California Court Rejects Class Action Based on Data Collection for PII Aggregation Purposes
On Friday, the California Court of Appeal, Fourth Appellate District, certified for publication its October 8 opinion in Pineda v. Williams-Sonoma, the most recent in a string of decisions regarding California's Song-Beverly Credit Card Act of 1971, California Civil Code § 1747.08. At first glance, Pineda appears uneventful. The Court merely reiterated its December 2008 holding in Party City v. Superior Court, 169 Cal.App.4th 497 (2008), that zip codes are not personal identification information for purposes of the Act, right? Not so fast. In fact, the Pineda court added a couple of new wrinkles that are worth a second look. First, the court reaffirmed its Party City holding even though Pineda specifically alleged that Williams-Sonoma collected the zip code for the purpose of using it and the customer's name to obtain even MORE personal identification information, the customer's address, through the use of a "reverse search" database. Second, the court held that a retailer's use of a legally obtained zip code to acquire, view, print, distribute or use an address that is otherwise publicly available does not amount to an offensive intrusion of a consumer's privacy under California law.
The Song-Beverly Credit Card Act prohibits retailers that accept credit cards from requesting and recording "personal identification information" concerning the cardholder. The statute defines "personal identification information" (sometimes referred to as "pii") as "information concerning the cardholder, other than information set forth on the credit card, and including, but not limited to, the cardholder's address and telephone number." Cal. Civ. Code § 1747.08(b). As noted above, the Fourth Appellate District held last December that zip codes are not, as a matter of law, pii for purposes of the Act. So, why the need for a new published opinion on the subject?
Here, Pineda alleged that the retailer at issue collected zip codes in order to search databases and gather even more pii about the individual. Specifically, Pineda alleged Williams-Sonoma used "customized computer software to perform reverse searches from databases that contain millions of names, e-mail addresses, residential telephone numbers and residential addresses, and are indexed in a manner that resembles a reverse telephone book," and that the software matched her name, zip code or other personal information with her previously unknown address. Pineda further alleged that Williams-Sonoma then maintained all this information in a database.
Pineda filed what has become the typical Song-Beverly Credit Card Act putative class action, alleging claims for violation of California's infamous Business & Professions Code section 17200 (California's unfair business practices act) and for invasion of privacy.
The Fourth Appellate District affirmed the trial court's ruling sustaining Williams-Sonoma's demurrers to Pineda's claims.
First, with respect to the Song-Beverly Credit Card Act, the court rejected Pineda's argument that Party City was distinguishable because there was no evidence in that case showing that the defendant used the collected zip codes to obtain its customers' addresses:
. . . the Party City court was well aware of the allegation that the defendant used the collected zip codes to locate individuals before it concluded, as a matter of law, that a zip code did not constitute "personal identification information" within the meaning of the Act.
Simply put, the Act either allows a retailer to ask customers for a zip code or it prohibits this conduct. The Party City court concluded, and we agree, that the Act does not prohibit this conduct. Although Pineda asserts a zip code should be covered by the Act because existing technology allows any company or person to locate an individual based on the individual's name and zip code, this argument is best presented to the Legislature.
(Italics in original; emphasis added.)
Second, the court examined and rejected plaintiff's claim that Williams-Sonoma's conduct constituted an illegal intrusion into her privacy, finding no allegations (a) that her home address was not otherwise publicly available or (b) of any efforts she made to keep her address private:
Without such facts, using a legally obtained zip code to acquire, view, print, distribute or use an address that is otherwise publicly available does not amount to an offensive intrusion of her privacy.
. . . Even assuming Pineda had [alleged Williams-Sonoma had sold her home address to third parties for profit], we fail to see how selling an address that is otherwise publicly available amounts to "an egregious breach of the social norms underlying the privacy right." . . .
Additionally, . . . the complaint contains absolutely no facts showing the extent and gravity of the alleged invasion of privacy. Under the facts alleged, the disclosure of Pineda's address amounted to a trivial invasion of her assumed privacy interest.
(Emphasis added.)
Bottom line - it is not surprising that, given the extent of already publicly available information about individuals (including home address, phone number, etc.) available in databases and online, and the difficulty of establishing harm, plaintiffs continue to encounter difficulty in pursuing purported claims for invasion of privacy beyond the demurrer, motion to dismiss, or summary judgment stage.
The more difficult question, and the subject of a future blog post, is the extent to which individuals understand that the information they regularly share online or in other contexts becomes forever public (see, e.g., NPR's recent interview with Professor Viktor Mayer-Schonberger about social media and what he calls the "temporal Panopticon"). Stay tuned for more on that front.
Merchant Liability for "Time and Effort" Following Security Breach?
The Hannaford saga continues, with possible civil liability implications for retailers.
Earlier this year, a federal judge in Maine dismissed almost all claims in the consolidated class action lawsuit against Hannaford Brothers Co. (In re Hannaford Bros. Co. Customer Data Security Breach Litigation, MDL No. 2:08-MD-1954, USDC Maine). Hannaford had millions of payment card records hacked in 2007 and 2008. Judge Hornby ruled that the common law in Maine allows consumers to seek restitution only for unreimbursed fraudulent charges on their credit or debit cards. Since the card issuers reversed the fraudulent charges under their “zero-liability” policies, the cardholders suffered only “collateral consequences” such as the time and effort involved in changing cards and accounts, monitoring for fraud, and dealing with banks, merchants, and others following notice of the breach. Judge Hornby did not believe such collateral harms were cognizable injuries under state law.
This week the judge reversed that decision and certified to the Maine Law Court (the highest court in the state) the following question:
“Do time and effort alone, spent in a reasonable effort to avert reasonably foreseeable harm, constitute a cognizable injury under Maine common law?”
That question might well be raised in many states that, like Maine, require some form of “economic loss” to sustain an action for negligence. The answer from the Maine Law Court could be an important precedent. So far, plaintiffs in the United States have generally been unsuccessful in pursuing claims against merchants based on fear of identity theft and incidental expenses to protect against it, following a security breach incident. “Lost time and effort” may not be worth a great deal in damages to any single cardholder, but if Maine allows such claims to proceed, a class action with millions of class members could make “time and effort” claims daunting, as well as allowing plaintiffs to sustain an action in which emotional distress can also be asserted as grounds for damages.
This development should serve as an additional spur for retailers to take precautions against the kinds of attacks that resulted in Hannaford’s data losses. Adherence to applicable security guidelines, prominently the Payment Card Industry Data Security Standard (PCI DSS), will go far to avoid such incidents and protect a company from fines and civil liability as well. The Hannaford hackers, one of whom is now in jail, used SQL injection to plant malware in the merchant’s servers. This is hardly a new technique, and it is one that retailers may be held accountable for neglecting.
In 2008 Hannaford, which operates more than 150 grocery stores in New York and New England, announced that its payment card processing servers had been hacked for several months, exposing millions of payment card records and resulting in thousands of fraud investigations in the Northeast. In August this year, a federal grand jury in Newark, New Jersey indicted a 28-year-old Florida hacker named Albert Gonzalez (formerly an informant for the US Secret Service) and two unnamed persons living “in or near Russia” as conspirators who allegedly carried out the Hannaford hack and several others, including massive attacks on Heartland Payment Systems and the 7-11 retail chain. Gonzalez is already awaiting trial on charges in connection with the TJX hack in 2007. Altogether, the ring is accused of stealing data on more than 130 million credit cards and debit cards. According to the TJX and Hannaford/Heartland indictments, the hackers used several methods, but primarily SQL injection, to gain access to the target networks and install sniffer malware that intercepted card details and transmitted them to computers controlled by the hackers.
The Federal Trade Commission has publicly taken the position that SQL attacks are “commonly known or reasonably foreseeable” (see, for example, the FTC Complaint against Guess?, Inc., and the FTC’s press release concerning Life is good, Inc.). Thus, the FTC has fined retailers following such attacks and in some cases entered consent orders imposing additional sanctions and requirements. This makes it relatively easy to assert negligence in a civil action on behalf of a class of cardholders following a successful SQL attack.
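To show why SQL injection is treated as "commonly known or reasonably foreseeable," here is an added illustration (not code from the Hannaford case or from any party to it) of the defect in its simplest form beside its standard fix. It uses Python's built-in sqlite3 module and a constructed, hypothetical order-lookup table; the tainted input is the textbook tautology that any introductory secure-coding guide covers.

```python
import sqlite3

# Constructed sample rows standing in for a merchant's order-lookup table.
# Card values are masked placeholders, not real numbers.
SAMPLE_ROWS = [
    ("ORD-1001", "alice@example.com", "4111********1111"),
    ("ORD-1002", "bob@example.com", "5500********0004"),
    ("ORD-1003", "carol@example.com", "3400******00009"),
]


def build_db():
    """Create an in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (order_id TEXT, email TEXT, card_masked TEXT)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, order_id):
    """The defect: untrusted input is spliced into the SQL text, so the
    database parses the caller's string as part of the query."""
    sql = f"SELECT order_id, email FROM orders WHERE order_id = '{order_id}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, order_id):
    """The fix: a bound parameter is passed to the driver as a value and is
    never interpreted as SQL, whatever characters it contains."""
    sql = "SELECT order_id, email FROM orders WHERE order_id = ?"
    return conn.execute(sql, (order_id,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    tainted = "' OR '1'='1"
    # The vulnerable lookup returns every row; the parameterized one returns none.
    print("vulnerable:", lookup_vulnerable(db, tainted))
    print("parameterized:", lookup_parameterized(db, tainted))
```

The same input yields the whole table from the vulnerable lookup and nothing from the parameterized one, which is the entire difference a negligence claim would turn on.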