InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
District Court denies MSJ in FDCPA case
On October 19, the U.S. District Court for the Middle District of Florida denied a defendant’s motion for judgment without prejudice concerning allegations that it knowingly ignored cease-and-desist letters sent by an individual while the individual had a pending bankruptcy petition. The plaintiff allegedly incurred a debt that was placed with the defendant for collection. After, the plaintiff sought protection under the Bankruptcy Code. During the bankruptcy case, the defendant allegedly sent the plaintiff text messages to collect the debt, the plaintiff responded with a cease-and-desist letter, and then the defendant sent the plaintiff a collection letter. The plaintiff sent another cease and desist letter and the defendant sent four more collection letters. Based on the defendant’s post-petition actions, the plaintiff sued for FDCPA and Florida Consumer Collection Practices Act violations. The defendant argued that the plaintiff failed to disclose this lawsuit in her bankruptcy case, which would result in the FDCPA case being dismissed on judicial estoppel grounds. However, the court found that while the plaintiff omitted the name and specific circumstances of her claims against the defendant, she “put the Bankruptcy Court, trustee, and creditors on notice she had a claim against a creditor and properly sought approval from the Bankruptcy Court before retaining counsel to pursue it.” The court went on to state that if the plaintiff “intended to deceive creditors or others in bankruptcy, filing the Application strayed from that intent,” and that “the filing mitigates any prejudice claimed by [the defendant].”
District Court preliminarily approves $85 million class action privacy settlement
On October 21, the U.S. District Court for the Northern District of California preliminarily approved an $85 million class action settlement to resolve privacy and data security allegations against a video conferencing provider. Class members claimed the company violated several California laws, including invasion of privacy, the “unlawful” and “unfair” prongs under the Unfair Competition Law, implied covenant of good faith and fair dealing, and unjust enrichment, among others. According to class members, the company unlawfully shared their personal data with unauthorized third parties, failed to prevent unwanted and unauthorized meeting disruptions, and misrepresented the strength of its end-to-end encryption measures. The court’s preliminary approval certified a nationwide settlement class of individuals who, between March 30, 2016 and the settlement date, “registered, used, opened or downloaded the [company’s] [m]eetings [a]pplication.” Under the terms of the preliminarily approved settlement, the company will establish an $85 million non-reversionary cash fund to pay valid claims, and will make several major changes to its practices to “improve meeting security, bolster privacy disclosures, and safeguard consumer data.” Among other things, the company will “provide in-meeting notifications to make it easier for users to understand who can see, save and share [their] information and content by alerting users when a meeting host or another participant uses a third-party application during a meeting.” Additionally, the company must educate users about available security features, and ensure its privacy statement discloses the ability of users to share user data with third parties through integrated third-party software, record meetings, and/or transcribe meetings.
District Court partially denies company’s motion to dismiss in data breach class action
On October 19, the U.S. District Court for the District of South Carolina granted in part and denied in part a defendant software company’s motion to dismiss a putative class action, which alleged the company had a “deficient security program” in place that led to a ransomware attack. The plaintiffs alleged that the defendant failed to comply with industry and regulatory standards by neglecting to implement proper security measures. According to the plaintiffs, after the ransomware attack, the defendant “launched a narrow internal investigation into the attack that analyzed a limited number of [the defendant's] systems and did not address the full scope of the attack.” The plaintiffs contended that the defendant also failed to provide timely and adequate notice of the attack and the extent of the resulting data breach.
The court ordered various phases of motions practice, and addressed certain common law claims against the defendant for negligence, negligence per se, gross negligence, and unjust enrichment. With respect to the negligence and gross negligence claims, the court denied the defendant’s motion to dismiss, finding that plaintiffs alleged sufficient facts to show that the defendant owed them a duty to protect the information. The court, however, granted defendant’s motion to dismiss the plaintiffs’ negligence per se claims premised on defendant’s alleged violations of the FTC Act, HIPAA, and COPPA, finding that the plaintiff failed to state such a claim as applied under South Carolina law. Finally, the court granted the defendant’s motion to dismiss the plaintiffs’ unjust enrichment claim because plaintiffs failed to allege facts to show that they conferred a benefit on defendant to support a claim for unjust enrichment.
CFPB and debt relief company agree to permanent injunction
On October 20, the U.S. District Court for the Northern District of Georgia entered a default judgment and order against five participants in an allegedly illegal debt collection scheme involving certain payment processors and a telephone broadcast service provider (collectively, “default defendants”) for their role in the operation. As previously covered by InfoBytes, in 2017, the U.S. District Court for the Northern District of Georgia dismissed claims brought by the CFPB against the default defendants. (See additional InfoBytes coverage here.) According to a complaint filed in 2015, the defendants “knew, or should have known” that the debt collectors were contacting millions of consumers in an attempt to collect debt that consumers did not owe or that the collectors were not authorized to collect by using threats, intimidation, and deceptive techniques in violation of the CFPA and the FDCPA.
The court entered a $5.1 million judgment against the default defendants, who are jointly and severally liable with the non-default defendants. The default defendants must pay civil monetary penalties ranging from $100,000 to $500,000 to the Bureau. The judgment also, among other things, permanently bans the default defendants from attempting collections on any consumer financial product or service and from selling any debt-relief service.
District Court approves non-party settlement in student debt-relief action
On October 20, the U.S. District Court for the Central District of California approved a settlement with two non-parties in an action brought by the CFPB, the Minnesota and North Carolina attorneys general, and the Los Angeles City Attorney, alleging a student loan debt relief operation deceived thousands of student-loan borrowers and charged more than $71 million in unlawful advance fees. As previously covered by InfoBytes, the complaint asserted that the defendants violated the CFPA, the Telemarketing Sales Rule, and various state laws. Amended complaints (see here and here) also added new defendants and included claims for avoidance of fraudulent transfers under the FDCPA and California’s Uniform Voidable Transactions Act, among other things. A stipulated final judgment and order was entered against the named defendant in July (covered by InfoBytes here), which required the payment of more than $35 million in redress to affected consumers, a $1 civil money penalty to the Bureau, and $5,000 in civil money penalties to each of the three states. The court also previously entered final judgments against several of the defendants, as well as a default judgment and order against two other defendants (covered by InfoBytes here, here, here, and here). The most recent settlement resolves a dispute between a court-appointed receiver and the two non-parties. The settlement requires the non-parties to pay $675,000 to the receiver.
Meal-kit delivery service reaches $14 million TCPA class action settlement
On October 15, the U.S. District Court for the District of Massachusetts granted final approval to a $14 million TCPA class action settlement, resolving allegations that a meal-kit delivery service (or its vendor) placed telemarketing calls to customers’ phone numbers. Class members consist of customers who (i) received one or more calls placed using a dialing platform; (ii) received at least two telemarketing calls during any 12-month time period where their phone numbers were on the National Do Not Call Registry for at least 31 days before the call was placed; and/or (iii) received one or more calls after registering their phone numbers with the company’s internal do-not-call list. As part of the $14 million settlement, class counsel will receive more than $3.4 million in attorneys’ fees and costs and the settlement administrator will receive $450,000. Two named plaintiffs will receive service payments of $10,000 each, while another seven named plaintiffs will each receive service payments ranging from $2,000 to $5,000.
8th Circuit says website terms of use are unenforceable
On October 8, the U.S. Court of Appeals for the Eight Circuit overturned a district court’s ruling that a corporate defendant’s arbitration clause found in its website’s terms of use was unenforceable. The 8th Circuit disagreed holding that a triable issue of material fact existed as to whether the plaintiffs agreed to arbitrate. Relying on a notation on the back of the gift cards that directed purchasers to its website where the terms of use and arbitration agreement were located, the defendant argued that the plaintiffs had agreed to arbitration. The district court disagreed explaining that plaintiffs “could not assent to it. . .unless they saw it first. For that reason, there was no ‘need’ to hold ‘a trial on the question of arbitrability.’”
On the appeal, the 8th Circuit explained that the district court’s task was to determine if the defendant and the plaintiffs had an arbitration agreement, and, if so, what it covered; however, the district court improperly addressed the question of mutual consent, which was in dispute and “generally a factual question.” According to the 8th Circuit, where there is a material dispute of fact regarding whether there was an agreement to arbitrate, the Federal Arbitration Act requires the district court to proceed to a trial on the issue.
5th Circuit delays payday lending compliance until after resolution of appeal
On October 14, the U.S. Court of Appeals for the Fifth Circuit stayed the implementation of the payment provisions of the CFPB’s 2017 final rule covering “Payday, Vehicle Title, and Certain High-Cost Installment Loans” (2017 Rule) for 286 days after the resolution of the appeal. The appellate court’s order contrasts with an order issued last month by the U.S. District Court for the Western District of Texas, which denied a request by the two trade group appellants to stay the compliance date pending appeal (covered by InfoBytes here). The district court previously upheld the 2017 Rule’s payment provisions (covered by InfoBytes here), finding that the Bureau’s ratification “was valid and cured the constitutional injury caused by the 2017 Rule’s approval by an improperly appointed official,” and that the payment provisions were not arbitrary and capricious. The district court’s order regarding the stay granted the plaintiffs’ request to stay the compliance date, which had been set as August 19, 2019, until 286 days after final judgment. The 5th Circuit’s order, however, grants the trade groups’ motion to extend the stay of the compliance date until 286 days after resolution of the appeal.
District Court grants final approval in BIPA settlement
On October 13, the U.S. District Court for the Northern District of Illinois granted final approval to a $2.6 million class action settlement between a sports entertainment chain (defendant) and a class of former employees, resolving allegations that the defendant was responsible for improperly collecting and storing employees’ data in violation of Illinois’ Biometric Information Privacy Act (BIPA). According to the final settlement (which was preliminarily approved in June by the court), plaintiffs alleged that the defendant violated BIPA by collecting and disclosing Illinois employees’ biometric data through a finger-scan timekeeping system without following BIPA’s written disclosure and consent requirements. The gross settlement fund is approximately $2.6 million, with $22,000 awarded to the settlement administrator, approximately $865,000 allocated for attorney fees, and nearly $35,000 designated for litigation costs.
CFPB, FTC, and North Carolina argue public records website does not qualify for Section 230 immunity
On October 14, the CFPB, FTC, and the North Carolina Department of Justice filed an amicus brief in support of the consumer plaintiffs in Henderson v. The Source for Public Data, L.P., arguing that a public records website, its founder, and two affiliated entities (collectively, “defendants”) cannot use Section 230 liability protections to shield themselves from credit reporting violations. The case is currently on appeal before the U.S. Court of Appeals for the Fourth Circuit after a district court determined that the immunity afforded by Section 230 of the Communication and Decency Act applied to the FCRA and that the defendants qualified for such immunity and could not be held liable for allegedly disseminating inaccurate information and failing to comply with the law’s disclosure requirements.
The plaintiffs alleged, among other things, that because the defendants’ website collects, sorts, summarizes, and assembles public record information into reports that are available for third parties to purchase, it qualifies as a consumer reporting agency under the FCRA. According to the amicus brief, the plaintiffs’ claims do not seek to hold the defendants liable on the basis of the inaccurate data but rather rest on the defendants’ alleged “failure to follow the process-oriented requirements that the FCRA imposes on consumer reporting agencies.” According to plaintiffs, the defendants, among other things, (i) failed to adopt procedures to assure maximum possible accuracy when preparing reports; (ii) refused to provide plaintiffs with copies of their reports upon request; (iii) failed to obtain required certifications from its customers; and (iv) failed to inform plaintiffs they were furnishing criminal information about them for background purposes. The defendants argued that they qualified for Section 230 immunity. The 4th Circuit is now reviewing whether a consumer lawsuit alleging FCRA violations seeking to hold a defendant liable as the publisher or speaker of information provided by a third party is preempted by Section 230.
In their amicus brief, the CFPB, FTC, and North Carolina urged the 4th Circuit to overturn the district court ruling, contending that the court misconstrued Section 230—which they assert is unrelated to the FCRA—by applying its immunity provision to “claims that do not seek to treat the defendant as the publisher or speaker of any third-party information.” According to the brief, liability turns on the defendants’ alleged failure to comply with FCRA obligations to use reasonable procedures when reports are prepared, to provide consumers with a copy of their files, and to obtain certifications and notify consumers when reports are furnished for employment purposes. “As the consumer reporting system evolves with the emergence of new technologies and business practices, FCRA enforcement remains a top priority for the commission, the Bureau, and the North Carolina Attorney General,” the brief stated. “The agencies’ efforts would be significantly hindered, however, if the district court’s decision [] is allowed to stand.”
Newly sworn-in CFPB Director Rohit Chopra and FTC Chair Lina M. Khan issued a joint statement saying “[t]his case highlights a dangerous argument that could be used by market participants to sidestep laws expressly designed to cover them. Across the economy such a perspective would lead to a cascade of harmful consequences.” They further stressed that “[a]s tech companies expand into a range of markets, they will need to follow the same laws that apply to other market participants,” adding that the agencies “will be closely scrutinizing tech companies’ efforts to use Section 230 to sidestep applicable laws. . . .”