On September 25, the FTC announced the settlement of its first case against a debt collector for using text messaging to attempt to collect debts in an allegedly unlawful manner. The complaint, filed on August 23, alleged that an individual and the two debt collection companies he controlled violated the FDCPA and FTC Act when the companies failed to disclose in English- and Spanish-language text messages and phone calls that the companies were debt collectors and that they falsely portrayed themselves as law firms. The FTC also alleged that the defendants illegally revealed debts to the consumers’ family members, friends, and co-workers. To resolve the FTC’s claims, the companies agreed to pay a $1 million civil penalty, agreed not to send text messages omitting the disclosures required by law and agreed to obtain a consumer’s express consent before contacting them by text message. The defendants are also barred from falsely claiming to be law firms and from falsely threatening to sue or take any action – such as seizure of property or garnishment – that they do not actually intend to take.
On September 25, Senator Jay Rockefeller (D-WV) released letters he recently sent to 12 popular “personal finance, health, and family-focused websites” for assistance in an ongoing Senate Commerce Committee investigation into the way data brokers collect and share personal information. According to Senator Rockefeller, the letters were sent in part because “several data brokers have refused to disclose to the Committee specific sources of consumer data, preventing the Committee from fully understanding how the industry operates.” Senator Rockefeller began this investigation in October 2012 with letters to a number of data brokers. In connection with this latest round of letters, the Senator states that “hundreds of thousands of websites that gather information directly from consumers may be a source of consumer information for data brokers,” and that he believes some websites’ privacy policies “leave room for sharing a consumer’s information with data brokers or other third parties.” The Senate investigation parallels an investigation by members of the House of Representatives and the FTC’s ongoing activity with regard to data brokers.
On September 23, California Governor Jerry Brown signed SB 568, which prohibits an operator of a website, online service, online application, or mobile application from (i) marketing or advertising certain products or services to a minor and (ii) knowingly using, disclosing, compiling, or allowing a third-party to use, disclose, or compile, the personal information of a minor for the purpose of marketing or advertising specified types of products or services. The provisions apply to marketing provided by an advertising service if the operator notifies the service that the website, online service, or application is directed to minors. The bill also requires operators to permit a minor, who is a registered user of the operator’s website, online service, online application, or mobile application, to remove, or to request and obtain removal of, content or information posted on the operator’s website, service, or application by the minor. The law provides exceptions for content or information posted by a third-party, or if (i) any other provision of state or federal law requires the operator or third party to maintain the content or information or (ii) the operator anonymizes the content or information. The law is effective January 1, 2015.
On September 18, the U.S. District Court for the Western District of Washington held that an employee’s computer, issued by the employer, is not a “facility” subject to protections of the Stored Communications Act. Roadlink Workforce Solutions, L.L.C. v. Malpass, No. 13-5459, 2013 WL 5274812 (W.D. Wash. Sept. 18, 2013). In this case, an employer sued a former employee for allegedly copying and then deleting certain information from an employer-issued computer before leaving to work for a competitor. The employer claimed a private right of action under the Stored Communications Act based on its allegation that the former employee intentionally exceeded his authorization to access a “facility through which an electronic communication service” it provided, and obtained and altered an electronic communication while it was in electronic storage. The court held that the employer-issued computer was not a facility through which an electronic communication service is provided, citing to previous decisions holding that including personal computing devices within the definition of “facility” would render other parts of the SCA illogical. The court reasoned that the plaintiff’s definition of facility would mean that any web site accessed on the computer would be a “user” of the communication service provided by the computer, and exempt from the SCA because of the exception for communications “of or intended for” that website. The court also held that the employer failed to demonstrate that the files accessed were in electronic storage because emails that have been opened but not deleted to not fit the SCA’s definition of “storage.” The court dismissed the employer’s SCA claim and a claim under the Computer Fraud and Abuse Act, but retained jurisdiction over certain state claims.
Comptroller Highlights Emerging Cybersecurity Risks, Discusses OCC and Financial Institution Responses
On September 18, in remarks before the Exchequer Club, Comptroller of the Currency Thomas Curry highlighted the emerging operational risks for financial institutions posed by cyberattacks, one of several risk areas identified by the OCC in its recent semiannual report. Comptroller Curry bank cyberattacks have lead to only minor disruptions so far, but are evolving and growing with the development and implementation of new technologies. The Comptroller identified the OCC’s and other federal banking agencies’ attempts to address these risks, including through an FFIEC working group created earlier this year. The Comptroller hopes the working group will address cyber issues through changes to examination policy and by supporting increased information sharing and communication between regulated institutions and their regulators, as well as among regulators and other government entities. According to the Comptroller, the OCC currently is engaged in outreach on this issue to all of its regulated institutions, but is especially focused on assisting community banks and thrifts. The Comptroller urged financial institutions, their boards, and senior level management to be aware of and engaged on the risks posed by cyber threats, including, for example, by considering the potential for new products or strategic business decisions to create new vulnerabilities. He also implored institutions and their leaders to effectively share information, such as through industry cyber threat sharing organizations.
Recently, the Organization for Economic Cooperation and Development (OECD) released updates to its privacy guidelines, with a focus on (i) practical implementation of privacy protection through risk management, and (ii) addressing the global dimension of privacy through improved interoperability. The revised guidelines, which the OECD describes as the first update of the original 1980 version that served as the first internationally agreed upon set of privacy principles, incorporate new concepts related to (i) national privacy strategies, (ii) privacy management programs, and (iii) data security breach notification. The new guidelines also reflect the organization’s modern views with regard to trans-border data flows, organizational accountability, and privacy enforcement.
On September 2, the U.S. Court of Appeals for the Fifth Circuit restored a group of financial institutions’ negligence claim against a payment processor in Lone Star Nat. Bank v. Heartland Payment Systems, No. 12-20648, 2013 WL 4728445 (5th Cir. Sept. 3, 2013). The restored claim relates to a 2008 data breach of a payment processor’s systems that exposed 130 million credit card numbers to cyberthieves. As a result of the breach, the institutions incurred costs to replace consumers’ compromised credit cards and to refund fraudulent charges. The ruling reversed the district court, which held that New Jersey’s economic loss doctrine barred the institutions’ negligence claim and limited them to seeking contractual remedies from the payment processor. The Fifth Circuit ruled that negligence claims for such losses are permitted where, as here, there is a distinguishable class of plaintiffs who are owed a duty and the defendant is not exposed to boundless liability.
On August 30, the California Court of Appeals for the Second Circuit held that a company was bound by the terms of an unexecuted agreement sent via email because it accepted the email offer through performance. DC Media Capital v. Imagine Fulfillment Services, No. B239081, 2013 WL 4665219 (Cal. Ct. App., Aug. 30, 2013). Notably, the court also found that a subsequent email exchange between the parties about modifying a contract term effectively amended the contract such that the company could be held liable for breach. We note that this decision is not certified for publication.
On August 29, the U.S. District Court for the Northern District of Illinois ordered an online payday loan operation to cease business activities and freeze assets in response to a complaint and memorandum filed by the FTC on August 27. Federal Trade Commission v. Caprice Marketing, LLC, No. 13-cv-6072 (N. Dist. Ill. Aug. 29, 2013). The FTC alleges that the defendants obtained sensitive personal and financial information from consumers by falsely representing that such information would be used to match consumers with payday lenders but instead used the information to make unauthorized withdrawals from consumer accounts.
Tenth Circuit Asks Oklahoma Supreme Court to Decide Application of Internet Based Terms to Written Contract
On August 15, the U.S. Court of Appeals for the Tenth Circuit asked the Oklahoma Supreme Court to decide whether a written consumer contract for the sale of goods incorporates by reference a separate document entitled “Terms of Sale” available on the seller’s website, when the contract states that it is “subject to” the seller’s “Terms of Sale” but does not specifically reference the website. Walker v. BuildDirect.com Techs., Inc., No. 12-6261, slip op. (10th Cir. Aug. 15, 2013). In this case, the plaintiffs filed a putative class action over allegedly defective home building products they ordered from the seller by telephone and subsequently agreed to purchase by written contract. The seller moved to compel arbitration, arguing that the written contract for the sale of goods incorporated by reference the Terms of Sale provided on the seller’s website, which included an arbitration clause. The district court denied the motion to compel, holding that the contract was ambiguous and that it could not determine as a matter of law that the contract incorporated the Internet-based terms. On appeal, the court noted that, although Oklahoma courts have held that a written contract can incorporate an extrinsic document by reference, the state’s highest court has not set standards for incorporation by reference that would resolve this case, nor has it addressed a case similar to this one. Finding no precedent in Oklahoma state law, and that the question can be resolved on the undisputed facts presented, the appeals court certified the question to the Oklahoma Supreme Court.
On August 12, New York Attorney General (AG) Eric Schneiderman announced a lawsuit against payday lending firms and their owners for allegedly violating the state’s usury and licensed lender laws in connection with their issuing of personal loans over the Internet. The AG claims that the companies charged annual interest rates from 89% to more than 355% to thousands of New York consumers, which rates far exceed the 16% rate cap set by state law. The AG joins the FTC and other state attorneys general who have acted against some of these and other Internet lending companies. Federal and state authorities more generally have been ratcheting up their scrutiny of online lending, and the AG’s action follows an inquiry initiated last week by the New York Department of Financial Services concerning payday lending. The AG states that his investigation began last fall. He is seeking a court order prohibiting the companies and individuals from engaging in further illegal lending or enforcing existing usurious loan contracts, cancellation of all outstanding loans, restitution for borrowers of all interest collected above the legal limit of 16% interest, disgorgement of profits, and penalties of up to $5,000 per violation for deceptive acts and practices.
On August 12, Senators Tom Carper (D-DE) and Tom Coburn (R-OK), the leaders of the Senate Committee on Homeland Security and Government Affairs, sent a letter to Secretary of Homeland Security Janet Napolitano regarding federal virtual currency policy. The committee reportedly sent similar letters to the DOJ, the Federal Reserve Board, the Treasury Department, the SEC, the CFTC, and the OMB. Citing a federal court’s recent holding that virtual currency Bitcoin is money or currency for the purpose of determining jurisdiction under the Securities Act of 1933, as well as other recent developments related to virtual currencies, the lawmakers seek information about (i) the agencies’ existing policies on virtual currencies, (ii) coordination among federal or state entities related to the treatment of virtual currencies, and (iii) “any plans” “strategies” or “ongoing initiatives” regarding virtual currencies. This recent scrutiny of virtual currencies follows regulatory and enforcement actions taken earlier this year, including guidance issued by FinCEN and federal criminal charges against a digital currency issuer and money transfer system. For a review of those actions and other state and federal regulatory challenges facing emerging payment providers, please see a recent article by BuckleySandler attorneys Margo Tank and Ian Spear.
As the technology continues to grow and become a part of day-to-day life, smartphones and tablets are reshaping the delivery of financial services to consumers. The mobile device is quickly becoming a full-fledge platform for electronic financial services, especially for mobile payments.
The variety and number of mobile devices and service providers to support them has introduced new and different stakeholders – all of whom are competing with traditional financial institutions for dominance in the mobile commerce/mobile payment space. This new and rapidly evolving environment presents new and operational risks for consumers, payment providers, and the recipients of the payments. It will be vital to identify who has legal responsibility and liability for the various risks associated with payment platforms and payment transactions.
To learn more about the mobile technology issues impacting the financial services industry, please review some of our recent articles on the issue. BuckleySandler attorneys Margo Tank and David Whitaker raise legal considerations surrounding the regulatory uncertainty in mobile payments in their article, “Is Regulatory Uncertainty an Impediment to Mobile Payments?” earlier this year. In “Federal Regulators Issue Guidance on Social Media and Mobile Privacy” Margo, David, and Ian Spear discuss the recent guidance and flexible guidelines issued by the FFIEC and FTC. Another recent article by Margo and David provides a list of the accessibility items financial services companies should consider when developing their websites and mobile apps.
On August 12, New York Department of Financial Services (NY DFS) Superintendent Benjamin Lawsky issued a notice of inquiry about the “appropriate regulatory guidelines that [the NY DFS] should put in place for virtual currencies.” The NY DFS notes the emergence of Bitcoin and other virtual currency as the catalyst for its inquiry, and the notice states that the NY DFS already has “conducted significant preliminary work.” That preliminary work includes 22 subpoenas the NY DFS reportedly issued last week to companies associated with Bitcoin.
The NY DFS is concerned that virtual currency exchangers may be engaging in money transmission as defined in New York. Under existing New York law, and the laws of a majority of other states, companies engaged in money transmission must obtain a license, post collateral, submit to periodic examinations, and comply with anti-money laundering laws. However, the NY DFS also suggests that regulating virtual currency under existing money transmission rules may not be the most beneficial approach. Instead, it is considering “new guidelines that are tailored to the unique characteristics of virtual currencies.” The NY DFS notice does not provide any timeline for further action on these issues.
Meanwhile, the U.S. Senate Committee on Homeland Security and Government Affairs is reviewing federal policy as it relates to virtual currencies. Read more…
On August 6, the U.S. District Court for the Eastern District of Texas held that the court has subject matter jurisdiction over the SEC’s claims that a Texas man and his company defrauded investors in a Ponzi scheme involving Bitcoin. SEC v. Shavers, No. 13-416, 2013 WL 4028182 (E.D. Tex. Aug. 6, 2013). The SEC filed suit last month alleging that the man misled investors with false assurances about the investment opportunity in Bitcoin-denominated investments he offered and sold through the Internet, while actually using Bitcoin payments received from new investors to make purported interest payments and to cover investor withdrawals. In addressing subject matter jurisdiction, the court held that the institution’s investments meet the definition of investment contract, and are securities because, among other things, Bitcoin is within the definition of “money” for purposes of the rules governing investment contracts – Bitcoin can purchase goods or services, and can be exchanged for conventional government-backed currencies. Therefore, the court held that investors who provided Bitcoin investments provided “money,” and the court has jurisdiction to hear the case under the Securities Act of 1933 and the Exchange Act of 1934.