In connection with a class action lawsuit filed against Michaels Stores Inc., the United States District Court for the District of Massachusetts certified to the Supreme Judicial Court of Massachusetts three questions: (1) whether a ZIP code constitutes personal identification information; (2) whether, under the Massachusetts statute prohibiting collection of personal identification information during a credit card transaction, a plaintiff may pursue a claim without any evidence of identity theft; and (3) whether, under the statute, a "credit card transaction form" includes an electronic transaction form. Earlier this week, the Supreme Court answered "yes" to all three of these questions. A copy of the Court's opinion is attached here.
The Supreme Court's decision will likely open the door to more lawsuits against retailers in Massachusetts. Plaintiffs may now file actions against retailers who collect ZIP code information during a credit card transaction and, consistent with the Supreme Court's broad interpretation of personal identification information, plaintiffs may try to expand the definition of personal identification information even further to include other types of information. In addition, the Supreme Court's decision has lowered the bar for plaintiffs who struggle to prove that they have been injured in these cases. Under the Supreme Court's ruling, a plaintiff no longer needs to demonstrate that he or she has suffered identity theft in order to maintain a cause of action. Significantly, the Court stated that receipt of unwanted marketing materials or the sale of a consumer's personal identification information to a third party can constitute an injury sufficient to maintain an action.
As a result of the Supreme Court's decision, retailers in Massachusetts should review and evaluate their data collection practices.