Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
On July 11, a split U.S. Court of Appeals for the Eleventh Circuit partially vacated the greenlighting of two data breach class actions, holding that a district court must re-analyze the boundaries of the classes. Both the nationwide and California classes are individuals who sued a restaurant chain after their card data and personally identifiable information were compromised in a cyberattack. Plaintiffs claimed that information for roughly 4.5 million cards could be accessed on an online marketplace for stolen payment information. Two of the three named plaintiffs also said they experienced unauthorized charges on their accounts. Plaintiffs moved to certify two classes seeking both injunctive and monetary relief—a nationwide (or alternatively a statewide) class for negligence and a California class for claims based on the state’s unfair business practices laws. The district court certified a nationwide class and a separate California-only class. The restaurant chain’s parent company appealed, arguing that the certification violates court precedent on Article III standing for class actions, that the classes do not meet the commonality requirements for certification, and that the district court erred by finding that a common damages methodology existed for the class.
On appeal, the majority found that at the class certification stage, plaintiffs only had to show that a reliable damages methodology existed. The majority also determined that the district court correctly found that plaintiffs’ expert presented a sufficient methodology for calculating damages and that “it would be a ‘matter for the jury’ to decide actual damages at trial.” However, the majority remanded the case with instructions for the district court to clarify what it meant when it certified classes of individuals who had their “data accessed by cybercriminals.” According to the opinion, the district court meant for this term to encompass individuals who experienced fraudulent charges or whose credit card information was posted on the dark web. The majority expressed concerns that the phrase “accessed by cybercriminals” is broader than the two delineated categories provided by the district court and could include individuals who had their data taken but were otherwise uninjured. The majority also vacated the California class certification after determining that two of the three named plaintiffs lacked standing because they dined at the restaurant outside of the “at-risk” timeframe. The district court’s damages calculation methodology, however, was left undisturbed by the appellate court.
Partially dissenting, one of the judges wrote that while she agreed that one of the named plaintiffs had standing to sue, she disagreed with the majority’s concrete injury analysis. The judge also argued that the district court erred in its damage calculations by “impermissibly permit[ting] plaintiffs to receive an award based on damages that they did not suffer.”
On July 12, the CFPB and the State of Maine filed an amicus brief in the Maine Supreme Judicial Court arguing that determining whether a loan is covered by TILA requires an assessment of the borrower’s primary purpose in entering into the transaction. The action involves a couple who obtained a loan from the bank to purchase land for the construction of a home. Due to the 2008 financial crisis, the value of the property depreciated, resulting in insufficient proceeds from the sale of the home to fully pay off the loan. To cover the shortfall, the couple acquired a new loan from the bank and used a cabin they owned as collateral. When the loan’s term ended, the couple defaulted after being unable to make the required balloon payment. The bank sued, seeking to take possession of the cabin. At trial, the couple attempted to present evidence that the bank had not provided them with certain necessary disclosures mandated by TILA and did not assess their ability to repay the loan. The couple maintained “that the bank’s liability under TILA fully offset the amount they owed to the bank under the loan.” The court determined, however, that since the loan documents indicated a commercial purpose, TILA did not apply.
The couple attempted to introduce extrinsic evidence to show that even though the loan was labeled “commercial,” it was actually used for personal, family, or household purposes and therefore was a covered consumer loan. The court relied on a case (Bordetsky v. JAK Realty Trust) holding that, for purposes of determining the applicability of Maine’s notice of default statute for residential real estate foreclosures, “courts should not look to extrinsic evidence to determine whether the loan had a commercial or consumer purpose if the loan document states on its face that the loan has a commercial purpose.”
The brief explained that TILA generally applies to consumer loans (i.e., loans that are primarily for a personal, family, or household purpose) but not to loans made for a commercial purpose, and that the Maine Consumer Credit Code fully incorporates TILA. The brief argued that the borrower’s primary purpose for obtaining the loan should determine whether TILA and the Maine Consumer Credit Code apply, and presented three arguments as to why the trial court erred in concluding that TILA is not applicable on the sole basis that the loan is labeled as a “commercial loan.” First, statutory text provides that a loan is generally covered by TILA if a borrower obtained the loan primarily for a family, personal or household purpose. TILA “requires a substantive and fact-intensive inquiry into the reasons why the borrower entered into the transaction,” the brief explained. Second, judicial precedent has established that “determining whether a loan has a covered purpose requires looking beyond the four corners of the contract.” The trial court erred in relying on Bordetsky because it pertains to a different Maine statute and does not address the judicial precedent or administrative guidance that govern TILA coverage, the brief said. Finally, permitting creditors to evade TILA by labeling a loan as “commercial” is at odds with TILA’s remedial purpose, the brief maintained.
“Why the consumer borrowed the money—not the label that the company sticks on the loan—determines whether the loan is covered by the law,” Seth Frotman, general counsel and senior advisor to the CFPB director, said in a blog post.
On July 13, the CFPB joined state attorneys general from Washington, Oregon, Delaware, Minnesota, Illinois, Wisconsin, Massachusetts, North Carolina, South Carolina, and Virginia in taking action against an education firm accused of engaging in deceptive marketing and unfair debt collection practices. California’s Department of Financial Protection and Innovation is participating in the action as well. Prior to filing for bankruptcy, the Delaware-based defendant operated a private, for-profit vocational training program for software sales representatives. The joint complaint, filed as an adversary proceeding in the firm’s bankruptcy case, alleges that the defendant charged consumers up to $30,000 for its programs. The complaint further alleges that the defendant encouraged consumers who could not pay upfront to enter into income share agreements, which required minimum payments equal to between 12.5 and 16 percent of their gross income for 4 to 8 years or until they had paid a total of $30,000, whichever came first.
The complaint asserts that the defendant engaged in deceptive practices by misrepresenting its income share agreement as not a loan and not debt, and mislead borrowers into believing that no payments would need to be made until they received a job offer from a technology company with a minimum annual income of $60,000. The defendant is also accused of failing to disclose important financing terms, such as the amount financed, finance charges, and annual percentage rates, as required by TILA and Regulation Z. The complaint also claims that the defendant hired two debt collection companies to pursue collection activities on defaulted income share loans. One of the defendant debt collectors is accused of engaging in unfair practices by filing debt collection lawsuits in remote jurisdictions where consumers neither resided nor were physically present when the financing agreements were executed. The complaint further alleges the two defendant debt collectors violated the FDCPA and the CFPA by deceptively inducing consumers into settlement agreements and falsely claiming they owed more than they did.
According to the Bureau and the states, after the Delaware Department of Justice and Delaware courts began scrutinizing the debt collection lawsuits, the defendant unilaterally changed the terms of its contracts with consumers to force them into arbitration even though none of them had agreed to arbitrate their claims. Additionally, the complaint contends that settlement agreements marketed as being “beneficial” to consumers actually released consumers’ claims against the defendant and converted income share loans into revised “settlement agreements” that obligated them to make recurring monthly payments for several years and contained burdensome dispute resolution and collection terms.
The complaint seeks permanent injunctive relief, monetary relief, consumer redress, and civil money penalties. The CFPB and states are also seeking to void the income share loans.
On July 10, the West Virginia attorney general, along with 26 other states, filed an amicus brief in support of respondents in Consumer Financial Protection Bureau v. Community Financial Services Association of America, arguing that the CFPB’s funding structure violates the Constitution and that by operating outside the ordinary appropriations process states are often left “out in the cold.” In their brief, the states urged the U.S. Supreme Court to uphold the U.S. Court of Appeals for the Fifth Circuit’s decision in which it found that the Bureau’s “perpetual self-directed, double-insulated funding structure” violated the Constitution’s Appropriations Clause (covered by InfoBytes here and a firm article here). The 5th Circuit’s decision also vacated the agency’s Payday Lending Rule on the premise that it was promulgated at a time when the Bureau was receiving unconstitutional funding.
Arguing that the Bureau is operating beyond the boundaries established by the Constitution, the states maintained that the current funding mechanism limits Congress’s ability to oversee the agency. “Even if the CFPB has done some good—and some would even dispute that premise—it wouldn't matter,” the states said, warning that “sidelining Congress can greenlight an agency to wreak havoc,” especially if the “agency wields broad regulatory and enforcement powers over the entire U.S. financial system, acts under the control of a single powerful figure, and lacks other protections from meaningful oversight.”
The appropriations process plays a crucial role in enabling states to influence agency actions indirectly, the states maintained, explaining that when an agency initiates a new enforcement initiative or significant rulemaking endeavor, it is required to publicly outline its projected work in order to secure the necessary funding to carry it out. “Disclosure on the front end of the appropriations process can empower affected parties—including the [s]tates—to take quick, responsive actions beyond lobbying their representatives (up to suing to stop illegal action, if need be).” In contrast, the Bureau’s insulation from this process has allowed it to hide its actions from public view, the states wrote. As an example, the Bureau has repeatedly declined to interpret or provide further clarity on how the provisions governing unfair, deceptive, or abusive acts or practices work.
The brief also highlighted examples of when Congress used funding cuts through the appropriations process to curtail agencies’ powers. Additionally, unlike the challenges of amending authorizing statutes, appropriations bills must be passed by Congress each year to avoid a government shutdown, which can be “a painful pill to swallow for the sake of standing up for an agency’s policy choice,” the states noted, adding that “[b]ecause appropriations involves both oversight committees and appropriations committees, agencies may have ‘less flexibility to ally themselves with executive branch officials or interest groups.’”
The states also urged the Court to “ignore doomsaying” about the consequences of finding the funding structure unconstitutional. Should the Court agree to invalidate the funding structure, Congress can pass a proper appropriations bill for the Bureau, the states explained, adding that “a rebuke from this Court would no doubt grease the sticky wheels of the legislative process and move them a bit faster.” Moreover, states could also fill any gaps should Congress somehow pare back the CFPB’s funding, the brief stressed.
Several amicus briefs were also filed this week in support of CFSA, including an amici curiae brief filed by the U.S. Chamber of Commerce and several banking associations and an amici curiae brief filed by 132 members of Congress, including 99 representatives and 33 senators, which urged the Court to uphold the 5th Circuit’s decision.
On July 5, the U.S. Court of Appeals for the Seventh Circuit affirmed summary judgment in favor of a defendant data furnisher in an FCRA case, holding that the plaintiff failed to establish that the defendant provided “patently incorrect or materially misleading information” to a credit reporting agency (CRA). Defendant was the subservicer for plaintiff’s mortgage and was responsible for accepting and tracking payments and providing payment data to the CRAs. After plaintiff failed to make her monthly payments, she resolved the delinquency through a short sale of her home. Several years later, plaintiff noticed that the closed mortgage account appeared on her credit reports as delinquent. She disputed the information to several CRAs. To confirm the accuracy of its records on plaintiff’s mortgage, one of the CRAs sent the defendant data furnisher four automated consumer dispute verification (ACDV) forms. In the ACDV responses, the defendant amended or verified several contested data points, including the pay rate and account history. The CRA reported this amended data to indicate on plaintiff’s credit report that she was currently delinquent on the mortgage with missed payments in the months following the short sale. After plaintiff applied for and was denied a new mortgage based on the credit report, plaintiff sued the defendant data furnisher for alleged violations of the FCRA, alleging that the defendant failed to conduct a reasonable investigation of the disputed data and provided false and misleading information to CRAs. The district court granted summary judgment in favor of the defendant, finding that plaintiff failed to make a threshold showing that the defendant’s data was incomplete or inaccurate.
On appeal, the 7th Circuit disagreed with plaintiff that “completeness or accuracy” under the FCRA “must be judged based, not on the ACDV response the data furnisher provided, but on the credit report generated from it.” The court reasoned that the text of the statute “says nothing about a credit report, let alone a duty of a data furnisher with respect to credit reports produced using its amended data. To the contrary, the statute sets out the data furnisher’s duties to investigate disputes, correct incomplete or inaccurate information, and report results from an investigation” to the CRA. Holding that “context can play a large role in determining completeness or accuracy” in this situation, the appellate court agreed with the district court that the data provided by the defendant to the CRA was “not materially misleading” and that “no reasonable jury could find” that the data meant that plaintiff was currently delinquent on her debt, particularly because of strong “contextual evidence”—specifically, that the disputed data appeared directly beside a status code showing that the account was closed. The appeals court affirmed summary judgment for the data furnisher.
On June 30, the U.S. Court of Appeals for the First Circuit overruled a district court’s dismissal of a putative class action against a home delivery pharmacy service for allegedly failing to prevent a 2021 data breach that exposed the personally identifiable information (PII) of over 75,000 patients. The class action complaint alleged state law claims for negligence, breach of implied contract, unjust enrichment, invasion of privacy, and breach of fiduciary duty, and sought damages and injunctive relief. The putative class was comprised of U.S. residents whose PII was compromised in the data breach. The two named plaintiffs were former or current patients whose PII were compromised in the data breach, and one of the two named plaintiffs had her stolen PII used to file a fraudulent tax return. The district court dismissed the lawsuit for lack of Article III standing.
Affirming in part and reversing in part, the 1st Circuit held that the complaint “plausibly demonstrates” the plaintiffs’ standing to seek damages, applying the principles articulated by the Supreme Court in TransUnion LLC v. Ramirez, which clarified the type of concrete injury necessary to establish Article III standing (covered by InfoBytes here).
First, the court concluded that, with respect to the named plaintiff whose PII was used to file a fraudulent tax return, the complaint’s “plausible allegations of actual misuse” of the stolen PII constituted a “concrete injury in fact” for purposes of Article III standing. According to the 1st Circuit, there existed “an “obvious temporal connection” between the timing of the data breach and the filed return, among other facts. The appellate court also found that the fraudulent tax return could make it probable that more of the named plaintiff’s information could be further misused—changing the risk of future misuse from speculative to “imminent and substantial.”
Second, with respect to the named plaintiff for whom there was no allegation of actual misuse of PII, the court reasoned that “the complaint plausibly alleges a concrete injury in fact based on the material risk of future misuse of [plaintiff’s] PII and a concrete harm caused by exposure to this risk.” The appellate court also found that, because the data here was compromised in a “targeted attack,” then “it stands to reason that [such data] is more likely to be misused…and the risk of future misuse is heightened when the compromised data is particularly sensitive.”
Third, the court concluded that the complaint plausibly alleged a “separate concrete, present harm” caused by exposure to the risk of future harm, “based on the allegations of the plaintiffs’ lost time spent taking protective measures [against further identity theft] that would otherwise have been put to some productive use.” “The loss of this time is equivalent to a monetary injury, which is indisputably a concrete injury,” the appellate court wrote, adding that it joins other circuits in holding that time spent responding to a data breach is sufficient to establish standing.
Finally, the court held that plaintiffs lacked standing to pursue injunctive relief “because their desired injunctions would not likely redress their alleged injuries” as any such relief would only safeguard against future breaches and would not protect “plaintiffs from future misuse of their PII by the individuals they allege now possess it.”
On July 5, the U.S. District Court for the Southern District of New York ordered a crypto platform and its CEO to each pay a civil money penalty of $141,410, as well as to jointly pay disgorgement in the same amount, in a case brought by the SEC. The SEC filed a complaint in February 2021 alleging that the defendants violated the registration provisions of the Securities Act of 1933 in connection with their offer and sale of digital asset securities. According to the SEC, the defendants sold digital asset securities to hundreds of investors, including investors based in the United States, but failed to file a registration statement for the offering. The complaint further charged the defendants with denying prospective investors the material information required for such an offering to the public. The SEC alleged that the defendants raised at least $141,410 through their offering.
Neither defendant responded to the complaint, and the court accordingly entered an order of default against the defendants, permanently enjoining the defendants from violating the registration provisions of the Securities Act. The court also referred the case to a magistrate judge to make a recommendation regarding disgorgement and penalties. The magistrate judge concluded—and the court agreed—that there were sufficient facts supporting the SEC’s allegations against the defendants and that disgorgement and civil monetary penalties were appropriate remedies. In addition to the civil monetary penalty of $141,410 per defendant, the court held the defendants jointly and severally liable for disgorgement of $141,410 plus pre-judgment interest.
On July 7, the U.S. District Court for the Central District of California entered a final judgment and order against an individual defendant accused of operating and controlling a deceptive student loan debt relief operation. As previously covered by InfoBytes, in 2019, the CFPB, along with the Minnesota and North Carolina attorneys general and the Los Angeles City Attorney (together, the “states”), announced an action against the student loan debt relief operation for allegedly deceiving thousands of student loan borrowers. The Bureau and the states alleged that since at least 2015, the debt relief operation violated the Consumer Financial Protection Act (CFPA), Telemarketing Sales Rule (TSR), FDCPA, and various state laws by charging and collecting over $95 million in illegal advance fees from student loan borrowers. In addition, the Bureau and the states claimed that the debt relief operation engaged in deceptive practices by misrepresenting the purpose and application of the fees they charged and the nature and benefits of their services. Specifically, the debt relief operation allegedly failed to inform borrowers that, among other things, (i) they would request that the loans be placed in forbearance and interest would continue to accrue during the forbearance period, thereby increasing the borrowers’ overall loan balances; and (ii) it was their practice to submit false information about the borrowers to student loan servicers to try to qualify borrowers for lower monthly payments. The individual defendant was accused of owning, controlling, and managing the student loan debt relief operation, materially participating in the operation’s affairs, and providing substantial assistance or support while knowing or consciously avoiding knowledge that the operation was engaging in illegal conduct.
The individual defendant was held liable, jointly and severally, in the amount of approximately $95,057,757, for the purpose of providing redress to affected borrowers. Because the individual defendant was found to have recklessly violated the TSR and the CFPA, the court also imposed second-tier civil monetary penalties of $147,985,000 to the Bureau, of which $5,000 will be paid to each state. The final judgment also imposes various forms of injunctive relief, including permanent bans on engaging in consumer financial products or services and violating the TSR, CFPA, and similar laws in Minnesota, North Carolina, and California. The individual defendant is also prohibited from disclosing, using, or benefiting from customer information obtained in connection with the offering or providing of the debt relief services, and may not “attempt to collect, sell, assign, or otherwise transfer any right to collect payment from any consumer who purchased or agreed to purchase” a debt relief service from any of the defendants.
On July 3, the Community Financial Services Association of America (CFSA) and the Consumer Service Alliance of Texas filed their brief with the U.S. Supreme Court, urging the high court that the CFPB’s independent funding structure is “unprecedented and must be stopped before it spreads without limit.” Respondents asked the Court to affirm the U.S. Court of Appeals for the Fifth Circuit’s decision in Community Financial Services Association of America v. Consumer Financial Protection Bureau, where the appellate court found that the Bureau’s “perpetual self-directed, double-insulated funding structure” violated the Constitution’s Appropriations Clause (covered by InfoBytes here and a firm article here). The 5th Circuit’s decision also vacated the agency’s Payday Lending Rule on the premise that it was promulgated at a time when the Bureau was receiving unconstitutional funding.
The Bureau expanded on why it believes the 5th Circuit erred in its holding in its opening brief filed with the Court in May (covered by InfoBytes here), and explained that even if there were some constitutional flaw in the statute creating the agency’s funding mechanism, the 5th Circuit should have looked for some cure to allow the remainder of the funding mechanism to stand independently instead of presuming the funding mechanism created under Section 5497(a)-(c) was entirely invalid. Vacatur of the agency’s past actions was not an appropriate remedy and is inconsistent with historical practice, the Bureau stressed.
In their brief, the respondents challenged the Bureau’s arguments, writing that the “unconstitutionality of the CFPB’s funding scheme is confirmed by both its unprecedented nature and lack of any limiting principle. Whether viewed with an eye toward the past or the future, the threat to separated powers and individual liberty is easy to see.” Disagreeing with the Bureau’s position that the Constitution gives Congress wide discretion to exempt agencies from annual appropriations and that independent funding is not uncommon for a financial regulator, the respondents stated that Congress gave up its appropriations power to the Bureau “without any temporal limit.” The respondents further took the position that the Bureau “can continue to set its own funding ‘forever’” unless both chambers agree and can persuade or override the president. Moreover, because the Federal Reserve Board is required to transfer “the amount determined by the Director to be reasonably necessary to carry out the [CFPB’s] authorities, . . . it ‘foreclose[s] the application of any meaningful judicial standard of review.’”
The respondents also argued that the Bureau’s funding structure is clearly distinguishable from other assessment-funded agencies in that these financial regulators are held to “some level of political accountability” since “they must consider the risk of losing funding if entities exit their regulatory sphere due to imprudent regulation.” Additionally, the respondents claimed that the fundamental flaws in the funding statute cannot be severed, reasoning, among other things, that courts “cannot ‘re-write Congress’s work’” and are not able to replace the Bureau’s self-funding discretion with either a specific sum or assessments from regulated parties.
With respect to the vacatur of the Payday Lending Rule and the potential for unintended consequences, the respondents urged the Court to affirm the 5th Circuit’s rejection of the rule, claiming it was unlawfully promulgated since a valid appropriation was a necessary condition to its rulemaking. “Lacking any viable legal argument, the Bureau resorts to fear-mongering about ‘significant disruption’ if all ‘the CFPB’s past actions’ are vacated,” the respondents wrote, claiming the Bureau “grossly exaggerates the effects and implications of setting aside this Rule.” According to the respondents, the Bureau does not claim that any harm would result from setting aside the rule, especially since no one has “reasonably relied” on the rule as it has been stayed and never went into effect. As to other rules issued by the agency, the respondents countered that Congress could “legislatively ratify” some or all of the agency’s existing rules and that only “‘timely’ claims can lead to relief” in past adjudications. Additionally, the respondents noted that many of the Bureau’s rules were issued outside the six-year limitations period prescribed in 28 U.S.C. § 2401(a). This includes a substantial portion of its rules related to mortgage-related disclosure. Even for challenges filed within the time limit, courts can apply equitable defenses such as “laches” to deny retrospective relief and prevent disruption or inequity, the respondents said.
The Superior Court for the County of Sacramento adopted a ruling during a hearing held June 30, granting the California Chamber of Commerce’s (Chamber of Commerce) request to enjoin the California Privacy Protection Agency (CPPA) from enforcing its California Privacy Rights Act (CPRA) regulations until March 2024. Enforcement of the CPRA regulations was set to begin July 1.
The approved regulations (which were finalized in March and took effect immediately) update existing California Consumer Privacy Act regulations to harmonize them with amendments adopted by voter initiative under the CPRA in November 2020. (Covered by InfoBytes here.) In February of this year, the CPPA acknowledged that it had not finalized regulations regarding cybersecurity audits, risk assessments, and automated decision-making technology and posted a preliminary request for comments to inform this rulemaking. (Covered by InfoBytes here.) The June 30 ruling referred to a public statement issued by the CPPA, in which the agency explained that enforcement of those three areas would not commence until after the applicable regulations are finalized. However, the CPPA stated it intended to “enforce the law in the other twelve areas as soon as July 1.”
In March, the Chamber of Commerce filed a lawsuit in state court seeking a one-year delay of enforcement for the new regulations. The Chamber of Commerce argued that the CPPA had finalized its regulations in March 2023 (rather than the statutorily-mandated completion date of July 1, 2022), and as a result businesses were not provided the required one-year period to come into compliance before the CPPA begins enforcement. The CPPA countered that the text of the statute “is not so straightforward as to confer a mandatory promulgation deadline of July 1, 2022, nor did the voters intend for impacted business to have a 12-month grace period between the [CPPA’s] adoption of all final regulations and their enforcement.”
The court disagreed, finding that the CPPA’s failure “to timely pass final regulations” as required by the CPRA “is sufficient to grant the Petition.” The court stated that because the CPRA required the CPPA to pass final regulations by July 1, 2022, with enforcement beginning one year later, “voters intended there to be a gap between the passing of final regulations and enforcement of those regulations.” The court added that it was “not persuaded” by the CPPA’s argument “that it may ignore one date while enforcing the other.” However, staying enforcement of all the regulations for one year until after the last of the CPRA regulations have been finalized would “thwart the voters’ intent.” In striking a balance, the court stayed the CPPA’s enforcement of the regulations that became final on March 29 and said the agency may begin enforcing those regulations on March 29, 2024. The court also held that any new regulations issued by the CPPA will be stayed for one year after they are implemented. The court declined to mandate any specific date by which the CPPA must finalize the outstanding regulations.