On September 17, the California attorney general announced a settlement with a technology company that operates a fertility-tracking mobile app to resolve claims that security flaws put users’ sensitive personal and medical information at risk in violation of state consumer protection and privacy laws. According to the complaint filed in the Superior Court for the County of San Francisco, the company’s app allegedly failed to adequately safeguard and preserve the confidentiality of medical information by, among other things, (i) allowing access to user information without the user’s consent, by failing to “authenticate the legitimacy of the user to whom the medical information was shared”; (ii) allowing a password-change vulnerability to permit unauthorized access and disclosure of information stored in the app without the user’s consent; (iii) making misleading statements concerning implemented security measures and the app’s ability to protect consumers’ sensitive personal and medical information from unauthorized disclosure; and (iv) failing to implement and maintain reasonable security procedures and practices.
Under the terms of the settlement, the company—which does not admit liability—is required to pay a $250,000 civil penalty and incorporate privacy and security design principles into its mobile apps. The company must also obtain affirmative authorization from users before sharing or disclosing sensitive personal and medical information, and must allow users to revoke previously granted consent. Additionally, the company is required to provide ongoing annual employee training concerning the proper handling and protection of sensitive personal and medical information, in addition to training on cyberstalking awareness and prevention. According to the AG’s press release, the settlement also includes “a first-ever injunctive term that requires [the company] to consider how privacy or security lapses may uniquely impact women.”
On September 17, the U.S. Court of Appeals for the Eleventh Circuit reversed and vacated a district court judgment awarding an “incentive payment” to a TCPA class action representative, concluding it violates a U.S. Supreme Court decision prohibiting such awards. Additionally, the 11th Circuit remanded the case so that the district court could adequately explain its findings on the fees and costs issues. According to the opinion, a consumer initiated a TCPA class action against a collection agency for allegedly calling phone numbers that had originally belonged to consenting debtors but were subsequently reassigned to non-debtors. The action quickly moved to settlement and one class member objected, challenging “the district court’s decision to set the objection deadline before the deadline for class counsel to file their attorneys’-fee petition.” Additionally, among other things, the objector argued that the proposed $6,000 incentive award to the class action representative violates the 1880s Supreme Court decisions in Trustees v. Greenough and Central Railroad & Banking Co. v. Pettus. The district court overruled the class member’s objections.
On appeal, the 11th Circuit concluded that the district court “repeated several errors” that “have become commonplace in everyday class-action practice.” Specifically, the appellate court held that the district court “violated the plain terms of Federal Rule of Civil Procedure 23(h)” by setting the settlement objection date more than two weeks before the date class counsel had to file their attorneys’ fee petition. The appellate court also concluded that the district court violated the Supreme Court’s rule from Greenough and Pettus, which provides that “[a] plaintiff suing on behalf of a class can be reimbursed for attorneys’ fees and expenses incurred in carrying on the litigation, but he cannot be paid a salary or be reimbursed for his personal expenses.” The 11th Circuit noted that modern day incentive awards pose even more risks than the concerns from Greenough, promoting “litigation by providing a prize to be won.” Thus, according to the appellate court, although incentive awards may be “commonplace” in class action litigation, they are not lawful and therefore, the district court’s decision must be reversed.
On September 15, the U.S. Court of Appeals for the Second Circuit affirmed the district court’s denial of arbitration, concluding that a national sandwich chain’s website did not provide sufficient notice of the terms and conditions. According to the opinion, a consumer filed a TCPA action against the sandwich chain relating to unsolicited text messages he received after he entered his phone number on a promotional page of the company’s website in order to receive a free sandwich at his next visit. After entering his number, the consumer clicked a button stating “I’M IN,” which the sandwich chain argued “constituted assent to the terms and conditions contained on a separate webpage that was accessible via a hyperlink on the promotional page.” The terms and conditions included an agreement to arbitrate. The sandwich chain moved to compel arbitration of the consumer’s TCPA action and the district court denied the motion, finding that no arbitration agreement existed because “the terms and conditions were not reasonably clear and conspicuous on the promotional page itself.”
On appeal, the 2nd Circuit agreed with the district court, noting that the webpage “was relatively cluttered.” Specifically, the appellate court noted that the webpage lacked language “informing the user that by clicking ‘I’M IN’ the user was agreeing to anything other than the receipt of a coupon.” Moreover, the appellate court held that the link to the terms and conditions was not conspicuous to a reasonable user as it was in small font at the bottom of the page and was “introduced by no language other than the shorthand ‘T & Cs.’” Because the company did not provide sufficient evidence demonstrating the consumer’s knowledge of the terms and conditions, the appellate court affirmed the denial of arbitration.
On September 15, the New York attorney general announced a settlement with a national franchisor of a coffee retail chain to resolve allegations that the company violated New York’s data breach notification statute and several state consumer protection laws by failing to protect thousands of customer accounts from a series of cyberattacks. As previously covered by InfoBytes, the AG claimed that, beginning in 2015, customer accounts containing stored value cards that could be used to make purchases in stores and online were subject to repeated cyberattack attempts, resulting in more than 20,000 compromised accounts and “tens of thousands” of dollars stolen. Following the attacks, the AG alleged that the company failed to take steps to protect the affected customers or to conduct an investigation to determine the extent of the attacks or implement appropriate safeguards to limit future attacks. The settlement, subject to court approval, would require the company to (i) notify affected customers, reset their passwords, and refund any stored value cards used without permission; (ii) pay $650,000 in penalties and costs; (iii) maintain safeguards to protect against similar attacks in the future; and (iv) develop and follow appropriate incident response procedures.
On September 11, the U.S. District Court for the Central District of California ordered a California-based investment training operation to pay $362 million to resolve FTC allegations that the operation used deceptive claims to sell costly “training programs” targeting older consumers. As previously covered by InfoBytes, the FTC argued that the operation violated the FTC Act and the Consumer Review Fairness Act by using false or unfounded claims to market programs that purportedly teach consumers investment strategies designed to generate substantial income from trading in the financial markets “without the need to possess or deploy significant amounts of investable capital.” Additionally, the FTC alleged the operation required that dissatisfied customers requesting refunds sign agreements barring them from posting negative comments about the operation or its personnel, and prohibited customers from reporting potential violations to law enforcement agencies.
The district court agreed with the FTC, approving an order that requires the operation to pay a partially suspended judgment of $362 million, with three individual defendants required to pay $8.3 million, $158,000, and $736,300, respectively, and to surrender various assets. The remainder of the total judgment is suspended upon the completion of the individuals’ respective payments and surrender of assets, conditioned on the “truthfulness, accuracy, and completeness” of the sworn financial representations. Moreover, among other things, the order prohibits the operation from (i) making misleading claims of potential earnings or misrepresenting the time or effort required by consumers to “attain proficiency” in the operation’s trading strategy; and (ii) restricting customers from communicating with law enforcement or posting negative reviews. Additionally, the operation must notify all clients of their rights to post honest reviews and to file complaints.
On September 11, the U.S. Court of Appeals for the Ninth Circuit, in a split decision, upheld the district court order requiring a publisher and conference organizer and his three companies (defendants) to pay more than $50.1 million to resolve allegations that the defendants made deceptive claims about the nature of their scientific conferences and online journals and failed to adequately disclose publication fees in violation of the FTC Act. As previously covered by InfoBytes, in an action filed in the U.S. District Court for the District of Nevada, the FTC alleged the defendants misrepresented that their online academic journals underwent rigorous peer reviews; instead, according to the FTC, the defendants did not conduct or follow the scholarly journal industry’s standard review practices and often provided no edits to submitted materials. Additionally, the FTC alleged that the defendants failed to disclose material fees for publishing authors’ work when soliciting authors and that the defendants falsely advertised the attendance and participation of various prominent academics and researchers at conferences without their permission or actual affiliation. The district court agreed with the FTC and, among other things, ordered the defendants to pay more than $50.1 million in consumer redress.
On appeal, the split 9th Circuit agreed with the district court, concluding that the defendants violated the FTC Act, noting that despite the “overwhelming evidence against them,” the defendants “made only general denials” and did not “create any genuine disputes of material fact as to their liability.” The appellate court emphasized that the misrepresentations made by the defendants were “material” and “did in fact, deceive ordinary customers.” Moreover, among other things, the appellate court held that the defendants failed to meet their burden to show that the FTC “overstated the amount of their unjust gains by including all conference-related revenue.” Specifically, the appellate court determined that conferences were “part of a single scheme of deceptive business practices,” even though the conferences were individual, discrete events. Because the marketing was “widely disseminated,” the court determined that the FTC was entitled to a rebuttable presumption that “all conference consumers were deceived.”
In partial dissent, a judge asserted the FTC “did not reasonably approximate unjust gains” by including all conference-related revenue, because “the FTC’s own evidence indicates that only approximately 60% of the conferences were deceptively marketed.” Thus, according to the dissent, the case should have been remanded to the district court to determine whether the FTC can meet its initial burden.
On September 9, the U.S. Court of Appeals for the Fifth Circuit affirmed a district court’s dismissal of a plaintiff’s FCRA claims against two consumer reporting agencies (CRAs), holding that omitting a favorable credit item does not render a credit report misleading. The plaintiff filed a lawsuit after the CRAs stopped reporting a favorable item—a timely paid credit card account—and refused to restore it, alleging that the refusal to include the item on his consumer report violated section 1681e(b), which requires CRAs to follow “reasonable procedures to assure maximum possible accuracy” of consumer information. As a result, the plaintiff claimed his creditworthiness was harmed, which caused him to be denied a credit card and rejected for a mortgage. The district court dismissed the suit.
In affirming the dismissal, the 5th Circuit found that the omission of a single credit item does not render a report “inaccurate” or “misleading.” According to the appellate court, a “credit report does not become inaccurate whenever there is an omission, but only when an omission renders the report misleading in such a way and to such an extent that it can be expected to adversely affect credit decisions.” As such, “[b]usinesses relying on credit reports have no reason to believe that a credit report reflects all relevant information on a consumer.” The 5th Circuit further held, among other things, that the plaintiff failed to state a claim for violations of section 1681i(a), which requires agencies to conduct an investigation if consumers dispute “the completeness or accuracy of any item of information contained in a consumer’s file.” The court held that because the plaintiff “disputed the completeness of his credit report, not of an item in that report,” the statute did not require an investigation.
On September 9, the U.S. Court of Appeals for the Eleventh Circuit affirmed summary judgment in favor of a cable satellite company, concluding that the company had a “legitimate business purpose” under the FCRA to obtain a consumer’s credit report. According to the opinion, in 2016, following an identity theft, the consumer entered into a settlement agreement with the cable satellite company after the consumer’s personal information was used to fraudulently open two accounts for television services. As part of the agreement, the company put the consumer’s personal information into an internal mechanism designed to flag and prevent unauthorized accounts. In 2017, an unknown individual applied for an account online using some of the consumer’s information. The company’s automated systems sent the information to a consumer reporting agency (CRA), which matched the information to the consumer and resulted in the cable satellite company blocking the account from being opened. Upon request by the company, the CRA deleted the inquiry from the consumer’s credit file. The consumer filed an action alleging that the company breached the settlement agreement and “negligently and willfully obtained the January 2017 consumer report without a ‘permissible purpose’” in violation of the FCRA. While the action was pending, two more attempts were made to use the consumer’s information to open accounts and the satellite company blocked both. The district court granted summary judgment in favor of the satellite company.
On appeal, the 11th Circuit agreed with the district court, concluding that the satellite company had a “legitimate business purpose” to access the credit report. Specifically, the appellate court noted that the “FCRA does not explicitly require a user of consumer reports to confirm beyond doubt the identity of potential consumers before requesting a report.” Moreover, the satellite company was dependent on the credit report to access the consumer’s full social security number and “cross-check that information via its internal mechanisms.” Additionally, the appellate court rejected a claim for breach of the settlement agreement, noting that the company satisfied the terms of the agreement by flagging the social security number in its internal systems and using that system to block the fraudulent application for an account.
On September 8, the U.S. District Court for the Central District of California entered a stipulated final judgment against two additional defendants in an action brought by the CFPB, the Minnesota and North Carolina attorneys general, and the Los Angeles City Attorney alleging a student loan debt relief operation deceived thousands of student-loan borrowers and charged more than $71 million in unlawful advance fees. As previously covered by InfoBytes, the complaint alleged that the defendants violated the Consumer Financial Protection Act, the Telemarketing Sales Rule, and various state laws by charging and collecting improper advance fees from student loan borrowers prior to providing assistance and receiving payments on the adjusted loans. Four defendants settled in August, with a total suspended judgment of over $95 million due to the defendants’ inability to pay and total payments of $90,000 to Minnesota, North Carolina, and California, and $1 each to the CFPB, in civil money penalties.
The new final judgment holds the two relief defendants liable for nearly $7 million in redress; however, the judgment is suspended based on an inability to pay. The defendants are not subject to any civil money penalties, but are required to relinquish certain assets and submit to certain reporting requirements.
On September 4, the U.S. Court of Appeals for the Second Circuit affirmed in part and vacated in part a summary judgment ruling in favor of a debt collector, concluding that the debt collector was not entitled to the FDCPA’s bona fide error defense as a matter of law when it erroneously sent communications to a consumer with the same name as the actual debtor. According to the opinion, a debt collector sent collection notices to a consumer with the same first name, middle initial, and last name as the actual debtor. The consumer informed the debt collector that he was not the debtor and provided the last two digits of his social security number, which were different than the debtor’s social security number on file with the debt collector. The debt collector continued to send communications, including a subpoena duces tecum, to the consumer and the consumer filed suit, alleging various violations of the FDCPA. The district court granted summary judgment in favor of the debt collector, concluding that the debt collector did not violate certain provisions of the FDCPA and noting that while it violated others, the FDCPA’s bona fide error defense applied making the debt collector not liable for the violations.
On appeal, the 2nd Circuit agreed with the district court that the debt collector did not violate Section 1692e(5) or Section 1692f of the FDCPA because it did not intend to send the communications to a non-debtor, nor did the debt collector’s actions constitute “unfair or unconscionable means” of collection because the consumer was not forced to respond to the information subpoena or attend a debtor’s examination. However, the appellate court determined that the district court erred in granting summary judgment on the bona fide error defense because a reasonable jury could conclude that the debt collector “did not maintain procedures reasonably adapted to avoid its error.” The appellate court also noted that the debt collector was “in possession of more than enough evidence” that the consumer was not the debtor, including different social security numbers and birth years, and a reasonable jury could conclude the mistake “was not made in good faith.” Additionally, the appellate court emphasized that the debt collector had “no written policies” to address situations in which employees are uncertain about whether a debtor may live at a particular address. Thus, the debt collector was not entitled to summary judgment on the outstanding FDCPA claims, and the appellate court remanded the case to the district court.