InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
11th Circuit affirms denial of title company’s cyber fraud claim
On September 6, the U.S. Court of Appeals for the Eleventh Circuit upheld a district court’s decision to deny insurance coverage to a Florida title company under its Cyber Protection Insurance Policy after it was allegedly “fraudulently induced—by an unknown actor impersonating a mortgage lender—to wire funds to an incorrect account.” The insurance company denied coverage on the basis that the title company did not meet the policy’s requirements. The title company submitted a claim under the cybercrime endorsement of its insurance policy, which includes a deceptive transfer fraud insurance clause that grants coverage provided certain criteria are met, including that the loss resulted from intentionally misleading actions, was done by a person purporting to be an employee, customer, client or vendor, and the authenticity of the wire transfer instructions was verified according to the title company’s internal procedures. The insurance company denied coverage, claiming that: (i) the mortgage lender to whom the funds were intended was not an employee, customer, client or vendor of the title company; and (ii) that the title company failed to verify the transfer request according to its procedures. The district court granted summary judgment in favor of the insurance company, agreeing that coverage did not exist under the plain language of the policy.
On appeal, the 11th Circuit determined that the mortgage lender was not listed as an entity under the plain language of the policy. It further disagreed with the title company’s position that under Florida law, insurance coverage clauses must “be construed as broadly as possible to provide the greatest amount of coverage,” and that the deceptive transfer fraud clause should also include “persons and entities involved in the real estate transaction.” The appellate court noted that “[a]s attractive as that proposition may be, it is simply not what the clause provides,” adding that because the clause “limits coverage to misleading communications ‘sent by a person purporting to be an employee, customer, client or vendor’” it must interpret these terms according to their plain meaning and may not “alter[] the terms bargained to by parties to a contract.”
District Court says tech company not liable for app in crypto theft
On September 2, the U.S. District Court for the Northern District of California granted a defendant California tech company’s motion to dismiss a putative class action filed by users who claimed their cryptocurrency was stolen after they downloaded a “phishing” program that posed as a legitimate digital wallet. Plaintiffs alleged that the illegitimate app (developed by a third-party and not the defendant) caused them to lose thousands of dollars in cryptocurrency. Claiming that the app was a spoofing and phishing program that obtained consumers’ cryptocurrency account information and routed that information to hackers’ personal accounts, plaintiffs sued, asserting claims under the federal Computer Fraud and Abuse Act, Electronic Communications Privacy Act, California Consumer Privacy Act, California’s Unfair Competition Law, California Consumer Privacy Act, California Consumer Legal Remedies Act, Maryland Wiretap and Electronic Surveillance Act, Maryland Personal Information Protection Act, and Maryland Consumer Protection Act. The defendant moved to dismiss, arguing that it was immune from liability under § 230(c)(1) of the Communications Decency Act. The court agreed with the defendant, ruling that it is granted protection under the Act because it qualifies as an “interactive computer service provider” within the meaning of the statute, is treated as a publisher, and provides information from another information content provider. “Here, plaintiffs’ computer fraud and privacy claims are based on [defendant’s] reproduction of an app [] intended for public consumption, via the App Store,” the court wrote. “But, as [defendant] notes, its review and authorization of the [] app for distribution on the App Store is inherently publishing activity.” Moreover, the court concluded that, among other things, the defendant’s liability provision contained within its terms, which states that it is not liable for conduct of a third party, is valid and enforceable.
District Court preliminarily approves TCPA class action settlement
On March 3, the U.S. District for the Central District of California granted final approval of a TCPA class action settlement with a satellite TV company. According to a memorandum in support of plaintiff’s motion for preliminary approval of class action settlement and certification, the plaintiff class alleged that the defendant violated the TCPA by using an artificial or prerecorded voice to call cell phones without the prior express consent of class members, consisting of about 22,000 individuals. The settlement class includes all people who received non-emergency calls from the defendant and four of its debt collection companies “regarding a debt allegedly owed to [the defendant], to a cellular telephone through the use of an artificial or prerecorded voice, and who has not been a [defendant] customer at any time since October 1, 2004.” The settlement requires the defendant to pay an all-cash non-reversionary sum of $17 million. The settlement could also approach or exceed $500 in damages per call for class members who make claims and includes an award of attorney fees of up to $5.61 million, or 33 percent of the settlement fund, in addition to litigation costs. Specifically, the settlement would provide $606.06 per call for settlement class members who received calls from two of the defendant’s debt collectors, and those members will get two shares of the pro rata distribution. Settlement class members who received calls from two other of the defendant’s debt collectors will get $303.03 per call and one share of the pro rata distribution.
District Court grants final approval in TCPA class action
On September 1, the U.S. District Court for the Central District of California granted final approval of a class action settlement in a TCPA suit. According to the plaintiffs’ motion for preliminary approval of the class action settlement, the plaintiffs are non-customers who the defendant contacted as part of its efforts to collect on the account of a defendant’s customer and who had not consented to calls from the defendant. The plaintiffs further alleged that the defendant used its autodialer to place those calls and conveyed prerecorded messages to third parties who had not consented to receive such calls, and that through analysis of the defendant’s records, broad notice to class members, and a robust claims verification procedure, it was possible to provide notice to non-customer class members. According to the settlement, the class includes any customer in the U.S. who received automated, non-emergency calls from the defendant on their cell phones from March 2012 through March 2022, and was not a party to an agreement with the defendant. The settlement noted that class members are expected to get between $75 and $250 per person, stating that “this estimated settlement range compares very favorably with other 'wrong number' settlements . . . , and with the $500 penalty for violation of the TCPA.”
8th Circuit affirms decision in FDCPA case
On September 6, the U.S. Court of Appeals for the Eighth Circuit affirmed a district court’s order to grant a defendant’s motion for judgment on the pleadings in an FDCPA suit. According to the opinion, the defendant sent the plaintiff a debt collection letter identifying the plaintiff as the attorney for a consumer named in the letter. The consumer was not the plaintiff’s client, the consumer had never identified the plaintiff as her attorney to anyone, and the plaintiff had never identified himself as the consumer’s attorney. When the plaintiff was unable to recognize the consumer’s name, he engaged in an extensive search of his files and records to determine if he had ever represented the consumer, and “found nothing to indicate that she was a past or present client.” The plaintiff filed suit, asserting that the defendant violated § 1692c(b) of the FDCPA when it contacted him regarding the debt of a consumer whom he did not represent and without the consumer’s consent. The plaintiff alleged that he suffered injury as a result of the violation, because his search for the consumer’s records cost him “valuable time and resources that he could have spent working on matters for actual clients.” The district court ruled that the defendant’s letter violated § 1692c(b) but said that the plaintiff lacked standing to sue under the statute and entered judgment on the pleadings against the plaintiff.
On appeal, the 8th Circuit agreed with the district court that the defendant violated the FDCPA when it sent the letter to the attorney, but also agreed with other circuit courts that non-consumers cannot bring § 1692c(b) claims. The appellate court noted that “[b]ecause the purpose of § 1692c(b) is to protect consumers alone, we conclude that [the plaintiff] falls outside § 1692c(b)’s ‘zone of interests’ and thus cannot invoke the protection afforded by it.” The 8th Circuit rejected the plaintiff’s argument that the proper course of action was to remand the case back to state court, where it was originally filed, and affirmed that the decision “was a ruling on the merits of [the plaintiff’s] claim, not on the district court’s jurisdiction.”
3rd Circuit: Arbitration valid despite questions about loan assignment
On September 1, the U.S. Court of Appeals for the Third Circuit concluded that a district court erred in finding that it had the authority to adjudicate the question of arbitrability based on questions concerning the underlying legality of an assignment of a consumer’s loan. The plaintiff took out a personal loan, which included an arbitration clause in the underlying agreement that delegated questions of arbitrability to an arbitrator. The plaintiff’s charged-off debt was assigned to the defendant who filed a lawsuit to recover the unpaid balance but later dismissed the suit rather than litigating. The plaintiff later contended that the defendant reported his loan delinquency to credit agencies in “an unlawful attempt to collect the [l]oan,” and sued, claiming that because the defendant was not licensed in Pennsylvania during the time period at issue it was not lawfully permitted to purchase the debt. The defendant filed a motion to compel arbitration under the purchase agreement with the loan originator. Focusing on the validity of the assignment, the district court denied the defendant’s motion to compel arbitration.
On appeal, the 3rd Circuit concluded that the district court’s only responsibility was to determine whether the parties to the underlying loan “clearly and unmistakably” expressed an agreement to arbitrate the issue of arbitrability, and, if so, the district court was required to send questions about arbitrability to the arbitrator. The appellate court reasoned that even if the underlying assignment is invalidated later, it would not affect whether the initial agreement to arbitrate was valid. The appellate court vacated the district court’s order denying arbitration and remanded with instructions to grant the motion to stay and refer the matter to arbitration. A dissenting judge countered that the plaintiff never signed an arbitration agreement with the defendant, and that because the underlying assignment was invalid, the plaintiff never consented to arbitration with the assignee of the contract.
WA Superior Court: Insurance commissioner overstepped in banning credit scoring in underwriting
On August 29, the Washington State Superior Court entered a final order declaring that the Washington Insurance Commissioner exceeded his authority when he issued an emergency rule earlier this year banning the use of credit-based insurance scores in the rating and underwriting of insurance for a three-year period. As previously covered by InfoBytes, several industry groups led by the American Property Casualty Insurance Association (APCIA) sued to stop the rule from taking effect. The rule was intended to prevent discriminatory pricing in private auto, renters, and homeowners insurance in anticipation of the end of the CARES Act, and specifically prohibited insurers from “us[ing] credit history to place insurance coverage with a particular affiliated insurer or insurer within an overall group of affiliated insurance companies.” The rule applied to all new policies effective, and existing policies processed for renewal, on or after June 20, 2021. Industry groups countered that the rule would harm insured consumers in the state who pay less for auto, homeowners, and renters insurance because of the use of credit-based insurance scores to predict risk and set rates.
According to a press release issued by APCIA, earlier this year the superior court issued a bench decision granting the trade group’s petition for a declaratory judgment and invalidating the rule. The superior court “held that the Commissioner could not rely on the more general rating standard statute that prohibited “excessive, inadequate, or unfairly discriminatory” rates to “eliminate all meaning from the more specific credit history statutes by which the legislature had authorized its use.” Calling the final order “an important victory for Washington consumers, particularly lower risk senior policyholders who were forced to pay more to subsidize higher risk policyholders because the rule eliminated the use of credit,” the trade groups said they were pleased that the court agreed with their position that the Commissioner “exceeded his authority when he acted contrary to the longstanding statute that authorized the use of credit in the property and casualty insurance space.”
District Court rules non-judicial foreclosure claims fail
On August 30, the U.S. District Court for the District of Oregon granted defendants’ motion for summary judgment in an action concerning an allegedly unlawful non-judicial foreclosure. Plaintiffs obtained a cash-out loan in 2005 and modified their mortgage terms. The plaintiffs stopped making payments after one of the defendant loan servicer’s agents allegedly informed them that “help was only available if they were in default,” and the defendant loan servicer threatened foreclosure. Following several years of bankruptcy proceedings and foreclosure mediation, plaintiffs sued to stop the foreclosure proceedings, claiming “that the deed of trust was void and that defendants committed fraud in attempting to foreclos[e] on the debt.” The initial non-judicial foreclosure proceedings were rescinded after the suit was dismissed with prejudice, and the defendant loan servicer was eventually allowed to proceed with a second non-judicial foreclosure under Oregon law. Plaintiffs sent a dispute letter demanding that the foreclosure be rescinded because the order in which several notices of default showing the amounts due and the amounts necessary to reinstate were sent did not comply with state law. After the notice was rescinded and a new notice of default was issued and recorded, plaintiffs sued again, seeking to enjoin the defendant trustee’s sale and filing several claims, including breach of contract and violations of the Oregon Unfair Trade Practices Act (OUTPA), RESPA, and FDCPA.
In granting summary judgment to the defendants on each of the claims, the court determined that the breach of contract claim fails because plaintiffs acknowledged that because “they have not substantially performed under the relevant contract,” they are precluded from seeking damages. The FDCPA claim against the defendant trustee also fails “because it is based on a perceived lack of authority under the relevant contract, but as explained in the breach of contract claim, that authority was not lacking.” Finally, the OUTPA and RESPA claims both fail “because there is no evidence that they incurred damages arising out of either claim”—a required element under both statutes, the court said. According to the court, plaintiffs failed “to support their drastic allegations with relevant evidence” and failed to “point to specific evidence supporting valid legal claims.”
3rd Circuit vacates dismissal of data breach suit
On September 2, the U.S. Court of Appeals for the Third Circuit vacated the dismissal of a class action alleging that a defendant pharmaceutical research company’s negligence led to a data breach. According to the opinion, the plaintiff, who is a former employee of the defendant’s subsidiary, provided her sensitive personal and financial information in exchange for the defendant’s agreement, pursuant to the plaintiff’s employment agreement, to “take appropriate measures to protect the confidentiality and security” of this information. After plaintiff ended her employment with the company, a hacking group accessed the defendant’s servers through a phishing attack and stole sensitive information pertaining to current and former employees. In addition to exfiltrating the data, the hackers installed malware to encrypt the data stored on the defendant’s servers and held the decryption tools for ransom. The defendant informed current and former employees of the breach and encouraged them to take precautionary measures. To mitigate potential harm, the plaintiff took immediate action by conducting a review of her financial records and credit reports for unauthorized activity, among other things. As a result of the breach, the plaintiff alleged that she has sustained a variety of injuries—primarily the risk of identity theft and fraud—in addition to the investment of time and money to mitigate potential harm. The district court granted the defendant's motion to dismiss based on lack of Article III standing, concluding “that [the plaintiff's] risk of future harm was not imminent, but ‘speculative,’ because she had not yet experienced actual identity theft or fraud.”
On the appeal, the 3rd Circuit noted that the district court “erred in dismissing [the plaintiff’s] contract claims, which are raised in Counts III (breach of implied contract) and IV (breach of contract),” arising from her employment agreement. The appellate court wrote that the plaintiff “has alleged an injury stemming from the breach—the risk of identity theft or fraud—that is sufficiently imminent and concrete,” because the defendant “expressly contracted to ‘take appropriate measures to protect the confidentiality and security’ of plaintiff’s information in [the plaintiff’s] employment agreement.” The appellate court also noted that in an “increasingly digitalized world, an employer's duty to protect its employees’ sensitive information has significantly broadened.” The 3rd Circuit vacated the judgment on all counts and remanded the dispute to the district court for consideration of the merits of the claims.
District Court grants summary judgment for defendant in FDCPA suit
On August 25, the U.S. District Court for the Southern District of Indiana granted a defendant’s motion for summary judgment in an FDCPA case, finding that the plaintiff did not suffer a concrete injury after receiving two collection letters from the defendant’s attorneys on the same day. According to the order, the plaintiff had a medical debt that was placed with the defendant for collection. The defendant sent a bill to the plaintiff, but because the plaintiff was unemployed when she received it, she did not make a payment, and “planned on setting up a payment plan once she obtained a ‘steady income.’” A month after sending the bill, the defendant called the plaintiff, and during the call, the plaintiff noted that she was considering filing for bankruptcy. The plaintiff subsequently retained an attorney to assist with a bankruptcy filing. Later that year, the plaintiff received two letters on the same day from the defendant, from two separate attorneys, both requesting that she pay the bill. The plaintiff sued the defendant, alleging that the collection letters violated the FDCPA because they falsely implied that the defendant’s attorneys were personally involved in the collection of her debt. The plaintiff claimed that she experienced concrete harm after receiving the letters in the form of emotional stress and confusion, which affected her decision whether to repay the debt or file for bankruptcy protection. The court granted the defendant summary judgment, deciding that the plaintiff lacked standing because she did not provide “evidence of specific facts showing that the collection letters caused her to take any action to her detriment, including making a payment on the debt or filing bankruptcy.” The court also found that “’[p]sychological states induced by a debt collector’s letter’—including emotional distress and confusion—are not concrete injuries.”