InfoBytes Blog

Financial Services Law Insights and Observations

  • Pelosi cites preemption concerns in federal privacy bill

    Federal Issues

    On September 1, Speaker of the House Nancy Pelosi (D-CA) released a statement commending the House Energy and Commerce Committee’s work on advancing the American Data Privacy and Protection Act (ADPPA) to the House floor (covered by InfoBytes here). However, Pelosi also recognized preemption concerns raised by the California governor, the California Privacy Protection Agency, and other top state leaders. “With so much innovation happening in our state, it is imperative that California continues offering and enforcing the nation’s strongest privacy rights,” Pelosi said. “California’s landmark privacy laws and the new kids age-appropriate design bill, both of which received unanimous and bipartisan support in both chambers, must continue to protect Californians—and states must be allowed to address rapid changes in technology.” Praising measures in the ADPPA that would give consumers the right, for the first time, to seek damages in court for violations of their privacy rights, Pelosi said the House “will continue to work with Chairman Pallone to address California’s concerns.” As previously covered by InfoBytes, the ADPPA also received criticism from several state attorneys general who argued, among other things, that “Congress should adopt a federal baseline, and continue to allow states to make decisions about additional protections for consumers residing in their jurisdictions,” instead of preempting areas of state privacy regulation.

    Federal Issues Privacy, Cyber Risk & Data Security Federal Legislation U.S. House American Data Privacy and Protection Act State Issues California Consumer Protection

  • Temporary exemptions under CCPA/CPRA for human resource and business-to-business data set to expire January 1, 2023

    Privacy, Cyber Risk & Data Security

    The California legislative session ended on August 31, foreclosing any chance of the legislature extending temporary exemptions under the California Consumer Privacy Act (CCPA)/California Privacy Rights Act (CPRA) related to human resource and business-to-business data, set to expire January 1, 2023. The legislature proposed several bills throughout the legislative session that would have extended the exemptions, but all of them stalled. In a last-ditch effort, a California assembly member proposed amendments to AB 1102 that would have extended the exemptions to January 1, 2025 if adopted during the August 31 floor session.

    According to the amendments, the CPRA recognized that various rights afforded to consumers under the CCPA and CPRA are not suited to the employment context, and as such, clarified that the CPRA “does not apply to personal information collected by a business about a natural person in the course of the natural person acting within the employment context, including emergency contact information, information necessary to administer benefits, or information collected in the course of business to business communications or transactions.” The amendments attempted to extend the exemption for “personal information that is collected and used by a business solely within the context of having an emergency contact on file, administering specified benefits, or a person’s role or former role as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or an independent contractor of that business.” The amendments also proposed extending certain exemptions related to “personal information reflecting a communication or a transaction between a business and a company, partnership, sole proprietorship, nonprofit, or government agency that occurs solely within the context of the business conducting due diligence or providing or receiving a product or service.” Although the amendments did not address the reason for the extension for the business exemption, they stated that while the legislature and advocates continue to engage in discussions concerning the enactment of “robust and implementable privacy protections tailored to the employment context,” extending the exemptions would provide temporary protections around worker monitoring while giving businesses more time to enact these protections. However, the amendments were not adopted, and the exemptions will expire as originally intended on January 1, 2023.

    As previously covered by InfoBytes, the CPRA (largely effective January 1, 2023, with enforcement delayed until July 1, 2023) was approved by ballot measure in November 2020 to amend and build on the CCPA. In July, the California Privacy Protection Agency initiated formal rulemaking procedures to adopt proposed regulations implementing the CPRA (covered by InfoBytes here). CPPA Executive Director Ashkan Soltani said he expects the rulemaking process to extend into the second half of the year.

    Privacy, Cyber Risk & Data Security State Issues State Legislation CCPA CPRA CPPA Agency Rule-Making & Guidance Consumer Protection

  • 11th Circuit says one-year statutory notice period cannot be varied

    Courts

    On August 26, the U.S. Court of Appeals for the Eleventh Circuit vacated and remanded a district court’s summary judgment in favor of a bank after determining that the plaintiff-appellants’ claim for statutory repayment is not time-barred. Plaintiffs (Venezuelan citizens residing in Venezuela) maintained personal and commercial bank accounts at a Florida branch of the bank. According to the plaintiffs, a bank employee changed the email account associated with the bank accounts to a new fraudulent email. Identity thieves were later able to bypass security measures on the account, gave correct answers to security questions, and sent documents with signatures that matched ones the bank had on file, resulting in roughly $850,000 being transferred out of one of the accounts. Plaintiffs contended they were locked out of their accounts and struggled to contact the bank for months without success. After eventually regaining access to their accounts, plaintiffs discovered the stolen money and sued for a variety of claims, including fraud, negligence, and breach of contract. They also claimed that the bank was required to refund them for the fraudulent wire transfers under Florida Statutes § 670.202. The bank argued, among other things, that the plaintiffs’ claims were time-barred because they failed to notify the bank about the alleged fraud within 30 days of receiving a bank statement. Plaintiffs responded that the Florida Statutes provide a one-year time period to notify a bank of an unauthorized wire transfer and stated that the time period could not be modified by agreement. The district court entered summary judgment for the bank, concluding “that the one-year period was modifiable and that the parties had modified it.” The district court also determined that because the bank’s procedures were “commercially reasonable” and followed “in good faith” it was not liable to the plaintiffs to repay the wire transfers.

    On appeal, the 11th Circuit held that the plaintiffs were still within their statutory one-year notification period when they notified the bank of the fraudulent wire transfers, and rejected the bank’s argument that it could shorten the notification period to 30 days. The 11th Circuit, in rejecting the bank’s argument, determined that it cannot “shift the loss of an unauthorized order to the customer during the statutorily determined period,” adding that “if the one-year statutory notice period could be varied, then banks could insist that customers sign contracts that make the time to demand a refund of a fraudulent payment a day (or even less). That would impair the account holder’s right to a refund and defeat Florida’s intent that banks—not account holders—bear the risk of a fraudulent transfer for the first year following the transfer. And there’s no limiting principle in the text for how short banks could make the statutory refund period.” Pointing out that the bank was unable to identify a limiting principle at oral argument, the appellate court concluded that “if banks could modify the one-year period, there’s no principled way to draw the line as to how short of a refund period is too short.” On remand, the 11th Circuit also instructed the district court to review whether the bank’s security procedures are “commercially reasonable.”

    Courts State Issues Fraud Appellate Eleventh Circuit Privacy, Cyber Risk & Data Security

  • District Court denies request to reverse summary judgment in FDIA suit

    Courts

    On August 29, the U.S. District Court for the Eastern District of Pennsylvania denied a consumer plaintiff’s request to reconsider its summary judgment order against him in a Federal Deposit Insurance Act (FDIA) suit. According to the opinion, the plaintiff accrued debt to a federally-insured, state-chartered bank, which had then assigned that debt to defendants, who were not state-chartered, federally-insured banks. The plaintiff’s debt included interest charges that had accrued at an annual rate between 24.99 percent and 25.99 percent, which the plaintiff argued could not be collected by defendants because the interest exceeded the six percent allowed under Pennsylvania's usury law. The court ruled in favor of the defendants, relying on a recently promulgated FDIC rule that determined that state usury laws are preempted by section 27 of the FDIA in cases where state usury law interferes with state-chartered, federally-insured banks' ability to make loans or when they interfere with a state-chartered, federally-insured bank’s assignee’s efforts to collect on those loans. The plaintiff requested the reconsideration of the district court's summary judgment decision and filed a notice of appeal to the U.S. Court of Appeals for the Third Circuit. In his motion for reconsideration, the plaintiff argued that the court’s previous summary judgment decision was “erroneous” because: (i) the 3rd Circuit held in In re: Community Bank of Northern Virginia that “the FDIA unambiguously excludes non-bank purchasers of debt from its coverage and that deference to the FDIC’s contrary interpretation would, therefore, be inappropriate”; (ii) the FDIC’s rule cannot apply to his debts because such an application would be impermissibly retroactive; and (iii) LIPL fits within the FDIC rule’s exception for “licensing or regulatory requirements.”

    The court denied the plaintiff’s motion for reconsideration, holding that the plaintiff “failed to identify an appropriate basis for reconsideration,” as the consumer’s arguments are “either a new argument that could have been presented before judgment was entered or a reprisal of an argument that the Court addressed in its original decision.” The court further noted that it would be “inappropriate for the Court to grant a motion to reconsider under either of those circumstances.” The court went on to determine that the new arguments advanced by the plaintiff were unpersuasive in any event, finding that the 3rd Circuit had not held section 27 of the FDIA to be unambiguous in its meaning and that application of the FDIC’s rule did not create an impermissible retroactive effect.

    Courts State Issues Interest Deposit Insurance Usury Third Circuit Appellate Federal Deposit Insurance Act Pennsylvania Consumer Finance

  • District Court dismisses ransomware suit alleging negligence

    Courts

    On August 30, the U.S. District Court for the Northern District of Indiana granted a software company defendant’s motion to dismiss, ruling that a healthcare system nonprofit (the “nonprofit”) and its insurer (collectively, “plaintiffs”) had not plausibly alleged that the 2020 ransomware attack on the defendant’s systems caused them to incur expenses that were compensable injuries. According to the opinion, the nonprofit, which possesses personally identifiable information (PII) records, executed two contracts with the defendant “to help consolidate its existing databases into one system of records and protect this sensitive data.” According to the first agreement, the defendant agreed to maintain servers holding the health nonprofit’s donor and patient data, including PII. In the second agreement, the defendant agreed to, among other things, comply with its obligations as a “business associate” under HIPAA, HITECH, and any implementing regulations.

    According to the plaintiffs’ complaint, a third party allegedly hacked into the defendant’s systems and deployed ransomware in February 2020, which gained access to the PII that the health nonprofit stored with the defendant; however, the cybercriminals were unable to block the defendant from accessing its own systems. The defendant was said to have learned about the cyber-attack in May 2020 and waited until July 2020 to notify the nonprofit. The plaintiffs alleged that the data breach occurred because of the defendant’s failure to reasonably safeguard their database of PII. The plaintiffs also claimed that “‘had [the defendant] maintained a sufficient security program, including properly monitoring its network, security, and communications, it would have discovered the cyberattack sooner or prevented it altogether.’” Following the breach, the plaintiffs alleged that they incurred remediation damages that included “various expenses, which included credit monitoring services and call centers, legal counsel, computer systems recovery, and data recovery and data migration services.” The plaintiffs filed suit, alleging breach of contract, negligence, gross negligence, negligent misrepresentation, fraudulent misrepresentation, and breach of fiduciary duty. The defendant argued that the plaintiffs do not adequately explain how the breach caused their remediation damages, warranting dismissal.

    The district court found that the plaintiffs failed to adequately plead causation for each of their claims, noting that “without any allegations explaining why they had to spend these amounts, the court is left to speculate how [the defendant’s] breaches caused [the health nonprofit’s] remediation damages.” The district court additionally determined that the plaintiffs’ negligence and contract claims must also fail because “harm caused by identity information exposure, coupled with the attendant costs to guard against identity theft did not constitute a compensable injury under either a negligence claim or a contract claim brought pursuant to Indiana law.” The district court also found that the plaintiffs’ negligence claims are barred under Indiana’s economic loss rule because they did not point to an independent duty outside of contract. The plaintiffs were, however, given leave to amend their complaint and attempt to remedy its deficiencies.

    Courts Privacy, Cyber Risk & Data Security Ransomware Consumer Protection Data Breach State Issues Indiana

  • California bankruptcy court says a forbearance that modifies the original loan is subject to state usury laws in certain instances

    Courts

    Earlier this year, the United States Bankruptcy Court for the Northern District of California granted in part and denied in part cross-motions for summary judgment in an action concerning “piecemeal exemptions” to California’s usury law. Plaintiffs entered into a loan agreement secured by their residence carrying an interest rate of 11.3 percent and a default interest rate of 17.3 percent (plus late fees) with a then-unlicensed lender. They also signed a promissory note, which stated that should they fail to make a monthly payment within 10 days of the due date they would be assessed a late charge equal to 10 percent of the monthly payment. After plaintiffs struggled to make payments, the parties entered into an extension agreement to supplement and amend the original loan (but not replace it), which slightly lowered the initial interest rate but increased the monthly payments and default interest rate. The extension also included language adding a charge on the final balloon payment that was not part of the original loan. Plaintiffs again began to miss loan payments and sought to refinance the loan with a different lender. A payoff quote provided by the defendant included what was originally called a “prepayment penalty” but was later changed to represent a late charge on the principal balance in line with the extension.

    Plaintiffs sued the defendant and related parties in state court, seeking damages and alleging claims related to breach of contract, fraud, and intentional interference. After the court denied plaintiffs’ motion for preliminary injunction, plaintiffs filed an appeal on the same day one of the plaintiffs filed for bankruptcy. The defendant eventually filed a motion for summary judgment on the claims in the amended complaint, whereas plaintiffs sought partial summary judgment on several new claims, including that (i) the extension violated state usury law; (ii) the defendant “demanded an illegal acceleration penalty” from plaintiffs; and (iii) the defendant illegally charged multiple late fees on a single loan payment.

    In a case of first impression, the court held that under California law, a loan extension that modifies the original loan, including by extending the maturity date, is considered a forbearance subject to state usury laws because there was no other sale, lease, or other transaction involved. The court noted that the statute “provides a restricted definition of the term ‘arranged’ in relation to a forbearance,” and that it also “painstakingly sets forth the instances in which a forbearance negotiated by a real estate broker would be exempt under usury law: when that broker was previously involved in arranging the original loan and that loan was in connection with a sale, lease, or other transaction, or when that broker had previously arranged for the sale, lease or other transaction for compensation.” The court further stated that “[c]onspicuously absent from those instances is a scenario in which a forbearance is arranged on a simple loan of money secured by real estate, with no other sale, lease, or other transaction involved,” adding that it “cannot create an exemption here to save [the defendant].” In the subject transaction, the real estate broker involved when the original loan was made was not involved in the extension, the court said.

    The court also held that the loan forbearance violated California usury laws although the original loan was exempt from usury laws, disagreeing with the defendant’s position that “an originally non-usurious transaction cannot be transformed into a usurious transaction at a later point.” The court pointed out the distinction in this case from others cited by the defendant, stating that the “difference between a non-usurious loan and a loan subject to an exemption is slight but distinct. . . . Once the exemption (no real estate broker involved) ceased to apply, the exemption disappeared, and the transaction became subject to the full consequences of the usury law.” Because the extension’s interest rate and default interest rate both violated state usury law, the defendant is entitled only to the principal balance of the extension minus the amount of usurious interest paid.

    Additionally, the court determined that under California law, the liquidated damages provision of the loan extension was separate from the interest charged by the extension, and a late charge on top of a balloon payment under extension was an unenforceable penalty provision instead of a valid provision for liquidated damages. The court also declined to consider punitive or other damages and said it will make a determination in the future as to what the defendant is entitled to by way of reimbursements or costs, as well as any interest accrued and owed after the extension’s maturity date.

    Courts Mortgages Consumer Finance California Usury Interest Forbearance State Issues

  • FTC, states sue rental listing platform for fraud

    Federal Issues

    On August 30, the FTC announced a lawsuit, together with the attorneys general from New York, California, Colorado, Florida, Illinois, and Massachusetts, against a rental listing platform and its owners for allegedly charging consumers for false endorsements and fake listings. The complaint, which alleges violations of the FTC Act and various state laws, claims that the defendants used both fake reviews and fake listings to lure consumers to its platform and pay for access to so-called “verified and authentic living arrangement listings.” In particular, one of the individual defendants is alleged to have deceptively promoted the platform “by providing tens of thousands of fake four- and five-star reviews” to app stores. That individual defendant stipulated to the entry of a proposed stipulated final order on the same day, which requires the following: (i) cooperation with the FTC’s ongoing action; (ii) informing the app stores that he was paid to post reviews and identifying the fake reviews and when they were posted; (iii) a permanent ban from selling or misrepresenting consumer reviews or endorsements; and (iv) payment of a total of $100,000 to the state AGs.

    The action is part of the FTC’s ongoing efforts to address fake and deceptive reviews, which include a $4.2 million action taken against an online fashion retailer accused of suppressing negative reviews, and warnings issued in 2021 to more than 700 companies announcing that they may face fines over misleading online endorsements (covered by InfoBytes here and here).

    Federal Issues FTC Enforcement State Issues FTC Act UDAP Deceptive State Attorney General

  • California broadens DFPI commissioner’s enforcement authority

    State Issues

    On August 26, the California governor signed AB 2433, which broadens DFPI’s unlawful practices oversight and enforcement power over any person currently engaging in, or having engaged in the past in, unlicensed activity. Among other things, the bill amends the DFPI commissioner’s enforcement of various laws, such as the California Commodity Law, Escrow Law, California Financing Law (CFL), Property Assessed Clean Energy (PACE), Student Loan Servicing Act, and California Residential Mortgage Lending Act. The bill establishes that the commissioner may act “upon having reasonable grounds to believe that a broker-dealer or investment advisor has conducted business in an unsafe or injurious manner.” The bill also permits the DFPI to “act upon having cause to believe that a licensee or other person has violated the CFL.” The CFL provides for the licensure and regulation of finance lenders, brokers, and specified program administrators by the Commissioner of Financial Protection and Innovation, and authorizes the commissioner to issue a citation to the licensee or person and to assess an administrative fine, as specified, among other things. The CFL also regulates certain persons acting under the PACE program, including PACE solicitors and PACE solicitor agents. The new bill establishes that “if the commissioner, upon inspection, examination, or investigation, has cause to believe that a PACE solicitor or PACE solicitor agent is violating any provision of that law, or rule or order thereunder, the commissioner or their designee is required to exhaust a specified procedure before bringing an action.” Additionally, the bill specifies that certain “procedures apply when the commissioner has cause to believe that a PACE solicitor or solicitor agent has violated any provision of that law or rule or order thereunder.” The bill also mentions the Student Loan Servicing Act, which “provides for the licensure, regulation, and oversight of student loan servicers by the commissioner,” and establishes that the commissioner is required, upon having reasonable grounds after investigation to believe that a licensee is conducting business in an unsafe or injurious manner, to direct, by written order, the discontinuance of the unsafe or injurious practices. This bill specifies “that these procedures also apply if, after investigation, the commissioner has reasonable grounds to believe that a licensee has conducted business in an unsafe or injurious manner.” The bill is effective immediately.

    State Issues State Legislation California Student Lending Student Loan Servicer PACE Licensing Mortgages Enforcement State Regulators

  • D.C. Department of Insurance, Securities and Banking says certain Bitcoin activity subject to money transmission laws

    Recently, the District of Columbia’s Department of Insurance, Securities and Banking (DISB) issued a bulletin informing industry participants engaging in or planning to engage in money transmission involving Bitcoin or other virtual currency “used as a medium of exchange, method of payment or store of value in the District” that such transactions require a money transmitter license. Specifically, the bulletin noted that DISB considers Bitcoin to be money for money transmission purposes. Relying on United States v. Larry Dean Harmon, DISB stated that while “money transmission is vaguely defined in DC Code,” the court’s decision “relied on the common use of the term ‘money’ to mean a ‘medium of exchange, method of payment or store of value,’” and that therefore Bitcoin functions like money. The bulletin also noted that the court found that while the D.C. Money Transmitters Act of 2000 specifically defined certain banking and financial terms, it did not define “money,” thereby reasoning “that the goal of the MTA is to regulate all kinds of transfers of funds, whether fiat currency, virtual currency or cryptocurrencies.”

    Additionally, DISB noted that “engaging in the business of ‘money transmission’” includes “transactions where entities receive for transmission, store, and/or take custody, of Bitcoin and other virtual currencies from consumers via kiosks (aka BTMs), mobile applications and/or online transactions.” However, transactions where entities propose to sell and buy Bitcoin and other virtual currencies from consumers in exchange for cash payments via kiosks and/or online transactions are not considered to be money transmission. Entities that plan to engage in covered activities are subject to money transmission licensing requirements, DISB stated, explaining that whether an entity is required to obtain a money transmitter license depends on the individual facts and circumstances of each applicant, which include but are not limited to an applicant’s proposed business plan and flow of funds, as well as an applicant’s business model. 

    Licensing State Issues Digital Assets State Regulators District of Columbia Money Service / Money Transmitters Bitcoin Virtual Currency

  • Connecticut fines collection agency $100,000 and revokes license

    On August 18, the Connecticut Banking Commissioner revoked a consumer collection agency’s license after finding that it failed to provide requested information during an examination. Following an examination in May, the commissioner issued a “Notice of Automatic Suspension, Notice of Intent to Revoke Consumer Collection Agency License, Notice of Intent to Issue Order to Cease and Desist, Notice of Intent to Impose Civil Penalty and Notice of Right to Hearing” to the collection agency warning that if it failed to request a hearing within 14 days “the allegations would be deemed admitted.” According to the order, due to the collection agency’s failure to respond to the notices, the commissioner was “unable to determine that the financial responsibility, character, reputation, integrity and general fitness of Respondent are such to warrant belief that the business will be operated soundly and efficiently.” The collection agency also allegedly failed to maintain a surety bond that ran in accordance with its consumer collection agency license. The commissioner revoked the collection agency’s license to operate in the state, ordered it to cease and desist from violating Section 36a-17(e) of the 2022 Supplement to the General Statutes which requires it to make its records available, and imposed a $100,000 civil penalty.

    Licensing State Issues State Regulators Connecticut Enforcement Consumer Finance
