
InfoBytes Blog

Financial Services Law Insights and Observations


  • FTC Settles Suit Against Credit Score Site Schemers

    Courts

    On October 26, the FTC agreed to a settlement of $760,000 with two affiliate marketers of a credit score business who allegedly committed deceptive acts to lure consumers into signing up for their monthly credit monitoring service for $30.00.

    The settlement partly resolves a suit the FTC filed in January against the credit score company, the owner, and the company’s affiliate marketers. The FTC alleged that the defendants posted fake rental ads on Craigslist and required persons responding to the ads to obtain a purportedly “free” credit report from the company’s websites before viewing the property. The defendants, however, used the credit or debit card information consumers entered to obtain the credit report and enrolled consumers for a negative option credit monitoring service with a $30.00 monthly fee.

    The order suspended the balance of the total $6.8 million judgment on the condition that the affiliate marketers pay the FTC the settled amounts. The claims against the company and the owner are ongoing.

    Courts Consumer Finance FTC Fraud Settlement Litigation

  • Coalition of State Attorneys General Urge Credit Reporting Agencies to Offer No-Fee Credit Freeze

    Privacy, Cyber Risk & Data Security

    On October 10, a coalition of 37 state attorneys general sent letters (here and here) to the CEOs of two major credit reporting agencies (CRAs), urging them to stop charging fees to consumers seeking credit freezes as a measure to protect against identity theft in light of a third CRA’s massive data breach. On September 15, as previously reported in InfoBytes, 34 state attorneys general sent a letter to the breached CRA’s legal counsel requesting it disable fee-based credit monitoring services. The October 10 letters note that currently seven states prohibit CRAs from charging fees to consumers for credit freezes and at least two other states have proposed legislation that would require CRAs to offer free credit freezes.

    Privacy/Cyber Risk & Data Security State Attorney General Consumer Finance Security Freeze

  • Senate Judiciary Tech Subcommittee to Hold Hearing on Data Breach; New Credit Reporting Agency CEO Speaks Out

    Privacy, Cyber Risk & Data Security

    On September 27, interim CEO, Paulino do Rego Barros Jr., spoke out for the first time since a major credit reporting agency (agency) appointed him to the role the previous day. In addition to issuing an apology, Barros stated that the agency is extending the deadline to sign up for their credit monitoring services and free credit freezes through the end of January 2018. He also made the commitment that by January 31, the agency will offer a new service for consumers to control access to their personal credit data. As previously reported in InfoBytes, the agency is still in the process of responding to the data breach that impacted approximately 143 million U.S. consumers.

    On October 4, the Senate Judiciary Subcommittee on Privacy, Technology and the Law will hold a hearing on the agency’s data breach to continue to monitor data-broker cybersecurity. The hearing is scheduled for 2:30 pm in the Dirksen Senate Office Building 226.

    Privacy/Cyber Risk & Data Security Credit Reporting Agency Data Breach Senate Judiciary Subcommittee Consumer Finance

  • Data Breach Fallout Continues: Lawsuit Filed by Massachusetts AG, NYDFS Cybersecurity Regulation to Possibly Include Credit Reporting Agencies, and Joint Letter Sent From 34 States Requesting Fee-Based Credit Monitoring Service Be Disabled

    Privacy, Cyber Risk & Data Security

    The impact from the September 7 announcement that a major credit reporting agency suffered a data breach continues to be far reaching. On September 15, the agency issued a press release announcing additional information concerning its internal investigation, as well as responses to consumer concerns about arbitration and class-action waiver provisions in the Terms of Use applicable to its support package and regarding security freezes.

    Massachusetts AG Lawsuit. On September 19, Massachusetts Attorney General Maura Healey announced that she had filed the first enforcement action in the nation against the credit reporting agency. The complaint, filed in Massachusetts Superior Court, alleges that the agency ignored cybersecurity vulnerabilities for months before the breach occurred and claims that the agency could have prevented the data breach had it “implemented and maintained reasonable safeguards, consistent with representations made to the public in its privacy policies, industry standards, and the requirements of [the Massachusetts Data Security Regulations],” which went into effect March 1, 2010. The failure to secure the consumer information in its possession, the complaint asserts, constitutes an “egregious violation of Massachusetts consumer protection and data privacy laws.” Causes of action under the complaint arise from (i) the agency’s failure to provide prompt notice to the commonwealth or the public; (ii) the agency’s failure to safeguard consumers’ personal information; and (iii) the agency engaging in unfair or deceptive acts or practices under Massachusetts law. The commonwealth seeks, among other things, civil penalties, disgorgement of profits, and restitution.

    NYDFS Cybersecurity Regulation. On September 18, New York Governor Andrew M. Cuomo directed NYDFS to issue a proposed regulation that would expand the state’s “first-in-the-nation” cybersecurity standard to include credit reporting agencies and to require the agencies to register with NYDFS. The annual reporting obligation would, according to a press release issued by NYDFS, grant it the authority to deny or revoke a credit reporting agency’s authorization to do business with New York’s regulated financial institutions should the agency be found in violation of certain prohibited activities, including engaging in unfair, deceptive or predatory practices. Under the proposed regulation, credit reporting agencies would be subject to compliance examinations by NYDFS, would be required to initially register with NYDFS by February 1, 2018 and annually thereafter, and would be required to comply with cybersecurity regulations starting on April 4, 2018, in accordance with a phased-in compliance schedule. On the same day, NYDFS issued a separate press release urging New York state chartered and licensed financial institutions to take immediate action to protect consumers in light of the recent credit reporting agency data breach. The guidance presented in the release by the NYDFS is provided in conjunction with the state’s cybersecurity regulations.

    State Attorneys General Request. On September 15, a letter co-authored by 34 state attorneys general was sent to the credit reporting agency’s legal counsel. The letter expresses concern over the agency’s conduct since the disclosure of the breach, including the offer of both fee-based and free credit monitoring services, the waiver of certain consumer rights under the agency’s terms of service, and the charges incurred by consumers for a security freeze with other credit monitoring companies. Specifically, the attorneys general objected to the agency “using its own data breach as an opportunity to sell services to breach victims,” and argued that “[s]elling a fee-based product that competes with [the agency’s] own free offer of credit monitoring services to [data breach victims] is unfair, particularly if consumers are not sure if their information was compromised.” Accordingly, the letter requests that the agency temporarily disable links to fee-based services and extend the offer of free services until at least January 31, 2018. The letter also expresses concern that consumers must pay for a security freeze with other credit monitoring companies and states that the agency should reimburse consumers who incur fees to completely freeze their credit.

    Privacy/Cyber Risk & Data Security Credit Reporting Agency State Attorney General NYDFS Enforcement Data Breach Security Freeze 23 NYCRR Part 500

  • Delaware Governor Enacts Amendments to Computer Security Code

    State Issues

    On August 17, Delaware Governor John Carney signed into law amendments (House Substitute No. 1) to the state’s code regarding computer security breaches involving personal information. Among other changes, the amendments include the following: (i) any person who conducts business in Delaware and maintains personal information must implement and maintain safeguard procedures to protect personal information; (ii) the definition of a “breach of security”—defined as the “unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information”—eliminates “good faith acquisition” breaches where information is not used for unauthorized purposes, as well as instances where breached data is encrypted or protected by an unavailable encryption key; (iii) the definition of “personal information” adds items such as passport numbers, email addresses and passwords, medical history information, health insurance and tax identification numbers, and biometric data; and (iv) consumer protections are strengthened, including requirements that notices to consumers must be sent no later than 60 days after it has been determined that a breach has occurred, that a notification must be sent to the state Attorney General for breaches affecting more than 500 residents, and that free credit monitoring services must be provided to residents involved in the breach of a social security number. The amendments become effective on April 14, 2018.

    State Issues State Legislation Privacy/Cyber Risk & Data Security

  • Data Breach Lawsuit Settled for $115 Million

    Privacy, Cyber Risk & Data Security

    On June 23, one of the nation’s largest health insurers agreed to pay $115 million to settle a data breach class action suit pending in the U.S. District Court for the Northern District of California. In 2015, the insurer announced that it had been hacked and that customer information had been compromised. On June 23, Plaintiffs submitted to the court a memorandum in support of the settlement. The settlement, if approved by the court, will provide almost 80,000 proposed class members with extended credit monitoring for at least two years. Additionally, the settlement will require the insurer to “implement or maintain meaningful, specific changes to its data security practices that directly address the security elements that Plaintiffs believe contributed to the breach,” including hiring independent consultants to perform annual IT risk assessments and compliance reviews, and providing the results of those audits to Plaintiffs’ counsel.

    Privacy/Cyber Risk & Data Security Fintech Data Breach Consumer Finance

  • CFPB Monthly Complaint Snapshot Highlights Complaints from Older Consumers

    Consumer Finance

    On May 31, the CFPB released Vol. 23 of its Monthly Complaint Report. This month’s report highlights complaints from “older consumers” defined as those who voluntarily report their age as 62 or older. Since it began accepting complaints, the Bureau has received over 1 million complaints—more than 100,000 from older consumers. The report focuses on these complaints, with some of the most common in 2017 including:

    • Reverse mortgage servicing issues, which are unique to this group of consumers. Many of the complaints surround older consumers attempting to stay in their home after the death of the borrowing spouse, occasionally ending in foreclosure;
    • Financial scams and identity theft issues are often difficult to recover from—especially for consumers on fixed incomes;
    • Credit card issues such as introductory offers may cause confusion for older consumers in understanding credit terms and conditions or the difference between zero interest and deferred interest. Additionally, many older consumers struggle with billing disputes, unwanted subscription services and credit monitoring; and
    • Escrow issues, especially when the consumer is trying to benefit from tax relief programs.

    The graph shown in a blog on the Bureau’s website compares complaints from consumers 62 and older with complaints from consumers under 62. Although both groups of consumers reported complaints for many of the same products, the graph shows that mortgages, debt collection and credit cards, in that order, are the top three products for those 62 and older—whereas debt collection, mortgages and credit reporting are the top three for those under 62. Additionally, the report reveals that almost a quarter of all complaints from older consumers came from residents of California, Texas, and Florida.

    Consumer Finance CFPB Mortgage Servicing Credit Cards Consumer Complaints Consumer Lending Fair Lending Privacy/Cyber Risk & Data Security

  • Second Circuit Holds Purported Class Action Plaintiff Failed to Establish Article III Standing in Data Breach Case

    Courts

    In a summary order handed down May 2, the Second Circuit Court of Appeals held that a plaintiff in a purported class action lacked Article III standing to bring claims against a retailer for breach of an implied contract and for violation of New York General Business Law § 349 arising out of a data breach of the retailer’s systems. See Whalen v. Michaels Stores, Inc., __ Fed. App’x __, Nos. 16-260, 16-352 (2d Cir. May 2, 2017). The consumer-plaintiff had made purchases with her credit card at one of the defendant’s stores, and following the data breach, her credit card was physically presented to pay for two unauthorized charges in Ecuador. The fraudulent charges occurred on consecutive days, with the plaintiff canceling her card on the same day as the second charge. The defendant offered 12 months’ credit monitoring and there was no indication that personally identifying information such as plaintiff’s date of birth or social security number was stolen. Plaintiff argued that she was injured by: (i) the theft of her credit card information and the two fraudulent-purchase attempts, (ii) the risk of future identity fraud, and (iii) the time and money she spent resolving the attempted fraudulent charges and monitoring her credit.

    Citing Clapper v. Amnesty Int’l USA, 133 S. Ct. 1138 (2013), the court concluded that plaintiff did not allege a concrete and particularized injury sufficient to confer Article III standing. As to plaintiff’s first argument, the Court reasoned that she was never “asked to pay, nor did pay, any fraudulent charge.” As to the second argument, the Court stated that there was no threat of future fraud because the plaintiff’s stolen credit card was “promptly canceled,” and “no other personally identifying information—such as her birth date or Social Security number—is alleged to have been stolen.” The third argument was likewise inadequate because the plaintiff “pleaded no specifics about any time or effort that she herself has spent monitoring her credit.”

    The court also noted that these shortcomings distinguished the plaintiff from plaintiffs in other data breach cases held to have adequately established Article III standing. See Galaria v. Nationwide Mut. Ins. Co., 663 Fed. App’x 384 (6th Cir. 2016); Lewert v. P.F. Chang’s China Bistro, Inc., 819 F.3d 963 (7th Cir. 2016); Remijas v. Neiman Marcus Grp., 794 F.3d 688 (7th Cir. 2015).

    Courts Privacy/Cyber Risk & Data Security

  • FTC Halts Scheme to Enroll Consumers in Credit Monitoring Service

    Courts

    On January 10, the FTC filed a complaint against an online company that owns three “free credit report” websites as well as three individuals connected to the company with claims that they illegally lured consumers to their websites. The scheme, as alleged in the complaint, made use of Craigslist ads promoting non-existent or unauthorized apartments and houses for rent as the means of encouraging consumers to request additional information, which would then prompt them to click on a link to one of the three websites owned by the company to get a “free” credit check. The consumers allegedly were then enrolled in a credit monitoring service, supposedly without their knowledge or consent. The company has purportedly accrued millions of dollars using this method. On January 11, the U.S. District Court for the Northern District of Illinois entered a temporary restraining order against the defendants.

    Courts Consumer Finance FTC Credit Reporting Agency

  • CFPB Reaches $700 Million Settlement to Resolve Credit Card Ancillary Products Investigation

    Consumer Finance

    On July 21, the CFPB announced a nearly $700 million settlement against a leading financial institution and its subsidiaries. According to the consent order, the Bureau alleges that the entities engaged in deceptive marketing, billing, and collection practices related to various credit card ancillary products, including debt protection and credit monitoring services. Specifically, the Bureau alleges that the institution’s or its vendors’ marketing practices, consisting of telemarketing calls, online enrollment, point-of-sale application, and direct enrollment at retailers, misled consumers into enrolling for certain ancillary products. The Bureau further alleges that, in some instances, telemarketers failed to accurately disclose the cost and fees associated with the ancillary products. With respect to the unfair billing allegations, the Bureau contends that the institution or its vendors improperly charged consumers, without authorization, for services that were not rendered, and failed to provide full product benefits of the services marketed to consumers. In addition, the Bureau alleges that the institution misrepresented payment fee information to consumers by failing to disclose the actual purpose of the fee associated with making payments by phone on delinquent credit card accounts. Under terms of the settlement, the institution and its subsidiaries agreed to (i) provide $479 million in consumer relief related to its marketing practices; (ii) pay roughly $220 million in restitution related to its payments collection practices and for consumers not receiving the full benefits of services promised; and (iii) pay a $35 million civil money penalty.

    In a parallel enforcement action, the OCC imposed a separate $35 million civil money penalty against the institution for engaging in similar practices, and requires the institution to strengthen its oversight of third-party vendors and develop a comprehensive risk management program for ancillary products marketed or sold by the bank.

    CFPB UDAAP OCC Vendors Enforcement Ancillary Products Risk Management
