
InfoBytes Blog

Financial Services Law Insights and Observations


  • District Court preliminarily approves $2.25 million settlement resolving credit card upgrade claims

    Courts

    On August 29, the U.S. District Court for the District of New Jersey preliminarily approved a class action settlement in which a national bank agreed to pay $2.25 million to resolve misleading credit card upgrade claims made to secured credit card holders. Plaintiffs alleged in their motion for preliminary approval that they each signed an agreement with the bank that said if they used and maintained a secured credit card account for seven consecutive billing months without defaulting they would be eligible to automatically “graduate” to an unsecured credit card. Transitioning to an unsecured credit card allows customers to regain control of the collateral deposits and receive a prorated refund of the annual fee they paid while they had secured cards, plaintiffs asserted. Plaintiffs claimed that while the bank’s “form contract and promotional materials promised a meaningful review of secured card accounts after seven months in good standing that review, in fact, did not occur in a fashion consistent with the parties’ contract.” The bank denied the claims. According to court documents, this past January the bank amended the graduation provision at issue in its agreement for secured credit cards to “more adequately disclose how a cardholder becomes eligible for an unsecured credit card.” The court deemed the proposed settlement to be “fair, adequate and reasonable to the settlement class,” and granted class certification. If granted final approval, class members would be awarded a portion of the annual fee paid on their secured credit card.

    Courts Class Action Consumer Finance Credit Cards Settlement

  • 3rd Circuit vacates dismissal of FCRA lawsuit regarding sovereign immunity

    Courts

    On August 24, the U.S. Court of Appeals for the Third Circuit vacated the dismissal of an FCRA lawsuit, holding that the federal government does not have sovereign immunity under the statute and can be held liable for reporting requirement violations. The plaintiff sued the Department of Agriculture (USDA) and a student loan servicer for allegedly reporting two loans as past due even though he claimed both were closed with a $0 balance. The plaintiff notified the relevant consumer reporting agency, which in turn notified the USDA and the servicer. When neither entity took action to investigate or correct the disputed information, the plaintiff sued all three parties for damages under Sections 1681n and 1681o of the FCRA. The USDA moved to dismiss for lack of subject matter jurisdiction based on sovereign immunity claims, which the district court granted on the grounds that the United States and its agencies are not subject to liability under the FCRA—a decision in line with opinions issued by the 4th and 9th Circuits.

    On appeal, the 3rd Circuit disagreed, instead siding with opinions issued by the D.C. and 7th Circuits that reached the opposite conclusion. According to the 3rd Circuit, the federal government and its agencies enjoy sovereign immunity from civil suits unless Congress unambiguously waives it within a statute. The FCRA provides that any “person” who either negligently or willfully violates the statute is liable to the consumer for civil damages, the appellate court wrote, noting that the term “person” is defined to include any “government or governmental subdivision or agency.” The appellate court stressed that Congress need not express its intent in any particular way, and that courts need only look at the statutory text to discern Congress’ intent. Where Congress wanted to use a narrower definition of “person” in the FCRA, it did so, the appellate court said, pointing to where the FCRA specifically excludes the federal government from the statutory obligations for persons who make adverse employment decisions based on credit reports. “We presume, therefore, that Congress’s failure to do so in §§ 1681n and 1681o was deliberate and intended to convey the full statutory definition,” the 3rd Circuit wrote, finding that Congress unambiguously waived the government’s sovereign immunity in enacting FCRA.

    Courts FCRA Appellate Third Circuit Consumer Reporting Agency Consumer Finance Credit Furnishing Credit Report Sovereign Immunity Department of Agriculture

  • 3rd Circuit: District Court erred in applying ascertainability precedent when denying class action certification

    Courts

    On August 24, the U.S. Court of Appeals for the Third Circuit vacated a ruling denying class certification in an action concerning inaccurate consumer reports, holding that the district court misinterpreted Section 1681g(a) of the FCRA and erred in applying the appellate court’s ascertainability precedent. According to the plaintiffs, the defendant, a consumer reporting agency (CRA), provided inaccurate consumer reports as part of a rental application process. The plaintiffs further alleged that the defendant refused to correct the information on the reports unless plaintiffs “obtained proof of the error from [the defendant’s] sources” despite failing to provide the identity of the sources to the plaintiffs. Plaintiffs responded by filing a putative class action alleging the defendant “violated its obligation under the FCRA to disclose on request ‘[a]ll information in the consumer’s file at the time of the request’ and ‘the sources of that information.’” However, the district court denied class certification on the grounds that class members “failed to satisfy Rule 23(b)(3)’s predominance and superiority requirements and that their proposed class and subclass were not, in any event, ascertainable.”

    On appeal, the 3rd Circuit closely reviewed when the provisions of § 1681g(a) were applicable. The appellate court first determined the disclosure requirements of § 1681g(a) could only be triggered by a direct request from a consumer, and not a third-party request as the plaintiffs had argued. In so doing, the appellate court found that the district court was “right to distinguish between consumers who made direct requests under § 1681g and consumers who received courtesy copies of the property managers’ Rental Reports,” and affirmed the denial of the “All Requests” class sought by plaintiffs. The appellate court next determined that the district court incorrectly narrowed the disclosure requirements of § 1681g(a) to where a request was specifically made for a consumer’s “file” as opposed to a request for a “report.” The appellate court concluded that “[n]othing in the statute’s text, context, purpose, or history indicates that any magic words are required for a consumer to effect a ‘request’ under § 1681g(a) or that a consumer’s request for ‘my consumer report’ is any less effective at triggering the CRA’s disclosure obligations than a request for ‘my file.’” As a result, the appellate court vacated the district court’s finding as to the predominance requirement of class certification and remanded for the district court “to consider whether Rule 23(b)(3)’s predominance and superiority requirements are satisfied with respect to” consumers in a purported subclass who had made a direct request for a report or file.

    The appellate court concluded by determining the district court had additionally erred in its analysis of ascertainability of the proposed class by requiring too high a standard for administrative feasibility. The district court had ruled that where identification of putative class members would require a file-by-file review, ascertainability was “not administratively feasible.” The appellate court disagreed, stating that ascertainability does not mean that “no level of inquiry as to the identity of class members can ever be undertaken,” as it “would make Rule 23(b)(3) class certification all but impossible.” The appellate court instead held that “a straightforward ‘yes-or-no’ review of existing records to identify class members is administratively feasible even if it requires review of individual records with cross-referencing of voluminous data from multiple sources.”

    Courts Appellate Third Circuit Class Action FCRA Consumer Reporting Agency Consumer Finance

  • District Court approves class action settlement against securities trading platform and broker-dealer

    Courts

    On May 16, the U.S. District Court for the Northern District of California granted final approval of a settlement in a class action against a securities trading platform and broker-dealer (defendant) for allegedly allowing unauthorized users access to customers’ accounts. As described in plaintiffs’ motion for preliminary approval of settlement, class members alleged the defendant “lacked security measures used by other broker-dealer online systems,” which allowed “thousands of [the defendant’s] customer accounts [to be] accessed by unauthorized users.” Based on these allegations, class members brought claims for negligence, breach of contract, and violations of various state consumer privacy, competition, and advertising laws. Under the terms of the settlement, the defendant must provide cash payments of up to $260 each to settlement class members who submit a claim, up to a total amount of $500,000. Additionally, among other things, the defendant must “provide two years of credit monitoring and identity theft protection services to those who elect to receive it,” must “maintain improvements to its security protocols and policies to decrease the risk of unauthorized access to its customers’ accounts,” and must “respond effectively to instances of potential unauthorized access” in the future.

    Courts Privacy, Cyber Risk & Data Security Class Action Data Breach Securities

  • 9th Circuit affirms $20.8 million disgorgement award

    Courts

    On August 24, the U.S. Court of Appeals for the Ninth Circuit affirmed a $20.8 million disgorgement award and agreed with a district court’s decision to hold the defendants jointly and severally liable. The defendants appealed the district court’s 2021 final judgment of disgorgement, which ordered them to disgorge more than $20.8 million in an action concerning money that was collected from investors for a cancer treatment center that was never built. As previously covered by InfoBytes, the district court’s order followed a 2020 U.S. Supreme Court ruling (covered by InfoBytes here), in which the high court examined whether the SEC’s statutory authority to seek “equitable relief” permits it to seek and obtain disgorgement orders in federal court. The Supreme Court ultimately held that the SEC may continue to collect disgorgement in civil proceedings in federal court as long as the award does not exceed a wrongdoer’s net profits, and that such awards for victims of the wrongdoing are equitable relief permissible under § 78u(d)(5). The Supreme Court vacated the original $26.7 million judgment and remanded to the lower court to examine the disgorgement amount in light of its opinion. Of the nearly $27 million raised, the SEC alleged the defendants misappropriated approximately $20 million of the funds through payments to overseas marketing companies and to salaries. To calculate the final disgorgement award, the court subtracted what it determined were “legitimate expenses,” including $2.2 million in administrative expenses and $3.1 million in business development expenses, from the nearly $27 million raised.

    On appeal, the 9th Circuit reviewed the proper method of calculating disgorgement as an equitable remedy in an SEC enforcement action and found “no error with the district court’s factual findings as to the illegitimate expenses or with the district court’s disgorgement award.” In so finding, the 9th Circuit explicitly rejected appellants’ argument that disgorgement was improper because the venture resulted in “no revenues and no profit,” finding that such a result “would not produce an equitable remedy.” The appellate court also determined that because the common law “permit[s] liability for partners engaged in concerted wrongdoing,” the district court did not err in holding both defendants jointly and severally liable where there was evidence the appellant in question “played an integral role” in the fraudulent scheme.

    Courts Liu v. SEC Ninth Circuit Appellate SEC Disgorgement Enforcement U.S. Supreme Court

  • California fines cosmetics chain for privacy violations

    Privacy, Cyber Risk & Data Security

    On August 24, the California attorney general announced that following an investigative sweep into online retailers, it entered into a $1.2 million settlement with a cosmetics chain for its alleged failure to disclose to consumers that it was selling their personal information, failure to process user requests to opt out of such sale via user-enabled global privacy controls, and failure to cure such violations within the 30-day period allowed by the California Consumer Privacy Act (CCPA). The action reaffirms the state’s commitment to enforcing the law and protecting consumers’ rights to fight commercial surveillance, AG Bonta said, emphasizing that “today’s settlement sends a strong message to businesses that are still failing to comply with California’s consumer privacy law. My office is watching, and we will hold you accountable. It’s been more than two years since the CCPA went into effect, and businesses’ right to avoid liability by curing their CCPA violations after they are caught is expiring. There are no more excuses. Follow the law, do right by consumers, and process opt-out requests made via user-enabled global privacy controls.”

    According to a complaint filed in California Superior Court, third parties monitored consumers’ purchases and created profiles to more effectively target potential customers. The company’s arrangement with these third parties constituted a sale of consumer personal information under the CCPA, therefore triggering certain basic obligations, including telling consumers that it is selling their information and allowing consumers to easily opt out of the sale of their information. According to the complaint, the company failed to take any of these measures.

    Under the terms of the settlement, the company is required to pay a $1.2 million penalty and must disclose to California customers that it sells their personal data and provide a mechanism for consumers to opt out of a sale of their information, including through user-enabled global privacy controls like the Global Privacy Control (GPC). Additionally, the company must ensure its service provider agreements meet CCPA requirements and provide reports to the AG related to its sale of personal information, the status of its service provider relationships, and its efforts to honor the GPC.

    The press release also announced that notices were sent to several businesses alleging non-compliance concerning their failure to process consumer opt-out requests made via user-enabled global privacy controls. The AG reiterated that under the CCPA, “businesses must treat opt-out requests made by user-enabled global privacy controls the same as requests made by users who have clicked the ‘Do Not Sell My Personal Information’ link. Businesses that received letters today have 30 days to cure the alleged violations or face enforcement action from the Attorney General.”

    Privacy, Cyber Risk & Data Security State Issues Courts CCPA California Enforcement Settlement State Attorney General Opt-Out Third-Party

  • District Court preliminarily approves data breach class action settlement

    Privacy, Cyber Risk & Data Security

    On August 24, the U.S. District Court for the Southern District of New York preliminarily approved a putative consolidated class action settlement that would reimburse members for out-of-pocket costs or expenditures actually incurred in connection with a February 2020 data breach. According to class members’ memorandum in support of their motion for preliminary approval of the settlement, the data breach may have exposed the personal financial information (PFI) of approximately 10,300 individuals, including names, addresses, Social Security numbers, driver’s license numbers, bank account numbers, passport numbers, dates of birth, and other information. Class members alleged that defendants failed to adequately protect the PFI of current and former employees and their beneficiaries, and that the resulting data breach “was a direct result of defendants’ failure to implement adequate and reasonable cybersecurity procedures and protocols necessary to protect PFI.” If granted final approval, the settlement will provide each class member the opportunity to make a claim for up to $3,500 in reimbursements for out-of-pocket expenses actually incurred, and compensation for up to four hours of lost time spent remedying issues fairly traceable to the data breach at $18 per hour. Additionally, class members will be given 18 months of credit monitoring protections.

    Privacy, Cyber Risk & Data Security Courts Data Breach Settlement Class Action

  • District Court sends cryptocurrency hack suit to arbitration

    Courts

    On August 24, the U.S. District Court for the Eastern District of New York granted a motion to compel arbitration in an action claiming that a mobile communications company’s failure to protect the personal information of a cryptocurrency company founder allowed a hacker to steal $8.7 million in cryptocurrency. The cryptocurrency company and its founder sued the defendant citing violations of the Federal Communications Act and the New York Consumer Protection Act, along with numerous negligence claims. Plaintiff alleged that due to lack of safeguards, a hacker conducted an unauthorized “SIM swap” and used the plaintiff’s personal information to access his cryptocurrency wallets and exchange accounts. Plaintiff further claimed that even though it reported the SIM swap to the defendant, “[m]ore attacks continued to succeed over the following years.” The defendant moved to compel arbitration claiming that the plaintiff electronically signed receipts agreeing to terms and conditions which require the arbitration of disputes unless a customer opts out. The plaintiff countered that “he was not shown the full terms and conditions to his service; that he could not conduct a ‘complete review and inspection’ of the digital receipt because of the screen’s small size, resolution, and inadequate backlighting; that the displayed receipt did not permit hyperlinked review of the full terms; that the display did not affirmatively seek his consent to arbitration by requiring he press a button or check a box; that the full terms were not separately provided in another form; and that his consent was not otherwise confirmed by [defendant] personnel.”

    The court found that had the plaintiff “simply thought he was signing a receipt for equipment purchases–and had no idea that any terms and conditions were displayed on the digital device he signed–the court might have concluded that there remained a question of fact suitable for resolution by a jury.” However, the court found that the plaintiff “never claimed that he was unaware that his transactions with [defendant] carried terms and conditions” nor did he allege that he never received “a notice indicating the existence of the terms” even though the court specifically asked the parties to establish these facts in limited discovery. Accordingly, the court ruled that the plaintiff was on notice of defendant’s terms and agreed to them, thus compelling arbitration.

    Courts Digital Assets State Issues Cryptocurrency Arbitration New York Federal Communications Act

  • Court grants summary judgment in payday lender suit

    Courts

    On August 23, a Municipal Court in Ohio granted a defendant’s motion for summary judgment in a case involving payday lending. According to the order, the plaintiff’s complaint alleged that the defendant, in April 2019, executed a Line of Credit and Security Agreement with a lender in the amount of $1,101, and agreed to repay amounts advanced within a 30-day billing cycle pursuant to certain fees and a 24.99 percent interest rate. The complaint further alleged that defendant failed to make timely payment, and thereafter plaintiff, as assignee of the lender, sought to enforce the agreement. In her answer, the defendant denied entering any such agreement and characterized the transaction as “a $500 loan,” asserting that this case “involves an illegal scheme by [the short-term cash lender, the mortgage lender, and the plaintiff] to issue and collect illegal payday loans under a scheme to attempt to evade compliance with new state lending laws.” The plaintiff asserted counterclaims for violations of the Short-Term Loan Act, the Mortgage Loan Act, Ohio Consumer Sales Practices Act, and for civil conspiracy.

    On motion for summary judgment, the defendant argued that she was entitled to judgment on “Plaintiff's complaint because the parties’ April 2019 agreement ‘is void because it was made in violation of Ohio lending and consumer laws.’” The defendant presented two arguments: (i) the lender is not licensed under the Short-Term Loan Act to issue a loan less than $1000; and (ii) the lender is “prohibited from engaging in acts or practices to evade the prohibition against Mortgage Loan Act registrants issuing loans for $1,000 or less or that have a duration of one year or less.”

    In granting summary judgment for the defendant, the court found that the underlying transaction was an “open-end loan under the plain language” of the Mortgage Loan Act, and that it was not a loan for $1,000 or less or one with a duration of one year or less under the Mortgage Loan Act, but that by using the security agreement framework, the lender engaged in an act or practice to evade the Mortgage Loan Act’s prohibition. The court found that the evidence showed defendant went to the lender for a simple loan under $1,000 and was provided on that day a check for $501. The court found further that, “it would appear [the lender] gave Defendant what she was seeking, namely a short-term loan … but without complying with any of the myriad restrictions applicable to such loans under the Short-Term Loan Act.” The court held that the security agreement framework did not stand because the “legally convoluted” structure did not benefit the parties in any meaningful way, and “the only explanation the Court can discern as to why that structure was used is that it was a stratagem for eluding the restrictions of the Short-Term Loan Act that would have otherwise applied to the parties’ transaction.”

    Courts State Issues Ohio Payday Lending Mortgages Consumer Finance

  • CFPB “on track” to issue Section 1071 rulemaking by March 31

    Federal Issues

    On August 22, the CFPB filed its tenth status report in the U.S. District Court for the Northern District of California, as required under a stipulated settlement reached in February 2020 with a group of plaintiffs, including the California Reinvestment Coalition, related to the collection of small business lending data. The settlement (covered by InfoBytes here) resolved a 2019 lawsuit that sought an order compelling the Bureau to issue a final rule implementing Section 1071 of the Dodd-Frank Act, which requires the Bureau to collect and disclose data on lending to women and minority-owned small businesses. The current status report states that the Bureau is on track to issue the Section 1071 final rule by March 31, 2023—a deadline established by court order in July (covered by InfoBytes here).

    Find continuing Section 1071 coverage here.

    Federal Issues Courts CFPB Dodd-Frank Section 1071 Small Business Lending Consumer Finance Agency Rule-Making & Guidance
