
InfoBytes Blog

Financial Services Law Insights and Observations


  • Ex-NFL players no longer part of CFPB, New York suit on high-cost loans

    Courts

    On June 27, the CFPB and New York attorney general filed an amended complaint in the U.S. District Court for the Southern District of New York, removing references to a New Jersey-based finance company’s arrangements with seven former NFL players in an action concerning whether the company and its affiliates (collectively, “defendants”) mischaracterized high-cost loans as assignments of future payment rights. As previously covered by InfoBytes, the agencies filed a lawsuit in 2017 claiming, among other things, that the defendants misled World Trade Center attack first responders and professional football players in selling expensive advances on benefits to which they were entitled and mischaracterized extensions of credit as assignments of future payment rights, thereby misleading their victims into repaying far more than they received. Specifically, the initial filing in 2017 alleges that the defendants (i) used “confusing contracts” to prevent the individuals from understanding the terms and costs of the transactions; (ii) lied to the individuals by telling them the companies could secure their payouts more quickly; (iii) misrepresented how quickly they would receive payments from the companies; and (iv) collected interest at an illegal rate. The amended complaint removes all references to defendants’ arrangements with the ex-NFL players, but maintains claims related to financing deals signed with first responders to the World Trade Center attack.

    The court issued an order on June 28 accepting the agencies’ unopposed motion to file the amended complaint to “remove references to NFL player consumers and to remove allegations in Count VIII” related to alleged violations of New York General Obligations Law § 13-101 concerning personal injury claims. No additional details on the reasons for the removals are provided.

    The amended complaint follows a March order issued by the district court (covered by InfoBytes here) in which it ruled that the CFPB could proceed with its 2017 enforcement action. In 2020, the U.S. Court of Appeals for the Second Circuit vacated the district court’s 2018 order (covered by InfoBytes here), which had dismissed the case on the grounds that the Bureau’s single-director structure was unconstitutional, and that, as such, the agency lacked authority to bring claims alleging deceptive and abusive conduct by the company. The 2nd Circuit remanded the case to the district court, determining that the U.S. Supreme Court’s ruling in Seila Law LLC v. CFPB (holding that the director’s for-cause removal provision was unconstitutional but severable from the statute establishing the Bureau, as covered by a Buckley Special Alert) superseded the 2018 ruling. 

    Courts State Issues CFPB State Attorney General Enforcement New York UDAAP Deceptive Abusive

  • Insurers consider biometric exclusions as privacy cases increase

    Privacy, Cyber Risk & Data Security

    According to sources, some insurers are considering adding biometric exclusions to their insurance policies as privacy lawsuits increase. An article on the recent evolution of biometric privacy lawsuits noted an apparent increase in class actions claiming violations of the Illinois Biometric Information Privacy Act (BIPA), as “more courts began ruling that individuals need not show actual injury to allege BIPA violations.” The article explained that insurance carriers now “argue that general liability policies, with their lower premiums and face values, don’t insure data privacy lawsuits and can’t support potentially huge BIPA class action awards and settlements.” This issue is poised to become increasingly important to carriers and policyholders as additional states seek to regulate biometric privacy. The article noted that in the first quarter of 2022, seven states (California, Kentucky, Maine, Maryland, Massachusetts, Missouri, and New York) introduced biometric laws generally based on Illinois’ BIPA. Texas and Washington also have biometric laws, but without a private right of action.

    Privacy/Cyber Risk & Data Security Insurance BIPA State Issues Courts Biometric Data

  • District Court says Massachusetts law will apply in choice-of-law privacy dispute

    Privacy, Cyber Risk & Data Security

    On June 28, the U.S. District Court for the District of South Carolina ruled that it will apply Massachusetts law to negligence claims in a putative class action concerning a cloud-based services provider’s allegedly lax data-security practices. The plaintiffs claimed that the defendant’s “security program was inadequate and that the security risks associated with the Personal Information went unmitigated, allowing [] cybercriminals to gain access.” During discovery, the defendant (headquartered in South Carolina) stated that its U.S. data centers are located in Massachusetts, Texas, California, and New Jersey, and that the particular servers that housed the plaintiffs’ data (and were the initial entry point for the ransomware attack) are physically located in Massachusetts. While both parties stipulated to the application of South Carolina choice-of-law principles generally, the plaintiffs specifically requested that South Carolina law be applied to their common law claims of negligence, negligence per se, and invasion of privacy since it was the state where defendant executives made the cybersecurity-related decisions that allegedly allowed the data breach to occur. However, the defendant countered that the law of each state where a plaintiff resides should apply to that specific plaintiff’s common law tort claims because the “damages were felt in their respective home states.” Both parties presented an alternative argument that if the court found the primary choice-of-law theory to be unfounded, then Massachusetts law would be appropriate as “Massachusetts was the state where the last act necessary took place because that is where the data servers were housed.”

    In determining which state’s common-law principles apply, the court stated that even if some of the cybersecurity decisions were made in South Carolina, the personal information was stored on servers in Massachusetts. Moreover, the “alleged decisions made in South Carolina may have contributed to the breach, but they were not the last act necessary to establish the cause of action,” the court wrote, noting that in order for the defendant to be potentially liable, the data servers would need to be breached. The court further concluded that “South Carolina’s choice of law rules dictate that where an injury occurs, not where the result of the injury is felt or discovered is the proper standard to determine the last act necessary to complete the tort.” As such, the court stated that Massachusetts law will apply as that is where the data breach occurred.

    Privacy/Cyber Risk & Data Security Courts State Issues Massachusetts South Carolina Class Action

  • CFPB says states may regulate credit reporting markets

    Agency Rule-Making & Guidance

    On June 28, the CFPB issued an interpretive rule addressing states’ authority to pass consumer-reporting laws. Specifically, the Bureau clarified that states “retain broad authority to protect people from harm due to credit reporting issues,” and explained that state laws are generally not preempted unless they conflict with the FCRA or “fall within narrow preemption categories enumerated within the statute.” Under the FCRA, states have flexibility to enact laws involving consumer reporting that reflect challenges and risks affecting their local economies and residents and are able to enact protections against the abuse and misuse of data to mitigate these consequences. 

    Stating that the FCRA’s express preemption provisions have a narrow and targeted scope, the Bureau’s interpretive rule provided several examples such as (i) if a state law “were to forbid consumer reporting agencies [(CRA)] from including information about medical debt, evictions, arrest records, or rental arrears in a consumer report (or from including such information for a certain period of time), such a law would generally not be preempted; (ii) a state law that prohibits furnishers from furnishing such information to a CRA would generally not be prohibited; and (iii) if a state law requires a CRA to provide information required by the FCRA at the consumer’s request in a language other than English, such a law would generally not be preempted. The interpretive rule is effective upon publication in the Federal Register.

    The issuance of the interpretive rule arises from a notice received by the Bureau from the New Jersey attorney general concerning pending litigation that involves an argument that the FCRA preempted a state consumer protection statute. The Bureau stated that it “will continue to consider other steps to promote state enforcement of fair credit reporting along with other parts of federal consumer financial protection law,” including “consulting with states whenever interpretation of federal consumer financial protection law is relevant to a state regulatory or law enforcement matter, consistent with the State Official Notification Rule.” As previously covered by InfoBytes, the Bureau issued an interpretive rule last month, clarifying states’ authority to bring enforcement actions for violations of federal consumer financial protection laws, including the CFPA.

    Agency Rule-Making & Guidance Federal Issues State Issues CFPB FCRA Consumer Finance Credit Report Consumer Reporting Agency

  • NYDFS imposes $5 million fine against cruise line for cybersecurity violations

    Privacy, Cyber Risk & Data Security

    On June 24, NYDFS announced a consent order imposing a $5 million fine against a group of Florida-based cruise lines for alleged violations of the state’s Cybersecurity Regulation (23 NYCRR Part 500). According to a Department investigation, the companies were subject to four cybersecurity incidents between 2019 and 2021 (including two ransomware attacks). The companies determined that unauthorized parties gained access to employee email accounts, and that, through a series of phishing emails, the parties were able to access email and attachments containing personal information belonging to the companies’ consumers and employees. NYDFS claimed that although the companies were aware of the first cybersecurity event in May 2019, they failed to notify the Department as required under 23 NYCRR Part 500 until April 2020. The investigation further showed that the companies allegedly failed to implement multi-factor authentication and did not provide adequate cybersecurity training for their personnel. NYDFS determined that in addition to the penalty, since the companies were licensed insurance producers in the state at the time of the cybersecurity incidents they would be required to surrender their insurance provider licenses.

    The settlement follows a $1.25 million data breach settlement reached with 45 states and the District of Columbia on June 22 (covered by InfoBytes here).

    Privacy/Cyber Risk & Data Security State Issues NYDFS State Regulators Enforcement Settlement Data Breach 23 NYCRR Part 500

  • FTC, Florida file complaint against grant funding operation

    Federal Issues

    On June 27, the FTC and the Florida attorney general filed a complaint against a Florida-based grant funding company and its owner (collectively, “defendants”) alleging that the defendants violated the Consumer Protection Act, the FTC Act, and the Florida Deceptive Unfair Trade Practices Act. According to the complaint, the defendants deceptively marketed grant writing and consulting services to minority-owned small businesses by, among other things, (i) promising grant funding that did not exist and/or was never awarded; (ii) misleading customers about the status of grant awards; and (iii) failing to honor a “money-back guarantee” and suppressing customer complaints. The complaint also alleged that the owner relied on funds that she acquired through the federal Paycheck Protection Program Covid-19 stimulus program to start the company. The U.S. District Court for the Middle District of Florida issued a restraining order with an asset freeze, appointment of a temporary receiver, and other equitable relief against the defendants, which also prohibits them from engaging in grant funding business activities.

    Federal Issues State Issues FTC Enforcement State Attorney General Florida Covid-19 FTC Act Deceptive UDAP

  • DFPI seeks to regulate commercial financial products and services under the CCFPL

    State Issues

    Recently, the California Department of Financial Protection and Innovation (DFPI) issued a notice of proposed rulemaking (NPRM) to adopt regulations to implement certain sections of the California Consumer Financial Protection Law (CCFPL) related to commercial financial products and services. (See also text of the proposed regulations here.) As previously covered by a Buckley Special Alert, the CCFPL became law in 2020 and, among other things, (i) establishes UDAAP authority for the DFPI; (ii) authorizes the DFPI to impose penalties of $2,500 for “each act or omission” in violation of the law without a showing that the violation was willful (thus going beyond both Dodd-Frank and existing California law); (iii) provides the DFPI with broad discretion to determine what constitutes a “financial product or service” within the law’s coverage; and (iv) provides that enforcement of the CCFPL will be funded through the fees generated by the new registration process as well as fines, penalties, settlements, or judgments. While the CCFPL exempts certain entities (e.g., banks, credit unions, certain licensees), the law expands the DFPI’s oversight authority to include debt collection, debt settlement, credit repair, check cashing, rent-to-own contracts, retail sales financing, consumer credit reporting, and lead generation.

    The NPRM proposes new rules to implement sections 22159, 22800, 22804, 90005, 90009, 90012, and 90015 of the CCFPL related to the offering and provision of commercial financing and other financial products and services to small businesses, nonprofits, and family farms. According to DFPI’s notice, section 22800 subdivision (d) authorizes the Department to define unfair, deceptive, and abusive acts and practices in connection with the offering or provision of commercial financing. Section 90009, subdivision (e), among other things, authorizes the Department’s rulemaking to include data collection and reporting on the provision of commercial financing or other financial products and services.

    Among other things, the NPRM:

    • Clarifies that the CCFPL makes it unlawful for covered providers, as defined, to engage in unfair, deceptive, or abusive acts or practices;
    • Provides standards for determining whether an act or practice is unfair, deceptive, or abusive;
    • Defines small business, nonprofit, and family farm, among other terms;
    • Clarifies DFPI's ability to enforce the regulation’s provisions;
    • Requires covered providers to submit annual reports containing information about their provision of commercial financing or other financial products and services to small businesses, nonprofits, and family farms;
    • Identifies persons excluded from the reporting requirement;
    • Specifies the information required in the reports and provides guidance on calculating or determining certain information;
    • Clarifies the obligations of those also submitting annual reports to DFPI as licensees under the California Financing Law.

    Written comments on the NPRM are due by August 8.

    State Issues Agency Rule-Making & Guidance DFPI California Commercial Finance UDAAP Small Business Financing

  • District Court grants defendant’s judgment in FDCPA suit over dispute response

    Courts

    On June 21, the U.S. District Court for the Western District of North Carolina granted a defendant’s motion for judgment on the pleadings in an FDCPA case concerning dispute responses over a debt. According to the order, the defendants—who represented a bank—sent a letter to the plaintiff attempting to collect an unpaid credit card debt. The letter included information about the creditor, the outstanding balance, and a validation notice. The plaintiff disputed the debt and requested validation of charges, payments, and credits on the account. The defendants responded with another letter, providing information about the original creditor and the balance of the unpaid debt. The plaintiff then sent another letter to the defendants requesting the original account agreement, all original account level documentation, and a “wet ink signature of the contractual obligation.” The defendants filed a collection suit against the plaintiff. The plaintiff filed suit in response, alleging the collection lawsuit violated the FDCPA and North Carolina state law because it “unjustly” condemned and vilified plaintiff for his non-payment of the alleged debt.

    The court found that the “[p]laintiff’s allegations misconstrue the obligations of the debt collector in verifying the debt.” The court also noted that the FDCPA did not require the defendants to provide “account level documentation,” stating that “[v]erification only requires a showing that the amount demanded ‘is what the creditor is claiming is owed,’ not conclusive proof of the debt.”

    Courts North Carolina State Issues FDCPA Debt Collection Consumer Finance

  • Hawaii enacts licensing legislation

    On June 17, the Hawaii governor signed two bills into law. HB 2113 permits money transmitter license applicants to submit to either a state or federal criminal history record check, rather than both, upon application. SB 1105 establishes that, in addition to application fees, and any fees required by NMLS, a mortgage loan originator licensee must pay a mortgage loan recovery fund fee of $200, and upon application for renewal of a license, a mortgage loan originator licensee must pay $100. The bill also permits a person aggrieved by the fraud, misrepresentation, or deceit of a mortgage loan originator company licensee to receive restitution payment upon a final court order. The bills are effective July 1.

    Licensing State Issues State Legislation Hawaii Money Service / Money Transmitters Mortgages Mortgage Origination NMLS

  • District Court approves $1.4 million FCRA settlement

    Courts

    On June 17, the U.S. District Court for the Southern District of California granted final approval of a class action settlement resolving claims that a hospitality company violated the FCRA and various California laws. According to the order, plaintiffs filed a putative class action alleging that the company violated the FCRA by failing to make proper disclosures and obtain proper authorization during its hiring process. Additionally, the plaintiffs claimed that the company’s background check forms were allegedly defective because they “contained information for multiple states for whom background checks were run” in violation of California’s Investigative Consumer Reporting Agencies Act and other California laws. Under the terms of the settlement, the defendant will pay nearly $1.4 million, of which class members will receive $821,714 in total ($63.29 per class member), $10,127 will go towards settlement administration costs, $349,392 will cover attorneys’ fees, and $5,000 will be paid to each of the two named plaintiffs.

    Courts Consumer Finance Credit Report FCRA Class Action Settlement State Issues California
