
InfoBytes Blog

Financial Services Law Insights and Observations

  • Court denies plaintiff’s motion for summary judgment in TCPA action, questions accuracy of report citing number of robocalls

    Courts

    On May 21, the U.S. District Court for the Southern District of California denied a plaintiff’s motion for summary judgment against a solar company that she claimed made multiple unwanted robocalls to her cell phone, holding that questions remained about the accuracy of a report identifying the number of illegal calls the company allegedly placed. The plaintiff filed a putative class action complaint asserting that the company, in order to market products and services, violated the Telephone Consumer Protection Act (TCPA) when it used a “predictive dialer” to contact cell phone numbers the company bought from third parties. The plaintiff further claimed that none of the alleged call recipients had provided prior express consent to receive the calls, and that an expert retained by the plaintiff found that the company had made 897,534 calls to 220,007 unique cell phones. After the class was certified, the plaintiff moved for summary judgment, requesting that class members be awarded damages available under the TCPA of $1,500, or $500 per call.

    While the court determined that there is no argument as to the plaintiff’s TCPA claim concerning whether the company made telemarketing calls (and failed to receive prior express consent), a dispute remained over whether the plaintiff had “carried its burden of demonstrating” that the high number of calls cited in the report were actually made. First, the court stated that, because the company “stipulated that the [p]laintiff’s expert in fact reached a certain conclusion, it does not follow that [the company] stipulated to the accuracy of the conclusion.” Second, the court held that, since a reasonable jury could find the report’s “conclusions are flawed for any number of reasons,” a fact issue as to the report’s accuracy remained. A settlement conference has been set for June 6.

    Courts TCPA Class Action Robocalls Privacy/Cyber Risk & Data Security

  • Vermont legislation regulates data brokers and provides consumer protections

    Privacy, Cyber Risk & Data Security

    On May 22, a Vermont bill, established to regulate data brokers and provide consumers with protections against companies that collect, analyze, and sell their personal information, was enacted without the governor’s signature. Among other things, H.764: (i) requires data brokers to pay a $100 fee to register annually with the Vermont Secretary of State and publicly disclose information about data collection practices and opt-out policies; (ii) requires companies to implement measures to ensure they have “adequate security standards” to safeguard against data breaches; (iii) prohibits the “acquisition of personal information with the intent to commit wrongful acts”; and (iv) prohibits credit reporting agencies from charging consumers fees for the placement, removal, or temporary lift of a security freeze. The credit freeze provisions became effective upon passage. The data broker provisions take effect January 1, 2019.

    Privacy/Cyber Risk & Data Security State Issues State Legislation Data Breach Data Brokers

  • Minnesota prohibits security freeze fees, authorizes security freezes for protected persons

    State Issues

    On May 19, the Minnesota governor signed HF1243, which, effective immediately, prohibits credit reporting agencies from charging a fee for the placement, removal, or temporary lift of a security freeze. The law previously allowed for a fee of $5.00. Additionally, effective January 1, 2019, the law authorizes the placement of a security freeze for a protected person – defined by the law as an individual under the age of 16 – if a consumer reporting agency receives a request by the protected person’s representative and certain authentication standards are met. The law also outlines the requirements for removing a security freeze for a protected person.

    State Issues Credit Reporting Agency Security Freeze State Legislation Privacy/Cyber Risk & Data Security

  • Maryland and Georgia prohibit security freeze fees

    State Issues

    On May 15, the Maryland governor signed SB 202, which prohibits consumer reporting agencies from charging consumers, or protected consumers’ representatives, a fee for the placement, removal, or temporary lift of a security freeze. Previously, Maryland allowed for a fee, in most circumstances, of up to $5.00 for each placement, temporary lift, or removal. The law takes effect October 1.

    On May 3, the Georgia governor signed SB 376, which amends Georgia law to prohibit consumer reporting agencies from charging a fee for placing or removing a security freeze on a consumer’s account. Previously, Georgia law allowed for a fee of no more than $3.00 for each security freeze placement, removal, or temporary lift, unless the consumer was a victim of identity theft or over 65 years old. Under SB 376, consumer reporting agencies may not charge a fee to any consumer at any time for the placement or removal of a security freeze. This law takes effect July 1.

    State Issues State Legislation Credit Reporting Agency Security Freeze Privacy/Cyber Risk & Data Security

  • Court holds text message advertisements sent by internet domain provider do not violate TCPA

    Courts

    On May 14, the U.S. District Court for the District of Arizona granted an internet domain provider’s motion for summary judgment, holding that the platform used by the company to send text message advertisements did not qualify as an “autodialer” under the Telephone Consumer Protection Act (TCPA). The plaintiff filed a putative class action in 2016 asserting that the company, without his consent, sent him a single text message offering a discount on new products in violation of the TCPA. The company filed for summary judgment arguing that the platform it uses to send messages is not an “autodialer.” Citing to the recent D.C. Circuit decision in ACA International v. the FCC (covered by a Buckley Sandler Special Alert) which narrowed the FCC’s 2015 interpretation of “autodialer”, the Court agreed with the company. The Court held that the text was not sent automatically or without human intervention because the company had to “log into the system, create a message, schedule a time to send it, and perhaps most importantly, enter a code to authorize its ultimate transmission.”

    As covered by InfoBytes, the FCC’s Consumer and Governmental Affairs Bureau released a notice seeking comment on the interpretation of the Telephone Consumer Protection Act (TCPA) in light of the recent D.C. Circuit decision in ACA International.

    Courts TCPA Privacy/Cyber Risk & Data Security Autodialer

  • D.C. Circuit rejects challenge to FTC’s 2016 staff letter on soundboard technology

    Courts

    On April 27, the U.S. Court of Appeals for the D.C. Circuit dismissed a challenge to a November 2016 FTC staff letter, which announced the FTC would treat calls using soundboard technology as robocalls. According to the D.C. Circuit opinion, the FTC’s 2016 staff letter rescinded a 2009 staff letter, which reached the conclusion that soundboard technology was not subject to robocall regulation. The Soundboard Association filed suit, seeking to enjoin the rescission of the 2009 letter, arguing that the 2016 staff letter violated the Administrative Procedure Act (APA) by issuing a legislative rule without notice and comment and that it unconstitutionally restricted speech in violation of the First Amendment. The lower court granted summary judgment for the FTC holding that the 2016 letter did not violate the First Amendment and that the letter was an interpretive rule and therefore not subject to the notice and comment requirements of the APA. Upon appeal, the D.C. Circuit vacated the lower court’s decision and dismissed the action in its entirety, holding that the 2016 letter was not a “final agency action” and therefore, the plaintiffs failed to state a cause of action under the APA.

    Courts D.C. Circuit Appellate FTC Robocalls Privacy/Cyber Risk & Data Security

  • Court preliminarily approves $80 million settlement for shareholders after global internet company data breach

    Privacy, Cyber Risk & Data Security

    On May 9, the U.S. District Court for the Northern District of California granted a preliminary approval of a settlement between a global internet media company and its shareholders over alleged securities law violations related to cybersecurity breaches in 2013 and 2014. The $80 million settlement resolves a consolidated shareholder action accusing the company of making misleading statements to shareholders about the company’s data security. According to the order, the settlement applies to all shareholders who acquired the company’s securities between April 30, 2013 and December 14, 2016. As previously covered by InfoBytes, the company was recently ordered by the SEC to pay $35 million to resolve allegations related to the same cybersecurity incidents.

    Privacy/Cyber Risk & Data Security Securities Data Breach Settlement SEC

  • Maryland expands authority over credit reporting agencies

    State Issues

    On May 8, Maryland governor Larry Hogan signed HB848, which expands Maryland’s authority over Credit Reporting Agencies (CRAs) by requiring CRAs to develop a secure system to process electronic requests for placing, lifting, or removing a security freeze. Additionally, the law expands the definition of “protected consumer” for purposes of free security freezes to include persons age 85 or older, certain members of the military, and incarcerated individuals. The law also (i) codifies an existing requirement that CRAs register with the Office of the Commissioner of Financial Regulation (OCFR); (ii) allows the OCFR to investigate written consumer complaints against CRAs; and (iii) increases the maximum civil monetary penalty to $1,000 for the first violation and $2,500 for each subsequent violation. The law is effective October 1.

    State Issues Credit Reporting Agency Security Freeze Privacy/Cyber Risk & Data Security

  • FTC settles with cellphone manufacturer over data security issues

    Privacy, Cyber Risk & Data Security

    On April 30, the FTC and a Florida cellphone manufacturer entered into a settlement over allegations that the manufacturer allowed third party data collection from customer phones after falsely claiming data collection was limited only to information needed by the third parties to perform requested services. According to the complaint, released at the same time as the settlement, the manufacturer contracted with a Chinese technology company to issue security and operating system updates to the manufacturer’s devices. When issuing those updates, the Chinese company collected and transferred personal information about the device owners without their consent or knowledge, including text messages, call logs, and contact lists. In November 2016, the public became aware of this practice and the manufacturer issued a notice informing its customers that the Chinese company changed its software to no longer collect the personal information. However, the manufacturer allegedly continued to allow this practice on older devices. The FTC alleges that the manufacturer failed to perform adequate due diligence in the selection of the Chinese company and failed to adopt and implement written security standards for their third-party providers. Under the settlement, the manufacturer, among other things, is (i) prohibited from future misrepresentations about security and privacy; (ii) required to establish and implement a comprehensive data security program; and (iii) subject to data security assessments every two years by a third party for the next 20 years.

    Privacy/Cyber Risk & Data Security Federal Issues FTC Third-Party

  • Senators release report on credit reporting agency from data in CFPB’s public complaint database

    Federal Issues

    On April 30, three Democratic Senate Banking Committee members released a report addressing publicly available complaints the CFPB received regarding the 2017 data breach announcement by a national credit reporting agency. In a letter to the CFPB, which accompanied the release of the report, the Senators encouraged the Bureau to “hold [the credit reporting agency] accountable and act quickly and decisively to protect the millions of consumers harmed by the breach.” Additionally, the Senators make a plea for the CFPB to continue to keep consumer complaints public, citing to recent remarks by Mulvaney that the database would soon be removed from public view. According to the report, within six months of the data breach announcement—which reportedly affected 143 million American consumers—the CFPB received over 20,000 complaints against the company. Of the 20,000 complaints, the issues consumers mentioned include (i) “improper use of a credit report after the breach”; (ii) “incorrect information on credit report”; (iii) “[Company]’s inadequate assistance in resolving problems after the breach”; and (iv) “[Company]’s credit monitoring services, fraud alerts, security freezes, and other identity theft protection products.” The report also cites to specific narratives from consumer complaints that were available through the CFPB’s consumer complaint database.

    Federal Issues CFPB Consumer Complaints Data Breach Privacy/Cyber Risk & Data Security Credit Reporting Agency
