
InfoBytes Blog

Financial Services Law Insights and Observations


  • Five agencies launch effort to address romance scams

    Federal Issues

    On February 7, the CFTC, FinCEN, CFPB, ICE, and U.S. Postal Inspection Service launched the nationwide awareness effort “Dating or Defrauding?” to remind the public about the ongoing dangers of romance scams that target individuals through dating apps or social media. The agencies draw attention to new types of scams that have cost victims millions of dollars, and highlight recent FTC studies showing that 2020 was a record year for romance scams with the number of these types of complaints continuing to increase in 2021. According to a January FTC blog post (covered by InfoBytes here), more than 95,000 people reported about $770 million in losses to fraud initiated on social media platforms in 2021, with investment scams and romance scams having the most reported dollars lost. A recent FTC data spotlight showed that consumers reported losing $547 million to romance scams in 2021 alone. The agencies’ initiative provides guidance on how to recognize scams before individuals give away any money or assets, as well as measures to take if they have been victimized.

    Federal Issues FinCEN CFTC CFPB ICE U.S. Postal Inspection Service FTC Consumer Finance Consumer Protection

  • FTC reports on social media fraud

    Federal Issues

    On January 27, the FTC released a blog post regarding scam data usage on social media. Reports to the FTC showed that social media is increasingly used by scammers and “that social media was far more profitable to scammers in 2021 than any other method of reaching people.” The blog post, Social media a gold mine for scammers in 2021, reported that more than 95,000 people reported about $770 million in losses to fraud initiated on social media platforms in 2021. Additionally, the FTC noted that investment scams and romance scams had the most reported dollars lost.

    Federal Issues FTC Deceptive Fraud Social Media Consumer Protection

  • District Court grants summary judgment for defendant in TCPA case

    Courts

    On January 18, the U.S. District Court for the Western District of Washington granted a motion for summary judgment in favor of an insurance company (defendant) with respect to a plaintiff’s TCPA allegations. The plaintiff alleged that the defendant, among other things, violated the TCPA by placing telephone calls to him and the putative class members whose telephone numbers are on the National Do Not Call (DNC) Registry. The defendant countered that the plaintiff spoke with the defendant during a 26-minute phone call and provided his personal information and consent to be called by the defendant. The plaintiff alleged that he had not submitted any information, and suggested that hackers may have been involved, and that he had engaged in a lengthy and detailed conversation with the defendant because he was “investigating” the identity of the caller and the motive for calling. However, the court noted that “the personal information [the plaintiff] disclosed during the call supports the contention that he in fact was interested in obtaining a quote and otherwise submitted an internet request,” and that no evidence supported the plaintiff having “investigative” motives. 

    According to the opinion, a “reasonable jury” would find that the defendant had permission to call the plaintiff and that, even if there were questions about whether the plaintiff had requested or consented to the disputed call, the procedures that the defendant had put in place to comply with the law brought it under the purview of the TCPA's safe harbor provision. The court also found that the defendant “produced significant evidence that as part of its routine business practice, it complies with the standards required by the safe harbor provision and had substantially complied with the purpose of the TCPA, ‘to protect consumers from the unwanted intrusion and nuisance of unsolicited telemarketing phone calls and fax advertisements,’ by only calling those who have requested a life insurance quote and consented to be called.”

    Courts Class Action Do Not Call Registry Consumer Protection TCPA

  • French data protection agency issues privacy fines over cookies

    Privacy, Cyber Risk & Data Security

    On January 6, the French data protection agency, Commission Nationale de l’Informatique et des Libertés (CNIL), fined a multinational technology company 150 million euros and a global social media company 60 million euros (approximately $170 and $68 million USD respectively) for failure to comply with the French Data Protection Act related to the companies’ process for managing cookies. (See additional press releases here and here.) According to the CNIL, the companies provide a button allowing users to immediately accept cookies but do not provide an equivalent option to allow users to easily refuse the cookies through a single click. This process, CNIL stated, “influences [a user’s] choice in favor of consent” since a user “cannot refuse the cookies as easily as they can accept them,” and constitutes an infringement of Article 82 of the French Data Protection Act. In addition to the fines, the CNIL gave the companies three months “to provide […] users located in France with a means of refusing cookies as simple as the existing means of accepting them, in order to guarantee their freedom of consent.” Failure to comply will come with the risk of an additional daily fine of 100,000 euros per day of delay.

    Privacy/Cyber Risk & Data Security Of Interest to Non-US Persons Consumer Protection France Enforcement

  • FTC says robocall violations top consumers’ do-not-call complaints

    Federal Issues

    On January 5, the FTC issued its National Do Not Call (DNC) Registry biennial report to Congress. According to the report, more than 244 million consumers have now placed their telephone numbers on the DNC Registry over the past two years. The report also highlighted that in FY 2021, the Commission received more than five million DNC complaints, the majority of which reported robocall violations as opposed to live telemarketing. The FTC reported that the increased number of illegal telemarketing calls correlates with advancements in technology that make it easier for telemarketers to “spoof” the caller ID information accompanying a call. “[M]any telemarketers use automated dialing technology to make calls that deliver prerecorded messages (commonly referred to as ‘robocalls’), which allow violators to make very high volumes of illegal calls without significant expense,” the FTC said. Imposters posing as government representatives or legitimate business entities topped the complaint list, followed by calls related to warranties and protection plans, debt-reduction offers, and medical and prescription issues. Last month, in response to the consistently high level of impersonator scam complaints, the FTC issued an advance notice of proposed rulemaking seeking comments on a wide range of questions related to government and business impersonation fraud (covered by InfoBytes here). The FTC noted that these scammers are looking for information that can be used to commit identity theft or seek monetary payment and often request that funds be paid through wire transfer, gift cards, or cryptocurrency. Additionally, the FTC stated that since the beginning of the Covid-19 pandemic, it has received more than 18,000 Covid-related DNC complaints.

    Federal Issues FTC Robocalls Spoofing Covid-19 Consumer Protection Do Not Call Registry

  • District Court temporarily halts enforcement of New York’s user data-sharing ordinances

    Privacy, Cyber Risk & Data Security

    On December 27, the U.S. District Court for the Southern District of New York issued a stipulation and order in a consolidated action, temporarily reprieving three delivery app companies from complying with New York City’s Administrative Code §§ 20-847.3 and 20-563.7 (collectively, “the ordinances”). The amended complaint contends that the ordinances “create an unconstitutional, privacy-infringing, data-disclosure requirement pursuant to which third-party food-ordering and delivery platforms. . . must divulge, against their will, sensitive, proprietary customer information,” including full names, phone numbers, email addresses, delivery addresses, and order contents to New York City restaurants “regardless of whether that restaurant maintains any security infrastructure, and regardless of whether the customer has expressly consented to their personal information being so shared.” According to the plaintiffs, the ordinances “state that customers are presumed to have consented to this dangerous flow of their information unless they specifically opt out for each and every order they place, contrary to the common view that opt-out requests should be valid for at least several months.” The plaintiffs allege, among other things, that the ordinances are preempted by New York State’s Right of Privacy and violate delivery app companies’ First Amendment rights.

    Notably, while New York City “has agreed to stay enforcement of the Challenged Laws pending final determination by this Court resolving, or disposing of, this action in exchange for Plaintiff’s agreement not to file a motion for a preliminary injunction,” the stipulation and order is not an indefinite agreement to stop enforcement of the ordinances.

    Privacy/Cyber Risk & Data Security Courts New York State Issues Consumer Protection

  • District Court preliminarily approves TCPA class action

    Courts

    On December 27, the U.S. District Court for the Eastern District of Washington granted class certification and preliminarily approved a putative class action settlement alleging two Washington cannabis companies violated the TCPA by sending unsolicited promotional text messages without consumer consent. According to the plaintiff’s unopposed motion for preliminary approval of the settlement, the plaintiff contended that she did not consent to receiving commercial texts from defendants, and alleged violations of the TCPA as well as Washington’s Consumer Protection Act predicated on the defendants’ alleged violations of Washington’s Commercial Electronic Mail Act. The preliminarily approved settlement would give affected consumers vouchers totaling up to $618,000. Class counsel also intends to move for a class representative award and attorneys’ fees and expenses. The proposed settlement class includes anyone in Washington who received at least one unsolicited commercial text message from or on behalf of the defendants after June 22, 2015, and through the date of class certification.

    The court granted final approval to the settlement on April 11.

    Courts State Issues Consumer Protection Privacy/Cyber Risk & Data Security Class Action TCPA Washington

  • New Jersey settles CFA and HIPAA violations following 2019 data breach

    Privacy, Cyber Risk & Data Security

    On December 15, the acting New Jersey attorney general and the Division of Consumer Affairs reached a settlement with three New Jersey-based medical providers for allegedly violating the New Jersey Consumer Fraud Act and the federal Health Insurance Portability and Accountability Act (HIPAA) by failing to adequately safeguard patient data. The settlement resolved allegations that patients’ personal and protected health information, including health records, driver’s license numbers, Social Security numbers, financial account numbers, and payment card numbers, were exposed when several employee email accounts were compromised in a 2019 data breach. The AG additionally contended that while notifying clients of the initial data breach, the defendants “improperly disclosed patient data when a third-party vendor improperly mailed notification letters intended for 13,047 living patients by addressing the letters to those patients’ prospective next-of-kin.” Federal and state law require medical providers to implement appropriate safeguards to protect consumers’ sensitive health and personal information and identify potential threats—measures, the AG alleged, the defendants failed to take. Without admitting to any violation of law, the defendants agreed to the terms of the consent order and will pay $353,820 in penalties and $71,180 in attorneys’ fees and investigative costs. The defendants will also adopt additional comprehensive privacy and security measures to safeguard consumers’ protected information and will obtain a third-party assessment of their policies and practices related “to the collection, storage, maintenance, transmission, and disposal of patient data.”

    Privacy/Cyber Risk & Data Security State Issues State Attorney General Settlement Data Breach Consumer Protection

  • FTC proposes rule to combat impersonation fraud

    Agency Rule-Making & Guidance

    On December 16, the FTC issued an advance notice of proposed rulemaking (ANPR) seeking comments on a wide range of questions related to government and business impersonation fraud. According to the FTC, reported losses due to impersonation fraud have spiked during the Covid-19 pandemic, with data from the Social Security Administration reporting $2 billion in total losses between October 2020 and September 2021. These impersonation scams include persons posing as government officials or employees or persons claiming they represent well-known businesses or charities, and may use “misleading domain names, URLs, and ‘spoofed’ contact information” to create the illusion of legitimacy. The FTC added that scammers are looking for information that can be used to commit identity theft or seek monetary payment and often request that funds be paid through wire transfer, gift cards, or cryptocurrency. Government impersonators also often threaten consumers with severe consequences, while business impersonators regularly use ploys claiming they have identified suspicious activity on a consumer’s account or computer.

    The ANPR - the FTC’s first action under its streamlined rulemaking procedures announced earlier this year (covered by InfoBytes here) - seeks feedback, data, and arguments from the public concerning the need for rulemaking to prevent this type of fraud. Comments on the ANPR are due within 60 days of publication in the Federal Register.

    Agency Rule-Making & Guidance FTC Consumer Protection Covid-19 Privacy/Cyber Risk & Data Security Fraud

  • Nebraska creates Consumer Affairs Response Team

    State Issues

    On December 2, the Nebraska attorney general launched the Consumer Affairs Response Team (CART) to help state residents address complaints and identify scams related to a wide range of consumer-related issues, such as fraud, identity theft, scams, and unfair and deceptive business practices. CART will accept complaints after a consumer has first made a “good-faith-effort” to resolve any issues directly with a business. If CART determines that the consumer’s complaint falls within its authority, it will engage in the dispute resolution process by facilitating communications between the consumer and the business. CART was created after the AG’s office discovered a 65 percent increase in identity theft reports as well as a 27 percent increase in fraud and other types of consumer scams.

    State Issues State Attorney General Consumer Protection Consumer Finance Nebraska
