Consumer financial services companies are hopeful that the Supreme Court’s pending decision in Timbs v. Indiana will provide a Constitutional basis for challenging fines and penalties levied by state attorneys general and regulators.  The Supreme Court heard oral argument on November 28 on the issue of whether the Excessive Fines Clause has been (or should be) made applicable to the states through the Fourteenth Amendment.

Petitioner Tyson Timbs pled guilty to dealing a controlled substance and received a six-year sentence of mixed home detention and probation.  In addition, Timbs agreed to pay fines and court costs.  At the time of his conviction, the State of Indiana allowed a maximum fine of $10,000 for the underlying offense.  However, several months after Timbs’ sentencing, the State filed a case seeking civil forfeiture of a vehicle worth approximately $40,000 that Timbs drove at the time of his arrest.  After an evidentiary hearing on the State’s request, the Indiana trial court determined the forfeiture was grossly disproportionate to the underlying crime and therefore unconstitutional under the Eighth Amendment’s Excessive Fines Clause.  On appeal, the Indiana Supreme Court unanimously reversed on the basis that the U.S. Supreme Court has not held that the Excessive Fines Clause applies to the states.

The questions posed by the justices at oral argument suggest a consensus among the bench that the Excessive Fines Clause of the Eighth Amendment is applicable to the states under the Fourteenth Amendment.  However, the questions during oral argument suggest some disagreement on the scope of the rights protected by the Excessive Fines Clause.

Many state attorneys general and state regulators have heightened their supervisory and enforcement activity over consumer financial services companies in the wake of a perceived slackening of enforcement at the federal level, particularly from the Bureau of Consumer Financial Protection.  The industry is hopeful that a Timbs v. Indiana decision applying the Eighth Amendment Excessive Fines Clause against the states could provide significant protection from fines and penalties sought by states.

The Pennsylvania Supreme Court has ruled that employers have a legal duty to use reasonable care to safeguard the sensitive personal information of employees stored on an Internet-accessible computer system.

In Dittman v. UPMC, former and present employees of the University of Pittsburgh Medical Center filed a putative class action against UPMC arising from a data breach in which the personal and financial information – including names, birth dates, Social Security numbers, addresses, tax forms, and bank account information – of all 62,000 employees and former employees were accessed and stolen from UPMC’s computer systems.

The employees alleged that the stolen data, which consisted of information UPMC required employees to provide as a condition of employment, was used to file fraudulent tax returns on behalf of victimized employees, resulting in actual damages. Based on these allegations, the employees asserted claims for negligence and breach of implied contract against UPMC. The employees further alleged that UPMC undertook a duty of care to ensure the security of their information in light of the special relationship between the university and its employees, whereby UPMC required them to provide the information as a condition of their employment.

The Court reversed the Superior Court’s grant of UPMC’s preliminary objections, holding that UPMC had an existing duty of reasonable care to safeguard the employees’ data from the foreseeable risk of a data breach. The Court found that the personal and financial information was stored without the use of adequate security measures, including proper encryption, adequate firewalls, and an adequate authentication protocol.

While the Court noted that generally there is not a duty to protect someone who is at risk due to circumstances that a defendant did not create, the employees alleged sufficiently that UPMC’s affirmative conduct created the risk of a data breach. Therefore, by collecting and storing the employees’ data on its computer systems, UPMC owed the employees a duty to exercise reasonable care to protect them against an unreasonable risk of harm arising from those actions.

Significantly, the Court rejected UPMC’s argument that the presence of third-party criminality eliminates the duty it owed to the employees. The Court found that cybercriminal activity was within the scope of the risk created by UPMC and, therefore, did not alleviate UPMC of its duty to protect employees’ personal and financial information from that breach.

The Court also rejected UPMC’s economic loss argument, holding that under Pennsylvania law, recovery for purely pecuniary damages is permissible under a negligence theory provided that the plaintiff can establish that the breach of a legal duty arising under common law is independent of any duty assumed pursuant to contract.

Typically, if a duty owed arises under a contract between the parties, a tort action cannot be brought arising out of a breach of that duty. However, if the duty arises independently of any contractual duties between the parties, then a breach of that duty may support a tort action. The Court in this case held that UPMC’s legal duty to act with reasonable care in collecting and storing its employees’ personal and financial information on its computer systems exists independently from any contractual obligations between the parties. Therefore, the economic loss doctrine did not bar the employees’ claim.

This is a significant ruling by the Pennsylvania Supreme Court as courts generally are reluctant to expand duties of care. But in this interconnected world and given well-known risks of cyber-intrusions, the Court found that an employer has a duty to exercise reasonable care to safeguard employees against the foreseeable risk of a data breach. This ruling may open the floodgates to lawsuits involving data breaches in Pennsylvania, and other plaintiffs will likely test the theory in other jurisdictions. Companies should conduct cybersecurity audits, engage in comprehensive reviews of cybersecurity insurance policies, and exercise vigilance in protecting sensitive data and personal information.

In A-1 Premium Acceptance, Inc. v. Hunter, the Missouri Supreme Court upheld the circuit court’s order denying counterclaim defendant A-1’s motion to compel arbitration because the plain language of the consumer arbitration agreement limited the arbitrator to the National Arbitration Forum (NAF).  After the parties executed the arbitration agreement, NAF entered into a consent decree with the Minnesota Attorney General requiring NAF immediately to stop providing arbitration services for consumer claims nationwide.

The parties’ arbitration agreement stated that claims “shall be resolved by binding arbitration by the National Arbitration Forum, under the Code of Procedure then in effect.”  The applicable Code of Procedure provides that only NAP may administer the Code.  Thus, even though the arbitration agreement did not expressly state that arbitration can proceed “only” before NAF, the Court explained that the parties agreed to arbitrate only before NAF because the language identifying NAF was coupled with the reference to a Code of Procedure that mandates only NAF can administer the Code.  The fact that A-1 drafted the agreement and could have included language contemplating the unavailability of NAF precludes any inference that the parties intended to arbitrate before another arbitrator in the event NAF became unavailable.  Accordingly, the Court ruled the parties had agreed to arbitrate “before NAF and no other arbitrator.”

The Missouri Supreme Court’s decision in A-1 Premium may have far-reaching implications for lenders based on NAF’s agreement to withdraw from arbitration services for consumer claims nationwide.  As the Court noted, however, courts are split on whether NAF’s unavailability renders an arbitration agreement unenforceable.

On December 10, the Bureau of Consumer Financial Protection issued proposed revisions to its 2016 Policy on No-Action Letters and proposed a BCFP Product Sandbox.

The proposed new policy has two parts: Part I is a revision of a 2016 policy on No-Action Letters, and Part II is a description of the BCFP Product Sandbox. The revised No-Action policy would eliminate the data-sharing requirement of the 2016 Policy, which required applicants to commit to sharing data about the product or service. The revisions to the 2016 Policy would also speed up the time in which the BCFP would grant or deny an application for a No-Action Letter to 60 days.

The BCFP Product Sandbox would grant companies similar relief under Part I of the proposed rule but would also provide two forms of additional exemption relief: “1. Approvals by order under three statutory safe harbor provisions (approval relief); and 2. Exemptions by order from statutory provisions under statutory exemption-by-order provisions (statutory exemptions), or from regulatory provisions that do not mirror statutory provisions under rulemaking authority or other general authority (regulatory exemptions).” The Product Sandbox approval relief and exemption relief would be for a period of two years; however, to take advantage of the Product Sandbox, applicants are required to commit to sharing data with the BCFP with respect to the products or services offered.

The proposed policy has the following goals: “1. Streamlining the application process; 2. Streamlining the BCFP’s processing of applications; 3. Expanding the types of statutory and regulatory relief available; 4. Specifying procedures for an extension where the relief initially provided is of limited duration; and 5. Providing for coordination with existing or future programs offered by other regulators designed to facilitate innovation.” The Product Sandbox will help foster innovation and gain insight into how regulations may need to adapt to allow pro-consumer innovation.

This proposed policy may be of particular interest to the fintech world in the business-to-consumer context, given the innovation and energy to adapt delivery of products and services over the Internet and the sometimes awkward fit between the remote delivery model and some regulations. Comments on the revised policy are due no later than 60 days after the proposals are published in the Federal Register.

The district court in the Northern District of Illinois granted summary judgment to the defendant in a TCPA case on the grounds that its dialing system no longer fit the definition of an automatic telephone dialing system (“ATDS”) because it dialed numbers from a stored list.  In doing so, the Court reversed its previous decision on summary judgment and clearly rejected the FCC’s previous guidance on the issue. 

The case is Johnson v. Yahoo!, Inc., No. 14-cv-2028 (N.D. Ill. November 29, 2018).  A copy of the opinion can be found here. 

Plaintiff Rachel Johnson alleged the defendant’s text messaging services caused text messages to be sent to her by pulling her number from its address book and automatically sending text messages to her cell phone, violating the Telephone Consumer Protection Act, 47 U.S.C. § 227, et seq. (“TCPA”).  In first denying the defendant’s motion for summary judgment in 2014, the Court reluctantly relied on FCC decisions from 2003, 2008, and 2012 that interpreted ATDS to include systems that dialed numbers from a stored list without human intervention.  The Court noted its disagreement with this expansive interpretation but concluded that it was bound to follow the FCC guidance. 

However, after ACA International v. FCC, 885 F.3d 687, 695 (D.C. Cir. 2018) overturned the FCC’s 2015 Order, which reaffirmed the previous orders, the defendant filed a motion for reconsideration and the Court jumped at the chance to revisit its previous ruling.  The Court first considered whether ACA International left the previous FCC Orders intact – a question that has divided courts since March.  It found that ACA International had “wiped the slate clean” because the 2015 Order “brought the entire agency definition of ATDS up for review in the D.C. Circuit.”  The court in ACA International “was telling the agency to start over.” 

No longer bound to apply the “more expansive interpretation” of the FCC, the Court turned to the text of the statute.  Finding the statute “is not ambiguous,” the Court determined an ATDS must store or produce numbers using a random or sequential number generator and dial those numbers.   Although the Court relied on the Ninth Circuit’s decision in Marks v. Crunch San Diego, LLC for the proposition that the previous orders no longer had effect, it took a more commonsense approach to its reading of the statute and did not adopt the expansive interpretation in Marks.  Therefore, the Court granted the defendant’s motion for reconsideration and granted summary judgment in its favor because its system did not meet the definition of an ATDS. 

In the wake of ACA International, courts have split on a number of questions, including the effect of the decision on prior FCC Orders and what the proper definition of an ATDS is now.  The Court in Johnson joined a number of courts that have found the prior FCC rulings to be eviscerated.  Likewise, many courts considering the definition of an ATDS have found that a system must have the capacity to dial numbers that have been randomly or sequentially generated to qualify, including published opinions from the Second Circuit in King v. Time Warner Cable, Inc. and the Third Circuit in Dominguez v. Yahoo, Inc.  However, some courts, such as Marks, have read the statute to include the expansive definition previously embraced by the FCC, even though the D.C. Circuit rejected that expansive definition. 

Fortunately, the FCC appears poised to resolve this uncertainty and issue guidance on the definition of what constitutes an ATDS.  Currently before it is a petition for a declaratory ruling on the definition of an ATDS and it has sought comment on the issue.  Most industry insiders expect a ruling from the FCC soon, and many expect it to adopt a similar definition as the court in Johnson.  Troutman Sanders will continue to monitor the TCPA landscape in the meantime.


On November 29, the Third Circuit Court of Appeals reversed a district court’s grant of summary judgment to Drexel University in a Fair Debt Collection Practices Act case brought by a former student.  

In Tiene v. Law Office of J. Scott Watson PC, No. 18-1221 (3d Cir. Nov. 29, 2018), Philip Tiene, a former Drexel University student, argued that the district court erred in granting summary judgment to the University on his FDCPA claims. 

After Tiene failed to pay $7,881.73 in tuition and fees, Drexel University sent a series of collection letters to Tiene through its attorney—Law Office of J. Scott Watson PC—and a collection agency. When Tiene did not respond to the letters, Drexel filed suit in Philadelphia Municipal Court to seek recovery of the debt. Although Tiene provided an updated billing address to Drexel at the start of its collection efforts, the letters and court filings were served at Tiene’s previous billing address. 

After a default judgment was entered against Tiene for failing to appear at a hearing on the complaint, he filed a motion to vacate the default on the grounds that Drexel “knowingly served process at the wrong, out of state address, where [Tiene] does not reside.” Although the Municipal Court judge found that Drexel did not engage in intentional misconduct when it served Tiene at an incorrect address, it nonetheless vacated the default judgment. It later entered judgment for Drexel in full. 

In his federal lawsuit, Tiene alleged that Drexel violated the FDCPA by its false and deceptive service of the Municipal Court complaint and by making false and deceptive statements in a letter notifying Tiene of the default judgment and attempting to collect on the judgment. The District Court granted summary judgment to Drexel on Tiene’s FDCPA claims, finding that his service of process allegations were precluded by the vacatur of the default judgment by the Municipal Court and the collection letter did not misrepresent the amount of the judgment. 

The Third Circuit reversed the District Court’s grant of summary judgment on both of Tiene’s FDCPA claims. In particular, the Third Circuit held that Tiene’s deceptive service of process claim was not barred by collateral estoppel because the District Court’s determination that Drexel did not intentionally serve Tiene at the wrong address was not essential to the vacatur of the default judgment.  

In addition, the Third Circuit held that the District Court failed to consider all of Tiene’s collection letter allegations – although it addressed Tiene’s claim that that the collection letter misrepresented the amount of the judgment against Tiene, the District Court failed to consider Tiene’s claim that the letter contained erroneous information about the Municipal Court’s default judgment.  

Troutman Sanders will continue to monitor and report on developments in this area of the law.


The Bureau of Consumer Financial Protection has continued its series of guidelines specifically addressing servicemembers’ purchases of automobiles.  Recent posts on the Bureau’s blog have provided advice for servicemembers on shopping for auto financing, options for buying new cars versus used cars, as well as recommendations on how to trade in a vehicle.

With regard to auto finance, the BCFP advises servicemembers to shop around for financing terms rather than only considering the financing options offered by dealerships.  Instead, the BCFP suggests that servicemembers contact multiple banks and credit unions, and that they ask about specific military discounts that might be available.  The BCFP also highlights the importance of the annual percentage rate and the length of financing available.

In the new versus used car debate, the BCFP suggests that servicemembers consider buying a used car rather than new.  The BCFP outlined the following factors to consider before buying:

  • How a vehicle responds under varied road conditions;
  • Researching the availability of Certified Pre-Owned (“CPO”) vehicles;
  • The vehicle’s maintenance record;
  • The value of the vehicle based on the Kelley Blue Book, Consumer Reports, and the National Automobile Dealers Association’s guides;
  • Upkeep costs; and
  • Unrepaired recalls.

The BCFP also encourages buyers to rely on the Buyers Guide, required under the FTC’s Used Car Rule.  Notably, the FTC recently updated the Buyers Guide and mandates that all used motor vehicles display the form.  Additionally, the BCFP encourages any servicemember who plans to buy a new car to shop around, negotiate on price, and order a car if a dealership does not have a car that meets their needs.

Finally, for those who intend to trade in their vehicles, the BCFP advises servicemembers to know the value of their cars, noting that dealerships are open to negotiating a trade-in value.  However, the BCFP cautions against trade-ins where a servicemember has negative equity, recommending that they consider postponing purchases until they are in a positive equity position or consider selling their vehicles themselves.  For those members of the military who decide to proceed with a negative equity trade-in, the BCFP suggests that they ask how negative equity would affect their financing and to keep the length of the new financing term as short as possible

On December 4, the Federal Trade Commission announced that it is seeking comment on whether the agency should make changes to rules requiring that financial institutions and creditors take certain steps to detect signs of identity theft that may affect their customers.

In a press release, the FTC stated that as part of its periodic review of its rules and guidelines, it is seeking comment on whether modifications should be made to the Red Flags Rule and the Card Issuers Rule.

The Red Flags Rule requires financial institutions and certain creditors to not only implement a written identity theft prevention program aimed at detecting “red flags” of identity theft in their daily operations, but also take steps to prevent identity theft and mitigate its damage.

Similarly, the Card Issuers Rule requires debit or credit card issuers to implement policies and procedures to validate a change of address request if, within a short period of time after receiving the request, the issuer receives a request for an additional or replacement card for the same account.  The Card Issuers Rule prevents a card issuer from issuing another card until it has notified the cardholder about the request or otherwise assessed the validity of the address change.

In the Press Release, the FTC noted that identity theft was one of the largest areas of consumer complaints in 2017 and 2018.

Some of the questions on which the FTC seeks comment include the following:

  • What are the costs and the benefits of the Rules to consumers?
  • What significant costs, if any, have the Rules imposed on businesses, including small businesses?
  • Are there any types of creditors that are not currently covered by the Red Flags Rule but should be, because they offer or maintain accounts that could be at risk of identity theft?

Any changes in the Rules may have far-reaching implications by imposing additional regulations on financial institutions and creditors.  Already, the definition of “creditor” under the Red Flags Rule is defined broadly to include third-party debt collectors.

The request for comments, along with instructions on how to submit comments, will be published in the Federal Register shortly.  The deadline for submitting comments is February 11, 2019.

On November 21, in Sweely Holdings LLC v. SunTrust Bank et al., the Supreme Court of Virginia issued an opinion that is beneficial to the mortgage industry in Virginia because it upheld a bank’s right to foreclose, even if it could have pursued other options under a forbearance agreement.  In doing so, the Court affirmed settled principles of contract interpretation, where provisions are understood in light of their plain language and place within the contract as a whole. 

The case involved multiple parcels of real property as well as personal property, default on an $18.3 million loan, and the borrower’s allegation of breach of contract on a forbearance agreement, among other claims.  The bank demurred, the trial court sustained, and the Supreme Court of Virginia affirmed. 

The relevant facts are as follows:  The parties entered the forbearance agreement after the borrower’s default on a loan and threat of bankruptcy.  The agreement called for the borrower to make a set number of payments, and in the event the borrower failed to make the payments on the turnover date, the borrower would convey deeds to the parcels of real property as credit to the overall debt.  When the borrower failed to make one of the payments and the bank chose to foreclose on the parcel extinguishing a junior lien, litigation arose. 

At issue was whether the contract required the bank to accept these deeds in lieu of foreclosure or whether the bank had the discretion to proceed with the contract provisions on friendly foreclosure to protect its interest. 

The Court unanimously affirmed that the bank had discretion to proceed with foreclosure and did not breach the forbearance agreement by electing that route.  In reaching this conclusion, the Court noted that the forbearance agreement did not waive the bank’s right to foreclose but instead simply provided for a non-contested “friendly foreclosure” procedure.  Further, when interpreted as a whole, the contract provisions that required conveyance of the deeds plainly allowed the bank to pursue foreclosure, extinguishing previously undisclosed junior liens. 

The Court’s opinion is beneficial to the mortgage industry in Virginia where breach of contract claims sometimes arise out of forbearance agreements.

On November 28, Senators Dianne Feinstein (D-Calif.) Richard Blumenthal (D-Conn.), and Amy Klobuchar (D-Minn.) introduced the REAL PEACE Act, short for “Robocall Elimination At Last Protecting Every American Consumer’s Ears.”  The goal of the legislation is to provide the Federal Trade Commission with the power to regulate companies that facilitate robocalls and, of particular importance, end the common carrier exemption in the Federal Trade Commission Act that purports to enable illegal robocalling.

With respect to the REAL PEACE Act, Sen. Feinstein noted in her official press release that, “[i]llegal robocalls are a nuisance to every person with a phone number” and “[t]echnology advances have helped robocallers hide their true identity and location, making it easier for them to relentlessly target and harass Americans.  Our bill will close an FTC loophole so we can finally put illegal robocallers out of business.”

Relatedly, Sen. Blumenthal stated that “[t]his bill would close an outdated loophole that enables scammers and spammers to make intrusive and illegal robocalls to millions of unsuspecting American households, without suffering any consequences.”  Further, Sen. Blumenthal offered that “[t]hese calls are not just unsolicited and disruptive—they are often dangerous and used to defraud consumers.  Telecommunication companies should be doing everything they can to protect their customers from illegal robocalls. The REAL PEACE Act will give long neglected enforcement authority to the FTC that allows them to more aggressively crack down on these calls and finally hold bad actors accountable.”

Based on the comments surrounding the purpose of the REAL PEACE Act, it is clear that lawmakers—specifically, Democratic lawmakers—are focused on trying to find different ways to regulate “robocallers” generally, as well as expand regulatory oversight of various communications that are directed at consumers.