InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
DOJ and FTC find UDAPs in handling of women’s health data
On June 23, the DOJ and FTC announced the government has obtained substantial injunctive relief, and that the department will collect $100,000 in civil penalties, from an Illinois-based healthcare corporation pursuant to a stipulated federal court order. In the complaint, the United States claimed that the corporation violated Section 5 of the FTC Act, in which the defendant engaged in unfair and deceptive acts in connection with its period and ovulation tracking mobile app. The government alleged that the corporation shared consumers’ persistent identifiers and sensitive personal information to third-party companies without user notice or consent. Additionally, the corporation allegedly failed to disclose how those third-party companies would use consumers’ personal information. The complaint also alleges the corporation failed to take “reasonable measures” surrounding data and privacy risk when they integrated third-party software into the mobile application, and that they violated the HBNR.
The order entered by the court requires that the corporation: (i) “implement a comprehensive privacy and data security program with safeguards to protect consumer data”; (ii) “hire an independent third-party to regularly assess its compliance with the privacy program for a period of 20 years”; (iii) “[is] enjoined from sharing health information with third-parties for advertising purposes, from sharing health information with third-parties for other purposes without obtaining users’ affirmative express consent, and from making misrepresentations about [the corporation’s] privacy practices”; and (iv) comply with the HBNR’s notification provisions in any future breach of Security.
CFPB, FTC, and consumer advocates ask 7th Circuit to review redlining dismissal
The CFPB recently filed its opening brief in the agency’s appeal of a district court’s decision to dismiss the Bureau’s claims that a Chicago-based nonbank mortgage company and its owner violated ECOA by engaging in discriminatory marketing and consumer outreach practices. As previously covered by InfoBytes, the Bureau sued the defendants in 2020 alleging fair lending violations predicated, in part, on statements made by the company’s owner and other employees during radio shows and podcasts. The agency claimed that the defendants discouraged African Americans from applying for mortgage loans and redlined African American neighborhoods in the Chicago area. The defendants countered that the Bureau improperly attempted to expand ECOA’s reach and argued that ECOA “does not regulate any behavior relating to prospective applicants who have not yet applied for credit.”
In dismissing the action with prejudice, the district court applied step one of the Chevron framework (which is to determine “whether Congress has directly spoken to the precise question at issue”) when reviewing whether the Bureau’s interpretation of ECOA in Regulation B is permissible. The court concluded, among other things, that Congress’s directive does not apply to prospective applicants.
In its appellate brief, the Bureau argued that the long history of Regulation B supports the Bureau’s interpretation of ECOA, and specifically provides “that ‘[a] creditor shall not make any oral or written statement, in advertising or otherwise, to applicants or prospective applicants that would discourage on a prohibited basis a reasonable person from making or pursuing an application.” While Congress has reviewed ECOA on numerous occasions, the Bureau noted that it has never challenged the understanding that this type of conduct is unlawful, and Congress instead “created a mandatory referral obligation [to the DOJ] for cases in which a creditor has unlawfully ‘engaged in a pattern or practice of discouraging or denying applications for credit.’”
Regardless, “even if ECOA’s text does not unambiguously authorize Regulation B’s prohibition on discouraging prospective applicants, it certainly does not foreclose it,” the Bureau wrote, pointing to two perceived flaws in the district court’s ruling: (i) that the district court failed to recognize that Congress’s referral provision makes clear that “discouraging . . . applications for credit” violates ECOA; and (ii) that the district court incorrectly concluded that ECOA’s reference to applicants “demonstrated that Congress foreclosed prohibiting discouragement as to prospective applicants.” The Bureau emphasized that several courts have recognized that the term “applicant” can include individuals who have not yet submitted an application for credit and stressed that its interpretation of ECOA, as reflected in Regulation B’s discouragement prohibition, is not “arbitrary, capricious, or manifestly contrary to the statute.” The Bureau argued that under Chevron step two (which the district court did not address), Regulation B’s prohibition on discouraging prospective applicants from applying in the first place is reasonable because it furthers Congress’ efforts to prohibit discrimination and ensure equal access to credit.
Additionally, the FTC filed a separate amicus brief in support of the Bureau. In its brief, the FTC argued that Regulation B prohibits creditors from discouraging applicants on a prohibited basis, and that by outlawing this type of behavior, it furthers ECOA’s purpose and prevents its evasion. In disagreeing with the district court’s position that ECOA only applies to “applicants” and that the Bureau cannot proscribe any misconduct occurring before an application is filed, the FTC argued that the ruling violates “the most basic principles of statutory construction.” If affirmed, the FTC warned, the ruling would enable creditor misconduct and “greenlight egregious forms of discrimination so long as they occurred ‘prior to the filing of an application.’”
Several consumer advocacy groups, including the National Fair Housing Alliance and the American Civil Liberties Union, also filed an amicus brief in support of the Bureau. The consumer advocates warned that “[i]nvalidating ECOA’s longstanding prohibitions against pre-application discouragement would severely limit the Act’s effectiveness, with significant consequences for communities affected by redlining and other forms of credit discrimination that have fueled a racial wealth gap and disproportionately low rates of homeownership among Black and Latino households.” The district court’s position would also affect non-housing credit markets, such as small business, auto, and personal loans, as well as credit cards, the consumer advocates said, arguing that such limitations “come at a moment when targeted digital marketing technologies increasingly allow lenders to screen and discourage consumers on the basis of their protected characteristics, before they can apply.”
CFPB opposes Texas bankers’ request to delay small biz lending rule
The CFPB recently asked a district court in the 5th Circuit to deny a proposed injunction which would delay the implementation of its small-business lending data collection rule, arguing that plaintiffs have failed to establish standing or meet the requirements for preliminary relief. As previously covered by InfoBytes, plaintiffs (including a Texas banking association and a Texas bank) sued the Bureau, challenging the agency’s final rule on the collection of small business lending data. The small business lending rule, which implements Section 1071 of the Dodd-Frank Act, requires financial institutions to collect and provide to the Bureau data on lending to small businesses with gross revenue under $5 million in their previous fiscal year.
Plaintiffs explained in their complaint that the goal of invalidating the final rule is premised on the argument that it will drive from the market smaller lenders who are not able to effectively comply with the final rule’s “burdensome and overreaching reporting requirements” and decrease the availability of products to customers, including minority and women-owned small businesses. Plaintiffs also argued that the final rule is invalid because the Bureau’s funding structure is unconstitutional and that certain aspects of the final rule allegedly violate various requirements of the Administrative Procedure Act. Last month, plaintiffs filed a preliminary injunction motion asking the court to enjoin the final rule and stay the compliance deadlines.
Claiming plaintiffs failed to establish standing for preliminary relief, the Bureau argued that the Texas bank has not demonstrated that it would even have to comply with the final rule. The Bureau further maintained plaintiffs have also not satisfied all four factors required for preliminary relief, including that plaintiffs “have not shown that irreparable harm is imminent or that the balance of equities favors the requested relief,” which would lead to the postponement of reporting requirements mandated by Congress more than ten years ago. With respect to the funding structure constitutionality concerns raised by plaintiffs, the Bureau argued that “even assuming that [p]laintiffs have shown a likelihood of ultimately succeeding on the merits … that factor standing alone would not be enough to warrant preliminary relief.” The Bureau asked the court to, at a minimum, tailor any relief to apply only to plaintiffs and members who would face imminent harm absent such relief.
7th Circuit: Insurer required to cover BIPA defense
On June 15, the U.S. Court of Appeals for the Seventh Circuit upheld a district court’s ruling requiring an insurance company to defend an Illinois-based IT company against two putative class actions alleging violations of the Illinois Biometric Information Privacy Act (BIPA). The insurance company sued for a declaration that, under its business liability insurance policy, it has no obligation to indemnify or defend the IT company in the two class actions. Class members alleged the IT company acted as a vendor for a company that “scraped” more than 3 billion facial scans and converted them into biometric facial recognition identifiers, which were then paired to images on the internet and sold via a database to the Chicago Police Department, in violation of BIPA.
The insurance company’s policy bars coverage for any distribution of material in violation of certain specific statutes or in violation of “[a]ny other laws, statutes, ordinances, or regulations” and asserted that this catch-all provision includes BIPA. The district court disagreed, ruling that the language of the policy’s statutory violations exclusion was “intractably ambiguous” and did not explicitly bar coverage of the underlying suits.
On appeal, the 7th Circuit agreed that the district court was correct in determining that a plain-text reading of the insurance policy’s “broad” and ambiguous catch-all coverage exclusion for “personal or advertising injury” would “swallow a substantial portion of the coverage that the policy otherwise explicitly purports to provide.” The 7th Circuit held that “the broad language of the catch-all exclusion purports to take away with one hand what the policy purports to give with the other in defining covered personal and advertising injuries.”
Although the 7th Circuit considered whether there was a “common element” related to privacy in the enumerated statutes that could be read to include BIPA, ultimately the appellate court determined that nothing in the exclusion language “points to privacy as the focus of the exclusion.”
7th Circuit: No causation in FCA claims against mortgage servicer
On June 14, the U.S. Court of Appeals for the Seventh Circuit affirmed a district court’s grant of summary judgment in favor of a defendant mortgage servicer, holding that while the plaintiff had sufficient proof of materiality with respect to alleged violations of the False Claims Act (FCA), plaintiff failed to meet her burden of proof on the element of causation. Plaintiff (formerly employed by the defendant as an underwriter) alleged the defendant made false representations to HUD in the course of certifying residential mortgage loans for federal insurance coverage. She maintained that HUD would not have endorsed the loans for federal insurance if it had known defendant was not satisfying the agency’s minimum underwriting guidelines. Defendant moved for summary judgment after the district court excluded the bulk of plaintiff’s “expert opinion,” arguing that plaintiff could not meet her evidentiary burden on the available record. The district court sided with defendant, ruling that as a matter of law, plaintiff could not prove either materiality (due to the lack of evidence that would allow “a reasonable factfinder to conclude that HUD viewed the alleged underwriting deficiencies as important”) or causation (the false statement caused the government’s loss).
On appeal, the 7th Circuit explained that to show proximate causation, plaintiff was required to identify evidence indicating that the alleged false certifications in reviewed loans were the foreseeable cause of later defaults, as defaults trigger HUD’s payment obligations. The appellate court noted that “it is not clear how a factfinder would even spot the alleged false statement in each loan file, let alone evaluate its seriousness and scope.” Without further evidence indicating how defendant’s alleged misrepresentations caused subsequent defaults, the plaintiff’s claims could not survive summary judgment.
However, the 7th Circuit disagreed with the district court’s reasoning with respect to materiality under the FCA. Although the district court held that plaintiff had failed to establish materiality, the appellate court determined that because HUD’s regulations “provide some guidance, in HUD’s own voice, about the false certifications that improperly induce the issuance of federal insurance, and those are precisely the false certifications present here” there was enough evidence to “clear the summary judgment hurdle” on this issue.
District Court: Servicer’s QWR responses did not violate RESPA
The U.S. District Court for the Western District of Washington recently granted summary judgment in favor of a defendant mortgage servicer related to alleged RESPA violations concerning qualified written requests and notices of error. Plaintiff entered into a permanent loan modification for which she made timely payments until she applied for new financing. One year later, plaintiff noticed a deferred principal balance that she claimed was not listed on her 2019 loan modification agreement. Plaintiff asserted that she called seeking to have the deferred principal balance removed and sent a notice of error (NOE) letter to the defendant, claiming, among other things, that the loan documentation did not mention the deferred amount. Defendant acknowledged the NOE and timely responded that the modification agreement included the deferred principal balance.
In granting defendant’s motion for summary judgment, the court held that while plaintiff’s allegations “are framed as a RESPA violation … [p]laintiff’s true concern is that [defendant] misrepresented the terms of the 2019 loan modification.” The defendant, however, complied with RESPA by providing “a statement of the reasons for which the servicer believes the account of the borrower is correct as determined by the servicer,” and plaintiff’s “disagreement with the servicer’s determination does not create a claim under RESPA.” Further, the court found that the deferred principal balance was in fact included on the executed loan modification agreement, and that the plaintiff did not suffer any actual harm under RESPA or otherwise.
CFTC shuts down illegal trading platform
The U.S. District Court for the Northern District of California recently granted the CFTC’s motion for default judgment in an action accusing a decentralized autonomous organization of violating the Commodity Exchange Act (CEA) by operating an illegal trading platform and unlawfully acting as a futures commission merchant. (See also CFTC press release here.) The CFTC maintained that the organization’s platform and its blockchain-based software “protocol” enables users to engage in retail commodity transactions but does not provide protections or other requirements mandated under the statute. In addition to unlawfully offering leveraged and margined retail commodity transactions outside of a registered exchange, the organization is charged with failing to comply with Bank Secrecy Act obligations applicable to future commission merchants, including implementing a customer information program or conducting know your customer procedures. The default judgment requires the organization to shutter its website and remove its content from the internet, and orders permanent trading and registration bans. The organization also must pay a $643,542 civil money penalty and is enjoined from future violations of the CEA.
District Court says MLA’s statute of limitations begins upon discovery of facts
The U.S. District Court for the Eastern District of Virginia recently granted an installment lender’s motion to dismiss, ruling that most of the class members’ claims are time-barred by the Military Lending Act’s (MLA) two-year statute of limitations. Plaintiffs are active duty servicemembers who entered into installment loans with the defendant. Claiming four violations of the MLA, plaintiffs alleged the defendant (i) extended loans with interest rates exceeding the MLA’s 36 percent interest rate cap; (ii) extended loans that involved roll overs of prior loans; (iii) required plaintiffs to agree to repayment by allotment (with a backup preauthorized electronic fund transfer) as a condition to receiving a loan; and (iv) required plaintiffs to provide a security interest in their bank accounts as a condition for receiving a loan. Plaintiff sought to certify a class covering the five years preceding the date the complaint was filed. Defendant moved to dismiss, arguing that plaintiffs have only been harmed by technical violations of the MLA and did not suffer a concrete injury. Plaintiffs countered that the defendant’s MLA violations caused them to sustain injuries from making payments, including interest payments, “on loans that were ‘void from [their] inception’ [] due to their unlawful refinancing, allotment, and security interest requirements.”
The court reviewed a significant issue raised by the parties’ differing interpretations of the MLA’s statute of limitations and its applicability to plaintiffs’ loans. Specifically, the parties disagreed as to whether “discovery by the plaintiff of the violation,” which triggers the two-year limitations period, requires that a plaintiff only discover the facts constituting the basis for the violation, as argued by the defendant, or instead requires that a plaintiff also know that the MLA was violated, as the plaintiffs argued. While acknowledging that the text in question is inconclusive, the court stated that since the MLA “does not require ‘discovery’ of both the ‘violation’ and ‘liability’ but only the ‘violation that is the basis for such liability,’ the text appears to support the interpretation that only discovery of the violative conduct is required, and
not discovery of the actionability of that conduct.” The court also reviewed other federal statutory discovery rules where other courts “have consistently found that ‘discovery’ requires that a plaintiff have knowledge only of the facts constituting the violation and not the legal implications of those facts.” Relying on this, as well as other court interpretations, the court determined that “the two-year limitations period is triggered when a plaintiff discovers the facts
constituting the basis for the MLA violation and not when the plaintiff recognizes that these facts
support a legal claim.” Thus, the court found that most of the loans underlying the claims are time-barred.
However, for loans that fell within the applicable limitations period, the court granted defendant’s motion to dismiss for failure to state a claim, concluding, among other things, that a creditor is not prohibited from taking a security interest in a plaintiff’s bank account by way of a preauthorized electronic fund transfer provided the military annual percentage rate does not exceed the allowable 36 percent (a claim, the court noted, plaintiffs dismissed and did not otherwise address). Moreover, the court determined that plaintiffs failed to allege that the defendant was a “creditor” under the narrower definition used by the MLA in its refinancing and roll-over prohibition or that the defendant’s “characterization of the convenience of repayment by allotment amounted to a misrepresentation or concealment of facts giving rise to plaintiffs’ MLA claim.”
7th Circuit: Time and money in responding to second verification request confers standing under FDCPA
On June 7, the U.S. Court of Appeals for the Seventh Circuit held that spending time and money to send a second verification request is enough to confer standing under the FDCPA. Plaintiff’s defaulted credit card debt was purchased by one of the defendants and placed with a collection agency. A letter providing details about the debt, including the original creditor, current creditor, and a validation notice, was sent to the plaintiff. Within the required 30-day timeframe, plaintiff sent a letter to the collection agency requesting validation of the debt. However, instead of receiving a response from the agency, plaintiff received another letter from one of the defendants that provided information on the debt and informed her that it had initiated a review of the inquiry it had received. The second letter also included a validation notice, which confused the plaintiff and resulted in her spending time and money ($3.95) to request validation again. Plaintiff filed suit accusing the defendants of violating the FDCPA and asserting that the second letter would lead a consumer to believe that they must re-dispute the debt. According to the plaintiff, the letter, among other things, used false, deceptive, misleading, and unfair or unconscionable means to collect or attempt to collect a debt. The defendants moved to dismiss for lack of standing, arguing that while the letter may have confused and alarmed the plaintiff, it did not cause her to initiate “any action to her detriment on account of her confusion.” The district court granted defendants’ motion to dismiss, ruling that the time and money spent on sending the second validation request did not rise to the level of detriment required for standing under the FDCPA, and that, moreover, it provided plaintiff with another opportunity to dispute the debt if she failed to properly do so the first time.
Disagreeing with the dismissal, the 7th Circuit wrote that the second postage fee (albeit modest in size) is the type of harm that Congress intended to protect consumers from when it enacted the FDCPA. “Money damages caused by misleading communications from the debt collector are certainly included in the sphere of interests that Congress sought to protect,” the appellate court stated, explaining that the second letter caused the plaintiff “to suffer a concrete detriment to her debt-management choices in the form of the expenditure of additional money to preserve rights she had already preserved.”
11th Circuit revises data breach negligence claim
The U.S. Court of Appeals for the Eleventh Circuit recently reversed the dismissal of a negligence claim brought against a Georgia-based airport retailer, determining that a company of its size and sophistication “could have foreseen being the target of a cyberattack.” Plaintiff, who used to work for the defendant, filed suit alleging the defendant failed to protect thousands of current and former employees’ sensitive personally identifiable information (PII), including Social Security numbers, from an October 2020 ransomware attack. Bringing claims for negligence and breach of implied contract on behalf of class members, plaintiff contended that not only should the defendant have protected the PII, but it also took several months for the defendant to notify affected individuals. A notice provided by the company claimed the attack only affected an internal, administrative system, but according to the plaintiff, the attacker uploaded the PII to third-party servers. Plaintiff was later informed that an unknown party used his Social Security number to file pandemic-related unemployment assistance claims under his name in Rhode Island and Kentucky. Plaintiff challenged that the defendant should have taken steps before the hack to better protect the information and that the alleged “harms he suffered were a foreseeable result of [defendant’s] inadequate security practices and its failure to comply with industry standards appropriate to the nature of the sensitive, unencrypted information it was maintaining.” The district court disagreed and granted defendant’s motion to dismiss for failure to state a claim. Plaintiff appealed, arguing that “the district court demanded too much at the pleadings stage.”
On appeal, the 11th Circuit concluded, among other things, that the plaintiff could not have been expected to plead details about the defendant’s private data security policies. “We cannot expect a plaintiff in [this] position to plead with exacting detail every aspect of [defendant’s] security history and procedures that might make a data breach foreseeable, particularly where ‘the question of reasonable foreseeability of a criminal attack is generally for a jury’s determination rather than summary adjudication by the courts,’” the appellate court wrote, noting that plaintiff had sufficiently pled the existence of a special relationship as well as a foreseeable risk of harm. However, the 11th Circuit affirmed dismissal of plaintiff’s claim for breach of implied contract, stating that he failed to allege any facts showing that the defendant agreed to be bound by a data retention or protection policy.
A few days later, the 11th Circuit issued an opinion saying class members in a different action should be allowed to amend their data breach negligence claim in light of the appellate court’s decision discussed above. The 11th Circuit wrote that the decision in the aforementioned case “undermined” the dismissal of plaintiff’s negligence claim alleging a defendant warehousing company allowed a data breach to occur because it failed to take appropriate measures to secure its network. Class members in this case also alleged their PII was improperly accessed during a ransomware attack. The appellate court agreed with class members’ contention that the defendant had failed to address a newly created legal standard for data breach negligence claims in its motion to dismiss: “Indeed, the plaintiffs would have been hard-pressed to predict that they might need to amend their complaint to add more specific foreseeability allegations in response to [defendant’s] renewed motion to dismiss,” the appellate court wrote, reversing the denial of the motion for leave to amend.