
InfoBytes Blog

Financial Services Law Insights and Observations



  • CFPB reaches $850,000 settlement with debt collectors

    Courts

    On October 26, the U.S. District Court for the District of Maryland entered a stipulated final judgment and order against defendants (a debt collection entity, its subsidiaries, and their owner) in an action alleging FCRA and FDCPA violations. As previously covered by InfoBytes, the Bureau filed a complaint against the defendants in 2019 with alleged violations that included, among other things, the defendants’ failure to ensure accurate reporting to consumer-reporting agencies (CRAs), failure to conduct reasonable investigations and review relevant information when handling indirect disputes, and failure to conduct investigations into the accuracy of information after receiving identity theft reports before furnishing such information to CRAs. The Bureau separately alleged that the FCRA violations constitute violations of the CFPA, and that the defendants violated the FDCPA by attempting to collect on debts without a reasonable basis to believe that consumers owed those debts.

    Under the terms of the order, the defendants—who neither admitted nor denied any of the allegations except as specified in the order—are required to, among other things, (i) update existing policies and procedures to ensure information is accurate before it is furnished to a CRA or before commencing collections on an account; (ii) ensure policies and procedures are designed to address trends in disputes; and (iii) hire an independent consultant, subject to the CFPB Enforcement Director’s non-objection, to conduct a review to ensure management-level oversight and FCRA and FDCPA compliance. The defendants must also submit a compliance plan and pay an $850,000 civil money penalty.

    Courts CFPB Enforcement FCRA FDCPA Consumer Reporting Agency Credit Report Debt Collection CFPA

  • 11th Circuit’s new opinion says plaintiff still has standing to sue in outsourced debt collection letter action

    Courts

    On October 28, the U.S. Court of Appeals for the Eleventh Circuit issued a split opinion in Hunstein v. Preferred Collection & Management Services, vacating its April 21 decision but still finding that the plaintiff had standing to sue. As previously covered by InfoBytes, last April the 11th Circuit reviewed the district court’s dismissal of plaintiff’s claims that the disclosure of medical debt to a mail vendor violated the FDCPA’s third-party disclosure provisions. The 11th Circuit originally held that transmitting a consumer’s private data to a commercial mail vendor to generate debt collection letters violates Section 1692c(b) of the FDCPA because it is considered transmitting a consumer’s private data “in connection with the collection of any debt.” At the time, the appellate court determined that communicating debt-related personal information with the third-party mail vendor is a concrete injury under Article III. Even though the plaintiff did not allege a tangible injury, the appellate court held, in a matter of first impression, that under the circumstances, the plaintiff alleged a communication “in connection with the collection of any debt” within the meaning of § 1692c(b). 

    In its most recent opinion, the majority wrote that it was vacating its prior opinion “[u]pon consideration of the petition for rehearing, the amicus curiae briefs submitted in support of that petition, and the Supreme Court’s intervening decision in TransUnion LLC v. Ramirez.” The appellate court first re-examined whether the plaintiff had standing to sue. Among other things, the majority held that while the plaintiff cannot demonstrate “a risk of real harm,” he was able to show standing “through an intangible injury resulting from a statutory violation.” Further, the majority determined that TransUnion reaffirmed its conclusion that the plaintiff “alleged a harm that bears a close relationship to a harm that has traditionally been recognized in American courts.” (In TransUnion, the Court concluded, among other things, that “[i]n looking to whether a plaintiff’s asserted harm has a ‘close relationship’ to a harm traditionally recognized as providing a basis for a lawsuit in American courts, we do not require an exact duplicate.”) The majority further concluded that Congress’s judgment also favors the plaintiff because Congress indicated that violations of § 1692c(b) constitute a concrete injury.

    The appellate court next considered the merits of the case, with the majority concluding that the plaintiff adequately stated a claim that the transmittal of personal debt-related information to the vendor constituted a communication within the meaning of § 1692c(b)’s phrase “in communication with the collection of the debt.”

    Judge Tjoflat dissented, arguing that the April decision was issued before TransUnion, and following the Supreme Court’s reasoning, the plaintiff did not have standing because he did not suffer a concrete injury, and that there is an important difference between a plaintiff’s statutory cause of action to sue over a violation of federal law and “a plaintiff’s suffering concrete harm because of the defendant’s violation of federal law.” Judge Tjoflat further added that a “simple transmission of information along a chain that involves one extra link because a company uses a mail vendor to send out the letters about debt is not a harm at which Congress was aiming.”

    Courts Eleventh Circuit Appellate Debt Collection Third-Party Disclosures Vendor Hunstein Privacy/Cyber Risk & Data Security

  • 9th Circuit denies bid to block Arizona’s dealer data privacy law

    Courts

    On October 25, the U.S. Court of Appeals for the Ninth Circuit affirmed a district court’s order denying a motion for preliminary injunction against enforcement of an Arizona statute designed to strengthen privacy protections for consumers whose data is collected by auto dealers. Under the Dealer Law, database providers are prohibited from limiting access to dealer data by dealer-authorized third parties and are required to create a standardized framework to facilitate access. The plaintiffs—technology companies that license dealer management systems (DMS)—sued the Arizona attorney general and the Arizona Automobile Dealers Association in an attempt to stop the Dealer Law from taking effect. The plaintiffs contended that the Dealer Law is preempted by the Copyright Act because it gives dealers the right to access plaintiff’s systems and create unlicensed copies of its dealer management system, application programming interfaces, and data compilations. The plaintiffs further claimed the Dealer Law is a violation of the U.S. Constitution’s contracts clause.

    On appeal, the 9th Circuit agreed that the plaintiffs were not entitled to a preliminary injunction. The appellate court concluded that the Dealer Law was not preempted by the Copyright Act, because, among other things, the plaintiffs could comply with the Dealer Law without having to create a new copy of its software to process third-party requests. Moreover, the 9th Circuit noted that even if the plaintiffs had to create copies of their DMS on their servers to process third-party requests, they failed to establish that those copies would infringe their reproduction right, and the copies the plaintiffs took objection to “would be copies of its own software running on its own servers and not shared with anyone else.” The appellate court further held that the Dealer Law was not a violation of the U.S. Constitution’s contracts clause because, among other things, plaintiffs did not show that complying with the Dealer Law prevented them from being able to keep dealer data confidential. “Promoting consumer data privacy and competition plainly qualify as legitimate public purposes,” the appellate court wrote. “[Plaintiffs] point[] out that the Arizona Legislature did not make findings specifying that those were the purposes motivating the enactment of the statute, but it was not required to do so. The purposes are apparent on the face of the law.”

    Courts Privacy/Cyber Risk & Data Security State Issues Consumer Protection State Attorney General Arizona Ninth Circuit Appellate

  • 2nd Circuit: Turkish bank not immune from sanctions

    Courts

    On October 22, the U.S. Court of Appeals for the Second Circuit upheld a district court’s ruling against a Turkish state-owned commercial bank (defendant) denying its bid for immunity based on its characterization of an “instrumentality” of a foreign service, which is not entitled to immunity from criminal prosecution at common law. The U.S. government alleged that the bank converted Iranian oil money into gold and hid the transactions as purchases of goods to avoid conflicting sanctions against Iran. The district court denied the defendant’s motion to dismiss and partially concluded that the defendant was not immune from prosecution because the Foreign Sovereign Immunities Act (FSIA) confers immunity on foreign services only in civil proceedings. Furthermore, the district court concluded that, “even assuming arguendo that FSIA did confer immunity to foreign sovereigns in criminal proceedings, [the defendant’s] conduct would fall within FSIA’s commercial activity exception.” Additionally, the district court rejected the defendant’s “contention that it was entitled to immunity from prosecution under the common law, noting that [the defendant] failed to cite any support for its claim on this basis.” The district court found that the defendant’s characterization of its activities as sovereign in nature “conflates the act with its purpose,” finding that the lender's alleged money laundering was the type of activity regularly carried out by private businesses. The fact that the defendant is majority-owned by the Turkish Government is irrelevant under FSIA even if it is related to Turkey’s foreign policy because “literally any bank can violate sanctions.”

    On appeal, the 2nd Circuit noted that it was unnecessary to resolve a question presented in the case—whether foreign governments can assert immunity against criminal, as well as civil, charges—since money laundering would qualify as a commercial activity exception. The appellate court noted that, “[t]he gravamen of the Indictment is not that [the bank] is the Turkish Government’s repository for Iranian oil and natural gas proceeds in Turkey,” but that “it is [the bank’s] participation in money laundering and other fraudulent schemes designed to evade U.S. sanctions that is the ‘core action.’” And, “because those core acts constitute ‘an activity that could be, and in fact regularly is, performed by private-sector businesses,’ those acts are commercial, not sovereign, in nature.” The opinion also notes that “[e]ven assuming the FSIA applies in criminal cases—an issue that we need not, and do not, decide today—the commercial activity exception to FSIA would nevertheless apply to [the defendant’s] charged offense conduct.” The appellate court agreed with the district court, concluding that the bank must face criminal charges in the U.S. for allegedly assisting Iran in evading economic sanctions by laundering approximately $20 billion in Iranian oil and gas revenues.

    Courts Appellate Second Circuit Financial Crimes Of Interest to Non-US Persons Anti-Money Laundering Iran Foreign Sovereign Immunities Act OFAC Sanctions

  • District Court denies MSJ in FDCPA case

    Courts

    On October 19, the U.S. District Court for the Middle District of Florida denied a defendant’s motion for judgment without prejudice concerning allegations that it knowingly ignored cease-and-desist letters sent by an individual while the individual had a pending bankruptcy petition. The plaintiff allegedly incurred a debt that was placed with the defendant for collection. Afterward, the plaintiff sought protection under the Bankruptcy Code. During the bankruptcy case, the defendant allegedly sent the plaintiff text messages to collect the debt, the plaintiff responded with a cease-and-desist letter, and then the defendant sent the plaintiff a collection letter. The plaintiff sent another cease-and-desist letter and the defendant sent four more collection letters. Based on the defendant’s post-petition actions, the plaintiff sued for FDCPA and Florida Consumer Collection Practices Act violations. The defendant argued that the plaintiff failed to disclose this lawsuit in her bankruptcy case, which would result in the FDCPA case being dismissed on judicial estoppel grounds. However, the court found that while the plaintiff omitted the name and specific circumstances of her claims against the defendant, she “put the Bankruptcy Court, trustee, and creditors on notice she had a claim against a creditor and properly sought approval from the Bankruptcy Court before retaining counsel to pursue it.” The court went on to state that if the plaintiff “intended to deceive creditors or others in bankruptcy, filing the Application strayed from that intent,” and that “the filing mitigates any prejudice claimed by [the defendant].”

    Courts Florida FDCPA Debt Collection Bankruptcy State Issues

  • District Court preliminarily approves $85 million class action privacy settlement

    Courts

    On October 21, the U.S. District Court for the Northern District of California preliminarily approved an $85 million class action settlement to resolve privacy and data security allegations against a video conferencing provider. Class members claimed the company violated several California laws, including invasion of privacy, the “unlawful” and “unfair” prongs under the Unfair Competition Law, implied covenant of good faith and fair dealing, and unjust enrichment, among others. According to class members, the company unlawfully shared their personal data with unauthorized third parties, failed to prevent unwanted and unauthorized meeting disruptions, and misrepresented the strength of its end-to-end encryption measures. The court’s preliminary approval certified a nationwide settlement class of individuals who, between March 30, 2016 and the settlement date, “registered, used, opened or downloaded the [company’s] [m]eetings [a]pplication.” Under the terms of the preliminarily approved settlement, the company will establish an $85 million non-reversionary cash fund to pay valid claims, and will make several major changes to its practices to “improve meeting security, bolster privacy disclosures, and safeguard consumer data.” Among other things, the company will “provide in-meeting notifications to make it easier for users to understand who can see, save and share [their] information and content by alerting users when a meeting host or another participant uses a third-party application during a meeting.” Additionally, the company must educate users about available security features, and ensure its privacy statement discloses the ability of users to share user data with third parties through integrated third-party software, record meetings, and/or transcribe meetings.   

    Courts Privacy/Cyber Risk & Data Security Settlement Class Action State Issues

  • District Court partially denies company’s motion to dismiss in data breach class action

    Courts

    On October 19, the U.S. District Court for the District of South Carolina granted in part and denied in part a defendant software company’s motion to dismiss a putative class action, which alleged the company had a “deficient security program” in place that led to a ransomware attack. The plaintiffs alleged that the defendant failed to comply with industry and regulatory standards by neglecting to implement proper security measures. According to the plaintiffs, after the ransomware attack, the defendant “launched a narrow internal investigation into the attack that analyzed a limited number of [the defendant's] systems and did not address the full scope of the attack.” The plaintiffs contended that the defendant also failed to provide timely and adequate notice of the attack and the extent of the resulting data breach.

    The court ordered various phases of motions practice, and addressed certain common law claims against the defendant for negligence, negligence per se, gross negligence, and unjust enrichment. With respect to the negligence and gross negligence claims, the court denied the defendant’s motion to dismiss, finding that plaintiffs alleged sufficient facts to show that the defendant owed them a duty to protect the information. The court, however, granted defendant’s motion to dismiss the plaintiffs’ negligence per se claims premised on defendant’s alleged violations of the FTC Act, HIPAA, and COPPA, finding that the plaintiff failed to state such a claim as applied under South Carolina law. Finally, the court granted the defendant’s motion to dismiss the plaintiffs’ unjust enrichment claim because plaintiffs failed to allege facts to show that they conferred a benefit on defendant to support a claim for unjust enrichment.

    Courts Class Action Ransomware Negligence Data Breach State Issues Privacy/Cyber Risk & Data Security

  • CFPB and debt relief company agree to permanent injunction

    Courts

    On October 20, the U.S. District Court for the Northern District of Georgia entered a default judgment and order against five participants in an allegedly illegal debt collection scheme involving certain payment processors and a telephone broadcast service provider (collectively, “default defendants”) for their role in the operation. As previously covered by InfoBytes, in 2017, the U.S. District Court for the Northern District of Georgia dismissed claims brought by the CFPB against the default defendants. (See additional InfoBytes coverage here.) According to a complaint filed in 2015, the defendants “knew, or should have known” that the debt collectors were contacting millions of consumers in an attempt to collect debt that consumers did not owe or that the collectors were not authorized to collect by using threats, intimidation, and deceptive techniques in violation of the CFPA and the FDCPA.

    The court entered a $5.1 million judgment against the default defendants, who are jointly and severally liable with the non-default defendants. The default defendants must pay civil monetary penalties ranging from $100,000 to $500,000 to the Bureau. The judgment also, among other things, permanently bans the default defendants from attempting collections on any consumer financial product or service and from selling any debt-relief service.

    Courts CFPB Payment Processors CFPA FDCPA UDAAP Debt Collection Enforcement

  • District Court approves non-party settlement in student debt-relief action

    Courts

    On October 20, the U.S. District Court for the Central District of California approved a settlement with two non-parties in an action brought by the CFPB, the Minnesota and North Carolina attorneys general, and the Los Angeles City Attorney, alleging a student loan debt relief operation deceived thousands of student-loan borrowers and charged more than $71 million in unlawful advance fees. As previously covered by InfoBytes, the complaint asserted that the defendants violated the CFPA, the Telemarketing Sales Rule, and various state laws. Amended complaints (see here and here) also added new defendants and included claims for avoidance of fraudulent transfers under the FDCPA and California’s Uniform Voidable Transactions Act, among other things. A stipulated final judgment and order was entered against the named defendant in July (covered by InfoBytes here), which required the payment of more than $35 million in redress to affected consumers, a $1 civil money penalty to the Bureau, and $5,000 in civil money penalties to each of the three states. The court also previously entered final judgments against several of the defendants, as well as a default judgment and order against two other defendants (covered by InfoBytes here, here, here, and here). The most recent settlement resolves a dispute between a court-appointed receiver and the two non-parties. The settlement requires the non-parties to pay $675,000 to the receiver.

    Courts CFPB Enforcement State Attorney General State Issues CFPA UDAAP Telemarketing Sales Rule FDCPA Student Lending Debt Relief Consumer Finance Settlement

  • Meal-kit delivery service reaches $14 million TCPA class action settlement

    Courts

    On October 15, the U.S. District Court for the District of Massachusetts granted final approval to a $14 million TCPA class action settlement, resolving allegations that a meal-kit delivery service (or its vendor) placed telemarketing calls to customers’ phone numbers. Class members consist of customers who (i) received one or more calls placed using a dialing platform; (ii) received at least two telemarketing calls during any 12-month time period where their phone numbers were on the National Do Not Call Registry for at least 31 days before the call was placed; and/or (iii) received one or more calls after registering their phone numbers with the company’s internal do-not-call list. As part of the $14 million settlement, class counsel will receive more than $3.4 million in attorneys’ fees and costs and the settlement administrator will receive $450,000. Two named plaintiffs will receive service payments of $10,000 each, while another seven named plaintiffs will each receive service payments ranging from $2,000 to $5,000.

    Courts Class Action TCPA Telemarketing Settlement
