Skip to main content
Menu Icon
Close

InfoBytes Blog

Financial Services Law Insights and Observations

Filter

Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.

  • District Court denies payment company’s request to set aside judgment

    Courts

    On March 12, the U.S. District Court for the Northern District of California denied a company’s post-trial motions to set aside September 2017 judgments in a lawsuit brought by the CFPB for alleged violations of the Consumer Financial Protection Act (CFPA). Specifically, the bi-weekly payments company requested that the court set aside its injunction and reconsider a $7.93 million penalty in light of “new evidence” that demonstrated the company’s inability to pay the penalty. As previously covered by Infobytes, the CFPB filed the lawsuit in 2015, alleging, among other things, that the company made misrepresentations to consumers about its bi-weekly payment program by overstating the savings provided by the program and creating the impression the company was affiliated with the consumers’ lender. In denying the company’s motion, the court held that the company failed to present new evidence that would justify the relief. Additionally, the court rejected the argument that the permanent injunction placed on the company was overly burdensome, stating “in light of the evidence of defendants[’] prior practices…the limitations of the injunction reflect appropriate safeguards ‘to avoid deception of the consumer.’”

    Courts CFPB Payment Processors UDAAP CFPA

  • California judge limits plaintiffs’ ability to seek certain punitive damages in internet data breach

    Privacy, Cyber Risk & Data Security

    On March 9, the U.S. District Court for the Northern District of California partially granted a motion to dismiss limiting plaintiffs’ ability to seek certain punitive damages for data breaches. The court also held that the plaintiffs cannot seek claims under the California Customer Records Act (CRA). The consolidated litigation results from announcements that hackers had breached the defendant’s systems and accessed users’ personal information in multiple attacks between 2013 and 2016. While the court kept several claims alive, including one alleging company executives purposefully concealed the hacks and others related to good faith and fair dealing, the court found the plaintiffs had failed to establish when the company learned about the 2013 and 2014 hacks, which warranted dismissal of most of the claims brought under the CRA. With respect to the limit on punitive damages, the court held that there is no punitive remedy for the alleged breaches relating to the breach of contract and CRA claims. However, the court did allow the plaintiffs to seek punitive damages for concealment, negligence, and misrepresentation related to the executives’ alleged suppression of the breach. 

    Privacy/Cyber Risk & Data Security Courts Damages Data Breach

  • 9th Circuit reinstates class action data breach lawsuit against online retailer

    Courts

    On March 8, the U.S. Court of Appeals for the 9th Circuit reinstated a putative class action lawsuit against an online retailer, concluding that the increased risk of identity theft resulting from a 2012 data breach affecting over 24 million shoppers gave consumers Article III standing to sue. The three-judge panel held that the district court erred in dismissing claims brought by consumers who did not allege financial losses as a result of the data breach because the stolen information provided hackers the “means to commit fraud or identity theft.” The panel noted that evidence that another group of consumers had suffered financial losses from the same data breach undermined the argument that the data stolen would not lead to fraud or identity theft. In addition, although the defendant asserted that too much time had passed since the data breach for any harm to be considered imminent, the panel found that determining jurisdiction requires an assessment of a plaintiff’s standing at the time the suit was filed, and that the risk of harm was sufficiently imminent at the time of filing. The 9th Circuit remanded the case back to the lower court for review.

    The panel also addressed a separate appeal by the class on the district court’s decision not to enforce a purported settlement agreement, affirming the lower court’s decision “because the parties did not have a meeting of the minds on all essential terms of the agreement.”

    Courts Ninth Circuit Appellate Privacy/Cyber Risk & Data Security Data Breach Class Action

  • District Court recognizes CFTC authority to regulate virtual currency as commodities

    Fintech

    On March 6, the U.S. District Court for the Eastern District of New York granted the CFTC’s request for preliminary injunction against defendants alleged to have misappropriated investor money through a cryptocurrency trading scam, holding that the CFTC has the authority to regulate virtual currency as commodities. The decision additionally defined virtual currency as a “commodity” within the meaning of the Commodity Exchange Act (CEA) and gave the CFTC jurisdiction to pursue fraudulent activities involving virtual currency even if the fraud does not directly involve the sale of futures or derivative contracts. However, the court noted that the “jurisdictional authority of CFTC to regulate virtual currencies as commodities does not preclude other agencies from exercising their regulatory power when virtual currencies function differently than derivative commodities.” Under the terms of the order, the defendants are restrained and enjoined until further order of the court from participating in fraudulent behavior related to the swap or sale of any commodity, and must, among other things, provide the CFTC with access to business records and a written account of financial documents.

    Find continuing InfoBytes coverage on virtual currency oversight here.

    Fintech Digital Assets Virtual Currency Courts CFTC Cryptocurrency Commodity Exchange Act

  • 2nd Circuit finds bankruptcy claim non-arbitrable

    Courts

    On March 7, the U.S. Court of Appeals for the 2nd Circuit denied a bank’s motion to compel arbitration, holding that arbitration of the debtor’s claims would present an inherent conflict with the intent of the Bankruptcy Code because the dispute concerns a core bankruptcy proceeding. The debtor’s claims against the bank relate to a purported refusal to remove a “charge-off” status on the debtor’s credit file after the debtor was released from all dischargeable debts through a Chapter 7 bankruptcy. The bankruptcy court allowed the debtor to reopen the proceeding in order to file a putative class action complaint against the bank alleging that the designation amounted to coercion to pay a discharged debt. The bank moved to compel arbitration, based on a clause in the debtor’s cardholder agreement, and the court denied the motion. On appeal, the district court affirmed the bankruptcy court’s decision. In affirming both lower courts’ decisions, the 2nd Circuit reasoned that a claim of coercion to pay a discharged debt is an attempt to undo the effect of the discharge order and, therefore, “strikes at the heart of the bankruptcy court’s unique powers to enforce its own orders.” The circuit court found the debtor’s complaint to be non-arbitrable based on a conclusion that it would create an inherent conflict with the intent of the bankruptcy code.

    Courts Second Circuit Arbitration Bankruptcy Appellate

  • Pennsylvania Attorney General sues ride-sharing company for 2016 data breach

    State Issues

    On March 5, Pennsylvania Attorney General filed a lawsuit against a ride-sharing company for violating Pennsylvania’s Breach of Personal Information Notification Act (BPINA) because of its failure to disclose a 2016 data breach caused by hackers. The complaint alleges that after the company became aware of the breach, it “paid the hackers at least $100,000 to delete the acquired consumer data and keep quiet.”  According to the complaint, the breached data included the private information of at least 13,500 Pennsylvania drivers. The Attorney General asserts that, under the BPINA, the company must provide notice to the affected residents without unreasonable delay. Instead, the company waited until November 2017 to disclose the incident. Among other things, the complaint seeks civil penalties in the amount of $1,000 or $3,000, depending on the consumer’s age, for each individual BPINA violation.

    The Pennsylvania lawsuit follows similar lawsuits by the City of Chicago and Washington State, previously covered by InfoBytes here.

    State Issues Privacy/Cyber Risk & Data Security Data Breach State Attorney General Courts

  • Judge orders student loan servicer to comply with CFPB CID

    Courts

    On February 28, the U.S. District Court for the Western District of Pennsylvania granted the CFPB’s petition to enforce a Civil Investigative Demand (CID) issued against a student loan servicer. According to the opinion, the student loan servicer filed a petition with the CFPB to set aside a June 2017 CID because the statutorily-mandated Notification of Purpose did not comply with the Bureau’s notice requirements under 12 U.S.C. § 5562(c)(2). The loan servicer argued that the CID’s list of activities under investigation—i.e., processing payments, charging fees, transferring loans, maintaining accounts, and credit reporting—failed to provide the servicer with fair notice as to the nature of the investigation because it “merely categorize[s] all aspects of a student loan servicing operation.” The CFPB denied the petition, and in November 2017, filed a petition in court to enforce the CID. In granting the Bureau’s petition, the court found that the Notification of Purpose met the statutory notice requirements because nothing in the law bars the CFPB “from investigating the totality of a company’s business operations.” Moreover, the court also found that the CID’s Notification of Purpose met the necessary requirements regarding administrative subpoenas set forth by the U.S. Court of Appeals for the 3rd Circuit, concluding that the investigation is for a “legitimate purpose,” the information requested is relevant and not already known by the Bureau, and the request is not unreasonably broad or burdensome.

    Courts CFPB Student Lending CIDs Appellate Third Circuit

  • California district court rules social media company cannot dismiss non-users’ facial scan privacy claims

    Courts

    On March 2, the U.S. District Court for the Northern District of California denied a motion to dismiss an action for lack of standing in a lawsuit brought under the Illinois Biometric Information Privacy Act (BIPA) against a social media company (defendant) for allegedly collecting and storing non-user facial scans. The action was similar to a consolidated class action lawsuit brought by users of the site in 2016. The court found that the factual difference between the two cases (one involving users and one involving non-users) was irrelevant for its Article III analysis. Citing to his February 26 decision (February decision) in the related case, the judge concluded that the abrogation of the plaintiffs’ procedural rights under BIPA, which allow users to control their biometric information, amounted to a concrete injury under Article III. As the court noted in the February decision: “BIPA vested in Illinois residents the right to control their biometric information by requiring notice before collection and giving residents the power to say no by withholding consent,” and that there is “equally little doubt . . . that a violation of BIPA’s procedures would cause actual and concrete harm.” The court rejected the defendant’s argument that it did not store non-users’ biometric information, stating that such factual evidence, which is disputed by the plaintiffs, goes to the merits of the case and cannot be weighed or resolved at the motion to dismiss stage.

    Courts Privacy/Cyber Risk & Data Security Class Action State Issues

  • Pennsylvania judge partially dismisses action against investors of an online lending scheme

    Courts

    On January 26, the U.S. District Court for the Eastern District of Pennsylvania partially dismissed an action brought by the Pennsylvania Attorney General against out-of-state investors of an online payday lender and the lender for violating Pennsylvania’s Corrupt Organizations Act (COA). The Attorney General alleged that an online payday lender and the investors “designed, implemented, and profited from a consumer lending scheme to circumvent the usury laws of states.” The alleged conduct, which the court referred to generally as “rent-a-bank” and “rent-a-tribe” schemes, involved the online lender partnering with an out-of-state bank and later with tribal nation to act as the nominal lenders of the loans. The investors moved to dismiss the claims against them, arguing that the court lacked personal jurisdiction over them and that the Attorney General failed to plead sufficient allegations with respect to the investors’ involvement in the “rent-a-bank” scheme. The court rejected the jurisdictional arguments, holding that even though the investors were a Delaware LLC with no physical connection to the state, their participation in a scheme targeting Pennsylvania consumers constituted sufficient minimum contacts. However, the court dismissed the “rent-a-bank” aspects of the complaint as to the investors because it found that the Attorney General failed to allege that they were anything more than passive investors in the scheme.

    Courts Payday Lending State Attorney General Jurisdiction Lending

  • 9th Circuit reverses lower court’s dismissal of TCPA claim

    Courts

    On February 28, the U.S. Court of Appeals for the 9th Circuit reinstated a consumer’s lawsuit against two banks on charges that the nearly 300 calls she received seeking payment of a debt may have violated the Telephone Consumer Protection Act (TCPA). The three-judge panel stated that the district court’s decision to dismiss the case on standing grounds was incorrect in light of a subsequent 9th Circuit ruling in a different case, which held that “a violation of the TCPA is a concrete, de facto injury.” The court further held that the TCPA is not limited to telemarketing calls, and that the unsolicited contact—“regardless of caller or content”—is evidence of “concrete harm” that can be traced back to the conduct at issue. Additionally, the panel also held that the district court erred in granting the banks’ request for summary judgment on the plaintiff’s claim under California’s Rosenthal Fair Debt Collection Practices Act and her claim for “intrusion upon seclusion,” finding that the banks’ actions “allegedly caused harm” to the plaintiff’s solitude. The court reversed and remanded the case for further proceedings.

    Courts Appellate Ninth Circuit TCPA Debt Collection

Pages

Upcoming Events