HOT TOPICS
2017 MEMBERSHIP DIRECTORY
“deleted” by the user. The FTC has advised that consumer information should be retained only for the period during
which it is actually needed, and then securely destroyed. Adopt and follow a strict consumer records retention
and destruction policy at your dealership. The Disposal Rule also requires due diligence and supervision of your
records disposal company. Records destruction procedures should be included as a part of a dealership’s
Information Security Program and followed systematically.
Additionally, the Fair Credit Reporting Act (“FCRA”) prohibits printing more than the last five digits of a credit or
debit card number or the card’s expiration date on any electronically printed card transaction receipt. Damages for
doing so are $100 - $1,000 per receipt for willful violations (generally a knowing or reckless violation) with no cap
on damages in a class action. MasterCard and Visa can also assess fines starting at $5,000 for the first violation and
going up from there. Make sure your card processing machines are set up to print no more than the last five
digits of the card number and not to print the card’s expiration date, as this has been a source of many class actions.
STATE DATA SECURITY LAWS
States are also enacting strict data security laws that apply to all organizations that maintain information about
their residents. For example, some states:
• Require the development of a comprehensive written information security program, and the encryption of
  all personal information stored on laptops and portable devices or transmitted wirelessly or across public
  networks. Employee access must be limited and paper records must be locked up.
• Require compliance with the Payment Card Institute Data Security Standard (“PCI-DSS”) for credit and debit
  card information and transactions.
Credit and Debit Cards
Card issuers have sued merchants who are breached to recover their cost of paying losses on stolen cards as well
as the cost of notice and reissuance of new cards. These costs will increase as, effective October 1, 2015, cards with
computer chips will begin replacing magnetic stripe cards – and the cost of producing a chip card well exceeds the
cost of producing a magnetic stripe card. The use of chip cards also requires more sophisticated card readers that
can read a random code generated by the device. If you do not have and use such a chip card reader after October
1, 2015, you face the risk of being liable for a fraudulent transaction committed using a chip card.
Plaintiffs in data breach cases have also been more successful recently in avoiding having class actions dismissed
at the outset. In one case in the federal Seventh Circuit, a merchant compromise of 350,000 cards was followed by
fraudulent charges to the accounts of 9,200 customers. The court indicated “there are identifiable
costs associated with the process of sorting things out” – the aggravation and loss of value of the time needed to
set things straight (get replacement cards, etc.), to reset payment associations after card numbers are changed,
and to pursue relief for unauthorized charges. With respect to the plaintiffs who have not yet seen fraudulent
charges on their accounts, the Seventh Circuit said those plaintiffs had standing because there was a “substantial
risk” of future harm. This alleged actual injury was enough to let the class action against the merchant go forward.
The remaining victims were also required to spend time and money replacing cards, fighting off fraudulent
charges, and monitoring their credit scores. This too was considered sufficient for the class action to proceed.