InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Deputy Attorney General Rod Rosenstein Issues Remarks on Individual Accountability for Corporate Wrongdoing
Deputy Attorney General Rod Rosenstein recently issued remarks highlighting the importance of the DOJ’s consistency in enforcing policies “hold[ing] individuals accountable for corporate wrongdoing.” In particular, Deputy AG Rosenstein stated that the agency should focus on improving the recent track record of bringing criminal proceedings against company employees and commented that “consistency promotes fairness and enhances respect for the rule of law.” His remarks also touched on the Yates Memo and the FCPA Pilot Program, noting the appropriateness of focusing on individual officer or director liability.
The comments are yet another in the steady drumbeat of calls, both internal and external to the DOJ, for DOJ enforcement strategy to hold individual corporate employees accountable for FCPA violations, although how much that strategy is being implemented remains to be seen. A recent review of DOJ corporate FCPA enforcement actions notes that the last 20 such actions have lacked related criminal charges against company employees, and going back to 2008, approximately 80% of DOJ corporate FCPA enforcement actions have lacked related criminal charges against company employees. As Deputy AG Rosenstein’s comments concluded: “When we are serious about wanting people to follow rules, it does no good merely to post them. We need to make clear our intent to enforce the rules, with sufficient vigor that people fear the consequences of violating them.”
FTC, State AGs Announce Nationwide Crackdown Against Student Loan Debt Relief Scams
On October 13, in partnership with 11 states and the District of Columbia, the FTC announced a federal-state law enforcement initiative to combat deceptive student loan debt relief scams. According to the FTC, “Operation Game of Loans” targets companies that engage in practices that harm student loan borrowers, such as allegedly (i) charging illegal upfront fees; (ii) making false or misleading statements promising, among other things, debt relief, loan forgiveness, reduced interest rates, and credit repair services; (iii) pretending to be affiliated with the government or loan servicers; (iv) engaging in deceptive marketing practices; (v) pocketing consumer fees rather than applying the money towards student loan balances; and (vi) charging consumers for document preparation services that are readily available to consumers for free. According to a press release issued by the FTC, the initiative “encompasses 36 actions by the FTC and state attorneys general against scammers alleged to have used deception and false promises of relief to take more than $95 million in illegal upfront fees from American consumers over a number of years.”
That same day, as part of “Operation Game of Loans,” Attorney General Lisa Madigan announced a lawsuit against a pair of entities (defendants) accused of allegedly violating Illinois law by charging upfront fees for services guaranteed to “lower monthly student loan payments, improve credit scores, get students out of default, and negotiate tax and student loan debt adjustments.” The complaint further alleges that not only do the defendants lack the ability to provide the advertised services, they also allegedly impersonate students to gain access to students’ Federal Student Aid IDs (the federal government prohibits entities from accessing federal student aid websites even if authorized by the borrower), and fail to refund consumers—as promised—if they fail to provide debt relief. The complaint seeks injunctive relief, restitution, and civil penalties.
New York AG, Auto Dealers Reach Settlement Over Advance Fee Allegations That Triggered Inflated Vehicle Prices
On October 12, New York Attorney General Eric T. Schneiderman announced separate settlements (here and here) with two auto dealer groups to resolve allegations that they violated state and federal law by charging upfront fees for “after-sale” credit repair and identity theft protection services, which were provided by a third party, and bundling those fees into vehicle sale or lease prices. According to the settlements, the groups—which have neither admitted nor denied the allegations—are required to pay affected consumers more than $900,000 in restitution and pay a $135,000 fine to the state. The settlements also prohibit the groups from selling or marketing credit repair or identity theft protection services and require that consumers be informed—both orally and in writing—of any other “after-sale” products.
Coalition of State Attorneys General Urge Credit Reporting Agencies to Offer No-Fee Credit Freeze
On October 10, a coalition of 37 state attorneys general sent letters (here and here) to the CEOs of two major credit reporting agencies (CRAs), urging them to stop charging fees to consumers seeking credit freezes as a measure to protect against identity theft in light of a third CRA’s massive data breach. On September 15, as previously reported in InfoBytes, 34 state attorneys general sent a letter to the breached CRA’s legal counsel requesting it disable fee-based credit monitoring services. The October 10 letters note that currently seven states prohibit CRAs from charging fees to consumers for credit freezes and at least two other states have proposed legislation that would require CRAs to offer free credit freezes.
Senate Special Committee Hearing Focuses on Continuing Efforts to Combat Illegal Robocalls
On October 4, the Senate Special Committee on Aging (Committee) held a hearing entitled “Still Ringing Off the Hook: An Update on Efforts to Combat Robocalls” to discuss efforts to combat illegal robocalls. Committee Chairman Susan M. Collins (R-Me.) opened the hearing by reinforcing the importance of utilizing technology not only to block robocalls but to better understand the scams that continue to impact consumers. Sen. Collins also stressed the positive impact “aggressive law enforcement” has had on these efforts.
According to a hearing-related press release issued by the FTC, the Commission received more than 3.4 million robocall complaints from consumers in 2016 and at least another 3.5 million complaints between January and August 2017. The FTC’s ongoing efforts to address these complaints include: (i) initiating enforcement actions targeting robocall violators; (ii) cooperating with law enforcement at the state, federal, and international level to develop solutions to prevent and detect calls; and (iii) as previously discussed in InfoBytes, publicly posting robocall numbers received from consumer complaints to help enable industry groups develop call-blocking solutions. The following four witnesses offered testimony on industry and state efforts to protect consumers from scams and increase education efforts.
- Ms. Lois C. Greismann, Associate Director of the Division of Marketing Practices, Bureau of Consumer Protection, FTC (testimony);
- The Honorable Josh Shapiro, Pennsylvania Attorney General (testimony);
- Mr. Kevin Rupy, Vice President for Law and Public Policy, USTelecom (testimony); and
- Ms. Genie Barton, President, BBB Institute for Marketplace Trust (testimony).
AG Coalition Urges Department of Education to Reconsider Termination of MOUs With CFPB
On September 26, Pennsylvania Attorney General Josh Shapiro, along with 18 other state attorneys general (state AGs) and the Executive Director of the Hawaii Office of Consumer Protection, issued a letter to U.S. Department of Education (Department) Secretary Betsy DeVos in reaction to the Department’s August 31 letter to the CFPB, which terminated two Memoranda of Understanding (MOUs) that previously permitted the sharing of information in connection with the oversight of federal student loans. (See previous InfoBytes coverage regarding the MOUs here.) The letter to Secretary DeVos urges the Department to reconsider the termination of the MOUs and offers support for the work the CFPB has done—often in partnership with the Department and state AGs—to protect the millions of students and families that are repaying student loans. The State AGs contend the Department “falsely asserted it has exclusive jurisdiction over companies that service federal student loans when, in fact, student loan servicers are under the jurisdiction of the CFPB, [FTC], [DOJ], [state AGs] and other law enforcement agencies.” The state AGs further claim that the termination of the MOUs removes “critical protections” that were in place to “streamline the supervision of student loan servicers” and assist borrowers trying to resolve complaints related to their student loans. The letter cites several actions initiated by state AGs against the Department for allegedly abandoning its responsibility to protect student loan borrowers over the past seven months, including the Department’s decision to delay the Borrower Defense Rule and roll back the Borrower Defense and Gainful Employment Rules.
Massachusetts AG Takes Action Against Auto Dealer for Deceptive Marketing and Sales Tactics
On September 26, Massachusetts Attorney General Maura Healey announced a lawsuit against a large auto dealership and its in-house lender for allegedly misleading consumers into purchasing unfavorable sale packages. According to the Commonwealth’s complaint, filed in the Suffolk County Superior Court, the auto dealer purportedly (i) sold consumers cars priced at more than double their retail value; (ii) extended loans to consumers with an APR of 20 percent, regardless of credit qualifications; and (iii) combined these sales with an expensive and limited service contract. The complaint further alleges that because of these sales practices and a faulty underwriting process, more than half of the auto dealer’s sales fail or end in repossession. The complaint seeks injunctive relief, restitution, civil penalties, and attorney fees.
Data Breach Fallout Continues: Lawsuit Filed by Massachusetts AG, NYDFS Cybersecurity Regulation to Possibly Include Credit Reporting Agencies, and Joint Letter Sent From 34 States Requesting Fee-Based Credit Monitoring Service Be Disabled
The impact from the September 7 announcement that a major credit reporting agency suffered a data breach continues to be far reaching. On September 15, the agency issued a press release announcing additional information concerning its internal investigation, as well as responses to consumer concerns about arbitration and class-action waiver provisions in the Terms of Use applicable to its support package and regarding security freezes.
Massachusetts AG Lawsuit. On September 19, Massachusetts Attorney General Maura Healey announced it had filed the first enforcement action in the nation against the credit reporting agency. The complaint, filed in Massachusetts Superior Court, alleges that the agency ignored cybersecurity vulnerabilities for months before the breach occurred and claims that the agency could have prevented the data breach had it “implemented and maintained reasonable safeguards, consistent with representations made to the public in its privacy policies, industry standards, and the requirements of [the Massachusetts Data Security Regulations],” which went into effect March 1, 2010. The failure to secure the consumer information in its possession, the complaint asserts, constitutes an “egregious violation of Massachusetts consumer protection and data privacy laws.” Causes of action under the complaint arise from (i) the agency’s failure to provide prompt notice to the commonwealth or the public; (ii) the agency’s failure to safeguard consumers’ personal information; and (iii) the agency engaging in unfair or deceptive acts or practices under Massachusetts law. The commonwealth seeks, among other things, civil penalties, disgorgement of profits, and restitution.
NYDFS Cybersecurity Regulation. On September 18, New York Governor Andrew M. Cuomo directed NYDFS to issue a proposed regulation that would expand the state’s “first-in-the-nation” cybersecurity standard to include credit reporting agencies and to require the agencies to register with NYDFS. The annual reporting obligation would, according to a press release issued by NYDFS, grant it the authority to deny or revoke a credit reporting agency’s authorization to do business with New York’s regulated financial institutions should the agency be found in violation of certain prohibited activities, including engaging in unfair, deceptive or predatory practices. Under the proposed regulation, credit reporting agencies would be subject to compliance examinations by NYDFS, would be required to initially register with NYDFS by February 1, 2018 and annually thereafter, and would be required to comply with cybersecurity regulations starting on April 4, 2018, in accordance with a phased-in compliance schedule. On the same day, NYDFS issued a separate press release urging New York state chartered and licensed financial institutions to take immediate action to protect consumers in light of the recent credit reporting agency data breach. The guidance presented in the release by the NYDFS is provided in conjunction with the state’s cybersecurity regulations.
State Attorneys General Request. On September 15, a letter co-authored by 34 state attorneys general was sent to the credit reporting agency’s legal counsel. The letter expresses concern over the agency’s conduct since the disclosure of the breach, including the offer of both fee-based and a free credit monitoring services, the waiver of certain consumer rights under the agency’s terms of service, and the charges incurred by consumers for a security freeze with other credit monitoring companies. Specifically, the attorneys general objected to the agency “using its own data breach as an opportunity to sell services to breach victims,” and argued that “[s]elling a fee-based product that competes with [the agency’s] own free offer of credit monitoring services to [data breach victims] is unfair, particularly if consumers are not sure if their information was compromised.” Accordingly, the letter requests that the agency temporarily disable links to fee-based services and extend the offer of free services until at least January 31, 2018. Further, the letter also expresses concern that consumers must pay for a security freeze with other credit monitoring companies and states that the agency should reimburse consumers who incur fees to completely freeze their credit.
Legislators, State Attorneys General, and Consumers React to Credit Reporting Agency Data Breach
As previously reported in InfoBytes, a major credit reporting agency suffered a data breach from mid-May through the end of July that impacted approximately 143 million U.S. consumers. Shortly after the agency disclosed the breach, several Republican and Democratic lawmakers promised legislative action. Senator Brian Schatz (D-Haw.) reintroduced the Stop Errors in Credit Use and Reporting (SECURE) Act to address these issues. In addition, two committees—the House Financial Services Committee and the House Energy and Commerce Committee—both announced plans to hold hearings on the breach (dates still to be released). Separately, Representative Ted Lieu (D-Cal.) sent a letter to the House Judiciary Committee requesting a hearing to investigate how and why the data breach occurred, and what measures can be taken to prevent future incidents.
At least two class action lawsuits have been filed—in Georgia and Oregon—as a result of the breach, and several state attorneys general, including New York Attorney General Eric T. Schneiderman, have launched investigations into the matter. The CFPB also released a blog post for consumers on ways to identify signs of fraud or identity theft.
Notably, on September 11, the agency issued an update for consumers announcing that “in response to consumer inquiries,” the arbitration clause and class action waiver included in its terms of use will not “apply to this cybersecurity incident.” The CFPB’s final arbitration rule, which prohibits the use of mandatory pre-disputer arbitration clauses, has been a point of considerable debate this summer, with the House voting to repeal the proposed rule and the Senate introducing a similar measure (see InfoBytes post here), while a coalition of state attorneys general have issued support for the proposed rule (see InfoBytes post here).
FTC and 32 States Settle Charges with Computer Manufacturer Concerning Preinstalled Software that Allegedly Compromised Online Security
On September 5, the FTC announced that, along with 32 state attorneys general, it had entered into a consent order with a global computer manufacturer to settle charges that it had preloaded advertising software on certain laptops that compromised consumers’ security protections. According to a complaint filed by the FTC, as well as complaints filed by the state attorneys general (see New Jersey Attorney General’s complaint), the manufacturer allegedly began selling the preloaded laptops beginning in August 2014. The software program—using a technique known as a “man-in-the-middle”—was able to access and collect consumers’ personal information that was transmitted over the internet, including login credentials, social security numbers, financial details, medical information, and email communications, without the consumers’ permission. The process entailed replacing the security certificates of visited encrypted websites with the software’s own certificates that could be easily compromised. The digital certificate substitution created multiple security vulnerabilities, which, among other issues, prevented consumers’ browsers from warning users if they visited “potentially spoofed or malicious websites with invalid digital certificates.” The FTC noted in its complaint that “[t]his practice violated basic encryption key management principles because attackers could exploit this vulnerability to issue fraudulent digital certificates that would be trusted by consumers' browsers.”
According to the complaints, the manufacturer allegedly (i) did not disclose to consumers prior to purchase that the problematic software had been installed; (iii) failed to warn consumers about the security vulnerability; and (iii) unfairly preinstalled software, which acted as a “man-in-the-middle” between consumers and visited websites—all of which are violations of state consumer protection laws and the Federal Trade Commission Act. The complaints further alleged that the manufacturer failed to provide consumers with an easy way to effectively opt out of the preinstalled software.
The terms of the FTC consent order stipulate the following: (i) the manufacturer is prohibited from making misleading representations about any software feature; (ii) consumers must affirmatively grant consent before this type of software may be installed, and the manufacturer must provide instructions for consumers to revoke consent or opt out; and (iii) a comprehensive software security program must be developed and implemented to address new and existing software security risks and will be subject to third-party biennial assessments for the next 20 years. The judgment reached with the state attorneys general also imposes a $3.5 million settlement to be divided between the states.