InfoBytes Blog

Financial Services Law Insights and Observations

  • California modifying CCPA regs again

    State Issues

    On October 12, the California Department of Justice released a third set of proposed modifications to the regulations implementing the California Consumer Privacy Act (CCPA). As previously covered by InfoBytes, on August 14, the regulations went into effect after being approved by the Office of Administrative Law (OAL). Highlights of the proposed modifications include:

    • The addition of Section 999.306, subd. (b)(3), which provides illustrative examples of the methods businesses can use to provide the notice of right to opt-out of the sale of personal information through an offline method, when the business collects personal information in the course of interacting with consumers offline. Examples include: posting signage in the area where personal information is collected or providing the notice orally during calls where information is collected;
    • The addition of Section 999.315, subd. (h), which provides illustrative examples of right to opt-out methods that are designed with the purpose or have the substantial effect of subverting or impairing a consumer’s choice to opt-out. Examples include: using double negatives or requiring consumers to click through a list of reasons why they should not opt-out before confirming their request;
    • Amending Section 999.326, subd. (a), which clarifies what proof a business may require from an authorized agent and consumer when a consumer uses an agent to submit a request to know or a request to delete; and
    • Amending Section 999.332, subd. (a), which clarifies that businesses subject to § 999.330 (consumers under 13 years of age) and/or § 999.331 (consumers 13 to 15 years of age) must include a description of the processes set forth in those sections in their privacy policies for consumers under 16 years of age.

    Comments on the proposed modifications are due on October 28 by 5:00 p.m.

    State Issues Privacy/Cyber Risk & Data Security CCPA State Attorney General Consumer Protection

  • Health insurer to pay $48 million to resolve 2014 data breach

    Privacy, Cyber Risk & Data Security

    On September 30, a multistate settlement was reached between a health insurance company and a coalition of 42 state attorneys general and the District of Columbia to resolve a 2014 data breach that allegedly compromised the personal information of more than 78 million customers nationwide. According to the states, cyber attackers infiltrated the company’s systems using malware installed through a phishing email. The data breach resulted in the exposure of consumers’ social security numbers, birthdays, and other personal data. Under the terms of the settlement, the health insurer must pay $39.5 million in penalties and fees, and is required to (i) not misrepresent the extent of its privacy and security protections; (ii) implement a comprehensive information security program, including “regular security reporting to the Board of Directors and prompt notice of significant security events to the CEO”; (iii) implement specific security requirements, including “anti-virus maintenance, access controls and two-factor authentication, encryption, risk assessments, penetration testing, and employee training”; and (iv) schedule third-party assessments and audits for three years.

    Separately, the California AG reached an $8.69 million settlement, subject to court approval, in a parallel investigation, which requires the health insurer to, among other things, implement changes to its information security program and fix vulnerabilities to prevent future data breaches.

    Previously in 2018, the health insurer reached a $115 million class action settlement, which provided for two years of credit monitoring, reimbursement of out-of-pocket costs related to the breach, and alternative cash payment for credit monitoring services already obtained (covered by InfoBytes here).

    Privacy/Cyber Risk & Data Security Courts Settlement Data Breach State Issues State Attorney General

  • Virginia AG reaches $1.2 million settlement with internet lender

    State Issues

    On September 29, the Virginia attorney general announced a roughly $1.2 million settlement with a Nashville-based online lender to resolve allegations that it violated the Virginia Consumer Protection Act by misrepresenting the method through which consumer disputes would be resolved. According to the AG, the lender offers short-term loans in the form of open-end cash advances carrying periodic interest rates as high as 360 percent. The contracts borrowers sign require the lender to resolve disputes through either arbitration or small claims court; however, the AG claimed that the lender hired counsel, filed nearly 2,000 collection cases against borrowers in general district courts throughout Virginia, and obtained default judgments and accepted payments from garnishees. Under the terms of the settlement, the lender—which does not admit liability—is required to (i) pay restitution of approximately $359,000; (ii) credit “attorney’s fees and costs awarded as part of the judgments, which total in excess of $830,000”; and (iii) pay $10,000 in civil penalties and $10,000 in attorney’s fees. The lender has also agreed to a permanent injunction to prevent the occurrence of future violations.

    State Issues State Attorney General Enforcement Consumer Lending

  • New York AG takes action against debt collection operation

    State Issues

    On September 25, the New York attorney general announced a temporary restraining order was granted against a debt collection operation (consisting of a leader and at least six other individuals and entities) for allegedly contacting consumers using deceptive and abusive collection tactics. According to the press release, the operation allegedly contacted consumers by spoofing phone numbers to appear associated with the local courthouse or sheriff’s office in order to impersonate government officials and threaten the consumers with false legal action in order to collect debts, in violation of state laws, the FDCPA, and the Truth in Caller ID Act of 2009. The temporary restraining order prohibits the operation from engaging in debt collection practices and freezes the corporate defendants’ assets. The operation’s leader is also allegedly in breach of a 2014 Assurance of Discontinuance with the AG for previous violations of the FDCPA.

    The AG is seeking a permanent injunction, disgorgement, restitution, and civil penalties.

    State Issues State Attorney General Debt Collection Spoofing FDCPA

  • California AG, former FTC chairs argue about federal privacy law preemption during Senate committee hearing

    Federal Issues

    On September 23, the Senate Committee on Commerce, Science, and Transportation held a hearing titled, “Revisiting the Need for Federal Data Privacy Legislation.” The hearing examined the current state of consumer data privacy and legislative efforts to provide baseline data protections for American consumers, and examined the lessons learned from the EU’s Global Data Protection Regulation (GDPR) and recently enacted state privacy laws. Witnesses included a number of former chairs and commissioners of the FTC, along with California Attorney General Xavier Becerra.

    Becerra discussed the California Consumer Privacy Act (CCPA), which sets forth various requirements for businesses that collect, transfer, or sell a consumer’s personal information, and provides California residents several rights, including the right to know what data companies have collected on them and the right to ask to delete data or opt-out of its sale. (See continuing InfoBytes coverage on the CCPA here.) Concerning future federal privacy legislation, Becerra stressed that any such legislation should not preempt the work happening at the state level, and he urged the Committee “to favor legislation that sets a federal privacy-protection floor rather than a ceiling,” in order to allow states the opportunity to provide tailored protections for their residents. Becerra also stressed that the ideal federal legal framework would “recognize[] that privacy protections must keep pace with innovation,” and further addressed the need for a meaningful enforcement regime that respects the work undertaken by the states.

    Former FTC chairs Jon Leibowitz and Maureen Ohlhausen, however, argued (see here and here) in favor of federal preemption. They suggested that a single national comprehensive privacy standard would be stronger and more comprehensive than existing regimes such as the CCPA and GDPR, and could better serve consumers even if it replaces state regulations. Both stressed that preempting state laws should not mean weakening protections for consumers. Moreover, both Leibowitz and Ohlhausen emphasized that federal privacy legislation should be technology- and industry-neutral, with rigorous standards backed by tough enforcement. Leibowitz also urged Congress to provide the FTC with the ability to impose civil penalties on violators for first-time offenses, and recommended that the FTC be granted the primary authority to administer the law and be given continued authority to provide redress directly to consumers. Former chair William Kovacic presented a different approach, which would establish a domestic privacy network to promote cooperation and coordination between federal and state privacy regulators to improve policy formation.

    Other topics covered in the hearing included Chairman Roger Wicker’s (R-MS) recently introduced bill (S. 4626), known as the SAFE DATA Act, which would require businesses to be more transparent about their data collection, processing, and transfer activities, and give consumers more choices and control over their data. Among other things, the bill would preempt privacy laws in California and other states, except in regard to data breaches, and would not include a private right of action allowing consumers to sue over privacy violations.

    Federal Issues Federal Legislation Privacy/Cyber Risk & Data Security Data Breach State Issues State Attorney General

  • FTC settles first consumer protection case against a VoIP service provider

    Federal Issues

    On September 22, the FTC and the Ohio attorney general announced several proposed stipulated final orders against a Voice over Internet Protocol (VoIP) service provider, along with an affiliated company, the VoIP service provider’s former CEO and president, and a number of other subsidiaries and individuals, to settle allegations concerning their facilitation of a credit card interest rate reduction scheme. This marks the FTC’s first consumer protection case against a VoIP service provider. According to the FTC and the AG, the VoIP service provider provided one of the defendants with the ability to place illegal robocalls in order to market “phony credit card interest rate reduction services.” Both of these defendants were controlled by the VoIP service provider’s former CEO who was also named in the lawsuit. In addition, the defendant that placed the illegal calls, along with four additional defendants, are accused of managing the overseas call centers and other components used in the credit card interest rate reduction scheme.

    One of the settlements will prohibit the former CEO, along with two corporations under his control, from (i) participating in any telemarketing in the U.S.; (ii) marketing any debt relief products or services; and (iii) making misrepresentations when selling or marketing any products or services. These defendants will collectively be subject to a $7.5 million judgment, which is mostly suspended due to their inability to pay.

    The settlement with the VoIP service provider and the affiliated company will require a payment of $1.95 million. The VoIP service provider and its U.S.-based subsidiaries will also be prohibited from hiring the former CEO or any of his immediate family members, as well as from hiring two of the other defendants. These defendants will also be required to follow client screening and monitoring provisions, and are prohibited from providing VoIP and related services to clients who pay with stored value cards or cryptocurrency, or to clients who do not maintain public-facing websites or a social media presence. Additionally, the defendants will be required to block calls that may appear to come from certain suspicious phone numbers, block calls that use spoofing technology, and terminate certain high-risk relationships.

    The settlements (see here, here, and here) reached with the defendant that placed the illegal calls and four additional defendants include prohibitions similar to those issued against the former CEO, and will require the payment of a total combined judgment of $10.3 million, which will be largely suspended due to their inability to pay.

    All settlements are subject to court approval.

    Federal Issues FTC Enforcement Telemarketing Sales Rule VoIP State Attorney General Credit Cards Interest Rate Consumer Finance

  • California AG enters into privacy settlement with fertility-tracking mobile app

    Privacy, Cyber Risk & Data Security

    On September 17, the California attorney general announced a settlement with a technology company that operates a fertility-tracking mobile app to resolve claims that security flaws put users’ sensitive personal and medical information at risk in violation of state consumer protection and privacy laws. According to the complaint filed in the Superior Court for the County of San Francisco, the company’s app allegedly failed to adequately safeguard and preserve the confidentiality of medical information by, among other things, (i) allowing access to user information without the user’s consent, by failing to “authenticate the legitimacy of the user to whom the medical information was shared”; (ii) allowing a password-change vulnerability to permit unauthorized access and disclosure of information stored in the app without the user’s consent; (iii) making misleading statements concerning implemented security measures and the app’s ability to protect consumers’ sensitive personal and medical information from unauthorized disclosure; and (iv) failing to implement and maintain reasonable security procedures and practices.

    Under the terms of the settlement, the company—which does not admit liability—is required to pay a $250,000 civil penalty and incorporate privacy and security design principles into its mobile apps. The company must also obtain affirmative authorization from users before sharing or disclosing sensitive personal and medical information, and must allow users to revoke previously granted consent. Additionally, the company is required to provide ongoing annual employee training concerning the proper handling and protection of sensitive personal and medical information, in addition to training on cyberstalking awareness and prevention. According to the AG’s press release, the settlement also includes “a first-ever injunctive term that requires [the company] to consider how privacy or security lapses may uniquely impact women.”

    Privacy/Cyber Risk & Data Security Courts Settlement Data Breach State Issues State Attorney General

  • Joint settlement requires forgiveness on $330 million of student loans

    Federal Issues

    On September 15, the CFPB filed a complaint and proposed stipulated judgment against a trust, along with three banks acting in their capacity as trustees to the trust, for allegedly providing substantial assistance to a now defunct for-profit educational institution in engaging in unfair acts and practices in violation of the Consumer Financial Protection Act. The Bureau asserted that the trust owned and managed private loans for students attending the defunct institution, even though the trust “allegedly knew or was reckless in not knowing that many student borrowers did not understand the terms and conditions of those loans, could not afford them, or in some cases did not even know they had them.” The Bureau alleged that the defunct institution induced students to take out loans through several unfair practices, including “using aggressive tactics, and in some cases, gaining unauthorized access to student accounts to sign students up for loans without permission.” These loans, the Bureau contended, carried default rates well above what was expected for student loans. According to the Bureau, the trust was allegedly actively involved in the servicing, managing, and collection of these student loans.

    If approved by the court, the Bureau’s proposed settlement would require the trust to (i) cease collection efforts on all outstanding loans owned and managed by the trust; (ii) discharge all outstanding loans owned and managed by the trust; (iii) ask all consumer reporting agencies to delete information related to the trust’s loans; and (iv) notify all affected consumers of these actions. The Bureau estimated that the total amount of loan forgiveness is roughly $330 million.

    This settlement is the third reached by the Bureau in relation to the defunct institution’s private loan programs. In 2019, the defunct institution reached a settlement with the Bureau (covered by InfoBytes here), which required the payment of a $60 million judgment. Additionally, the Bureau entered into another settlement in 2019 with a different company that managed student loans for the defunct institution’s students, which required the loan management company to comply with similar requirements as the trust (covered by InfoBytes here).

    Also on September 15, attorneys general from 47 states plus the District of Columbia reached a national settlement with the trust.

    Federal Issues CFPB Enforcement State Attorney General State Issues Settlement UDAAP Unfair Student Lending

  • New York AG settles with student loan debt collector for $600k

    State Issues

    On September 11, the New York attorney general announced one of the nation’s largest debt collectors will pay $600,000 in restitution to student loan borrowers and will make significant changes to its debt collection practices in order to resolve allegations that it made false, misleading, and deceptive statements in lawsuits and in communications with borrowers. According to the AG, the debt collector, among other things, (i) filed complaints that falsely identified trusts, which hold the defaulted loans, as the borrower’s “original creditor,” when in fact, the trusts are the assignees of the original financial institutions that originated the loans; (ii) filed various misleading sworn affidavits; (iii) filed complaints that represented borrowers applied for loans from a “servicing agent” when, in fact, borrowers never dealt with the entity; (iv) filed lawsuits beyond the applicable three-year statute of limitations; and (v) threatened legal action against borrowers even though the trusts “could not or would not sue because the statute of limitations for suing on the debt had expired.”

    The assurance of discontinuance requires the debt collector to stop identifying the trusts as the original creditor and to cease using misleading language in communications with borrowers. In addition, the debt collector must (i) provide enhanced staff training; (ii) stop filing lawsuits beyond the statute of limitations, and voluntarily dismiss all wrongfully-filed lawsuits; (iii) voluntarily release “all pending garnishments, levies, liens, restraining notices, attachments, or any other judgment enforcement mechanism” obtained as a result of judgments obtained in wrongfully-filed lawsuits where the statute of limitations has expired; (v) take steps to vacate any judgment obtained in any of these wrongfully-filed lawsuits; and (vi) pay restitution to certain borrowers or to the state to be disbursed as appropriate.

    State Issues NYDFS Debt Collection Student Lending State Attorney General State Regulators

  • Court approves additional settlements in CFPB student debt relief action

    Courts

    On September 8, the U.S. District Court for the Central District of California entered a stipulated final judgment against two additional defendants in an action brought by the CFPB, the Minnesota and North Carolina attorneys general, and the Los Angeles City Attorney alleging a student loan debt relief operation deceived thousands of student-loan borrowers and charged more than $71 million in unlawful advance fees. As previously covered by InfoBytes, the complaint alleged that the defendants violated the Consumer Financial Protection Act, the Telemarketing Sales Rule, and various state laws by charging and collecting improper advance fees from student loan borrowers prior to providing assistance and receiving payments on the adjusted loans. Four defendants settled in August, with a total suspended judgment of over $95 million due to the defendants’ inability to pay and total payments of $90,000 to Minnesota, North Carolina, and California, and $1 each to the CFPB, in civil money penalties.

    The new final judgment holds the two relief defendants liable for nearly $7 million in redress; however, the judgment is suspended based on an inability to pay. The defendants are not subject to any civil money penalties, but are required to relinquish certain assets and submit to certain reporting requirements.

    Courts CFPB Student Lending State Attorney General CFPA Telemarketing Sales Rule UDAAP Debt Relief
