Photo of Lillian Macartney

Lillian specializes in government investigations, compliance and enforcement matters.

New York Attorney General Eric Schneiderman has introduced a bill that would expand that state’s existing data breach laws. This proposed legislation, called the Stop Hacks and Improve Electronic Data Security Act, or the SHIELD Act, is sponsored by two Democratic members of the state legislature (Senator David Carlucci and Assembly member Brian Kavanagh). Schneiderman stated in a press release: “It’s clear that New York’s data security laws are weak and outdated. The SHIELD Act would help ensure these hacks never happen in the first place. It’s time for Albany to act, so that no more New Yorkers are needlessly victimized by weak data security measures and criminal hackers who are constantly on the prowl.”

The SHIELD Act would:

  • Expand the requirement for a breach that must be reported to the Attorney General. Currently, a breach is defined as the unauthorized acquisition of certain private information. The SHIELD Act would expand this to include any unauthorized access to the information. This means that the unauthorized viewing of private information would be considered a breach, even if there is no evidence that the data was actually extracted.
  • Expand the type of private information that triggers a breach notification. Currently, companies are not required to meet data security requirements if the information they possess and store does not include Social Security numbers. The new law includes HIPAA-covered health data, biometric information, and user name and password combinations.
  • Require that a company give notice to the Attorney General of a breach if the business owns or licenses data with private information pertaining to New York residents. Currently, the notification law only applies to companies conducting business within the state.

The law would allow the AG’s Office to seek penalties of either $5,000 or, alternatively, $20 per failed notification. The latter penalty option is capped at $250,000, an increase from the current $150,000 cap. The law includes a safe harbor provision for companies that receive an annual certification of their data security compliance by an independent third-party organization. The law would have a less demanding standard for small businesses with less than $3 million in annual gross revenue and fewer than 50 employees.  Entities that are already regulated by existing New York and federal data security requirements (including regulations under the Gramm-Leach-Bliley Act) are considered compliant with the SHIELD Act’s security requirements.

The bill is currently in committee. Troutman Sanders will continue to monitor the bill’s progress through the New York state legislature.

The Consumer Financial Protection Bureau recently released a Compliance Bulletin regarding fees that companies may charge consumers when they pay by phone.

The Bulletin highlights certain practices related to phone payment fees that may violate the Dodd-Frank Act’s prohibition on committing unfair, deceptive, or abusive acts and practices (UDAAPs), including:

  • Failing to disclose all available phone payment options when they carry materially different fees;
  • Misrepresenting the available payment options or that a fee will be applied if a person pays by phone;
  • Not disclosing that a phone fee will be added, or creating the impression that there is no service fee when, in fact, there is one; and
  • Not monitoring employees or service providers in a way that could lead to misrepresentations or failing to disclose all available payment and fee options.The bulletin echoes the CFPB’s previous guidance regarding the potential for consumer harm when companies have incentive programs for employees that process phone payment fees.  The CFPB cautions that when employees are given incentives to steer consumers towards certain payment methods, or even when employees are simply pressured to complete calls quickly, it can increase the risk that the company will violate a UDAAP law.
  • This guidance is applicable for any business or entity that solicits or offers payments over the telephone.  Companies should review their internal policies and procedures to ensure they align with the CFPB’s guidance.  The Bulletin does not require that companies disclose pay-by-phone fees in any particular fashion.  However, it does recommend that companies take certain proactive steps to ensure compliance, including:
  • This last point highlights an issue that is raised several times throughout the bulletin, which relates to entities that rely on phone representatives to disclose applicable fees.  Even if a company has adequate policies and procedures in place regarding fee disclosures, there is still the risk of a UDAAP violation if phone representatives deviate from standard call scripts.  The bulletin stresses the importance of adequate monitoring to ensure that both employees and third-party service providers appropriately disclose fees and make consumers aware of available options.
  • Reviewing state and federal law to confirm whether the company may charge phone payment fees;
  • Reviewing policies and procedures on pay-by-phone fees, both internal and those of service providers, including call scripts and training materials;
  • Incorporating pay-by-phone concerns into the monitoring or audits of consumer calls; and
  • Reviewing consumer complaints.

While Compliance Bulletins are non-binding statements of policy, they are important guidance that reflects the agency’s stance, and they indicate potential areas of enforcement.  Companies should carefully review these bulletins to ensure they are not risking an enforcement action.  Troutman Sanders’ attorneys have significant experience counseling companies on compliance methods, risks and strategies – before and after enforcement actions.

The Consumer Financial Protection Bureau recently released a “special edition” of its standard monthly complaint report.  The report gives statistics on the number and types of complaints received by the CFPB, both nationally and broken down by state.  By providing data on all fifty states and the District of Columbia, the CFPB gives consumers and businesses insight into the types and volume of complaints handled by the agency, and state-by-state variations in consumer concerns.

In a message given just prior to the report’s release, CFPB Director Richard Cordray stated, “By sharing complaint data publicly, we empower consumers with information they can use to make decisions and give public officials insight into issues affecting our communities.”

The report gives both a national and state-by-state snapshot look at:

  • Complaint totals – 1,163,156 complaints have been handled since July 2011.
  • How states compare – California, Florida, New York, and Texas had the highest volumes of total complaints.
  • Complaints submitted by “specialty populations” which includes service members, veterans and their families, and older consumers.
  • The top subject matter areas about which the CFPB receives complaints – Nationally, the top three complaint areas, by volume, were debt collection, mortgage and credit reporting-related issues.  The state-specific data shows how the number of complaints in a given subject matter area compares to the national average.
  • Complaint trends – The subject matter area with the largest change in complaints from last quarter was student loans, with complaints up 216%.
  • The percentage of timely company responses to complaints received by the CFPB – Nationally, companies have responded in a timely manner (within 15 days or less) 97% of the time since the CFPB began receiving complaints in 2011.

A copy of the report is available here.

The Acting Chairman of the Federal Trade Commission (FTC), Maureen Ohlhausen, has issued a statement that endorses a recent proposed rulemaking by the Federal Communications Commission (FCC).  The FCC rulemaking, proposed on May 18, is titled “Restoring Internet Freedom” and seeks to restore a “light-touch regulatory framework” by reversing a 2015 FCC decision that classified Internet Service Providers (ISPs) as telecommunications carriers under Title II of the Communications Act.  The proposed rulemaking would also reclassify mobile broadband internet access as a private mobile service.

The FCC’s press release announcing the proposed change referred to the 2015 decision as imposing “heavy-handed Title II utility-style government regulation on internet service providers” and states that the new rule would be a “return to the longstanding, successful light-touch framework under Title I of the Communications Act.”

Acting FTC Chairman Ohlhausen released her statement on the same day as the proposed FCC rulemaking, stating:

I welcome the adoption of this NPRM as further progress toward restoring the FTC’s ability to protect broadband subscribers from unfair and deceptive practices, including violations of their privacy. Those consumer protections were an unfortunate casualty of the FCC’s 2015 decision to subject broadband to utility-style regulation. This new proceeding offers an opportunity to undo that decision and thereby return broadband consumers to the expert protection of the FTC.

The statement indicates that the FTC could, at least partially, fill any enforcement gap left by a change in FCC rulemaking, and is a reminder of the overlapping enforcement efforts of the two agencies.

The FCC’s rulemaking is currently open for public comment.  Troutman Sanders will continue to monitor the progress of the rule.

A recent interview given to the Washington State Tri-City Herald highlights the increased focus of the Washington Attorney General’s office on consumer protection issues. 

In the interview, Attorney General Bob Ferguson explained that his focus is to recover money for consumers who have been harmed.  He told the paper that since he has taken office, the consumer protection section of the A.G.’s office has grown from eight lawyers to twenty-two (soon to be twenty-four), and the office is bringing in nearly twice the number of cases that it brought in just two years ago.  According to Ferguson, “The reason for that is not because there are more bad actors out there – I think that is relatively constant.  We simply have put more resources in it.” 

The article highlighted two recent actions by the officeThe first was the successful case against the makers of 5-Hour Energy, in which a Washington state court ordered nearly $4.3 million in penalties and attorneys’ fees and costs over claims that the makers of the product deceived consumers.  (We previously covered this case here).  The second is a pending case against Navient Corporation, the largest student loan servicer in the United States.  (Our write-up on the suit filed by the Washington Attorney General’s office, together with the Illinois Attorney General and the Consumer Financial Protection Bureau, can be found here).  

This interview highlights the continued emphasis on consumer issues by state attorneys general.  These efforts are unlikely to wane in the near future.  

Troutman Sanders will continue to monitor developments in this area.

 

On March 16, the Consumer Protection Division of the Maryland Attorney General’s Office announced a settlement with five California law firms and Mandip Purewal , the owner of the firms.  The Attorney General alleged that the firms illegally collected advance fees from consumers, ostensibly to settle the consumers’ debts.  In actuality, the firms typically did not settle the debts. 

The Maryland Debt Settlement Services Act (MD Code, Fin. Inst., § 12-1001 through § 12-10017), passed in 2011, prohibits a debt settlement company from charging a consumer any fees for services until the company has renegotiated, settled, reduced, or altered in some way the consumer’s debt.  In the press release announcing the settlement, Maryland Attorney General Brian E. Frosh stated, “Consumers should not pay up-front fees for debt-settlement or debt-management services, and shouldn’t end up worse off than when they started.” 

The Debt Settlement Services Act also requires any person offering debt settlement services in Maryland to register with the Maryland Commissioner of Financial regulation.  None of the firms involved with this settlement National Consumer Law Group, P.C.; U.S. Legal Services Group, P.C.; Imperial Law Group, P.C.; Apex Legal Group, P.C.; and Regis Law Group, P.C. were registered in Maryland. 

Under the terms of the settlement with the A.G.’s office, Purewal and the five firms must stop offering debt settlement services in Maryland, must return all payments to consumers for debts that were not settled, and must pay a $200,000 penalty and an additional $50,000 to cover costs of the investigation. 

On January 24, attorneys general for Massachusetts, Maine, Maryland, Illinois, New York, and the District of Columbia filed a motion to intervene in a case between the U.S. Department of Education and the Accrediting Council for Independent Colleges and Schools (“ACICS”). 

ACICS, which previously has come under federal scrutiny for its accreditation practices, filed the suit against the Department of Education in late December, challenging the Department’s decision to terminate ACICS as a federally recognized accreditor of postsecondary education programs.   

The motion filed by the attorneys general states that ACICS’s “accreditation failures are both systemic and extreme.  If ACICS is successful in its efforts to vacate the Secretary’s well-founded decision to terminate ACICS’s recognition as a federally recognized accreditor, the State Movants’ interests in protecting their students, ensuring the effectiveness of state regulations, and preserving finite state resources will be harmed.” 

The states note that they are one of the “long-established ‘triad’” of higher education authorities, including also the federal government and accrediting agencies.  They explain that states rely on the federal accreditation system to monitor the quality of higher education options being offered to the general public.  The states note that ACICS failed to identify issues at, or terminate accreditation of, a number of for-profit institutions that have either filed for bankruptcy or where government investigations have found misconduct for things such as fabricating job placement rates.  In a press release, Illinois Attorney General Lisa Madigan stated, “ACICS gave legitimacy to for-profit schools that have left millions of students with useless degrees, astronomical levels of debt and poor job prospects.” 

This case is one of several recent instances of Democratic attorneys general seeking to intervene in federal cases, perhaps indicating an increase in state action in response to the Trump administration.   

The U.S. District Court for the District of Columbia has not yet ruled on the motion to intervene.  Troutman Sanders LLP will continue to monitor this case as it proceeds.  

The Consumer Financial Protection Bureau has released a new tool designed to help the public track consumer lending trends as well as identify future risks.  The tool, available on the CFPB website, is called “Consumer Credit Trends,” and it currently tracks originations of mortgages, credit cards, auto loans and student loans.  Within each of those categories, a user can see the data broken down by origination activity, borrower risk profile (credit score levels), lending by neighborhood income level, and lending by borrower’s age.  The CFPB states that they will use this data to “monitor conditions in consumer credit markets, analyze the effects of regulatory interventions, and to conduct research into issues affecting consumers.”

Although the Bureau does not provide specifics as to the data itself, it states that the data is from a nationally representative sample of credit records from one of the top three national credit repositories.  Before providing the information to the CFPB, the repository stripped the data of any information that could identify a particular consumer’s identity.

The CFPB has stated that it plans to update the information in the tool regularly and provide analysis on trends and findings.  The CFPB’s findings in this first release of data include:

  • An increase in mortgage lending between August and October 2016, compared to one year previously;
  • An increase in credit card lending this year, including a large increase in low-income neighborhoods;
  • A slight decline in auto loans, as compared to the same period last year (however, this decline was predominantly among higher risk consumers);
  • Continued historically high percentages of auto lending to consumers over 65 years old; and
  • A slight decrease in originations of student loans, compared to the same period in 2015.

In a press release about the new tool, CFPB Director Richard Cordray stated, “This critical information will help us identify and act on trends that warn of another crisis or that show credit is too constricted.”  The CFPB plans to eventually expand the tool to include other consumer credit products as well as information on credit applications, delinquency rates, and consumer debt levels.

Troutman Sanders will continue to monitor this tool, as well as the CFPB’s analysis of this data.

In likely the final chapter of a case covered previously by this blog, the New York Attorney General recently announced settlements with daily fantasy sport companies Draft Kings, Inc. and FanDuel, Inc.  The companies will each pay $6 million in penalties and fees to the state of New York, in order to settle alleged false advertising violations.  The Office of Attorney General called the settlement agreements “the highest New York penalty awards for deceptive advertising in recent memory,” and Attorney General Eric T. Schneiderman stated, “DraftKings and FanDuel will now be required to operate with greater transparency and disclosure and to permanently end the misrepresentations they made to millions of consumers.”

These settlements resolve all remaining claims from the pair of lawsuits the New York Attorney General’s office filed in October 2015.  The parties reached a partial settlement in March 2016, when both companies agreed to stop accepting entry fees in New York unless and until New York expressly legalized paid daily fantasy sport games.  The New York legislature legalized (and regulated) daily fantasy sports contests in legislation passed in June 2016 and signed into law by Governor Cuomo in August.  Following this change in the law, the Attorney General’s office dismissed all claims against the companies, except the false and deceptive advertising claims which are the subject of this most recent pair of settlements.

In addition to the monetary payments, the settlement agreements require both companies to disclose on their websites the rate of success of users in their contests, including the percentage of winnings that are won by the top 1%, 5%, and 10% of site users.  Among the A.G.’s findings against the companies were that, while the companies advertised that the average player would win money in their contests, 89% of players on DraftKings lost money.  The Attorney General’s office cited a study by McKinsey & Company, which found that 91% of daily fantasy sports profits “were concentrated in the hands of just 1.3% of players.”  Both companies are also required to make resources available on their websites regarding gambling addictions.

These settlements are significant for both the penalty amounts and for the unusual path the case took, including the involvement of the New York legislature.  They also exemplify the growing regulatory interest in the daily fantasy sports arena.

 

The FTC has filed a complaint and secured a temporary injunction against five companies and their owners, alleging use of deceptive practices to trick consumers into purchasing unneeded technology services for their computers.

As detailed in the complaint, the FTC alleges that the scheme worked as follows: a pop-up ad would appear on a consumer’s computer screen, stating that the computer had been hacked or infected, and the ad would give a toll-free number to call for technical support services.

The ads were designed to appear as if they were from Microsoft, Apple, or the consumer’s internet service provider, and often consumers were unable to close or navigate away from the ads.  When a consumer called the phone number, he or she would be automatically connected to one of the companies’ telemarketers in India who would try to convince the person that their computer needed to be repaired and that they should pay for repair services at a cost of approximately $200 to $400.  Defendants told consumers, falsely, that they were certified by Microsoft and Apple, and they often remotely accessed consumers’ computers to demonstrate the supposed problems.  The FTC claims that these “series of purported diagnostic tests, … in reality, are nothing more than a high-pressured sales pitch designed to scare consumers … .”

The complaint details how, as a part of its investigation of the companies, the FTC conducted an “undercover transaction” with the company.  During that transaction the telemarketers claimed to show evidence of computer problems which, in reality, were standard, properly functioning features of the computer that was virus-free.

The FTC alleges that the five companies – Global Access Technical Support LLC, Global sMind LLC, Source Pundit LLC, Helios Digital Media LLC, and VGlobal ITES Private Limited – operated together in running a telemarketing scheme.  The complaint also names three individual owners as defendants.

On October 12, the U.S. District Court for the Eastern District of Missouri issued an order temporarily prohibiting the companies from, among other things, representing that they are part of a U.S. technology firm such as Microsoft or Apple or from claiming they have detected security or performance issues on consumers’ computers.

Troutman Sanders will continue to monitor the progress of this case.