On August 22, two members of the U.S. House of Representatives, Katie Porter (D-Calif.) and Nydia Velázquez (D-N.Y.), sent a letter to the U.S. Department of Treasury requesting that the Financial Stability Oversight Council (FSOC) consider designating the three leading providers of cloud-based storage systems for the financial industry as systemically important financial market utilities. The letter is in response to the recent data breach announcement by a national bank (covered by InfoBytes here), where an alleged former employee of the bank’s cloud-based storage system gained unauthorized access to the personal information of credit card customers and people who had applied for credit card products. According to the Congresswomen, 57 percent of the cloud services market is “cornered by” three main providers, and “a lack of substitutability for the services provided by these very few firms creates systemic risk.” The letter argues that cloud services are not currently subject to an enforced regulatory regime and, “[w]ithout a dedicated regulatory regime proportional and tailored to their very unique structure and risks, cloud comparing companies will continue to evade supervision.”
On August 20, the U.S. District Court for the District of New Jersey dismissed without prejudice a proposed class action alleging consumer fraud claims. Specifically, in 2017, the plaintiffs filed a complaint alleging that smart televisions manufactured by the defendants surreptitiously collected consumer data such as programs viewed and when they were viewed, along with certain identifying information including IP addresses and zip codes. This information, the plaintiffs contended, was sold to third parties who used the data to advertise to the same consumers, in violation of (i) the New Jersey Consumer Fraud Act (NJCFA); (ii) Florida's Deceptive and Unfair Trade Practices Act (FDUTPA); (iii) the Video Privacy Protection Act; (iv) the Wiretap Act; and (v) common law negligent misrepresentation. In response to the defendants’ motion to dismiss, the court held that the claims were pled with sufficient particularity under the Federal Rules of Civil Procedure to withstand a motion to dismiss, but dismissed the state consumer fraud claims, reasoning that the plaintiffs failed to adequately allege their damages. The court ruled that the FDUTPA and NJCFA claims failed because the plaintiffs had not alleged actual damages, rejecting plaintiffs’ assertions that the invasion of their privacy counted as damages because there was no out-of-pocket loss. Additionally, the court dismissed the plaintiffs’ federal Video Privacy Protection Act claim, reasoning that the information allegedly collected did not constitute personally identifiable information under 3rd Circuit precedent.
By contrast, the court allowed the Wiretap Act allegations to proceed after determining the plaintiffs “adequately alleged that their ‘content’ was intercepted.” Finally, with respect to the common law negligent misrepresentation claim, the court agreed with the defendants that the plaintiffs failed to allege that a special relationship existed between the plaintiffs and the defendants that could support a negligent misrepresentation claim.
On August 22, North Carolina Attorney General Josh Stein announced a bipartisan agreement between 51 state attorneys general and 12 voice service providers, adopting eight principles for fighting illegal robocalls and preventing consumer fraud. Under the principles, the voice providers will: (i) offer no-cost call-blocking technology, including easy-to-use call blocking and labeling tools; (ii) implement STIR/SHAKEN call authentication (as previously covered by InfoBytes, in June the FCC adopted a Notice of Proposed Rulemaking requiring voice providers to implement the caller ID authentication framework); (iii) analyze and monitor high-volume voice network traffic for robocall patterns; (iv) investigate suspicious calls and calling patterns and take appropriate action; (v) confirm identities of new commercial customers; (vi) require traceback cooperation in new and renegotiated contracts; (vii) provide for timely and comprehensive law enforcement efforts through cooperation in traceback investigations; and (viii) communicate with state attorneys general about recognized robocall scams and trends and potential solutions. AG Stein noted that the principles will also “make it easier for attorneys general to investigate and prosecute bad actors.”
On August 21, the U.S. District Court for the Central District of California issued an order granting final approval of a settlement reached between a class of California consumers and a mortgage company. The approval of the settlement resolves allegations that the company contacted delinquent borrowers and had conversations involving personal and confidential financial information without first informing the consumers that the conversations would be recorded. The plaintiffs filed a complaint in 2015 alleging that the company violated sections of the California Penal Code that prohibit the intentional recording of conversations without obtaining the knowledge or consent of the other party. According to the plaintiffs, the company used scripts that instructed its agents to carry on discussions with consumers prior to providing the call recording advisory. Among other provisions, the settlement terms award $1.6 million in attorneys’ fees, approximately $25,046 in reimbursement of litigation expenses, service awards of $10,000 to each class representative, and up to $200,000 to the settlement claims administrator for its work in distributing settlement money to class members (the company is required to establish a settlement fund in the amount of $6.5 million).
On August 21, the Conference of State Bank Supervisors (CSBS) launched three online tools designed to help financial institutions navigate the state regulatory landscape and protect against cyber risks. The tools are: (i) a portal of state agency guidance for nonbank financial services companies; (ii) an interactive map of agent-of-the-payee exemptions, which identifies the states that do not require a money transmitter license for receiving a payment on behalf of a third party; and (iii) a cybersecurity 101 resource center for banks and nonbanks that features a guide to help financial institutions develop comprehensive cybersecurity programs. The tools were created as part of the CSBS Vision 2020, which is geared towards streamlining the state regulatory system to support business innovation and harmonize licensing and supervisory practices, while still protecting the rights of consumers.
On August 19, the U.S. District Court for the Western District of Michigan held that a Pennsylvania-based student loan servicing agency violated the TCPA by calling the plaintiffs’ cell phones over 350 times using an automatic telephone dialing system (autodialer) after consent was revoked. According to the opinion, after revoking consent to receive calls via an autodialer, two plaintiffs asserted that the servicer called their cell phones collectively over 350 times in violation of the TCPA and moved for summary judgment seeking treble damages for each violation. In response, the loan servicer argued that the system used to make the calls does not meet the statutory definition of an autodialer under the TCPA and disputed the appropriateness of treble damages.
The court, in disagreeing with the loan servicer, concluded that the system used by the loan servicer to make the calls qualified as an autodialer. The court applied the logic of the U.S. Court of Appeals for the 9th Circuit in Marks v. Crunch San Diego, LLC (covered by InfoBytes here), stating that it was not bound by the FCC’s interpretations of an autodialer, based on the D.C. Circuit’s ruling in ACA International v. FCC, and therefore, “‘only the statutory definition of [autodialer] as set forth by Congress in 1991 remains.’” The court noted that there was “no question” that the system used by the loan servicer “stores telephone numbers to be called and automatically dials those numbers,” which qualifies the system as an autodialer. However, the court determined that the loan servicer did not violate the statute “willfully or knowingly,” noting that at the time of the calls it was not clear from the FCC whether the system being used was an autodialer. As a result, the court awarded statutory damages, but not the treble damages sought by the plaintiffs.
On August 9, the Illinois governor signed SB 1624, which requires that a single data breach involving the personal information of more than 500 Illinois residents must be reported to the state attorney general. The notice must include: (i) a description of the nature of the breach of security or unauthorized acquisition or use; (ii) the number of Illinois residents affected by such incident at the time of notification; and (iii) any steps the data collector has taken or plans to take relating to the incident. Notification is required to be made “in the most expedient time possible and without unreasonable delay,” but no later than when the data collector informs consumers of the breach under current law. The bill is effective January 1, 2020.
On August 15, the U.S. District Court for the Northern District of California entered a final approval order and judgment to resolve class action allegations claiming a security system company and its third-party dealer violated the TCPA through the use of an automatic telephone dialing system and prerecorded messages. According to the claims, consumers—including those on the do-not-call registry—allegedly received telemarketing calls at their residences or on cellphones from the dealer or the dealer’s sub-dealers promoting goods or services offered by the company. The company argued it was not responsible for calls the dealer made on its behalf, but the district court denied summary judgment and set a trial date. However, prior to the trial’s commencement, the parties reached a settlement. Under the terms of the settlement, the company agreed to implement changes to its practices to ensure TCPA compliance and banned the dealer from marketing or activating new accounts for the company. The company also agreed to pay $28 million into a settlement fund for consumer redress, no more than $1.4 million towards settlement administrator costs and expenses, $30,000 total in service awards to class representatives, and combined attorneys’ fees and litigation costs of approximately $7.5 million.
On August 8, the U.S. Court of Appeals for the 9th Circuit affirmed a district court order certifying a class action suit that alleged a social media company’s face-scanning practices violated the Illinois Biometric Information Privacy Act (BIPA). The court found that the plaintiffs alleged a sufficiently concrete injury necessary to establish Article III standing as defined in the U.S. Supreme Court’s decision in Spokeo, Inc. v. Robins. The plaintiffs contended that the defendant’s use of the facial-recognition technology did not comply with Illinois law designed to regulate “the collection, use, safeguarding and storage of biometrics”—which, under BIPA, includes the scanning of face geometry. The district court denied the defendant’s motion to dismiss for lack of standing and certified the class. The defendant appealed, arguing, among other things, that even if the plaintiffs have standing to sue, (i) BIPA is not intended to be applied extraterritorially; (ii) the collection of biometric data occurred on servers located outside of Illinois; and (iii) it is unclear that the alleged privacy violations “occurred ‘primarily and substantially within’” the state. Additionally, the defendant argued that the district court abused its discretion by certifying the class because the state’s “extraterritoriality doctrine precludes the district court from finding predominance,” and that a class action was not superior to individual actions due to the potential for a large statutory damages award.
On appeal, the 9th Circuit held that the plaintiffs’ claims met the standing requirement of Spokeo because the defendant’s alleged development of a face template that uses facial-recognition technology without users’ consent constituted an invasion of an individual’s private affairs and concrete interests. “Because we conclude that BIPA protects the plaintiffs’ concrete privacy interests and violations of the procedures in BIPA actually harm or pose a material risk of harm to those privacy interests, the plaintiffs have alleged a concrete and particularized harm, sufficient to confer Article III standing,” the appellate court stated. The 9th Circuit also dismissed the defendant’s extraterritoriality argument, stating that predominance is not defeated because the threshold questions of exactly which consumers BIPA applies to can be decided on a classwide basis.
On August 1, the FCC announced the adoption of new rules that will extend the Truth in Caller ID’s prohibitions against robocalls to caller ID spoofing of text messages and international calls, and implement measures passed last year in the RAY BAUM’s Act. As previously covered by InfoBytes, the rules are supported by a bipartisan group of more than 40 state attorneys general, and will allow the FCC to bring enforcement actions and assess fines on international players who try to defraud U.S. residents. However, while Commissioner Michael O’Rielly voted in favor of the measure, he raised concerns that the FCC may encounter problems when trying to enforce the rules across international borders. “As I expressed before, the expanded extraterritorial jurisdiction may prove difficult to execute in uncooperative nations and come back to bite us in other contexts,” O’Rielly stated. “In addition, the definitions of text messaging and voice services are broader than my liking and may cause future unintended consequences.” However, his statement did not specify what these unintended consequences might be.