On July 22, the CFPB, FTC, and 48 states, the District of Columbia and Puerto Rico announced a settlement of up to $700 million with a major credit reporting agency to resolve federal and state investigations into a 2017 data breach that reportedly compromised sensitive information for approximately 147 million consumers. According to the complaints (see here and here) filed in the U.S. District Court for the Northern District of Georgia, the company allegedly engaged in unfair and deceptive practices by, among other things, (i) failing to provide reasonable security for the sensitive personal information stored within its network; (ii) deceiving consumers about its data security program capabilities; and (iii) failing to patch its network after being alerted in 2017 to a critical security vulnerability.
Under the terms of the proposed settlements (see here and here), pending final court approval, the company will pay up to $425 million in monetary relief to consumers and provide credit monitoring to affected individuals, as well as six free credit reports each year for seven years to all U.S. consumers. The company must also pay $175 million to 48 states, the District of Columbia and Puerto Rico, and a $100 million civil money penalty to the Bureau. The $425 million fund will also compensate consumers who bought credit- or identity-monitoring services from the company and paid other expenses as a result of the breach. The company must also, among other things, implement a comprehensive information security program that will require annual assessments of security risks and safeguard measures, obtain third-party information security assessments, and acquire annual certifications from the board of directors that the company has complied with the settlements.
On July 12, it was reported that the FTC has approved a $5 billion penalty against the world’s largest social media company for allegedly mishandling its users’ personal information. The reported settlement would be the largest privacy penalty ever levied by the agency. According to reports, the settlement, which was approved in a 3-2 vote, resolves allegations that the company allowed a British consulting firm access to 87 million users’ personal data for political consulting purposes in violation of a 2012 privacy settlement with the FTC. Neither the FTC nor the social media company have commented on the reported settlement, which is still pending approval from the Department of Justice.
On July 17, the FTC released a notice seeking comment on a wide range of issues related to the Children’s Online Privacy Protection Rule (COPPA Rule). The FTC last amended COPPA in 2013, and while the FTC usually reviews its rules every 10 years, the FTC notes that “[r]apid changes in technology, including the expanded use of education technology, reinforce the need to re-examine the COPPA Rule at this time.” The notice seeks comment on all major provisions of the COPPA Rule, including definitions, notice and parental consent requirements, exceptions to verifiable parental consent, and the safe harbor provision. Additionally, the notice seeks responses to specific questions, including (i) has the Rule affected the availability of websites or online services directed to children?; (ii) does the Rule correctly articulate the factors to consider in determining whether a website or online service is directed to children, or should additional factors be considered?; and (iii) what are the implications for COPPA enforcement raised by technologies such as interactive television, interactive gaming, or other similar interactive media? Comments must be received within 90 days after publication in the Federal Register.
On July 16, the U.S. Court of Appeals for the 9th Circuit affirmed summary judgment in favor of the FTC in an action alleging two attorneys controlled or participated in a mortgage relief scheme, which falsely told consumers they could join “mass joinder” lawsuits that would save them from foreclosure and provide additional financial awards. In September 2017, the district court granted summary judgment against both defendants, concluding that the defendants knowingly deceived consumers when they falsely marketed that consumers could expect to receive $75,000 in damages or “a judicial determination that the mortgage lien alleged to exist against their particular property is null and void ab initio” if they agreed to join mass joinder lawsuits against their mortgagors. The operation resulted in over $18 million in revenue from the participating consumers.
On appeal from one defendant, the 9th Circuit agreed with the district court, determining the FTC provided “sufficient undisputed facts to hold [the defendant] individually liable for injunctive relief at summary judgment.” Specifically, the appellate court agreed that the FTC sufficiently proved three separate legal entities, one of which the defendant was the co-owner and corporate officer, “operate[d] together as a common enterprise,” which violated the FTC Act and Mortgage Assistance Relief Services Rule with their mortgage relief operation. Moreover, the appellate court determined that the defendant was “at least recklessly indifferent to [the other entities’] misrepresentations,” based on his knowledge of previous schemes operated by the other owners and reliance on a non-lawyer’s assurance that the marketing materials had been “legally approved,” making him “jointly and severally liable for restitution for the corporation’s unjust gains in violation of the FTC Act.”
On July 11, the FTC announced it was charging a student loan debt relief operation with violations of the FTC Act and the Telemarketing Sales Rule for allegedly engaging in deceptive practices when marketing and selling its debt relief services. The complaint alleges that the operators of the scheme, among other things, (i) charged borrowers illegal advance fees; (ii) falsely claimed they would service and pay down borrowers’ student loans; and (iii) obtained borrowers’ credentials in order to change consumers’ contact information and prevent communications from loan servicers. According to the FTC, the defendants allegedly collected more than $23 million from consumers, and when asked why their payments were not being applied to their loans, the defendants “informed consumers that their entire payments had been collected as ‘handling’ or ‘management’ fees.” On July 10, the U.S. District Court for the Central District of California issued a temporary restraining order and asset freeze at the FTC’s request. The FTC seeks a permanent injunction against the defendants to prevent future violations, as well as redress for injured consumers through “rescission or reformation of contracts, restitution, the refund of monies paid, and the disgorgement of ill-gotten monies.”
On July 1, the FTC announced, together with the New York attorney general, a settlement with two New York-based phantom debt operations and their principals (collectively, “defendants”) resolving allegations that the operations bought, placed for collection, sold lists of, and collected on fake debts that consumers did not owe. As previously covered by InfoBytes, the June 2018 complaint alleged that the defendants ran a deceptive and abusive debt collection scheme in violation of the FTC Act, the FDCPA, and New York state law. The settlement order against one company and its owners bans the defendants from debt collection activities, including buying, placing for collection, and selling debt. The order requires the defendants to pay a combined $676,575, suspending the total judgment of $6.75 million, due to inability to pay. The settlement order against the other company and its owner prohibits the defendants from engaging in unlawful collection practices and requires the payment of $118,000, suspending the total judgment of $4.94 million, due to inability to pay.
On June 27, the FTC held its fourth annual PrivacyCon, which hosted research presentations on a wide range of consumer privacy and security issues. Following opening remarks by FTC Chairman Joseph Simons, the one-day conference featured four plenary sessions covering a number of hot topics:
- Session 1: Privacy Policies, Disclosures, and Permissions. Five presenters discussed various aspects of privacy policies and notices to consumers. The panel discussed current trends showing that privacy notices to consumers have generally become lengthier in recent years, which helps cover the information regulators require, but often results in information overload for consumers more generally. One presenter advocated the concept of a condensed “nutrition label” for privacy, but acknowledged the challenge of distilling complicated activities into short bullets.
- Session 2: Consumer Preferences, Expectations, and Behaviors. This panel addressed research concerning consumer expectations and behaviors with regard to privacy. Among other anecdotal information, the presenters noted that many consumers are aware that personal data is tracked, but consumers are generally unaware of what data collectors ultimately do with the personal data once collected. To that end, one presenter advocated prescriptive limits on data collection in general, which would take the onus off consumers to protect themselves. Separately, with regard to the Children’s Online Privacy Protection Act (COPPA), one presenter noted that the law generally aligns with parents’ privacy expectations, but the implementing regulations and guidelines are too broad and leave too much room for implementation variations.
- Session 3: Tracking and Online Advertising. In the third session, five presenters covered topics ranging from the privacy implications of free versus paid-for applications to the impact of the EU’s General Data Protection Regulation (GDPR). According to the presenters, current research suggests that the measurable privacy benefits of paying for an app are “tenuous at best,” and consumers cannot be expected to make informed decisions because the necessary privacy information is not always available in the purchase program on a mobile device such as a phone. As for GDPR, the panel agreed that there are notable reductions in web use, with page views falling 9.7 percent in one study, although it is not clear whether such reduction is directly correlated to the May 25, 2018 effective date for enforcement of GDPR.
- Session 4: Vulnerabilities, Leaks, and Breach Notifications. In the final session, presenters discussed new research on how companies can mitigate data security vulnerabilities and improve remediation. One presenter discussed the need for proactive identification of vulnerabilities, noting that the goal should be to patch the real vulnerabilities and limit efforts related to vulnerabilities that are unlikely to be exploited. Another presenter analyzed data breach notifications to consumers, noting that all 50 states have data breach notification laws, but there is no consensus as to best practices related to the content or timing of notifications to consumers. The presenter concluded with recommendations for future notification regulations: (i) incorporate readability testing based on standardized methods; (ii) provide concrete guidelines on when customers need to be notified, what content needs to be included, and how the information should be presented; (iii) include visuals to highlight key information; and (iv) leverage the influence of templates, such as the model privacy form for the Gramm-Leach-Bliley Act.
On June 24, the FTC finalized the “Free Electronic Credit Monitoring for Active Duty Military Rule,” which implements the Economic Growth, Regulatory Relief, and Consumer Protection Act requirement for nationwide consumer reporting agencies (CRAs) to provide free electronic credit monitoring services for active duty military consumers. The proposed rule, issued in November 2018 (covered by InfoBytes here), defined the term “electronic credit monitoring service” as a service through which the CRAs provide, at a minimum, electronic notification of material additions or modifications to a consumer’s file, and required CRAs to notify active duty military consumers within 24 hours of any material change. The proposal noted that CRAs may require that active duty military consumers provide contact information, proof of identity, and proof of active duty status in order to use the free service, and outlined how a servicemember may prove active duty status, such as with a copy of active duty orders. Additionally, the proposal prohibited CRAs from requiring active duty military consumers to purchase a product in order to obtain the free service.
In response to comments on the proposal, the final rule refers to the definition of “active duty military consumer” in the FCRA, which requires that the servicemember be assigned to service away from their usual duty station, or be a member of the National Guard, regardless of whether the National Guard member is stationed away from their normal duty station. The FTC noted that commenters requested the requirement that the servicemember be stationed away from their normal duty station be eliminated but “the statutory language limit[ed] the Commission’s discretion on [the] topic.” However, the FCRA does not apply the same duty station requirement to the National Guard. Additionally, the final rule, among other things (i) requires CRAs to provide free access to a credit file when it notifies an active duty military consumer about a material change to the file; (ii) extends the amount of time the CRAs have to notify an active duty military consumer of a material change from 24 hours to 48 hours; and (iii) prohibits CRAs from requiring that active duty military consumers agree to terms or conditions as a requirement to obtain their free credit file, unless the terms or conditions are necessary to comply with certain legal requirements.
While the final rule goes into effect three months after publication in the Federal Register, CRAs will be allowed to comply with certain portions of the final rule by offering existing credit monitoring services to active duty military consumers for free, for a period of up to one year from the effective date.
On June 25, the FTC announced a major crackdown on illegal robocalls named “Operation Call it Quits,” which includes 94 enforcement actions from around the country brought by the FTC and 25 other federal, state, and local agencies. In addition to actions targeting the actors, the operation also includes a consumer education initiative and promotion of the development of technology-based solutions to block robocalls and fight caller ID spoofing. In addition to the 87 other enforcement actions brought under the initiatives, the FTC announced four new actions, some of which were filed by the DOJ on the FTC’s behalf, and three new settlements targeting robocallers for violations of the FTC Act and the Telemarketing Sales Rule (TSR), among other things. The FTC alleges many of the actors used illegal robocalls to contact financially distressed consumers regarding interest rate reductions, sell fraudulent money-making opportunities, pitch free medical alert systems, or develop leads for solar energy companies. The affected consumers in these actions were often listed on the Do Not Call Registry. The FTC provided a complete list of the 94 actions brought under Operation Call it Quits.
State Attorneys General participating in the initiative are: Alabama, Arizona, Colorado, Florida, Illinois, Indiana, Michigan, Missouri, North Carolina, North Dakota, Ohio, Oregon, Pennsylvania, Texas, and Virginia. Additionally, local agencies include: the Consumer Protection Divisions of the District Attorneys for the Counties of Los Angeles, San Diego, Riverside, and Santa Clara, California; the Florida Department of Agriculture and Consumer Services; and the Los Angeles City Attorney.
On June 21, the FTC announced that the U.S. District Court for the District of Connecticut temporarily halted the operation of an alleged credit repair scheme based on allegations that the company charged illegal upfront fees and falsely claimed to substantially improve consumers’ credit scores in violation of the FTC Act, the Credit Repair Organizations Act, the Telemarketing Sales Rule (TSR), the Consumer Review Fairness Act, TILA, and the EFTA. According to the complaint, since 2014, the company, among other things, (i) claims it can improve consumers’ credit scores by removing negative items and hard inquiries from credit reports; (ii) charges advance fees for its services; (iii) does not provide the required disclosures for its services, including credit transaction disclosures related to the financing of the service fees; (iv) engages in electronic funds transfers from consumers’ bank accounts without proper authorization; and (v) threatens consumers with legal action after consumers complain about the lack of results. The court order requires the company to temporarily cease its operations and freezes the company’s assets.