InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
District Court enters final judgment in 2016 CFPB structured settlement action
On November 18, the U.S. District Court for the District of Maryland entered a stipulated final judgment and order against one of the individual defendants in an action concerning allegedly unfair, abusive, and deceptive structured settlement practices. As previously covered by InfoBytes, the Bureau claimed the defendants violated the CFPA by employing abusive practices when purchasing structured settlements from consumers in exchange for lump-sum payments. According to the Bureau, the defendants encouraged consumers to take advances on their structured settlements and falsely represented that the consumers were obligated to complete the structured settlement sale, “even if they [later] realized it was not in their best interest.” In July 2021, the court considered the defendants’ motion to dismiss the Bureau’s amended complaint, as well as the defendants’ motion for judgment on the pleadings on the grounds that the enforcement action was barred by the U.S. Supreme Court’s decision in Seila Law LLC v. CFPB, which held that that the director’s for-cause removal provision was unconstitutional (covered by a Buckley Special Alert), and that the ratification of the enforcement action “came too late” because the statute of limitations on the CFPA claims had already expired (covered by InfoBytes here). The court’s opinion allowed the Bureau to pursue its amended 2016 enforcement action, which alleged unfair, deceptive, and abusive acts and practices and sought a permanent injunction, damages, disgorgement, redress, civil penalties, and costs.
Under the terms of the settlement, the individual defendant—“an attorney who provided purportedly independent professional advice for almost all Maryland consumers who made structured-settlement transfers with [the defendants]” and who has neither admitted nor denied the allegations—is prohibited from, among other things, (i) participating or assisting others in participating in any structured-settlement transactions; (ii) owning, being employed by, or serving as an agent of any structured-settlement-factoring company; or (iii) providing independent professional advice concerning any structured-settlement transactions. The individual defendant is also prohibited from disclosing, using, or benefiting from affected consumers’ information, and must pay $40,000 in disgorgement and a $10,000 civil money penalty.
11th Circuit to rehear Hunstein v. Preferred Collection & Management Services
On November 17, the U.S. Court of Appeals for the Eleventh Circuit vacated an opinion in Hunstein v. Preferred Collection & Management Services, ordering an en banc rehearing of the case. The order vacates an 11th Circuit decision to revive claims that the defendant’s use of a third-party mail vendor to write, print, and send requests for medical debt repayment violated privacy rights established in the FDCPA. As previously covered by InfoBytes, in April, the 11th Circuit held that transmitting a consumer’s private data to a commercial mail vendor to generate debt collection letters violates Section 1692c(b) of the FDCPA because it is considered transmitting a consumer’s private data “in connection with the collection of any debt.” According to the order issued sua sponte by the 11th Circuit, an en banc panel of appellate judges will convene at a later date to rehear the case.
4th Circuit: Tribal lenders must face usury claims
On November 16, the U.S. Court of Appeals for the Fourth Circuit upheld a district court’s ruling denying defendants’ bid to dismiss or compel arbitration of a class action concerning alleged usury law violations. The plaintiffs—Virginia consumers who defaulted on short-term loans received from online lenders affiliated with a federally-recognized tribe—filed a putative class action against tribal officials as well as two non-members affiliated with the tribal lenders, alleging the lenders violated the Racketeer Influenced and Corrupt Organizations Act (RICO) and Virginia usury laws by charging interest rates between 544 and 920 percent. The defendants moved to compel arbitration under a clause in the loan agreements and moved to dismiss on various grounds, including that they were exempt from Virginia usury laws. The district court denied the motions to compel arbitration and to dismiss, ruling that the arbitration provision was unenforceable as a prospective waiver of the borrowers’ federal rights and that the defendants could not claim tribal sovereign immunity. The district court also “held the loan agreements’ choice of tribal law unenforceable as a violation of Virginia’s strong public policy against unregulated lending of usurious loans.” However, the district court dismissed the RICO claim against the tribal officials, ruling that RICO only authorizes private plaintiffs to sue for money damages and not injunctive or declaratory relief.
On appeal, the 4th Circuit concluded that the arbitration clauses in the loan agreements impermissibly force borrowers to waive their federal substantive rights under federal consumer protection laws, and contained an unenforceable tribal choice-of-law provision because Virginia law caps general interest rates at 12 percent. As such, the appellate court stated that the entire arbitration provision is unenforceable. “The [t]ribal [l]enders drafted an invalid contract that strips borrowers of their substantive federal statutory rights,” the appellate court wrote. “[W]e cannot save that contract by revising it on appeal.” The 4th Circuit also declined to extend tribal sovereign immunity to the tribal officials, determining that while “the tribe itself retains sovereign immunity, it cannot shroud its officials with immunity in federal court when those officials violate applicable state law.” The appellate court further noted that the “Supreme Court has explicitly blessed suits against tribal officials to enjoin violations of federal and state law.” The 4th Circuit ultimately affirmed the district court’s judgment, noting that the loan agreement provisions were unenforceable because “tribal law’s authorization of triple-digit interest rates on low-dollar, short-term loans violates Virginia’s compelling public policy against unregulated usurious lending.”
The appellate court also agreed with the district court that RICO does not permit private plaintiffs to seek an injunction. “Congress’s use of significantly different language” to define the scope of governmental and private claims under RICO “compels us to conclude” that “private plaintiffs may sue only for treble damages and costs,” the appellate court stated. While plaintiffs “urge us to consider by analogy the antitrust statutes,” provisions outlined in the Clayton Act (which explicitly authorize injunction-seeking private suits) have “no analogue in the RICO statute,” the appellate court wrote, adding that “nowhere in the RICO statute has Congress explicitly authorized private actions for injunctive relief.”
District Court grants defendant’s motion in FCRA, FDCPA case
On November 10, the U.S. District Court for the Western District of New York granted a defendant debt agency’s motion for judgment resolving FCRA and FDCPA allegations. A father allegedly co-signed an apartment lease for his daughter (collectively, “plaintiffs”), which included a provision that allowed the plaintiffs to terminate the lease if another individual took over the lease. The plaintiffs allegedly did not move in but identified two replacement tenants to take over the lease. The owner of the apartment allegedly signed separate leases with the identified replacement tenants and “thwarted [plaintiffs’] efforts to have someone take over [the] [l]ease.” The owner placed the debt with the defendant for collection, who reported the debt to three credit reporting agencies. The plaintiffs disputed the debt, but the defendant confirmed the accuracy of the information. The plaintiffs sued, alleging the defendant violated the FCRA for not conducting a proper investigation of the dispute, and the FDCPA for attempting to collect the allegedly invalid debt, which allegedly negatively impacted the plaintiffs’ credit scores, their ability to obtain a car loan, and efforts to apply for an apartment.
With respect to the FCRA claim, the district court found that the plaintiffs’ allegation regarding an inaccurate debt “turns on an unresolved legal question, a section 1681s-2(b) claim that a furnisher failed to conduct a reasonable investigation of disputed credit information cannot stand.” Additionally, since the claim was “tethered to a legal dispute,” the district court found that it cannot form the basis of an FCRA claim. With respect to the FDCPA allegations, the district court dismissed the claim finding that the plaintiffs did not adequately state a claim because the plaintiffs’ claim was based on “nothing more than their conclusory and self-serving allegations that they do not owe the [d]ebt.”
District Court approves e-commerce platform data breach settlement
On November 4, the U.S. District Court for the District of Massachusetts granted final approval to a settlement in a class action against an alcohol e-commerce platform stemming from a data breach that allegedly compromised customers’ personally identifiable information. The plaintiffs’ memorandum of law requested approval of the class action settlement, which included a settlement class of 2.5 million individuals whose information was compromised. Class members claimed that the company did not publicly report the data breach until July 2020, and that customers’ information was available for purchase on the dark web. A complaint was filed against the defendant asserting claims of negligence, negligence per se, breach of implied contract, unjust enrichment, and violations of several state consumer protection statutes. The defendant moved to compel arbitration, citing a provision in its terms of service, as well as a class action waiver that required customers to arbitrate their claims individually. However, the parties entered into settlement discussions and agreed to mediate their dispute. Under the terms of the settlement, which is valued between $3.35 million and $7.1 million, the defendant has agreed to pay all associated administration costs, attorneys’ fees and expenses, and incentive awards. Class members will receive individual cash payments and will also receive a pro rata portion of a pool of up to $447,750 in the form of a credit against the cost of service fees for future orders on the defendant’s platform. The defendant will also implement certain data security measures for two years.
District Court grants tech company’s motion to arbitrate smartphone data monitoring claims
On November 9, the U.S. District Court for the Northern District of California issued an order granting, among other things, a global technology company defendant’s motion to compel individual arbitration in a privacy class action and dismissing the action without prejudice. As outlined in a May order issued by the court, which granted in part and denied in part defendant’s motion to dismiss plaintiff’s first amended complaint, the plaintiff alleged that the defendant failed to disclose it was (i) monitoring and collecting Android smartphone users’ sensitive personal data while users interacted with apps not owned by the defendant; or (ii) generally collecting “sensitive personal data to obtain an unfair economic advantage.” While the court dismissed the plaintiff’s California Invasion of Privacy Act claims, it allowed claims brought under the California Consumers Legal Remedies Act (which “prohibits ‘unfair methods of competition and unfair or deceptive acts or practices’”) to proceed based on the reasoning that if the defendant had disclosed these material facts, the plaintiff would have acted differently.
The defendant moved to compel arbitration, claiming the plaintiff was using a smartphone that was bound by an arbitration provision. The plaintiff countered in both the complaint and first amended complaint, as well as in his initial disclosures, that the phone he originally purchased was never subject to an arbitration agreement. However, the court noted that account information later showed that the smartphone used by the plaintiff at the time he filed suit, as well as the smartphone he later switched to, both came with individual arbitration provisions and class waivers, subject to user opt out. The court stated that the plaintiff did not opt out of arbitration for either smartphone, and further denied the plaintiff’s motion for leave to file a second amended complaint, dismissing the action without prejudice.
5th Circuit stays OSHA mandate
On November 12, the U.S. Court of Appeals for the Fifth Circuit issued a nationwide stay on the emergency temporary standard (ETS), which mandates that all employers with 100 or more employees require employees to be fully vaccinated or be subject to a weekly Covid-19 test. As previously covered by InfoBytes, the U.S. Department of Labor’s Occupational Safety and Health Administration (OSHA) published a rule in the Federal Register requiring employers to develop, implement, and enforce a mandatory Covid-19 vaccination policy, unless they adopt a policy requiring employees to choose between vaccination or regular testing for Covid-19 and wearing a face covering at work. The 5th Circuit stay, which was in response to a legal challenge filed by several states along with private entities and individuals, affirmed the court’s initial stay. According to the appellate opinion, OSHA’s enforcement of this ETS is illegitimate, calling it “unlawful” and “likely unconstitutional.” Furthermore, the 5th Circuit ordered OSHA to “take no steps to implement or enforce the Mandate until further court order.”
District Court dismisses data breach claims due to lack of jurisdiction
On November 8, the U.S. District Court for the Northern District of California dismissed a putative class action brought against a French cryptocurrency wallet provider and its e-commerce vendor after determining that the court does not have jurisdiction over the companies. Plaintiffs—customers who purchased hardware wallets through the vendor’s platform between July 2017 and June 2020—alleged violations of state-level consumer protection laws after a 2020 data breach exposed the personal contact information of thousands of vendor customers. Plaintiffs contended that when the breach was announced in 2020, the wallet provider failed to inform them that their data was involved in the breach. Plaintiffs also alleged that an unauthorized third party gained access to the wallet provider’s e-commerce database and obtained the email addresses of one million customers as well as physical contact information for 9,500 customers. According to the plaintiffs, the wallet provider did not disclose that the attack on its website and the vendor’s data theft were connected, and it downplayed the seriousness of the attack. As a result, plaintiffs were allegedly subject to “phishing scams, cyber-attacks, and demands for ransom and threats.” Plaintiffs claimed that the companies failed to implement appropriate security measures to protect customer data, and brought claims against the companies for injunctive relief and other remedies under California’s unfair competition law, Georgia’s Fair Business Practices Act, and New York’s General Business Law. The defendant companies moved to dismiss, arguing that the court lacked personal jurisdiction and that plaintiffs failed to state a claim.
The court determined that it does not have jurisdiction over the French wallet provider, and ruled, among other things, that the plaintiffs did not establish that the wallet provider “expressly aimed” its activities towards California in a way that would establish specific jurisdiction, and “did not cause harm in California that it knew was likely to be suffered there.” The court further held that the fact that the vendor was headquartered in California at the time the breach occurred is not sufficient to establish general jurisdiction because the vendor moved to Canada before the class action was filed. “Courts have uniformly held that general jurisdiction is to be determined no earlier than the time of filing of the complaint,” the court wrote, dismissing the case with prejudice.
District Court denies EFTA safe harbor in overdraft class action
On November 8, the U.S. District Court for the District of New Hampshire denied a credit union’s motion to dismiss claims concerning its overdraft fees and policies. Plaintiffs filed a putative class action alleging that the defendant failed to properly disclose how it assessed overdrafts in violation of EFTA and implementing Regulation E. According to the plaintiffs, the defendant’s overdraft fee opt-in disclosure did not provide a “clear and readily understandable” explanation of the meaning of “enough money,” nor did it specify whether overdrafts are calculated based on the actual balance or the available balance. The defendant moved to dismiss, arguing that the opt-in disclosure should be read in conjunction with a separate membership agreement that outlines the account terms and discloses the defendant’s use of the “available balance” method to determine when an account is overdrawn. The defendant further contended that it did not violate Regulation E and that it qualifies for EFTA’s safe harbor provision. The court disagreed, ruling that the plaintiffs had plausibly alleged a violation of Regulation E, as it requires the opt-in disclosure to be “segregated from all other information.” Among other things, the court stated that “[c]ountless courts examining virtually identical language have agreed” that language similar to the phrase “enough money” can plausibly amount to a violation of Regulation E’s “clear and readily understandable” explanation of overdraft fees.
With respect to defendant’s safe harbor claim, the court observed that EFTA may provide safe harbor to banks using an appropriate CFPB model clause (15 U.S.C. § 1693m(d)(2)) or a disclosure form “substantially similar” to the Bureau’s Model Form A-9, which states “[a]n overdraft occurs when you do not have enough money in your account to cover a transaction, but we pay it anyway.” The court agreed, however, with the reasoning of several courts that using language identical to that in the A-9 does not necessarily provide safe harbor defeating plaintiffs’ claims where, as here, the plaintiffs “have plausibly stated a claim that the clause from Model Form A-9 was not ‘appropriate’ because the language did not describe [defendant’s] overdraft policy in a ‘clear and readily understandable’ way.”
9th Circuit: Israeli company is not entitled to foreign sovereign immunity over malware claims
On November 8, the U.S. Court of Appeals for the Ninth Circuit affirmed a district court’s order denying a private Israeli company’s motion to dismiss claims based on foreign sovereign immunity. The Israeli company (defendant) designs and licenses surveillance technology to governments and government agencies for national security and law enforcement purposes. According to the opinion, the defendant markets and licenses a product that allows law enforcement and intelligence agencies to covertly intercept messages, take screenshots, or extract information such as a mobile device’s contacts or history. The plaintiffs (a messaging company and global social media company) sued the defendant claiming it sent malware through the messaging company’s server system to approximately 1,400 mobile devices to gather users’ information in violation of state and federal law, including the Computer Fraud and Abuse Act and the California Comprehensive Computer Data Access and Fraud Act. The defendant moved to dismiss, claiming foreign sovereign immunity protected it from the suit. The defendant further contended that even if the plaintiffs’ allegations were true, it was “acting as an agent of a foreign state, entitling it to ‘conduct-based immunity’—a common-law doctrine that protects foreign officials acting in their official capacity.” The district court disagreed, ruling that common-law foreign official immunity does not protect the defendant in this case because the defendant “failed to show that exercising jurisdiction over [the defendant] would serve to enforce a rule of law against a foreign state.”
Although the 9th Circuit agreed with the district court that the defendant, as a private company, is not entitled to immunity, the panel affirmed on separate grounds. The 9th Circuit based its determination instead on the fact that “the Foreign Sovereign Immunity Act (FSIA or Act) occupies the field of foreign sovereign immunity as applied to entities and categorically forecloses extending immunity to any entity that falls outside the FSIA’s broad definition of ‘foreign state.’” Among other things, the 9th Circuit rejected the defendant’s claim that because governments use its technology it is entitled to the immunity extended to sovereigns. “Whatever [the defendant’s] government customers do with its technology and services does not render [the defendant] an ‘agency or instrumentality of a foreign state,’ as Congress has defined that term,” the appellate court wrote. In contrast to the district court, the 9th Circuit rejected the defendant’s argument that it could claim foreign sovereign immunity under common-law immunity doctrines that apply to foreign officials (i.e., natural persons), finding that “Congress [had] displaced common-law sovereign immunity doctrine as it relates to entities.”