InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Illinois Supreme Court declines to reconsider BIPA accrual ruling
On July 18, the Illinois Supreme Court declined to reconsider its February ruling, which held that under the state’s Biometric Information Privacy Act (BIPA or the Act), claims accrue “with every scan or transmission of biometric identifiers or biometric information without prior informed consent.” Three justices, however, dissented from the denial of rehearing, writing that the ruling leaves “a staggering degree of uncertainty” by offering courts and defendants little guidance on how to determine damages. The putative class action stemmed from allegations that the defendant fast food chain violated BIPA sections 15(b) and (d) by unlawfully collecting plaintiff’s biometric data and disclosing the data to a third-party vendor without first obtaining her consent. While the defendant challenged the timeliness of the action, the plaintiff asserted that “a new claim accrued each time she scanned her fingerprints” and her data was sent to a third-party authenticator, thus “rendering her action timely with respect to the unlawful scans and transmissions that occurred within the applicable limitations period.”
In February, a split Illinois Supreme Court held that claims accrue under BIPA each time biometric identifiers or biometric information (such as fingerprints) are scanned or transmitted, rather than simply the first time. (Covered by InfoBytes here.) The dissenting judges wrote that they would have granted rehearing because the majority’s determination that BIPA claims accrue with every transmission “subvert[s] the intent of the Illinois General Assembly, threatens the survival of businesses in Illinois, and consequently raises significant constitutional due process concerns.” The dissenting judges further maintained that the majority’s February decision is confusing and lacks guidance for courts when determining damages awards. While the majority emphasized that BIPA does not contain language “suggesting legislative intent to authorize a damages award that would result in the financial destruction of a business,” it also said that it continues “to believe that policy-based concerns about potentially excessive damage awards under [BIPA] are best addressed by the legislature,” and that it “respectfully suggest[s] that the legislature review these policy concerns and make clear its intent regarding the assessment of damages under [BIPA].”
9th Circuit denies en banc hearing on COPPA preemption question
On July 13, a panel of the U.S. Court of Appeals for the Ninth Circuit entered an order amending an opinion filed on December 28, 2022 and denied a petition for rehearing en banc in a putative class action accusing a multinational technology company and search engine and its affiliated video-sharing platform of collecting children’s data and tracking their online behavior surreptitiously without parental consent in violation of state law and the Children’s Online Privacy Protection Act (COPPA). The panel unanimously voted against defendant’s en banc rehearing request, commenting that no other 9th Circuit judge has requested a vote on whether to consider the matter en banc.
Claiming the defendant used “persistent identifiers” — which the FTC’s regulations define as information “that can be used to recognize a user over time and across different Web sites or online services” — class members alleged state law claims arising under the constitutional, statutory, and common laws of California, Colorado, Indiana, Massachusetts, New Jersey, and Tennessee. Last December, the three-judge panel reversed and remanded the district court’s dismissal of the suit, disagreeing that the allegations were squarely covered, and preempted, by COPPA (covered by InfoBytes here.) On appeal, the 9th Circuit considered whether COPPA preempts state law claims based on underlying conduct that also violates COPPA’s regulations. The panel determined that “COPPA’s preemption clause does not bar state-law causes of action that are parallel to, or proscribe the same conduct forbidden by, COPPA. Express preemption therefore does not apply to the children’s claims.” The panel further noted that the U.S. Supreme Court and others have long held “that a state law damages remedy for conduct already proscribed by federal regulations is not preempted.”
The panel, however, amended its prior opinion to note that the FTC supports its conclusion that COPPA does not preempt the asserted state law privacy claims on the basis of either express preemption or conflict preemption. At the end of May, at the 9th Circuit’s request, the FTC filed an amicus brief (covered by InfoBytes here) arguing that COPPA does not preempt state laws that are consistent with the federal statute’s treatment of regulated activities. The panel concluded that neither express preemption nor conflict preemption bar the plaintiffs’ claims.
11th Circuit orders reexamination of breach class boundaries
On July 11, a split U.S. Court of Appeals for the Eleventh Circuit partially vacated the greenlighting of two data breach class actions, holding that a district court must re-analyze the boundaries of the classes. Both the nationwide and California classes are individuals who sued a restaurant chain after their card data and personally identifiable information were compromised in a cyberattack. Plaintiffs claimed that information for roughly 4.5 million cards could be accessed on an online marketplace for stolen payment information. Two of the three named plaintiffs also said they experienced unauthorized charges on their accounts. Plaintiffs moved to certify two classes seeking both injunctive and monetary relief—a nationwide (or alternatively a statewide) class for negligence and a California class for claims based on the state’s unfair business practices laws. The district court certified a nationwide class and a separate California-only class. The restaurant chain’s parent company appealed, arguing that the certification violates court precedent on Article III standing for class actions, that the classes do not meet the commonality requirements for certification, and that the district court erred by finding that a common damages methodology existed for the class.
On appeal, the majority found that at the class certification stage, plaintiffs only had to show that a reliable damages methodology existed. The majority also determined that the district court correctly found that plaintiffs’ expert presented a sufficient methodology for calculating damages and that “it would be a ‘matter for the jury’ to decide actual damages at trial.” However, the majority remanded the case with instructions for the district court to clarify what it meant when it certified classes of individuals who had their “data accessed by cybercriminals.” According to the opinion, the district court meant for this term to encompass individuals who experienced fraudulent charges or whose credit card information was posted on the dark web. The majority expressed concerns that the phrase “accessed by cybercriminals” is broader than the two delineated categories provided by the district court and could include individuals who had their data taken but were otherwise uninjured. The majority also vacated the California class certification after determining that two of the three named plaintiffs lacked standing because they dined at the restaurant outside of the “at-risk” timeframe. The district court’s damages calculation methodology, however, was left undisturbed by the appellate court.
Partially dissenting, one of the judges wrote that while she agreed that one of the named plaintiffs had standing to sue, she disagreed with the majority’s concrete injury analysis. The judge also argued that the district court erred in its damage calculations by “impermissibly permit[ting] plaintiffs to receive an award based on damages that they did not suffer.”
CFPB, Maine say loan purpose determines whether TILA applies
On July 12, the CFPB and the State of Maine filed an amicus brief in the Maine Supreme Judicial Court arguing that determining whether a loan is covered by TILA requires an assessment of the borrower’s primary purpose in entering into the transaction. The action involves a couple who obtained a loan from the bank to purchase land for the construction of a home. Due to the 2008 financial crisis, the value of the property depreciated, resulting in insufficient proceeds from the sale of the home to fully pay off the loan. To cover the shortfall, the couple acquired a new loan from the bank and used a cabin they owned as collateral. When the loan’s term ended, the couple defaulted after being unable to make the required balloon payment. The bank sued, seeking to take possession of the cabin. At trial, the couple attempted to present evidence that the bank had not provided them with certain necessary disclosures mandated by TILA and did not assess their ability to repay the loan. The couple maintained “that the bank’s liability under TILA fully offset the amount they owed to the bank under the loan.” The court determined, however, that since the loan documents indicated a commercial purpose, TILA did not apply.
The couple attempted to introduce extrinsic evidence to show that even though the loan was labeled “commercial,” it was actually used for personal, family, or household purposes and therefore was a covered consumer loan. The court relied on a case (Bordetsky v. JAK Realty Trust) holding that, for purposes of determining the applicability of Maine’s notice of default statute for residential real estate foreclosures, “courts should not look to extrinsic evidence to determine whether the loan had a commercial or consumer purpose if the loan document states on its face that the loan has a commercial purpose.”
The brief explained that TILA generally applies to consumer loans (i.e., loans that are primarily for a personal, family, or household purpose) but not to loans made for a commercial purpose, and that the Maine Consumer Credit Code fully incorporates TILA. The brief argued that the borrower’s primary purpose for obtaining the loan should determine whether TILA and the Maine Consumer Credit Code apply, and presented three arguments as to why the trial court erred in concluding that TILA is not applicable on the sole basis that the loan is labeled as a “commercial loan.” First, statutory text provides that a loan is generally covered by TILA if a borrower obtained the loan primarily for a family, personal or household purpose. TILA “requires a substantive and fact-intensive inquiry into the reasons why the borrower entered into the transaction,” the brief explained. Second, judicial precedent has established that “determining whether a loan has a covered purpose requires looking beyond the four corners of the contract.” The trial court erred in relying on Bordetsky because it pertains to a different Maine statute and does not address the judicial precedent or administrative guidance that govern TILA coverage, the brief said. Finally, permitting creditors to evade TILA by labeling a loan as “commercial” is at odds with TILA’s remedial purpose, the brief maintained.
“Why the consumer borrowed the money—not the label that the company sticks on the loan—determines whether the loan is covered by the law,” Seth Frotman, general counsel and senior advisor to the CFPB director, said in a blog post.
CFPB, states sue company over deceptive student lending and collection
On July 13, the CFPB joined state attorneys general from Washington, Oregon, Delaware, Minnesota, Illinois, Wisconsin, Massachusetts, North Carolina, South Carolina, and Virginia in taking action against an education firm accused of engaging in deceptive marketing and unfair debt collection practices. California’s Department of Financial Protection and Innovation is participating in the action as well. Prior to filing for bankruptcy, the Delaware-based defendant operated a private, for-profit vocational training program for software sales representatives. The joint complaint, filed as an adversary proceeding in the firm’s bankruptcy case, alleges that the defendant charged consumers up to $30,000 for its programs. The complaint further alleges that the defendant encouraged consumers who could not pay upfront to enter into income share agreements, which required minimum payments equal to between 12.5 and 16 percent of their gross income for 4 to 8 years or until they had paid a total of $30,000, whichever came first.
The complaint asserts that the defendant engaged in deceptive practices by misrepresenting its income share agreement as not a loan and not debt, and mislead borrowers into believing that no payments would need to be made until they received a job offer from a technology company with a minimum annual income of $60,000. The defendant is also accused of failing to disclose important financing terms, such as the amount financed, finance charges, and annual percentage rates, as required by TILA and Regulation Z. The complaint also claims that the defendant hired two debt collection companies to pursue collection activities on defaulted income share loans. One of the defendant debt collectors is accused of engaging in unfair practices by filing debt collection lawsuits in remote jurisdictions where consumers neither resided nor were physically present when the financing agreements were executed. The complaint further alleges the two defendant debt collectors violated the FDCPA and the CFPA by deceptively inducing consumers into settlement agreements and falsely claiming they owed more than they did.
According to the Bureau and the states, after the Delaware Department of Justice and Delaware courts began scrutinizing the debt collection lawsuits, the defendant unilaterally changed the terms of its contracts with consumers to force them into arbitration even though none of them had agreed to arbitrate their claims. Additionally, the complaint contends that settlement agreements marketed as being “beneficial” to consumers actually released consumers’ claims against the defendant and converted income share loans into revised “settlement agreements” that obligated them to make recurring monthly payments for several years and contained burdensome dispute resolution and collection terms.
The complaint seeks permanent injunctive relief, monetary relief, consumer redress, and civil money penalties. The CFPB and states are also seeking to void the income share loans.
States urge Supreme Court to find CFPB funding unconstitutional
On July 10, the West Virginia attorney general, along with 26 other states, filed an amicus brief in support of respondents in Consumer Financial Protection Bureau v. Community Financial Services Association of America, arguing that the CFPB’s funding structure violates the Constitution and that by operating outside the ordinary appropriations process states are often left “out in the cold.” In their brief, the states urged the U.S. Supreme Court to uphold the U.S. Court of Appeals for the Fifth Circuit’s decision in which it found that the Bureau’s “perpetual self-directed, double-insulated funding structure” violated the Constitution’s Appropriations Clause (covered by InfoBytes here and a firm article here). The 5th Circuit’s decision also vacated the agency’s Payday Lending Rule on the premise that it was promulgated at a time when the Bureau was receiving unconstitutional funding.
Arguing that the Bureau is operating beyond the boundaries established by the Constitution, the states maintained that the current funding mechanism limits Congress’s ability to oversee the agency. “Even if the CFPB has done some good—and some would even dispute that premise—it wouldn't matter,” the states said, warning that “sidelining Congress can greenlight an agency to wreak havoc,” especially if the “agency wields broad regulatory and enforcement powers over the entire U.S. financial system, acts under the control of a single powerful figure, and lacks other protections from meaningful oversight.”
The appropriations process plays a crucial role in enabling states to influence agency actions indirectly, the states maintained, explaining that when an agency initiates a new enforcement initiative or significant rulemaking endeavor, it is required to publicly outline its projected work in order to secure the necessary funding to carry it out. “Disclosure on the front end of the appropriations process can empower affected parties—including the [s]tates—to take quick, responsive actions beyond lobbying their representatives (up to suing to stop illegal action, if need be).” In contrast, the Bureau’s insulation from this process has allowed it to hide its actions from public view, the states wrote. As an example, the Bureau has repeatedly declined to interpret or provide further clarity on how the provisions governing unfair, deceptive, or abusive acts or practices work.
The brief also highlighted examples of when Congress used funding cuts through the appropriations process to curtail agencies’ powers. Additionally, unlike the challenges of amending authorizing statutes, appropriations bills must be passed by Congress each year to avoid a government shutdown, which can be “a painful pill to swallow for the sake of standing up for an agency’s policy choice,” the states noted, adding that “[b]ecause appropriations involves both oversight committees and appropriations committees, agencies may have ‘less flexibility to ally themselves with executive branch officials or interest groups.’”
The states also urged the Court to “ignore doomsaying” about the consequences of finding the funding structure unconstitutional. Should the Court agree to invalidate the funding structure, Congress can pass a proper appropriations bill for the Bureau, the states explained, adding that “a rebuke from this Court would no doubt grease the sticky wheels of the legislative process and move them a bit faster.” Moreover, states could also fill any gaps should Congress somehow pare back the CFPB’s funding, the brief stressed.
Several amicus briefs were also filed this week in support of CFSA, including an amici curiae brief filed by the U.S. Chamber of Commerce and several banking associations and an amici curiae brief filed by 132 members of Congress, including 99 representatives and 33 senators, which urged the Court to uphold the 5th Circuit’s decision.
7th Circuit affirms dismissal of FCRA claims against subservicer
On July 5, the U.S. Court of Appeals for the Seventh Circuit affirmed summary judgment in favor of a defendant data furnisher in an FCRA case, holding that the plaintiff failed to establish that the defendant provided “patently incorrect or materially misleading information” to a credit reporting agency (CRA). Defendant was the subservicer for plaintiff’s mortgage and was responsible for accepting and tracking payments and providing payment data to the CRAs. After plaintiff failed to make her monthly payments, she resolved the delinquency through a short sale of her home. Several years later, plaintiff noticed that the closed mortgage account appeared on her credit reports as delinquent. She disputed the information to several CRAs. To confirm the accuracy of its records on plaintiff’s mortgage, one of the CRAs sent the defendant data furnisher four automated consumer dispute verification (ACDV) forms. In the ACDV responses, the defendant amended or verified several contested data points, including the pay rate and account history. The CRA reported this amended data to indicate on plaintiff’s credit report that she was currently delinquent on the mortgage with missed payments in the months following the short sale. After plaintiff applied for and was denied a new mortgage based on the credit report, plaintiff sued the defendant data furnisher for alleged violations of the FCRA, alleging that the defendant failed to conduct a reasonable investigation of the disputed data and provided false and misleading information to CRAs. The district court granted summary judgment in favor of the defendant, finding that plaintiff failed to make a threshold showing that the defendant’s data was incomplete or inaccurate.
On appeal, the 7th Circuit disagreed with plaintiff that “completeness or accuracy” under the FCRA “must be judged based, not on the ACDV response the data furnisher provided, but on the credit report generated from it.” The court reasoned that the text of the statute “says nothing about a credit report, let alone a duty of a data furnisher with respect to credit reports produced using its amended data. To the contrary, the statute sets out the data furnisher’s duties to investigate disputes, correct incomplete or inaccurate information, and report results from an investigation” to the CRA. Holding that “context can play a large role in determining completeness or accuracy” in this situation, the appellate court agreed with the district court that the data provided by the defendant to the CRA was “not materially misleading” and that “no reasonable jury could find” that the data meant that plaintiff was currently delinquent on her debt, particularly because of strong “contextual evidence”—specifically, that the disputed data appeared directly beside a status code showing that the account was closed. The appeals court affirmed summary judgment for the data furnisher.
1st Circuit confirms standing for data breach victims
On June 30, the U.S. Court of Appeals for the First Circuit overruled a district court’s dismissal of a putative class action against a home delivery pharmacy service for allegedly failing to prevent a 2021 data breach that exposed the personally identifiable information (PII) of over 75,000 patients. The class action complaint alleged state law claims for negligence, breach of implied contract, unjust enrichment, invasion of privacy, and breach of fiduciary duty, and sought damages and injunctive relief. The putative class was comprised of U.S. residents whose PII was compromised in the data breach. The two named plaintiffs were former or current patients whose PII were compromised in the data breach, and one of the two named plaintiffs had her stolen PII used to file a fraudulent tax return. The district court dismissed the lawsuit for lack of Article III standing.
Affirming in part and reversing in part, the 1st Circuit held that the complaint “plausibly demonstrates” the plaintiffs’ standing to seek damages, applying the principles articulated by the Supreme Court in TransUnion LLC v. Ramirez, which clarified the type of concrete injury necessary to establish Article III standing (covered by InfoBytes here).
First, the court concluded that, with respect to the named plaintiff whose PII was used to file a fraudulent tax return, the complaint’s “plausible allegations of actual misuse” of the stolen PII constituted a “concrete injury in fact” for purposes of Article III standing. According to the 1st Circuit, there existed “an “obvious temporal connection” between the timing of the data breach and the filed return, among other facts. The appellate court also found that the fraudulent tax return could make it probable that more of the named plaintiff’s information could be further misused—changing the risk of future misuse from speculative to “imminent and substantial.”
Second, with respect to the named plaintiff for whom there was no allegation of actual misuse of PII, the court reasoned that “the complaint plausibly alleges a concrete injury in fact based on the material risk of future misuse of [plaintiff’s] PII and a concrete harm caused by exposure to this risk.” The appellate court also found that, because the data here was compromised in a “targeted attack,” then “it stands to reason that [such data] is more likely to be misused…and the risk of future misuse is heightened when the compromised data is particularly sensitive.”
Third, the court concluded that the complaint plausibly alleged a “separate concrete, present harm” caused by exposure to the risk of future harm, “based on the allegations of the plaintiffs’ lost time spent taking protective measures [against further identity theft] that would otherwise have been put to some productive use.” “The loss of this time is equivalent to a monetary injury, which is indisputably a concrete injury,” the appellate court wrote, adding that it joins other circuits in holding that time spent responding to a data breach is sufficient to establish standing.
Finally, the court held that plaintiffs lacked standing to pursue injunctive relief “because their desired injunctions would not likely redress their alleged injuries” as any such relief would only safeguard against future breaches and would not protect “plaintiffs from future misuse of their PII by the individuals they allege now possess it.”
District Court orders crypto platform and its CEO to disgorge and pay penalty in SEC case
On July 5, the U.S. District Court for the Southern District of New York ordered a crypto platform and its CEO to each pay a civil money penalty of $141,410, as well as to jointly pay disgorgement in the same amount, in a case brought by the SEC. The SEC filed a complaint in February 2021 alleging that the defendants violated the registration provisions of the Securities Act of 1933 in connection with their offer and sale of digital asset securities. According to the SEC, the defendants sold digital asset securities to hundreds of investors, including investors based in the United States, but failed to file a registration statement for the offering. The complaint further charged the defendants with denying prospective investors the material information required for such an offering to the public. The SEC alleged that the defendants raised at least $141,410 through their offering.
Neither defendant responded to the complaint, and the court accordingly entered an order of default against the defendants, permanently enjoining the defendants from violating the registration provisions of the Securities Act. The court also referred the case to a magistrate judge to make a recommendation regarding disgorgement and penalties. The magistrate judge concluded—and the court agreed—that there were sufficient facts supporting the SEC’s allegations against the defendants and that disgorgement and civil monetary penalties were appropriate remedies. In addition to the civil monetary penalty of $141,410 per defendant, the court held the defendants jointly and severally liable for disgorgement of $141,410 plus pre-judgment interest.
District Court orders individual to pay $148 million in student debt-relief scam
On July 7, the U.S. District Court for the Central District of California entered a final judgment and order against an individual defendant accused of operating and controlling a deceptive student loan debt relief operation. As previously covered by InfoBytes, in 2019, the CFPB, along with the Minnesota and North Carolina attorneys general and the Los Angeles City Attorney (together, the “states”), announced an action against the student loan debt relief operation for allegedly deceiving thousands of student loan borrowers. The Bureau and the states alleged that since at least 2015, the debt relief operation violated the Consumer Financial Protection Act (CFPA), Telemarketing Sales Rule (TSR), FDCPA, and various state laws by charging and collecting over $95 million in illegal advance fees from student loan borrowers. In addition, the Bureau and the states claimed that the debt relief operation engaged in deceptive practices by misrepresenting the purpose and application of the fees they charged and the nature and benefits of their services. Specifically, the debt relief operation allegedly failed to inform borrowers that, among other things, (i) they would request that the loans be placed in forbearance and interest would continue to accrue during the forbearance period, thereby increasing the borrowers’ overall loan balances; and (ii) it was their practice to submit false information about the borrowers to student loan servicers to try to qualify borrowers for lower monthly payments. The individual defendant was accused of owning, controlling, and managing the student loan debt relief operation, materially participating in the operation’s affairs, and providing substantial assistance or support while knowing or consciously avoiding knowledge that the operation was engaging in illegal conduct.
The individual defendant was held liable, jointly and severally, in the amount of approximately $95,057,757, for the purpose of providing redress to affected borrowers. Because the individual defendant was found to have recklessly violated the TSR and the CFPA, the court also imposed second-tier civil monetary penalties of $147,985,000 to the Bureau, of which $5,000 will be paid to each state. The final judgment also imposes various forms of injunctive relief, including permanent bans on engaging in consumer financial products or services and violating the TSR, CFPA, and similar laws in Minnesota, North Carolina, and California. The individual defendant is also prohibited from disclosing, using, or benefiting from customer information obtained in connection with the offering or providing of the debt relief services, and may not “attempt to collect, sell, assign, or otherwise transfer any right to collect payment from any consumer who purchased or agreed to purchase” a debt relief service from any of the defendants.