Computers, Privacy & the Constitution

DavidMehlSecondPaper 6 - 17 Jan 2012 - Main.IanSullivan
Line: 1 to 1
Changed:
<
<
META TOPICPARENT name="SecondPaper"
>
>
META TOPICPARENT name="SecondPaper2010"
 

The Certegy Data Misappropriation Case


DavidMehlSecondPaper 5 - 17 Jan 2012 - Main.IanSullivan
Line: 1 to 1
Changed:
<
<
META TOPICPARENT name="WebPreferences"
>
>
META TOPICPARENT name="SecondPaper"
 

The Certegy Data Misappropriation Case


DavidMehlSecondPaper 4 - 12 May 2010 - Main.EbenMoglen
Line: 1 to 1
 
META TOPICPARENT name="WebPreferences"

The Certegy Data Misappropriation Case

Line: 9 to 9
 On July 3, 2007, Certegy announced that one of its employees had misappropriated 8.4 million records over a five-year period and sold that data to marketers. A class action lawsuit was brought against Certegy. In September 2008, a settlement was approved by a federal judge. The settlement provides for a range of credit monitoring services and reimbursement of expenses for those whose identity was stolen. All that Certegy is required to pay under the terms of the settlement are the legal fees and credit and bank monitoring fees for members of the class, amounting to less than $5 million.
Changed:
<
<
Was Certegy guilty of any crime? If so, what crime? Was there negligence on their part? Most importantly, were there any damages?
>
>
Was Certegy guilty of any crime?
 
Added:
>
>
What has crime to do with it? Do you mean, are they civilly liable? Or are you actually raising a question of criminal liability, and on what basis?

If so, what crime? Was there negligence on their part?

Are you asking about the facts, or do you mean is negligence the relevant standard of care, or are you asking whether res ipsa loquitur when customer financial data is misappropriated by employees?

Most importantly, were there any damages?

Do you mean how does one prove actual harm in particular cases from identity theft, or that the mere creation of a risk without the occurrence of a fraud causes no harm?
 

Discussion

Line: 22 to 37
 Is a check writer a consumer of Certegy’s service? Technically, the merchant is Certegy's consumer; a contract exists between Macy’s and Certegy, not between John Doe and Certegy. Nevertheless, it is logical to assume that John Doe is also a consumer of Certegy’s product. John directly benefits from Certegy's service in that the merchant is now willing to accept his checks.
Added:
>
>
But this isn't the question unless the point is that only a regulatory liability could have created a duty of care to the merchant or its customers.
 

2. Was Certegy negligent?

Line: 30 to 49
 Second, Certegy was negligent by giving the keys to the kingdom to its employees. Although their network was secure from external threats, perhaps the overemphasis on external security caused them to neglect guarding against internal theft. Certegy should have ensured that a system of checks and balances existed. No one person should have had access to this data without oversight by some committee. The system Certegy had in place was insecure and was begging to be compromised.
Added:
>
>
I don't understand how or why one would come to a conclusion about negligence on a partial evaluation of some of the facts. And I don't know why this is the standard of inquiry.
 

3. What damages occurred?

Line: 38 to 61
 Although at first glance the Certegy case seems similar to Chase, a closer look distinguishes it from Chase. In Certegy, the data was sold to a company who in turn sold this data to other marketing firms that were being investigated by the FTC for marketing and telemarketing fraud. One of the companies was running a scam with the data it received where they would contact consumers with a compelling offer for some largely worthless gifts in exchange for accepting a free trial in a discount-shopping club. After tricking the consumers into providing their bank account numbers, the company would make unauthorized debits.
Changed:
<
<
In Forbes v. Wells Fargo Bank, although the court found that the personal time and money spent by the class in monitoring their financial accounts against potential loss due to data misappropriation "was not the result of any present injury, but rather the anticipation of future injury that has not materialized", using the argument mentioned above, it would seem that the Certegy data theft was a ‘present injury’ unlike the future injury in Forbes. In the Certegy case, the data had been delivered to unscrupulous marketing corporations who used the data for their nefarious schemes. A possibility exists that these firms may in turn pass along this sensitive data to others who might attempt to take out bank loans or open credit cards with this information. Thus, the affected class members are not simply taking steps to avoid future injury; they were aware of a clear and present danger and are therefore entitled to seek reimbursement for their damages from defendant Certegy.
>
>
Surely this just proves how pointless it is to keep asking these rhetorical questions of the reader about a case in which no facts are known until you pull them like rabbits from your hat.
 
Added:
>
>
In Forbes v. Wells Fargo Bank, although the court found that the personal time and money spent by the class in monitoring their financial accounts against potential loss due to data misappropriation "was not the result of any present injury, but rather the anticipation of future injury that has not materialized", using the argument mentioned above, it would seem that the Certegy data theft was a ‘present injury’ unlike the future injury in Forbes. In the Certegy case, the data had been delivered to unscrupulous marketing corporations who used the data for their nefarious schemes. A possibility exists that these firms may in turn pass along this sensitive data to others who might attempt to take out bank loans or open credit cards with this information. Thus, the affected class members are not simply taking steps to avoid future injury; they were aware of a clear and present danger and are therefore entitled to seek reimbursement for their damages from defendant Certegy.
 
Added:
>
>
Why is all this talk relevant to the discussion of a settlement. Are we supposed to have been deciding whether to bet on the favorite or the long shot?
 

Conclusion

Although no actual financial fraud took place as a direct result of the data misappropriation, had this case gone to trial, Certegy would have been found to have negligently violated the Financial Services Modernization Act.

Added:
>
>
Confidently predicting the outcome of a trial is just silly.
 -- DavidMehl - 26 Apr 2010
Added:
>
>
I don't understand the point of this essay. Without looking at the evidence in this matter, how can we know whether you are judging accurately what you purport to judge, and so what anyway?
 
 

DavidMehlSecondPaper 3 - 27 Apr 2010 - Main.DavidMehl
Line: 1 to 1
 
META TOPICPARENT name="WebPreferences"
Deleted:
<
<
Under Construction
 

The Certegy Data Misappropriation Case

Introduction

Changed:
<
<
Created in 2001, Certegy sought to empower check users by insuring checks written to merchants. Certegy did not use credit or bank records, instead Certegy’s algorithm used artificial intelligence to predict whether a check would bounce. A merchant who subscribed to Certegy’s check verification service would enter the check information into a terminal and would receive notification as to whether this check was insured by Certegy. If the check was insured and bounced, Certegy reimbursed the merchant. The system was far from perfect; many customers had $10 checks declined with $100,000 in their bank accounts. Often, the reason was that no significant history had been established by the check writer.

On July 3, 2007, Certegy announced that one of its employees had misappropriated 8.4 million records over a five-year period. Certegy took immediate action to minimize the impact of the misappropriated consumer information. Even Certegy’s critics agreed that Certegy’s response was both swift and adequate. A class action lawsuit was brought against Certegy. In September 2008, a settlement was approved by a federal judge. The settlement provides for a range of credit monitoring services and reimbursement of expenses for those whose identity was stolen.

>
>
Created in 2001, Certegy sought to empower check users by insuring checks written to merchants. Certegy did not use credit or bank records, instead Certegy’s algorithm used artificial intelligence to predict whether a check would bounce. A merchant who subscribed to Certegy’s check verification service would enter the check information and would receive notification as to whether this check was insured by Certegy. If the check was insured and bounced, Certegy reimbursed the merchant. The system was far from perfect; many customers had $10 checks declined with $100,000 in their bank accounts. Often, the reason was that no significant history had been established by the check writer.
 
Changed:
<
<
There are several caveats to the settlement. Most notably, Certegy has capped the total amount of money it will pay for identity theft claims at $4 million. That money is not likely to be disbursed at all, because to date there have been no cases of identity theft directly attributable to the data misappropriation. All that Certegy is required to pay under the terms of the settlement are the legal fees and credit and bank monitoring fees for qualifying members of the class. This amounts to less than $5 million.
>
>
On July 3, 2007, Certegy announced that one of its employees had misappropriated 8.4 million records over a five-year period and sold that data to marketers. A class action lawsuit was brought against Certegy. In September 2008, a settlement was approved by a federal judge. The settlement provides for a range of credit monitoring services and reimbursement of expenses for those whose identity was stolen. All that Certegy is required to pay under the terms of the settlement are the legal fees and credit and bank monitoring fees for members of the class, amounting to less than $5 million.
 Was Certegy guilty of any crime? If so, what crime? Was there negligence on their part? Most importantly, were there any damages?
Line: 20 to 15
 

Discussion

Changed:
<
<

1. Was there any violation of law when the misappropriated data was sold to the marketers?

>
>

1. Was there any violation of law when the data was sold to marketers?

 
Changed:
<
<
Surprisingly, there is no single source of privacy rights in the U.S. governing personal information in privately owned computer data banks. Instead, there is an extensive patchwork quilt of federal and state laws governing personal privacy. In 1999, President Clinton signed into law the Financial Services Modernization Act (otherwise known as the Gramm-Leach-Bliley Act). The act requires that financial institutions may not disclose a consumer's nonpublic personal information to nonaffiliated third parties, unless the consumer is given a clear and conspicuous notice of this possibility, and an opportunity to opt out of such disclosures before they occur.
>
>
Surprisingly, there is no single source of privacy rights in the U.S. governing personal information in privately owned computer data banks. Instead, there is an extensive patchwork quilt of federal and state laws governing personal privacy. In 1999, President Clinton signed into law the Financial Services Modernization Act (otherwise known as the Gramm-Leach-Bliley Act). The act requires that financial institutions may not disclose a consumer's nonpublic personal information to nonaffiliated third parties, unless the consumer is given clear notice of this possibility, and an opportunity to opt out of such disclosures before they occur.
 
Changed:
<
<
Is a check writer a consumer of Certegy’s service? Technically, the merchant is Certegy's consumer. A contract exists between Macy’s and Certegy, not between John Doe and Certegy. Nevertheless, it is logical to assume that John Doe is a consumer of Certegy’s product; if not for John, Macy’s contract with Certegy would be meaningless. In essence, by shopping at Macy’s and paying by check, Macy’s is acting as a sales agent for Certegy and signing up John as a Certegy customer. Thus, Certegy has regular customers (John Doe), and corporate customers (Macy’s) who also act as sales agents.
>
>
Is a check writer a consumer of Certegy’s service? Technically, the merchant is Certegy's consumer; a contract exists between Macy’s and Certegy, not between John Doe and Certegy. Nevertheless, it is logical to assume that John Doe is also a consumer of Certegy’s product. John directly benefits from Certegy's service in that the merchant is now willing to accept his checks.
 

2. Was Certegy negligent?

Changed:
<
<
Normally, in cases of data misappropriation, the company is found to be negligent, because no matter how safe the company thought their network was, they had a responsibility to make sure it was impenetrable. That logic holds true when protecting against external threats. What about this incident that did not involve any outside intrusion into Certegy’s systems?

Clearly, Certegy was negligent on two counts. First, there was no need for any data to be stored on Certegy’s computers. Certegy’s algorithm based its decision on a number of factors, none of which had anything to do with this specific check writer’s history with Certegy. Thus, John Doe, a first time Certegy user, has the same chances of having his check approved as Jane Doe, a frequent check writing Certegy customer. The act of storing the information is per se negligent because Certegy should have anticipated that data might be misappropriated. The rebuttal to this argument – the data was saved automatically through no affirmative action of Certegy – is both weak and fatalistic. Computers do as they are told; if Certegy’s computers saved the data, that is because their programming told them to do so.

>
>
Although the intrusion was not an external one, Certegy was negligent on two counts. First, there was no need for any data to be stored on Certegy’s computers. Certegy’s algorithm based its decision on a number of factors, none of which had anything to do with this specific check writer’s history with Certegy. Thus, John Doe, a first time Certegy user, has the same chances of having his check approved as Jane Doe, a frequent check writing Certegy customer. The act of storing the information is per se negligent because Certegy should have anticipated that data might be misappropriated. The rebuttal to this argument – the data was saved automatically through no affirmative action of Certegy – is both weak and fatalistic. Computers do as they are told; if Certegy’s computers saved the data, that is because their programming told them to do so.
 Second, Certegy was negligent by giving the keys to the kingdom to its employees. Although their network was secure from external threats, perhaps the overemphasis on external security caused them to neglect guarding against internal theft. Certegy should have ensured that a system of checks and balances existed. No one person should have had access to this data without oversight by some committee. The system Certegy had in place was insecure and was begging to be compromised.
Line: 41 to 34
 

3. What damages occurred?

Changed:
<
<
In Smith v. Chase Manhattan Bank, 741 N.Y.S.2d 100 (2002), the court held that misappropriated data used to merely offer products and services to class members which they were free to decline did not qualify as actual harm. Moreover, no harm exists where a class member cannot prove that he suffered any actual harm due to the receipt of an unwanted telephone solicitation or a piece of junk mail.

Although at first glance the Certegy case seems similar to Chase, a closer look at the facts in Certegy distinguish it from Chase. In Certegy, the data was sold to a company who in turn sold this data to other marketing firms that were being investigated by the FTC for marketing and telemarketing fraud. One of the companies was running a scam with the data it received where they would contact consumers with a compelling offer in exchange for accepting a 14-day free trial in a discount-shopping club. After tricking the consumers into providing their bank account numbers, the company would make unauthorized debits. The FTC says the company's free gifts were largely worthless.

>
>
In Smith v. Chase Manhattan Bank, the court held that misappropriated data used to offer products and services to class members which they were free to decline, did not qualify as harm. Moreover, no harm exists where a class member cannot prove that he suffered actual harm due to the receipt of an unwanted telephone solicitation or a piece of junk mail.
 
Changed:
<
<
Additionally, in Forbes v. Wells Fargo Bank, 420 F. Supp. 2d 1018 (D. Minn. 2006), plaintiffs claimed a variety of damages related to the theft, primarily to monitor their financial accounts against potential loss. The court found that the personal time and money spent by this purported class "was not the result of any present injury, but rather the anticipation of future injury that has not materialized."
>
>
Although at first glance the Certegy case seems similar to Chase, a closer look distinguishes it from Chase. In Certegy, the data was sold to a company who in turn sold this data to other marketing firms that were being investigated by the FTC for marketing and telemarketing fraud. One of the companies was running a scam with the data it received where they would contact consumers with a compelling offer for some largely worthless gifts in exchange for accepting a free trial in a discount-shopping club. After tricking the consumers into providing their bank account numbers, the company would make unauthorized debits.
 
Changed:
<
<
Using the argument mentioned above, it would seem that the Certegy data theft was a ‘present injury’ unlike the future injury in Forbes. In the Certegy case, the data had been delivered to unscrupulous marketing corporations who used the data for their nefarious schemes. A possibility exists that these firms may in turn pass along this sensitive data to others who might attempt to take out bank loans or open credit cards with this information. Thus, the affected class members are not simply taking steps to avoid future injury; they were aware of a clear and present danger and are therefore entitled to seek reimbursement for their damages from defendant Certegy.
>
>
In Forbes v. Wells Fargo Bank, although the court found that the personal time and money spent by the class in monitoring their financial accounts against potential loss due to data misappropriation "was not the result of any present injury, but rather the anticipation of future injury that has not materialized", using the argument mentioned above, it would seem that the Certegy data theft was a ‘present injury’ unlike the future injury in Forbes. In the Certegy case, the data had been delivered to unscrupulous marketing corporations who used the data for their nefarious schemes. A possibility exists that these firms may in turn pass along this sensitive data to others who might attempt to take out bank loans or open credit cards with this information. Thus, the affected class members are not simply taking steps to avoid future injury; they were aware of a clear and present danger and are therefore entitled to seek reimbursement for their damages from defendant Certegy.
 

Conclusion

Changed:
<
<
Although Certegy is a unique case of data misappropriation in that no actual financial fraud took place as a direct result of the data misappropriation, and that Certegy took a strong and forceful stand against those who had acquired the stolen data, had this case gone to trial, Certegy would have been found to have negligently violated the Financial Services Modernization Act.
>
>
Although no actual financial fraud took place as a direct result of the data misappropriation, had this case gone to trial, Certegy would have been found to have negligently violated the Financial Services Modernization Act.
 

-- DavidMehl - 26 Apr 2010


DavidMehlSecondPaper 2 - 27 Apr 2010 - Main.DavidMehl
Line: 1 to 1
 
META TOPICPARENT name="WebPreferences"
Under Construction
Line: 8 to 8
 

Introduction

Changed:
<
<
Created in 2001, Certegy sought to empower check users by ‘insuring’ checks written to merchants. This check verification system used ‘artificial intelligence’ to determine whether the check was ‘bad’. Certegy did not use credit or bank records to determine whether the check was bad, instead Certegy’s algorithm used other factors to predict whether the check would bounce. A merchant who subscribed to Certegy’s check verification service would enter the check information into a small terminal - similar to a credit card terminal – and would then receive notification as to whether or not this check was insured by Certegy. If the check was insured and bounced, Certegy would reimburse the merchant. The system was far from perfect. Many customers had $10 checks declined with $100,000 in their bank accounts. Often, the reason was that no significant history had been established by the check writer.
>
>
Created in 2001, Certegy sought to empower check users by insuring checks written to merchants. Certegy did not use credit or bank records, instead Certegy’s algorithm used artificial intelligence to predict whether a check would bounce. A merchant who subscribed to Certegy’s check verification service would enter the check information into a terminal and would receive notification as to whether this check was insured by Certegy. If the check was insured and bounced, Certegy reimbursed the merchant. The system was far from perfect; many customers had $10 checks declined with $100,000 in their bank accounts. Often, the reason was that no significant history had been established by the check writer.
 
Changed:
<
<
On July 3, 2007, Certegy announced that one of its employees, William Sullivan, had misappropriated 8.4 million records over a five-year period while working as a senior database administrator. Certegy took immediate action to minimize the impact of the misappropriated consumer information. Even Certegy’s critics agreed that Certegy’s response was both swift and adequate.

Despite going above and beyond what other companies had done in response to cases of data misappropriation, a class action lawsuit was brought against Certegy. In September 2008, a settlement was approved by a federal judge. The settlement provides for a range of credit monitoring services and reimbursement of expenses for those whose identity was stolen.

>
>
On July 3, 2007, Certegy announced that one of its employees had misappropriated 8.4 million records over a five-year period. Certegy took immediate action to minimize the impact of the misappropriated consumer information. Even Certegy’s critics agreed that Certegy’s response was both swift and adequate. A class action lawsuit was brought against Certegy. In September 2008, a settlement was approved by a federal judge. The settlement provides for a range of credit monitoring services and reimbursement of expenses for those whose identity was stolen.
 There are several caveats to the settlement. Most notably, Certegy has capped the total amount of money it will pay for identity theft claims at $4 million. That money is not likely to be disbursed at all, because to date there have been no cases of identity theft directly attributable to the data misappropriation. All that Certegy is required to pay under the terms of the settlement are the legal fees and credit and bank monitoring fees for qualifying members of the class. This amounts to less than $5 million.
Line: 25 to 23
 

1. Was there any violation of law when the misappropriated data was sold to the marketers?

Changed:
<
<
Surprisingly, there is no single source of privacy rights in the United States governing personal information in privately owned or operated computer data banks. Instead, there is an extensive patchwork quilt of federal and state laws governing personal privacy. In 1999, President Clinton signed into law the Financial Services Modernization Act (otherwise known as the Gramm-Leach-Bliley Act). The act requires that a financial institution may not disclose a consumer's nonpublic personal information to nonaffiliated third parties, unless the consumer is given a clear and conspicuous notice of this possibility, and an opportunity to opt out of such disclosures before the first time they occur.

Is a check writer a consumer of Certegy’s service? Technically, the merchant is the consumer of the check verification service. A contract exists between Macy’s and Certegy, not between John Doe and Certegy; Certegy takes a percentage of Macy’s sales, not Jane Doe’s income. Even so, it is logical to assume that John and Jane Doe are consumers of Certegy’s product. If not for John and Jane, Macy’s contract with Certegy would be meaningless. In essence, by shopping at Macy’s and paying by check, Macy’s is acting as a sales agent for Certegy and signing up John and Jane as Certegy customers. Certegy then stores information on John and Jane. Thus, Certegy has regular customers (The Does), and corporate customers (Macy’s) who are at the same time sales agents.

>
>
Surprisingly, there is no single source of privacy rights in the U.S. governing personal information in privately owned computer data banks. Instead, there is an extensive patchwork quilt of federal and state laws governing personal privacy. In 1999, President Clinton signed into law the Financial Services Modernization Act (otherwise known as the Gramm-Leach-Bliley Act). The act requires that financial institutions may not disclose a consumer's nonpublic personal information to nonaffiliated third parties, unless the consumer is given a clear and conspicuous notice of this possibility, and an opportunity to opt out of such disclosures before they occur.
 
Changed:
<
<
Thus, it is safe to say that by allowing the data of its consumers to be misappropriated, Certegy was in violation of the Financial Services Modernization Act.
>
>
Is a check writer a consumer of Certegy’s service? Technically, the merchant is Certegy's consumer. A contract exists between Macy’s and Certegy, not between John Doe and Certegy. Nevertheless, it is logical to assume that John Doe is a consumer of Certegy’s product; if not for John, Macy’s contract with Certegy would be meaningless. In essence, by shopping at Macy’s and paying by check, Macy’s is acting as a sales agent for Certegy and signing up John as a Certegy customer. Thus, Certegy has regular customers (John Doe), and corporate customers (Macy’s) who also act as sales agents.
 

2. Was Certegy negligent?

Changed:
<
<
Normally, in cases of data misappropriation, the company is found to be negligent, because no matter how safe the company thought their network was, they had a responsibility to make sure it was impenetrable. That logic holds true when protecting against external threats, but what about this incident that did not involve any outside intrusion into Certegy’s systems?
>
>
Normally, in cases of data misappropriation, the company is found to be negligent, because no matter how safe the company thought their network was, they had a responsibility to make sure it was impenetrable. That logic holds true when protecting against external threats. What about this incident that did not involve any outside intrusion into Certegy’s systems?
 
Changed:
<
<
Arguably, Certegy was negligent on two counts. First, there was no need for any data to be stored on Certegy’s computers. Certegy’s algorithm based its decision on a number of factors, none of which has anything to do with this specific check writer’s history with Certegy. Thus, John Doe, a first time Certegy user, has the same chances of having his check approved as Jane Doe, a frequent check writing Certegy customer. The act of storing the information is negligent because Certegy ought to have anticipated that data might be misappropriated. The rebuttal to this argument – the data was saved automatically through no affirmative action of Certegy – is both weak and fatalistic. Computers do as they are told. If Certegy’s computers saved the data, that is because their programming told them to do so.
>
>
Clearly, Certegy was negligent on two counts. First, there was no need for any data to be stored on Certegy’s computers. Certegy’s algorithm based its decision on a number of factors, none of which had anything to do with this specific check writer’s history with Certegy. Thus, John Doe, a first time Certegy user, has the same chances of having his check approved as Jane Doe, a frequent check writing Certegy customer. The act of storing the information is per se negligent because Certegy should have anticipated that data might be misappropriated. The rebuttal to this argument – the data was saved automatically through no affirmative action of Certegy – is both weak and fatalistic. Computers do as they are told; if Certegy’s computers saved the data, that is because their programming told them to do so.
 
Changed:
<
<
Second, Certegy was negligent by giving the keys to the kingdom to Sullivan. Although their network was secure from external threats, perhaps the overemphasis on external security caused them to neglect guarding against internal theft. Certegy should have ensured that a system of checks and balances existed. No one person should have had access to this private data without oversight by some committee. The system Certegy had in place was insecure and was just begging to be compromised.
>
>
Second, Certegy was negligent by giving the keys to the kingdom to its employees. Although their network was secure from external threats, perhaps the overemphasis on external security caused them to neglect guarding against internal theft. Certegy should have ensured that a system of checks and balances existed. No one person should have had access to this data without oversight by some committee. The system Certegy had in place was insecure and was begging to be compromised.
 

DavidMehlSecondPaper 1 - 26 Apr 2010 - Main.DavidMehl
Line: 1 to 1
Added:
>
>
META TOPICPARENT name="WebPreferences"
Under Construction

The Certegy Data Misappropriation Case

Introduction

Created in 2001, Certegy sought to empower check users by ‘insuring’ checks written to merchants. This check verification system used ‘artificial intelligence’ to determine whether the check was ‘bad’. Certegy did not use credit or bank records to determine whether the check was bad, instead Certegy’s algorithm used other factors to predict whether the check would bounce. A merchant who subscribed to Certegy’s check verification service would enter the check information into a small terminal - similar to a credit card terminal – and would then receive notification as to whether or not this check was insured by Certegy. If the check was insured and bounced, Certegy would reimburse the merchant. The system was far from perfect. Many customers had $10 checks declined with $100,000 in their bank accounts. Often, the reason was that no significant history had been established by the check writer.

On July 3, 2007, Certegy announced that one of its employees, William Sullivan, had misappropriated 8.4 million records over a five-year period while working as a senior database administrator. Certegy took immediate action to minimize the impact of the misappropriated consumer information. Even Certegy’s critics agreed that Certegy’s response was both swift and adequate.

Despite going above and beyond what other companies had done in response to cases of data misappropriation, a class action lawsuit was brought against Certegy. In September 2008, a settlement was approved by a federal judge. The settlement provides for a range of credit monitoring services and reimbursement of expenses for those whose identity was stolen.

There are several caveats to the settlement. Most notably, Certegy has capped the total amount of money it will pay for identity theft claims at $4 million. That money is not likely to be disbursed at all, because to date there have been no cases of identity theft directly attributable to the data misappropriation. All that Certegy is required to pay under the terms of the settlement are the legal fees and credit and bank monitoring fees for qualifying members of the class. This amounts to less than $5 million.

Was Certegy guilty of any crime? If so, what crime? Was there negligence on their part? Most importantly, were there any damages?

Discussion

1. Was there any violation of law when the misappropriated data was sold to the marketers?

Surprisingly, there is no single source of privacy rights in the United States governing personal information in privately owned or operated computer data banks. Instead, there is an extensive patchwork quilt of federal and state laws governing personal privacy. In 1999, President Clinton signed into law the Financial Services Modernization Act (otherwise known as the Gramm-Leach-Bliley Act). The act provides that a financial institution may not disclose a consumer's nonpublic personal information to nonaffiliated third parties, unless the consumer is given a clear and conspicuous notice of this possibility, and an opportunity to opt out of such disclosures before the first time they occur.

Is a check writer a consumer of Certegy’s service? Technically, the merchant is the consumer of the check verification service. A contract exists between Macy’s and Certegy, not between John Doe and Certegy; Certegy takes a percentage of Macy’s sales, not Jane Doe’s income. Even so, it is logical to assume that John and Jane Doe are consumers of Certegy’s product. If not for John and Jane, Macy’s contract with Certegy would be meaningless. In essence, when John and Jane shop at Macy’s and pay by check, Macy’s is acting as a sales agent for Certegy and signing them up as Certegy customers. Certegy then stores information on John and Jane. Thus, Certegy has regular customers (the Does), and corporate customers (Macy’s) who are at the same time sales agents.

Thus, it is safe to say that by allowing the data of its consumers to be misappropriated, Certegy was in violation of the Financial Services Modernization Act.

2. Was Certegy negligent?

Normally, in cases of data misappropriation, the company is found to be negligent, because no matter how safe the company thought their network was, they had a responsibility to make sure it was impenetrable. That logic holds true when protecting against external threats, but what about this incident that did not involve any outside intrusion into Certegy’s systems?

Arguably, Certegy was negligent on two counts. First, there was no need for any data to be stored on Certegy’s computers. Certegy’s algorithm based its decision on a number of factors, none of which has anything to do with this specific check writer’s history with Certegy. Thus, John Doe, a first-time Certegy user, has the same chances of having his check approved as Jane Doe, a frequent check-writing Certegy customer. The act of storing the information is negligent because Certegy ought to have anticipated that data might be misappropriated. The rebuttal to this argument – the data was saved automatically through no affirmative action of Certegy – is both weak and fatalistic. Computers do as they are told. If Certegy’s computers saved the data, that is because their programming told them to do so.

Second, Certegy was negligent by giving the keys to the kingdom to Sullivan. Although their network was secure from external threats, perhaps the overemphasis on external security caused them to neglect guarding against internal theft. Certegy should have ensured that a system of checks and balances existed. No one person should have had access to this private data without oversight by some committee. The system Certegy had in place was insecure and was just begging to be compromised.

3. What damages occurred?

In Smith v. Chase Manhattan Bank, 741 N.Y.S.2d 100 (2002), the court held that misappropriated data used to merely offer products and services to class members which they were free to decline did not qualify as actual harm. Moreover, no harm exists where a class member cannot prove that he suffered any actual harm due to the receipt of an unwanted telephone solicitation or a piece of junk mail.

Although at first glance the Certegy case seems similar to Chase, a closer look at the facts in Certegy distinguishes it from Chase. In Certegy, the data was sold to a company that in turn sold this data to other marketing firms that were being investigated by the FTC for marketing and telemarketing fraud. One of the companies was running a scam with the data it received, in which it would contact consumers with a compelling offer in exchange for accepting a 14-day free trial in a discount-shopping club. After tricking the consumers into providing their bank account numbers, the company would make unauthorized debits. The FTC says the company's free gifts were largely worthless.

Additionally, in Forbes v. Wells Fargo Bank, 420 F. Supp. 2d 1018 (D. Minn. 2006), plaintiffs claimed a variety of damages related to the theft, primarily to monitor their financial accounts against potential loss. The court found that the personal time and money spent by this purported class "was not the result of any present injury, but rather the anticipation of future injury that has not materialized."

Using the argument mentioned above, it would seem that the Certegy data theft was a ‘present injury’ unlike the future injury in Forbes. In the Certegy case, the data had been delivered to unscrupulous marketing corporations who used the data for their nefarious schemes. A possibility exists that these firms may in turn pass along this sensitive data to others who might attempt to take out bank loans or open credit cards with this information. Thus, the affected class members are not simply taking steps to avoid future injury; they were aware of a clear and present danger and are therefore entitled to seek reimbursement for their damages from defendant Certegy.

Conclusion

Although Certegy is a unique case of data misappropriation in that no actual financial fraud took place as a direct result of the data misappropriation, and that Certegy took a strong and forceful stand against those who had acquired the stolen data, had this case gone to trial, Certegy would have been found to have negligently violated the Financial Services Modernization Act.

-- DavidMehl - 26 Apr 2010

 

Revision 6r6 - 17 Jan 2012 - 17:48:22 - IanSullivan
Revision 5r5 - 17 Jan 2012 - 15:49:16 - IanSullivan
Revision 4r4 - 12 May 2010 - 01:18:54 - EbenMoglen
Revision 3r3 - 27 Apr 2010 - 21:08:50 - DavidMehl
Revision 2r2 - 27 Apr 2010 - 20:07:38 - DavidMehl
Revision 1r1 - 26 Apr 2010 - 21:35:22 - DavidMehl
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.