InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Pennsylvania Attorney General sues ride-sharing company for 2016 data breach
On March 5, Pennsylvania Attorney General filed a lawsuit against a ride-sharing company for violating Pennsylvania’s Breach of Personal Information Notification Act (BPINA) because of its failure to disclose a 2016 data breach caused by hackers. The complaint alleges that after the company became aware of the breach, it “paid the hackers at least $100,000 to delete the acquired consumer data and keep quiet.” According to the complaint, the breached data included the private information of at least 13,500 Pennsylvania drivers. The Attorney General asserts that, under the BPINA, the company must provide notice to the affected residents without unreasonable delay. Instead, the company waited until November 2017 to disclose the incident. Among other things, the complaint seeks civil penalties in the amount of $1,000 or $3,000, depending on the consumer’s age, for each individual BPINA violation.
The Pennsylvania lawsuit follows similar lawsuits by the City of Chicago and Washington State, previously covered by InfoBytes here.
Virginia Attorney General sues pension sale lender who targeted retired veterans and government employees; obtains full restitution for customers of online lender
On March 7, the Virginia Attorney General took action against Delaware- and Nevada-based installment lenders (defendants) for allegedly making illegal loans with excessive annual interest rates that were disguised as “lump sum” cash payouts to Virginia consumers, in violation of the Virginia Consumer Protection Act (VCPA). According to the complaint, the defendants disguised the high interest loans to Virginia pensioners as “Purchase and Sale Agreements” involving a “sale” or “pension advance” in an effort to bypass consumer lending laws, including TILA and Regulation Z disclosure requirements. Furthermore, the complaint alleges that the loans charged interest rates as high as 183 percent, far exceeding the state’s 12 percent annual usury cap, but because they were misrepresented as sales, defendants avoided potential private actions brought by consumers to recover excessive interest payments. The complaint seeks injunctive and monetary relief.
Separately, on February 23, the Virginia Attorney General announced a settlement with a group of affiliated online lenders and debt collectors (defendants) to resolve violations of the VCPA through the offering of unlawful open-end credit plan loans and engaging in illegal debt collection practices. According to the Assurance of Voluntary Compliance approved earlier in February, between January 2015 through mid-June 2017, the defendants (i) offered open-end credit plan loans and imposed bi-monthly “service fees” that—when calculated with the advertised interest—greatly increased the loan’s cost and exceeded the state’s 12 percent annual limit; (ii) imposed illegal finance charges and other service fees on borrowers during the required 25-day grace period; (iii) contacted consumers in an effort to collect on these loans; and (iv) contacted the consumers' employers to implement wage assignments and garnish wages from consumers' paychecks. Under the terms of the settlement, defendants will provide nearly $150,000 in restitution and debt forgiveness, pay $105,000 in civil penalties and attorneys’ fees, and are permanently enjoined from consumer lending and debt collection activities in the state.
California district court rules social media company cannot dismiss non-users’ facial scan privacy claims
On March 2, the U.S. District Court for the Northern District of California denied a motion to dismiss an action for lack of standing in a lawsuit brought under the Illinois Biometric Information Privacy Act (BIPA) against a social media company (defendant) for allegedly collecting and storing non-user facial scans. The action was similar to a consolidated class action lawsuit brought by users of the site in 2016. The court found that the factual difference between the two cases (one involving users and one involving non-users) was irrelevant for its Article III analysis. Citing to his February 26 decision (February decision) in the related case, the judge concluded that the abrogation of the plaintiffs’ procedural rights under BIPA, which allow users to control their biometric information, amounted to a concrete injury under Article III. As the court noted in the February decision: “BIPA vested in Illinois residents the right to control their biometric information by requiring notice before collection and giving residents the power to say no by withholding consent,” and that there is “equally little doubt . . . that a violation of BIPA’s procedures would cause actual and concrete harm.” The court rejected the defendant’s argument that it did not store non-users’ biometric information, stating that such factual evidence, which is disputed by the plaintiffs, goes to the merits of the case and cannot be weighed or resolved at the motion to dismiss stage.
New York Attorney General settles HIPAA allegations with a health insurance company
On March 6, the New York Attorney General announced a settlement with a healthcare provider for an alleged violation of the Health Insurance Portability Accountability Act (HIPAA) concerning a mailing error, which resulted in the disclosure of over 80,000 social security numbers. According to the announcement, in October 2016, the healthcare provider discovered that its mailing envelopes for certain health policies inadvertently included the customers’ social security numbers as part of the “Health Insurance Claim Number” printed on the envelope. Under the terms of the settlement, the healthcare provider is required to pay a $575,000 fine, review its policies and procedures, and implement a corrective action plan which includes an analysis of the security risks associated with the mailing of policy documents.
International bank settles with New York Attorney General for $500 million for RMBS misconduct
On March 6, the New York Attorney General announced a $500 million settlement with an international bank to resolve allegations of misrepresentations in the sale of residential mortgage-backed securities (RMBS), in violation of New York’s Martin Act and Section 63(12) of New York’s Executive Law. According to the settlement agreement, the investigation focused on 44 securitizations sold by the bank between 2006 and 2007. In addition to the alleged misrepresentations in the offering documents, the bank also included loans in the sales portfolio that due diligence vendors warned did not comply with underwriting guidelines. The $500 million settlement includes $100 million in damages to New York State and $400 million to consumer relief programs.
As previously covered by InfoBytes, the bank recently settled with the California Attorney General for misrepresentations while selling RMBS to California’s public employee and teacher pension fund.
Nebraska, South Dakota enact legislation relating to security breaches and credit freezes
On March 1, the governor of South Dakota signed House Bill 1078 to revise certain provisions addressing the removal of credit security freezes. The amended act states that a security freeze will remain in place until a consumer requests the removal from the consumer reporting agency. The consumer reporting agency is then required to remove the freeze within three business days. Separately, on February 27, the governor signed House Bill 1127 (HB 1127) to revise certain provisions concerning fees charged for security freezes. Among other things, HB 1127 prohibits consumer reporting agencies from charging a fee for placing or removing a security freeze, and stipulates that a consumer reporting agency may advise a third party that a consumer’s credit report has been frozen.
On February 28, the governor of Nebraska approved Legislative Bill 757 strengthening certain provisions of the state’s Credit Report Protection Act and the Financial Data Protection and Consumer Notification of Data Security Breach Act of 2006. Among other things, the amendments state that (i) any individual or commercial entity in the state that possesses computerized data containing personal information of Nebraska residents must maintain reasonable security and disposal procedures and practices; (ii) nonaffiliated third-parties with access to personal information must also maintain reasonable security and disposal procedures; and (iii) consumer reporting agencies must provide services free-of-charge for the placement or removal of a credit security freeze. The legislation also outlines additional violations under which the Nebraska Attorney General can enforce protection of consumer privacy in the event of a data breach.
Florida judge rules borrower failed to establish RESPA private right of action
On February 20, a federal judge for the U.S. District Court for the Southern District of Florida issued an opinion and order against a borrower after a two-day bench trial, finding that the borrower failed to establish a private right of action for any of her alleged RESPA violations. According to the opinion, one of the defendants, a mortgage company, initiated foreclosure proceedings against the borrower for failing to pay required insurance and tax associated with her reverse mortgage. During this period, the mortgage company purchased force-placed insurance through an insurance intermediary company to protect its collateral for the reverse mortgage. When the borrower later brought the account current, the mortgage company dismissed the foreclosure complaint. However, the borrower filed a suit against the mortgage company for failing to “advance insurance premiums on her behalf through an escrow account” and against the second defendant, an insurance company, for procuring a policy that “tortiously interfered” with her business relationship with the mortgage company. Specifically, the borrower alleged the procedure used to obtain the force-placed rates violated Florida Insurance Code Section 626.916, and were, therefore, “not bona fide and reasonable under RESPA.”
However, the judge ruled that none of the borrower’s claims created a private right of action under RESPA, and furthermore, the borrower could not “bootstrap Section 626.916 through another cause of action.” Additionally, the judge noted that counsel for the borrower was unable to provide case law authority to support the “proposition that [the borrower’s] RESPA claim could be premised on a Florida statue which lacked a private right of action.” Concerning the borrower’s allegations of tortious interference against the insurance company, the judge concluded that the claim failed to show that the insurance company “intentionally or unjustifiably” interfered with her relationship with the mortgage company.
Texas State Securities Board issues order halting unregistered cryptocurrency trading operation
On February 26, the Texas State Securities Board (Board) issued an emergency cease and desist order (order) to an unregistered cryptocurrency trading operation for allegedly targeting investors through fraudulent and materially misleading online advertisements and offering unregistered securities for sale. According to the order, the company purportedly—in addition to intentionally seeking to mislead the public by promoting high-return investment opportunities—failed to disclose risks associated with cryptocurrency mining, promised investors it would comply with “all relevant laws and regulations,” and claimed that its fund directors were regulated by the Cayman Islands. The Board further asserted the company failed to disclose the true identities of its Code of Ethics Association members responsible for “contract law, due diligence and corporate law,” and instead, created the impression it was associated with attorneys and judges, including U.S. Supreme Court Justice Ruth Bader Ginsburg. Under the terms of the order, the company, among other things, is prohibited from engaging in the sale of securities in the state until the security is registered with the SEC or exempt from registration under the Texas Securities Act, and cannot act as a securities dealer until it complies with the same.
Alabama extends right of redemption period
On February 22, Alabama enacted HB 90, which amends the Code of Alabama section relating to the right of redemption on residential property. The amendment provides for a one-year right of redemption period after the foreclosure sale date. Alabama requires a mortgagee to mail a notice of a mortgagor’s right of redemption at least 30 days prior to the foreclosure sale, and the amendment allows the mortgagee to use the proof of mailing of the notice as an affirmative defense to any notice requirement action. Finally, the amendment reduces the time all actions related to the notice requirement must be brought from two years to one year after the date of foreclosure.
Virginia district judge holds RESPA early intervention requirements confer private right of action
On February 20, a judge for the U.S. District Court for the Western District of Virginia ruled that the early intervention requirements of RESPA allow for a private right of action to pursue claims against loan servicers. According to the opinion, consumers filed a complaint against a mortgage servicer for allegedly violating RESPA’s early intervention requirements under Regulation X, Section 1024.39, which require the servicer to “establish or make good faith efforts to establish live contact with a delinquent borrower not later than the 36th day of the borrower’s delinquency” and promptly inform the borrower of potential loss mitigation options. The servicer filed a motion to dismiss the action for failure to state a claim, arguing that Section 1024.39 does not provide a private right of action. In denying the motion to dismiss, the court concluded that the CFPB adopted Section 1024.39 pursuant to Section 6 of RESPA, which expressly provides a private right of action and therefore, Section 1024.39 had been intended to convey a private right of action as well.