InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
District Court denies defendant summary judgment in data breach suit
On September 8, the U.S. District Court for the District of Maryland denied a defendant hotel corporation’s summary judgment motion, concluding that an economic expert’s opinion that the City of Chicago (plaintiff) experienced a loss in tax revenue due to a security breach of the defendant’s guest information database—and that the breach caused that loss—should be admissible. As previously covered by InfoBytes, a consolidated class action suit was filed by consumers after they allegedly learned that the defendant took more than four years to discover the data breach and took nearly three months to notify customers of their exposed information. The defendant discovered the breach in September 2018 when a consulting company contracted to provide data security services reported an anomaly pertaining to the defendant’s guest information database. In total, the breach impacted approximately 133.7 million guest records.
Last May, the court granted in part and denied in part certification of eight class actions against the defendant, noting that the plaintiffs did not need to demonstrate that every class member has standing at the class certification stage. The size of the certified classes based on an overpayment theory was decreased, because the court agreed with the defendant’s argument that the plaintiffs were too broad in seeking to include all customers who were affected by the breach, rather than those who only “bore the economic burden.” The court also declined to certify one class seeking only injunctive or declaratory relief, stating that “[w]ithout any direction as to the nature of the injunction sought, besides a request for further discovery, plaintiffs’ motion goes no further than requesting that defendants discontinue their current practices with respect to the [personally identifiable information] at issue.”
According to the recent opinion, the City of Chicago alleged that the defendant violated the city’s consumer protection ordinance by failing to safeguard the personal information of city residents and misrepresented that it had reasonable security safeguards in place. The defendant argued that the City of Chicago’s claims exceeded the limit of the city’s authority under the Illinois Constitution, because it attempted to apply its ordinance to a specific data-security incident. The court found that the Illinois Constitution permits the City of Chicago, a “home-rule unit,” to enforce its consumer protection ordinance against the defendant for harm and injuries arising from the data security incident. Additionally, the court found “in order to respect ’the constitutional design’ granting broad home rule authority and permitting concurrent local and state authority, ‘the courts should step in to compensate for legislative inaction or oversight only in the clearest cases of oppression, injustice, or interference by local ordinances with vital state policies.’” The court also found that the City of Chicago has standing to bring claims for monetary fines, citing that “expert opinions establish, by a preponderance of the evidence, that Chicago suffered an injury-in-fact—the loss of tax revenue—that was traceable to the data breach, and that can be redressed by monetary fines paid by [the defendant].”
2nd Circuit requires second look at “design and content” of online user agreement
On September 14, the U.S. Court of Appeals for the Second Circuit reversed a district court’s order denying a credit union’s motion to compel arbitration in a case involving the “unique question” of “whether and how to address incorporation by reference in web-based contracts under New York law.” The plaintiff claimed that the credit union wrongfully assessed and collected overdraft and insufficient funds fees on checking accounts that were not actually overdrawn. After the credit union moved to compel arbitration pursuant to a mandatory arbitration clause and class action waiver provision contained in the account agreement, the plaintiff argued that she was not bound by these provisions because they were not included in the original agreement and the credit union did not notify her when it added them to the agreement. According to the credit union, the plaintiff was on inquiry notice of the modified agreement because she separately agreed to an internet banking agreement that incorporated the modified account agreement by reference, and because the modified account agreement was published on the credit union’s website, which the plaintiff used for online banking. The district court disagreed, finding, among other things, that the hyperlink and language related to the account agreement appeared to be “buried” in the internet banking agreement.
On appeal, the 2nd Circuit held that the district court “erred in engaging in the inquiry notice analysis, which requires an examination of the ‘design and content’ of the webpage, without reviewing the actual screenshots of the web-based contract.” Recognizing that the internet banking agreement was a “clickwrap” or a “scrollwrap” agreement, the appellate court explained that it has “consistently upheld such agreements because the user has affirmatively assented to the terms of the agreement by clicking ‘I agree’ or similar language.” While the plaintiff did not dispute that she signed up for internet banking, this did not end the court’s analysis; according to the 2nd Circuit, when addressing questions concerning digital contract formation, “courts also evaluate visual evidence that demonstrates ‘whether a website user has actual or constructive notice of the conditions.’” The credit union did not provide evidence showing how the internet banking agreement was presented to users—thereby preventing the district court from assessing whether the relevant language and hyperlink were clear and conspicuous. The 2nd Circuit, therefore, instructed the district court to consider on remand the design and content of the internet banking agreement “as it was presented to users” to determine whether the plaintiff agreed to its terms, and to assess whether the account agreements are “clearly identified and available to the users” based on applicable precedents regarding inquiry notice of terms in web-based contracts.
11th Circuit says wasted time, distress can confer FDCPA standing
On September 7, the U.S. Court of Appeals for the Eleventh Circuit vacated the dismissal of an FDCPA action after determining that wasted time and emotional distress can be sufficiently concrete as to confer Article III standing. After the plaintiff fell behind on his monthly condo association payments, the association referred the matter to a law firm (collectively, “defendants”). The defendant law firm eventually filed a claim of lien against the plaintiff’s condo and threatened foreclosure if the plaintiff did not pay more than $10,000 in past-due fees, interest, late fees, attorney’s fees, and costs. The plaintiff sued for violations of the FDCPA and state law, claiming, among other things, that the debt collection letters and claim of lien overstated the amount due by including interest, late fees, and other charges not permitted under Florida law. He also alleged that the law firm violated the FDCPA by filing the claim of lien in the public record, thereby communicating with a third party about his debt without permission. These actions, the plaintiff contended, caused him emotional distress and cost him time, money, and effort when “trying to ‘determine, verify, and dispute the amounts being sought against him.’” The plaintiff eventually voluntarily dismissed the claims against the association, and the law firm moved to dismiss for lack of jurisdiction. The district court determined that the plaintiff lacked standing because the law firm’s actions did not cause him any concrete injury and dismissed the suit.
On appeal, the 11th Circuit disagreed after finding that the time the plaintiff spent trying to determine the correct amount of debt and the emotion distress he suffered during the process were adequate to satisfy constitutional standing requirements. “[Plaintiff] presented evidence that he suffered injuries—including an inaccurate claim of lien against his property; time spent trying to determine the correct amount of his debt, resolve the lien, and avoid the threatened foreclosure; and emotional distress manifesting in a loss of sleep—which are sufficiently tangible to confer Article III standing,” the appellate court wrote. The 11th Circuit explained that while the time and money spent on the FDCPA lawsuit itself could not give rise to a concrete injury for standing purposes, the time and money spent by the plaintiff defending against a legal action taken by a debt collector was “separable” from the costs of bringing the FDCPA suit. Moreover, the appellate court determined that the defendants refusing to release the lien against the plaintiff’s home unless he paid more than what was actually owed “was a tangible harm sufficient to give [plaintiff] standing for his claims that the defendants’ conduct in filing the lien and threatening to foreclose on it violated the FDCPA.”
DFPI proposal would consider ISAs as student loans
On September 9, the California Department of Financial Protection and Innovation (DFPI) issued a notice of proposed rulemaking to adopt new regulations and amend current regulations implementing the Student Loan Servicing Act (Act), which provides for the licensure, regulation, and oversight of student loan servicers by DFPI (formerly the Department of Business Oversight) (previously covered by InfoBytes here). The proposed rulemaking also outlines new clarifications to the Student Loans: Borrower Rights Law, which was enacted in 2020 (effective January 1, 2021) to provide new requirements for student loan servicers (previously covered by InfoBytes here).
In its initial statement of reasons for the new regulations, DFPI noted that since the Act took effect five years ago, additional private student loan financing products have emerged, such as income share agreements and installment contracts, which use terminology and documentation distinct from traditional loans. DFPI commented that while lenders and servicers of these products have asserted that their products do not fall within the definition of a student loan and are not subject to the statute’s requirements, these education financing products serve the same purpose as traditional loans—“help pay the cost of a student’s higher education"—and are therefore student loans subject to the Act, and servicers of these products must be licensed and comply with all applicable laws. The proposed rulemaking, among other things, (i) defines the term “education financing products,” which now fall under the purview of the Act, along with other related terms; (ii) amends various license application requirements, including amended financial requirements for startup applicants; (iii) outlines provisions related to non-licensee (e.g., servicers that do not require a license but that are subject to the Student Loans: Borrower Rights Law) filing requirements; and (iv) specifies that servicers of all education financing products must submit annual aggregate student loan servicing reports to DFPI. The proposed rulemaking also removes certain unnecessary requirements based on DFPI’s experience in administering the Act to reduce the regulatory burden.
Comments on the notice of proposed rulemaking are due October 28.
District Court grants final approval in BIPA class action
On September 1, the U.S. District Court for the Northern District of Illinois granted final approval of a $6.8 million class action settlement in a biometric privacy data suit. According to the plaintiff’s memorandum of law in support of her unopposed motion for final approval of the settlement, the plaintiff alleged that the defendant violated Illinois law by collecting fingerprint scan data from Illinois users of vending machine systems without written notice and consent. According to the settlement, class members include all individuals who scanned their finger(s) in one or more of defendants’ vending systems in Illinois between August 23, 2014 and November 2021, which totals approximately 63,450 individuals. Each class member will receive approximately $413, and the settlement includes roughly $2.2 million in attorney fees for class counsel.
States, Democrats urge card companies to create gun-store MCC
On September 2, the California and New York attorneys general sent a letter to the CEOs of three credit card companies asking for the establishment of a unique merchant category code (MCC) for gun store purchases, writing that a specially-designated MCC would help companies flag suspicious activity. The letter follows recent requests sent by several congressional Democrats to the same companies urging them to establish an MCC code for guns. According to the Democrats’ letter, MCCs are four-digit codes maintained by the International Organization for Standardization (ISO) that classify merchants by their purpose of business and are used “to determine interchange rates, assess transaction risks, and generally categorize payments.” The letter noted that according to ISO’s criteria, “a new MCC may be approved if (a) the merchant category is reasonable and substantially different from all other merchant categories currently represented in the list of code values; (b) the merchant category is separate and distinct from all other industries currently represented in the list of code values; (c) the proposal describes a merchant category or industry, and not a process; (d) the minimum annual sales volume of merchants included in the merchant category, taken as a whole is, US$10 million; and (e) sufficient justification for the addition of a new code is found.” The letter stated that a “new MCC code could make it easier for financial institutions to monitor certain types of suspicious activities including straw purchases and unlawful bulk purchases that could be used in the commission of domestic terrorist acts or gun trafficking schemes,” and could garner coordination between financial institutions and law enforcement to aid efforts across the federal government to identify and prevent illicit activity. The letters requested feedback to better understand the companies’ positions.
District Court says tech company not liable for app in crypto theft
On September 2, the U.S. District Court for the Northern District of California granted a defendant California tech company’s motion to dismiss a putative class action filed by users who claimed their cryptocurrency was stolen after they downloaded a “phishing” program that posed as a legitimate digital wallet. Plaintiffs alleged that the illegitimate app (developed by a third-party and not the defendant) caused them to lose thousands of dollars in cryptocurrency. Claiming that the app was a spoofing and phishing program that obtained consumers’ cryptocurrency account information and routed that information to hackers’ personal accounts, plaintiffs sued, asserting claims under the federal Computer Fraud and Abuse Act, Electronic Communications Privacy Act, California Consumer Privacy Act, California’s Unfair Competition Law, California Consumer Privacy Act, California Consumer Legal Remedies Act, Maryland Wiretap and Electronic Surveillance Act, Maryland Personal Information Protection Act, and Maryland Consumer Protection Act. The defendant moved to dismiss, arguing that it was immune from liability under § 230(c)(1) of the Communications Decency Act. The court agreed with the defendant, ruling that it is granted protection under the Act because it qualifies as an “interactive computer service provider” within the meaning of the statute, is treated as a publisher, and provides information from another information content provider. “Here, plaintiffs’ computer fraud and privacy claims are based on [defendant’s] reproduction of an app [] intended for public consumption, via the App Store,” the court wrote. “But, as [defendant] notes, its review and authorization of the [] app for distribution on the App Store is inherently publishing activity.” Moreover, the court concluded that, among other things, the defendant’s liability provision contained within its terms, which states that it is not liable for conduct of a third party, is valid and enforceable.
Real estate brokerages settle NY’s claims of discriminatory practices
On August 30, the New York attorney general and governor announced a joint action taken against three Long Island real estate brokerage firms for allegedly engaging in illegal and discriminatory housing practices. According to the announcement, the Office of the Attorney General and New York Department of State commenced parallel investigations into the brokerage firms, in which they discovered that agents were allegedly violating the Fair Housing Act and New York state law when they allegedly “steered prospective homebuyers of color away from white neighborhoods and subjected them to different requirements than white homebuyers, and otherwise engaged in biased behavior.” In certain instances, agents were allegedly shown to have given preferential treatment to white homebuyers, disparaged neighborhoods of color, and directed prospective homebuyers of color to homes in neighborhoods predominantly resided by communities of color.
Under the terms of the assurance of discontinuance, the brokerage firms agreed to stop the alleged conduct and will offer comprehensive fair housing training to all agents. Agents will also be required to enroll and take state-approved Fair Housing Act compliance courses. Two of the brokerage firms are also required to provide $25,000 to Suffolk County to promote enforcement and compliance with fair housing laws, while the third brokerage firm will pay $30,000 in penalties and costs to the Office of the Attorney General and $35,000 to Nassau County for fair housing testing.
WA Superior Court: Insurance commissioner overstepped in banning credit scoring in underwriting
On August 29, the Washington State Superior Court entered a final order declaring that the Washington Insurance Commissioner exceeded his authority when he issued an emergency rule earlier this year banning the use of credit-based insurance scores in the rating and underwriting of insurance for a three-year period. As previously covered by InfoBytes, several industry groups led by the American Property Casualty Insurance Association (APCIA) sued to stop the rule from taking effect. The rule was intended to prevent discriminatory pricing in private auto, renters, and homeowners insurance in anticipation of the end of the CARES Act, and specifically prohibited insurers from “us[ing] credit history to place insurance coverage with a particular affiliated insurer or insurer within an overall group of affiliated insurance companies.” The rule applied to all new policies effective, and existing policies processed for renewal, on or after June 20, 2021. Industry groups countered that the rule would harm insured consumers in the state who pay less for auto, homeowners, and renters insurance because of the use of credit-based insurance scores to predict risk and set rates.
According to a press release issued by APCIA, earlier this year the superior court issued a bench decision granting the trade group’s petition for a declaratory judgment and invalidating the rule. The superior court “held that the Commissioner could not rely on the more general rating standard statute that prohibited “excessive, inadequate, or unfairly discriminatory” rates to “eliminate all meaning from the more specific credit history statutes by which the legislature had authorized its use.” Calling the final order “an important victory for Washington consumers, particularly lower risk senior policyholders who were forced to pay more to subsidize higher risk policyholders because the rule eliminated the use of credit,” the trade groups said they were pleased that the court agreed with their position that the Commissioner “exceeded his authority when he acted contrary to the longstanding statute that authorized the use of credit in the property and casualty insurance space.”
District Court rules non-judicial foreclosure claims fail
On August 30, the U.S. District Court for the District of Oregon granted defendants’ motion for summary judgment in an action concerning an allegedly unlawful non-judicial foreclosure. Plaintiffs obtained a cash-out loan in 2005 and modified their mortgage terms. The plaintiffs stopped making payments after one of the defendant loan servicer’s agents allegedly informed them that “help was only available if they were in default,” and the defendant loan servicer threatened foreclosure. Following several years of bankruptcy proceedings and foreclosure mediation, plaintiffs sued to stop the foreclosure proceedings, claiming “that the deed of trust was void and that defendants committed fraud in attempting to foreclos[e] on the debt.” The initial non-judicial foreclosure proceedings were rescinded after the suit was dismissed with prejudice, and the defendant loan servicer was eventually allowed to proceed with a second non-judicial foreclosure under Oregon law. Plaintiffs sent a dispute letter demanding that the foreclosure be rescinded because the order in which several notices of default showing the amounts due and the amounts necessary to reinstate were sent did not comply with state law. After the notice was rescinded and a new notice of default was issued and recorded, plaintiffs sued again, seeking to enjoin the defendant trustee’s sale and filing several claims, including breach of contract and violations of the Oregon Unfair Trade Practices Act (OUTPA), RESPA, and FDCPA.
In granting summary judgment to the defendants on each of the claims, the court determined that the breach of contract claim fails because plaintiffs acknowledged that because “they have not substantially performed under the relevant contract,” they are precluded from seeking damages. The FDCPA claim against the defendant trustee also fails “because it is based on a perceived lack of authority under the relevant contract, but as explained in the breach of contract claim, that authority was not lacking.” Finally, the OUTPA and RESPA claims both fail “because there is no evidence that they incurred damages arising out of either claim”—a required element under both statutes, the court said. According to the court, plaintiffs failed “to support their drastic allegations with relevant evidence” and failed to “point to specific evidence supporting valid legal claims.”