InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Tennessee amends its Consumer Protection Act
Recently, the Governor of Tennessee signed into law HB 2711 (the “Act”) which amends, among other things, the state’s Consumer Protection Act. In particular, the Act establishes the factors that a court may consider when determining a civil penalty for violation of the Consumer Protection Act. The court may consider (i) the defendant’s participation in the attorney’s general complaint resolution process; (ii) and the defendant’s restitution efforts prior to the action; (iii) whether there was good or bad faith; (iv) injury to the public; (v) one’s ability to pay; (vi) the public’s interest in eliminating the benefits derived by the violator; and (vii) the state’s interest. Additionally, the Act expands its protection of elderly people to “specially targeted consumers” which includes persons who are at least 60 years old, persons under 18, and current and former military service members. Persons who are found to have targeted specially targeted consumers can be liable for penalties up to $10,000. Furthermore, the Act makes other changes such as procedural requirements for actions brought by the attorney general. The Act is effective immediately.
Washington State Attorney General obtains civil penalties against debt collection agency for medical debt collection practices
On March 19, the Washington State Attorney General (AG) obtained an order from the King County Superior Court providing that a debt collection agency must pay civil penalties for allegedly failing to comply with the Washington Collection Agency Act and Consumer Protection Act when collecting medical debts, specifically by failing to provide the required disclosures in its consumer communications. The court found that the debt collection agency sent 82,729 debt collection notices to medical debtors without the necessary disclosures, which included notification of the debtor’s right to request the original or redacted account number assigned to the debt, the date of last payment, and an itemized statement. The notices also did not inform the debtor that the debtor may be eligible for charity care from the hospital or provided contact information for the hospital. According to the AG’s Office, the collection agency “unlawfully collected payments from … patients without providing critical information about their rights when faced with medical debt. By excluding the legally required disclosures about financial assistance in its collection letters, [the collection agency] created barriers that kept patients who likely qualified for financial assistance from learning about and accessing help with their hospital bills.”
The court ordered a civil penalty of $10 per violation for the debt collection agency’s 82,729 alleged violations of the state Consumer Protection Act, totaling $827,290. Additionally, the court ordered the debt collection agency to reimburse the AG’s office for the costs of bringing the case, which is estimated to exceed $400,000 and to update its practices to comply with Washington law. In determining the civil penalty amount, the court found, among other things, that the debt collection agency acted in bad faith by “fail[ing] to take basic compliance steps,” and “fail[ing] to obtain the correct license … maintain an office in the state, and … include the mandatory disclosures on medical and hospital debt.”
As previously covered by InfoBytes, the AG successfully sued the nonprofit health system in early February, entering a consent decree pursuant to which the health system must pay $158 million in patient refunds, debt forgiveness, and AG costs.
NYDFS circulates advisory on file transfers
On June 2, NYDFS notified all regulated entities that an identified SQL injection vulnerability found in a web application of a managed file transfer software may allow unauthenticated attackers to gain access to its database. The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency and others circulated the advisory, which cautioned that this vulnerability is being actively exploited by threat actors to deploy ransomware, steal data, and disrupt operations. NYDFS advised all regulated entities to conduct prompt risks assessments on their organizations, customers, consumers, and third-party service providers to mitigate risk. Regulated entities were also reminded about the requirement to report cybersecurity events as promptly as possible but no later than 72 hours at the latest, and that “evidence of unauthorized access to information systems, such as webshell installation, even if there has been no malware deployed or data exfiltrated,” are considered a reportable cybersecurity event under 23 NYCRR Section 500.17(a)(2).
Agencies crack down on deceptive Covid-19 treatment claims
On March 3, the FTC, along with the DOJ and FDA, filed a lawsuit against a New York-based marketer of herbal tea for allegedly claiming its tea was clinically proven to treat, cure, and prevent Covid-19. The announcement reiterated the agencies’ commitment to cracking down on companies that unlawfully market unproven Covid-19 treatments. According to the joint agency complaint, the defendants’ deceptive marketing claims that their herbal tea product is capable of preventing or treating Covid-19 (and is more effective than Covid-19 vaccines) are not supported by competent or reliable scientific evidence and pose “a significant risk to public health and safety.” Moreover, the defendants have allegedly repeatedly ignored FTC and FDA warnings that their deceptive advertising and misrepresentations violate the FTC Act, the Covid-19 Consumer Protection Act, and the Federal Food, Drug, and Cosmetic Act. The complaint seeks permanent injunctive relief, civil penalties, and other remedies to prevent the harms caused by the defendants’ deceptive misrepresentations.
FTC says ISPs provide limited protections for consumer data
On October 21, the FTC reported that internet service providers (ISPs) are able to gather and share large pools of sensitive consumer data while providing limited privacy protections. According to an FTC staff report, ISPs’ data collection and use practices allow them to monitor and record their customers’ every online move, granting them the ability to collect large amounts of information without their customers’ knowledge. The FTC launched the internet privacy study in 2019 under Section 6(b) of the FTC Act and analyzed information from six major ISPs, which comprise roughly 98 percent of the mobile internet market. Three advertising affiliates associated with the ISPs were also asked to provide information on their data collection and use practices. The report found, among other things, that ISPs typically collect and share more customer information than is necessary to provide ISP services. According to the report, some ISPs collected personal information to market products and services, serve targeted ads on behalf of third parties, or share insights into customers’ behaviors with other businesses. The report also found that customers are often placed into categories by “race, ethnicity, sexual orientation, economic status, political affiliations, or religious beliefs,” and that ISPs often share real-time location data with third parties.
Additionally, the report found that while several ISPs tell customers their personal information will not be sold, the companies’ privacy notices obscure other ways personal data can be used, transferred, or monetized by other parties, and “often bury[] such disclosures in the fine print of their privacy policies.” The report further explained that many customers are often confused about how to opt-out of or limit ISPs’ data collection, adding that while several ISPs promise to retain data only for as long as needed for a business reason, the definition of what constitutes a “business reason” varies widely.
Chair Lina M. Khan issued separate remarks, emphasizing that the report’s finding are “striking” and “underscore deficiencies of the ‘notice-and-consent’ framework for privacy, especially in markets where users face highly limited choices among service providers.”
FTC brings first action under Covid-19 Consumer Protection Act
On April 15, the FTC announced a civil complaint filed by the DOJ on its behalf, against a St. Louis-based company and its owner for violating the Covid-19 Consumer Protection Act and the FTC Act by making deceptive marketing health claims about their products. (See also DOJ press release here.) This is the first action the FTC has brought under the new law, which makes it unlawful under Section 5 of the FTC Act “for any person, partnership, or corporation to engage in a deceptive act or practice in or affecting commerce . . . that is associated with the treatment, cure, prevention, mitigation, or diagnosis of COVID–19” or “a government benefit related to COVID–19.” The FTC’s complaint alleges that the defendants deceptively marketed their products as being an effective treatment for Covid-19 based on the results of certain scientific studies, even though they “lacked any reasonable bases” for their claims. According to the FTC’s announcement, the defendants also allegedly advertised—without scientific support—that their products were equally, or more, effective than the currently available vaccines. The FTC seeks an injunction against the defendants, along with monetary penalties and other civil remedies to prevent harm caused by the defendants’ misrepresentations.