
InfoBytes Blog

Financial Services Law Insights and Observations


  • District Court dismisses ransomware suit alleging negligence

    Courts

    On August 30, the U.S. District Court for the Northern District of Indiana granted a software company defendant’s motion to dismiss, ruling that a healthcare system nonprofit (the “nonprofit”) and its insurer (collectively, “plaintiffs”) had not plausibly alleged that the 2020 ransomware attack on the defendant caused them to incur expenses that were compensable injuries. According to the opinion, the nonprofit, which possesses personally identifiable information (PII) records, executed two contracts with the defendant “to help consolidate its existing databases into one system of records and protect this sensitive data.” According to the first agreement, the defendant agreed to maintain servers holding the health nonprofit’s donor and patient data, including PII. In the second agreement, the defendant agreed to, among other things, comply with its obligations as a “business associate” under HIPAA, HITECH, and any implementing regulations.

    According to the plaintiffs’ complaint, a third party allegedly hacked into the defendant’s systems and deployed ransomware in February 2020, which gained access to the PII that the health nonprofit stored with the defendant; however, the cybercriminals were unable to block the defendant from accessing its own systems. The defendant was said to have learned about the cyber-attack in May 2020 and waited until July 2020 to notify the nonprofit. The plaintiffs alleged that the data breach occurred because of the defendant’s failure to reasonably safeguard their database of PII. The plaintiffs also claimed that “‘had [the defendant] maintained a sufficient security program, including properly monitoring its network, security, and communications, it would have discovered the cyberattack sooner or prevented it altogether.’” Following the breach, the plaintiffs alleged that they incurred remediation damages that included “various expenses, which included credit monitoring services and call centers, legal counsel, computer systems recovery, and data recovery and data migration services.” The plaintiffs filed suit, alleging breach of contract, negligence, gross negligence, negligent misrepresentation, fraudulent misrepresentation, and breach of fiduciary duty. The defendant argued that the plaintiffs did not adequately explain how the breach caused their remediation damages, warranting dismissal.

    The district court found that the plaintiffs failed to adequately plead causation for each of their claims, noting that “without any allegations explaining why they had to spend these amounts, the court is left to speculate how [the defendant’s] breaches caused [the health nonprofit’s] remediation damages.” The district court additionally determined that the plaintiffs’ negligence and contract claims must also fail because “harm caused by identity information exposure, coupled with the attendant costs to guard against identity theft did not constitute a compensable injury under either a negligence claim or a contract claim brought pursuant to Indiana law.” The district court also found that the plaintiffs’ negligence claims are barred under Indiana’s economic loss rule because they did not point to an independent duty outside of contract. The plaintiffs were, however, given leave to amend their complaint and attempt to remedy its deficiencies.

    Courts Privacy, Cyber Risk & Data Security Ransomware Consumer Protection Data Breach State Issues Indiana

  • California bankruptcy court says a forbearance that modifies the original loan is subject to state usury laws in certain instances

    Courts

    Earlier this year, the United States Bankruptcy Court for the Northern District of California granted in part and denied in part cross-motions for summary judgment in an action concerning “piecemeal exemptions” to California’s usury law. Plaintiffs entered into a loan agreement secured by their residence carrying an interest rate of 11.3 percent and a default interest rate of 17.3 percent (plus late fees) with a then-unlicensed lender. They also signed a promissory note, which stated that should they fail to make a monthly payment within 10 days of the due date they would be assessed a late charge equal to 10 percent of the monthly payment. After plaintiffs struggled to make payments, the parties entered into an extension agreement to supplement and amend the original loan (but not replace it), which slightly lowered the initial interest rate but increased the monthly payments and default interest rate. The extension also included language adding a charge on the final balloon payment that was not part of the original loan. Plaintiffs again began to miss loan payments and sought to refinance the loan with a different lender. A payoff quote provided by the defendant included what was originally called a “prepayment penalty” but was later changed to represent a late charge on the principal balance in line with the extension.

    Plaintiffs sued the defendant and related parties in state court, seeking damages and alleging claims related to breach of contract, fraud, and intentional interference. After the court denied plaintiffs’ motion for preliminary injunction, plaintiffs filed an appeal on the same day one of the plaintiffs filed for bankruptcy. The defendant eventually filed a motion for summary judgment on the claims in the amended complaint, whereas plaintiffs sought partial summary judgment on several new claims, including that (i) the extension violated state usury law; (ii) the defendant “demanded an illegal acceleration penalty” from plaintiffs; and (iii) the defendant illegally charged multiple late fees on a single loan payment.

    In a case of first impression, the court held that under California law, a loan extension that modifies the original loan, including by extending the maturity date, is considered a forbearance subject to state usury laws because there was no other sale, lease, or other transaction involved. The court noted that the statute “provides a restricted definition of the term ‘arranged’ in relation to a forbearance,” and that it also “painstakingly sets forth the instances in which a forbearance negotiated by a real estate broker would be exempt under usury law: when that broker was previously involved in arranging the original loan and that loan was in connection with a sale, lease, or other transaction, or when that broker had previously arranged for the sale, lease or other transaction for compensation.” The court further stated that “[c]onspicuously absent from those instances is a scenario in which a forbearance is arranged on a simple loan of money secured by real estate, with no other sale, lease, or other transaction involved,” adding that it “cannot create an exemption here to save [the defendant].” In the subject transaction, the real estate broker involved when the original loan was made was not involved in the extension, the court said.

    The court also held that the loan forbearance violated California usury laws although the original loan was exempt from usury laws, disagreeing with the defendant’s position that “an originally non-usurious transaction cannot be transformed into a usurious transaction at a later point.” The court pointed out the distinction in this case from others cited by the defendant, stating that the “difference between a non-usurious loan and a loan subject to an exemption is slight but distinct. . . . Once the exemption (no real estate broker involved) ceased to apply, the exemption disappeared, and the transaction became subject to the full consequences of the usury law.” Because the extension’s interest rate and default interest rate both violated state usury law, the defendant is entitled only to the principal balance of the extension minus the amount of usurious interest paid.

    Additionally, the court determined that under California law, the liquidated damages provision of the loan extension was separate from the interest charged by the extension, and a late charge on top of a balloon payment under the extension was an unenforceable penalty provision instead of a valid provision for liquidated damages. The court also declined to consider punitive or other damages and said it will make a determination in the future as to what the defendant is entitled to by way of reimbursements or costs, as well as any interest accrued and owed after the extension’s maturity date.

    Courts Mortgages Consumer Finance California Usury Interest Forbearance State Issues

  • FTC, states sue rental listing platform for fraud

    Federal Issues

    On August 30, the FTC announced a lawsuit, together with the attorneys general from New York, California, Colorado, Florida, Illinois, and Massachusetts, against a rental listing platform and its owners for allegedly charging consumers for false endorsements and fake listings. The complaint, which alleges violations of the FTC Act and various state laws, claims that the defendants used both fake reviews and fake listings to lure consumers to its platform and pay for access to so-called “verified and authentic living arrangement listings.” In particular, one of the individual defendants is alleged to have deceptively promoted the platform “by providing tens of thousands of fake four- and five-star reviews” to app stores. That individual defendant stipulated to the entry of a proposed stipulated final order on the same day, which requires the following: (i) cooperation with the FTC’s ongoing action; (ii) informing the app stores that he was paid to post reviews and identifying the fake reviews and when they were posted; (iii) a permanent ban from selling or misrepresenting consumer reviews or endorsements; and (iv) payment of a total of $100,000 to the state AGs.

    The action is part of the FTC’s ongoing efforts to address fake and deceptive reviews, which include a $4.2 million action taken against an online fashion retailer accused of suppressing negative reviews, and warnings issued in 2021 to more than 700 companies announcing that they may face fines over misleading online endorsements (covered by InfoBytes here and here).

    Federal Issues FTC Enforcement State Issues FTC Act UDAP Deceptive State Attorney General

  • California broadens DFPI commissioner’s enforcement authority

    State Issues

    On August 26, the California governor signed AB 2433, which broadens DFPI’s unlawful practices oversight and enforcement power over any person currently engaging in, or having engaged in the past in, unlicensed activity. Among other things, the bill amends the DFPI commissioner’s enforcement of various laws, such as the California Commodity Law, Escrow Law, California Financing Law (CFL), Property Assessed Clean Energy (PACE), Student Loan Servicing Act, and California Residential Mortgage Lending Act. The bill establishes that the commissioner may act “upon having reasonable grounds to believe that a broker-dealer or investment advisor has conducted business in an unsafe or injurious manner.” The bill also permits the DFPI to “act upon having cause to believe that a licensee or other person has violated the CFL.” The CFL provides for the licensure and regulation of finance lenders, brokers, and specified program administrators by the Commissioner of Financial Protection and Innovation, and authorizes the commissioner to issue a citation to the licensee or person and to assess an administrative fine, as specified, among other things. The CFL also regulates certain persons acting under the PACE program, including PACE solicitors and PACE solicitor agents.

    The new bill establishes that “if the commissioner, upon inspection, examination, or investigation, has cause to believe that a PACE solicitor or PACE solicitor agent is violating any provision of that law, or rule or order thereunder, the commissioner or their designee is required to exhaust a specified procedure before bringing an action.” Additionally, the bill specifies that certain “procedures apply when the commissioner has cause to believe that a PACE solicitor or solicitor agent has violated any provision of that law or rule or order thereunder.” The bill also mentions the Student Loan Servicing Act, which “provides for the licensure, regulation, and oversight of student loan servicers by the commissioner,” and establishes that the commissioner is required, upon having reasonable grounds after investigation to believe that a licensee is conducting business in an unsafe or injurious manner, to direct, by written order, the discontinuance of the unsafe or injurious practices. This bill specifies “that these procedures also apply if, after investigation, the commissioner has reasonable grounds to believe that a licensee has conducted business in an unsafe or injurious manner.” The bill is effective immediately.

    State Issues State Legislation California Student Lending Student Loan Servicer PACE Licensing Mortgages Enforcement State Regulators

  • D.C. Department of Insurance, Securities and Banking says certain Bitcoin activity subject to money transmission laws

    Recently, the District of Columbia’s Department of Insurance, Securities and Banking (DISB) issued a bulletin informing industry participants engaging in or planning to engage in money transmission involving Bitcoin or other virtual currency “used as a medium of exchange, method of payment or store of value in the District” that such transactions require a money transmitter license. Specifically, the bulletin noted that DISB considers Bitcoin to be money for money transmission purposes. Relying on United States v. Larry Dean Harmon, DISB stated that while “money transmission is vaguely defined in DC Code,” the court’s decision “relied on the common use of the term ‘money’ to mean a ‘medium of exchange, method of payment or store of value,’” and that therefore Bitcoin functions like money. The bulletin also noted that the court found that while the D.C. Money Transmitters Act of 2000 specifically defined certain banking and financial terms, it did not define “money,” thereby reasoning “that the goal of the MTA is to regulate all kinds of transfers of funds, whether fiat currency, virtual currency or cryptocurrencies.”

    Additionally, DISB noted that “engaging in the business of ‘money transmission’” includes “transactions where entities receive for transmission, store, and/or take custody, of Bitcoin and other virtual currencies from consumers via kiosks (aka BTMs), mobile applications and/or online transactions.” However, transactions where entities propose to sell and buy Bitcoin and other virtual currencies from consumers in exchange for cash payments via kiosks and/or online transactions are not considered to be money transmission. Entities that plan to engage in covered activities are subject to money transmission licensing requirements, DISB stated, explaining that whether an entity is required to obtain a money transmitter license depends on the individual facts and circumstances of each applicant, which include but are not limited to an applicant’s proposed business plan and flow of funds, as well as an applicant’s business model. 

    Licensing State Issues Digital Assets State Regulators District of Columbia Money Service / Money Transmitters Bitcoin Virtual Currency

  • Connecticut fines collection agency $100,000 and revokes license

    On August 18, the Connecticut Banking Commissioner revoked a consumer collection agency’s license after finding that it failed to provide requested information during an examination. Following an examination in May, the commissioner issued a “Notice of Automatic Suspension, Notice of Intent to Revoke Consumer Collection Agency License, Notice of Intent to Issue Order to Cease and Desist, Notice of Intent to Impose Civil Penalty and Notice of Right to Hearing” to the collection agency warning that if it failed to request a hearing within 14 days “the allegations would be deemed admitted.” According to the order, due to the collection agency’s failure to respond to the notices, the commissioner was “unable to determine that the financial responsibility, character, reputation, integrity and general fitness of Respondent are such to warrant belief that the business will be operated soundly and efficiently.” The collection agency also allegedly failed to maintain a surety bond that ran in accordance with its consumer collection agency license. The commissioner revoked the collection agency’s license to operate in the state, ordered it to cease and desist from violating Section 36a-17(e) of the 2022 Supplement to the General Statutes which requires it to make its records available, and imposed a $100,000 civil penalty.

    Licensing State Issues State Regulators Connecticut Enforcement Consumer Finance

  • California issues remote work guidance to CFL licensees

    State Issues

    On August 26, the California governor signed AB 2001, which amends the California Financing Law (CFL) regarding remote work. According to the bill, a licensee would be authorized “under the CFL to designate an employee, when acting within the scope of employment, to perform work on the licensee’s behalf at a remote location, as defined, if the licensee takes certain actions, including that the licensee prohibits a consumer’s personal information from being physically stored at a remote location except for storage on an encrypted device or encrypted media.” Currently, the CFL provides that a licensee cannot engage in loan business or administer a PACE program in any office, room, or place of business that any other business is solicited or engaged in, or in association or conjunction therewith, under certain circumstances. Additionally, “a finance lender, broker, mortgage loan originator, or program administrator licensee shall not transact the business licensed or make any loan or administer any PACE program provided for by this division under any other name or at any other place of business than that named in the license except pursuant to a currently effective written order of the commissioner authorizing the other name or other place of business.”

    State Issues State Legislation California Licensing PACE California Financing Law

  • Colorado issues remote work guidance to collection agencies

    State Issues

    On August 19, the Colorado attorney general published updated guidance on remote work for employees of entities regulated by the Consumer Credit Unit. Memorandum HB 22-1410, which was signed by the governor on June 7, amended Colorado’s Uniform Consumer Credit Code so that a supervised lender licensee may permit its employees to work from a remote location, so long as the licensee complies with certain requirements. The memorandum also provided that the March 2020 guidance issued by the Consumer Credit Unit Administrator for employees of regulated entities during the COVID-19 pandemic “remains in effect for regulated entities not covered by HB22-1410, including collection agencies, debt management providers, and student loan servicers, and will remain in effect until the last day of the 2023 legislative session of the 74th General Assembly, May 10, 2023.” The memorandum also noted that “due to concerns regarding the COVID-19 outbreak, individuals who work for regulated entities may be required, or wish, to work from home to avoid further spread of the outbreak, even though their homes are not licensed as branches.”

    The memorandum also disclosed that the state will not take any administrative, disciplinary, or enforcement actions for individuals working at home in what are technically unlicensed branches as long as certain criteria are met: (i) “The Colorado activity is conducted from the home location of an individual working on behalf of an entity who is licensed, registered, or files notification with the Administrator”; (ii) “The individual is working from home due to a reason connected to the Covid-19 outbreak and has informed the regulated entity in writing”; (iii) “None of the Colorado activity will be conducted in person with members of the public at the home location”; (iv) “Individuals working from home will not advertise, receive official mail directly, or permanently store any books or records at their remote location”; (v) “The Colorado licensee shall at all times exercise reasonable supervision of the licensable activity being performed at the home office and ensure sufficient safeguards to protect consumer information and data security”; and (vi) “The individual ceases conducting the activity from the home location as soon as reasonably possible, consistent with recommendations from the CDC, CDPHE, and applicable state health departments.”

    State Issues Colorado State Attorney General Licensing Covid-19

  • Colorado reminds collection agencies about medical law

    State Issues

    On August 16, the Colorado attorney general published a memorandum reminding collection agency licensees and interested parties that HB21-1198 becomes effective September 1. HB21-1198, among other things, amends the Colorado Fair Debt Collection Practices Act to add a new unfair practice—attempting to collect a debt that violates certain HB21-1198 requirements. The bill also creates requirements for notice and certain limitations on collections of medical debt. Specifically, the bill enacts healthcare billing requirements for indigent patients who are treated, but not reimbursed, through the state’s indigent care program and sets forth requirements before any collection proceeding may be initiated against an indigent patient. 

    State Issues State Attorney General Colorado Medical Debt Debt Collection Licensing Consumer Finance

  • California fines cosmetics chain for privacy violations

    Privacy, Cyber Risk & Data Security

    On August 24, the California attorney general announced that following an investigative sweep into online retailers, it entered into a $1.2 million settlement with a cosmetics chain for its alleged failure to disclose to consumers that it was selling their personal information, failure to process user requests to opt out of such sale via user-enabled global privacy controls, and failure to cure such violations within the 30-day period allowed by the California Consumer Privacy Act (CCPA). The action reaffirms the state’s commitment to enforcing the law and protecting consumers’ rights to fight commercial surveillance, AG Bonta said, emphasizing that “today’s settlement sends a strong message to businesses that are still failing to comply with California’s consumer privacy law. My office is watching, and we will hold you accountable. It’s been more than two years since the CCPA went into effect, and businesses’ right to avoid liability by curing their CCPA violations after they are caught is expiring. There are no more excuses. Follow the law, do right by consumers, and process opt-out requests made via user-enabled global privacy controls.”

    According to a complaint filed in California Superior Court, third parties monitored consumers’ purchases and created profiles to more effectively target potential customers. The company’s arrangement with these third parties constituted a sale of consumer personal information under the CCPA, therefore triggering certain basic obligations, including telling consumers that it is selling their information and allowing consumers to easily opt out of the sale of their information. According to the complaint, the company failed to take any of these measures.

    Under the terms of the settlement, the company is required to pay a $1.2 million penalty and must disclose to California customers that it sells their personal data and provide a mechanism for consumers to opt out of a sale of their information, including through user-enabled global privacy controls like the Global Privacy Control (GPC). Additionally, the company must ensure its service provider agreements meet CCPA requirements and provide reports to the AG related to its sale of personal information, the status of its service provider relationships, and its efforts to honor the GPC.

    The press release also announced that notices were sent to several businesses alleging non-compliance concerning their failure to process consumer opt-out requests made via user-enabled global privacy controls. The AG reiterated that under the CCPA, “businesses must treat opt-out requests made by user-enabled global privacy controls the same as requests made by users who have clicked the ‘Do Not Sell My Personal Information’ link. Businesses that received letters today have 30 days to cure the alleged violations or face enforcement action from the Attorney General.”

    Privacy, Cyber Risk & Data Security State Issues Courts CCPA California Enforcement Settlement State Attorney General Opt-Out Third-Party
