, and has not accepted, the plan.
Id.
94. Id. § 1129(b)(2)(A)–(C).
95. See id.
96. Id. § 1129(b)(2)(B).
97. See Peter C.L. Roth, Comment, Bankruptcy Law—The Absolute Priority Rule
Reasserted—No Equity Participation Without Tangible Capital Contribution, 23 SUFFOLK U. L.
REV. 857, 861 (1989) (citing Northern Pac. R.R., v. Boyd, 228 U.S. 482, 501–04 (1913) (“One of
the original purposes of the [absolute priority] rule was to prevent senior secured creditors from
entering into collusive arrangements with friendly management to squeeze out the unsecured
debt.”)). However, there remains a way for “old equity” to become “new equity”: an old equity
holder may give an infusion of new capital and receive a payout less than or equal to that value in
equity in the reorganized business. See Bank of America Nat’l Trust and Sav. Ass’n v. 203 N.
LaSalle St. P’ship, 526 U.S. 434, 453–54 (1999) (“A truly full value transaction, on the other
hand, would pose no threat to the bankruptcy estate not posed by any reorganization, provided of
course that the contribution be in cash or be realizable money’s worth . . . .”). However, strong
limitations have been placed on this “new equity” exception including that the new ownership
cannot be “on account of” the antecedent debt. See id. at 451–53. Also, new capital, and not a
promise to work, must be infused into the business. Norwest Bank Worthington v. Ahlers, 485
U.S. 197, 203–05 (1988) (holding that debtor farmer’s promise to work on farm and provide
“labor, experience, and expertise” in exchange for equity in reorganized entity was inappropriate).
Regardless of whether a plan’s confirmation is consensual or a
cramdown, any non-consenting creditor may object that the plan is either
not in her best interest98 or is unfeasible.99 For a plan to be in her “best
interest,” the creditor must receive at least as much as she would have in a
Chapter 7 liquidation.100 For example, if a fully secured creditor objects, she
must receive the full value of her claim with market interest rates applied.
Second, for a plan to be feasible, its proponent must show that the business
will remain viable and will not be liquidated shortly after confirmation—
unless that is part of the plan.101 The proponent must show this with
reasonable likelihood, though it need not be a certainty;102 however,
inadequate capitalization and lack of a viable business plan are grounds
upon which a plan may be rejected as unfeasible.103
These elements demonstrate that the plan confirmation process gives a
much greater level of participation and protection to creditors than does a §
363(b) sale.104 Even though both processes will likely involve negotiations
between the debtor and creditors—and a resolution may be achieved over
the objections of certain creditors—the plan confirmation process provides
many avenues for a creditor to object and encourages consensus among
parties.105 Although having a plan confirmation does not ensure absolutely
against abuse or self-dealing, the definitive nature of the “absolute priority
rule” and the extensive required disclosures are likely to reduce the
possibility of insiders or equity holders receiving a payout at the expense of
creditors.106
However, there are certain indelible drawbacks of a plan confirmation.
First, the debtor will likely require exit financing in order for the business to
be viable post-bankruptcy—a problem that may be especially acute in
markets, such as the current one, in which credit is tight.107 The plan
98. 11 U.S.C. § 1129(a)(7) (2006).
99. See id. § 1129(a)(11). Feasibility may be raised by any non-consenting creditor or the court
may analyze it sua sponte. See In re Malkus, Inc., No. 03-07711-GLP, 2004 WL 3202212, at *4
(Bankr. M.D. Fla. Nov. 15, 2004).
100. 11 U.S.C. § 1129(a)(7) (2006).
101. Id. § 1129(a)(11); see In re Malkus, 2004 WL 3202212, at *4.
102. See Malkus, 2004 WL 3202212, at *4 (“Pursuant to § 1129(a)(11) a plan of reorganization
must be feasible. ‘Although success does not have to be guaranteed, the Court is obligated to
scrutinize a plan carefully to determine whether it offers a reasonable prospect of success and is
workable.’”) (quoting In re Yates Development, 258 B.R. 36, 44 (Bankr. M.D. Fla. 2000)).
103. See, e.g., id.
104. See Rose, supra note 22, at 256–58 (discussing the voting, classification and good faith
requirements as hallmarks of the Bankruptcy Code’s protection of creditors).
105. See discussion supra Part II.A.
106. See Sloane, supra note 22, at 39–45.
107. See Melvin Richardson, How Does a Tight Credit Market Affect the Economy?,
ASSOCIATED CONTENT FROM YAHOO (Oct. 30, 2008), http://www.associatedcontent.com/
article/1138008/how_does_a_tight_credit_market_affect.html.
254
BROOK. J. CORP. FIN. & COM. L.
[Vol. 5
confirmation period may take an inconveniently long time.108 During this
period, the debtor’s business, being tied up in court proceedings,109 may
suffer significant reputational damage.110 This reputational damage, coupled
with the debtor’s inability to obtain financing and the costs of running the
bankruptcy itself—including legal fees—may strain the business to the
point of collapse, causing the case to be converted to Chapter 7111 and the
creditors to lose the “going concern value” that Chapter 11 is intended to
preserve.112
B. SCHOLARLY DEBATE OVER § 363(b) SALES: PANACEA
FOR LARGE BUSINESS REORGANIZATIONS OR AN
ALTERNATIVE VULNERABLE TO ABUSE?
Many academics have supported the use of § 363(b) sales.113 One
argument is that they insulate the sale of going-concern businesses from
lengthy confirmation processes: the sale proceeds are secured, and the
parties determine distributions after the sale.114 In a plan
reorganization, the business entity is kept within the bankruptcy estate for a
substantial period of time, where it incurs significant legal and
administrative costs, must secure operating capital, and suffers reputational
damage.115 In a § 363(b) sale, the debtor need not obtain DIP financing,116
108. See generally Miller & Waisman, supra note 21. Bankruptcy cases may take years to
complete whereas a § 363(b) sale may be consummated in a few months, or even significantly
less. See generally id.
109. Id. at 187–89 (arguing that bankruptcy proceedings may evolve into a confrontation of
wills, where a creditor may prolong the process in hopes of forcing a concession).
110. Lynn M. LoPucki & Sara D. Kalin, The Failure of Public Company Bankruptcies in
Delaware and New York: Empirical Evidence of a “Race to the Bottom”, 54 VAND. L. REV. 231,
235–36 (2001) (describing reputation damage along with other distractions that companies suffer
from bankruptcies, which leads to reorganized public companies filing repeatedly for bankruptcy
protection).
111. 11 U.S.C. § 1112 (2006) (listing the requirements that allow a party of interest, “after
notice and a hearing,” to petition the court for conversion of the case to a chapter 7 liquidation).
112. See In re 15375 Memorial Corp., 400 B.R. 420, 427 (D. Del. 2009) (“preserving a going
concern” or “maximizing the value of the debtor’s estate” are goals of filing for bankruptcy
protection) (citation omitted).
113. See, e.g., Lee, supra note 21; Miller & Waisman, supra note 21; Paul N. Silverstein &
Harold Jones, The Evolving Role of Bankruptcy Judges Under the Bankruptcy Code, 51 BROOK.
L. REV. 555 (1985).
114. See generally Miller & Waisman, supra note 21 (discussing the many obstacles that have
entered the reorganization plan confirmation process, including strategic objections, employee and
key vendor benefits and greater costs).
115. See generally id. Greater sophistication by creditors and an increasingly service-based
economy have turned the Chapter 11 landscape into a more contentious process that may no longer
yield the “going concern” premium that formerly existed in the railroad bankruptcies. See id. at
182 (“[D]istressed debt traders' entry into the reorganization paradigm has transformed Chapter 11
reorganizations from primarily rehabilitative processes to dual-purpose processes that stress
maximum enhancement of creditor recovery in addition to rehabilitation of the debtor entity.”).
116. See generally David A. Skeel, Jr., The Past, Present and Future of Debtor-In-Possession
Financing, 25 CARDOZO L. REV. 1905 (2004) (describing the history and current use of “DIP
which may be unavailable or only available at a substantial rate.117 The sale,
it is argued, provides a level of certainty that a plan confirmation cannot: it
ensures a level of assets that will be split among creditors and obviates
the need for a time-consuming and expensive valuation finding during plan
confirmation.118 Creditors also need not focus on the workings of the
business or fear that the business will leak losses, implode, and require
liquidation.119 The sale of the assets, if performed correctly, would also
likely yield a more reliable price than expert valuations presented to a
bankruptcy judge,120 a result in line with the Code’s policy of preferring
market valuation when possible.121
financing”). DIP financing refers to financing made available to a debtor during the course of its
bankruptcy proceedings in order to finance the ongoing restructuring as well as a viable
reorganization. See generally id.; see also 11 U.S.C. § 364 (2006) (providing courts with power to
approve financing for the debtor in possession).
117. See Lee, supra note 21, at 546. A quick sale of assets may be necessary where a business
runs out of cash collateral financing and DIP financing is unavailable. See id.
118. See George W. Kuney, Let's Make It Official: Adding an Explicit Preplan Sale Process as
an Alternative Exit From Bankruptcy, 40 HOUS. L. REV. 1265, 1270 (2004) (“[T]he insolvency
community has embraced the nonplan sale of substantially all the assets of a debtor's business as
an efficient alternative to the costly and lengthy plan confirmation process.”) (internal citations
omitted). Section 363(b) sales secure a price for a firm’s assets and allow creditors to focus on achieving a
plan to distribute assets. See id.
Further, by reducing the assets of the estate to cash, a note secured by the assets sold,
the stock of the purchaser, or some other similar form of fungible valuable
consideration, the tasks and costs of postsale management and administration of a
debtor and its estate can be dramatically reduced.
Id. at 1270–71 (internal citations omitted). This will reduce monitoring cost as the creditors no
longer must analyze market conditions or the managerial decisions of the debtor. See id.
In turn, this allows for a reduction in the amount of a debtor's value that is redistributed
from prepetition creditors to postpetition administrative claimants as a case drags on. It
takes little in the way of a management team to preside over an estate comprised solely
of liquid assets.
Id. at 1271 (internal citations omitted).
119. See 11 U.S.C. § 1112 (2006) (requiring that a company that is unable to emerge from
chapter 11 as a viable entity will either be converted to chapter 7 liquidation or the bankruptcy
case will be dismissed).
120. See Barry E. Adler & Ian Ayres, A Dilution Mechanism for Valuing Corporations in
Bankruptcy, 111 YALE L.J. 83, 90 (2001) (“Not only do judges lack the business expertise of
individual capital investors, but also a judicial valuation cannot benefit from the collective
wisdom of market investors in the aggregate. As a result, even unbiased judges make mistakes that
a market process would not permit.”). An open and populated market should yield efficient
outcomes, demonstrating the true value of the asset. See Oversight of TARP Assistance to the
Automobile Industry: Field Hearing Before the Congressional Oversight Panel, 111th Cong. 97–
108 (2009) (statement of Barry E. Adler, Professor of Law, New York University School of Law)
(advocating putting all large § 363(b) sales through a stringent market test to ensure fair price and
prevent abuses) [hereinafter Automotive Field Hearings Memorandum].
121. See In re Iridium Operating LLC, 373 B.R. 283, 293 (Bankr. S.D.N.Y. 2007) (“[T]he
public trading market constitutes an impartial gauge of investor confidence and remains the best
and most unbiased measure of fair market value and, when available to the Court, is the preferred
standard of valuation.”) (citing VFB LLC v. Campbell Soup Co., 482 F.3d 624 (3d Cir. 2007)).
Looking at these benefits—including shorter time in bankruptcy,
certainty, fewer resources used—as a whole, it may be difficult to dispute
the use of these sales procedures. In fact, some academics believe that the §
363(b) sale is the future of bankruptcy and that few if any large
bankruptcies benefit from a drawn-out confirmation plan.122 Others, while
not ruling out the usefulness of the plan confirmation process, contend that
the process is no longer viable for large distressed businesses and that,
absent major revisions to the Code, the § 363(b) sale may be, in certain
circumstances, a useful and prudent solution.123
While there is major support for the use of § 363(b) sales, there are
critics who argue that the procedure is fraught with possibilities for abuse
and enables parties to effectuate sweetheart deals.124 These critics argue that
the use of § 363(b) sales increases the ability of insiders to engage in self-dealing, given the lighter scrutiny to which the sales are subjected.125 They
argue further that benefits to insiders such as continued employment,
assignment of liability, and even payment may be provided by the
purchaser in exchange for the debtor supporting and obtaining approval of
the sale, and that this may be particularly true in § 363(b) sales in which a
parent company or former equity holders acquire the business.126
Imperfections in valuation and the auction procedures used by various
bankruptcy courts may allow a creditor or third party to purchase a business
at well below value.127 Commentators argue that because insiders do not
usually gain in the distribution of assets, it may be worthwhile for them to
sell to a third party at below market value while receiving an outside
benefit, such as those described in the previous paragraph.128 Further, if the
debtor has special knowledge about the business and is in the best position
to value the company, she may also be in the best position to argue for a
low valuation and provide the benefit to a purchaser at the cost of
creditors.129 Commentators have responded differently to this problem of
valuation. Some have responded by arguing for a market test, whereby
market forces will dictate the fair price for the asset and prevent abuses that
stem from undervaluation.130 Other commentators argue that a market test
122. See, e.g., Lee, supra note 21, at 562.
123. See Miller & Waisman, supra note 21, at 199–200.
124. See generally Rose, supra note 22.
125. See id. at 277–80 (arguing that the debtor in possession may have conflicts of interest that
encourage selling to insiders or affiliated companies and may yield deals that provide a windfall
for third parties at the expense of creditors).
126. See id.
127. See id. at 277–78 (discussing how manipulation of valuations and auction procedures can
lead to depressed pricing).
128. See LoPucki & Doherty, supra note 22, at 30–31.
129. See Rose, supra note 22, at 277–78 (describing how insiders profited when Polaroid was
sold for $465 million despite $1.8 billion in assets).
130. See Automotive Field Hearings Memorandum, supra note 120 (discussing how open
auctions will reveal when parties are receiving unduly favorable terms).
cannot cure the abuses and inappropriate outcomes that flow from the speed
and absence of disclosure in § 363(b) sales.131
There also exists the possibility that a § 363(b) sale will be used to
effectuate a sub rosa plan in which the purchaser can gain significant
returns at the expense of other creditors.132 As part of a sale, ownership of
the traded asset may be distributed; in General Motors, for example, both
the employee pension fund and the union received significant portions of
the new company without a commensurate contribution of capital.133
Although such transactions meet the technical definition of a sub rosa plan,
they are not always labeled as such, effectively allowing the debtor to
distribute assets without complying with the plan confirmation
requirements of § 1129 of the Code.134 Commentators have been especially
wary of these kinds of sales, as creditors will not only lose in their payout
but are also locked out of the process.135
Those opposing the current proliferation of § 363(b) sales do not
necessarily contest its use in all circumstances or deny its appeal; instead,
they argue for increased procedural safeguards or limitations.136 They claim
that these procedures should be subject to a more stringent inquiry into
whether the plan does, in fact, constitute a sub rosa plan bypassing the
safeguards of a plan confirmation process.137 Additionally, some
commentators argue for a market test for § 363(b) sales so as to ensure that
insiders are not effecting “sweetheart deals,”138 whereas others argue for a
heightened “business justification” standard.139 These concerns highlight
the procedural disadvantages of § 363(b) sales despite acknowledging the
great benefits that may accrue from their use. From this, it becomes clear
that availability of § 363(b) sales procedures should be preserved—and
possibly encouraged—but that precautions must be taken to prevent the
types of abuses to which they are currently susceptible.
III. PROPOSED SOLUTION
This note has focused on two areas of abuse that exist in § 363(b) sales:
1) the ability of insiders or other parties to purchase the company at below
131. See, e.g., LoPucki & Doherty, supra note 22, at 40–45.
132. See Sloane, supra note 22, at 60–63.
133. In re General Motors Corp., 407 B.R. 463, 482–83 (Bankr. S.D.N.Y. 2009).
134. See Sloane, supra note 22, at 51 (discussing how decisions applying Braniff have generally
allowed § 363(b) sales to go through, which alleviates the debtor’s need to make disclosure or
gather consenting creditor votes).
135. See id. at 62.
136. See, e.g., Automotive Field Hearings Memorandum, supra note 120, at 106–08; LoPucki &
Doherty, supra note 22, at 44–45; Rose, supra note 22, at 283–84.
137. See Sloane, supra note 22, at 62.
138. See Automotive Field Hearings Memorandum, supra note 120 (advocating for a true market test to
ensure that sale value is maximized and that the sale does not deprive creditors of the safeguards
that the Bankruptcy Code provides them).
139. See Rose, supra note 22, at 283–84.
market value; and 2) the ability of the debtor or insiders to compel a sale in
order to secure a benefit for themselves at the expense of creditors. These
abuses can be significantly reduced by employing a robust market test that
includes disclosure of all terms of the sale, adequate time for bidders to
respond, and a centralized forum to receive—and notify all affected parties
of—purchase bids.140
Additionally, where a quick sale is required and a meaningful market
test cannot be implemented, the standard for justifying the sale should be
heightened.141 These changes will provide fairness and credibility, and will
limit uses of § 363(b) sales to subvert the Code’s protection of creditors.142
A. A ROBUST MARKET TEST
Academics and practitioners have proposed that § 363(b) sales should
require a market test to ensure that the price paid for assets in the sale is
fair, and to provide interested bidders with a forum to purchase the
property.143 Proponents of a market test argue that it provides safeguards
necessary to ensure fairness and prevent abuse.144 First—assuming the
existence of an efficient and populated market—arbitrageurs, speculators,
and other participants should theoretically raise the company’s value to its
“market price.”145 This would prevent insiders from colluding with a
purchaser to sell the company at an artificially low price in exchange for
side benefit.146 Similarly, the market test may attract purchasers who can
significantly raise the returns of the company, possibly through synergies or
economies of scale.147 If details of the sale are made public and scrutinized,
140. See generally Adler, supra note 14, at 317–18 (proposing the “sort of process that state law
would provide shareholders of a solvent firm”).
141. See Rose, supra note 22, at 283 (“The complexities of a § 363 sale require intensified
scrutiny because of the dangers of debtor manipulation of market forces.”).
142. See discussion supra Part II.A (detailing the protections afforded to creditors in a
bankruptcy plan reorganization).
143. See generally Rachael M. Jackson, Note, Responding to Threats of Bankruptcy Abuse in a
Post-Enron World: Trusting the Bankruptcy Judge as the Guardian of Debtor Estates, 2005
COLUM. BUS. L. REV. 451; see also Rose, supra note 22.
144. See Douglas G. Baird & Robert K. Rasmussen, The End of Bankruptcy, 55 STAN. L. REV.
751, 786–88 (2002); Lee, supra note 21, at 536–37.
145. See Daniel R. Fischel, Market Evidence in Corporate Law, 69 U. CHI. L. REV. 941, 942
(2002) (“The fair market value of an asset is generally defined as the price at which the asset
would change hands in a transaction between a willing buyer and a willing seller when neither is
under any compulsion to buy or sell and both are reasonably informed.”).
146. See id. at 947 (acknowledging that a price below fair value will attract other purchasers).
147. See Bernard S. Black, Bidder Overpayment in Takeovers, 41 STAN. L. REV. 598, 608
(1989).
An important source of potential gain from takeovers is synergy between buyer and
seller that permits the merged company to be run more efficiently. Three sources of
synergy can be distinguished: (i) operating synergy resulting from economies of scale
or scope; (ii) improved management of the target; and (iii) financial or managerial
synergy due to more efficient use of capital or management talent.
proponents of the sale will, in theory, be deterred from engaging in fraud or
side deals. Thus, the market test may also provide a level of certainty and
fairness simply from its procedure.148
This model of market arbitrage and an effective market test may be
criticized as simplistic and overly optimistic, as it assumes a populated market,
low transaction costs, and complete information.149 Although such
conditions, or even conditions approaching these, are unlikely, bankruptcy
courts may foster a more favorable environment for bidders to produce a
populated auction and thereby increase possible revenue.150 To emulate
such optimal market conditions, a robust and effective market test should
require: 1) full disclosure of proposed bids; 2) adequate time to respond to
the bids by all parties and purchasers; and 3) creditor and judicial review of
competing bids.
1. FULL DISCLOSURE OF SALE TERMS
A debtor loses many privacy protections that it had outside of
bankruptcy, including required post-petition disclosure when proposing the
confirmation plan.151 Also, a debtor is required to accept better bids, if
offered, in a § 363(b) sale.152 However, these alone may be insufficient to
ensure an effective market test.
Under the current regime, the complete details of a sale are not always
provided, made public, or even available.153 While requiring a purchasing
company to reveal all elements of its purchase and act as a “stalking horse”
may be harsh, the protections that the bankruptcy sale will provide them—
including the ability to purchase “free and clear” of encumbrances154 and
the limited appealability of § 363(b) sales155—should make for a fair
Id.
148. See Rose, supra note 22, at 277–83.
149. See Fischel, supra note 145, at 944–47 (discussing unrealistic assumptions underlying
analysis of fair market price).
150. See generally Steven B. Katz, Note, Designing and Executing a “Fair” Revlon Auction,
17 FORDHAM URB. L.J. 163, 183 (1989) (“[I]ncreasing the number of bidders in an auction
increases the probability of a particular bidder having the highest valuation, thereby usually
raising the seller's revenue.”).
151. See 11 U.S.C. § 1125 (2006).
152. See In re Gulf States Steel, Inc. of Ala., 285 B.R. 497, 517 (Bankr. N.D. Ala. 2002) (citing
In re Lionel, 722 F.2d 1063 (2d Cir. 1983)) (“In a liquidation case it is ‘legally essential’ to
approve the highest offer . . . .”); see generally Revlon Inc. v. MacAndrews & Forbes Holdings,
Inc., 506 A.2d 173 (Del. 1986) (requiring the Board of Directors, in a sale of control context, to
maximize shareholder’s equity).
153. See Rose, supra note 22, at 260 (“With a § 363 sale, fewer people receive less information,
and the lack of a disclosure requirement weakens creditor leverage . . . .”).
154. 11 U.S.C. § 363(f) (2006).
155. Id. § 363(m).
The reversal or modification on appeal of an authorization under subsection (b) or (c) of
this section of a sale or lease of property does not affect the validity of a sale or lease
under such authorization to an entity that purchased or leased such property in good
tradeoff. By making details of the transaction and proposals public,
potential purchasers will be able to assess the fairness of current proposals,
and may outbid current offers that undervalue the company, in an attempt to
receive a profit.156
Additionally, companies do not necessarily submit bids that only differ
in price or in a limited number of provisions; quite the opposite, bids for
distressed companies often vary widely.157 One purchaser may provide a
higher price but will dismantle the company for its assets and consumer
base,158 while another plan may infuse capital and expertise into expanding
the business but at a lower price.159 Depending on the particular
circumstances of the distressed business, either plan may prove to be a
better solution for the creditors and for the public at large.
Only by making full disclosure of the bids submitted can interested and
official parties effectively evaluate which of multiple proposals to accept.160
Increasing the availability of information will serve two purposes for
potential purchasers. First, it will lower transaction costs to bidders,
enabling them to base their offers on a better evaluation of the company.161
Second, because an offer will serve as an indicator of the selling company’s
value,162 hesitant market participants may be reassured of the soundness of
an investment in the company, thus increasing the likelihood of a
competitive auction.163
faith, whether or not such entity knew of the pendency of the appeal, unless such
authorization and such sale or lease were stayed pending appeal.
Id.
156. See generally Katz, supra note 150, at 184–85 (describing “Revlon” type auctions where
“[b]y increasing his bid, the bidder decreases his potential profit, but increases his probability of
winning. . . . [which forces the bidder to] close the gap between his bid and his honest valuation”).
157. Compare In re Chrysler LLC (Chrysler I), 405 B.R. 84 (Bankr. S.D.N.Y. 2009) (approving
a sale of a business for ownership and infusion of capital and expertise in a transaction between
Fiat and Chrysler); with In re Enron Corp., 291 B.R. 39, 40 (S.D.N.Y. 2003) (approving a straight
sale of a business entity for cash or its equivalent).
158. See, e.g., Enron, 291 B.R. at 40 (approving the sale of Enron Wind Corp., a subsidiary of
Enron Corp., to General Electric Co. for a combination of cash and assumption of liabilities).
159. See, e.g., Chrysler I, 405 B.R. at 96 (approving the sale following consideration of the
synergies that Fiat could provide Chrysler, including new technologies and an international
network, in ordering the § 363(b) sale).
160. Theodore N. Mirvis & Andrew J. Nussbaum, Mergers and Acquisitions and Takeover
Preparedness, 907 PLI/CORP. HANDBOOK SERIES 501, 536–37 (1995) (the board of directors in a
change of control context must analyze all factors of a bid including price, feasibility and identity
of the bidder in calculating the “best value” for its shareholders).
161. See generally David E. Van Zandt, The Market as a Property Institution: Rules for the
Trading of Financial Assets, 32 B.C. L. REV. 967, 985–86 (1991).
162. See generally id.
163. See Katz, supra note 150, at 187–88 (“[An] advantage of the seller publicizing information
is that the cost of preparing a bid is lowered. Lower bid preparation costs may entice additional
bidders to enter the auction, thereby creating a more competitive auction and increasing the seller's
expected return.”).
Full disclosure would also reveal and deter fraud or insider dealing as it
does in federal securities law.164 There are three categories of entities that
have an incentive to find self-dealing, fraud, or other problems in the plan.
First, official entities, such as the court or a United States trustee, will be
attentive to these problems as part of their official duty.165 Second, creditors
that stand to be impaired by the sale have the incentive to scrutinize and
oppose it for such imperfections.166 Finally, competing purchasers are also
in a position to analyze the plan for faults and may profit by outbidding for
what they deem to be an undervalued asset.167 Full disclosure will provide
all of these parties the means to analyze bids and ferret out abuse.
Requiring the parties proposing a § 363(b) sale to make full disclosure
should encourage market participants to bid on the asset in question.168
Competitive bids such as these are more likely to result in a fair market
valuation of the sale asset.169 Ultimately, disclosure is beneficial because it
disincentivizes the proposing parties from engaging in fraud, self-dealing,
or other abuses that they would not want exposed to the public.
2. ADEQUATE TIME FOR MARKET PLAYERS TO
RESPOND TO THE SALE
In addition to requiring disclosure of the details of the § 363(b) sales,
the court should provide market players sufficient time to respond to the
test and bid on the company. In order for a market test to reveal whether a
price is fair or if other purchasers can provide better terms, there needs to be
a sufficient opportunity for bidders to research, plan, and draft competing
proposals.170 Potential purchasers must be provided with enough time to
formulate bids and be assured that their bids will be given proper
164. See generally Richard E. Mendales, Looking Under the Rock: Disclosure of Bankruptcy
Issues Under the Securities Laws, 57 OHIO ST. L.J. 731, 738–39 (1996) (explaining how
disclosure in securities law serves a regulatory purpose allowing interested private parties to
monitor themselves).
165. U.S. Trustee Program, Strategic Plan & Mission, U.S. DEP’T OF JUSTICE,
http://www.justice.gov/ust/eo/ust_org/mission.htm (“The USTP's mission is to promote integrity
and efficiency in the nation’s bankruptcy system by enforcing bankruptcy laws, providing
oversight of private trustees, and maintaining operational excellence.”).
166. See Barry L. Zaretsky, Fraudulent Transfer Law as the Arbiter of Unreasonable Risk, 46
S.C. L. REV. 1165, 1172–73 (1995) (arguing that “impaired debtors who receive less than
reasonably equivalent value may unfairly or improperly harm creditors even when the debtor did
not have intention to cause harm to its creditors[,]” thereby incentivizing creditors to scrutinize
debtor activities).
167. See generally Katz, supra note 150, at 181–88.
168. See id. at 187.
169. See id.
170. See LoPucki & Doherty, supra note 22, at 25–26, 41–42 (finding that there were
significant costs, in the range of $5 million, in formulating a bid in a § 363(b) sale and recovery
rates in such sales increased with the length of the market test).
attention.171 A sale that does not provide sufficient time for market players
to respond to proposals will be ineffective and merely pro forma.172
To ensure that adequate notice for market participation exists, the court
can publish the terms of the sale and an invitation for competing bids. This
type of publication should be tailored to the target audience, and its cost can
vary with the value of the asset being sold.173 Thus, while taking out a
newspaper ad for a large corporation—such as General Motors or
Chrysler—is worthwhile, it would be unreasonable to require it for a small
asset, as the cost of publication would significantly reduce payouts to
creditors.174
This notice should provide a timeline in which offers will be accepted
and evaluated.175 The period must be clear as the parties that will expend
resources on preparing and submitting a bid will need assurance that their
bids will be adequately reviewed and considered against the current sale
agreement.176
It is reasonable for investors to be wary of participating in a market test.
The drafters of the sale may argue that losing their initial agreement may
cause uncertainty, and that subsequent bids may change terms that have
already been considered and accepted.177 However, for the market test to be
effective, new bids must be evaluated on equal footing with the proposed
agreement.178 A period in which all proposals are considered—along with
the requirement that bids be considered by both the court and impaired
creditors179—is a proper solution to this problem because it ensures that if a
new and better offer is proposed within a reasonable time frame, it may
replace the agreed upon sale.
171. See id. at 26 (finding that although “the recovery ratio for a reorganized company
decreases with time in bankruptcy[,] . . . the recovery ratio of a sold company increases with time
in bankruptcy”).
172. Publication and adequate time to formulate a bid are factors that should foster greater
bidder participation in order to maximize price. See generally Katz, supra note 150, at 183, 187.
173. See Automotive Field Hearings Memorandum, supra note 120, at 107 (proposing that
auction procedures should not apply to small businesses as they would be unable to recoup the
costs).
174. See id. (arguing that publication of terms and market tests may not be feasible for smaller
assets).
175. But see id.
176. Proponents of a § 363(b) sale are, however, reluctant to entertain competing offers and stifle
true bidding through selecting a “stalking horse” and implementing short bidding periods once the
“stalking horse” has been selected. See LoPucki & Doherty, supra note 22, at 35–36.
177. See Mark J. Roe & David Skeel, Assessing the Chrysler Bankruptcy, 108 MICH. L. REV.
727, 747–51 (2010) (describing the bidding process in Chrysler and how there was a requirement
that new bids be approved by multiple committees and conform to standards enacted by the
proponent, which demonstrates a sale proponent’s desire to consummate an existing offer so as
not to lose its proverbial “bird in the hand”).
178. See Katz, supra note 150, at 175 (arguing that sellers need to be committed to the auction
process for bidders to put forth their best offers).
179. See discussion infra Part III.A.3.
2010] 363(b) Sales: Market Test Procedures & Heightened Scrutiny
263
Finally, the adequate time provision must give investors sufficient time
to formulate and propose a competing bid.180 The amount of time necessary
should depend on the size of the asset, current market conditions, liquidity
of the asset, and prior shopping for purchasers, among other factors.181 For
example, a large asset such as an automotive manufacturer may require that
purchasing companies seek outside funding, thus raising the time necessary
to form a bid. Similarly, in tight capital conditions, such as those of the
current economy, bidders may require more time to secure the capital for
the purchase. A court implementing a market test must be cognizant of
these factors to ensure that the market test is an effective one.
3. CREDITOR AND JUDICIAL REVIEW OF COMPETING BIDS
A third requirement that will provide for an effective market test is
review of competing bids by the court and by impaired creditors. This
requirement is important because: 1) it will provide for impartial review of
bids that benefit creditors as a class and incentivize the bidding process;182
2) it will deter insiders from proposing “sweetheart” or self-interested
deals;183 and 3) it will create a centralized forum to receive and evaluate
bids.
The first benefit of requiring review by parties other than the proponent
of the § 363(b) sale184 is that potential bidders will have more confidence
that their bids will be reviewed and that their diligence will not go to
waste.185 As with the adequate time provision, this element facilitates the
environment necessary for a competitive bidding process.186
180. See Warburton, supra note 13, at 567.
363 sales proceeded at an unnecessarily fast pace. The bankruptcy courts in each case
required that any competing bid be submitted within a matter of days. Critics cite the
short amount of time permitted for competing 363 bids as an additional constraint
imposed on the bidding process. In other words, the speed of the process purportedly
discouraged the submission of competing bids, impeding a true market valuation of the
assets.
Id.
181. See Automotive Field Hearings Memorandum, supra note 120, at 107 (advocating for
market test to conform to state law requirements and provide bidders with adequate time to
formulate their bids).
182. See Katz, supra note 150, at 178 (describing how bidders will be disincentivized from
participating in an auction if there is a significant risk that their bid will fail).
183. See Rose, supra note 22, at 272–83.
184. This could include either the creditors, perhaps through a committee of unsecured
creditors, or by the court.
185. See generally Robert U. Sattin, Finality in Auction Sales: It Ain't Over Till It's Over, 23
AM. BANKR. INST. J., 52, 53 (2004) (describing the finality of auctions as a necessary element that
ensures that bidders are confident that their bids will receive due consideration and will not be
upset by subsequent events); see also generally Katz, supra note 150.
186. See generally Katz, supra note 150 (creating an auction that entices bidders will draw
more bidders and in turn increase the probability of obtaining a higher bid price).
264
BROOK. J. CORP. FIN. & COM. L.
[Vol. 5
The second benefit of third party review of competing bids is that it
should deter proponents from proposing plans with an unfairly low price or
that retain benefits to themselves.187 If a party realizes that its attempt at
deceiving the system will likely be caught, it is less likely to engage in the
devious conduct.188
The test will also provide a centralized forum for the receipt of bids,
affording some measure of assurance and cost savings to bidding parties.189
Although not as significant as the other elements described, requiring
creditors and the court to consider all bids will provide an auction
atmosphere in which parties may compete with each other in the open. This
will ensure that the debtor cannot unfairly discriminate among purchasers
and will also lower the transaction costs for bidding parties of obtaining
information.190 Finally, and optimistically, such a centralized forum may
facilitate a bidding war that will increase the purchase price to the benefit of
all creditors.191
The elements of the robust market test are designed to mimic a
competitive market and provide the protections similar to those of a
reorganization plan confirmation. They are also meant to ensure a proper
review of the sale, and to give outsiders and creditors leverage over a self-interested sale proponent as well as provide them with more satisfaction
from the process.
4. A ROBUST MARKET TEST CAN BE EFFECTIVE
Some current commentary contends that market sales are either
ineffective, difficult to implement, cost prohibitive, or some combination of
all three.192 While it is not argued that the steps outlined above will provide
an optimal solution, this note’s proposal takes these arguments into account.
It is conceded that a market test may not be possible under all
circumstances, nor is it feasible that all market tests should be equally
187. See generally LoPucki & Doherty, supra note 22 (discussing the side dealings and abuses
that occur in an undervalued § 363(b) sale); see also Rose, supra note 22.
188. See generally Gary S. Becker, Crime and Punishment: an Economic Approach, 76 J. POL.
ECON. 169, 176–78 (1968) (outlining the deterrence effect and arguing that criminals take costs of
their actions into account when committing crimes, that costs are measured by the sanction for the
act, and are multiplied by the chance of being caught). Under the deterrence theory, raising either
the sanction or the probability of being caught makes the action less valuable and hence deters a
potential actor from engaging in the act. Id.
189. See LoPucki & Doherty, supra note 22, at 5 (“[T]he high costs of evaluating companies,
combined with the low probability of success for competing bidders, discourages competitive
bids.”).
190. See Katz, supra note 150, at 187–88.
191. See id. at 183.
192. See, e.g., LoPucki & Doherty, supra note 22, at 41–45 (reporting results from a study of
recent § 363(b) sales that yielded results that found that sales undervalue the company as
compared to a plan reorganization and failed to bring in competing bids).
stringent.193 The type and duration of the market test, the form of marketing
devices to be used, and the choice between a formal bidding process and an
auction, should all be determined on a case-by-case basis.194
Criticisms that a market test would prove ineffective are based on faults
with the procedures currently in use, not with the market test concept
itself.195 It has been argued that market tests fail to bring in bidders and do
little to no good in raising § 363(b) sale prices or deterring abuse.196
However, the three elements of the proposed robust market test would
alleviate such problems. First, requiring greater disclosure would give
potential bidders greater access to the information they need to formulate a
bid that they believe will be successful.197 Second, an adequate period of
time would allow more players to enter the bidding process and provide
them with more incentive to prepare and submit bids.198 Third, an impartial
weighing of bids would provide outside bidders a greater opportunity to
present their case and have their bids considered.199 While these elements may not
entirely eliminate the problems of the current § 363(b) market test, they will
make market tests more effective and provide greater certainty as to the
adequacy of price while deterring abuse.
B. HEIGHTENED SCRUTINY OF THE “TIME IS OF THE ESSENCE” SALE
One important and controversial justification for the use of § 363(b)
sales and their quick implementation is the “time is of the essence”
rationale.200 This justification relies on an extrinsic factor—usually a back-out date in a sale agreement—to require the quick ordering of a sale before
the purchaser pulls out and/or the business implodes.201 Both the Chrysler
and General Motors cases employed this justification for their expedited
193. See Automotive Field Hearings Memorandum, supra note 120, at 107.
194. See id. A market test must be tailored to the asset being sold as well as the prospective
market. See id. Particularly, the cost of the auction must not be so large in comparison with
projected proceeds as to make the auction unreasonable. See id.
195. See, e.g., LoPucki & Doherty, supra note 22, at 41 (debtors often offer bid incentives to
the stalking horse making subsequent offers harder to obtain); Rose, supra note 22, at 282 (“The
market cannot correct deal protection fees, credit bidding, and disparity in bidders' information.
Additionally, the debtor's ability to limit participants even with open auctions makes the courts'
use of market exposure as an objective standard insufficient as well.”).
196. LoPucki & Doherty, supra note 22, at 41–42.
197. See discussion supra Part III.A.1.
198. See discussion supra Part III.A.2.
199. See discussion supra Part III.A.3.
200. See, e.g., In re Thomson McKinnon Sec., Inc., 120 B.R. 301, 307 (Bankr. S.D.N.Y. 1990).
201. See, e.g., In re General Motors Corp., 407 B.R. 463, 480 (Bankr. S.D.N.Y. 2009); In re
Titusville Country Club, 128 B.R. 396, 397 (Bankr. W.D. Pa. 1991); Equity Funding Corp. of Am.
v. Financial Assocs., 492 F.2d 793, 793 (9th Cir. 1974).
sales202 and it has been established as a valid justification in a variety of
circumstances.203
“Time is of the essence” has been criticized by certain academics. One
argument against the justification is that it is difficult, if not impossible, to
determine whether the purchaser will actually back out of the deal204 or if
the back-out date is being used to subvert the bankruptcy process and avoid
scrutiny.205 Another argument is that it provides perverse incentives to the
management of an ailing business to only declare bankruptcy when a “drop
dead date” is imminent and the business is unable to withstand a lengthy
bankruptcy.206
A solution must deter purchasers from abusing the bankruptcy system
while providing the court with the flexibility needed to address novel and
drastic situations. Because a quick sale will preclude an effective market
test and the safeguards that the test ensures, courts should require the
proponents of a “time is of the essence” § 363(b) sale to face heightened
scrutiny.207 Those invoking the justification should be required to provide
compelling reason for the necessity of the sale and the deadline. The court
should also analyze the substance of deals for insider benefit and self-dealing.208 Further, because the market test and this heightened scrutiny are
designed to combat abuse, the court may lower the level of scrutiny
involved where time for a market test is provided, even though truncated,
while heightening scrutiny of sales with imminent sale dates.
202. See In re Chrysler LLC (Chrysler I), 405 B.R. 84, 96–97 (Bankr. S.D.N.Y. 2009)
(considering the timeline set out by Fiat for the Chrysler merger in ordering the sale); General
Motors, 407 B.R. at 480 (considering the United States Government’s requirement that the sale be
consummated quickly as justification for ordering the sale).
203. See, e.g., In re Thomson McKinnon, 120 B.R. at 307.
Time is of the essence because the contracts with the key employees will expire by
January 2, 1991, whereas the trustees of the Funds have threatened to terminate their
arrangements with the Partnership if a prospective purchaser is not promptly approved
who could offer investment management services which would meet with their
approval.
Id.; In re Oneida Lake, Inc., 114 B.R. 352, 355–57 (Bankr. N.D.N.Y. 1990) (ordering a sale based
on rapidly decreasing market value and an open sale, despite not using “time of the essence”
language).
204. See Sloane, supra note 22, at 60–61.
205. See id. (arguing that expedited sales procedures may be used to disenfranchise creditor
voting and “short circuit” bankruptcy safeguards).
206. See General Motors, 407 B.R. at 480; see also LoPucki & Doherty, supra note 22, at 37
(discussing the probable effect of a drop dead date on the sale price).
207. See Roe & Skeel, supra note 177, at 749 (noting that the bidding process in Chrysler
occurred in a little more than a week, giving bidders insufficient time to perform due diligence or
obtain financing, thereby circumventing the protection that the market test is intended to provide).
208. See, e.g., Rose, supra note 22, at 280–83 (discussing the ability of the debtor to circumvent
an effective market test and to distort valuation requiring “intensified scrutiny”).
1. THE NECESSITY OF THE SALE/DEADLINE ANALYSIS
Courts, following Lionel, require the proponent of a § 363(b) sale to
provide “good business justification” for implementing the sale.209 In “time
is of the essence” cases, the need to effect a sale before the termination date
of the purchase contract, along with a showing that the sale is in the best
interests of the creditors, has been sustained as a sufficiently good
justification for the § 363(b) sale.210 This analysis requires that the sale
provide at least as much to creditors as a liquidation of the company’s
assets.211 Further, it must be shown that it is unlikely that a market test
would fetch a higher price for the company.212 Courts also require that the
sale be necessary, either by showing that the company will be unable to
secure financing to fund its bankruptcy213 or that the company is wasting
away in the bankruptcy process.214
When a “time is of the essence” justification is used, courts may lower
the scrutiny given to the factors provided in Lionel.215 The need to
implement a sale while there is a willing purchaser may pressure the parties
or the court to accept a sale.216 Further, due to the speed of many § 363(b)
sales, full inquiry into the facts of the bankruptcy or the terms of the sale
may not be possible.217 For these reasons, parties may invoke the
justification so their agreement will be subject to more relaxed review and
the sale will be more likely to proceed.
Research has shown that unsecured creditors and equity holders are
often placed in a worse position in a § 363(b) sale than they would be in a
plan confirmation.218 At the same time secured creditors and priority
creditors are often placed in a superior position, possibly due to their
involvement in the drafting of the sale agreement and also due to the money
saved by averting a drawn out bankruptcy.219 Because of the quick timeline,
209. In re Lionel Corp., 722 F.2d 1063, 1071 (2d Cir. 1983).
210. See, e.g., In re Chrysler LLC (Chrysler I), 405 B.R. 84, 96 (Bankr. S.D.N.Y. 2009)
(discussing how proponents of the sale made a showing that the sale was necessary for the
preservation of the estate, that no other purchasers were available even after extensive search and
that the creditors were receiving a large portion of the distribution just like in a liquidation).
211. 11 U.S.C. § 1129(7)(A)(ii) (2006).
212. See Chrysler I, 405 B.R. 84 (showing was made that there was an extensive search made
for purchasers and only Fiat was willing to be involved); In re General Motors Corp., 407 B.R.
463, 480–81 (Bankr. S.D.N.Y. 2009) (showing was made that there were no other purchasers
available and willing to acquire the company).
213. See, e.g., Chrysler I, 405 B.R. at 480.
214. See, e.g., Lionel, 722 F.2d at 1071.
215. See Rose, supra note 22, at 270–71 (“[T]he court is reluctant to scrutinize quick
transactions since a denial would risk irreparable diminished payouts to creditors.”).
216. See id. at 271.
217. See George W. Kuney, Misinterpreting Bankruptcy Code 363(f) and Undermining the
Chapter 11 Process, 76 AM. BANKR. L.J. 235, 279–80 (2002).
218. See id. at 275–80 (indicating that secured and priority creditors benefit from expedited
sales while other creditors are placed at a disadvantage).
219. See id.
limited access to information, and lack of involvement in the drafting of the
sale, it is questionable whether impaired parties can meaningfully object in
a “time is of the essence” § 363(b) sale hearing.220
The other major problem with a “time is of the essence” sale is that it
precludes an effective market test.221 Where urgency is present, market
participants either cannot formulate a bid or their offers will be rejected to
maintain a current secured offer.222
“Time is of the essence” sales are appealing for the purchasing party
because of this limited scrutiny and likely sale.223 However, the sale is
susceptible to abuse and increases the likelihood of “sweetheart” deals
accruing unfair benefits to the purchaser and insiders.224 A requirement that
the proponent of a “time is of the essence” sale show a compelling necessity
is needed to counteract the lack of a market test and limited ability of
creditors to object;225 the need for a quick sale should heighten scrutiny not
diminish it.
Courts should inquire into the efforts made to sell the company and
require disclosure of any offers for its purchase. This will be necessary to
not only analyze whether better offers are available but also what actions
were taken to sell the company and whether future offers are likely.226 If the
“drop dead date” is sufficiently far in the future, the market test should
supplement this showing. To make this showing, the proponent should
show that the debtor engaged in bidder shopping and establish that despite
the special privileges of § 363(b), a new purchaser would not come forward.
Review of the reason for the impending deadline, while not
dispositively establishing the credibility of the threat, may reveal an attempt
to subvert the system.227 If a “drop dead date” does not relate to a valid
business reason, the court should engage in or strengthen the substantive
review of the sale.
220. See Rose, supra note 22, at 260.
221. See discussion supra Part III.A.2.
222. See discussion supra Part III.A.2.
223. See, e.g., In re Enron Corp., 291 B.R. 39, 43 (S.D.N.Y. 2003) (vacating sale order of
Bankruptcy Court because it failed to adequately scrutinize the sales procedure and relied on the
“debtors' business judgment”).
224. See George W. Kuney, Hijacking Chapter 11, 21 EMORY BANKR. DEV. J. 19, 108–09
(2004).
225. See Rose, supra note 22, at 284 (analyzing the shortened timeframe and limited disclosure
in § 363(b) sales that hinder the ability of creditors to effectively object to the sale).
226. See, e.g., In re Chrysler LLC (Chrysler I), 405 B.R. 84, 90 (Bankr. S.D.N.Y. 2009)
(considering whether Chrysler was in discussions and negotiations for an alliance with multiple
manufacturers).
227. See Rose, supra note 22, at 280 (analyzing how debtor’s claim in Polaroid case received
the “maximum value” from the initial bid and that bidding should have been closed was debunked
by subsequent bids for nearly twice the value, thereby indicating possible insider and unfair
dealings).
2. INDEPENDENT COURT REVIEW FOR FRAUD AND SELF-DEALING
In “time is of the essence” § 363(b) sales, review by creditors is limited,
full disclosure is ineffective or impossible, and a market test is effectively
avoided.228 As such, procedural impediments to abuse are rendered
ineffective. In order to instill credibility and deter abuse, the sale agreement
must be subject to review by the courts; this provides a reasonable, though
imperfect, substitute for a market test.229
The court or the United States trustee should independently review
“time is of the essence” sales to ensure against fraud. Finding that the terms
are fair and not the product of abuse will prevent insiders selling to the
purchaser for below market value in return for side benefits.230 The mere
fact of the review may also deter parties from engaging in side dealing or
“sweetheart deals” because the court will be aware of and look for such
favorable terms.
First, in much the same way that disclosure requirements in areas such
as securities law deter fraud and self-dealing, court review should deter
proponents of § 363(b) sales from engaging in abuse.231 This “substantive
fairness”232 review will not likely affect results that are at the margin of
reasonable purchases, but it may reveal abuse in egregious cases.
Second, the substantive review may provide insight into the bidding
process and increase the likelihood that another purchaser will come
forward.233 This information can be evaluated along with the record
provided by the § 363(b) proceedings to supplement an analysis of the
sale’s necessity. If a plan seems “too good to be true,” the court may require
the sale to be pushed back and a market test ordered.
228. See discussion supra Part III.B (discussing how the shortened time frame of “time is of the essence”
sales precludes meaningful opposition).
229. Courts have, on occasion, instituted substantive review of § 363(b) sales to ensure against
self-dealing, undervaluation and other abuses. See, e.g., In re Enron Corp., 291 B.R. 39, 41–43
(S.D.N.Y. 2003); In re Bidermann Indus. U.S.A., Inc., 203 B.R. 547, 552–54 (Bankr. S.D.N.Y.
1997) (finding that leveraged buyout agreement could not be approved due to conflicts of interest,
self-dealing, and improper bidding procedures).
230. See LoPucki & Doherty, supra note 22, at 32–33 (finding that in eleven out of thirty
studied reorganizations, the CEO of the selling company was able to secure a side benefit, such as
severance payments, continued employment or a paid consulting position).
231. See generally Bernard S. Black, The Legal and Institutional Preconditions for Strong
Securities Markets, 48 UCLA L. REV. 781, 808–09 (2001) (discussing disclosure requirements
that facilitate discovery, review, and regulation of self-dealing transactions).
232. See id. (discussing how in securities regulation, review by independent parties such as
independent corporate directors, regulators, and judges deters self-dealing and illicit transactions
and promotes correction through channels such as shareholder derivative suits).
233. See Rose, supra note 22, at 281–82 (discussing how the ability of debtors or purchasers to
manipulate market forces through deal protection fees, limited release of information, and limited
bidder participation requires judicial oversight to ensure proper valuation of assets).
While such review cannot replace a market test, this heightened
scrutiny will facilitate the bankruptcy judge’s power in such emergency
situations to prevent or at least limit abuse.
CONCLUSION
The Chrysler and General Motors cases indicate that the use of §
363(b) sales is important and relevant.234 The impact of these sales will be
felt widely in bankruptcy proceedings, out-of-court workouts, and in
corporate meetings throughout America.235
Commercial transactions operate in the “shadow of the law”236 and it
remains unclear what impact the automotive bankruptcies will have on
commercial decisions in the future. However, lenders—such as those that
were negatively impacted by the two companies filing for bankruptcy and
resorting to § 363(b) sales—are vital to a thriving economy;237 they take
into account the risks associated with businesses filing for bankruptcy and
allocate future capital accordingly.238 Even assuming that creditors in the
General Motors and Chrysler cases were provided with as large of a payout
as they would have received in a plan confirmation, their loss of control
over the process may have had a negative impact on lenders generally and
may chill lending to distressed or even healthy businesses.239 This, coupled
with concerns over abuse, fraud, and self-dealing, provides a compelling
reason to safeguard creditors and curtail the use of § 363(b) sales.240
234. See Adler, supra note 14, at 305–06 (discussing the precedential impact of the Chrysler
and General Motors cases).
235. See Roe & Skeel, supra note 177, at 770 (“The unevenness of the compensation to prior
creditors [in Chrysler] raised considerable concerns in capital markets.”).
236. See generally Robert H. Mnookin & Lewis Kornhauser, Bargaining in the Shadow of the
Law: The Case of Divorce, 88 YALE L.J. 950 (1979) (discussing divorce law, providing an in
depth analysis of the effect of laws on private decisions, and detailing the phenomenon of society
functioning in the “shadow of the law”).
237. Barack H. Obama, President, United States, Remarks to Joint Session of Congress (Feb.
24, 2009), http://www.whitehouse.gov/the_press_office/Remarks-of-President-Barack-ObamaAddress-to-Joint-Session-of-Congress.
[T]he flow of credit is the lifeblood of our economy. The ability to get a loan is how
you finance the purchase of everything from a home to a car to a college education;
how stores stock their shelves, farms buy equipment, and businesses make payroll. . . .
When there is no lending, families can’t afford to buy homes or cars. So businesses are
forced to make layoffs. Our economy suffers even more, and credit dries up even
further.
Id.
238. See generally Robert K. Rasmussen, Behavioral Economics, the Economic Analysis of
Bankruptcy Law and the Pricing of Credit, 51 VAND. L. REV. 1679 (1998).
239. See Adler, supra note 14, at 311 (“[W]hen the bankruptcy process deprives a creditor of its
promised return, the prospect of a debtor's failure looms larger in the eyes of future lenders to
future firms.”).
240. See Rose, supra note 22, at 284.
Fraudulent § 363 preplan business sales undermine the principles and policies that
govern our bankruptcy system. In evaluating the impact of these § 363 preplan business
sales, we must recognize what is at stake. The finality of the sales, the integrity of the
bankruptcy system, and the people that are harmed by sweetheart deals and
management's greed justify a substantial limitation on the process and opportunity of §
363 preplan business sales.
Id.
On the other hand, § 363(b) sales provide undeniable benefits to
struggling businesses and their stakeholders.241 A solution that combines
these benefits—such as speed and efficiency—with the plan confirmation’s
democratic protections can improve the system by protecting creditors
without limiting the bankruptcy judge’s discretion.242 Providing a
meaningful, robust market test will contribute to such improvement. The
market test helps to ensure that the price paid for the business is fair, that
there is no inside dealing, and that creditors are benefited by the sale.243 If a
market test is impractical because “time is of the essence,” heightened
scrutiny of the sale will safeguard against the same factors and work to
prevent the abuse of creditors.244
While this proposal is not presented as a panacea for the bankruptcy
system, or even for all of the problems associated with § 363(b) sales, it
intends to demonstrate that the debate between proponents of Chapter 11
plan confirmations and those of § 363(b) sales should not be viewed as an
either/or conflict. Both processes have a great deal to offer a distressed
business and its creditors; both also have significant drawbacks, not only to
the debtor and creditors, but to the system.245 By crafting a solution that
attempts to take advantage of the best aspects of each, the parties, the
system, and the community at large all benefit.
However, such a solution raises problems and questions of its own.
How does a court determine whether the period for the market test is
adequate? When proposed sales differ by terms other than price, who
decides which plan is superior and what criteria are used? Under what
circumstances should a market test be found to be cost prohibitive? Further
inquiry is also necessary to assess whether the tradeoffs of disclosure—
including deterring possible purchasers—will be outweighed by the benefits
of deterring abuse and having parties analyze the transaction. Nor does the
proposal alleviate a judge’s concern about the risk of, or fear of, denying a
“time is of the essence” sale. Further, such a proposal will not prevent parties from
241. See discussion supra Part II.
242. Multiple provisions in the Bankruptcy Code demonstrate the necessity of granting
bankruptcy judges wide discretion in their duties, including the ability to order a sale with limited
appealability under § 363 or the inherent equitable powers granted to the court in § 105. See 11
U.S.C. §§ 105, 363 (2006).
243. See discussion supra Part III.A.
244. See discussion supra Part III.B.
245. See discussion supra Part II.
attempting to “game the system”246 by creating innovative solutions to
benefit themselves at the expense of others.
Even if a perfect solution is unattainable, the project is still a worthy
one. Improving the bankruptcy system and what it stands for, as attorneys,
academics, Congress, and the courts have been doing for two centuries, is
reason enough to continue to search for solutions for new problems as they
arise. Perhaps by improving the system, perfection may be achieved, for in
the words of Sir Winston Churchill, “[t]o improve is to change; to be
perfect is to change often.”247
Gennady Zilberman*
246. See JAMES B. RIELEY, GAMING THE SYSTEM: HOW TO STOP PLAYING THE
ORGANIZATIONAL GAME, AND START PLAYING THE COMPETITIVE GAME xii–xiii (2001). Gaming
the system refers to a process in which an individual uses the rules and procedures of a system for
self benefit and in a way in which they were not intended. See id. (describing how players
attempting to subvert the system by following the letter of the law while going against its spirit
provides for detrimental long term effects).
247. STEPHEN MANSFIELD, NEVER GIVE IN: THE EXTRAORDINARY CHARACTER OF WINSTON
CHURCHILL 118 (George Grant ed., 1995).
* B.A., New York University, 2007; M.A., New York University, 2008; J.D. candidate,
Brooklyn Law School, 2011. All my thanks to Joseph Antignani, Allegra M. Selvaggio, Samuel J.
Gordon, and Daniel R. Wohlberg for their guidance throughout the research and writing process.
Special thanks to Professor Edward Janger and Dean Michael Gerber for their inspiration and
assistance. I would also like to extend my appreciation to Steven Bentsianov, Robert Marko and
the entire Brooklyn Journal of Corporate, Financial & Commercial Law editorial staff. And
finally, to my family, thank you all for your unwavering support.