New York Appellate Division Limits Bank Liability For Sharing Confidential Information

In Smith v. Chase Manhattan Bank, USA, N.A., et al., 741 N.Y.S.2d 100 (N.Y. App. Div., 2d Dep't, April 15, 2002), the New York Appellate Division affirmed dismissal of a class action alleging that Chase Manhattan Bank USA, N.A. and its parent, Chase Manhattan Corporation (collectively, Chase) breached a written promise not to share confidential customer information with unrelated third parties. The decision limits and clarifies when, under New York law, a bank can be held liable for selling customer data.

Trial Court Dismisses Claim that Bank Violated Its Own Confidentiality Regulations

The plaintiff class in Smith, holders of mortgages and credit cards issued by Chase, alleged that the bank unlawfully sold customer data (such as names, addresses, telephone numbers, account or loan numbers, credit card usage and other financial information) to vendors unaffiliated with Chase, without providing the bank customers an opportunity to opt-out of the disclosure. These vendors, in turn, provided the information to telemarketers and direct mail representatives who used it solicit the bank's customers. The vendors paid Chase a commission of up to 24% of the sales for such information.

The plaintiffs alleged that Chase's "Customer Information Principles" prohibited such information-sharing and sued for:

  • breach of New York's consumer protection laws against deceptive acts and practices (General Business Law §349),
  • breach of contract,
  • unjust enrichment and
  • violation of certain New York civil rights laws (Civil Rights Law § 50-51). Id. at 101.

The Supreme Court dismissed the complaint in its entirety.

Finding No "Actual Injury", Appellate Court Affirms Dismissal

On appeal, the Appellate Division affirmed, holding for Chase on all claims. Although finding that the complaint adequately alleged deception under New York's consumer protection laws, the court concluded that neither being offered products and services which the plaintiffs were free to decline nor receiving unwanted telephone solicitations or junk mail qualifies as actionable consumer injury. Id. at 102.

The appellate court next held that the commissions Chase earned on the purchases made by class members did not support a claim for unjust enrichment. The court reasoned that those plaintiffs that elected to make purchases actually benefited from Chase's sale of the customer data; those that did not make purchases did not generate any commissions for Chase. Thus, Chase was not unjustly enriched. Id. at 103.

The court also affirmed dismissal of the breach of contract count, reasoning that no pecuniary damages were alleged and emotional distress damages arising from unsolicited telephone calls do not give rise to a claim for breach of contract. Id. Finally, the court rejected the civil rights claim, stating that such laws were never intended to address the wrongs complained of by the plaintiffs.

Notwithstanding Smith, Numerous Information-Sharing Regulations Limit Disclosures By Financial Institutions

Although the Smith case imposes some limits on private rights of action, financial institutions must, of course, remain vigilant about complying with increased government regulation of information-sharing practices.

In particular, Congress, in 1999, restricted the sharing of nonpublic personal information through Title V of the Gramm-Leach-Bliley Financial Modernization Act (GLBA). Among other things, banking regulators, pursuant to GLBA, now require banks:

  • to inventory the institution's information collection and disclosure practices;
  • to ensure that consumers can opt-out of otherwise permitted disclosures;
  • to deliver privacy notices in a manner that increases the likelihood of customer review;
  • to take steps to ensure that permitted disclosures are not used by third parties for unintended purposes;
  • to implement employee training programs; and
  • to set target dates for all features of the compliance program.

Bank examiners will assess the reliability of a bank's compliance management system as part of the examination process. Banks may also be subject to more stringent privacy protections enacted by state legislatures.

Insurance companies are also subject to the GLBA and can face state privacy laws and regulations – many based on a 1980 model law adopted by the National Association of Insurance Commissioners -- that exceed the protections afforded by the GLBA. Some states have announced that insurance company privacy practices will become part of on-site examinations conducted by insurance authorities.

Smith Does Not Extinguish All Private Causes Of Actions For Sharing Confidential Information

The Smith case leaves the door open for financial institutions to face similar private suits in the future for at least two reasons: First, the court did not limit "actual injury" to pecuniary harm. Thus, future plaintiffs are free to plead that non-pecuniary harm constitutes actual injury, provided the non-pecuniary harm is something more than an unwanted solicitation. Second, Smith implies that a financial institution may be liable for unjust enrichment if it receives fees for selling information related to customers that do not, when solicited, purchase the product or service.

Thus, while Chase prevailed in the Smith case, the issues left unresolved by the dispute highlight the importance of privacy compliance programs for financial institutions. Further, given increasing oversight and enforcement actions by federal and state regulators, financial institutions and insurance companies would be well-advised to review their information-sharing practices to ensure compliance with existing requirements.