Gift Card and Security Breach Notification Update

Tennessee enacted a new gift certificate law (H.B. 2574) which will take effect July 1, 2006. The law prohibits expiration dates less than 2 years after issuance and prohibits charging a fee to issue a gift certificate. In addition, no service charges, including dormancy fees and latency fees, or any charge that reduces the total amount of the gift certificate are allowed within 2 years after issuance of the certificate. A gift certificate without an expiration date is valid until redeemed or replaced.

The restrictions on expiration dates and on fees charged to issue a gift certificate do not apply to several types of certificates, including the following:

  1. A certificate distributed to a consumer pursuant to an awards, loyalty, or promotional program without any money or anything of value being given in exchange for the gift certificate;
  2. A certificate that is given to an employee by an employer if use of the gift certificate is limited to the employer's business establishment, which may include a group of merchants that are affiliated with the business establishment; and
  3. A certificate that is usable with multiple, unaffiliated sellers of goods or services.

The term gift certificate does not include a prepaid calling card used to make telephone calls.

The Office of Thrift Supervision recently issued an opinion letter on state gift card laws in response to a savings association’s questions about the applicability of five kinds of restrictions on gift cards issued by federal savings associations and their operating subsidiaries. The Office of Thrift Supervision (OTS) stated that the following types of state laws are pre-empted by federal law: laws requiring licensing; restrictions on fees; restrictions on expiration dates; disclosure requirements; and laws requiring an issuer to redeem a gift card for cash when the balance falls below a certain amount.

The letter also states that pre-emption of the state laws does not create a regulatory vacuum, as federal savings associations issuing gift cards “are subject to a host of federal requirements and protections,” among them the following: OTS’s Funds Transfer Service rules (requiring the activity to conform to applicable laws and established commercial practices), OTS’s Electronic Operations rule (requiring numerous risk and security measures), OTS’s Advertising rule (prohibiting savings associations from using any advertising or promotional material that misrepresents the services offered), the Bank Secrecy Act and its implementing regulations, and Section 5 of the Federal Trade Commission Act (prohibiting unfair or deceptive acts or practices).

The OTS letter applies only to the specific gift cards described in the letter: cards that are issued by a federal savings association or its operating subsidiaries, are usable at multiple retailers, are issued in predetermined amounts and cannot be reloaded, and for which the terms and conditions, including fees and expiration dates, are prominently disclosed.

New Security Breach Notification Laws
Eleven more states – Arizona, Colorado, Hawaii, Idaho, Kansas, Maine, Nebraska, North Carolina, Utah, Vermont and Wisconsin – have enacted new laws requiring a company to notify individuals if personal information is lost or stolen. At least 30 states have enacted such laws and Congress is still considering several data security bills (some of which would pre-empt state laws).

Although the new state laws generally mirror California’s law, each one has important differences. For example, Hawaii’s law (SB 2290) does not contain a safe harbor for a company that follows its own notification procedure; Nebraska’s law (LB 876) provides for a modified type of notice for small businesses; North Carolina’s law (SB 1048) creates a private right of action if a person is injured as a result of a violation of the law. Indiana amended its law, which now applies to businesses as well as government agencies. The Indiana law also imposes data destruction requirements and provides criminal penalties for failure to comply. The Indiana and North Carolina laws are not limited to computerized data.

As the state laws become more varied, it becomes more likely that a federal security breach notification law that pre-empts state laws will be enacted. Numerous such bills are currently pending.


This client alert is a publication of Loeb & Loeb and is intended to provide information on recent legal developments. This client alert does not create or continue an attorney client relationship nor should it be construed as legal advice or an opinion on specific situations.

Circular 230 Disclosure: To assure compliance with Treasury Department rules governing tax practice, we inform you that any advice (including in any attachment) (1) was not written and is not intended to be used, and cannot be used, for the purpose of avoiding any federal tax penalty that may be imposed on the taxpayer, and (2) may not be used in connection with promoting, marketing or recommending to another person any transaction or matter addressed herein.