Consumer Data Violations
Transcription
Consumer Data Violations
Presenting a live 90‐minute webinar with interactive Q&A Emerging Class Action Threat: Consumer g g Personal Identification Data Violations Strategies to Minimize Litigation Risks and Maximize Insurance Coverage THURSDAY, MAY 26, 2011 1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific T d ’ faculty Today’s f l features: f Donna L. Wilson, Partner, Buckley Sandler, Santa Monica, Calif. Patrick N. Keegan, Member, Keegan Baker, Carlsbad, Calif. Linda D. Kornfeld, Partner, Jenner & Block, Los Angeles The audio portion of the conference may be accessed via the telephone or by using your computer's speakers. Please refer to the instructions emailed to registrants for additional information. If you have any questions, please contact Customer Service at 1-800-926-7926 ext. 10. Conference Materials If you have not printed the conference materials for this program, please complete the following steps: • Click on the + sign next to “Conference Materials” in the middle of the lefthand column on your screen. screen • Click on the tab labeled “Handouts” that appears, and there you will see a PDF of the slides for today's program. • Double click on the PDF and a separate page will open. • Print the slides by clicking on the printer icon. Continuing Education Credits FOR LIVE EVENT ONLY For CLE purposes, please let us know how many people are listening at your location by completing each of the following steps: • Close the notification box • In the chat box, type (1) your company name and (2) the number of attendees at your location • Click the blue icon beside the box to send Tips for Optimal Quality SSound d Quality Q lit If you are listening via your computer speakers, please note that the quality of your sound will vary depending on the speed and quality of your internet connection. If the sound quality is not satisfactory and you are listening via your computer speakers, you may listen via the phone: dial 1-866-869-6667 and enter your PIN when prompted prompted. Otherwise Otherwise, please send us a chat or e-mail e mail [email protected] immediately so we can address the problem. If you dialed in and have any difficulties during the call, press *0 for assistance. Viewing Quality To maximize your screen, press the F11 key on your keyboard. To exit full screen, press the F11 key again. again Legal Counsel to the Financial Services Industry Emerging Class Action Threat: Consumer Personal Identification Data Violations: Strategies to Minimize Litigation Risks and Maximize Insurance Coverage D Donna L L. Wilson Wil May 26, 2010 THE PRESENTERS 6 Donna L L. Wilson of BuckleySandler LLP with the defense perspective dwilson@buckleysandler com [email protected] (424) 203-1010 Patrick N. Keegan of Keegan & Baker, LLP with ith th the plaintiff l i tiff perspective ti [email protected] (858) 558 558-9400 9400 ABOUT DONNA L. WILSON Donna L. Wilson is a partner in the Los Angeles office of BuckleySandler LLP, where she leads the Firm’s West Coast litigation practice. Ms. Wilson represents all forms of traditional and non-traditional financial services providers, including banks, mortgage companies, national retailers, franchisors, telecommunications and media companies, in a variety of privacy and information security, fair credit and state unfair and deceptive trade practice matters. In addition, Ms. Wilson assists corporate and individual policyholders in obtaining coverage in disputes ranging from individual directors/officers f defense for f costs, claims for f coverage for f alleged privacy and data breaches, as well as defense and liability costs for mass torts such as lead pigment and asbestos. Regardless of the context, Ms. Wilson’s unique experience litigating on behalf of plaintiffs -- including class action and corporate plaintiffs – leads to a non-linear litigation approach that offers efficiency and creativity. Ms. Wilson writes and lectures extensively on class action litigation, privacy and data breach issues, and insurance coverage. P i tto jjoining Prior i i B BuckleySandler, kl S dl M Ms. Wil Wilson was th the co-chair h i off the th Consumer C Financial Fi i l Services group at Kelley Drye & Warren LLP, and a litigator in its Privacy and Data Security Group. She also was a founding partner of that firm’s Insurance Recovery Group. 7 ABOUT PATRICK N. KEEGAN Patrick Keegan, the co-founder and managing partner of Keegan & Baker, LLP, has worked on numerous class actions in which he acted as lead or co-lead counsel on behalf of a p plaintiff class resulting g in significant g recoveries. He has specialized in complex commercial litigation, including securities, antitrust and consumer fraud litigation, and has successfully handled numerous complex commercial litigation matters. For example, Mr. Keegan was retained as post-trial defense counsel several days after a jury verdict was rendered against our client in the amount of approximately $24 million dollars (an $18 million dollar jury award and an attorneys fees motion for approximately $6 million dollars dollars, which we were successfully able to avoid) avoid). The award in that matter, entitled FF Orthotics Corp, Inc., et al. v. Good Feet, et al., Case No. GIC 791494, California Superior Court, San Diego County, (Judge Fredric Link) was grounded in antitrust violations, franchise law violations and unfair business practices violations. By virtue of the post trial work and the subsequent settlement negotiations (which included 11 plaintiffs), we were able to reduce the judgment to $4.25 million, paid over time, which allowed the individual defendants/shareholders to retain ownership of the defendant corporations p and ultimately y remove the defendant corporations p from receivership. p The defendant entities are currently again selling franchises nationwide and are in the process of expanding globally. Mr. Keegan has also acted as co-class counsel and co-trial counsel, in a class action entitled Jason A. Park v. Cytodyne Technologies, Inc., Case No. GIC 768364, California Superior Court, San Diego County, (Judge Ronald L. Styn), asserting false advertising claims under the Unfair Competition Laws (Ca Business and Professions Code Sections 17200 and 17500) and the Consumer Legal Remedies Act (Ca (Ca. Code Civil Section 1750), brought a successful motion for class certification and obtained a judgment of $12,536,820.00 in restitution and additional prohibitive injunctive relief on behalf of the certified class after a 7 week trial in 2003. Mr. Keegan has also represented numerous parties in arbitrations before the National Association of Securities Dealers and American Arbitration Association. 8 THE SONG-BEVERLY CREDIT CARD ACT Cal Civ Cal. Civ. Code § 1747.08: 1747 08: – – – – – What is the purpose? What does it forbid? What is “personal identification information”? Civil penalties up to $1 $1,000 000 per violation: No aggregate cap Exceptions p 9 Bona fide error Others EVOLUTION OF SONG-BEVERLY Enacted in 1971 Prior to 1991: only prohibited requiring cardholder to provide personal identification information as a condition to accepting a credit card – 10 Did not forbid requesting personal information from a credit card user, and the user voluntarily providing the information EVOLUTION OF SONG-BEVERLY (cont ) (cont.) 1991 amendment: added language prohibiting requesting consumer personal information “as a condition to” accepting p g the credit card as payment for goods or services – – 11 Amendment designed g to “clean up” p and “clarify” y the statute, not exponentially expand its reach Purpose was to clarify that persons “may neither require nor request, request as a condition to accepting the credit card, the taking or recording of personal identification information from the cardholder” EVOLUTION OF SONG-BEVERLY (cont ) (cont.) Threshold issue: Does Song-Beverly g y apply pp y to mere requests for information, even where the consumer is told that the information is not required? – The “misplaced” misplaced comma: Plaintiffs contend that the 1991 amendment expanded scope of liability by prohibiting the requiring of information “as a condition to accepting the credit card” card AND any and all requests for personal identification information from cardholders – Florez v. Linens n’ Things, 108 Cal. App. 4th 447 (2003) – But see the Florez court’s note that nothing prevents a retailer from soliciting a customer’s address and telephone number for a store’s mailing list, if that information is provided voluntarily 12 EVOLUTION OF SONG-BEVERLY (cont ) (cont.) Plaintiff’s view is contrary to: – Legislative history – First Amendment rights to free speech and free association – Statutory interpretation Absher v. AutoZone, Inc., 164 Cal. App. 4th 332 (2008) TJX Companies, Inc. v. Sup. Ct., 163 Cal. App. 4th 8 (2008) Notably other state statutes prohibit requests for personal Notably, information only as a condition to credit card transactions. For example: – DC Code § 47-3153 47 3153 – 11 Del. Code § 914 – Minn. Stat. Ann. § 325F.982 13 CERTAIN KEY DECISIONS UNDER SONG-BEVERLY No right g to jjury y trial ((Shabaz v. Polo Ralph p Lauren Corp., p, 586 F. Supp. 2d 1205 (C.D. Cal. 2008)) No private right of action for injunctive relief (Korn v. Polo Ralph Lauren Corp., 644 F. Supp. 2d 1212 (E.D. Cal. 2008)) Range of penalty could span between “the the proverbial peppercorn” to the maximum amounts authorized by the statute (TJX Companies) One year statute of limitations (TJX Companies) Does not apply to return or Internet transactions 14 IS A ZIP CODE PII? Party City Corp. v. Sup. Ct., 169 Cal. App. 4th 497 (2008): – Pineda v. Williams-Sonoma Stores,, Inc.,, 178 Cal. App. pp 4th 714 (2009): Followed Party City – 15 ZIP code is “group identifier about location,” not “ “personalized li d or iindividual di id l id identification tifi ti iinformation f ti within ithi the statutory terms” ZIP code is not personal identification information within th meaning the i off § 1747.08(b) 1747 08(b) even where h it iis requested t d for the purpose of reverse data mining to obtain customer’s address IS A ZIP CODE PII? (cont.) Pineda v. Williams-Sonoma Williams Sonoma Stores, Inc., 51 Cal. 4th 524 (2011): – – – – – 16 A Zip code constitutes PII and, thus, “requesting and recording di a cardholder’s dh ld ’ ZIP code, d without ith t more, violates” i l t ” § 1747.08 § 1747.08 is remedial, and should be liberallyy construed A ZIP code is similar to specified types of PII in § 1747.08(b) (telephone and address) Is unnecessary to sales transaction Construction of §1747.08 is retroactive THE EXPLOSION OF CLASS ACTIONS AFTER PINEDA Well over 100 cases filed in California courts since Pineda alleging § 1747.08 1747 08 violations based on ZIP code requests, including actions against: -Alin Party Supply Co. -Crate & Barrel -Lamps Plus -Pier 1 Imports -Tesoro -Anna Anna’s s Linens Destination Maternity -Destination Lenscrafters -Lenscrafters Pottery Barn -Pottery Thrifty Oil -Thrifty -Anthropologie -The Dressbarn -Lids/Hat Zone -Radio Shack -Tiffany and Company -Avenue -Estee Lauder -Lowe’s -REI -T.J. Maxx -Bath and Body Works -Eurostar -Macy’s -Redbox -Toys “R” Us/Babies “R” Us -Bed Bath & Beyond y -ExxonMobil -Maidenform -Restoration Hardware -Trader Joe’s -Bedrock Oil -Fry’s Electronics -Marshalls -Ross Stores -Urban Outfitters -Best Buy -GNC -Michaels Stores -Sephora -Victoria’s Secret -Big 5 Sporting Goods -Genesco -Nike -Shell -Vons -Big Lots Stores -Home Depot -Nordstrom -Sport Chalet -Wal-Mart -Body Shop -Homegoods -Oakley -Sunglass Hut -Whole Foods Market -Brookstone -IKEA -Office Depot -Sur La Table -Williams-Sonoma -Chevron -J.C. Penney Co. -Officemax -Target -West Elm -Coach -Journey -Old Navy -The Children’s Place -Wolverine Worldwide -Cole C l Hahn H h -Kmart K t P t A American/Party i /P t City Cit -Party Th Container C t i Store St -The -ConocoPhillips -Kohl’s -Paypal -The Gap -Cost Plus -Lacoste -Pearle Vision -The Pepboys 17 AFTER PINEDA New actions extend beyond traditional person-to-person transactions: – “Pay Pay at the Pump” Pump Machines – Self Service Kiosks Self-Service 18 Flores v. Chevron Corp. et al. Dulce v. Bedrock Oil, Inc. et al. Schiff v. Redbox Automated Retail LLC AFTER PINEDA (cont.) What about use of Zip codes for anti-fraud purposes? – Potential legislative limitation on Pineda: 19 AB 1219 is intended to amend § 1747.08 1747 08 to “recognize recognize . . . legitimate business practices designed to address the increased potential for identity theft that results if the cardholder is not present or if the credit card does not function correctly” Would expand the exclusions enumerated in § 1747.08(c) to include when information is used “solely solely for prevention of fraud, theft, or identity theft” WHAT’S NEXT? Does Section 1747.08 apply to e-mail addresses? – How about to on-line transactions? – – 20 See Meherens v. Redbox Automated Retail, LLC., No. BC455418 (Sup. Ct. Los Angeles) (alleging defendant “requested and/or required Plaintiff to provide his ZIP code and e-mail address . . . .”)) Boorstein v. Paypal, Inc. and Boorstein v. Amazon.com, Inc. (using Pineda to argue § 1747.08 applies to online transactions if the retailer requests information “unnecessary unnecessary to the sales transaction” that, alone or together with other data (e.g., cardholder’s name or credit card number) can be used for the retailer’s business purposes) B t see Saulic But S li v. S Symantec t C Corp., 596 F F. Supp. S 2d 1323 (C.D. (C D Cal. 2009) (holding that because, like a refund transaction, an “online transaction raises fraud concerns,” online transactions are not encompassed within §1747.08) WHAT’S NEXT? (cont.) 21 Has Pineda created a colorable claim that reverse data mining and similar practices alone constitute an invasion of privacy outside of the Song-Beverly context? Does a phone look up during a transaction constitute a violation of § 1747.08? How should a retailer proceed with respect to a loyalty or disco nt program? discount What is a transaction and when does it begin and end? What can a retailer do to achieve its business objectives j and minimize its compliance and litigation risks? Consumer P C Personall ID D Data t Violations: Vi l ti Class Action Threats—Insurance Considerations May 26, 2011 Linda Kornfeld Jenner & Block [email protected] (213) 239-5176 WHICH POLICIES MAY APPLY? • Critical first step: p collect and review ppotentiallyy applicable policies – General Liability – Errors & Omissions Coverage – Directors & Officers Liability 23 24 24 CGL Policies: Is There a Potential For C Coverage? ? • Most courts that have dealt with coverage for use, collection or distribution of “personal information” have done so in FACTA context under CGL policies. • Is the “personal injury” or “advertising injury” g ppotentiallyy triggered? gg coverage 25 What is Covered? • “Oral or written publication, in any manner, of material that violates a person’s right of privacy.” • Does the claim involve some form of “publication”? • Does the claim involve a “privacy” violation? 26 “Publication”? Publication ? • What is required to constitute “publication”? – Some form of public dissemination? – Term not defined in many policies. – “in any manner” language allows for broad interpretation—courts p have concluded that credit card receipts provided only to customers constituted “publication.” 27 Violation of a “Right Right of Privacy”? Privacy ? • “Privacy” often is not defined in CGL policies • “Where Where an insurance policy does not define privacy privacy” policy can be broadly interpreted “to include aspects of privacy protected by…privacy by privacy statutes statutes.” – Song Beverly intended to protect “privacy” interests – In FACTA context “privacy” requirement satisfied even though g customer voluntarilyy pprovided information. 28 Song Beverly Claims Should “Trigger” Coverage • Prima facie, coverage should be triggered – “Publication” Publication by making customer ZIP code information available both internally and potentially to other businesses. – Such “publications” allegedly violate customer “privacy interests ” interests. – Many complaints include an express cause of action for invasion of privacy 29 CGL POLICY EXCLUSIONS “Statutory” Statutory Exclusions • Typically exclude “Personal Injury… arising directly or indirectly out of any action or omission that violates or is alleged to violate: …any statue, ordinance or regulation…that prohibits or limits the sending transmitting sending, transmitting, communicating comm nicating or distribution distrib tion of material or information.” • Insurers assert as a broad-based excuse to avoid coverage 31 Statutory Exclusion, Exclusion Con Con’tt • Carefully read the underlying complaint – What if it solely alleges that you “requested requested and recorded” customer’s zip code information? – Does that constitute “sending, transmitting communicating or distributing”? – What if in addition to alleged statutory violations the complaint also contains a common law privacy claims? 32 “Knowing” Infliction of Personal or Ad ti i Injury Advertising I j Exclusion E l i • Excludes “personal and advertising injury” “arising out of an offense committed by . . . the insured with the expectation of inflicting personal and advertising injury.” • Requires a fact-based analysis. • What level of “expectation” or “intent” is sufficient? • Argue against impact on payment of defense fees. fees 33 Amounts Spent for “Excluded” Excluded Claims • What happens to the duty to defend when the complaint includes both covered and excluded claims? What if multiple lawsuits are filed and some include covered claims and others do not? • If some claims or complaints are covered and p to address allegedly g y “excluded” claims moneyy spent “benefits” covered claims, you may have coverage for all defense fees expended in all actions. 34 Errors & Omissions Coverage • Policyholders should also review E&O policies – Cover “claims” for allegations of “professional” misconduct – Must act within “professional” capacity as defined by p y policy – Some cover “damages arising from violation of ‘privacy laws laws” 35 What constitutes a “claim”? claim ? • Need a demand for “something,” often money. • Lawsuit clearly meets the standard. standard 36 Duty to “advance” advance defense fees • “Potentiality” standard • “Prior Prior to final adjudication adjudication”—the the “timing” timing question 37 “Penalty” Penalty Exclusions • Some E&O ppolicies exclude “fines” or “penalties.” p • Review underlying complaint: does it also seek “damages”? Attorney’ss fees? Pre or post judgment interest? Attorney • What is the true nature of the claimed “fine” or “penalty”? • Argue that, in privacy context, statutory damages are not a “penalty,” but rather a recognition that damage caused by privacy violation is difficult to calculate. Therefore, legislature uses statutory damages to act as a proxy. 38 Directors & Officers Coverage • Covers certain claims for “wrongful acts, errors or omissions” by company and its executives • If executives are claimed to have known that there was an issue before Pineda court ruled and did not modify behavior, coverage may apply • If executives are not sued, policy must have “entity coverage” that applies beyond “securities” claims 39 • In light of Pineda and other lawsuits is there potential lawsuits, exposure requiring notice? • Do prior policies have less restrictive exclusions? 40 Conclusion • Carefully read complaints • Carefully read all policies • Perform ppolicyy audits at time of renewal and attempt p to negotiate to increase protection 41