9th Circuit: SB-1 Is Either Preempted...Or Not
California’s Financial Information Privacy Act (Fin. Code §4050) (better known as "SB-1") departed from the Gramm-Leach-Bliley Act because it required customer "opt-in" consent when financial institutions share nonpublic customer information with non-affiliates, and "opt-out" choice to share such information with affiliates. In June, the Ninth Circuit held that SB-1 is preempted as to affiliate sharing. (See American Bankers Association v. Gould, 412 F.3d 1081 (9th Cir. 2005).) Or did it? Let’s take a look.
On the one hand, the court held that SB-1 is preempted to the extent the law applies to information shared between affiliates concerning consumers’ "credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living" that is used, expected to be used, or collected for the purpose of establishing eligibility for "credit or insurance," employment, or other authorized purpose. That goes further than the district court, which had ruled that SB-1 was not preempted in any respect. On the other hand, the Ninth Circuit remanded, and instructed the district court to decide which SB-1 affiliate-sharing provisions survive preemption. The plaintiffs have now moved for judgment, arguing that there is nothing in SB-1 that isn’t preempted. The hearing is set for mid-September.
Practice Tip: ABA v. Gould could be a compliance headache. An institution might have different "bundles" of customer information, each subject to a different privacy regime. Some financial institutions have identified hundreds of bundles. Until the district court sorts this out (and maybe not until after another appeal), or until the FACT Act affiliate marketing rules become effective, financial institutions with California customers face a challenge in determining what information is subject to federal affiliate sharing rules and what is subject to SB-1 affiliate sharing rules.
FCRA Doesn’t Require ID Theft Notification
The Fair Credit Reporting Act doesn’t require that a creditor contact the victim of an identity theft where the debtor disputes the charge on a credit report and claims fraud, so says the Seventh Circuit. In Westra v. Credit Control of Pinellas, 409 F.3d 825 (7th Cir. 2005), a credit union’s failure to contact the victim was reasonable under FCRA. To contact every single individual who disputes a charge would be "terribly inefficient and such action is not required by the FCRA."
Data Breach Class Actions
"Who pays?" following a data loss is something Congress is trying to sort out. But class action lawyers aren’t waiting. Suits have been filed in California against ChoicePoint, LexisNexis, CardSystems, and dozens of others. It’s not just private lawyers either. In June, the Ohio Attorney General sued a discount shoe retailer to force it to notify some 700,000 customers following a data breach. Ohio law doesn’t even require notification. The suit is based on an unfairness or implied warranty theory ("when a consumer gives personal information, there’s an implied warranty that the company will protect it").
Practice Tip: Companies can’t predict when or how breaches will occur, but they can protect themselves in other ways. Some insurers, for example, offer cybersecurity insurance. Some banks are even offering their customers ID theft products for a monthly subscription fee. The Firm is currently defending several data loss class actions and is counseling companies in different industries on ways to protect themselves.
For more information, contact Tom Scanlon (firstname.lastname@example.org).
Is Notification Worth It?
Are the costs of notification worth it? Businesses already spend $50 billion a year on ID theft and antifraud programs. But the benefit to consumers is only around $7.50 to $10 per individual whose data has been compromised. Why? Most ID theft doesn’t involve a data security breach; only 2% of consumers whose data is compromised become victims of fraud, and, of these, most are victims of credit card theft, for which consumers have limited liability and, in the Visa and MasterCard systems, no liability at all for fraud transactions. Consider this: even the best notification will eliminate only 10-20% of the costs.