Skip to main content
Menu Icon
Close

InfoBytes Blog

Financial Services Law Insights and Observations

Filter

Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.

  • District Court: California privacy laws do not absolve discovery obligations in federal litigation

    Privacy, Cyber Risk & Data Security

    Last month, the U.S. District Court for the Central District of California granted plaintiffs’ motion to compel defendants’ responses to a request for production of documents after determining that defendants may not rely on the California Consumer Protection Act (CCPA) or other state laws to avoid discovery obligations in federal litigation. In 2020, the plaintiffs brought numerous claims, including violations of the Computer Fraud and Abuse Act and several related state law claims, alleging the defendants took the plaintiffs’ client database, marketing software, and computer to start their own business. After being served with a request for production of documents, the defendants asserted that producing the information would violate various California privacy laws, including the CCPA, the California Information Privacy Act, the California Privacy Rights Act, and Article 1, Section 1 of the California Constitution. The plaintiffs countered that the defendants’ objection should be overruled, as they had failed to establish “that there exists a reasonable right of privacy to the information sought to be disclosed,” arguing, among other things, that the defendants’ privacy concern “is undermined by their failure to enter into, or otherwise seek, a protective order.”

    The court agreed with the plaintiffs, concluding that the defendants’ privacy objection is without merit. According to the court, the California privacy rights asserted by the defendants were not applicable in this discovery proceeding because “even to the extent the California constitution and these California statutes create a privilege—which this Court does not decide here—only federal law on privilege applies in cases, such as this one, involving federal question jurisdiction.” Although the court noted that a federal law counterpart to California’s privacy laws does not exist, it affirmed that “federal courts recognize a right of privacy implicit in Rule 26.” Nevertheless, the court stated that, “to the extent such a privacy interest exists, ‘corporations have a lesser right to privacy than human beings and are not entitled to claim a right to privacy in terms of a fundamental right, [although] some right to privacy exists.” Moreover, “[c]ourts routinely have found that a corporation’s privacy rights may give way where the information requested is material, not available from another source, and protected from disclosure by a protective order.” The court ultimately found that “a proper balancing of the competing interests weighs in favor of granting” the plaintiff’s discovery requests, adding that the defendants did not offer or suggest any alternative means by which the plaintiff could obtain the information and that a protective order would mitigate any risk of harm.

    Privacy/Cyber Risk & Data Security Courts Discovery CCPA State Issues California

  • District court requires bank to produce consultant’s data breach report

    Courts

    On May 26, a magistrate judge of the U.S. District Court for the Eastern District of Virginia ordered a national bank to produce to plaintiffs in litigation a forensic analysis performed by a cybersecurity consulting firm regarding the bank’s 2019 data breach, concluding the report was not entitled to work product protection. As previously covered by InfoBytes, in July 2019, the national bank announced that an unauthorized individual had obtained personal information of credit card customers and people who had applied for credit card products. According to the order, after the data breach, the bank’s outside counsel directed a cybersecurity company, which had been engaging in periodic work with the bank since 2015, to prepare a report “‘detailing the technical factors that allowed the criminal hacker to penetrate [the bank]’s security.’” Plaintiffs, in a class action against the bank for the data breach, sought to obtain the report in discovery, but the bank opposed the production, arguing that the report was protected work product created under an agreement with outside counsel in anticipation of litigation.

    The court rejected the bank’s argument, concluding that the bank did not show the consultant’s scope of work under the outside counsel agreement “was any different than the scope of work for incident response services,” and that the bank had not shown the firm would not have performed the services “without the prospect of litigation.” Moreover, the court noted, “[t]he retention of outside counsel does not, by itself, turn a document into work product.” The court compelled production, holding that the report was not entitled to protection under the work product doctrine.

    Courts Discovery Data Breach Privacy/Cyber Risk & Data Security

  • Supreme Court holds FDCPA filing limit starts on date of violation

    Courts

    On December 10, the U.S. Supreme Court, in an eight-to-one decision, held that the one-year time limit for filing an FDCPA action starts on the date of the violation, and that no “discovery rule” applies. According to the opinion, the respondent law firm sued the petitioner seeking payment of credit card debt. The respondent attempted service on the petitioner at his old address, where the occupant accepted service. After the petitioner did not respond, a default judgment was entered against him in 2009. The petitioner claimed that he had no knowledge of the default judgement until 2014. He then sued the respondent in district court in 2015 alleging that the respondent “purposely served process in a manner that ensured he would not receive service,” and that the respondent violated the FDCPA by filing the debt collection suit against the petitioner “after the state-law limitations period expired,” and thus had no “lawful ability to collect.” The district court dismissed the action, rejecting the petitioner’s assertion of the U.S. Court of Appeals for the Ninth Circuit holding that a “discovery rule” exists, which delays the one-year limit to the date when the violation is discovered. The district court held that the FDCPA does not include a discovery rule, relying on the FDCPA’s “plain language.”

    On appeal, the U.S. Court of Appeals for the Third Circuit affirmed the district court’s decision, holding that “there is no default presumption” of a discovery rule in the FDCPA.

    Upon review by the Court, Justice Thomas, who penned the majority opinion, averred that the FDCPA explicitly provides a one-year limitation starting on “the date on which the violation occurs.” Moreover, the opinion points out that Congress would have added a provision to delay that limitation until after a violation was discovered if it meant for the FDCPA to have such a provision.

    According to Justice Ginsberg’s dissenting opinion, though she agreed with the one-year limitation for filing suit under the FDCPA, she added that the discovery rule should be observed when fraud prevents the petitioner from filing within the one-year period, distinguishing the “fraud-based discovery rule” from general “equitable tolling” principles.

    U.S. Supreme Court Courts FDCPA Discovery Consumer Finance

  • District Court rejects sampling-related expert discovery in RMBS action

    Courts

    On November 18, the U.S. District Court for the Southern District of New York denied an investment company’s request to use “sampling-related expert discovery” in its action against a trustee of five residential mortgage-backed securities (RMBS), concluding that the proposal was not proportional to the needs of the case. As previously covered by InfoBytes, the investment company filed suit against the trustee alleging the trustee “failed to fulfil certain contractual duties triggered by the discovery of breaches of ‘representations and warranties’” when the underlying mortgages allegedly were found not to be of the promised quality. The investment company also alleged that the trustee failed to exercise its rights to require the companies that sold the mortgages in question “to cure, substitute, or repurchase the breaching loans.” After being denied class certification by the court in February, the investment company preemptively moved for an order from the court allowing it to use sampling-related expert discovery—a process which “engage[s] experts to select samples of mortgage loans from each of the five trusts and to perform analyses on those samples of loans to extrapolate information about the quality of all of the loans in the trusts.”

    The court denied the request, calling the proposed sampling a “blind corner.” The court noted that the “breach rate evidence” that would be discovered by the sampling “only provides substantial probative value for [the investment company’s] claims if [the investment company] can demonstrate that [the trustee] was under an obligation to conduct an investigation of the loans in each of the trusts,” which the investment company has failed to do. Because “the probative value of that discovery hinges upon a factual theory that [the investment company] has yet to demonstrate is viable,” the court could not justify allowing the parties to expend hundreds of thousands of dollars on the proposed sampling.

    Courts RMBS Mortgages Securities Discovery

Upcoming Events