In connection with a class action lawsuit filed against Michaels Stores Inc., the United States District Court for the District of Massachusetts certified three questions to the Supreme Judicial Court of Massachusetts: (1) whether a ZIP code constitutes personal identification information; (2) whether, under the Massachusetts statute prohibiting the collection of personal identification information during a credit card transaction, a plaintiff may pursue a claim without any evidence of identity theft; and (3) whether, under the statute, a "credit card transaction form" includes an electronic transaction form. Earlier this week, the Supreme Court answered "yes" to all three of these questions. A copy of the Court's opinion is attached here.

The Supreme Court's decision will likely open the door to more lawsuits against retailers in Massachusetts. Plaintiffs may now file actions against retailers who collect ZIP code information during a credit card transaction and, consistent with the Supreme Court's broad interpretation of personal identification information, plaintiffs may try to expand the definition of personal identification information even further to include other types of information.

In addition, the Supreme Court's decision has lowered the bar for plaintiffs who struggle to prove that they have been injured in these cases. Under the Supreme Court's ruling, a plaintiff no longer needs to demonstrate that he or she has suffered identity theft in order to maintain a cause of action. Significantly, the Court stated that the receipt of unwanted marketing materials or the sale of a consumer's personal identification information to a third party can constitute an injury sufficient to maintain an action.

As a result of the Supreme Court's decision, retailers in Massachusetts should review and evaluate their data collection practices.
The Office of Consumer Affairs and Business Regulation (OCABR) has proposed revisions to the Massachusetts identity theft regulations, which would take effect on March 1, 2010.
The proposed regulations can be found here (PDF). A comparison, or redline, of the proposed regulations to the current regulations can be found here (.DOC). Finally, a set of frequently asked questions (FAQs) regarding the proposed regulations was prepared by the OCABR and can be found here (PDF), and they are certainly worth a read.
Citing a desire to undertake data security as “a risk-based approach that is especially important to small businesses that may not handle a lot of personal information about customers,” the OCABR emphasized that a business should assess its size and nature, the kinds of records it maintains, and its risk as an identity theft target when deciding on the policies and procedures it uses to handle personal information.
Borrowing from the FAQs above, the OCABR cites four major changes under the proposed regulations:
• As noted above, a risk-based approach to information security is adopted (consistent with other state and federal law). This approach is friendlier to small businesses and does not place the same burdens on travel agencies (collecting little personal information) that may be placed on wealth managers (collecting significant amounts of personal information).
• Many provisions that are currently required under a written information security program have been removed (and would be for guidance purposes moving forward).
• The encryption requirement under the current regulation has been tailored to be technology neutral, and a technical feasibility standard has been applied to all computer security requirements. Businesses must still use reasonable means where they are available.
• The third party vendor requirements have been changed to be consistent with federal law.
One aspect that has NOT been proposed for change, and the one aspect of Massachusetts’ cutting-edge privacy regulations that (in my experience) most often catches businesses off guard, is that all means of storage of personal information must be encrypted. This includes hard drives, thumb drives, backup tapes and any other method of electronic storage. Although this encryption requirement is almost certainly the direction most states are headed, it is almost unknown outside of the “privacy community.” As with most laws, ignorance of the requirement is not a defense.
Although the future for the proposed regulations is by no means decided, it is likely that some (if not all) of the proposed changes will see the light of day. We will know more after the public hearings on the revised regulations that are scheduled to occur on September 22, 2009.