InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
9th Circuit denies bid to block Arizona’s dealer data privacy law
On October 25, the U.S. Court of Appeals for the Ninth Circuit affirmed a district court’s order denying a motion for preliminary injunction against enforcement of an Arizona statute designed to strengthen privacy protections for consumers whose data is collected by auto dealers. Under the Dealer Law, database providers are prohibited from limiting access to dealer data by dealer-authorized third parties and are required to create a standardized framework to facilitate access. The plaintiffs—technology companies that license dealer management systems (DMS)—sued the Arizona attorney general and the Arizona Automobile Dealers Association in an attempt to stop the Dealer Law from taking effect. The plaintiffs contended that the Dealer Law is preempted by the Copyright Act because it gives dealers the right to access plaintiff’s systems and create unlicensed copies of its dealer management system, application programming interfaces, and data compilations. The plaintiffs further claimed the Dealer Law is a violation of the U.S. Constitution’s contracts clause.
On appeal, the 9th Circuit agreed that the plaintiffs were not entitled to a preliminary injunction. The appellate court concluded that the Dealer Law was not preempted by the Copyright Act, because, among other things, the plaintiffs could comply with the Dealer Law without having to create a new copy of its software to process third-party requests. Moreover, the 9th Circuit noted that even if the plaintiffs had to create copies of their DMS on their servers to process third-party requests, they failed to established that those copies would infringe their reproduction right, and the copies the plaintiffs took objection to “would be copies of its own software running on its own servers and not shared with anyone else.” The appellate court further held that the Dealer Law was not a violation of the U.S. Constitution’s contracts clause because, among other things, plaintiffs did not show that complying with the Dealer Law prevented them from being able to keep dealer data confidential. “Promoting consumer data privacy and competition plainly qualify as legitimate public purposes,” the appellate court wrote. “[Plaintiffs] point[] out that the Arizona Legislature did not make findings specifying that those were the purposes motivating the enactment of the statute, but it was not required to do so. The purposes are apparent on the face of the law.”
2nd Circuit: Turkish bank not immune from sanctions
On October 22, the U.S. Court of Appeals for the Second Circuit upheld a district court’s ruling against a Turkish state-owned commercial bank (defendant) denying its bid for immunity based on its characterization of an “instrumentality” of a foreign service, which is not entitled to immunity from criminal prosecution at common law. The U.S. government alleged that the bank converted Iranian oil money into gold and hid the transactions as purchases of goods to avoid conflicting sanctions against Iran. The district court denied the defendant’s motion to dismiss and partially concluded that the defendant was not immune from prosecution because the Foreign Sovereign Immunities Act (FSIA) confers immunity on foreign services only in civil proceedings. Furthermore, the district court concluded that, “even assuming arguendo that FSIA did confer immunity to foreign sovereigns in criminal proceedings, [the defendant’s] conduct would fall within FSIA’s commercial activity exception.” Additionally, the district court rejected the defendant’s “contention that it was entitled to immunity from prosecution under the common law, noting that [the defendant] failed to cite any support for its claim on this basis.” The district court found that the defendant’s characterization of its activities as sovereign in nature “conflates the act with its purpose,” finding that the lender's alleged money laundering was the type of activity regularly carried out by private businesses. The fact that the defendant is majority-owned by the Turkish Government is irrelevant under FSIA even if it is related to Turkey’s foreign policy because “literally any bank can violate sanctions.”
On appeal, the 2nd Circuit noted that it was unnecessary to resolve a question presented in the case—if foreign governments can assert immunity against criminal, as well as civil, charges—since money laundering would qualify as a commercial activity exception. The appellate court noted that, “[t]he gravamen of the Indictment is not that [the bank] is the Turkish Government’s repository for Iranian oil and natural gas proceeds in Turkey,” but that “it is [the bank’s] participation in money laundering and other fraudulent schemes designed to evade U.S. sanctions that is the ‘core action.’” And, “because those core acts constitute ‘an activity that could be, and in fact regularly is, performed by private-sector businesses,’ those acts are commercial, not sovereign, in nature.” The opinion also notes that “[e]ven assuming the FSIA applies in criminal cases—an issue that we need not, and do not, decide today—the commercial activity exception to FSIA would nevertheless apply to [the defendant’s] charged offense conduct.” The appellate court agreed with the district court, concluding that the bank must face criminal charges in the U.S. for allegedly assisting Iran evade economic sanctions by laundering approximately $20 billion in Iranian oil and gas revenues.
District Court denies MSJ in FDCPA case
On October 19, the U.S. District Court for the Middle District of Florida denied a defendant’s motion for judgment without prejudice concerning allegations that it knowingly ignored cease-and-desist letters sent by an individual while the individual had a pending bankruptcy petition. The plaintiff allegedly incurred a debt that was placed with the defendant for collection. After, the plaintiff sought protection under the Bankruptcy Code. During the bankruptcy case, the defendant allegedly sent the plaintiff text messages to collect the debt, the plaintiff responded with a cease-and-desist letter, and then the defendant sent the plaintiff a collection letter. The plaintiff sent another cease and desist letter and the defendant sent four more collection letters. Based on the defendant’s post-petition actions, the plaintiff sued for FDCPA and Florida Consumer Collection Practices Act violations. The defendant argued that the plaintiff failed to disclose this lawsuit in her bankruptcy case, which would result in the FDCPA case being dismissed on judicial estoppel grounds. However, the court found that while the plaintiff omitted the name and specific circumstances of her claims against the defendant, she “put the Bankruptcy Court, trustee, and creditors on notice she had a claim against a creditor and properly sought approval from the Bankruptcy Court before retaining counsel to pursue it.” The court went on to state that if the plaintiff “intended to deceive creditors or others in bankruptcy, filing the Application strayed from that intent,” and that “the filing mitigates any prejudice claimed by [the defendant].”
District Court preliminarily approves $85 million class action privacy settlement
On October 21, the U.S. District Court for the Northern District of California preliminarily approved an $85 million class action settlement to resolve privacy and data security allegations against a video conferencing provider. Class members claimed the company violated several California laws, including invasion of privacy, the “unlawful” and “unfair” prongs under the Unfair Competition Law, implied covenant of good faith and fair dealing, and unjust enrichment, among others. According to class members, the company unlawfully shared their personal data with unauthorized third parties, failed to prevent unwanted and unauthorized meeting disruptions, and misrepresented the strength of its end-to-end encryption measures. The court’s preliminary approval certified a nationwide settlement class of individuals who, between March 30, 2016 and the settlement date, “registered, used, opened or downloaded the [company’s] [m]eetings [a]pplication.” Under the terms of the preliminarily approved settlement, the company will establish an $85 million non-reversionary cash fund to pay valid claims, and will make several major changes to its practices to “improve meeting security, bolster privacy disclosures, and safeguard consumer data.” Among other things, the company will “provide in-meeting notifications to make it easier for users to understand who can see, save and share [their] information and content by alerting users when a meeting host or another participant uses a third-party application during a meeting.” Additionally, the company must educate users about available security features, and ensure its privacy statement discloses the ability of users to share user data with third parties through integrated third-party software, record meetings, and/or transcribe meetings.
District Court partially denies company’s motion to dismiss in data breach class action
On October 19, the U.S. District Court for the District of South Carolina granted in part and denied in part a defendant software company’s motion to dismiss a putative class action, which alleged the company had a “deficient security program” in place that led to a ransomware attack. The plaintiffs alleged that the defendant failed to comply with industry and regulatory standards by neglecting to implement proper security measures. According to the plaintiffs, after the ransomware attack, the defendant “launched a narrow internal investigation into the attack that analyzed a limited number of [the defendant's] systems and did not address the full scope of the attack.” The plaintiffs contended that the defendant also failed to provide timely and adequate notice of the attack and the extent of the resulting data breach.
The court ordered various phases of motions practice, and addressed certain common law claims against the defendant for negligence, negligence per se, gross negligence, and unjust enrichment. With respect to the negligence and gross negligence claims, the court denied the defendant’s motion to dismiss, finding that plaintiffs alleged sufficient facts to show that the defendant owed them a duty to protect the information. The court, however, granted defendant’s motion to dismiss the plaintiffs’ negligence per se claims premised on defendant’s alleged violations of the FTC Act, HIPAA, and COPPA, finding that the plaintiff failed to state such a claim as applied under South Carolina law. Finally, the court granted the defendant’s motion to dismiss the plaintiffs’ unjust enrichment claim because plaintiffs failed to allege facts to show that they conferred a benefit on defendant to support a claim for unjust enrichment.
CFPB and debt relief company agree to permanent injunction
On October 20, the U.S. District Court for the Northern District of Georgia entered a default judgment and order against five participants in an allegedly illegal debt collection scheme involving certain payment processors and a telephone broadcast service provider (collectively, “default defendants”) for their role in the operation. As previously covered by InfoBytes, in 2017, the U.S. District Court for the Northern District of Georgia dismissed claims brought by the CFPB against the default defendants. (See additional InfoBytes coverage here.) According to a complaint filed in 2015, the defendants “knew, or should have known” that the debt collectors were contacting millions of consumers in an attempt to collect debt that consumers did not owe or that the collectors were not authorized to collect by using threats, intimidation, and deceptive techniques in violation of the CFPA and the FDCPA.
The court entered a $5.1 million judgment against the default defendants, who are jointly and severally liable with the non-default defendants. The default defendants must pay civil monetary penalties ranging from $100,000 to $500,000 to the Bureau. The judgment also, among other things, permanently bans the default defendants from attempting collections on any consumer financial product or service and from selling any debt-relief service.
District Court approves non-party settlement in student debt-relief action
On October 20, the U.S. District Court for the Central District of California approved a settlement with two non-parties in an action brought by the CFPB, the Minnesota and North Carolina attorneys general, and the Los Angeles City Attorney, alleging a student loan debt relief operation deceived thousands of student-loan borrowers and charged more than $71 million in unlawful advance fees. As previously covered by InfoBytes, the complaint asserted that the defendants violated the CFPA, the Telemarketing Sales Rule, and various state laws. Amended complaints (see here and here) also added new defendants and included claims for avoidance of fraudulent transfers under the FDCPA and California’s Uniform Voidable Transactions Act, among other things. A stipulated final judgment and order was entered against the named defendant in July (covered by InfoBytes here), which required the payment of more than $35 million in redress to affected consumers, a $1 civil money penalty to the Bureau, and $5,000 in civil money penalties to each of the three states. The court also previously entered final judgments against several of the defendants, as well as a default judgment and order against two other defendants (covered by InfoBytes here, here, here, and here). The most recent settlement resolves a dispute between a court-appointed receiver and the two non-parties. The settlement requires the non-parties to pay $675,000 to the receiver.
Meal-kit delivery service reaches $14 million TCPA class action settlement
On October 15, the U.S. District Court for the District of Massachusetts granted final approval to a $14 million TCPA class action settlement, resolving allegations that a meal-kit delivery service (or its vendor) placed telemarketing calls to customers’ phone numbers. Class members consist of customers who (i) received one or more calls placed using a dialing platform; (ii) received at least two telemarketing calls during any 12-month time period where their phone numbers were on the National Do Not Call Registry for at least 31 days before the call was placed; and/or (iii) received one or more calls after registering their phone numbers with the company’s internal do-not-call list. As part of the $14 million settlement, class counsel will receive more than $3.4 million in attorneys’ fees and costs and the settlement administrator will receive $450,000. Two named plaintiffs will receive service payments of $10,000 each, while another seven named plaintiffs will each receive service payments ranging from $2,000 to $5,000.
8th Circuit says website terms of use are unenforceable
On October 8, the U.S. Court of Appeals for the Eight Circuit overturned a district court’s ruling that a corporate defendant’s arbitration clause found in its website’s terms of use was unenforceable. The 8th Circuit disagreed holding that a triable issue of material fact existed as to whether the plaintiffs agreed to arbitrate. Relying on a notation on the back of the gift cards that directed purchasers to its website where the terms of use and arbitration agreement were located, the defendant argued that the plaintiffs had agreed to arbitration. The district court disagreed explaining that plaintiffs “could not assent to it. . .unless they saw it first. For that reason, there was no ‘need’ to hold ‘a trial on the question of arbitrability.’”
On the appeal, the 8th Circuit explained that the district court’s task was to determine if the defendant and the plaintiffs had an arbitration agreement, and, if so, what it covered; however, the district court improperly addressed the question of mutual consent, which was in dispute and “generally a factual question.” According to the 8th Circuit, where there is a material dispute of fact regarding whether there was an agreement to arbitrate, the Federal Arbitration Act requires the district court to proceed to a trial on the issue.
District Court: News reports cannot reverse dismissal of sanctions suit
On October 13, the U.S. District Court for the Southern District of New York denied a relator’s motion seeking indicative relief, ruling that post-ruling news reports were insufficient to reverse the dismissal of a qui tam suit accusing a UK-based bank and related entities (collectively, “defendants”) of violating U.S. sanctions against Iran. In 2020, the court dismissed the complaint after finding that the government “had articulated multiple valid purposes served by dismissal, and that relator had not carried its burden to show that a dismissal would be ‘fraudulent, arbitrary or capricious, or illegal.’” The relator’s appeal to the U.S. Court of Appeals for the Second Circuit is pending. At the district court, the relator moved for indicative relief based on the premise that if the court had jurisdiction, it would have vacated the dismissal based on disclosures in post-dismissal media reports.
According to the opinion, the defendants entered into a deferred prosecution agreement (DPA) with the DOJ in 2012 following a multi-year, multi-agency investigation concerning allegations that defendants deceptively facilitated U.S. dollar transactions by Iranian clients between 2001 and 2007 in violation of U.S. sanctions and various New York and federal banking regulations. The defendants admitted to the violations and paid hundreds of millions of dollars in fines and penalties. The relator subsequently filed a qui tam action alleging the defendants misled the government in negotiating the DPA. A government investigation found no support for the allegations. In 2019, the DOJ entered a new DPA with defendants. The relator amended its complaint alleging improper conduct related to the 2019 DPA, which the court dismissed.
The relator then filed the instant motion to reopen the case, arguing that news reports published in 2020 showed that the defendants engaged in transactions with sanctioned Iranian entities after 2007, which was contrary to the government’s representations when it moved to dismiss the case. The relator claimed that the government incorrectly asserted that it closely examined records before seeking dismissal and failed to honestly conclude that the allegations were meritless. In denying the relator’s motion, the court explained that the relator failed to show that the news reports would be admissible or were important enough to change the outcome of the earlier motion to dismiss. The court held that news reports are inadmissible and further concluded that none of the suspicious activity reports discussed in the news reports contradicted the government’s representations in its motion to dismiss.