InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
11th Circuit revises data breach negligence claim
The U.S. Court of Appeals for the Eleventh Circuit recently reversed the dismissal of a negligence claim brought against a Georgia-based airport retailer, determining that a company of its size and sophistication “could have foreseen being the target of a cyberattack.” Plaintiff, who used to work for the defendant, filed suit alleging the defendant failed to protect thousands of current and former employees’ sensitive personally identifiable information (PII), including Social Security numbers, from an October 2020 ransomware attack. Bringing claims for negligence and breach of implied contract on behalf of class members, plaintiff contended that not only should the defendant have protected the PII, but it also took several months for the defendant to notify affected individuals. A notice provided by the company claimed the attack only affected an internal, administrative system, but according to the plaintiff, the attacker uploaded the PII to third-party servers. Plaintiff was later informed that an unknown party used his Social Security number to file pandemic-related unemployment assistance claims under his name in Rhode Island and Kentucky. Plaintiff challenged that the defendant should have taken steps before the hack to better protect the information and that the alleged “harms he suffered were a foreseeable result of [defendant’s] inadequate security practices and its failure to comply with industry standards appropriate to the nature of the sensitive, unencrypted information it was maintaining.” The district court disagreed and granted defendant’s motion to dismiss for failure to state a claim. Plaintiff appealed, arguing that “the district court demanded too much at the pleadings stage.”
On appeal, the 11th Circuit concluded, among other things, that the plaintiff could not have been expected to plead details about the defendant’s private data security policies. “We cannot expect a plaintiff in [this] position to plead with exacting detail every aspect of [defendant’s] security history and procedures that might make a data breach foreseeable, particularly where ‘the question of reasonable foreseeability of a criminal attack is generally for a jury’s determination rather than summary adjudication by the courts,’” the appellate court wrote, noting that plaintiff had sufficiently pled the existence of a special relationship as well as a foreseeable risk of harm. However, the 11th Circuit affirmed dismissal of plaintiff’s claim for breach of implied contract, stating that he failed to allege any facts showing that the defendant agreed to be bound by a data retention or protection policy.
A few days later, the 11th Circuit issued an opinion saying class members in a different action should be allowed to amend their data breach negligence claim in light of the appellate court’s decision discussed above. The 11th Circuit wrote that the decision in the aforementioned case “undermined” the dismissal of plaintiff’s negligence claim alleging a defendant warehousing company allowed a data breach to occur because it failed to take appropriate measures to secure its network. Class members in this case also alleged their PII was improperly accessed during a ransomware attack. The appellate court agreed with class members’ contention that the defendant had failed to address a newly created legal standard for data breach negligence claims in its motion to dismiss: “Indeed, the plaintiffs would have been hard-pressed to predict that they might need to amend their complaint to add more specific foreseeability allegations in response to [defendant’s] renewed motion to dismiss,” the appellate court wrote, reversing the denial of the motion for leave to amend.
7th Circuit: Time and money spent responding to second verification request is sufficient for standing
On June 7, the U.S. Court of Appeals for the Seventh Circuit held that spending time and money to send a second verification request is enough to confer standing under the FDCPA. Plaintiff’s defaulted credit card debt was purchased by one of the defendants and placed with a collection agency. A letter providing details about the debt, including the original creditor, current creditor, and a validation notice, was sent to the plaintiff. Within the required 30-day timeframe, plaintiff sent a letter to the collection agency requesting validation of the debt. However, instead of receiving a response from the agency, plaintiff received another letter from one of the defendants that provided information on the debt and informed her that it had initiated a review of the inquiry it had received. The second letter also included a validation notice, which confused the plaintiff and resulted in her spending time and money ($3.95) to request validation again. Plaintiff filed suit accusing the defendants of violating the FDCPA and asserting that the second letter would lead a consumer to believe that they must re-dispute the debt. According to the plaintiff, the letter, among other things, used false, deceptive, misleading, and unfair or unconscionable means to collect or attempt to collect a debt. The defendants moved to dismiss for lack of standing, arguing that while the letter may have confused and alarmed the plaintiff, it did not cause her to initiate “any action to her detriment on account of her confusion.” The district court granted defendants’ motion to dismiss, ruling that the time and money spent on sending the second validation request did not rise to the level of detriment required for standing under the FDCPA, and that, moreover, it provided plaintiff with another opportunity to dispute the debt if she failed to properly do so the first time.
Disagreeing with the dismissal, the 7th Circuit wrote that the second postage fee (albeit modest in size) is the type of harm that Congress intended to protect consumers from when it enacted the FDCPA. “Money damages caused by misleading communications from the debt collector are certainly included in the sphere of interests that Congress sought to protect,” the appellate court stated, explaining that the second letter caused the plaintiff “to suffer a concrete detriment to her debt-management choices in the form of the expenditure of additional money to preserve rights she had already preserved.”
11th Circuit revises data breach negligence claim
The U.S. Court of Appeals for the Eleventh Circuit recently reversed the dismissal of a negligence claim brought against a Georgia-based airport retailer, determining that a company of its size and sophistication “could have foreseen being the target of a cyberattack.” Plaintiff, who used to work for the defendant, filed suit alleging the defendant failed to protect thousands of current and former employees’ sensitive personally identifiable information (PII), including Social Security numbers, from an October 2020 ransomware attack. Bringing claims for negligence and breach of implied contract on behalf of class members, plaintiff contended that not only should the defendant have protected the PII, but it also took several months for the defendant to notify affected individuals. A notice provided by the company claimed the attack only affected an internal, administrative system, but according to the plaintiff, the attacker uploaded the PII to third-party servers. Plaintiff was later informed that an unknown party used his Social Security number to file pandemic-related unemployment assistance claims under his name in Rhode Island and Kentucky. Plaintiff challenged that the defendant should have taken steps before the hack to better protect the information and that the alleged “harms he suffered were a foreseeable result of [defendant’s] inadequate security practices and its failure to comply with industry standards appropriate to the nature of the sensitive, unencrypted information it was maintaining.” The district court disagreed and granted defendant’s motion to dismiss for failure to state a claim. Plaintiff appealed, arguing that “the district court demanded too much at the pleadings stage.”
On appeal, the 11th Circuit concluded, among other things, that the plaintiff could not have been expected to plead details about the defendant’s private data security policies. “We cannot expect a plaintiff in [this] position to plead with exacting detail every aspect of [defendant’s] security history and procedures that might make a data breach foreseeable, particularly where ‘the question of reasonable foreseeability of a criminal attack is generally for a jury’s determination rather than summary adjudication by the courts,’” the appellate court wrote, noting that plaintiff had sufficiently pled the existence of a special relationship as well as a foreseeable risk of harm. However, the 11th Circuit affirmed dismissal of plaintiff’s claim for breach of implied contract, stating that he failed to allege any facts showing that the defendant agreed to be bound by a data retention or protection policy.
A few days later, the 11th Circuit issued an opinion saying class members in a different action should be allowed to amend their data breach negligence claim in light of the appellate court’s decision discussed above. The 11th Circuit wrote that the decision in the aforementioned case “undermined” the dismissal of plaintiff’s negligence claim alleging a defendant warehousing company allowed a data breach to occur because it failed to take appropriate measures to secure its network. Class members in this case also alleged their PII was improperly accessed during a ransomware attack. The appellate court agreed with class members’ contention that the defendant had failed to address a newly created legal standard for data breach negligence claims in its motion to dismiss: “Indeed, the plaintiffs would have been hard-pressed to predict that they might need to amend their complaint to add more specific foreseeability allegations in response to [defendant’s] renewed motion to dismiss,” the appellate court wrote, reversing the denial of the motion for leave to amend.
6th Circuit: Single RVM confers standing
The U.S. Court of Appeals for the Sixth Circuit recently held that receiving one ringless voicemail (RVM) was enough to confer standing upon a plaintiff under the TCPA. In that case, plaintiff asserted he received several RVMs to his cell phone but never consented to receiving the messages. He filed a putative class action suit for violations of the TCPA, alleging the defendant used an automated telephone dialing system (autodialer) to deliver multiple RVMs to his cell phone advertising its services. According to the plaintiff, the RVMs tied up his phone line, cost him money, and invaded his privacy. During discovery, an expert concluded that only one of the 11 voicemails plaintiff claimed to have received was from the defendant. The defendant moved to dismiss, arguing the plaintiff lacked standing because he did not suffer a concrete injury. The district court granted defendant’s motion, ruling that receiving a single RVM did not constitute a concrete harm sufficient for Article III standing, because, among other things, plaintiff could not recall what he was doing when the RVMs were sent, he was not charged for the RVM, the RVM did not tie up his phone line, and he spent a very small amount of time reviewing the message.
On appeal, the 6th Circuit noted that it had not previously considered whether receiving a single RVM for commercial purposes is sufficient to confer standing under the TCPA. To determine whether an intangible harm—such as receiving an unsolicited RVM—rises to the level of concrete injury, the appellate court reviewed U.S. Supreme Court rulings on standing. “[Plaintiff’s] receipt of an unsolicited RVM bears a close relationship to the kind of injury protected by the common law tort of intrusion upon seclusion; and his claimed harm directly correlates with the protections enshrined by Congress in the TCPA,” the 6th Circuit wrote, reversing and remanding the district court’s judgment and stating that “[plaintiff] suffered a concrete injury in fact sufficient for Article III standing purposes.”
FTC says COPPA does not preempt state privacy claims
The FTC recently filed an amicus brief in a case on appeal before the U.S. Court of Appeals for the Ninth Circuit, arguing that the Children’s Online Privacy Protection Act (COPPA) does not preempt state laws that are consistent with the federal statute’s treatment of regulated activities. The full 9th Circuit is currently reviewing a case brought against a multinational technology company accused of using persistent identifiers to collect children’s data and track their online behavior surreptitiously and without their consent in violation of COPPA and various state laws.
As previously covered by InfoBytes, last December the 9th Circuit reversed and remanded a district court’s decision to dismiss the suit after reviewing whether COPPA preempts state law claims based on underlying conduct that also violates COPPA’s regulation. At the time, the 9th Circuit examined the language of COPPA’s preemption clause, which states that state and local governments cannot impose liability for interstate commercial activities that is “inconsistent with the treatment of those activities or actions” under COPPA. The opinion noted that the 9th Circuit has long held “that a state law damages remedy for conduct already proscribed by federal regulations is not preempted,” and that the statutory term “inconsistent” in the preemption context refers to contradictory state law requirements, or to requirements that stand as obstacles to federal objectives. The opinion further stated that because “the bar on ‘inconsistent’ state laws implicitly preserves ‘consistent’ state substantive laws, it would be nonsensical to assume Congress intended to simultaneously preclude all state remedies for violations of those laws.” As such, the appellate court held that “COPPA’s preemption clause does not bar state-law causes of action that are parallel to, or proscribe the same conduct forbidden by, COPPA. Express preemption therefore does not apply to the children’s claims.” The defendant asked the full 9th Circuit to review the ruling. The appellate court in turn asked the FTC for its views on the COPPA preemption issue, specifically with respect to “whether the [COPPA] preemption clause preempts fully stand-alone state-law causes of action by private citizens that concern data-collection activities that also violate COPPA but are not predicated on a claim under COPPA.”
In agreeing with the 9th Circuit that plaintiffs’ claims are not preempted in this case, the FTC argued that nothing in COPPA’s text, purpose, or legislative history supports the sweeping preemption that the defendant claimed. According to the defendant, plaintiffs’ state law claims are inconsistent with COPPA and are therefore preempted “because the claims were brought by plaintiffs who were not authorized to directly enforce COPPA, and would result in monetary remedies under state law that COPPA did not make available through direct enforcement.” Moreover, all state law claims relating to children’s online privacy are inconsistent with COPPA’s framework, including those brought by state enforcers, the defendant maintained. The FTC disagreed, writing that the 9th Circuit properly rejected defendant’s interpretation, which would preempt a wide swath of traditional state laws. Moreover, COPPA’s preemption clause only applies to state laws that are “inconsistent” with COPPA so as not to create “field preemption,” the FTC said, adding that plaintiffs’ claims in this case are consistent with the statute.
CFPB brief defends funding structure
On May 8, petitioner CFPB filed its brief with the U.S. Supreme Court, criticizing the U.S. Court of Appeals for the Fifth Circuit’s decision in Community Financial Services Association of America v. Consumer Financial Protection Bureau, where the appellate court found that the Bureau’s “perpetual self-directed, double-insulated funding structure” violated the Constitution’s Appropriations Clause (covered by InfoBytes here and a firm article here). The 5th Circuit’s decision also vacated the agency’s Payday Lending Rule on the premise that it was promulgated at a time when the Bureau was receiving unconstitutional funding.
Earlier this year, the Bureau filed a petition for a writ of certiorari, which the Court granted (covered by InfoBytes here). The Bureau explained in its petition that the 5th Circuit’s decision would negatively impact its “critical work administering and enforcing consumer financial protection laws” and “threatens the validity of all past CFPB actions as well” as the decision vacates a past agency action based on the purported Appropriations Clause violation. Community Financial Services Association of America (CFSA) filed a conditional cross-petition, seeking review on other aspects of the 5th Circuit’s decision, including that the 5th Circuit’s decision does not warrant review because the appellate court correctly vacated the Payday Lending Rule, which, according to the respondents, has “multiple legal defects, including but not limited to the Appropriations Clause issue.” (Covered by InfoBytes here.)
In its opening brief, the Bureau expanded on why it believes the 5th Circuit erred in its holding. The Bureau argued that the text of the Appropriations Clause “does not limit Congress’ authority to determine the specificity, duration, and source of its appropriations.” The agency further explained that Congress has chosen similar funding mechanisms for many other financial regulatory agencies, including the FDIC, NCUA, FHFA, and the Farm Credit Administration (and agencies outside of the financial regulatory sector), where they are all funded in part through the collection of fees, assessments, and investments. The Bureau emphasized that the 5th Circuit and the CFSA failed “to grapple with the Appropriation Clause’s text, Congress’ historical practice, or [Supreme] Court precedent,” but instead asserted only that the funding mechanism was “unprecedented.” “Congress enacted a statute explicitly authorizing the CFPB to use a specified amount of funds from a specified source for specified purposes,” the Bureau emphasized. “The Appropriations Clause requires nothing more.” The 5th Circuit’s “novel and ill-defined limits on Congress’s appropriations authority contradict the Constitution’s text and congressional practice dating to the Founding.”
The Bureau also addressed the now-vacated Payday Lending Rule. Arguing that even if there were some constitutional flaw in 12 U.S.C. § 5497 (the statute creating the Bureau’s funding mechanism), the 5th Circuit should have looked for some cure to allow the remainder of the funding mechanism to stand independently instead of “adopting an unjustified and profoundly disruptive retrospective remedy” and presuming the funding mechanism created under Section 5497(a)-(c) was entirely invalid. The Bureau also stressed that vacatur of the agency’s past actions was not an appropriate remedy and is inconsistent with historical practice. Adopting a remedial approach, the Bureau warned, would inflict significant disruption by calling into question 12 years of past agency actions.
The Bureau urged the Court to at most grant only “prospective relief preventing the CFPB from enforcing the Payday Lending Rule against [CFSA] or their members until Congress provides the Bureau with funding from another source.” While such an approach could still “upend” the Bureau’s activities, “it would at least avoid the profoundly disruptive effect of unwinding already completed and concededly authorized agency actions like the Payday Lending Rule,” the Bureau wrote, adding that “[v]acatur of the CFPB’s past actions would be inappropriate in light of the significant disruption that such vacatur would produce.”
6th Circuit: Tennessee judicial foreclosure time-barred
On May 4, the U.S. Court of Appeals for the Sixth Circuit affirmed a lower court’s decision in a judicial foreclosure action, holding that a bank’s lawsuit was barred by Tennessee’s 10-year statute of limitations for actions to enforce liens on real property. The appellate court also refused to establish an equitable lien on the property in favor of the bank. According to the opinion, the home equity line of credit at issue in the case matured in 2007, requiring a final balloon payment, but the bank did not demand this payment, refinance the loan, or foreclose on the property. Instead, the bank continued to accept monthly interest payments totaling around $100,000 until 2017. The opinion reflected that the bank did not contend there to be a written instrument showing an extension of the loan or that such an extension was recorded. Rather, the bank raised several arguments, including that there was an oral modification to the loan and that it had the unilateral right to extend the loan based on “a future advances provision that could extend the maturity date for up to twenty years.” The bank further argued that the defendants’ monthly interest payments excused any writing requirement and evidenced an agreement to extend the loan’s maturity date. The appellate court disagreed, concluding that because the bank could not show, as a matter of law, that the loan’s maturity date was extended, its suit is untimely. The appellate court stated that the bank was aware that the loan “was in default as early as 2011 (well within the statute of limitations period) but took no action to foreclose or refinance.” The 6th Circuit further noted that if the bank had “simply memorialized an extension to the [l]oan’s maturity date in writing as required by Tenn. Code Ann. § 28-2-111(c), it would not be in this situation.”
11th Circuit: ECOA anti-discrimination provision against requiring spousal signature does not apply to defaulted mortgage during loan modification offer
On April 27, the U.S. Court of Appeals for the Eleventh Circuit affirmed a lower court’s decision to enter judgment in favor of a defendant national bank following a bench trial related to claims arising from foreclosure proceedings on the plaintiff’s home. The plaintiff executed a promissory note secured by a mortgage signed by both the plaintiff and her husband. After the borrowers defaulted on the mortgage, the defendant filed a foreclosure action and approved the plaintiff for a streamlined loan modification while the foreclosure action was pending. One of the conditions of the streamlined loan modification was that the plaintiff had to make required trial period plan payments and submit signed copies of the loan modification agreement within 14 days. Both individuals were expressly required to sign the modification agreement as borrowers on the mortgage. However, should one of the borrowers not sign, the bank required documentation as to why the signature is not required, as well as a recorded quit claim deed and a divorce decree. The plaintiff acknowledged that she refused to return a fully signed loan modification agreement or provide alternative supporting documentation, and during trial, both individuals admitted that the husband refused to sign. The borrowers eventually consented to final judgment in the foreclosure action and the property was sold.
The plaintiff then brought claims under ECOA and RESPA. The district court granted summary judgment to the defendant on the ECOA discrimination claim and the RESPA claim. After a bench trial on the ECOA notice claim, the district court determined that because the defendant gave proper notice to the plaintiff as required by ECOA (i.e., she was provided required written notices within 30 days after being verbally informed that her modification agreement was not properly completed), plaintiff’s claim failed on the merits.
On appeal, plaintiff argued, among other things, that the district court erred in granting summary judgment in favor of the defendant on her ECOA discrimination claim. The 11th Circuit explained that under ECOA it is unlawful for a creditor to discriminate against an applicant on the basis of marital status. However, ECOA and Regulation B also establish “exceptions for actions that are not considered discrimination, including when a creditor may require a spouse’s signature,” and include additional exceptions to creditor conduct constituting “adverse action” (i.e. “any action or forbearance taken with respect to an account that is delinquent or in default is not adverse action”). The appellate court held that because the plaintiff had defaulted on the mortgage at the time the loan modification was offered, ECOA and Regulation B’s anti-discrimination provision against requiring spousal signatures did not apply to her. Moreover, even if the provision was applicable in this instance, the appellate court held that “the district court correctly concluded that it was reasonable for [defendant] to require either [plaintiff’s] signature or a divorce decree in light of Florida’s homestead laws,” and that such a requirement does not constitute discrimination under ECOA.
As to the notice claim, the appellate court found no error in the district court’s conclusion that the defendant had satisfied applicable notice requirements by timely sending a letter to the plaintiff that (i) specified the information needed from the plaintiff; (ii) designated a reasonable amount of time within which to provide the information; and (iii) informed the plaintiff that failure to do so would result in cancellation of the modification. This letter satisfied the “notice of incompleteness” requirements of 12 C.F.R. § 202.9(c)(2).
2nd Circuit addresses preclusion standard in dismissal of RMBS actions
On April 26, the U.S. Court of Appeals for the Second Circuit upheld the dismissal of three residential mortgage-backed securities lawsuits tied to losses incurred during the 2008 financial crisis. The plaintiffs, issuers of collateralized debt obligations secured by RMBS certificates, sued several trust entities in separate lawsuits over the losses. According to the opinion, the district courts in each action assumed the plaintiffs had Article III standing but determined that they “were precluded from relitigating the issue of prudential standing” due to a related case they had previously brought against a different bank.
The 2nd Circuit explained that the district court in the related case had determined that the plaintiffs lacked standing because they had “conveyed all right, title, and interest in the RMBS certificates”—including the full power to file lawsuits—to third parties when issuing their notes, which were secured by certificates in RMBS trusts, among other assets. Following the decision, the third parties reassigned the litigation rights associated with the RMBS certificates back to the plaintiffs, but the court granted summary judgment in favor of the bank, holding that the plaintiffs lacked both Article III and prudential standing. The 2nd Circuit “affirmed on the ground that the assignments were champertous and that [p]laintiffs thus lacked prudential standing,” assuming but not deciding the issue of Article III standing.
With respect to the current lawsuits, the district court premised its dismissal on the finding that the plaintiffs were precluded from relitigating the issue of prudential standing by the holding in the related action. “In resolving an issue of first impression in this Circuit, we join the [9th] Circuit in concluding that the district courts permissibly bypassed the question of Article III standing to address issue preclusion, which offered a threshold, non-merits basis for dismissal,” the appellate court wrote. “In short, we fully agree with the district courts that [p]laintiffs were not entitled to a second bite at the prudential-standing apple after the [related] action. The district courts therefore did not err in taking this straightforward, if not ‘textbook,’ path to dismissal.”
CFPB says furnishers’ investigative duties include legal disputes
On April 20, the CFPB filed an amicus brief in a case before the U.S. Court of Appeals for the Eleventh Circuit arguing that the duty to investigate a consumer’s credit dispute applies not only to factual disputes but also to disputes that can be labeled as legal in nature. The plaintiffs entered into a timeshare agreement with the defendant hotel chain and made monthly payments for nearly two years but then stopped. The plaintiffs disputed the validity of, and attempted to rescind, the agreement. The defendant did not agree to the rescission and continued to record the deed under the plaintiffs’ names. The plaintiffs later obtained copies of their credit reports, which showed past-due balances with the defendant, and subsequently submitted letters to a credit reporting agency (CRA) disputing the credit reporting. After the defendant certified the information was accurate, the plaintiffs sued the defendant and the CRA alleging that the defendant violated the FCRA by failing to conduct a proper investigation. The defendant moved for summary judgment, arguing that the issue of whether the debt is owed—the basis of the plaintiffs’ FCRA claim—constitutes a legal dispute and is not a factual inaccuracy. The defendant further maintained that there was no legal error because the plaintiffs owed the money as a matter of law. Last December, the U.S. District Court for the Middle District of Florida granted partial summary judgment in favor the defendant after concluding, among other things, that because the plaintiffs’ dispute centered on the legal validity of their debt, rather than a factual inaccuracy, the investigation requirement was not triggered and the claim was “not actionable under the FCRA.”
The Bureau argued in favor of the plaintiffs-appellants. According to the Bureau, the district court “unduly narrow[ed] the scope of a furnisher’s obligations by holding that furnishers categorically need not investigate indirect disputes involving ‘legal’ inaccuracies.” This position, the Bureau maintained, contradicts the purpose of the FCRA’s requirement to conduct a reasonable investigation of consumer disputes and “could reduce the incentive of furnishers to resolve ‘legal’ disputes, and, in turn, could increase the volume of consumer complaints about credit reporting issues that the Bureau receives and devotes resources to address.”
Explaining that the FCRA does not distinguish between legal and factual disputes, the Bureau stated that the district court’s conclusion “is not supported by the statute, risks exposing consumers to more inaccurate credit reporting, conflicts with the decision of another circuit, and undercuts the remedial purpose of the FCRA.” The Bureau presented several arguments to support its position, including that a reasonable investigation is required under the FCRA, and that while the reasonableness of an investigation is case specific, it “can be evaluated by how thoroughly the furnisher investigated the dispute (e.g., how well its conclusion is supported by the information it considered or reasonably could have considered).”
The Bureau also claimed that the Congress did not intend to exclude disputes that involve legal questions. “[M]any inaccurate representations pertaining to an individual’s debt obligations arguably could be characterized as legal inaccuracies, given that determining the truth or falsity of the representation could require the reading of a contract,” the Bureau wrote. Moreover, an “atextual exception for legal inaccuracies will create a loophole that could swallow the reasonable investigation rule,” the Bureau stressed. The agency urged the court to “reject a formal distinction between factual and legal investigations because it will likely prove unworkable in practice” and said that allowing such a distinction would “curtail the reach of the FCRA’s investigation requirement in a way that runs counter to the purpose of the provision to require meaningful investigation to ensure accuracy on credit reports.”
As previously covered by InfoBytes, the CFPB and the FTC filed an amicus brief presenting the same arguments last December in a different FCRA case on appeal to the 11th Circuit involving the same defendant.