InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
District Court grants SEC motion for default judgment
On November 2, the U.S. District Court for the Middle District of Georgia granted the SEC’s motion for default judgement in its suit accusing a Georgia-based investment firm and three of its officers of defrauding investors out of approximately $3 million. In July, the SEC filed a complaint against the defendants for allegedly defrauding investors through a prime bank scheme by falsely promising that their funds would remain in a purported escrow account and earn lucrative returns without any risk of loss, which violated the antifraud provisions of Section 17(a) of the Securities Act of 1933 and Section 10(b) of the Securities Exchange Act of 1934 and Rule 10b-5 thereunder. In its memorandum of law in support of its motion for default judgment, the SEC alleged that none of the defendants filed answers or responsive pleadings with the district court and had “engaged in egregious misconduct, acted with scienter, failed to admit their wrongdoing, were thoroughly dishonest with authorities, and have not demonstrated their financial means.” The district court granted the motion, approved permanent injunctions barring the defendants from committing future violations of securities laws, and required the defendants to return the investors' money with interest, in addition to the profits obtained through the alleged scheme. According to the order, the defendants are required to pay approximately $2.7 million total in disgorgement, exclusive of prejudgment interest, and pay a civil penalty of approximately $192,000.
9th Circuit: Plaintiffs may proceed with citizenship status claims
On October 26, the U.S. Court of Appeals for the Ninth Circuit reversed a district court’s dismissal of civil rights claims for lack of standing, holding in an unpublished opinion that the plaintiffs satisfied Article III standing requirements by alleging that a bank discriminated against non-U.S. citizens in barring them from opening accounts online. The plaintiffs, lawful residents with valid Social Security numbers, filed a putative class action complaint claiming the bank allowed U.S. citizens to apply for new checking accounts online, but required the plaintiffs (based solely on their status as non-U.S. citizens) to apply in person at a branch office. The district court dismissed the claims, ruling that the plaintiffs failed to establish standing for their discrimination claims on the basis of citizenship status. The 9th Circuit disagreed, finding that “discrimination itself . . . can cause serious non-economic injuries to those persons who are denied equal treatment solely because of their membership in a disfavored group,” and concluding that the plaintiffs alleged a concrete injury-in-fact sufficient to confer Article III standing. “The fact that [p]laintiffs would have ultimately obtained the same checking account given to U.S. citizens does not vitiate the alleged discriminatory injury: that [the bank] imposes on non-U.S. citizens a requirement to apply in person that it does not impose on others,” the appellate court said. The 9th Circuit added that this injury was directly linked to the bank’s policy and reversed the dismissal but declined to rule on the substance of the claims.
District Court approves CCPA class action settlement
On October 27, the U.S. District Court for the Northern District of Illinois granted preliminary approval of a class action settlement resolving claims against an Illinois-based insurance provider and its subsidiary (collectively, defendants) for allegedly failing to adequately protect plaintiffs’ personal and private information when defendants were the targets of security breach incidents where an unauthorized user’s access to the defendants’ network and computer systems resulted in unauthorized access of personal, private information (PII). According to the memorandum of law in support of the plaintiffs’ motion for preliminary approval, the plaintiffs sued after learning that the defendants were targeted by hackers in December 2020, which affected over 5.8 million customers, and again in March 2021, which affected more than 324,000 customers. This conduct, the plaintiffs contended, violated the California Consumer Privacy Act, the California Consumers Legal Remedies Act, California’s Unfair Competition Law, and various state common laws. While the defendants denied allegations of wrongdoing and liability, and asserted defenses to the individual and class claims, the parties reached a proposed settlement, in which class members (defined as “all natural persons residing in the United States who were sent notice letters notifying them that their PII was compromised in the Data Incidents announced by Defendants on or about March 16, 2021 and on or about May 25, 2021”) will be provided automatic access to 18 months of credit monitoring and financial account protection. Additionally, every class member can make a claim for up to $10,000 in reimbursement for out-of-pocket losses. The preliminarily approved settlement also provides for class counsel fees and expenses not to exceed roughly $2.5 million and class representative service awards of $1,500.
10th Circuit affirms TCPA statutory damages as uninsurable
On November 2, the U.S. Court of Appeals for the 10th Circuit affirmed a district court’s decision that under Colorado law, an insurance company (plaintiff) had no duty to indemnify and defend its insured against TCPA claims seeking statutory damages and injunctive relief. According to the appellate opinion, the states of California, Illinois, North Carolina, and Ohio sued a satellite television company for telemarketing violations of the TCPA (TCPA lawsuit). The TCPA lawsuit sought statutory damages of up to $1,500 per alleged violation and injunctive relief. The satellite company submitted a claim to its insurer for defense and indemnity of the TCPA claims pursuant to existing policies. The plaintiff filed a complaint seeking a declaratory judgment that it need not defend or indemnify the satellite company in the TCPA lawsuit. The district court, relying on ACE American Insurance Co. v. DISH Network (covered by InfoBytes here), determined that, under ACE, the claim for statutory damages in the telemarketing complaint sought a penalty and therefore was “uninsurable as a matter of Colorado public policy,” and that the policies did not cover the complaint’s claim for injunctive relief because, as in ACE, they did not cover the costs of preventing future violations. Additionally, the district court determined that “the allegations did not potentially fall within the Policies’ definitions of ‘Bodily Injury’ or ‘Property Damage.’” The 10th Circuit affirmed the district court’s rulings, concluding that no coverage existed.
District Court denies defendant’s motion to dismiss Illinois BIPA class action
On October 28, the U.S. District Court for the Northern District of Illinois denied a Delaware-based technology management service defendant’s motion to dismiss a putative class action that alleged it stored and collected biometric data from employees of companies that utilized the defendant’s timekeeping services. The court also granted the plaintiff’s motion to remand two of her three claims to state court because the plaintiff had not alleged an injury in fact sufficient to establish Article III standing in federal court for those claims.
The plaintiff alleged that the defendant violated the Illinois’ Biometric Information Privacy Act (BIPA) by selling time and attendance solutions to Illinois employers, including biometric-enabled hardware such as fingerprint and facial recognition scanners that collected and stored employee biometrics data. The plaintiff alleged that the defendant violated Section 15(a) of BIPA by failing to publish a retention schedule for the biometric data, violated Section 15(b) of BIPA by obtaining the plaintiff’s biometric data without first providing written disclosures and obtaining written consent, and violated section 15(c) of BIPA, by participating in the dissemination of her biometric data among servers. According to the district court, the plaintiff lacked standing regarding the Section 15(a) claim because the harm resulting from the defendant’s failure to publish a retention policy was not sufficiently particularized and the plaintiff had not otherwise alleged a concrete injury resulting from the violation. The district court concluded that the plaintiff’s Section 15(c) claim also lacked standing because, though she alleged that the defendant profits off its biometric data collection practices by marketing its biometric time clocks that utilize the software as “superior options” and “gains a competitive advantage”, the “complaint doesn't allege an injury in fact stemming from [the defendant’s] profiting off of [the plaintiff’s] biometric data.”
With regard to the Section 15(b) claim, the district court rejected the defendant’s argument that the requirement to inform clients regarding its biometric data collection and receiving written consent did not apply, noting that the defendant is right that it “doesn’t penalize mere possession of biometric information.” However, that does not help the defendant “because the complaint alleges that defendant did more than possess [the plaintiff’s] biometric information: it says that [the defendant] collected and obtained it.” Additionally, the district court rejected the defendant’s argument that it is not liable as a third-party vendor who lacks the power to obtain the required written releases from its clients’ employees. The district court stated that “while it’s probably true that [the defendant] wasn’t in a position to impose a condition of employment on its clients’ employees, the statutory definition of a written waiver doesn’t excuse vendors like [the defendant] from securing their own waivers before obtaining a person’s data.”
CFPB resolves UDAAP allegations with debt collection company
On November 1, the U.S. District Court for the Western District of Missouri ordered a Missouri-based company to pay a $30,000 civil money penalty to resolve allegations that it used district-attorney letterhead to threaten consumers with criminal prosecution. As previously covered by InfoBytes, the CFPB filed a complaint against the company claiming it allegedly engaged in deceptive and otherwise unlawful debt collection acts and practices in the course of operating “bad-check pretrial-diversion programs on behalf of more than 90 district attorneys’ offices throughout the United States.” The complaint claimed that the company not only failed to include required FDCPA disclosures in the letters it sent to consumers, it also failed to identify itself in the letters and did not inform consumers that it was a debt collector and not a district attorney. Moreover, in most cases the company did not refer cases for prosecution, even if the check writer failed to respond to the collection letter, did not pay the alleged outstanding debt and fees, or failed to complete the financial-education course. Under the terms of the settlement, the company is, among other things, permanently banned from engaging in debt collection activities and is prohibited from disclosing, using, or benefiting from customer information obtained before the order’s effective date in connection with a Pre-Trial Bad Check Diversion Program. Additionally, the company may not “attempt to collect, sell, assign, or otherwise transfer any right to collect payment from any consumer who purchased or agreed to purchase services or products in connection” with the company’s program. The company is ordered to pay more than $1.4 million in redress to harmed consumers; however, full payment of this amount is suspended upon satisfaction of certain obligations due to the company’s financial condition. The $30,000 penalty also reflects the company’s limited ability to pay.
CFPB reaches $850,000 settlement with debt collectors
On October 26, the U.S. District Court for the District of Maryland entered a stipulated final judgment and order against defendants (a debt collection entity, its subsidiaries, and their owner) in an action alleging FCRA and FDCPA violations. As previously covered by InfoBytes, the Bureau filed a complaint against the defendants in 2019 with alleged violations that included, among other things, the defendants’ failure to ensure accurate reporting to consumer-reporting agencies (CRAs), failure to conduct reasonable investigations and review relevant information when handling indirect disputes, and failure to conduct investigations into the accuracy of information after receiving identity theft reports before furnishing such information to CRAs. The Bureau separately alleged that the FCRA violations constitute violations of the CFPA, and that the defendants violated the FDCPA by attempting to collect on debts without a reasonable basis to believe that consumers owed those debts.
Under the terms of the order, the defendants—who neither admitted nor denied any of the allegations except as specified in the order—are required to, among other things, (i) update existing policies and procedures to ensure information is accurate before it is furnished to a CRA or before commencing collections on an account; (ii) ensure policies and procedures are designed to address trends in disputes; and (iii) hire an independent consultant, subject to the CFPB Enforcement Director’s non-objection, to conduct a review to ensure management-level oversight and FCRA and FDCPA compliance. The defendants must also submit a compliance plan and pay an $850,000 civil money penalty.
11th Circuit’s new opinion says plaintiff still has standing to sue in outsourced debt collection letter action
On October 28, the U.S. Court of Appeals for the Eleventh Circuit issued a split opinion in Hunstein v. Preferred Collection & Management Services, vacating its April 21 decision but still finding that the plaintiff had standing to sue. As previously covered by InfoBytes, last April the 11th Circuit reviewed the district court’s dismissal of plaintiff’s claims that the disclosure of medical debt to a mail vendor violated the FDCPA’s third-party disclosure provisions. The 11th Circuit originally held that transmitting a consumer’s private data to a commercial mail vendor to generate debt collection letters violates Section 1692c(b) of the FDCPA because it is considered transmitting a consumer’s private data “in connection with the collection of any debt.” At the time, the appellate court determined that communicating debt-related personal information with the third-party mail vendor is a concrete injury under Article III. Even though the plaintiff did not allege a tangible injury, the appellate court held, in a matter of first impression, that under the circumstances, the plaintiff alleged a communication “in connection with the collection of any debt” within the meaning of § 1692c(b).
In its most recent opinion, the majority wrote that it was vacating its prior opinion “[u]pon consideration of the petition for rehearing, the amicus curiae briefs submitted in support of that petition, and the Supreme Court’s intervening decision in TransUnion LLC v. Ramirez.” The appellate court first re-examined whether the plaintiff had standing to sue. Among other things, the majority held that while the plaintiff cannot demonstrate “a risk of real harm,” he was able to show standing “through an intangible injury resulting from a statutory violation.” Further, the majority determined that TransUnion reaffirmed its conclusion that the plaintiff “alleged a harm that bears a close relationship to a harm that has traditionally been recognized in American courts.” (In TransUnion, the Court concluded, among other things, that “[i]n looking to whether a plaintiff’s asserted harm has a ‘close relationship’ to a harm traditionally recognized as providing a basis for a lawsuit in American courts, we do not require an exact duplicate.”) The majority further concluded that Congress’s judgment also favors the plaintiff because Congress indicated that violations of § 1692c(b) constitute a concrete injury.
The appellate court next considered the merits of the case, with the majority concluding that the plaintiff adequately stated a claim that the transmittal of personal debt-related information to the vendor constituted a communication within the meaning of § 1692c(b)’s phrase “in communication with the collection of the debt.”
Judge Tjoflat dissented, arguing that the April decision was issued before TransUnion, and following the Supreme Court’s reasoning, the plaintiff did not have standing because he did not suffer a concrete injury, and that there is an important difference between a plaintiff’s statutory cause of action to sue over a violation of federal law and “a plaintiff’s suffering concrete harm because of the defendant’s violation of federal law.” Judge Tjoflat further added that a “simple transmission of information along a chain that involves one extra link because a company uses a mail vendor to send out the letters about debt is not a harm at which Congress was aiming.”
9th Circuit denies bid to block Arizona’s dealer data privacy law
On October 25, the U.S. Court of Appeals for the Ninth Circuit affirmed a district court’s order denying a motion for preliminary injunction against enforcement of an Arizona statute designed to strengthen privacy protections for consumers whose data is collected by auto dealers. Under the Dealer Law, database providers are prohibited from limiting access to dealer data by dealer-authorized third parties and are required to create a standardized framework to facilitate access. The plaintiffs—technology companies that license dealer management systems (DMS)—sued the Arizona attorney general and the Arizona Automobile Dealers Association in an attempt to stop the Dealer Law from taking effect. The plaintiffs contended that the Dealer Law is preempted by the Copyright Act because it gives dealers the right to access plaintiff’s systems and create unlicensed copies of its dealer management system, application programming interfaces, and data compilations. The plaintiffs further claimed the Dealer Law is a violation of the U.S. Constitution’s contracts clause.
On appeal, the 9th Circuit agreed that the plaintiffs were not entitled to a preliminary injunction. The appellate court concluded that the Dealer Law was not preempted by the Copyright Act, because, among other things, the plaintiffs could comply with the Dealer Law without having to create a new copy of its software to process third-party requests. Moreover, the 9th Circuit noted that even if the plaintiffs had to create copies of their DMS on their servers to process third-party requests, they failed to established that those copies would infringe their reproduction right, and the copies the plaintiffs took objection to “would be copies of its own software running on its own servers and not shared with anyone else.” The appellate court further held that the Dealer Law was not a violation of the U.S. Constitution’s contracts clause because, among other things, plaintiffs did not show that complying with the Dealer Law prevented them from being able to keep dealer data confidential. “Promoting consumer data privacy and competition plainly qualify as legitimate public purposes,” the appellate court wrote. “[Plaintiffs] point[] out that the Arizona Legislature did not make findings specifying that those were the purposes motivating the enactment of the statute, but it was not required to do so. The purposes are apparent on the face of the law.”
2nd Circuit: Turkish bank not immune from sanctions
On October 22, the U.S. Court of Appeals for the Second Circuit upheld a district court’s ruling against a Turkish state-owned commercial bank (defendant) denying its bid for immunity based on its characterization of an “instrumentality” of a foreign service, which is not entitled to immunity from criminal prosecution at common law. The U.S. government alleged that the bank converted Iranian oil money into gold and hid the transactions as purchases of goods to avoid conflicting sanctions against Iran. The district court denied the defendant’s motion to dismiss and partially concluded that the defendant was not immune from prosecution because the Foreign Sovereign Immunities Act (FSIA) confers immunity on foreign services only in civil proceedings. Furthermore, the district court concluded that, “even assuming arguendo that FSIA did confer immunity to foreign sovereigns in criminal proceedings, [the defendant’s] conduct would fall within FSIA’s commercial activity exception.” Additionally, the district court rejected the defendant’s “contention that it was entitled to immunity from prosecution under the common law, noting that [the defendant] failed to cite any support for its claim on this basis.” The district court found that the defendant’s characterization of its activities as sovereign in nature “conflates the act with its purpose,” finding that the lender's alleged money laundering was the type of activity regularly carried out by private businesses. The fact that the defendant is majority-owned by the Turkish Government is irrelevant under FSIA even if it is related to Turkey’s foreign policy because “literally any bank can violate sanctions.”
On appeal, the 2nd Circuit noted that it was unnecessary to resolve a question presented in the case—if foreign governments can assert immunity against criminal, as well as civil, charges—since money laundering would qualify as a commercial activity exception. The appellate court noted that, “[t]he gravamen of the Indictment is not that [the bank] is the Turkish Government’s repository for Iranian oil and natural gas proceeds in Turkey,” but that “it is [the bank’s] participation in money laundering and other fraudulent schemes designed to evade U.S. sanctions that is the ‘core action.’” And, “because those core acts constitute ‘an activity that could be, and in fact regularly is, performed by private-sector businesses,’ those acts are commercial, not sovereign, in nature.” The opinion also notes that “[e]ven assuming the FSIA applies in criminal cases—an issue that we need not, and do not, decide today—the commercial activity exception to FSIA would nevertheless apply to [the defendant’s] charged offense conduct.” The appellate court agreed with the district court, concluding that the bank must face criminal charges in the U.S. for allegedly assisting Iran evade economic sanctions by laundering approximately $20 billion in Iranian oil and gas revenues.