Friday, December 16, 2011

Store’s Inadequate Data Security Could Be Unfair Practice Under Illinois Law

This posting was written by Jody Coultas, Editor of CCH State Unfair Trade Practices Law.

A customer of Michaels Stores stated an Illinois Consumer Fraud and Deceptive Business Practices Act claim against the craft store for engaging in an unfair business practices relating to the failure to implement adequate security at its PIN pads, according to the federal district court in Chicago.

Michaels’ PIN pads, used by consumers to pay by debit/credit cards, were replaced by a modified PIN pad that captured consumers’ debit and credit information. A properly operating PIN pad encrypts the cardholder’s PIN (personal identification number), temporarily stores the encrypted PIN, and transmits the information to a transaction manager, and a card company or bank for verification. “Skimming” is the unauthorized capture of debit or credit card information by unauthorized persons called “skimmers.”

Michaels reported that—between February 8 and May, 2011—“skimmers” placed approximately 90 fraudulent PIN pads in 80 of its stores in 20 states. At the time, Michaels was not in compliance with VISA’s global mandate for encrypted PIN pad terminals or other security requirements.

Failure to Protect Information, Notify Customers

Several customers filed suit on behalf of all customers whose financial information was stolen from Michaels. They alleged that Michaels failed to adequately protect their financial information and failed to notify the customers of the security breach in violation of the Illinois Consumer Fraud and Deceptive Business Practices Act (CFA), 815 Ill. Comp. Stat. 505/1.

To state a claim under the CFA, the customer must allege that Michaels engaged in a deceptive or unfair practice, intended for the customer to rely on the deception, the deception occurred in the course of conduct involving trade or commerce, the customer suffered actual damages, and the damages were proximately caused by the deception.

Unfair Practices

A business practice is unfair under the CFA if it offends public policy, is immoral, unethical, oppressive, or unscrupulous, or caused substantial injury to consumers.

Because the skimmers substituted legitimate devices with counterfeit devices, the store ignored its obligation to implement procedures and practices preventing criminal conduct. This lack of action constituted a CFA violation, according to the court.

Customers also must allege a purely economic injury in order to state a CFA claim. A customer does not suffer actual damage simply because of the increased risk of future identity theft. Here, the customer sufficiently alleged that they suffered actual injuries when they lost money from unauthorized withdrawals and/or bank fees, the court decided.

Deceptive Practices

The customer, however, failed to show that Michaels engaged in a deceptive practice, according to the court. To state a CFA claim based on deceptive practices, a plaintiff must show there was either a communication containing a deceptive misrepresentation or a deceptive omission. There was no evidence that Michaels made any statements to customers.

The decision is In re: Michaels Stores Pin Pad Litigation, CCH State Unfair Trade Practices Law ¶32,379.

Further information regarding CCH State Unfair Trade Practices Law appers here.

No comments: