Data Breach Coverage: Underwriting at the Point of Claim?

The recently filed case of First Bank v. Federal Insurance Company reflects yet another financial services provider that was the subject of a data breach incident, and was forced into litigation with its insurers as a result. As detailed in our recent article, First Bank is not alone in having its insurance company deny the claim for coverage arising from the data breach. In this area of privacy and data security, anecdotally at least, it appears that many insurers are "underwriting at the point of claim" -- that is, denying coverage in the hope that the policyholder will abandon pursuit of the coverage.

However, you may be covered, even if you do not have a "cyber" or "data security" policy. In fact, the label or title on the policy matters little, as Federal had issued a policy impressively titled, “Cybersecurity by Chubb for Financial Institutions,” yet disclaimed coverage. That old standby -- Comprehensive General Liability (better known as "CGL") policies -- may well provide you with the coverage you need to defend litigation arising from a data breach.
 

State Regulators' Powers Over National Banks Reaffirmed by U.S. Supreme Court

Recently, the United States Supreme Court, in its decision styled Andrew M. Cuomo v. The Clearing House Association, L.L.C., No. 08-453, reaffirmed that federal banking regulations do not pre-empt states from enforcing their own fair-lending laws against national banks.

This dispute arose following the New York State Attorney General’s attempt to investigate several banks’ residential real-estate lending practices in 2005. The Attorney General’s office had suspected discriminatory lending practices after reviewing reports that showed minority borrowers received a larger percentage of high-interest home loans than white borrowers. As part of that probe, the Attorney General sent letters to several national banks, in lieu of a subpoena, requesting that they provide certain non-public information regarding their mortgage lending practices. In response, the federal Office of the Comptroller of the Currency (“OCC,” the chartering authority and federal regulator of national banks) and the Clearing House Association (a banking trade group) sued to block the Attorney General’s investigation, claiming that an OCC regulation promulgated under the National Bank Act pre-empted any state regulation or enforcement against national banks.


Federal Agencies Issue FAQs on FACTA Red Flag Compliance

Last week, the Federal Trade Commission, jointly with other federal agencies that regulate financial institutions, released "frequently asked questions" designed to provide additional assistance to companies required to comply with new identity theft rules pursuant to the Fair and Accurate Credit Transactions Act ("FACTA").

Those rules were issued in November 2007. Under the regulations, financial institutions are required to develop and implement written programs to detect and respond to possible identity theft as indicated by certain "red flags." These newly required programs were to be in place on or before November 1, 2008.

The FAQs are the latest step in a number of efforts by the FTC and others to assist companies in complying with the new FACTA rules. For instance, in July 2008, the FTC launched an outreach program to explain the rules in greater detail, to clarify the types of institutions to which the rules apply, and to offer guidance as to how these institutions can comply. That outreach effort included an alert providing information relating to definitions and terms used in the rules, including the definitions of “financial institution,” “creditor,” “transaction account,” and “covered account.” In addition, the alert addressed five categories of “red flag” activities.

Financial institutions should continue to monitor for guidance from the federal agencies, and/or consult with counsel, regarding their compliance with the new FACTA rules.

Wave of Class Actions for Data Security Breaches

If your company collects customers’ personal data in the course of its business, be aware of the wave of class actions that have recently been filed arising out of data security breaches. Finkelstein Thompson, a DC-based law firm, over the past year has filed a series of class actions against businesses that have fallen victim to such data breaches.

One such suit, filed in the Northern District of Georgia, asserts claims against RBS WorldPay, Inc. for negligence, breach of implied contracts, and violation of state unfair trade law, after hackers allegedly gained access to the personal information of approximately 1.5 million RBS cardholders. In an incident apparently related to this security breach, Fox News reported -- citing FBI sources -- that thieves, using cloned ATM cards with the stolen data, withdrew $9 million from ATMs in a coordinated attack in 49 cities, including Atlanta, Chicago, New York, Montreal, Moscow, and Hong Kong. This incident has garnered considerable media attention and will likely result in similar suits being filed against RBS across the country as a result of the security breach.

While this sort of case is extremely difficult to sustain given the absence of actual harm, the litigation and reputational costs associated with it are significant for businesses targeted by this litigation, particularly given the resulting media attention. Therefore, be forewarned, and regularly evaluate your data collection, data use, and data maintenance procedures and infrastructure with both your IT personnel and legal counsel.

For further discussion of this case, see our recently published piece in the ABA “Secure Times” newsletter. And for a broader discussion of how other cases have addressed these types of claims, please see our article published in Andrews Litigation Reporter.

(Kelley Drye & Warren LLP Associate Veronica D. Jackson contributed to this post.)

Plaintiffs File Suits Alleging Gift Cards With Expiration Dates In Less Than 10-Point Font Violate California Law

A number of class action lawsuits recently have been filed in California state court in San Diego County against a wide range of merchants as well as gift card issuers alleging, among other things, that the defendants have violated the California Civil Code by issuing gift cards that bear either an obscured expiration date, or an expiration date that is not as prominently displayed as is required under California state law. Section 1749.5 of the California Civil Code makes it unlawful to sell gift certificates or gift cards that contain an expiration date unless the expiration date appears in capital letters in at least 10-point font on the front of the gift card. So far retailers such as Saks, Staples, Borders, Visa, and American Express, among others, have been sued in separate class actions alleging violations of Section 1749.5, as well as the Business and Professions Code and the California Consumer Legal Remedies Act.

For example, in Michaelson v. Staples, Inc., Case No. 37-2009-00083487 (Cal. Super. Ct., San Diego Cty.), plaintiff alleges that an expiration date on a Staples gift card, mailed to the plaintiff as part of a promotion, was in less than 10-point font. Plaintiff alleges the card expired before he noticed the expiration date. In Robert Loiseau v. Visa U.S.A. Inc., Case No. 37-2009-00085443 (Cal. Super. Ct., San Diego Cty.), plaintiff alleges that a gift card, purchased for its face value, improperly contained an obscured expiration date, charged a processing fee, and required other allegedly unreasonable terms and conditions.

Gift cards are a tricky business when it comes to complying with the patchwork quilt of state-by-state regulations (as well as FTC oversight) over them. The permissibility of expiration dates, redemption in cash once a minimum balance has been reached, disclosures of terms and conditions, and escheatment of remaining balances are just some of the issues that businesses must confront and address. This new wave of lawsuits serves as a reminder to merchants and gift card issuers of the need to monitor state and federal regulations, as well as to periodically evaluate their gift card programs with counsel.

(Kelley Drye & Warren LLP Associate Elissa O. Tomanda contributed to this post.)

Identity Theft Litigation Update: Recent Cases Show Trend Toward Dismissal of Speculative Claims

Several weeks ago, we discussed how most courts were rejecting lawsuits where the plaintiffs claimed “damages” in the form of an increased risk of identity theft, generally stemming from allegations of an accidental loss or theft of personal confidential information. Since we last blogged on this issue, two recent decisions highlight how that trend is continuing, and that courts increasingly require more than speculation about future harm to sustain a lawsuit over the loss of confidential information.

The first notable decision involved a court which was clearly aware of this growing body of case law. In Belle Chasse Automotive Care, Inc. v. Advanced Auto Parts, Inc., United States District Court Judge Kurt Engelhardt of the Eastern District of Louisiana dismissed a claim stemming from a security breach involving confidential information. The plaintiff in Belle Chasse alleged that this breach only had caused an increased risk of identity theft, not an actual identity theft. The court granted defendants’ Rule 12(b)(6) motion, and cited to the growing body of case law from around the nation supporting the position that these allegations amount only to “speculative damages for which [Louisiana] law provides no remedy.” Notably, the Court cited to the Pinero decision we referenced in our prior post and found United States District Court Judge Sarah Vance’s analysis in that case to be “directly on point.”

The second notable decision provides an example of a Court reversing course on this issue, citing this line of cases as authority. The Ruiz v. Gap, Inc. case already was notable in that United States District Court Judge Samuel Conti, in March 2008, had previously ruled that allegations of a potentially increased risk of future identity theft were sufficient to make out a viable negligence claim under California law. At that time, Judge Conti denied the defendant’s motion to dismiss under Rule 12(b)(6) and held that the plaintiff had alleged an injury in fact, even though he noted that it was unclear what damages the plaintiff would be able to recover even if the plaintiff were to prevail on the merits. Compared to the many cases holding to the contrary, the Ruiz case was generally viewed as an outlier, as one of the few rulings to have held that an allegation of the mere increased risk of identity theft was sufficient to defeat a Rule 12(b)(6) motion.

But just this month, Judge Conti granted summary judgment to the defendants on this same issue. In doing so, the court held that an increased risk of identity theft did not constitute “the level of appreciable harm necessary to assert a negligence claim under California law.” The court expressly rejected parallels to medical monitoring claims in the toxic tort context, and expressly noted similar cases from other jurisdictions – namely Louisiana, Ohio, and Minnesota – none of which were referenced in the court’s 2008 opinion denying the defendants’ motion to dismiss. The decision appears to reflect a reconsideration of sorts by the court – the evidence obtained during depositions seemed to be no different from what the plaintiff alleged in his Complaint, so if those allegations were adequate to defeat a motion to dismiss, testimony to the same effect should have also been adequate to defeat summary judgment. This is merely our own speculation, but it could be that the court became aware, over the course of the past year, of the growing and substantial body of case law which has been rejecting these types of speculative claims.
 

Merchants Beware: Protect Your Customers and Company from Credit Card "Skimming"

The current economic climate has had many consequences, including an apparent increase in economic crimes such as credit card fraud. In recent months, numerous credit card scams involving restaurant chains have been reported. For example, the Washington Examiner reported on March 29 that wait staff at several high-end restaurants in Washington, DC, including M&S Grill, 701 Restaurant, Clyde’s of Gallery Place and Bowie’s Carrabba’s Italian Restaurant, stole credit card numbers from customers and ran up a $750,000 tab at various luxury retail stores. In addition, the article references a similar scam recently uncovered in New Orleans, in which a waitress at Bubba Gump Seafood Company used a skimming device to capture customers’ credit card information. “Skimming” devices, which can easily be purchased over the Internet, are small enough for wait staff to carry in their pockets or aprons, and within a second can capture the electronic information stored in a credit card’s magnetic strip.

While such scams obviously cost consumers, merchants are also victims due to loss of consumer trust, the time and expense of cooperating with authorities and, if applicable, notifying potentially affected customers, and potential lawsuits under negligence and/or negligent hiring theories. Although merchants can never be completely assured that rogue employees will not engage in theft, they should consider the following steps to mitigate their risk:

(1) Handle credit cards in view of the customer. If the customer never loses sight of the credit card, theft is more difficult if not impossible. Retailers, restaurants and other businesses may wish to consider switching to portable credit card processing devices that allow customers to pay at the table.

(2) Carefully screen job applicants. Simple background checks can identify applicants with prior criminal histories.

(3) Educate and monitor employees. Ensure that employees are aware of the risks and consequences of credit card fraud (e.g., mere possession of a skimming device is a felony in many states), and adopt policies for employees handling customer credit cards. Monitor employees and encourage them to report any suspicious activity on the part of their coworkers.

(Kelley Drye & Warren LLP Associate Joanna Baden-Mayer contributed to this post.)

The End of the Arbitration Clause?

In order to avoid the substantial risks of class action litigation, many financial service providers – both traditional and non traditional – require that customer agreements contain an arbitration clause and a waiver of the customer’s right to bring a class action. However, recent court decisions and pending legislation suggest that certain types of these arbitration clauses may no longer be viable.

The overwhelming body of case law upholds the enforceability of such arbitration and class waiver provisions. See Adler v. Dell, Inc., No. 08-CV-13170, 2008 WL 5351042 (E.D. Mich. Dec. 18, 2008) (enforcing consumer arbitration provision with class waiver); Jenkins v. First Am. Cash Advance of Ga., LLC, 400 F.3d 868 (11th Cir. 2005) (class waiver in borrowers’ payday loan agreements did not render arbitration agreements unconscionable or unenforceable); and Snowden v. CheckPoint Check Cashing, 290 F.3d 631 (4th Cir. 2002) (rejecting argument that arbitration agreement was unenforceable as unconscionable due to class waiver).

However, recently some courts have taken issue with these provisions and deemed them unconscionable. A recent example of such a case is Homa v. American Express Co., No. 06-02985, 2009 WL 440912 (3rd Cir. Feb. 24, 2009).

In Homa, plaintiff brought a putative class action suit against American Express and its Centurion unit, alleging that they misrepresented the actual terms of the Blue Cash card rewards program and that defendants failed to award him the promised amount of cash back in violation of the New Jersey Consumer Fraud Act. However, the credit card member agreement that accompanied the Blue Cash card contained an arbitration and class waiver provision. Further, the agreement contained a choice-of-law provision indicating that any disputes arising out of the agreement would be governed by Utah law. Defendants argued that the plaintiff should be required to arbitrate his claims on an individual basis, because Utah law expressly allows arbitration and class waiver provisions in consumer credit agreements. On the other hand, the plaintiff argued that New Jersey law applied, because, as the application of Utah law would violate New Jersey’s public policy against certain class-arbitration waivers, New Jersey choice-of-law principles dictated that the agreement’s choice of Utah law was invalid. The district court sided with the defendants and dismissed plaintiff’s complaint.

The Third Circuit Court of Appeals reversed the trial court’s decision. In the opinion, the Third Circuit held that the Federal Arbitration Act (“FAA”), 9 U.S.C. §§ 1-16, did not preclude the district court from applying New Jersey unconscionability principles to void the arbitration and class waiver clause, and therefore, plaintiff was entitled to pursue a class action against defendants in federal court in New Jersey. In so doing, the Court relied on the holding in a New Jersey state court decision styled Muhammad v. County Bank of Rehoboth Beach, Delaware, 912 A.2d 88 (N.J. 2006), that “‘[t]he public interest at stake in . . . consumers[’] [ability to effectively] pursue their statutory rights under [New Jersey’s] consumer protection laws’ constituted the ‘most important’ reason for holding a similar class-arbitration waiver unconscionable.” Further, the Third Circuit held that this interest “overrides” a defendant’s right to seek enforcement of a class-arbitration waiver in an agreement, particularly where the claims at issue are of such a low value as effectively to preclude relief if pursued individually. The case is now back in the district court.

Furthermore, this issue may be resolved by pending federal legislation that seeks to ban certain types of arbitration provisions. The Arbitration Fairness Act of 2009 would ban provisions requiring arbitration of (1) an employment, consumer, or franchise dispute, or (2) a dispute arising under any statute intended to protect civil rights. See H.R. 1020. The bill, which was referred to the House Judiciary Committee on Feb. 12, 2009, currently has 43 co-sponsors, including Committee Chairman Conyers (D-MI). A recent Legal Times report noted the plaintiffs' bar's efforts to push the arbitration legislation on Capitol Hill. If enacted, the Act could start a wave of litigation in the consumer financial services sector.

The bottom line is that businesses should re-examine their customer agreement’s arbitration and class waiver provisions, paying particular attention to any choice of law provisions, and monitor these legal developments on a state-by-state basis. Homa tells us that the same arbitration and class waiver provision, while being upheld in one state, could be rejected in another.

Stay tuned for future posts analyzing cases decided in the wake of Homa and reporting on further developments with the Arbitration Fairness Act of 2009….

(Kelley Drye & Warren LLP Associate Veronica Gray contributed to this post.)
 

Are Financial Institution Executives Becoming an Uninsurable Risk?

You may have noticed that premiums for Directors and Officers Liability (“D&O”) insurance are skyrocketing, largely as a result of the subprime lending crisis, stock market volatility, and the ensuing financial uncertainty. According to the American Banker, since 2008 D&O premiums, depending on the coverage type, have increased between 15% and 40% since last year. This trend shows no sign of abating. Other reports, including a recent analysis by Aon, confirm this trend. Similar increases are forecast for the next several years as claims stemming from the current financial crisis are litigated and resolved. In fact, directors and officers of certain troubled businesses, particularly of financial institutions, may soon find that they are uninsurable at any reasonable price.

Higher premiums, however, are only one of the insurance industry’s reactions to the current financial conditions. Insurers also are instituting more restrictive terms and conditions, lower limits of liability, higher deductibles, and in some cases, specifically tailored exclusions that eliminate coverage for liability resulting from bankruptcy, bank failures, or claims brought by the Federal Deposit Insurance Corporation. In light of these developments, many financial institutions may find it difficult to retain and attract talented directors and officers at the very moment when such leadership is most needed. In fact, this current talent drain is a continuation of a trend that began in 2002 with the passage of the Sarbanes-Oxley Act.

One factor impacting rates and the availability of D&O insurance is the uncertainty surrounding AIG’s financial condition and future viability. AIG has long been the dominant underwriter of D&O insurance. As banks turn away from AIG for their D&O coverage, they are not finding the competition for their business that one might expect when an industry leader appears vulnerable. On the contrary, banks are facing a shrinking D&O market as several smaller carriers have decided to stop underwriting such coverage, especially for banks and other financial institutions, because the premiums are no longer perceived as worth the potential risk. In turn, those smaller insurers’ withdrawal from the market should only exacerbate the rate at which D&O insurance premiums increase in the ensuing months and years.

Faced with higher premiums for less D&O coverage, companies and their directors and officers should aggressively negotiate the most favorable coverage for their money. To that end, when negotiating new policies or renewals, they should carefully gauge their risk and exposure, and closely review proposed D&O policies, including exclusions, for provisions that could potentially eliminate coverage. If the proposed coverage is insufficient, or if sufficient coverage is only available at unreasonable rates, policyholders should consider alternative ways to maximize coverage and/or minimize risk going forward.

(Kelley Drye & Warren LLP Associate Justin F. Lavella contributed to this post.)

Fears of Future Identity Theft Generally Not Sufficient To Establish "Actual Damages" In A Lawsuit

Over the last few years, incidents involving disclosures of personal information by consumer financial service providers have been big news, ranging from the theft of laptop computers containing social security numbers, to hacker attacks on computer networks containing confidential information, to the more "vanilla" theft of personal documents. Not surprisingly, the plaintiffs' bar has been attempting to turn all of this worry about identity theft into big money - even where no identity theft has occurred. However, courts around the nation have been considering such claims, and responding with a virtually uniform voice to state that, however the claim may be styled, a plaintiff's speculative fear of potential future identity theft does not constitute "actual damages" under the law, and accordingly rejecting such lawsuits.

In the latest court opinion to address this issue, Pinero v. Jackson Hewitt Tax Service, Inc., No. 08-3535, 2009 U.S. Dist. LEXIS 660 (E.D. La. January 7, 2009), Chief Judge Sarah S. Vance dismissed various statutory and tort claims, including negligence, breach of contract, violations of a Louisiana data breach notification statute, and claims under the Tax Reform Act of 1976, against a national franchisor of income tax preparation services and its local independent franchisee. In the Pinero case, the plaintiff contended that the independent franchisee had failed to dispose of certain documents properly, which allegedly contained personal information. However, the plaintiff neither contended that her documents fell into the hands of a wrong-doer, nor that she had suffered any actual identity theft. Her damages claims were largely based on alleged emotional injuries and mental anguish, and theoretical consequential damages about steps she might need to take to deal with potential identity theft.

The Court rejected this theory of damages, and dismissed 6 of 7 claims, including negligence, breach of contract, and violations of the Louisiana data breach notification statute, holding that this type of speculative “injury” does not meet the required damages element. Also, in a holding of first impression, Judge Vance dismissed the federal claim for statutory penalties under the Tax Reform Act of 1976, ruling that commercial tax preparers are simply not subject to the provisions of the law governing disclosure of tax return information by the I.R.S. or its agents. The Court further ruled that the Louisiana data breach notification statute did not apply to paper documents – notably, Louisiana is not alone in this regard. Judge Vance also dismissed claims for fraudulent inducement and under the Louisiana unfair trade practice law for a failure to adequately allege an intent to defraud. The Court only let the invasion of privacy claim survive, albeit noting skepticism about whether such a claim could succeed on the merits.

For further discussion of this case, see our recently published piece in the ABA "Secure Times" newsletter. And for a broader discussion of how other cases have addressed these types of claims, please see our article published in Andrews Litigation Reporter.

(Donna L. Wilson, Andrew S. Wein, and Veronica D. Gray represent Jackson Hewitt Tax Service in this case.)