Computers, Privacy & the Constitution
Under Construction

The Certegy Data Misappropriation Case

Introduction

Created in 2001, Certegy sought to empower check users by insuring checks written to merchants. Certegy did not use credit or bank records; instead, Certegy’s algorithm used artificial intelligence to predict whether a check would bounce. A merchant who subscribed to Certegy’s check verification service would enter the check information into a terminal and would receive notification as to whether the check was insured by Certegy. If an insured check bounced, Certegy reimbursed the merchant. The system was far from perfect; many customers had $10 checks declined while holding $100,000 in their bank accounts. Often, the reason was that the check writer had not yet established a significant history.

On July 3, 2007, Certegy announced that one of its employees had misappropriated 8.4 million records over a five-year period. Certegy took immediate action to minimize the impact of the misappropriated consumer information. Even Certegy’s critics agreed that Certegy’s response was both swift and adequate. A class action lawsuit was brought against Certegy. In September 2008, a settlement was approved by a federal judge. The settlement provides for a range of credit monitoring services and reimbursement of expenses for those whose identity was stolen.

There are several caveats to the settlement. Most notably, Certegy has capped the total amount of money it will pay for identity theft claims at $4 million. That money is not likely to be disbursed at all, because to date there have been no cases of identity theft directly attributable to the data misappropriation. All that Certegy is required to pay under the terms of the settlement are the legal fees and credit and bank monitoring fees for qualifying members of the class. This amounts to less than $5 million.

Was Certegy guilty of any crime? If so, what crime? Was there negligence on their part? Most importantly, were there any damages?

Discussion

1. Was there any violation of law when the misappropriated data was sold to the marketers?

Surprisingly, there is no single source of privacy rights in the U.S. governing personal information held in privately owned computer data banks. Instead, there is an extensive patchwork quilt of federal and state laws governing personal privacy. In 1999, President Clinton signed into law the Financial Services Modernization Act (otherwise known as the Gramm-Leach-Bliley Act). The act provides that financial institutions may not disclose a consumer's nonpublic personal information to nonaffiliated third parties unless the consumer is given clear and conspicuous notice of this possibility and an opportunity to opt out of such disclosures before they occur.

Is a check writer a consumer of Certegy’s service? Technically, the merchant is Certegy's consumer. A contract exists between Macy’s and Certegy, not between John Doe and Certegy. Nevertheless, it is logical to treat John Doe as a consumer of Certegy’s product; if not for John, Macy’s contract with Certegy would be meaningless. In essence, when John shops at Macy’s and pays by check, Macy’s is acting as a sales agent for Certegy and signing John up as a Certegy customer. Thus, Certegy has regular customers (John Doe) and corporate customers (Macy’s) who also act as sales agents.

2. Was Certegy negligent?

Normally, in cases of data misappropriation, the company is found to be negligent because, no matter how safe it thought its network was, it had a responsibility to make sure the network was impenetrable. That logic holds true when protecting against external threats. What about this incident, which did not involve any outside intrusion into Certegy’s systems?

Clearly, Certegy was negligent on two counts. First, there was no need for any data to be stored on Certegy’s computers. Certegy’s algorithm based its decision on a number of factors, none of which had anything to do with the specific check writer’s history with Certegy. Thus, John Doe, a first-time Certegy user, has the same chance of having his check approved as Jane Doe, a frequent check-writing Certegy customer. The act of storing the information is per se negligent, because Certegy should have anticipated that stored data might be misappropriated. The rebuttal to this argument – that the data was saved automatically through no affirmative action of Certegy – is both weak and fatalistic. Computers do as they are told; if Certegy’s computers saved the data, that is because their programming told them to do so.

Second, Certegy was negligent in giving the keys to the kingdom to its employees. Although its network was secure from external threats, perhaps the overemphasis on external security caused Certegy to neglect guarding against internal theft. Certegy should have ensured that a system of checks and balances existed. No one person should have had access to this data without oversight by some committee. The system Certegy had in place was insecure and was begging to be compromised.
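The two controls the discussion above says were missing, data minimization at the verification step and dual control over bulk access to whatever is retained, can be made concrete in code. The following Python is an added illustration written for this page; it is not Certegy’s software, and the risk rule, field names, approver roster and the two-approval threshold are all assumptions chosen for the example. It shows a verification handler whose persistent audit record contains only non-identifying fields, a check that confirms no PII field has leaked into storage, and an export gate that refuses a bulk export until two approvers other than the requester have signed off.

```python
"""Data minimization and dual control for a check verification service.

Hypothetical example for illustration; none of this is Certegy's code.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Fields that identify the check writer. Assumed names; the control is that
# none of them ever reaches persistent storage.
PII_FIELDS = frozenset({"account_number", "routing_number", "name"})


@dataclass(frozen=True)
class CheckRequest:
    merchant_id: str
    amount: float
    account_number: str
    routing_number: str
    name: str


def score_check(req: CheckRequest) -> bool:
    """Placeholder risk rule (an assumption, not Certegy's algorithm):
    approve anything at or below a fixed amount. The rule needs no
    per-writer history, so none has to be kept."""
    return req.amount <= 5000.0


class VerificationService:
    """Answers the merchant's query and retains only non-identifying fields."""

    def __init__(self) -> None:
        self.audit_log: list[dict] = []

    def verify(self, req: CheckRequest) -> bool:
        approved = score_check(req)
        # Retention allowlist: time, merchant, amount, decision. No PII.
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "merchant_id": req.merchant_id,
            "amount": req.amount,
            "approved": approved,
        })
        return approved

    def retained_pii_fields(self) -> frozenset:
        """Control check: which PII fields, if any, leaked into storage."""
        found = set()
        for rec in self.audit_log:
            found |= PII_FIELDS.intersection(rec)
        return frozenset(found)


class ExportGate:
    """Dual control: a bulk export needs two approvers other than the requester."""

    REQUIRED_APPROVALS = 2  # assumed threshold

    def __init__(self, approvers) -> None:
        self.approvers = frozenset(approvers)
        self.pending: dict[str, dict] = {}
        self.events: list[tuple] = []  # (event, request_id, actor) for oversight

    def request(self, request_id: str, requester: str, purpose: str) -> None:
        self.pending[request_id] = {
            "requester": requester, "purpose": purpose, "approved_by": set()}
        self.events.append(("requested", request_id, requester))

    def approve(self, request_id: str, approver: str) -> None:
        item = self.pending[request_id]
        if approver not in self.approvers:
            raise PermissionError(f"{approver} is not an authorized approver")
        if approver == item["requester"]:
            raise PermissionError("requester may not approve their own export")
        item["approved_by"].add(approver)
        self.events.append(("approved", request_id, approver))

    def export(self, request_id: str, records: list[dict]) -> list[dict]:
        item = self.pending[request_id]
        have = len(item["approved_by"])
        if have < self.REQUIRED_APPROVALS:
            raise PermissionError(
                f"export {request_id} needs {self.REQUIRED_APPROVALS} approvals, has {have}")
        self.events.append(("exported", request_id, item["requester"]))
        return list(records)


if __name__ == "__main__":
    svc = VerificationService()
    # Constructed sample request; the account and routing numbers are fake.
    print(svc.verify(CheckRequest("macys-1", 10.0, "000123", "021000021", "John Doe")))
    print("PII retained:", sorted(svc.retained_pii_fields()))
    gate = ExportGate({"alice", "bob", "carol"})
    gate.request("exp-1", "alice", "fraud review")
    gate.approve("exp-1", "bob")
    gate.approve("exp-1", "carol")
    print(len(gate.export("exp-1", svc.audit_log)), "records exported")
```

The point of `retained_pii_fields` is that the no-storage claim becomes something an auditor can test rather than a promise; the point of `ExportGate.events` is that every bulk access leaves a record naming the requester and both approvers, which is the oversight the passage above says a single employee with unsupervised access never had.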

3. What damages occurred?

In Smith v. Chase Manhattan Bank, 741 N.Y.S.2d 100 (2002), the court held that misappropriated data used to merely offer products and services to class members which they were free to decline did not qualify as actual harm. Moreover, no harm exists where a class member cannot prove that he suffered any actual harm due to the receipt of an unwanted telephone solicitation or a piece of junk mail.

Although at first glance the Certegy case seems similar to Chase, a closer look at the facts in Certegy distinguishes it from Chase. In Certegy, the data was sold to a company that in turn sold it to other marketing firms that were being investigated by the FTC for marketing and telemarketing fraud. One of the companies was running a scam with the data it received, in which it would contact consumers with a compelling offer in exchange for accepting a 14-day free trial in a discount-shopping club. After tricking the consumers into providing their bank account numbers, the company would make unauthorized debits. The FTC says the company's free gifts were largely worthless.

Additionally, in Forbes v. Wells Fargo Bank, 420 F. Supp. 2d 1018 (D. Minn. 2006), plaintiffs claimed a variety of damages related to the theft, primarily to monitor their financial accounts against potential loss. The court found that the personal time and money spent by this purported class "was not the result of any present injury, but rather the anticipation of future injury that has not materialized."

Using the argument mentioned above, it would seem that the Certegy data theft was a ‘present injury’, unlike the future injury in Forbes. In the Certegy case, the data had been delivered to unscrupulous marketing corporations that used it for their nefarious schemes. A possibility exists that these firms may in turn pass this sensitive data along to others who might attempt to take out bank loans or open credit cards with it. Thus, the affected class members are not simply taking steps to avoid future injury; they were aware of a clear and present danger and are therefore entitled to seek reimbursement for their damages from defendant Certegy.

Conclusion

Although Certegy is a unique case of data misappropriation, in that no actual financial fraud took place as a direct result of the misappropriation and in that Certegy took a strong and forceful stand against those who had acquired the stolen data, had this case gone to trial, Certegy would have been found to have negligently violated the Financial Services Modernization Act.

-- DavidMehl - 26 Apr 2010


r2 - 27 Apr 2010 - 20:07:38 - DavidMehl