InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
7th Circuit: Time and money in responding to second verification request confers standing under FDCPA
On June 7, the U.S. Court of Appeals for the Seventh Circuit held that spending time and money to send a second verification request is enough to confer standing under the FDCPA. Plaintiff’s defaulted credit card debt was purchased by one of the defendants and placed with a collection agency. A letter providing details about the debt, including the original creditor, current creditor, and a validation notice, was sent to the plaintiff. Within the required 30-day timeframe, plaintiff sent a letter to the collection agency requesting validation of the debt. However, instead of receiving a response from the agency, plaintiff received another letter from one of the defendants that provided information on the debt and informed her that it had initiated a review of the inquiry it had received. The second letter also included a validation notice, which confused the plaintiff and resulted in her spending time and money ($3.95) to request validation again. Plaintiff filed suit accusing the defendants of violating the FDCPA and asserting that the second letter would lead a consumer to believe that they must re-dispute the debt. According to the plaintiff, the letter, among other things, used false, deceptive, misleading, and unfair or unconscionable means to collect or attempt to collect a debt. The defendants moved to dismiss for lack of standing, arguing that while the letter may have confused and alarmed the plaintiff, it did not cause her to initiate “any action to her detriment on account of her confusion.” The district court granted defendants’ motion to dismiss, ruling that the time and money spent on sending the second validation request did not rise to the level of detriment required for standing under the FDCPA, and that, moreover, it provided plaintiff with another opportunity to dispute the debt if she failed to properly do so the first time.
Disagreeing with the dismissal, the 7th Circuit wrote that the second postage fee (albeit modest in size) is the type of harm that Congress intended to protect consumers from when it enacted the FDCPA. “Money damages caused by misleading communications from the debt collector are certainly included in the sphere of interests that Congress sought to protect,” the appellate court stated, explaining that the second letter caused the plaintiff “to suffer a concrete detriment to her debt-management choices in the form of the expenditure of additional money to preserve rights she had already preserved.”
11th Circuit revises data breach negligence claim
The U.S. Court of Appeals for the Eleventh Circuit recently reversed the dismissal of a negligence claim brought against a Georgia-based airport retailer, determining that a company of its size and sophistication “could have foreseen being the target of a cyberattack.” Plaintiff, who used to work for the defendant, filed suit alleging the defendant failed to protect thousands of current and former employees’ sensitive personally identifiable information (PII), including Social Security numbers, from an October 2020 ransomware attack. Bringing claims for negligence and breach of implied contract on behalf of class members, plaintiff contended that not only should the defendant have protected the PII, but it also took several months for the defendant to notify affected individuals. A notice provided by the company claimed the attack only affected an internal, administrative system, but according to the plaintiff, the attacker uploaded the PII to third-party servers. Plaintiff was later informed that an unknown party used his Social Security number to file pandemic-related unemployment assistance claims under his name in Rhode Island and Kentucky. Plaintiff challenged that the defendant should have taken steps before the hack to better protect the information and that the alleged “harms he suffered were a foreseeable result of [defendant’s] inadequate security practices and its failure to comply with industry standards appropriate to the nature of the sensitive, unencrypted information it was maintaining.” The district court disagreed and granted defendant’s motion to dismiss for failure to state a claim. Plaintiff appealed, arguing that “the district court demanded too much at the pleadings stage.”
On appeal, the 11th Circuit concluded, among other things, that the plaintiff could not have been expected to plead details about the defendant’s private data security policies. “We cannot expect a plaintiff in [this] position to plead with exacting detail every aspect of [defendant’s] security history and procedures that might make a data breach foreseeable, particularly where ‘the question of reasonable foreseeability of a criminal attack is generally for a jury’s determination rather than summary adjudication by the courts,’” the appellate court wrote, noting that plaintiff had sufficiently pled the existence of a special relationship as well as a foreseeable risk of harm. However, the 11th Circuit affirmed dismissal of plaintiff’s claim for breach of implied contract, stating that he failed to allege any facts showing that the defendant agreed to be bound by a data retention or protection policy.
A few days later, the 11th Circuit issued an opinion saying class members in a different action should be allowed to amend their data breach negligence claim in light of the appellate court’s decision discussed above. The 11th Circuit wrote that the decision in the aforementioned case “undermined” the dismissal of plaintiff’s negligence claim alleging a defendant warehousing company allowed a data breach to occur because it failed to take appropriate measures to secure its network. Class members in this case also alleged their PII was improperly accessed during a ransomware attack. The appellate court agreed with class members’ contention that the defendant had failed to address a newly created legal standard for data breach negligence claims in its motion to dismiss: “Indeed, the plaintiffs would have been hard-pressed to predict that they might need to amend their complaint to add more specific foreseeability allegations in response to [defendant’s] renewed motion to dismiss,” the appellate court wrote, reversing the denial of the motion for leave to amend.
7th Circuit: Time and money spent responding to second verification request is sufficient for standing
On June 7, the U.S. Court of Appeals for the Seventh Circuit held that spending time and money to send a second verification request is enough to confer standing under the FDCPA. Plaintiff’s defaulted credit card debt was purchased by one of the defendants and placed with a collection agency. A letter providing details about the debt, including the original creditor, current creditor, and a validation notice, was sent to the plaintiff. Within the required 30-day timeframe, plaintiff sent a letter to the collection agency requesting validation of the debt. However, instead of receiving a response from the agency, plaintiff received another letter from one of the defendants that provided information on the debt and informed her that it had initiated a review of the inquiry it had received. The second letter also included a validation notice, which confused the plaintiff and resulted in her spending time and money ($3.95) to request validation again. Plaintiff filed suit accusing the defendants of violating the FDCPA and asserting that the second letter would lead a consumer to believe that they must re-dispute the debt. According to the plaintiff, the letter, among other things, used false, deceptive, misleading, and unfair or unconscionable means to collect or attempt to collect a debt. The defendants moved to dismiss for lack of standing, arguing that while the letter may have confused and alarmed the plaintiff, it did not cause her to initiate “any action to her detriment on account of her confusion.” The district court granted defendants’ motion to dismiss, ruling that the time and money spent on sending the second validation request did not rise to the level of detriment required for standing under the FDCPA, and that, moreover, it provided plaintiff with another opportunity to dispute the debt if she failed to properly do so the first time.
Disagreeing with the dismissal, the 7th Circuit wrote that the second postage fee (albeit modest in size) is the type of harm that Congress intended to protect consumers from when it enacted the FDCPA. “Money damages caused by misleading communications from the debt collector are certainly included in the sphere of interests that Congress sought to protect,” the appellate court stated, explaining that the second letter caused the plaintiff “to suffer a concrete detriment to her debt-management choices in the form of the expenditure of additional money to preserve rights she had already preserved.”
11th Circuit revises data breach negligence claim
The U.S. Court of Appeals for the Eleventh Circuit recently reversed the dismissal of a negligence claim brought against a Georgia-based airport retailer, determining that a company of its size and sophistication “could have foreseen being the target of a cyberattack.” Plaintiff, who used to work for the defendant, filed suit alleging the defendant failed to protect thousands of current and former employees’ sensitive personally identifiable information (PII), including Social Security numbers, from an October 2020 ransomware attack. Bringing claims for negligence and breach of implied contract on behalf of class members, plaintiff contended that not only should the defendant have protected the PII, but it also took several months for the defendant to notify affected individuals. A notice provided by the company claimed the attack only affected an internal, administrative system, but according to the plaintiff, the attacker uploaded the PII to third-party servers. Plaintiff was later informed that an unknown party used his Social Security number to file pandemic-related unemployment assistance claims under his name in Rhode Island and Kentucky. Plaintiff challenged that the defendant should have taken steps before the hack to better protect the information and that the alleged “harms he suffered were a foreseeable result of [defendant’s] inadequate security practices and its failure to comply with industry standards appropriate to the nature of the sensitive, unencrypted information it was maintaining.” The district court disagreed and granted defendant’s motion to dismiss for failure to state a claim. Plaintiff appealed, arguing that “the district court demanded too much at the pleadings stage.”
On appeal, the 11th Circuit concluded, among other things, that the plaintiff could not have been expected to plead details about the defendant’s private data security policies. “We cannot expect a plaintiff in [this] position to plead with exacting detail every aspect of [defendant’s] security history and procedures that might make a data breach foreseeable, particularly where ‘the question of reasonable foreseeability of a criminal attack is generally for a jury’s determination rather than summary adjudication by the courts,’” the appellate court wrote, noting that plaintiff had sufficiently pled the existence of a special relationship as well as a foreseeable risk of harm. However, the 11th Circuit affirmed dismissal of plaintiff’s claim for breach of implied contract, stating that he failed to allege any facts showing that the defendant agreed to be bound by a data retention or protection policy.
A few days later, the 11th Circuit issued an opinion saying class members in a different action should be allowed to amend their data breach negligence claim in light of the appellate court’s decision discussed above. The 11th Circuit wrote that the decision in the aforementioned case “undermined” the dismissal of plaintiff’s negligence claim alleging a defendant warehousing company allowed a data breach to occur because it failed to take appropriate measures to secure its network. Class members in this case also alleged their PII was improperly accessed during a ransomware attack. The appellate court agreed with class members’ contention that the defendant had failed to address a newly created legal standard for data breach negligence claims in its motion to dismiss: “Indeed, the plaintiffs would have been hard-pressed to predict that they might need to amend their complaint to add more specific foreseeability allegations in response to [defendant’s] renewed motion to dismiss,” the appellate court wrote, reversing the denial of the motion for leave to amend.
District Court puts hold on CFPB’s $2.7 billion request in telemarketer case
On June 7, the U.S District Court for the District of Utah denied the CFPB’s motion for an award of monetary and injunctive relief, assessment of civil money penalties, and final judgment in an action taken against a group of Utah-based credit repair telemarketers and their affiliates (collectively, “defendants”). As previously covered by InfoBytes, the CFPB sued the defendants in 2019 for allegedly committing deceptive acts and practices in violation of the Telemarketing Sales Rule (TSR) and the Consumer Financial Protection Act (CFPA) by charging consumers a fee for credit repair services when they signed up for the services through telemarketing, and then monthly thereafter. Certain defendants also allegedly made false and misleading claims guaranteeing, or ensuring the high-likelihood, that loans or rent-to-own housing offers would be available through affiliates after signing up for credit repair services when the products were not available. In March, the court granted the Bureau’s motion for partial summary judgment, ruling in favor of the agency on claims that the defendants violated the TSR’s prohibitions against charging upfront fees for credit repair services.
According to the June 7 order, the Bureau asked the court to award more than $2.7 billion in monetary relief, justifying the amount as “either a ‘refund of moneys’ or, alternatively, as legal (as opposed to equitable) ‘restitution.’” The Bureau also requested civil money penalties of $35.2 million and $17.6 million against different defendants, as well as extensive injunctive relief. Defendants argued that the maximum civil money penalty should fall within the range of $1 and $17.6 million as their alleged conduct “did not merit the maximum Tier 1 penalty,” and that, in any event, “the Tier 1 daily limit in the statute should apply to the aggregate penalty amount imposed on all [d]efendants collectively.” Defendants also asked the court to deny the requested injunction or clarify its requirements.
In denying the Bureau’s motion, the court wrote that “outstanding issues of fact” preclude it from entering the agency’s requested relief at this time. “Given the existence of these factual disputes, the court finds it will be most efficient to consolidate further discussions of relief with final pretrial proceedings,” the court said, denying the agency’s request without prejudice.
District Court: Plaintiff failed to prove damages in RESPA suit
The U.S. District Court for the Northern District of Texas recently granted summary judgment in favor of a defendant mortgage servicer related to alleged RESPA violations. Plaintiff obtained a refinanced loan that was serviced by the defendant. Plaintiff later sued the defendant after becoming frustrated by receiving repeated calls suggesting he refinance the loan. Once litigation commenced, the defendant began sending the monthly mortgage statements to plaintiff’s counsel. In 2021, plaintiff sent a request for information to the defendant seeking a range of monthly billing statements, which the defendant allegedly only partially provided. Plaintiff’s attorney further claimed to have received an escrow review statement from the defendant referencing an escrow surplus check that the plaintiff also claimed not to have received. The plaintiff claimed violation of RESPA by pointing to the defendant’s alleged failure to adequately respond to his requests for statements or to provide the surplus check. The defendant moved for summary judgment, arguing that neither the facts nor the law supported the plaintiff’s claims.
The plaintiff eventually conceded that there is no private right of action under RESPA’s escrow payment regulation and withdrew the claim. The court also took issue with his claim that the defendant failed to adequately respond to his request for information. Even if the defendant failed to adequately respond, the plaintiff could not plead or prove actual damages, the court said. “Neither party disputes that RESPA requires plaintiffs to plead and prove actual damages from an alleged violation,” the court wrote. “Instead, they focus their arguments on the sufficiency of the alleged damages. [Defendant] alleges that [plaintiff] provides no evidence to demonstrate how he suffered damages from the fact that it provided only three of the fourteen requested monthly statements.” Plaintiff tried to argue he was owed monetary damages due to being deprived of the escrow surplus funds and by being unfairly assessed convenience fees when making payments through the defendant’s online portal. He further claimed he suffered medical and mental anguish. However, the court concluded that evidence presented by the defendant refuted these claims (the convenience fee claim, the court said, could not be connected to the RESPA claim) and said plaintiff also failed to support his claims of medical and mental anguish. Further, plaintiff failed to present evidence supporting his claim for statutory damages, the court said, finding no genuine dispute of material fact in the record.
6th Circuit: Single RVM confers standing
The U.S. Court of Appeals for the Sixth Circuit recently held that receiving one ringless voicemail (RVM) was enough to confer standing upon a plaintiff under the TCPA. In that case, plaintiff asserted he received several RVMs to his cell phone but never consented to receiving the messages. He filed a putative class action suit for violations of the TCPA, alleging the defendant used an automated telephone dialing system (autodialer) to deliver multiple RVMs to his cell phone advertising its services. According to the plaintiff, the RVMs tied up his phone line, cost him money, and invaded his privacy. During discovery, an expert concluded that only one of the 11 voicemails plaintiff claimed to have received was from the defendant. The defendant moved to dismiss, arguing the plaintiff lacked standing because he did not suffer a concrete injury. The district court granted defendant’s motion, ruling that receiving a single RVM did not constitute a concrete harm sufficient for Article III standing, because, among other things, plaintiff could not recall what he was doing when the RVMs were sent, he was not charged for the RVM, the RVM did not tie up his phone line, and he spent a very small amount of time reviewing the message.
On appeal, the 6th Circuit noted that it had not previously considered whether receiving a single RVM for commercial purposes is sufficient to confer standing under the TCPA. To determine whether an intangible harm—such as receiving an unsolicited RVM—rises to the level of concrete injury, the appellate court reviewed U.S. Supreme Court rulings on standing. “[Plaintiff’s] receipt of an unsolicited RVM bears a close relationship to the kind of injury protected by the common law tort of intrusion upon seclusion; and his claimed harm directly correlates with the protections enshrined by Congress in the TCPA,” the 6th Circuit wrote, reversing and remanding the district court’s judgment and stating that “[plaintiff] suffered a concrete injury in fact sufficient for Article III standing purposes.”
District Court preliminarily approves $2.7 million FCRA settlement
On June 1, the U.S. District Court for the Eastern District of California preliminarily approved a class action settlement, which would require a corporate defendant to pay $2.7 million to resolve allegations that it provided false information on credit reports to auto dealers. The defendant sells credit reports to auto dealers to help dealers manage their regulatory compliance obligations, the order explained, noting that one of these obligations prohibits dealers from engaging in business with anyone designated on the U.S. Treasury Department’s Office of Foreign Assets Control’s (OFAC) Specially Designated Nationals (SDN) list. The SDN list is comprised of persons and entities owned or controlled by (or acting for or on behalf of) a targeted company, or non-country specific persons, who are prohibited from conducting business in the U.S. The defendant would flag a consumer as an “OFAC Hit” if it matched a name on the SDN list.
The order explained that when using a “similar name” algorithm script to run the consumer’s name against the SDN list to check for a match, the defendant only ran first and last names and did not input other available information such as birth dates and addresses. The lead plaintiff filed a putative class action pleading claims under the FCRA and California’s Consumer Credit Reporting Agencies Act, alleging his name inaccurately came up as an OFAC hit on a credit report sold to an auto dealer. In turn, the plaintiff was denied credit and suffered emotionally, later learning that the defendant incorrectly matched him with an SDN. According to class members, the defendant failed to follow reasonable procedures to assure maximum possible accuracy when matching consumer information and failed to provide, upon request, all information listed in a consumer’s file. Moreover, the lead plaintiff claimed the defendant failed to investigate the disputed OFAC-related information sold to the dealer. The defendant moved for summary judgment on the premise that it was not acting as a consumer reporting agency and that OFAC check documents were not consumer reports, but the court denied the motion and later certified the class. If finalized, the settlement would provide $1,000 to each of the class members, attorneys fees and costs, and a service award to the lead plaintiff.
Bank to pay $1 billion to settle investors’ compliance claims
Last month, the U.S. District Court for the Southern District of New York preliminarily approved a securities litigation settlement that would require a national bank to pay $1 billion to resolve class claims that it misrepresented its progress in overhauling its internal controls and compliance processes. The required overhauls relate to consent orders entered between the bank and its regulators in 2018 concerning alleged improper banking practices and corporate oversight deficiencies. The settlement would resolve investors’ claims that the bank’s allegedly misleading statements artificially inflated the price of the bank’s common stock, which declined when additional information was revealed. The bank expressly denies that the lead plaintiffs “have asserted any valid claims,” and denies “any and all allegations of fault, liability, wrongdoing, or damages.” If granted final approval, the bank would be required to pay $1 billion into a fund to be distributed to certain affected investors.
FTC says COPPA does not preempt state privacy claims
The FTC recently filed an amicus brief in a case on appeal before the U.S. Court of Appeals for the Ninth Circuit, arguing that the Children’s Online Privacy Protection Act (COPPA) does not preempt state laws that are consistent with the federal statute’s treatment of regulated activities. The full 9th Circuit is currently reviewing a case brought against a multinational technology company accused of using persistent identifiers to collect children’s data and track their online behavior surreptitiously and without their consent in violation of COPPA and various state laws.
As previously covered by InfoBytes, last December the 9th Circuit reversed and remanded a district court’s decision to dismiss the suit after reviewing whether COPPA preempts state law claims based on underlying conduct that also violates COPPA’s regulation. At the time, the 9th Circuit examined the language of COPPA’s preemption clause, which states that state and local governments cannot impose liability for interstate commercial activities that is “inconsistent with the treatment of those activities or actions” under COPPA. The opinion noted that the 9th Circuit has long held “that a state law damages remedy for conduct already proscribed by federal regulations is not preempted,” and that the statutory term “inconsistent” in the preemption context refers to contradictory state law requirements, or to requirements that stand as obstacles to federal objectives. The opinion further stated that because “the bar on ‘inconsistent’ state laws implicitly preserves ‘consistent’ state substantive laws, it would be nonsensical to assume Congress intended to simultaneously preclude all state remedies for violations of those laws.” As such, the appellate court held that “COPPA’s preemption clause does not bar state-law causes of action that are parallel to, or proscribe the same conduct forbidden by, COPPA. Express preemption therefore does not apply to the children’s claims.” The defendant asked the full 9th Circuit to review the ruling. The appellate court in turn asked the FTC for its views on the COPPA preemption issue, specifically with respect to “whether the [COPPA] preemption clause preempts fully stand-alone state-law causes of action by private citizens that concern data-collection activities that also violate COPPA but are not predicated on a claim under COPPA.”
In agreeing with the 9th Circuit that plaintiffs’ claims are not preempted in this case, the FTC argued that nothing in COPPA’s text, purpose, or legislative history supports the sweeping preemption that the defendant claimed. According to the defendant, plaintiffs’ state law claims are inconsistent with COPPA and are therefore preempted “because the claims were brought by plaintiffs who were not authorized to directly enforce COPPA, and would result in monetary remedies under state law that COPPA did not make available through direct enforcement.” Moreover, all state law claims relating to children’s online privacy are inconsistent with COPPA’s framework, including those brought by state enforcers, the defendant maintained. The FTC disagreed, writing that the 9th Circuit properly rejected defendant’s interpretation, which would preempt a wide swath of traditional state laws. Moreover, COPPA’s preemption clause only applies to state laws that are “inconsistent” with COPPA so as not to create “field preemption,” the FTC said, adding that plaintiffs’ claims in this case are consistent with the statute.