InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
District court requires bank to produce consultant’s data breach report
On May 26, a magistrate judge of the U.S. District Court for the Eastern District of Virginia ordered a national bank to produce to plaintiffs in litigation a forensic analysis performed by a cybersecurity consulting firm regarding the bank’s 2019 data breach, concluding the report was not entitled to work product protection. As previously covered by InfoBytes, in July 2019, the national bank announced that an unauthorized individual had obtained personal information of credit card customers and people who had applied for credit card products. According to the order, after the data breach, the bank’s outside counsel directed a cybersecurity company, which had been engaging in periodic work with the bank since 2015, to prepare a report “‘detailing the technical factors that allowed the criminal hacker to penetrate [the bank]’s security.’” Plaintiffs, in a class action against the bank for the data breach, sought to obtain the report in discovery, but the bank opposed the production, arguing that the report was protected work product created under an agreement with outside counsel in anticipation of litigation.
The court rejected the bank’s argument, concluding that the bank did not show the consultant’s scope of work under the outside counsel agreement “was any different than the scope of work for incident response services,” and that the bank had not shown the firm would not have performed the services “without the prospect of litigation.” Moreover, the court noted, “[t]he retention of outside counsel does not, by itself, turn a document into work product.” The court compelled production, holding that the report was not entitled to protection under the work product doctrine.
District court: Unilateral imposition of post-judgment interest violates FDCPA
On May 19, the U.S. District Court for the District of Connecticut granted in part and denied in part parties’ motions for summary judgment in an FDCPA action concerning post-judgment interest. According to the ruling, the defendants—a debt buyer and an attorney who represents creditors, including the debt buyer, in collection actions—obtained a judgment from the Connecticut State Superior Court (state court) for the plaintiff’s unpaid credit card debt. The judgment awarded the defendant $33,921.25 plus post judgment interest under state law. While the complaint requested post-judgment interest of 10 percent—the maximum amount allowed by state law—the judgment did not reference a specific interest rate. After the defendants began charging post-judgment interest at 10 percent, the plaintiff filed suit alleging the defendant violated the FDCPA by using false, deceptive, or misleading representations or means in connection with the collection of any debt. The defendants sought clarification of the rate of post-judgment interest from the state court and received a clarification order stating that the state court “intended that the interest rate be set at the allowable rate of ten percent per year in accordance with the statute.” In its defense, the defendants asserted a bona fide error defense under the FDCPA, arguing, among other things, that they “erroneously believed that application of post-judgment interest at a rate of ten percent was neither false nor misleading because they relied on the state court’s judgment and Clarification Order, which explicitly provided for post-judgment interest at a rate of ten percent.”
The court partially granted summary judgment in favor of the plaintiff on her FDCPA claim, stating that the unilateral imposition of post-judgment interest at a rate of 10 percent per year, which was not awarded in the judgment, is a “clear violation” of the FDCPA that is not subject to the bona fide error defense. The court stated that the bona fide error defense does not apply in this situation because “the FDCPA violation resulted from the defendants’ mistaken belief that, absent a rate of post-judgment interest expressly set by the state court, defendants were entitled to set a rate at the maximum amount allowed under the statute.” According to the court, when a state court “fails to include a specific rate of interest based on the state law,” a debt collector may not apply a default interest rate. In holding that the FDCPA’s bona fide error defense is inapplicable here, the court extended the holding of the U.S. Supreme Court in Jerman v. Carlisle, McNellie, Rini, Kramer & Ulrich, L.P.A. that the “bona fide error defense . . . is not available to debt collectors who misinterpret the legal requirements of the FDCPA,” to include misinterpretations of state law as well.
The court did, however, partially grant the defendant’s motion for summary judgment with respect to the application of pre-judgment interest.
Credit repair trade association sues CFPB over TSR six-month waiting period
On May 21, a credit repair trade association filed a complaint against the CFPB in the U.S. District Court for the Southern District of Florida alleging the Bureau violated the credit repair organizations’ First Amendment rights under the Constitution by enforcing a six-month payment waiting period in the FTC’s Telemarketing Sales Rule (TSR). The association is challenging Section 310.4(a)(2)(ii) of the TSR, which prohibits credit repair organizations from requesting or receiving payment for services rendered for a minimum of six months after the services have been performed. The complaint alleges that the prohibition (i) exceeds the FTC’s statutory authority under the Telemarketing and Consumer Fraud and Abuse Prevention Act; (ii) conflicts with the Credit Repair Organizations Acts (CROA); and (iii) is an infringement on the First Amendment rights of credit repair organizations by improperly impairing fully protected speech. Specifically, the association argues that the TSR is only applicable to credit repair organizations in certain situations, and the CROA—which does not require the six-month waiting period nor proof that “results were achieved”—is “the final and decisive law concerning credit repair organizations, including the time and manner of their billing practices.” Moreover, the complaint argues that the Bureau does not have the authority to enforce the TSR against credit repair organizations, as the Dodd-Frank Act did not explicitly transfer the authority from the FTC. The complaint is seeking a declaratory judgment that the TSR is unenforceable, invalid, and unlawful.
District court: Initial debt collection communication via email does not violate FDCPA
On May 19, the U.S. District Court for the Northern District of California granted a debt collector’s motion to dismiss a lawsuit with prejudice brought by a plaintiff alleging violations of the Electronic Signatures in Global Commerce (E-SIGN) Act and the FDCPA. The defendant sent an email to the plaintiff attempting to collect an unpaid debt that contained a validation notice. The plaintiff argued that the email violated the E-SIGN Act because she did not consent to receive email from the defendant, and that it also violated the FDCPA “because the email referred to ‘send[ing]’ a copy of the verification of the debt whereas § 1692g(a)(4) specifies that a copy of the verification will be ‘mailed.’” Among other arguments, the plaintiff claimed that the email’s subject line, which stated “This needs your attention,” violated the FDCPA because it did not convey that the message was seeking to collect a debt, and that she received several more emails during the validation period, which confused her and “overshadowed” the validation notice in the initial communication.
The court disagreed, stating that because there are “no express restrictions” within the FDCPA about how the initial communication must be made, allowing it to be made electronically is a “reasonable argument.” Specifically, the court noted that the CFPB has recognized that certain communication technologies such as email did not exist when the FDCPA was passed, and referred to the Bureau’s commentary on its proposed debt collection rule that stated “a validation notice as part of an initial communication can be conveyed via email.” [Emphasis in the original.] The court also determined that the plaintiff lacked standing with respect to her claim that the initial email’s subject line violated the FDCPA since she opened the email and clicked on the link. Furthermore, the court noted that using the word “send” instead of “mailed” in the initial communication would not have confused the least sophisticated debtor because the “debtor, if concerned about getting a verification of debt via email, could always ask for a copy to be sent via physical mail instead.”
District court allows class autodialer claims to proceed against mortgage lender
On May 18, the U.S. District Court for the Eastern District of Michigan denied a request to dismiss a putative class action concerning alleged violations of the TCPA, ruling that the plaintiff plausibly alleged the mortgage lender (defendant) sent unsolicited texts through the use of an automatic telephone dialing system (autodialer). The plaintiff claimed, among other things, that (i) the texts came by way of SMS short codes, which are “reserved for automatically made text messages”; (ii) the messages were generic and non-personal; (iii) the messages followed a similar calling pattern; and (iv) the plaintiff continued to receive them after opting out. The defendant countered that the claims should be dismissed because the plaintiff’s argument is “devoid of plausible allegations” under the TCPA that it used an autodialer that has the capacity to produce telephone numbers using a random or sequential number generator. However, the court determined that, in the absence of direction from the U.S. Court of Appeals for the Sixth Circuit “as to the kind of supporting factual allegations that must be included to sufficiently allege the [autodialer] element of a TCPA case,” the court will follow other district courts that have allowed TCPA suits to continue if the plaintiff sufficiently alleges facts to plausibly support a finding that an autodialer was used.
Financial institutions, CRA reach settlement over 2017 data breach
On May 15, a putative class of financial institutions filed an unopposed motion for preliminary approval of a settlement in a multidistrict litigation stemming from a credit reporting agency’s (CRA) 2017 data breach. The class, comprised of financial institutions that issued credit or debit cards whose information was believed to have been breached, argued that the data breach was the result of the CRA’s alleged failure to implement the necessary precautions to safeguard consumers’ personally identifiable information (PII). The class further contended that financial institutions suffer the primary harm caused by identity theft, because they “bear the risk of loss when identity thieves use a customer’s PII to open accounts, transfer funds, take out loans, make fraudulent transactions, or obtain credit or debit cards in the customer’s name.”
The proposed settlement—pending approval from the U.S. District Court for the Northern District of Georgia—will require the CRA to pay $5.5 million to class members that submit valid claims, spend at least $25 million over a two-year period on “data security measures pertinent to the [financial intuitions] and their claims,” and cover settlement administration and notice costs, as well as agreed-upon attorney fees, expenses, and named-plaintiff service awards. The motion for preliminary approval states that the CRA will also, among other things, (i) adopt and/or maintain certain measures in order to identify “reasonably foreseeable threats” to PII; (ii) respond to identified vulnerabilities that may impact the confidentiality of PII; (iii) design safeguards to manage risks identified though data security risk assessments; (iv) implement a security control framework consistent with requirements for systems that “store, process, or transmit [p]ayment [c]ard [d]ata in connection with U.S. payment card transactions”; and (v) maintain a compliance program and submit annual certifications to class counsel.
District court compels arbitration of biometric privacy suit
On May 15, the U.S. District Court for the Northern District of Illinois granted an online photography company’s motion to compel arbitration in a biometric privacy lawsuit, notwithstanding the company’s unilateral modification of arbitration terms after the lawsuit was filed. According to the opinion, the plaintiffs created an account on the company’s website in August 2014. In May 2015, the company added an arbitration provision to its Terms of Use. In June 2019, the plaintiffs filed the proposed class action alleging the company violated the Illinois Biometric Information Privacy Act (BIPA) “by using facial-recognition technology to extract biometric identifiers for ‘tagging’ individuals and by ‘selling, leasing, trading, or otherwise profiting from Plaintiffs’…biometric information.’” In September 2019, the company sent an email to all of its users that its account Terms of Use were updated, including provisions regarding arbitration. The email stated that if users continued to use the website or did not close their account by October 1, 2019, they were deemed to have accepted the updated terms. The plaintiffs’ account remained open as of October 2, 2019. The company moved to compel arbitration of the plaintiffs’ claims. The plaintiffs argued that the September 2019 email did not create a binding agreement to arbitrate and that it should not apply retroactively to the June 2019 claim.
The court rejected the plaintiffs’ arguments, concluding that they were already bound to arbitration by the 2015 update to the company’s terms of use, because the terms accepted in 2014 included a “change-in-terms” provision, allowing the company to revise terms from time to time by posting revisions. Moreover, the court disagreed with the plaintiffs that the September 2019 email was “an attempt by [the company] to ‘surreptitiously’ bind unwitting putative class members to arbitration agreements,” noting that the 2019 modifications did not significantly alter users’ rights under the arbitration agreement and the court would “not rely on the 2019 email to find that any putative class members agreed to arbitrate.”
7th Circuit: CRAs not required to determine legal validity of disputed debt
On May 11, the U.S. Court of Appeals for the Seventh Circuit affirmed a district court’s dismissal of a putative class action, holding that the FCRA does not compel a consumer reporting agency (defendant) to determine the legal validity of a debt when investigating a dispute. The plaintiffs alleged that they obtained payday loans with allegedly usurious interest rates from online entities affiliated with Native American tribes. After both plaintiffs stopped making monthly payments, the lenders reported the delinquent amounts to the defendant. One of the plaintiffs disputed the accuracy of his credit report, arguing that because the loan was “illegally issued” he was not obligated to make payments. The defendant conducted an investigation and verified the furnished information was accurate. However, the defendant did not investigate whether the debt was legal. The plaintiffs filed suit, alleging two FCRA violations: (i) Section 1681e(b) which requires consumer reporting agencies “to assure maximum possible accuracy of the information” contained in credit reports; and (ii) Section 1681i(a) which “requires consumer reporting agencies to reinvestigate disputed items.” According to the plaintiffs, the defendant’s credit reports “contained ‘legally inaccurate’ information because they posted ‘legally invalid debts.’” The district court granted judgment on the pleadings to the defendant, ruling that the plaintiffs’ FCRA claims fell short because they never alleged that the information that was reported was factually inaccurate and, “until a formal adjudication invalidates the plaintiffs’ loans,” the reported information would not be factually inaccurate.
On appeal, the 7th Circuit held, among other things, that only furnishers—“such as banks, credit lenders, and collection agencies”—are required under the FCRA to correctly report liability, stating it is not the defendant’s responsibility to determine the enforceability of the debt because the “power to resolve these legal issues exceeds the competencies of consumer reporting agencies.” Moreover, the appellate court determined that the defendant cannot be liable under either of the plaintiffs’ FCRA claims if it did not report inaccurate information.
District court grants debt collector’s arbitration request
On May 11, the U.S. District Court for the District of New Jersey granted a debt collector’s renewed motion to compel arbitration, concluding that the previously-ordered discovery demonstrated that the plaintiff’s FDCPA claim fell within the bounds of the arbitration clause in the underlying credit card agreement. As previously covered by InfoBytes, the plaintiffs filed a proposed class action alleging that the debt collection company’s collection letters violated the FDCPA because they did not “properly identify the name of the current creditor to whom the debt is owed.” The debt collectors filed an initial motion to compel arbitration, arguing that the debts described in the plaintiffs’ amended complaint arose pursuant to credit card agreements that include an arbitration clause. In February 2019, the court denied the motion concluding that discovery was needed in order to determine whether an arbitration clause applied to the plaintiffs’ claims regarding FDCPA violations. After the parties engaged in discovery, the plaintiff argued that only the card issuer has a right to compel arbitration under the agreement. The court rejected this argument, concluding that the collection agency was an agent of the creditor and as an agent, the collector may enforce the arbitration agreement. Moreover, the court determined that the debt collection letter relates to the consumer’s credit account as the debt is a result of the credit card use and the FDCPA claim “is statuary, as explicitly provided for in the card agreement.”
California Supreme Court: No jury trial for UCL and FAL claims seeking civil penalties in addition to injunctive or other equitable relief
On April 30, the California Supreme Court issued an opinion holding that under the state’s Unfair Competition Law (UCL) and the False Advertising Law (FAL), government enforcement actions seeking civil penalties in addition to injunctive or other equitable relief should be decided by a judge instead of by a jury. The decision overturns a Court of Appeal decision holding that a jury must weigh in when civil penalties are involved. The decision stems from a suit filed in 2015 by the California Department of Business Oversight and several district attorneys (collectively, “People”) against a national debt payment service operation for alleged violations of the UCL and FAL. While the debt payment service operation demanded a jury trial, the People filed a motion to strike, which the trial court granted. The Court of Appeal overturned the trial court decision, holding that under certain provisions of the California Constitution the debt payment service operation had a right to a jury trial.
The California Supreme Court disagreed with the Court of Appeal concluding that, among other things, (i) the causes of action established by the UCL and FAL at issue in this case are equitable rather than legal actions, which should be tried by a court rather than by a jury; and (ii) the U.S. Supreme Court’s decision in Tull v. United States, relied upon by the Court of Appeal, does not govern this case for various reasons, including that the U.S. Supreme Court’s interpretation of the civil jury trial provision of the Seventh Amendment of the U.S. Constitution applies only to federal court proceedings—not state court proceedings—and that the “constitution right to a jury trial in state court civil proceedings is governed only by the civil jury trial provisions of each individual state’s own state constitution.” (Emphasis in the original.)