On March 21, the U.S. District Court for the Northern District of Alabama reduced a consumer’s punitive damages award from $3 million to $490,000 in an action against a credit reporting agency for the alleged misreporting of credit information. According to the opinion, after the consumer had a debt dismissed by small claims court, he requested that the credit reporting agencies remove the trade line from his credit report. When one credit reporting agency refused to initiate a dispute investigation because it suspected fraud, the consumer filed a complaint alleging violations of the FCRA. In May 2018, a jury awarded the consumer $5,000 in compensatory damages and $3 million in punitive damages. The credit reporting agency moved to have the court enter judgment as a matter of law and/or have the judgment amended or altered. The court reviewed the award, noting that the punitive to compensatory damages ratio of 600 to 1 “suspiciously cocked” the “court’s eyebrows.” The court emphasized that a single-digit multiplier would not be sufficient to deter the credit reporting agency from future wrongdoing and instead, applied the 98 to 1 ratio used by the U.S. Court of Appeals for the 4th Circuit, bringing the punitive damages down to $490,000. In addition, the court applied the “one satisfaction” rule, concluding the credit reporting agency did not have to pay the compensatory damages, as the consumer already received settlement proceeds that exceed the jury award from other defendants, and “the injuries the [consumer] described are indivisible between [the credit reporting agency] and the settling defendants.”
On August 20, the U.S. Court of Appeals for the 9th Circuit held that the plaintiff bears the burden of establishing a defendant’s net worth when seeking an award of class statutory damages in an FDCPA action. The appeals court affirmed the lower court’s dismissal of the plaintiff’s class action, which alleged a law firm’s letters violated the FDCPA by using “false, deceptive, or misleading representation[s].” The panel found that the language of the FDCPA’s class statutory damages provision—"not to exceed the lesser of $500,000 or 1 per centum of the net worth of the debt collector"—makes it clear that a defendant’s net worth is a prerequisite to establishing statutory damages. The court noted that the FDCPA is silent as to which party bears the burden, but the “ordinary default rule” establishes the burden upon the party seeking relief and there is no reason to believe Congress intended otherwise under the FDCPA. The court rejected the plaintiff’s argument that because the defendant has “superior access” to the evidence of net worth, it must bear the burden because it is “not uniquely difficult for consumer plaintiffs to acquire the debt collector’s financial information.” Because the plaintiff failed to present evidence of the law firm’s net worth, the 9th Circuit concluded the lower court was correct in dismissing the action.
On July 30, a New Jersey state appeals court reversed a lower court’s judgment awarding consumers over $1.8 million in connection with allegations that a national bank’s predecessor violated the state’s Consumer Fraud Act (CFA) by misrepresenting information to the town’s planning board in order to secure approvals for a housing development. Specifically, the plaintiffs had argued that, because of misrepresentations to the town’s planning board, the construction of a housing development was approved and resulted in the flooding of their home. According to the plaintiffs, the national bank’s predecessor was aware that their housing section could be susceptible to groundwater runoff but concealed the information from the planning board, and that had the planning board been aware of the information, the board would have denied the plans and the plaintiffs’ home would not have flooded. A jury agreed, and the trial court ultimately awarded the plaintiffs almost $50,000 in treble damages under the CFA claim, and $1.8 million in fees and expenses, along with smaller amounts of damages for nuisance and trespass claims.
On appeal, the panel reversed the damages for the CFA claims, including the fee award, holding that “there is a complete lack of proof of a causal connection” between the predecessor’s misrepresentations and the plaintiffs’ decision to purchase their residence. The court rejected the plaintiffs’ arguments that had the misrepresentations not been made, the construction of the development would have been denied and their house would not have flooded. The court concluded the argument was “speculative and attenuated” and there was no proof the development “would not have been built by another developer.”
On June 25, the U.S. District Court for the District of Maryland dismissed a proposed class action alleging a national bank violated the Maryland Credit Grantor Closed End Credit (CLEC) law by charging “convenience fees” in connection with secured vehicle financing. According to the opinion, after the consumer defaulted on vehicle payments, the bank repossessed the consumer’s vehicle and demanded the consumer pay the deficiency balance. In August 2017, the consumer, on behalf of herself and others similarly situated, filed a class action against the bank for allegedly charging convenience fees in connection with over 500 retail installment sales contracts for vehicles governed under the CLEC. Upon removal to federal court, the consumer sought to amend her complaint to replace the CLEC claim with a breach of contract claim based on the same violation in her original complaint and the bank sought dismissal of the claim. The court granted the bank’s motion to dismiss, concluding that even if the bank did charge a convenience fee in violation of the CLEC, the bank (i) did not collect payments in excess of the original principal amount of the loan; and (ii) did not seek a deficiency judgment against the consumer. Additionally, the consumer did not seek injunctive or declaratory relief. Therefore, the court held that the consumer is not entitled to damages under CLEC and her corollary breach of contract claim is “futile and must be dismissed.”
On April 10, the U.S. Court of Appeals for the 7th Circuit affirmed the district court’s dismissal of a RESPA action because the plaintiff did not properly establish actual damages arising out of her non-receipt of a response to her Qualified Written Request (QWR) to the bank. The opinion explains that the plaintiff’s property was vandalized in 2014 and the bank received insurance money to escrow for repairs. In 2015, the bank released funds for the repairs and subsequently, the plaintiff’s contractor abandoned the job; the property was then vandalized twice more. On September 5, 2015, the plaintiff sent the bank a letter asking about the status of her loan, specifically regarding how insurance money was being handled. The bank sent a response to the letter on September 25, 2015, but the plaintiff alleges she never received the bank’s response and contends the bank’s failure to respond to her QWR caused her emotional distress and contributed to her divorce. The 7th Circuit agreed with the district court that the plaintiff failed to establish how a response to her QWR would have resolved her financial inability to make the required repairs since RESPA does not require the bank to pay money in response to a written request. Moreover, the Appeals Court held that some of the plaintiff’s asserted injuries, such as her divorce, are outside the scope of RESPA.
On March 21, the South Dakota governor signed SB 62, which requires companies that hold consumers’ personal information to (i) notify consumers within 60 days of a data breach; and (ii) notify the state Attorney General if more than 250 consumers are affected. Notice must be provided to consumers either by mail; electronic notice; or, in certain circumstances, substitute notice (e.g., a posting on the company’s website or notification to statewide media). The law gives the state Attorney General the authority to prosecute a failure to disclose a data breach as a deceptive act or practice under South Dakota’s consumer protection laws, which can result in penalties of up to $10,000 a day per violation. A disclosure is not required if notice is given to the state Attorney General and following an “appropriate investigation,” the company determines that the breach “will not likely result in harm to the affected person.” The law is effective July 1.
A similar measure was signed by the Oregon governor on March 16. Effective on or about June 10, Oregon’s SB 1551 mandates that a person or entity that “owns, licenses, or otherwise possesses personal information” that suffered a security breach must notify the affected consumers within 45 days and, if more than 250 consumers were affected, must also notify the state Attorney General. The person or entity must also undertake reasonable measures to “determine scope of breach of security and to restore reasonable integrity, security and confidentiality of personal information.” Additionally, the law sets out guidelines regarding credit monitoring services and security freezes:
- Credit Monitoring Services. Among other things, SB 1551 provides that if a person or entity offers free credit monitoring services to affected consumers, the entity may not require a credit or debit card number as a condition for the service. If additional identity theft services are offered for a fee, the person or entity must “separately, distinctly, clearly and conspicuously” disclose the charging of the fee.
- Security Freezes. SB 1551 prohibits a consumer reporting agency from charging a fee for placing, temporarily lifting, or removing a security freeze. Moreover, it prevents credit reporting agencies from charging fees for replacing a lost personal identification number or password. Recently, Michigan, Utah, Washington, and Virginia enacted similar prohibitions (previously covered by InfoBytes, here, here, and here).
California judge limits plaintiffs’ ability to seek certain punitive damages in internet data breach
On March 9, the U.S. District Court for the Northern District of California partially granted a motion to dismiss limiting plaintiffs’ ability to seek certain punitive damages for data breaches. The court also held that the plaintiffs cannot seek claims under the California Customer Records Act (CRA). The consolidated litigation results from announcements that hackers had breached the defendant’s systems and accessed users’ personal information in multiple attacks between 2013 and 2016. While the court kept several claims alive, including one alleging company executives purposefully concealed the hacks and others related to good faith and fair dealing, the court found the plaintiffs had failed to establish when the company learned about the 2013 and 2014 hacks, which warranted dismissal of most of the claims brought under the CRA. With respect to the limit on punitive damages, the court held that there is no punitive remedy for the alleged breaches relating to the breach of contract and CRA claims. However, the court did allow the plaintiffs to seek punitive damages for concealment, negligence, and misrepresentation related to the executives’ alleged suppression of the breach.
On February 21, the U.S. Court of Appeals for the 10th Circuit affirmed a district court’s decision that under Colorado law, an insurance company had no duty to indemnify and defend its insured against TCPA claims seeking statutory damages and injunctive relief. According to the appellate opinion, the FTC and the states of California, Illinois, North Carolina, and Ohio sued a satellite television company for violations of the TCPA, Telemarketing Sales Rule (TSR), and various state laws for telephone calls made to numbers on the National Do Not Call Registry (FTC lawsuit). The FTC lawsuit sought statutory damages of up to $1,500 per alleged violation and injunctive relief. The defendant requested that its insurer defend and indemnify it for the claims pursuant to existing policies. The insurance company filed a complaint for declaratory judgment, seeking a declaration that it need not defend or indemnify the company in the FTC lawsuit. The district court determined that there was no coverage for several reasons, including: (i) that the statutory TCPA damages were a “penalty,” rendering them uninsurable under Colorado law; and (ii) that the injunctive relief sought did not qualify as damages under the policies’ definition. The 10th Circuit Court of Appeals affirmed both holdings, concluding that no coverage existed.