Another Missive from the Data Breach Front: Remote Risk of Identity Theft Does Not Confer Standing in Allison v. Aetna

Allison v. Aetna, Inc., a recent opinion out of the Eastern District of Pennsylvania, adds to the burgeoning area of law holding that when a plaintiff fails to allege an actual injury resulting from a data breach, and instead alleges only an enhanced risk of identity theft, an injury-in-fact does not exist and the suit must be dismissed for lack of standing.

In Allison, Plaintiff alleged that he and others submitted their personal information to Aetna’s job application website. Soon after, Plaintiff alleged that he began receiving “phishing” emails requesting additional personal information, as the result of an alleged security breach of Aetna’s website. Plaintiff, other applicants, and over 65,000 current and former Aetna employees were sent notification letters advising them of the breach, stating that their email addresses had been accessed but that it was unclear whether additional information had been accessed.

Plaintiff then filed his class action suit alleging that Aetna had failed to “adequately protect the personal information of its current, former, and potential employees….” Plaintiff described the various remedial measures that he and potential class members had been forced to undertake, including time spent to monitor various accounts for signs of identity theft and out-of-pocket expenses for identity theft protection services. The complaint did not allege that Plaintiff, or anyone else, had suffered identity theft, but rather that they were subject to “a significant risk of identity theft.” The suit asserted various claims including negligence, breach of implied contract, breach of express contract, negligent misrepresentation, and invasion of privacy. Aetna moved to dismiss all claims pursuant to Federal Rules of Civil Procedure 12(b)(1), arguing that Plaintiff lacked injury-in-fact standing, and 12(b)(6), arguing that Allison had failed to state a claim.

The court held that Plaintiff’s increased risk of harm did not create an injury-in-fact because his chance of suffering from identity theft was not imminent and was too speculative. Despite Plaintiff’s conclusory allegations to the contrary, the court found that Plaintiff had merely alleged that unidentified hackers had accessed his email address, thus making actual identity theft unlikely. The court dismissed Allison’s claims based on a lack of standing. 

Compared to other recent opinions that address the risk of identity theft, this opinion stops short of addressing the heart of this issue -- namely, does a demonstrated risk of identity theft create an injury upon which relief can be granted? Would the court have ruled differently if Allison's social security number, as opposed to just his email address, had been accessed? Future plaintiffs are likely to attempt to distinguish their claims from Allison by contending that their claims are more fully and adequately pleaded to demonstrate a more imminent risk of identity theft. However, that does not mean a claim survives a motion to dismiss. In fact, as we discussed just last year, certain courts have held that while the increased risk of harm may be sufficient to satisfy the initial injury-in-fact element for standing, it may not suffice to show "actual damage" to support a claim for damages under negligence and other liability principles.

UPDATE: Data Breaches on the Rise in 2010

Updating a previous post regarding the rise last year in the number of data breaches involving customers’ personal information in the general business sector, the numbers of these breaches for the first third of 2010 reflect a similarly troubling trend. According to the Identity Theft Resource Center (“ITRC”), the total number of reported data breaches as of today stands at 245, or nearly half of the 498 total breaches reported for the entire year in 2009. The general business sector (not including companies in the more heavily-regulated financial and medical sectors) continues to experience the highest percentage of these data breaches, with a reported 38.8% of reported breaches thus far this year. These statistics underscore the urgency with which your company should act to ensure that adequate measures are in place to protect private data, or risk being subject to costly litigation. Stay tuned for further updates as additional data becomes available.

U.S. Supreme Court Holds that State Law Does Not Bar Federal Courts from Using Class Action Device for State Law Claims

In a significant class action decision, Shady Grove Orthopedic Associates, P.A. v. Allstate Insurance Co., No. 08-1008, 559 U.S. -- (Mar. 31, 2010), the U.S. Supreme Court recently held that federal rules on class actions preempt state laws restricting a case from proceeding as a class action.

In the complaint, Shady Grove Orthopedic Associates, P.A. alleged that Allstate failed to pay or dispute claims within the time allotted, entitling it to statutory interest. Shady Grove filed a putative class action on behalf of all those who had not received the statutorily-mandated interest on late payments. Because New York CPLR § 901 prohibits class actions in suits seeking statutory damages, Shady Grove filed in federal court in the Eastern District of New York under diversity jurisdiction. The district court dismissed the action for lack of jurisdiction and the Second Circuit affirmed. The U.S. Supreme Court granted certiorari on the issue of whether a state statute restricting class actions can prohibit a case from proceeding under Rule 23 of the Federal Rules of Civil Procedure as a class in federal court under diversity jurisdiction. The Court held that it cannot. According to the plurality opinion written by Justice Scalia, Rule 23, which empowers a federal court to certify a class if certain conditions are met, cannot be limited by state laws. Because Rule 23 and New York CPLR § 901 are both “preconditions for maintaining a class action,” § 901 is validly pre-empted by Rule 23 where state law claims are brought in federal court.

The impact of Shady Grove is already being felt. This week, the Supreme Court applied Shady Grove in Holster v. Gatco, Inc., No. 08-1307, 559 U.S. -- (Apr. 19, 2010), another putative class action filed in the Eastern District of New York. There, the issue presented was whether New York CPLR § 901 divested federal courts of jurisdiction over a Telephone Consumer Protection Act class action brought under diversity jurisdiction. The Supreme Court vacated the judgment dismissing the suit for lack of jurisdiction, remanded the case to the Second Circuit, and instructed it to further consider its decision in light of Shady Grove.

Read expansively, this decision could be used as a way around other similar state laws that seek to limit class actions, potentially resulting in a wave of costly class actions being filed in federal court, rather than forcing individuals to sue for statutory damages one at a time.
 

SCOTUS Holds Mistake of Law No Defense to FDCPA Liability

Yesterday, the Supreme Court issued a decision in Jerman v. Carlisle, McNellie, Rini, Kramer & Ulrich LPA (“Jerman”) (Docket 08-1200) that resolves a circuit split regarding the scope of the Fair Debt Collection Practices Act’s bona fide error defense and disposes of a key defense to FDCPA liability for debt collector defendants.

The FDCPA’s “bona fide error” defense allows a debt collector defendant to avoid liability for FDCPA violations if it “shows by a preponderance of evidence that the violation was not intentional and resulted from a bona fide error notwithstanding the maintenance of procedures reasonably adapted to avoid any such error.” 15 U.S.C. §1692k(c). While the majority view has been that this defense is available for clerical and factual errors only, a number of circuits, including the Sixth Circuit, have held that it also applies to mistakes of law so long as the debt collector had reasonable procedures in place to avoid such mistakes, such as ongoing FDCPA training, procuring the most recent case law, and/or having lawyers dedicated to ensuring FDCPA compliance.

In 2006, Jerman brought a class action complaint against the defendant debt collector, a law firm, alleging that the firm’s debt validation notice violated the FDCPA by misinforming debtors that any dispute of a debt must be made in writing. The firm moved to dismiss, arguing that debt disputes do need to be in writing and that the notice was therefore accurate. The district court, while acknowledging some divergence of authority on the issue, held that the FDCPA does not require disputes to be in writing and that the notice was deceptive in violation of the Act. The firm then moved for summary judgment, arguing that its violation was the result of an honest mistake of law and thus a bona fide error. The firm provided evidence of procedures reasonably adapted to avoid such mistakes, including a firm lawyer dedicated to ensuring FDCPA compliance, regular attendance of debt collection CLE’s, and subscriptions to relevant legal periodicals. The district court entered summary judgment in the firm’s favor, and the Sixth Circuit affirmed, holding that a mistake of law can qualify as a bona fide error under the FDCPA.

The Supreme Court’s decision in Jerman reverses the Sixth Circuit, holding that a mistake of law, no matter how genuine, can never qualify as a bona fide error. The Court cited the long-recognized legal maxim that “ignorance of the law will not excuse any person, either civilly or criminally.”

The decision should be a warning to all debt collectors and law firms regularly engaged in debt collection. As Justice Kennedy noted in his dissenting opinion, “[a]fter [yesterday’s] ruling, attorneys can be punished for advocacy reasonably deemed to be in compliance with the law or even required by it.” No matter what procedures such firms have in place to ensure accurate FDCPA compliance, mistakes of law will not be excused. Debt collectors and lawyers for debt collectors should take special care to keep abreast of FDCPA case law and legal developments, and where there are splits of authority, err on the side of caution.
 

Recently Commenced California Class Action May Impact Exposure Faced By Financial Institutions Involved With Federal Student Loans

If your company is one of the many companies that participate in originating, guaranteeing or servicing student loans made under the Federal Family Education Loan Program (“FFELP”), you should be aware of a recent putative class action filed in the United States District Court for the Northern District of California. In Sharon Cheslow v. Wells Fargo Bank, N.A., 3:10-cv-593, defendant Wells Fargo Bank N.A. is alleged to have improperly capitalized interest on various types of FFELP loans in violation of numerous California consumer protection and false advertising laws. The putative class consists of residents and non-residents of California who borrowed FFELP loans from Wells Fargo.

According to the U.S. Department of Education, approximately 95 million FFELP loans, including the Stafford Loan, the unsubsidized Stafford Loan, the PLUS Loan and the Consolidation Loan, were made from 2001-2009 for about $436 billion. The federal government serves as the ultimate guarantor of payment on FFELP loans. See, e.g., 34 C.F.R. § 682.100. In certain instances, interest that accrues on FFELP loans can be capitalized. See, e.g., 34 C.F.R. § 682.202(b).

To date, the exposure of companies participating in FFELP to lawsuits by loan borrowers has been limited, first, by repeated holdings that the federal Higher Education Act (“HEA”), as amended, 20 U.S.C. §§ 1001-1155, of which FFELP is a part, does not provide borrowers with a private right of action. See College Loan Corp. v. SLM Corp., 396 F.3d 588, 593 (4th Cir. 2005) (cataloging decisions). Second, it has recently been held that the HEA preempted a FFELP borrower’s state breach of contract and statutory claims. See Chae v. SLM Corp., 593 F.3d 936 (9th Cir. 2010). It is expected that both propositions will be tested in Cheslow.

It is also anticipated that Wells Fargo, relying on Chae, will contend that the HEA preempts the plaintiff’s claims. The plaintiff may counter that Chae is inapplicable because her state law claims differ from those in Chae. The plaintiffs in Chae, FFELP borrowers, asserted California state law claims against their loan servicer for allegedly improperly calculating interest, assessing late fees and setting their loan repayment start-date. While the Ninth Circuit in Chae distinguished the Fourth Circuit’s decision in College Loan Corp., the plaintiff in Cheslow may attempt to argue that College Loan Corp. should steer the outcome on the preemption issue, not Chae. In College Loan Corp., 396 F.3d at 599, the Fourth Circuit held that the HEA and regulations promulgated thereunder regarding FFELP did not preempt the breach of contract and other state law claims brought by a FFELP loan originator against other FFELP loan originators and servicers and that the plaintiff could rely on violations of the HEA and related regulations to establish its state law claims against the defendants.

Wells Fargo may also try to limit the scope of the class by arguing that non-California residents cannot sue Wells Fargo on California state law claims in light of the restriction imposed by the Due Process Clause on the extraterritorial reach of a state’s laws.

Wells Fargo has not yet responded to the complaint; its response is due May 10th. We intend to monitor the docket and report on any developments. 

Class Certification Denied in RESPA Kickback Action

The recent decision in Carter v. Welles-Bowen Realty, Inc., No. 3:09-cv-400 (N.D. Ohio Mar. 11, 2010), two consolidated cases involving alleged kickbacks to “sham” title insurance companies, in violation of the Real Estate Settlement Procedures Act (“RESPA”), is consistent with numerous other decisions of federal courts nationwide that have denied class certification of RESPA kickback claims on the grounds that a class action is not a superior method of adjudication.

In Carter, the lead plaintiffs made payments, in connection with the purchase of residential real estate, to the defendant companies, which merely referred all of the work to defendant Chicago Title Insurance Company. These purchases were funded in part by federally related mortgages, subjecting them to regulation under RESPA. The anti-kickback provisions of RESPA prohibit the payment or acceptance of fees or kickbacks in exchange for referrals of settlement service business involving a federally related mortgage. Almost all loans made for residential property qualify as federally related mortgages. The penalties for violating the anti-kickback provisions are severe, including the recovery of up to three times the amount paid for the services.

The plaintiffs sought certification of two classes consisting of hundreds of members. The district court denied the motion for class certification on the grounds that the named plaintiffs could not satisfy the superiority and predominance requirements of Federal Rule of Civil Procedure 23(b)(3). In doing so, the court found that a class action is not a superior method for litigating this case given RESPA’s provision of attorneys’ fees and costs, on top of treble damages, to prevailing plaintiffs, which the court found provided “adequate incentive for individual plaintiffs to bring these types of claims.” In addition, the court found that common questions did not predominate the proposed classes’ claims because there were “substantial individualized issues,” including whether each class member had a federally-related mortgage covered by RESPA.

Companies sued in putative class actions alleging violations of RESPA's anti-kickback provision may look to the holding in Carter, and similar decisions of numerous other federal courts nationwide, as support for an argument in their case that class certification should be denied for failure to satisfy the superiority and predominance requirements of Rule 23.

DOJ Reaches Landmark Settlement of Claims Regarding Racial Discrimination in Mortgage Lending

Last month, two subsidiaries of American International Group (“AIG”) agreed to pay $7.1 million to settle claims by the United States Department of Justice (“DOJ”) that the companies unlawfully charged African American borrowers higher mortgage fees over a period of three years as compared to white borrowers. In United States of America v. AIG Federal Savings Bank, 99-mc-09999 (D. Del.), DOJ alleged that from 2003 to 2006, AIG Federal Savings Bank (“AIG FSB”) and Wilmington Finance, Inc. (“WFI”) failed to cap the fees which affiliated brokers could charge to borrowers, and failed to monitor the fee amounts charged. DOJ further alleged that during this time, African American borrowers were charged fees on average 20 basis points higher than total broker fees paid by similarly situated white borrowers. In some metropolitan areas, DOJ alleged the discrepancy rose to the level of 75 basis points.

The consent order requires AIG FSB and WFI to pay $6.1 million to compensate roughly 2,500 African American borrowers who were overcharged, and to contribute at least $1 million towards programs designed to provide financial education to consumers. AIG FSB and WFI also represented that they have exited the wholesale-lending business and agreed that if they seek to return, they must notify the government and change their business practices.

The AIG settlement is the largest monetary settlement ever obtained by DOJ for the compensation of victims of lending discrimination. Thomas Perez, the DOJ assistant attorney general for civil rights, stated that this is the first time DOJ has held a lender accountable for allegedly discriminatory conduct by its affiliated brokers, and warned that if need be, this will not be the last time. He further remarked that the prior administration made no meaningful effort to crack down on racially discriminatory lending, which contributed to the current national housing and economic crisis. Mr. Perez announced that there are 45 pending cases along the same lines, and that "lenders who ignored the discriminatory practices of brokers must be held accountable."

Other federal and state regulators are expected to take similar steps. For example, Robb Adkins, executive director of the Obama Administration's Financial Fraud Enforcement Task Force (FFETF), stated that the settlement should be seen as a "warning shot" to those who would engage in fraud or discrimination, and that the FFETF, comprised of representatives from a variety of federal and state regulatory and law enforcement bodies, is redoubling its efforts to prosecute similar conduct.

Study Suggests that Data Breaches Among Businesses May Be on the Rise

A recent study released by the Identity Theft Resource Center (“ITRC”), a non-profit organization dedicated exclusively to the prevention of identity theft, suggests that in 2009, while the government appeared to be improving data security, the protection of customers’ private information by some businesses may have worsened. The annual ITRC study is funded by the U.S. Department of Justice’s Office of Victims of Crime and tracks how a data breach occurs and identifies the breach by sector – including general business, medical and health, financial institutions, government/military, and educational.

The highlights of the 2009 ITRC study include the following:

  • Breaches within the general business sector (not including companies in the more heavily-regulated financial and medical sectors) climbed from 21% to 41% between 2006 and 2009, the worst sector performance by far.
  • Paper breaches increased 46% from 2008 and now account for nearly 26% of known breaches.
  • The number of breaches caused by a malicious attack surpassed the number resulting from human error for the first time in three years.
  • In only six of the 498 total breaches reported was the exposed data protected by encryption or another strong security feature.

These statistics highlight the importance of consistently evaluating the measures your company takes to secure private data. Otherwise, your company runs the risk of being sued for breach of privacy, including in the individual and class action context, or becoming the subject of investigation by state and/or federal regulators, who are becoming increasingly aggressive about investigating privacy breaches. Your company may also find itself liable to third-parties with whom it does business, including credit card issuers and merchant banks, especially if your company’s privacy protections fail to meet the industry standard. [Click here for a post from the Kelley Drye Advertising Group’s “Ad Law Access Blog” regarding a recent law passed in the state of Washington that establishes such liability.]
