InfoBytes Blog

CFPB To Collect Information on Compliance Costs, Hold Hearing on Prepaid Cards

On May 15, the CFPB published a notice and request for comment regarding its collection of information concerning the costs expected to be incurred by institutions required to comply with CFPB rules. The notice identifies specifically the need to collect information about costs to mortgage and remittance industry participants in connection with upcoming CFPB rules. The notice further states that the CFPB seeks to understand the effect of compliance costs on financial service providers and consumers, but that it is particularly interested in the impact of regulations on the unit costs of delivering specific consumer products and services. The CFPB plans to use structured interviews, focus groups, written questionnaires, and other methods to collect the needed information, and will attempt to collect a representative sample of providers from affected markets. The public is invited to comment on the notice through June 19, 2012. On May 17, the CFPB announced that it will hold a public hearing to discuss issues in the prepaid cards market. The hearing is scheduled to take place on May 23, 2012 inDurham,NC, and will include remarks from Director Cordray.

CFPB Prepaid Cards

FTC Settles Privacy Claims Against Myspace

On May 8, the FTC announced an agreement with Myspace to settle government allegations that the social networking service misrepresented the protections offered by its privacy policy. The policy promised consumers that Myspace would not share users’ personally identifiable information or use that information for purposes inconsistent with those for which the information was submitted without first giving notice to users and receiving their permission. The FTC alleged that the privacy policy was deceptive because, without user notice or consent, Myspace provided advertisers with certain user information that allowed the advertisers to identify additional personal information. Under the terms of the settlement, Myspace must (i) establish a comprehensive privacy program, (ii) obtain biennial independent privacy program assessments, and (iii) avoid misrepresenting the scope of its privacy policy protections.

FTC Privacy/Cyber Risk & Data Security

Tennessee Supreme Court Relies on UETA to Uphold Contract Formed by E-Mail Signatures

On April 24, the Supreme Court of Tennessee upheld an appellate court decision enforcing a settlement agreed upon by an e-mail exchange between the parties’ attorneys. Waddle v. Elrod, No. M2009-02142-SC-R11CV, 2012 WL 1406451 (Tenn. Apr. 24, 2012). The case involved a family dispute over an interest in real property. After counsel exchanged email setting forth terms of the settlement (which included agreement to transfer a property interest), one party recanted and refused to sign the written settlement documents. In the ensuing litigation, the trial court enforced the settlement agreement, but failed to address arguments that Tennessee’s Statute of Frauds (the Statute) precluded enforcement or that the state’s Uniform Electronic Transactions Act (UETA) satisfied the Statute. In addressing both questions, the Tennessee Supreme Court rejected a lower appellate court’s reasoning that the Statute only applied to land sale contracts, and held that the Statute also applied to agreements to transfer land. The court nonetheless opined that that the exchanged e-mails were sufficiently definite writings for purposes of the Statute, and were validated as such by UETA; the court also found that the parties “through their counsel evidenced an intent to finalize the settlement by electronic means,” that UETA “obviate[d] the need for a handwritten signature[,]” and that counsel’s “typed name at the end of the e-mail constitute[d] an ‘electronic signature[,]’” thereby satisfying the signature requirement of the Statute.

Electronic Signatures

Federal Reserve Releases Interchange Fee Comparison Results

On May 1, the Federal Reserve Board released a comparison of interchange fees by payment network for 2011. The Federal Reserve Board plans to publish this information annually to assists card issuers and merchants in choosing payment card networks. The results, which also are expected to assist policymakers in evaluating the impact of the interchange fee regulations that took effect in October 2011, show each network provider’s average fee per transaction and the portion of each transaction value attributable to the fee. On an aggregate level, the average interchange fee declined substantially for non-exempt issuers from 43 cents to 24 cents following implementation of the regulation. For exempt issuers, the average fee remained at 43 cents.

Federal Reserve Debit Cards

Seventh Circuit Dismisses FACTA Truncation Class Action

On April 18, the U.S. Court of Appeals for the Seventh Circuit dismissed a class action seeking damages against Shell under the Fair and Accurate Credit Transactions Act (FACTA) for displaying four digits of customers’ credit card numbers on receipts printed at Shell gas stations. Van Straaten v. Shell Oil Products Co. LLC, No. 11-8031, 2012 WL 1340111 (7th. Cir. Apr. 18, 2012). FACTA requires that such receipts truncate card numbers to display no more than the last five digits of the card number. Shell’s practice was to print the last four digits of what it calls the “primary account number,” which is the number appearing before the last five digits of the sequence of numbers appearing on the front of the credit card. The plaintiffs did not allege that Shell’s practice created a risk of identity theft, but that Shell violated FACTA by printing the wrong four numbers. Writing for a three-judge panel, Chief Judge Frank Easterbrook indicated that FACTA does not define the term “card number,” but the panel did not have to define the term, “because we can’t see why anyone should care how the term is defined.” He added that ”[a] precise definition does not matter as long as the receipt contains too few digits to allow identity theft.” As to FACTA’s authorization of $100 to $1,000 for each willful violation, Judge Easterbrook noted that “[a]n award of $100 to everyone who has used a Shell Card at a Shell station would exceed $1 billion, despite the absence of a penny’s worth of injury.”  Because Shell now prints no such digits on its receipts, “the substantive question in this litigation will not recur for Shell or anyone else; it need never be answered.”

Credit Cards Class Action FACTA

New York Appellate Court Holds that Federal Law Does Not Preempt State Contract and Consumer Protection Laws in Gift Card Suit

On April 17, 2012, the Appellate Division of the New York Supreme Court held that federal laws and regulations do not preempt state contract and consumer protection laws, reversing an earlier trial court decision dismissing a lawsuit concerning gift card expiration dates and renewal fees. Sharabani v. Simon Property Group, Inc., No. 2010-07552, 2012 WL 1320067 (N.Y. App. Div. Apr. 17, 2012). The plaintiff filed an action based on New York state law to recover damages arising out of a gift card that required a “reactivation fee” for use after its expiration date. The defendant, a federally chartered thrift that managed the gift card program, and its co-defendant moved to dismiss the lawsuit on various grounds, including that all of the plaintiff’s state law claims were preempted by federal law. The court held that although Office of Thrift Supervision (OTS) regulations permitted the issuance of gift cards with administrative fees, the OTS has explicitly stated that its regulations do not preempt state contract law, commercial law, tort law, or criminal law to the extent those laws are consistent with the OTS’s intent to occupy the field of federal savings associations’ deposit-related regulations. Based on this regulatory guidance, the court determined that only the claim based on New York’s abandoned property law was preempted by federal law because the OTS has specific regulations regarding abandoned accounts. The court affirmed dismissal of the abandoned property claim and remanded the remaining claims based on state contract and consumer protection laws to the trial court for evaluation under the remaining prongs of the defendants’ motion to dismiss.

Class Action Gift Cards

Tenth Circuit Finds Emails Provide Sufficient Evidence of a Contract

On April 12, the U.S. Court of Appeals for the Tenth Circuit held that a series of emails taken as a whole provided sufficient evidence that the parties intended to form a contract. Republic Bank, Inc. v. West Penn Allegheny Health Sys., Inc., No 10-4145, 2012 WL 1223933 (10th Cir. Apr. 12, 2012). In this case, a Utah bank that acquired certain medical equipment after a borrower defaulted on an equipment lease identified a hospital as a potential buyer. The hospital subsequently made an offer via email to purchase certain pieces of equipment. A bank representative accepted the offer, also by email, and subsequently agreed to prepare a written agreement. Eventually the hospital informed the bank that it would not be able to make the purchase and the bank was forced to auction the equipment. The bank then sued the hospital for breach of contract. The court applied the Uniform Commercial Code to uphold the district court’s ruling that a contract had been formed and breached. The UCC standard relies on “objective, observable manifestations of intent to contract.”  Evidence of intent requires a signed writing that need only contain the essential terms of the agreement. In this case, an email from the hospital offering to purchase the items and an email from the bank accepting that offer, combined with multiple, subsequent references to a binding agreement by the bank that the hospital did not refute, as a whole, provided sufficient evidence of a contract.

Suit Challenging Charges for Minors' In-App iTunes Purchases Survives Motion to Dismiss

On March 31, the U.S. District Court for the Northern District of California denied, in large part, a motion to dismiss claims brought by parents of children who made in-app purchases from the parents’ iTunes accounts. In re Apple In-App Purchase Litigation, No. 11-1758, 2012 WL 1123548 (N.D. Cal. Mar. 31, 2012). The parent plaintiffs sued Apple on behalf of a putative class claiming that apps provided by Apple and advertised as free allowed children, without the parents’ knowledge, to make in-app purchases of online game supplies during a 15-minute window following the parent’s initial account authentication. The parents alleged that each purchase by a minor under these circumstances constituted separate, voidable contracts with Apple that may be disaffirmed by a parent or guardian. Apple countered that the only contracts at issue are those between it and the iTunes account holders, and the terms and conditions of those contracts provide that account holders are “solely responsible for maintaining the confidentiality and security of [their] Account and for all activities that occur on or through [their] Account.” In denying the motion to dismiss, the court held that the complaint can not be dismissed as a matter of law because Apple offered no case law to support its contention that the terms and conditions constitute a relational contract that governs each subsequent transaction. Further, the court allowed to proceed (i) claims under California’s Consumer Legal Remedies Act because allegations that Apple omitted material facts to induce minors into buying additional gaming products were actionable, and (ii) Unfair Competition Law claims because plaintiffs alleged all three prongs of the UCL, properly pleading that Apple’s actions were unlawful, unfair, and fraudulent business acts or practices.

Mobile Commerce

Key Considerations in Drafting Mobile Disclosures

Recent developments at the FTC and CFPB provide some guidance on how regulators may approach disclosures on smartphones and other mobile devices.

The recent CFPB Remittance Rule on international remittance transfers indicates some flexibility in the provision of disclosures in the remittances context via a mobile device. Additionally, the FTC’s recent report on best practices in consumer data privacy notes the difficulty in providing privacy notices on the smaller screens of mobile devices and encourages shorter, more effective privacy policies as a result.

These developments raise a series of questions for corporate counsel to consider when advising on the drafting and delivery of mobile disclosures. Specifically, questions include:

1. Is the length of the mobile disclosure document as brief and succinct as it can be? Does it use concrete, everyday words and the active voice? Do the disclosures avoid multiple negatives, technical jargon and ambiguous language?
2. Are the mobile disclosures presented in a logical sequence? Are they laid out in clear, concise sentences, paragraphs and sections? Are they placed in equal prominence to each other, absent any other specific regulatory format or placement requirements? Is the content placed on a particular page appropriate for the sizing of the page on the mobile screen? If not, are textual or visual cues used to encourage scrolling?
3. Does the mobile disclosure "call attention to itself?" Is it on a screen the mobile user must access or will likely access frequently? If not, is it behind a hyperlink on an introductory screen that is clearly labeled so as to convey the importance of the linked disclosure? Is it presented with a clear, visible heading and an easy-to-read typeface and typesize?
4. Have various technical and other applicable industry standards been consulted in the process of designing, developing and displaying mobile disclosures?

Payment Systems Mobile Banking Privacy/Cyber Risk & Data Security

Federal District Court Holds Allegations of Failure to Protect Data Insufficient to Support Stored Communications Act Claim

Last month, the U.S. District Court for the Northern District of Illinois held that a company’s failure to protect personal information does not violate the Stored Communications Act (SCA) because the company did not knowingly divulge the personal information. Worix v. MedAssets Inc., No. 11-8088, 2012 WL 787210 (N.D. Ill. Mar. 8, 2012). In this case, a computer hard drive belonging to the defendant, a firm that provides financial services for health care providers and as such handles the personal and confidential information of individuals, was stolen. The plaintiff, one of the individuals whose personal information was stored on the hard drive, alleged on behalf of a putative class that the defendant violated the SCA when it failed to adequately secure the protected personal information. The court held that the plaintiff could only support allegations that the defendant knowingly failed to protect the data and  the plaintiff failed to offer the proof required by the SCA that the defendant knowingly divulged protected information. The court also dismissed the plaintiff’s common law negligence claims and statutory fraud claims, holding that the plaintiff failed to allege actual damages when claiming an increased risk of identity theft and monitoring costs.

Privacy/Cyber Risk & Data Security