InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
District Court preliminarily approves data breach settlement
On October 24, the U.S. District Court for the District Court of Colorado granted preliminary approval of a class action settlement resolving claims that a defendant failed to safeguard personally identifiable information (PII) during a data breach. According to the plaintiffs’ unopposed motion for preliminary approval of class action settlement and supporting memorandum, in December 2021, the defendant determined that an unauthorized third party gained access to and gathered data from its computer network in June 2021. The plaintiffs further alleged that, “if [the defendant] ‘properly monitor[ed] … [its] computer network and systems that housed the … [PII],’ [the defendant] ‘would have discovered the intrusion sooner.’” Furthermore, the plaintiffs alleged that the defendant failed to provide “timely and adequate notice” to the plaintiff class, and filed claims for negligence, breach of implied contract, and invasion of privacy by intrusion. The settlement also includes a provision for the defendant to pay directly for credit monitoring and identity theft protection services, not limited by the $475,000 cap, along with about $51,000 for settlement administration costs. The plaintiffs would also be able to seek up to $210,000 for attorney fees and costs, and a total $5,000 for service awards to the named plaintiffs.
District Court grants FDCPA defendant’s motion for summary judgment
On October 18, the U.S. District Court for the Eastern District of Pennsylvania granted a second summary judgment motion by a debt collection agency (defendant) in an FDCPA suit, after the plaintiff filed a motion for reconsideration, ruling that a collection letter sent to the plaintiff was not false, deceptive, misleading, unfair or unconscionable. According to the order, the plaintiff received two bills after being treated at a hospital for an automobile accident: one in the amount of $675, which was adjusted from $900 because the plaintiff lacked insurance, and a second bill from a doctor’s network for $468. The hospital placed the unpaid account with the defendant who in turn sent a collection letter to the plaintiff, which was the only contact between the plaintiff and the defendant. The plaintiff filed suit, alleging that under Pennsylvania’s Motor Vehicle Financial Responsibility Law the defendant was permitted to attempt to collect only $141.15, and that its failure to do so violated the FDCPA. This value was based on the Current Procedural Terminology (CPT) code associated with the doctor’s network bill, but the hospital’s bill did not contain a CPT code. The district court found that the plaintiff did not demonstrate any material issue of disputed fact that the services provided by the hospital were or should have been billed under the same CPT code as the doctor’s network bill, nor did the plaintiff provide sufficient evidence to prove that the amount billed by the hospital violated state law, and therefore, granted the defendant’s motion for summary judgment.
7th Circuit: Plaintiff lacks standing to bring FCRA claim on credit report disputes
On October 18, the U.S. Court of Appeals for the Seventh Circuit affirmed dismissal of an FCRA action in favor of a defendant bank. According to the opinion, the plaintiff real estate investor obtained a loan secured by a mortgage from the defendant bank. The mortgage required the plaintiff to maintain a certain level of hazard insurance or the defendant bank could lender-place such insurance, with the cost of the lender-placed insurance amounts becoming additional debt secured by the mortgage. After the plaintiff underpaid on his flood insurance premiums, the defendant bank obtained lender-placed insurance. When the plaintiff did not pay the increased monthly payment associated with the lender-placed insurance amounts in full, the defendant bank informed the plaintiff that he was in default and that the entire amount of the loan would be accelerated if the default was not cured. While the plaintiff continued to submit partial payments, the defendant began reporting certain 2011 payments as 60 days or more late to the credit reporting agencies (CRAs). In 2012, the plaintiff disputed these purportedly late payments with the CRAs.
The plaintiff sued claiming, among other things, that the defendant violated the FCRA by failing to responsibly investigate the 2012 disputes. On appeal, after determining that the district court did not abuse its discretion by failing to rely on unsupported statements in the plaintiff's affidavit, the 7th Circuit found that the district court erred in requiring the plaintiff to prove damages as an element of his FCRA claim. However, the appellate court held that the plaintiff ultimately lacked standing to bring a claim under the FCRA because, as the appellate court highlighted, the injury that the plaintiff alleged—a decrease in his credit score in November 2011—could not be fairly traced to the defendant’s alleged action—a failure to reasonably investigate credit reporting disputes in January 2012.
9th Circuit says district court must reassess statutory damages in TCPA class action
On October 20, the U.S. Court of Appeals for the Ninth Circuit ordered a district court to reassess the constitutionality of a statutory damages award in a TCPA class action. Class members alleged the defendant (a multi-level marketing company) made more than 1.8 million unsolicited automated telemarketing calls featuring artificial or prerecorded voices without receiving prior express consent. The district court certified a class of consumers who received such a call made by or on behalf of the defendant, and agreed with the jury’s verdict that the defendant was responsible for the prerecorded calls at the statutorily mandated damages of $500 per call, resulting in total damages of more than $925 million. Two months later, the FCC granted the defendant a retroactive waiver of the heightened written consent and disclosure requirements, and the defendant filed post-trial motions with the district court seeking to “decertify the class, grant judgment as a matter of law, or grant a new trial on the ground that the FCC’s waiver necessarily meant [defendant] had consent for the calls made.” In the alternative, the defendant challenged the damages award as being “unconstitutionally excessive” under the Due Process Clause of the Fifth Amendment.
On appeal, the 9th Circuit affirmed most of the district court’s ruling, including upholding its decision to certify the class. Among other things, the appellate court determined that the district court correctly held that the defendant waived its express consent defense based on the retroactive FCC waiver because “no intervening change in law excused this waiver of an affirmative defense.” The appellate court found that the defendant “made no effort to assert the defense, develop a record on consent, or seek a stay pending the FCC’s decision,” even though it knew the FCC was likely to grant its petition for a waiver. While the 9th Circuit did not take issue with the $500 congressionally-mandated per call damages figure, and did not disagree with the total number of calls, it stressed that the “due process test applies to aggregated statutory damages awards even where the prescribed per-violation award is constitutionally sound.” Recognizing that Congress “set a floor of statutory damages at $500 for each violation of the TCPA but no ceiling for cumulative damages, in a class action or otherwise,” the appellate court explained that such damages “are subject to constitutional limitation in extreme situations,” and “in the mass communications class action context, vast cumulative damages can be easily incurred, because modern technology permits hundreds of thousands of automated calls and triggers minimum statutory damages with the push of a button.” Accordingly, the 9th Circuit ordered the district court to reassess the damages in light of these concerns.
Special Alert: Fifth Circuit finds CFPB funding unconstitutional — Now what?
The Fifth Circuit ruled last night in CFSA v. CFPB that the Consumer Financial Protection Bureau’s funding structure is unconstitutional, triggering a potential wave of implications discussed below.
The holdings
A panel of three Fifth Circuit judges unanimously held that the CFPB funding structure created by Congress violated the Appropriations Clause of the Constitution, which provides that “no money shall be drawn from the Treasury, but in Consequence of Appropriations made by Law.” It ruled that, although the CFPB spends money pursuant to a validly enacted statute, the structure violates the Appropriations Clause because the CFPB obtains its funds from the Federal Reserve (not the Treasury), the CFPB maintains funds in a separate account, the Appropriations Committees do not have authority to review the agency’s expenditures, and the bureau exercises broad authority over the economy. The court rejected the bureau’s arguments that the funding structure was necessarily constitutional because it was created by and subject to Congress, and distinguished other agencies that are funded outside of the annual appropriations process.
District Court rules FCRA allegation filed before expiration of 30-day investigation period is not ripe
On October 14, the U.S. District Court for the District of South Carolina adopted a magistrate judge’s report and recommendation to grant summary judgment in favor of a defendant accused of violating the FCRA. According to the plaintiff’s amended complaint, the plaintiff opened a loan with the defendant and later entered into a modified agreement that reduced his monthly payments and the future projected balance. He later noticed that his credit report showed (i) the reported balance for his account to be higher than it should have been under the terms of the modified agreement, and (ii) three months of late payments. The plaintiff filed a dispute with the credit reporting agency (CRA) arguing, among other things, that the balance was being misstated. The plaintiff filed another dispute with the CRA regarding the late payments. Plaintiff filed the instant action before the end of the 30-day investigation period for disputes regarding the late payments. The magistrate judge recommended summary judgment be granted to defendant related to claims alleging violation of Section1681s-2b for both (i) the claim predicated on the restated balance, and (ii) the claim predicted on the late payments, but for different reasons. The “late payment” claim “was not ripe when the action was filed” because the 30-day investigation period had not yet expired when the plaintiff filed his amended complaint. For the “restated balance” claim, the magistrate judge’s report found that the parties had a genuine legal dispute over their interpretations of the modified agreement—whether the balance due should be reduced at the time of the modification agreement or at the end of the modification term, which was not a factual inaccuracy: “the Report found violations of 15 U.S.C. 1681a-2(b) must be based on factual inaccuracies, not legal disputes, and as Plaintiff bases his claim on a legal dispute, he cannot prevail on his FCRA claim.” This district court agreed noting that the plaintiff did not appear to object to the legal determination that “as a matter of a law a violation of a §1681s-2(b) could not be based on a legal dispute over the terms of a contract[.]” The report also noted that the plaintiff failed to demonstrate that he is entitled to actual damages—a requirement for a negligent violation of the FCRA—nor did he show that the defendant willfully violated the FCRA in order to be entitled to statutory or punitive damages. The district court agreed with the report and recommendations and dismissed the case with prejudice.
9th Circuit says telemarketing texts sent to mixed-use cells phones fall under TCPA
On October 12, a split U.S. Court of Appeals for the Ninth Circuit reversed a district court’s dismissal of a TCPA complaint, disagreeing with the argument that the statute does not cover unwanted text messages sent to businesses. Plaintiffs (who are home improvement contractors) alleged that the defendants used an autodialer to send text messages to sell client leads to plaintiffs' cell phones, including numbers registered on the national do-not-call (DNC) registry. The plaintiffs contented they never provided their numbers to the defendants, nor did they consent to receiving text messages. The defendants countered that the plaintiffs lacked Article III and statutory standing because the TCPA only protects individuals from unwanted calls. The district court agreed, ruling that the plaintiffs lacked statutory standing and dismissed the complaint with prejudice.
On appeal, the majority disagreed, stating that the plaintiffs did not expressly consent to receiving texts messages from the defendants and that their alleged injuries are particularized. In determining that the plaintiffs had statutory standing under sections 227(b) and (c) of the TCPA, the majority rejected the defendants’ argument that the TCPA only protects individuals from unwanted calls. While the defendants claimed that by operating as home improvement contractors the plaintiffs fall outside of the TCPA’s reach, the majority determined that all of the plaintiffs had standing to sue under § 227(b), “[b]ecause the statutory text includes not only ‘person[s]’ but also ‘entit[ies].’” With respect to the § 227(c) claims, which only apply to “residential” telephone subscribers, the appellate court reviewed whether a cell phone that is used for both business and personal reasons can qualify as a “residential” phone. Relying on the FCC’s view that “a subscriber’s use of a residential phone (including a presumptively residential cell phone) in connection with a homebased business does not necessarily take an otherwise residential subscriber outside the protection of § 227(c),” and “in the absence of FCC guidance on this precise point,” the majority concluded that a mixed-use phone is “presumptively ‘residential’ within the meaning of § 227(c).”
Writing in a partial dissent, one judge warned that the majority’s opinion “usurps the role of the FCC and creates its own regulatory framework for determining when a cell phone is actually a ‘residential telephone,’ instead of deferring to the FCC’s narrower and more careful test.” The judge added that rather than “deferring to the 2003 TCPA Order which extended the protections of the national DNC registry to wireless telephones only to the extent they were similar to residential telephones, a reasonable interpretation of the TCPA, the majority has leaped over the FCC’s limitations to provide its own, much laxer, regulatory framework and procedures that broadly allow anybody who owns a cell phone to sue telemarketers under the TCPA.”
District Court rules model validation is not required under FDCPA
On October 13, the U.S. District Court for the Central District of Illinois granted a debt collector’s motion to remand a case back to state court in an FDCPA suit. According to the order, the plaintiff collected unpaid debts for a hospital (defendant) for approximately 15 years. The terms of the formalized agreement established a one-year term that was set to renew automatically so long as the parties agreed to its terms. The agreement required the plaintiff to comply with various laws and regulations, including the FDCPA, and regulations by the CFPB. In November 2021, Regulation F, promulgated by the CFPB, took effect, which clarified a provision of the FDCPA by requiring debt collectors to convey in their initial communications with debtors the debtors’ right to dispute the debt. The order further noted that after the Bureau “provided notice of its intent to enact Regulation F and the public comment period ended, [the plaintiff] ‘began working with its third-party software provider and third-party letter printer to modify [the plaintiff’s] initial contact letter to reflect the safe harbor model in Regulation F.’” However, the defendant was not able to ensure the changes were made before the regulation took effect. The defendant sent the plaintiff a letter declaring that it was in breach of the agreement since it failed to use the safe-harbor model language. The defendant asserted that the plaintiff’s “failure to use the safe-harbor model amounted to a violation of Regulation F and the FDCPA.” The letter requested that the plaintiff terminate all collection activity on the defendant’s accounts. The plaintiff filed suit, seeking a declaratory judgment that the letter it was using complied with the FDCPA. The defendant removed the case to federal court, and the plaintiff filed a motion to remand. The court found that using model notice language is not required under the FDCPA or Regulation F. The court noted that “[a] debt collector may comply by using a different form so long as the required information is provided in a clear and conspicuous manner.” The court further noted that the alleged federal issue in the claim “is not substantial enough” to warrant keeping the case in federal court and granted the plaintiff’s motion to remand the case back to state court.
District Court enters $228 million judgment in BIPA class action
On October 12, the U.S. District Court for the Northern District of Illinois entered a judgment for $228 million after a jury found that a defendant railway company committed 45,600 reckless or intentional violations of the Illinois Biometric Information Privacy Act (BIPA). The jury’s judgment, which does not include pre-judgment interest, was entered against the defendant in the amount of $228 million (BIPA provides for statutory damages of $5,000 for every willful or reckless violation and $1,000 for every negligent violation). Class members consisting of more than 44,000 truck drivers alleged in their second amended complaint that the defendant violated BIPA when it collected, captured, and stored their biometric identifiers and biometric information without obtaining their informed written consent or providing written disclosures explaining the purpose and duration of such use. The defendant countered that it should not be held liable for biometric data collection conducted on its behalf by a third-party contractor because BIPA does not impose liability for the acts of a third party. The court disagreed, ruling, among other things, that BIPA’s language “makes clear that [the defendant] need not have ‘collected’ the data itself to be liable,” and that there is evidence that the defendant “ultimately called the shots on whether and how biometric information is collected.”
Bank agrees to pay $1.8 billion to settle RMBS bond insurance claims
On October 7, a national bank announced in a regulatory filing that it has agreed to pay $1.84 billion to settle claims brought by a bond insurer concerning policies provided on residential mortgage-backed securities before the 2008 financial crisis. According to the regulatory filing, the agreement will “resolve all pending [bond insurer] lawsuits” (containing damages claims of more than $3 billion) against the bank and its subsidiaries, will cause all pending litigation to be dismissed with prejudice, and will release the bank and its subsidiaries from “all outstanding claims” related to bond insurance policies for certain securitized pools of residential mortgage loans.