Cyber Security, Information Governance & Privacy

The United States District Court for the Central District of California recently granted summary judgment to Sirius XM Radio, Inc. in a putative class action under the Driver’s Privacy Protection Act (“DPPA”).

As background, plaintiff James Andrew alleged on behalf of himself and a putative class that Sirius sent solicitation letters using personal information obtained from motor vehicle records in violation of the DPPA’s limits on marketing uses.  Prior to the filing of Sirius’ motion for summary judgment, counsel for Sirius explained to Andrew’s counsel that the satellite radio broadcaster had not obtained the “personal information” of Andrew or any other class members from the state’s Department of Motor Vehicles but instead obtained Andrew’s name, address, telephone number, and vehicle information from a combination of Auto Source, the dealer from which Andrew purchased the vehicle, and the United States Postal Service’s change of address database.  Despite Sirius providing Andrew’s counsel with declarations supporting these facts, Andrew refused to dismiss the suit.

In his opposition brief to Sirius’ motion for summary judgment, Andrew argued that “the DPPA extends beyond information obtained from a state’s DMV and includes Defendant’s use of information obtained from the driver license Plaintiff provided to Auto Source and the information Auto Source input [into a computer program] to prepare and submit a DMV change of ownership form for the vehicle Plaintiff purchase[d].”

In granting Sirius’ motion, the Court held that “[l]ike the Supreme Court and the vast majority of other courts to have analyzed the issue, this Court interprets the DPPA’s definition of ‘motor vehicle record’ as requiring that the DMV be the source of the ‘record.’”  The Court further held that “[i]nterpreting the statute as Plaintiff suggests and construing a ‘motor vehicle record’ to include a driver license would render the definition’s use of both ‘record’ and ‘pertains to’ as surplusage because the driver license would be ‘pertaining’ to itself and ignore the requirement that it also be a ‘record.’”  Further, Andrew’s “reasoning would criminalize the conduct of, and create civil liability for, the Good Samaritan who finds a lost wallet and uses the name and address found on the driver license found in the wallet to return the wallet to its owner.  Acknowledging that a driver license is not itself a ‘motor vehicle record’ ‘contained in the records’ of the DMV avoids such absurd results.”

The Court ultimately concluded “that the undisputed facts establish that Defendant did not ‘use’ ‘personal information’ ‘from a motor vehicle record’ when it obtained Plaintiff’s name, address, phone number, and vehicle information from Auto Source’s [computer program] and the Postal Service’s change of address database.”  As such, the DPPA’s limits on marketing uses did not apply.

The case is Andrews v. Sirius XM Radio, Inc., No. 5:17-cv-01724 (C.D. Cal.).

2017 was a transformative year for the consumer financial services world. As we navigate an unprecedented volume of industry regulation and forthcoming changes from the Trump Administration, Troutman Sanders is uniquely positioned to help its clients find successful resolutions and stay ahead of the compliance curve.

In this report, we share developments on consumer class actions, background screening, bankruptcy, credit reporting and consumer reporting, debt collection, payment processing and cards, mortgage, auto finance, the consumer finance regulatory landscape, cybersecurity and privacy, and the Telephone Consumer Protection Act (“TCPA”).

We hope you find this helpful as you navigate the evolving consumer financial services landscape.

ACCESS THE REPORT HERE

One of the largest data breaches in U.S. history, the Equifax breach has reverberating implications not only for the big three consumer credit reporting agencies, but for all organizations maintaining and transmitting protected information. Talks of universal data breach law immediately grew louder and within weeks, state Attorney Generals from Massachusetts to California, the U.S. Congress, the Federal Trade Commission, and private litigants, have launched investigations or filed lawsuits.

Join us for a complimentary webinar on January 30, 2018 from 3-4 p.m. ET featuring Troutman Sanders attorneys Mark Mao and Melanie Witte as they explore legal ramifications of Equifax’s breach, focusing on what every company should be asking and doing post-Equifax.

Scheduling conflict? Register to receive the recording after the event.

To register, click here.

 

On December 8, the United States Supreme Court agreed to decide whether the tolling rule adopted in American Pipe & Construction Co. v. Utah i.e., that the filing of a class action tolls the limitations period for a purported class member’s individual claims – permits a previously absent class member to bring a subsequent and otherwise untimely class action.

The federal appellate courts have split on that question.  The First, Second, Third, Fifth, Eighth, and Eleventh circuits have held that American Pipe tolling only permits subsequent individual actions.  However, the Sixth, Seventh, and Ninth circuits have held that American Pipe tolling also permits subsequent class actions.

In the case before the Supreme Court, China Agritech Inc. v. Resh, shareholders of China Agritech filed a putative class action alleging that the company committed securities fraud.  China Agritech moved to dismiss, arguing that the putative class action was filed after the applicable two-year limitations period had lapsed and was thus untimely.  In response, the plaintiffs argued that, under American Pipe, the action was timely because the limitations period was tolled during the pendency of two earlier-filed but defective class actions against the same defendants based on the same underlying events.

The district court granted China Agritech’s motion to dismiss, finding that the putative class action was untimely, but the Ninth Circuit reversed the district court’s decision.

The Ninth Circuit noted that the American Pipe tolling rule was adopted to “promote economy in litigation” and that, absent tolling, “[p]otential class members would be induced to file protective motions to intervene or to join in the event that a class was later found unsuitable.”  Relying in large part on that rationale, the Ninth Circuit then held that “once the statute of limitations has been tolled, it remains tolled for all members of the putative class until class certification is denied,” and that, at that point, members of the putative class are entitled to bring individual suits “either separately or jointly.”

In urging the Court to grant certiorari, China Agritech argued that the Ninth Circuit’s decision would lead to forum shopping.  The U.S. Chamber of Commerce agreed, arguing that the Ninth Circuit’s decision “erroneously extends a judicially created tolling doctrine to effectively eliminate Congressionally mandated statutes of limitations.”

The Court is expected to issue a decision in the case before the end of its term in June 2018.

On Tuesday, December 12, from 3-4 p.m. ET, Join Troutman Sanders for a webinar focused on a practical issue of great importance to mortgage loan originators and servicers: how to ensure confidential information is protected, when faced with an investigation by state or federal regulators.

The webinar will (1) outline the common law principles and statutory provisions implicating confidentiality for companies being investigated by federal and state regulators; (2) provide practical guidance on how to secure confidentiality agreements from regulators; and (3) discuss key provisions that should be incorporated into any confidentiality agreement with a regulator. This webinar will benefit counsel providing advice and analysis in litigation, compliance, and regulatory matters.

To register, click here.

In an opinion issued November 29, the Ninth Circuit Court of Appeals affirmed the dismissal of Chad Eichenberger’s lawsuit against ESPN for allegedly disclosing personal information.  The suit was originally filed in federal court in the District of Columbia in March of 2014, alleging that ESPN gave the personally identifiable information of consumers who watched the WatchESPN app on Roku to an Adobe Systems analytics unit in violation of the Video Privacy Protection Act of 1988.  The VPPA prohibits a “video tape service provider” from knowingly disclosing “personally identifiable information concerning any consumer of such provider.”

The information given to Adobe by ESPN included individuals’ Roku device serial numbers and the identity of videos watched on the app.  Adobe then used the information to identify specific consumers with existing information from a source other than ESPN.  The Ninth Circuit rejected ESPN’s argument that Eichenberger did not have standing to sue, reasoning that “[e]very disclosure of an individual’s ‘personally identifiable information’ and video-viewing history offends the interests that the [VPPA] protects.”  Nevertheless, the Ninth Circuit affirmed the lower court’s dismissal, concluding that the information obtained was not personally identifiable information.

The court reasoned that “personally identifiable information” must be more than information that simply shows an individual has watched certain videos—it must be information that actually can be used to identify an individual.  Without the existing information in Adobe’s system, which included “email addresses, account information, or Facebook profile information, including photos and usernames,” no “ordinary person” could readily identify the particular individual who watched the videos.  This “ordinary person” standard was set forth in a Third Circuit decision, In re Nickelodeon Consumer Privacy Litigation, 827 F.3d 262, 285 (3d Cir. 2016).

On November 16, the Federal Communications Commission adopted new rules to allow telephone carriers to block robocalls as potentially fraudulent when they come from certain types of phone numbers.

According to the FCC’s press release, robocalls are the top consumer complaint submitted to the FCC, with more than 200,000 annually.  The FCC’s report also highlights a more recent phenomenon where callers are now “spoofing” – the practice of altering or manipulating their Caller ID information to hide their true identity and to trick a consumer into answering the call.  For instance, callers may create the illusion that they are calling from the IRS and defraud consumers by having them pay money that is not owed to the IRS.

The FCC has previously found call blocking by carriers to be unlawful and has allowed call blocking only in “rare and limited circumstances.”  However, the new rules permit telephone carriers to block robocalls from telephone numbers in “certain, well-defined circumstances,” including where the numbers have not been assigned to a phone carrier, are not in use, or are clearly invalid, such as those with nonexistent area codes.  The rules were adopted to further the FCC’s “goal of removing regulatory roadblocks and give [the] industry the flexibility to block illegal calls.”

The FCC’s commissioner, Mignon Clyburn, commented: “Will the adoption of today’s report and order put an end to unlawful robocalls for good?  Sadly, no, but doing nothing ensures that things will get worse.”  The report reminds all consumer-facing companies using outbound telephony that the FCC is keeping a close watch on their activities.

New York Attorney General Eric Schneiderman has introduced a bill that would expand that state’s existing data breach laws. This proposed legislation, called the Stop Hacks and Improve Electronic Data Security Act, or the SHIELD Act, is sponsored by two Democratic members of the state legislature (Senator David Carlucci and Assembly member Brian Kavanagh). Schneiderman stated in a press release: “It’s clear that New York’s data security laws are weak and outdated. The SHIELD Act would help ensure these hacks never happen in the first place. It’s time for Albany to act, so that no more New Yorkers are needlessly victimized by weak data security measures and criminal hackers who are constantly on the prowl.”

The SHIELD Act would:

  • Expand the requirement for a breach that must be reported to the Attorney General. Currently, a breach is defined as the unauthorized acquisition of certain private information. The SHIELD Act would expand this to include any unauthorized access to the information. This means that the unauthorized viewing of private information would be considered a breach, even if there is no evidence that the data was actually extracted.
  • Expand the type of private information that triggers a breach notification. Currently, companies are not required to meet data security requirements if the information they possess and store does not include Social Security numbers. The new law includes HIPAA-covered health data, biometric information, and user name and password combinations.
  • Require that a company give notice to the Attorney General of a breach if the business owns or licenses data with private information pertaining to New York residents. Currently, the notification law only applies to companies conducting business within the state.

The law would allow the AG’s Office to seek penalties of either $5,000 or, alternatively, $20 per failed notification. The latter penalty option is capped at $250,000, an increase from the current $150,000 cap. The law includes a safe harbor provision for companies that receive an annual certification of their data security compliance by an independent third-party organization. The law would have a less demanding standard for small businesses with less than $3 million in annual gross revenue and fewer than 50 employees.  Entities that are already regulated by existing New York and federal data security requirements (including regulations under the Gramm-Leach-Bliley Act) are considered compliant with the SHIELD Act’s security requirements.

The bill is currently in committee. Troutman Sanders will continue to monitor the bill’s progress through the New York state legislature.

On November 8, the Federal Trade Commission announced that it had approved a final order settling claims arising out of a data breach at Georgia-based tax preparation firm TaxSlayer, LLC.

In late 2015, hackers hit TaxSlayer with a “list validation” or “credential stuffing” attack.  With that type of attack, hackers attempt to use login credentials stolen from one site to access accounts on another site.  List-validation attacks are effective because consumers often use the same login credentials on multiple sites.  Indeed, the hackers who hit TaxSlayer were able to access the accounts of almost 9,000 of TaxSlayer’s customers.  They then used the data they accessed to commit tax identity fraud – filing fake tax returns with altered bank routing numbers and pocketing consumers’ refunds.

The FTC’s Complaint

In its complaint, the FTC alleged that TaxSlayer violated three rules based on the Gramm-Leach-Bliley Act—the Privacy Rule, Regulation P, and the Safeguards Rule.

The Privacy Rule, which was promulgated by the FTC, and Regulation P, which was promulgated by the CFPB, are two iterations of the same underlying rule.  They require financial institutions to provide consumers with an initial privacy notice, followed by annual privacy notices.  Under these rules, a financial institution must provide consumers with a “clear and conspicuous” notice that “accurately reflects [its] privacy policies and practices.”  Additionally, the financial institution must provide the notice to consumers in a manner such that the consumer “can reasonably be expected to receive actual notice in writing or, if the consumer agrees, electronically.”

According to the FTC, TaxSlayer violated the Privacy Rule and Regulation P in two ways:  (1) by allegedly failing to provide a clear and conspicuous notice, because TaxSlayer placed its Privacy Policy “towards the end of a long License Agreement,” such that the notice “did not convey the importance, nature, and relevance” of the Privacy Policy to consumers; and (2) by allegedly failing to provide the notice in a manner such that consumers could reasonably be expected to receive it, because TaxSlayer “did not require customers to acknowledge receipt of the initial notice as a necessary step to obtaining a particular financial product or service.”

The Safeguards Rule, which was promulgated by the FTC, requires financial institutions to protect the security, confidentiality, and integrity of customer information by developing, implementing, and maintaining a comprehensive information security program.  The information security program must be written in one or more readily accessible parts.  It must also contain administrative, technical, and physical safeguards that are appropriate to the financial institution’s size and complexity, the nature and scope of its activities, and the sensitivity of the customer information it stores.

According to the FTC, TaxSlayer violated the Safeguards Rule in three ways:  (1) by failing to have a written information security program until November 2015; (2) by failing to conduct a risk assessment to identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information; and (3) by failing to implement information safeguards to control the risks to customer information from inadequate authentication (like list-validation attacks).

The Settlement

As part of the settlement with the FTC, TaxSlayer agreed to not violate the Privacy Rule, Regulation P, or the Safeguards Rule for twenty years; agreed to have a third party audit its compliance program at least once every two years for the next ten years; and agreed to provide the FTC with compliance-monitoring submissions for the next twenty years.

The FTC’s press release is available here.

The TaxSlayer case and settlement underscore how important it is for companies to regularly review their privacy policies and notices, to adopt and implement information security policies and safeguards, and to critically assess information security risks.

The November 3 decision in Alpha Tech Pet, Inc. v. Lagasse, LLC, et al. highlights that one of the key individualized issues present in many TCPA class actions – whether consumers provided their consent to be called, texted, or, as in this case, sent faxes – can defeat class claims.

In its complaint, Alpha Tech Pet alleged that the defendants sent it eight unsolicited fax advertisements in violation of the Telephone Consumer Protection Act, 47 U.S.C. § 227, et seq.  Alpha Tech Pet sought to certify a class of all persons to whom the defendants sent faxes from May 1, 2011 to May 1, 2015.  Importantly, the class included members who had received both solicited and unsolicited faxes.

In March 2017, the United States District Court for the District of Columbia, in Bais Yaakov of Spring Valley v. FCC, held that the TCPA only applies to unsolicited fax advertisements and not to solicited faxes.  Since that decision, “several courts have found class certification inappropriate in TCPA cases where, ‘to determine whether any putative member of the proposed class had a TCPA claim, the Court would first be required to determine whether that proposed class member ‘solicited’ the faxes it received.’”  However, the defendant must first “set forth ‘specific evidence showing that a significant percentage of the putative class consented to the communication at issue’ before a court can find that ‘issues of individualized consent predominate [over] any common questions of law or fact.’”

In Alpha Tech Pet, the United States District Court for the Northern District of Illinois followed these courts’ reasoning, finding “the individualized consent issues created by Bais Yaakov dispositive of plaintiffs’ class certification claims.”  The Court found that the defendants “set forth several different types of consent-related evidence,” namely consent forms provided by the defendants’ customers, a description of the defendants’ practices of requesting fax numbers from customers, and declarations from 25 customer fax recipients who consented to receive the faxes.  The Court held that this was “concrete evidence of consent” by a significant portion of the proposed class.  Accordingly, “individualized consent issues would require a series of mini-trials, thus defeating predominance and superiority.”  The Court therefore grated the defendants’ motion to deny class certification.

While Alpha Tech Pet focuses specifically on consent related to the receipt of faxes, consent will also pose an individualized issue in TCPA class actions involving telephone calls or text messages.  For non-telemarketing calls, the caller must have the prior express consent of the called party while telemarketing calls require prior express written consent of the called party.