Skip to main content
Menu Icon Menu Icon

InfoBytes Blog

Financial Services Law Insights and Observations


Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.

  • Appellate court reverses BIPA decision

    Privacy, Cyber Risk & Data Security

    On November 30, the Illinois Court of Appeal for the Fourth Appellate District reversed and remanded a trial court’s decision to grant a defendant plating company’s motion for summary judgment in a Biometric Information Privacy Act (BIPA) suit. The plaintiff began working for the defendant in 2014. From the beginning of his employment, the plaintiff clocked into his job using a fingerprint, but the defendant did not have a written retention-and-destruction schedule for biometric data until 2018. The plaintiff was subsequently terminated and then filed suit claiming that the defendant violated BIPA by failing to establish a retention-and-destruction schedule for the possession of biometric information until four years after it first possessed the plaintiff’s biometric data. The trial court granted the defendant’s motion for summary judgment, finding that section 15(a) of BIPA established no time limits by which a private entity must establish a retention-and-destruction schedule for biometric data. The plaintiff appealed.

    The appellate court reversed the trial court’s order, finding that Section 15(a) specified that a private entity “in possession of” biometric data must develop a written policy laying out its retention and destruction protocols, and the duty to develop a schedule is triggered by possession of the biometric data. The appellate court noted that its decision “is consistent with the statutory scheme, which imposes upon private entities the obligation to establish [BIPA]-compliant procedures to protect employees' and customers' biometric data.” The appellate court went on to note that it “can discern no rational reason for the legislature to have intended that a private entity ‘develop’ a ‘retention schedule and guidelines for permanently destroying’ (id. § 15(a)) biometric data at a different time from that specified in the notice requirement in section 15(b), which itself must inform the subject of the length of time for which the data will be stored (i.e., retained), etc.” The appellate court concluded “that the duty to develop a schedule upon possession of the data necessarily means that the schedule must exist on that date, not afterwards,” and stressed that this is “the only reasonable interpretation” in light of BIPA's “preventive and deterrent purposes.”

    Furthermore, the appellate court rejected the defendant’s argument that “the statutory duty is satisfied so long as a schedule exists on the day that the biometric data possessed by a defendant is no longer needed or the parties’ relationship has ended," stating that the statutory language “belies this interpretation.”

    Privacy, Cyber Risk & Data Security Courts Illinois BIPA Consumer Protection State Issues

    Share page with AddThis
  • California appellate court upholds judgment in RFDCPA suit


    On November 23, the California Court of Appeal for the Fourth Appellate District upheld a summary judgment ruling for a creditor over allegations that it violated the Rosenthal Fair Debt Collection Practices Act (RFDCPA). The plaintiff, the widow of a former patient of the defendant doctor, asserted claims against the doctor and his professional corporation (collectively, “defendants”) alleging that they were debt collectors within the meaning of the RFDCPA. The plaintiff alleged that the defendants violated the RFDCPA by sending “multiple bills and making incessant” phone calls seeking payment for services provided to her husband before he died. The plaintiff requested that the defendants stop contacting her and seek payment through insurance and the hospital. The defendants used two different companies for its third-party billing services, and those companies sent invoices to the plaintiff, who responded that payment inquiries for her deceased husband should only be submitted to the insurance company and the medical center. The trial court granted the defendants’ motion for summary judgment, ruling they did not meet the statute’s definition of a debt collector.

    The appellate court affirmed, finding that “a medical service provider that exclusively uses an unaffiliated, third-party billing service to collect payment for services rendered to patients” is not a “debt collector” within the meaning of the RFDCPA. The court found that although the RFDCPA “applies to those who collect debts on behalf of themselves,” the law still requires that a defendant “must regularly and in the ordinary course of business ‘engage in’ debt collection” for liability to attach. The appellate court emphasized that it was not holding that “a creditor may never be vicariously liable for the actions of a debt collector on an agency theory.” Instead, the plaintiff carried “the burden to demonstrate a triable issue of material fact on the existence of such an agency relationship, and she failed to do so on this record.”

    Courts State Issues Appellate California Debt Collection Rosenthal Fair Debt Collection Practices Act

    Share page with AddThis
  • Supreme Court asked to stay judgment holding that HEROES Act does not authorize the creation of the DOE’s student debt relief plan


    Recently, the DOJ filed an application on behalf of the Department of Education (DOE) asking the U.S. Supreme Court to stay a judgment entered by the U.S. District Court for the Northern District of Texas in an action related to whether the agency’s student debt relief plan violated the Administrative Procedure Act’s (APA) notice-and-comment rulemaking procedures. As previously covered by InfoBytes, the district court held that while the HEROES Act expressly exempts the APA’s notice-and-comment obligations, the district court stressed that the HEROES Act “does not provide the executive branch clear congressional authorization to create a $400 billion student loan forgiveness program,” and, moreover, does not mention loan forgiveness. On December 1, the U.S. Court of Appeals for the Fifth Circuit denied the DOE’s motion for stay pending appeal.

    In its application, the DOE argued that the plaintiffs never asserted that the debt relief plan exceeded the education secretary’s statutory authority. Instead, the DOE argued, the plaintiffs alleged only that they were improperly denied the opportunity to comment on the plan, stressing that while the district court recognized that the HEROES Act expressly exempts the APA’s notice-and-comment obligations, it went further by holding that the plan went beyond the secretary’s authority. “The district court profoundly erred by raising and deciding a claim that respondents did not assert and could not have asserted,” the DOE stressed, further adding that the plaintiffs did not claim that providing debt relief to other borrowers would inflict injury on them. Beyond this, the secretary’s plan “falls squarely within the plain text of his statutory authority,” the DOE asserted. The DOE requested that the Supreme Court stay the district court’s judgment, or in the alternative, defer the application pending oral argument and treat it as a petition for certiorari before judgment, grant the petition, and hear the case along with a second separate action, discussed below, involving a challenge to an injunction that temporarily prohibits the Secretary of Education from discharging any federal loans under the agency’s student debt relief plan.

    As previously covered by InfoBytes, on December 1, the Supreme Court agreed to hear the Biden administration’s appeal of an injunction entered by the U.S. Court of Appeals for the Eighth Circuit. The 8th Circuit held that “the equities strongly favor an injunction considering the irreversible impact the Secretary’s debt forgiveness action would have as compared to the lack of harm an injunction would presently impose,” and pointed to the fact that the collection of student loan payments and the accrual of interest have both been suspended. (Covered by InfoBytes here.) The 8th Circuit’s opinion followed a ruling issued by the U.S. District Court for the Eastern District of Missouri, which dismissed an action filed by state attorneys general from Nebraska, Missouri, Arkansas, Iowa, Kansas, and South Carolina for lack of Article III standing after concluding that the states—which attempted “to assert a threat of imminent harm in the form of lost tax revenue in the future”— failed to establish imminent and non-speculative harm sufficient to confer standing. In an unsigned order, the Supreme Court deferred the Biden administration’s application to vacate, pending oral argument.

    Courts Student Lending DOJ Department of Education Administrative Procedure Act Debt Relief Consumer Finance U.S. Supreme Court Appellate Fifth Circuit Eighth Circuit HEROES Act

    Share page with AddThis
  • 9th Circuit revives data breach class action against French cryptocurrency wallet provider

    Privacy, Cyber Risk & Data Security

    On December 1, the U.S. Court of Appeals for the Ninth Circuit affirmed in part and reversed in part a district court’s dismissal of a putative class action brought against a French cryptocurrency wallet provider and its e-commerce vendor for lack of personal jurisdiction. As previously covered by InfoBytes, plaintiffs—customers who purchased hardware wallets through the vendor’s platform between July 2017 and June 2020—alleged violations of state-level consumer protection laws after a 2020 data breach exposed the personal contact information of thousands of customers. Plaintiffs contended, among other things, that when the breach was announced in 2020, the wallet provider failed to inform them that their data was involved in the breach, downplayed the seriousness of the attack, and did not disclose that the attack on its website and the vendor’s data theft were connected. The district court held that it did not have jurisdiction over the French wallet provider, and ruled, among other things, that the plaintiffs did not establish that the wallet provider “expressly aimed” its activities towards California in a way that would establish specific jurisdiction, and “did not cause harm in California that it knew was likely to be suffered there.” The district court further held that the fact that the vendor was headquartered in California at the time the breach occurred was not sufficient to establish general jurisdiction because the vendor moved to Canada before the class action was filed. “Courts have uniformly held that general jurisdiction is to be determined no earlier than the time of filing of the complaint,” the district court wrote, dismissing the case with prejudice.

    On appeal, the 9th Circuit concluded that dismissal was improper because the French wallet provider’s contracts with California were sufficient to establish jurisdiction under the “purposeful availment” framework. The appellate court explained that because the French wallet provider sold roughly 70,000 wallets in the state, collected California sales tax, and shipped wallets directly to California addresses, the “facts suffice to establish purposeful availment because [the French wallet provider’s] contacts with the forum cannot be characterized as ‘random, isolated, or fortuitous.’” However, the 9th Circuit limited the claims to only those brought by California residents under the state’s consumer protection laws. A forum-selection clause in the French wallet provider’s privacy policy and terms of use documents provided that disputes would be subject to the exclusive jurisdiction of French courts, the appellate court said, which was enforceable except with respect to the class claims of California residents brought under California law “because it violated California public policy against waiver of consumer rights under California’s Consumer Legal Remedies Act.”

    The 9th Circuit also determined that the district court abused its discretion in disallowing any jurisdictional discovery concerning the defendant e-commerce vendor. Explaining that the e-commerce vendor employs more than 200 people who work remotely from California, including a data-protection officer (DPO) who may have played a role related to the data breach, the appellate court wrote that “[b]ecause more facts are needed to determine whether those activities support the exercise of jurisdiction, we reverse the district court’s denial of jurisdictional discovery with respect to the DPO’s role and responsibilities and his relationship to [the e-commerce vendor], which processed and stored the data.”

    Privacy, Cyber Risk & Data Security Courts Data Breach Appellate Ninth Circuit Class Action State Issues California Of Interest to Non-US Persons Canada Digital Assets Cryptocurrency France

    Share page with AddThis
  • Hair clinic must pay $500,000 to resolve data breach


    On November 21, the U.S. District Court for the Central District of California granted final approval to a $500,000 class action settlement resolving allegations that a ransomware attack and data breach exposed the personal information of over 100,000 of the defendant hair-restoration clinic’s customers. According to the order, the plaintiffs alleged that defendant violated California's consumer protection statutes by failing to: (i) protect consumers' personal information; (ii) notify them quickly enough about the breach; and (iii) monitor its network for vulnerabilities and breaches. The order provided attorneys’ fees of $262,500, and awards of $1,250 each to the class representatives.

    Courts Privacy, Cyber Risk & Data Security Data Breach Class Action Settlement

    Share page with AddThis
  • District Court issues judgment against company for marketing fake high-yield CDs

    Federal Issues

    On December 1, the U.S. District Court for the Southern District of New York entered a stipulated final judgment and order against a Delaware financial-services company operating in Florida and New York along with its owner (collectively, “defendants”) for engaging in deceptive acts under the Consumer Financial Protection Act related to its misleading marketing representations when advertising high-yield healthcare savings CD accounts. As previously covered by InfoBytes, the Bureau’s 2020 complaint alleged that defendants engaged in deceptive acts or practices by: (i) falsely representing that consumers’ deposits into the high yield CD accounts would be used to originate loans for healthcare professionals, when in fact, the company never used the deposits to originate loans for healthcare professionals, never sold a loan to a bank or secondary-market investor, and never entered into a contract with a buyer or investor to purchase a loan; (ii) concealing the company’s true business model by falsely representing that the consumers’ deposits, when not being used to originate healthcare loans, would be held in an FDIC- or Lloyd’s of London-insured account or a “cash alternative” or “cash equivalent” account, when in reality, consumers’ deposits were, among other things, invested in securities; (iii) misleading consumers into believing that the accounts their funds were being deposited into functioned like traditional savings accounts when in fact, consumers’ deposits were actively traded in the stock market or used in securities-backed investments; and (iv) falsely representing that past high yield CD accounts allegedly paid interest at rates between 5 percent and 6.25 percent prior to 2019 when in fact, the company did not offer CDs until August 2019, and “consumers’ principals was neither guaranteed nor insured.” The complaint noted that since August 2019, the company took more than $15 million from at least 400 consumers.

    The proposed settlement, if approved, provides for a comprehensive consumer redress plan that would require defendants to refund approximately $19 million to approximately 400 depositors. Further, pursuant to the order, the defendants would be required to return the money that each affected consumer deposited into a certain account in a manner consistent with the advertised terms of the product, namely, the principal along with an average per year interest rate of about 6 percent. The proposed order also permanently bans the defendants from engaging or assisting others in any deposit taking activities and requires defendants to pay a civil money penalty to the Bureau in the amount of $391,530.

    Federal Issues Courts CFPB CFPA UDAAP Deceptive Enforcement Consumer Finance

    Share page with AddThis
  • FTC takes action against debt relief operation

    Federal Issues

    On November 30, the FTC announced an action against three individuals and their affiliated companies (collectively, “defendants”) for allegedly participating together in a credit card debt relief scheme since 2019. The FTC alleged in its complaint that the company violated the FTC Act and the Telemarketing Sales Rule (TSR) by using telemarketers to call consumers and pitch their deceptive scheme, falsely claiming to be affiliated with a particular credit card association, bank, or credit reporting agency and promising they could improve consumers’ credit scores after 12 to 18 months. The defendants also allegedly misrepresented that the upfront fee, which in some cases was as high as $18,000, was charged to consumers’ credit cards as part of the overall debt that would be eliminated, and therefore consumers would not actually have to pay this fee. The District Court for the Middle District of Tennessee granted the Commission’s request to temporarily shut down the scheme operated by the defendants and froze their assets. The complaint requests, among other things, a permanent injunction to prevent future violations of the FTC Act and the TSR by the defendants.

    Federal Issues Courts FTC Act Debt Collection Enforcement TSR Consumer Protection Credit Scores FTC Consumer Finance

    Share page with AddThis
  • District Court grants MSJ for plaintiff in FDCPA suit


    On November 21, the U. S. District Court for the Northern District of Illinois denied a defendant debt collection company’s motion for summary judgment and granted plaintiff’s motion for summary judgment in an FDCPA suit. According to the opinion, the plaintiff sent a letter to the defendant disputing the accuracy of the information being reported to the credit reporting agency, saying the amount of the debt was incorrect. The defendant received the letter on February 1, 2021, and on February 3, the defendant reported the debt to the CRA, but failed to note that the debt was disputed. The CRA then communicated information about plaintiff’s debt to additional third parties. The next reporting cycle for the plaintiff’s account closed on March 3, 2021. At that time, the defendant correctly reported that plaintiff’s debt was disputed. The defendant explained that although the servicer received the plaintiff’s dispute letter on February 1, 2021, “no one was able to analyze, process, and review” it until February 4, 2021, by which time it had already reported the debt to the CRA.

    The defendant argued that it can take up to seven business days for its credit review team to review a dispute letter that it receives, and information about a disputed debt may be communicated to third parties in the interim. The defendant also argued that the plaintiff lacked standing to sue because there was no negative impact on her credit score as a result of the dispute not being transmitted.

    According to the court, the defendant’s “system tolerates the communication of false information in cases where disputes arrive at its doorstep at the close of its monthly reporting periods, and it lacks procedures for promptly correcting information it later discovers was false at the time it was communicated to a third party.” The court also found that the plaintiff’s constitutional standing does not depend on proof of damage to her credit score.

    Courts Debt Collection Credit Reporting Agency Consumer Finance FDCPA

    Share page with AddThis
  • ECJ invalidates AML directive granting public access to beneficial ownership information

    Privacy, Cyber Risk & Data Security

    On November 22, the European Court of Justice (ECJ) announced a ruling invalidating a provision of the 2018 amended EU anti-money laundering directive that guaranteed public access to the beneficial ownership information of legal entities incorporated within member states. The case was referred to the ECJ by a Luxembourg court following two actions that disputed the compatibility of this directive with the beneficial owners’ fundamental right to privacy. The ECJ was asked to issue a preliminary ruling on a series of questions concerning the interpretation of “exceptional circumstances” and “disproportionate risk,” as well as the directive’s compatibility with the Charter of Fundamental Rights of the European Union (Charter) and the GDPR. Under the directive, member states are required to enter and maintain beneficial ownership information in registers that are accessible to the general public. The directive is intended to prevent the financial system from being exploited for the purposes of money laundering or terrorist financing, and requires, with limited exemptions, that member states provide information on “the beneficial owner’s name, month and year of birth, nationality and country of residence, as well as the nature and extent of his or her beneficial interests.”

    In its announcement, the ECJ said that public access to beneficial ownership information “constitutes a serious interference with the fundamental rights to respect for private life and the protection of personal data” provided in Articles 7 and 8 of the Charter. “[T]he potential consequences for the data subjects resulting from possible abuse of their personal data are exacerbated by the fact that, once those data have been made available to the general public, they can not only be freely consulted, but also retained and disseminated,” the ECJ wrote in the judgment, adding that “in the event of such successive processing, it becomes increasingly difficult, or even illusory, for those data subjects to defend themselves effectively against abuse.”

    While the ECJ found that, by the measure at issue, the EU legislature is pursuing “an objective of general interest capable of justifying even serious interferences with the fundamental rights enshrined in Articles 7 and 8 of the Charter, and that the general public’s access to information on beneficial ownership is appropriate for contributing to the attainment of that objective,” the “interference entailed by that measure is neither limited to what is strictly necessary nor proportionate to the objective pursued.” Additionally, the ECJ held that the amended “directive amounts to a considerably more serious interference with the fundamental rights guaranteed in Articles 7 and 8 of the Charter” without being offset by any benefits that may result from the amended directive as compared to the previous version in terms of combating money laundering and terrorist financing. However, the ECJ did recognize that civil society and the press have a legitimate interest in accessing such information, given their role in the fight against money laundering.

    Privacy, Cyber Risk & Data Security Courts Financial Crimes Of Interest to Non-US Persons Anti-Money Laundering GDPR Beneficial Ownership EU

    Share page with AddThis
  • States say student loan trusts are subject to the CFPA’s prohibition on unfair debt collection practices

    State Issues

    On November 15, a bipartisan coalition of 23 state attorneys general led by the Illinois AG announced the filing of an amicus brief supporting the CFPB’s efforts to combat allegedly illegal debt collection practices in the student loan industry. As previously covered by InfoBytes, in February, the U.S. District Court for the District of Delaware stayed the Bureau’s 2017 enforcement action against a collection of Delaware statutory trusts and their debt collector after determining there may be room for reasonable disagreement related to questions of “covered persons” and “timeliness.” The district court certified two questions for appeal to the U.S. Court of Appeals for the Third Circuit related to (i) whether the defendants qualify as “covered persons” subject to the Bureau’s enforcement authority; and (ii) whether the case can be continued after the Supreme Court’s 2020 decision in Seila Law v. CFPB (which determined that the director’s for-cause removal provision was unconstitutional but was severable from the statute establishing the Bureau—covered by a Buckley Special Alert). Previously, the district court concluded that the suit was still valid and did not need ratification because—pointing to the majority opinion in the Supreme Court’s decision in Collins v. Yellen (covered by InfoBytes here)—“‘an unconstitutional removal restriction does not invalidate agency action so long as the agency head was properly appointed[,]’” and therefore the Bureau’s actions are not void and do not need to be ratified, unless a plaintiff can show that “the agency action would not have been taken but for the President’s inability to remove the agency head.” The district court later acknowledged, however, that Collins “is a very recent Supreme Court decision” whose scope is still being “hashed out” in lower courts, which therefore “suggests that there is room for reasonable disagreement and thus supports an interlocutory appeal here.”

    The states argued that they have a “substantial interest” in protecting state residents from unlawful debt collection practices, and that this interest is implicated by this action, which addresses whether the defendant student loan trusts are “covered persons” subject to the prohibition on unfair debt collection practices under the CFPA. Urging the 3rd Circuit to affirm the district court’s decision to deny the trusts’ motion to dismiss, the states contended among other things, that hiring third-party agencies to collect on purchased debts poses a large risk to consumers. These types of trusts, the states said, “profit only when the third parties that they have hired are able to collect on the flawed debt portfolios that they have purchased.” Moreover, “[d]ebt purchasing entities, including entities like the [t]rusts, are thus often even more likely than the original creditors to resort to unlawful tactics in undertaking collection activities,” the states stressed, explaining that in order to combat this growing problem, many states apply their prohibitions on unlawful debt collection practices “to all debt purchasers that seek to reap profits from these illegal activities, including those purchasers that outsource collection to third parties.” The Bureau’s decision to do the same is therefore appropriate under the CFPA, the states wrote, adding that “as a practical matter, these debt purchasers are as problematic as debt purchasers that collect on their own debt. The [t]rusts’ request to be treated differently because of their decision to hire third party agents to collect on the debts that they have purchased (and reap the profits on) should be rejected.”

    State Issues Courts State Attorney General Illinois CFPB Student Lending Debt Collection Consumer Finance Appellate Third Circuit Seila Law CFPA Unfair UDAAP Enforcement

    Share page with AddThis