On August 30, the U.S. District Court for the Northern District of Indiana granted a software company defendant’s motion to dismiss, ruling that a healthcare system nonprofit (the “nonprofit”) and its insurer (collectively, “plaintiffs”) had not plausibly alleged that the 2020 ransomware attack on the defendant caused them to incur expenses that were compensable injuries. According to the opinion, the nonprofit, which possesses personally identifiable information (PII) records, executed two contracts with the defendant “to help consolidate its existing databases into one system of records and protect this sensitive data.” Under the first agreement, the defendant agreed to maintain servers holding the health nonprofit’s donor and patient data, including PII. In the second agreement, the defendant agreed to, among other things, comply with its obligations as a “business associate” under HIPAA, HITECH, and any implementing regulations.
According to the plaintiffs’ complaint, a third party allegedly hacked into the defendant’s systems and deployed ransomware in February 2020, which gained access to the PII that the health nonprofit stored with the defendant; however, the cybercriminals were unable to block the defendant from accessing its own systems. The defendant was said to have learned about the cyber-attack in May 2020 and waited until July 2020 to notify the nonprofit. The plaintiffs alleged that the data breach occurred because of the defendant’s failure to reasonably safeguard their database of PII. The plaintiffs also claimed that “‘had [the defendant] maintained a sufficient security program, including properly monitoring its network, security, and communications, it would have discovered the cyberattack sooner or prevented it altogether.’” Following the breach, the plaintiffs alleged that they incurred remediation damages that included “various expenses, which included credit monitoring services and call centers, legal counsel, computer systems recovery, and data recovery and data migration services.” The plaintiffs filed suit, alleging breach of contract, negligence, gross negligence, negligent misrepresentation, fraudulent misrepresentation, and breach of fiduciary duty. The defendant argued that the plaintiffs did not adequately explain how the breach caused their remediation damages, warranting dismissal.
The district court found that the plaintiffs failed to adequately plead causation for each of their claims, noting that “without any allegations explaining why they had to spend these amounts, the court is left to speculate how [the defendant’s] breaches caused [the health nonprofit’s] remediation damages.” The district court additionally determined that the plaintiffs’ negligence and contract claims must also fail because “harm caused by identity information exposure, coupled with the attendant costs to guard against identity theft did not constitute a compensable injury under either a negligence claim or a contract claim brought pursuant to Indiana law.” The district court also found that the plaintiffs’ negligence claims are barred under Indiana’s economic loss rule because the plaintiffs did not point to an independent duty outside of contract. The plaintiffs were, however, given leave to amend their complaint and attempt to remedy its deficiencies.
On August 12, the U.S. District Court for the Southern District of Indiana issued an order denying plaintiffs’ motion for partial summary judgment and granting defendants’ cross-motion for summary judgment in an action concerning alleged violations of TILA, ECOA, and FHA disparate impact claims. According to the court’s determination, the defendant corporate entity was not a “creditor” during the leasing portion of the underlying rent-to-buy (RTB) agreements, and the plaintiffs lacked standing on certain claims because the wrong parties were targeted.
The defendant realty group purchases, sells, and manages real estate. The plaintiffs all entered into RTB agreements with the realty group that allowed the renter to make 24 payments and then execute a sales contract for the property. The agreements carried interest rate terms between 9.87 and 18 percent. According to the plaintiffs, the defendants, among other things, did not provide TILA-required disclosures for high-cost mortgages, did not require written certifications that tenants had obtained counseling prior to entering into the transaction, and did not provide property appraisals to tenants.
The plaintiffs sued alleging several claims under TILA for failure to provide required information. However, the court concluded that during the 24-month rental period, the realty group was not a “creditor” but was instead a “landlord.” Moreover, the court determined that “the only entities that could arguably be considered creditors are the Individual Land Trusts as the sellers and parties to the Conditional Sales Contract.” These trusts were not named as defendants, the court observed, adding that the plaintiffs failed to meet the burden of showing that the land trusts were sufficiently related to the named defendants to allow the court to “pierce the corporate veil” and hold the named defendants liable for actions conducted by the non-party individual land trusts.
With respect to the plaintiffs’ ECOA claims, which claimed that the realty group’s policies and practices were intentionally discriminatory and had a disparate impact on the basis of race, color, and/or national origin, the court applied the same rationale as it did to the TILA claims and again ruled that the realty group was not a “creditor.” In terms of plaintiffs’ FHA claims, the court said that “the racial disparity must have been created by the defendant.” In this action, the court determined that the realty group did not create the condition, reasoning that “the fact that lower-priced homes are more likely to exist in minority neighborhoods is not of Defendants’ making and existed before, and without, the RTB Program.”
However, the court’s order does allow certain individual and class claims related to disparate treatment under the FHA to proceed, as well as certain claims regarding Indiana law related to standard contract terms and the condition of homes in the RTB program.
District Court allows state claims concerning the use of individuals’ likenesses in online ads to proceed
On April 19, the U.S. District Court for the Northern District of California denied a motion to dismiss in a putative class action alleging a California-based website operator violated various Ohio, Indiana, and California state laws by appropriating individuals’ names and likenesses and using this information in online teaser profile advertisements. Plaintiffs contended that the “teasers” violated their rights of publicity, and that memberships give users access to data including location history, family members, court records, employment information, and more. Plaintiffs further stated that “they ‘did not consent to the commercial use of their personal information and personas to promote subscriptions to a website with which they have no relationship.’” Defendant moved to dismiss on numerous grounds, including lack of standing.
In denying the motion to dismiss, the court ruled that plaintiffs have Article III standing to sue and that plaintiffs sufficiently pleaded a cognizable injury in “that their names, likenesses, and related information have commercial value and were being used for a commercial purpose.” The court also reviewed the adequacy of pleadings with respect to the alleged state violations and concluded, among other things, that the defendant’s teasers “are not subject to statutory exceptions for newsworthiness or public interest information.” As to the defendant’s alleged violations of California’s Unfair Competition Law (UCL), the court considered whether the California Consumer Privacy Act (CCPA) “immunizes [defendant’s] behavior from UCL liability.” According to the defendant, while the CCPA generally obligates businesses to notify California residents when personal information is being used, it also “contains an express exemption for the use of publicly available data.” Because this conduct is allegedly permitted by the CCPA, the defendant argued, it cannot violate the UCL. The court disagreed, writing that “all that these provisions of the CCPA do are exempt publicly available data from special notification and disclosure rules that the statute itself imposes on companies that collect Californians’ data. . . . They do not expressly or impliedly set aside privacy-based tort claims or related UCL claims.”
On March 18, the Indiana governor signed HB 1351, which provides that in the event of the discovery of a data breach, persons are required to disclose or provide notification “without unreasonable delay, but not more than forty-five (45) days after the discovery of the breach.” The bill provides for specific reasonable delays, including circumstances that are “necessary to restore the integrity of the computer system” or “to discover the scope of the breach,” or in certain instances where the attorney general or a law enforcement agency states that disclosure of the breach will impede a criminal or civil investigation or jeopardize national security. The statute amends an existing provision of Indiana law, IC-24-4.9.3-3, by making clear that notification must be within 45 days. HB 1351 takes effect July 1.
On March 18, the Indiana governor signed HB 1092, which amends the provisions regarding loan brokers that include requirements for licensing, as well as contracts for the services of a loan broker. Among other things, the bill establishes that a loan processing company notice filing must be made on a form prescribed by the commissioner and include the: (i) loan processing company's business name, address, and state of incorporation or business registration; (ii) names of the owners, officers, members, or partners who control the loan processing company; and (iii) name of each individual who is employed by the loan processing company, including the unique identifier from the Nationwide Multistate Licensing System (NMLS) of each loan processor. Additionally, when a contract for the services of a loan broker is assigned, the loan broker shall provide a copy of the signed contract and a written disclosure of any agreement entered into by the loan broker to procure loans exclusively from one lender to each party to the contract. The bill is effective July 22.
On January 28, the Indiana governor issued Executive Order 21-03, which renews the public health disaster emergency, originally set forth in Executive Order 20-02 (previously discussed here), for an additional 30-day period beyond January 30, 2021. As a result, all executive orders issued since March 6, 2020, that provide that they are supplements to Executive Order 20-02 are also renewed for the same 30-day period, except to the extent that they have been rescinded, superseded, or specify that they end or expire at another specific date.
Indiana governor renews public health disaster emergency and extends some executive orders issued since March 6, 2020
On July 30, the Indiana governor issued Executive Order 20-38, which renews the public health disaster emergency, originally set forth in Executive Order 20-02, for an additional 30-day period until September 2, 2020. As a result, all executive orders issued since March 6, 2020, that provide that they are supplements to Executive Order 20-02 are also renewed for the same 30-day period, except to the extent that they have been rescinded, superseded, or specify that they end or expire at another specific date.
On July 13, the Indiana Secretary of State, Securities Division, issued a compliance alert providing temporary relief from annual branch examination requirements. In light of the restrictions on travel caused by the pandemic, broker-dealers are not required to conduct an annual compliance examination in each branch office located in Indiana. However, a firm with the ability to conduct a remote branch examination during 2020 is encouraged to do so. Registrants are also reminded of their obligation to properly supervise agents and employees.
On June 3, the Indiana governor issued Executive Order 20-31, which extends regulatory relief related to Covid-19. Among other things, state agency-issued licenses, certifications or permits that have expired, or are set to expire, during the public health emergency were extended to June 30, 2020. This extension applies to, among other things, occupational and professional licenses.
Indiana Secretary of State Connie Lawson issued an announcement highlighting new laws and regulations regarding continuing education for notaries public, remote notary authorization, and criminal history record checks for notaries public. As of March 31, active notaries public can receive authorization to conduct remote notarizations if they submit an application, complete an educational course, pay a $100 fee, and contract with an approved technology vendor. The new laws relating to continuing education and criminal history record checks take effect on July 1.