On April 3, Iowa Governor Terry Branstad signed SF 2259, which amends the state’s data breach notice law to add a requirement that businesses that experience a data breach notify the state attorney general’s office within five days of discovering or being notified of the breach. Previously, state law required that businesses notify only consumers after discovery or notification. Several existing exemptions to the consumer notice requirement, including for businesses subject to Title V of the Gramm-Leach-Bliley Act, also apply to the attorney general notice requirement. SF 2259 also amends (i) the definition of “breach of security” to cover personal information maintained in any medium that was transferred to that medium from computerized form, e.g., printed records originally maintained in electronic form; and (ii) the definition of “personal information” to include encrypted, redacted, or otherwise protected data. The changes take effect July 1, 2014.
On April 7, Illinois Attorney General (AG) Lisa Madigan sued a payday loan lead generator to enforce a 2012 cease and desist order issued by the state’s Department of Financial and Professional Regulation. The regulator and the AG assert that the state’s Payday Loan Reform Act (PLRA), which broadly defines “lender” to include “any person or entity . . . that . . . arranges a payday loan for a third party, or acts as an agent for a third party in making a payday loan, regardless of whether approval, acceptance, or ratification by the third party is necessary to create a legal obligation for the third party,” required the lead generator to obtain a license before operating in Illinois. The AG claims that the lead generator violated the state’s Consumer Fraud and Deceptive Business Practices Act by offering and arranging payday loans in knowing violation of the PLRA’s licensing and other requirements. The suit also alleges that the lead generator knowingly matched Illinois consumers with unlicensed members of the generator’s payday lender network. The AG is seeking a permanent injunction and a $50,000 civil penalty. On the same day, the AG also announced it filed suits against four online payday lenders for failing to obtain a state license, making payday loans with interest rates exceeding state usury caps, and otherwise violating state payday loan limitations. Those suits ask the court to permanently enjoin the lenders from operating in Illinois and declare all existing payday loan contracts entered into by those lenders null and void, with full restitution to borrowers.
On April 1, New York Attorney General (AG) Schneiderman announced that 10 repossession companies agreed to discontinue repossessing vehicles at the request of title loan companies. The AG states that out-of-state or online lenders offer title loans, which he characterizes as a type of payday loan with high interest rates, to New Yorkers without obtaining a New York license, and offer loans in excess of the 16% interest rate cap applicable to unlicensed lenders. In September 2013, the AG settled with five companies that collected debts on allegedly illegal payday loans, part of a broader effort by New York authorities to address alleged usurious online lending.
On March 25, California Attorney General (AG) Kamala Harris announced that she and four other state AGs—Suthers (CO), Bondi (FL), Cortez Masto (NV), and King (NM)—signed a letter of intent with the President of the National Banking and Securities Commission of Mexico to establish a bi-national working group on money laundering enforcement. The working group will be tasked with (i) establishing the scope of coordination between Mexico and U.S. state AGs on money laundering enforcement issues; (ii) developing a plan for mutual technical assistance and training on combating money laundering; and (iii) sharing best practices on money laundering enforcement techniques and other enforcement issues of mutual concern, including the impact of money laundering on the border region of the U.S. and Mexico.
On March 19, Illinois Attorney General (AG) Lisa Madigan announced a suit against a lender for allegedly offering a short-term credit product designed to evade the state’s usury cap. The AG claims the lender offers a revolving line of credit with advertised interest rates of 18 to 24%, and then adds on “account protection fees.” The AG characterizes those fees as interest substantially in excess of the state’s 36% usury cap. According to the AG, after a borrower takes out the short-term loan, the lender allegedly provides a payment schedule and instructs the borrower to make minimum payments, which consumers who filed complaints with the AG’s office believed was a timeline to pay off the full debt. The complaint is the AG’s first under the Dodd-Frank Act and claims that the lender’s practices take unreasonable advantage of consumers and constitute abusive practices. The complaint also alleges violations of the state Consumer Fraud and Deceptive Businesses Practice Act and seeks restitution, civil penalties, disgorgement, and an order nullifying all existing contracts with Illinois consumers and prohibiting the company from selling lines of credit and revolving credit in Illinois.
On February 27, California Attorney General Kamala Harris issued a guide to assist small businesses in defending against the threat of cybercrime. The guide, which was developed with the California Chamber of Commerce and Lookout, a mobile security company, stresses that small businesses should assume that they are a target for cybercrime and act accordingly. In addition to providing actionable steps to prevent cyber-attacks, the guide encourages every small business to develop a “game plan” for responding to the inevitability of an actual incident: “Experience has shown that many organizations wait until they have actually suffered a serious data breach before attempting to come up with a process for dealing with such a situation – which amounts, effectively, to building an airplane in the air.”
On January 30, Nevada’s Clark County District Court ordered the State AG to pay attorneys’ fees in connection with a mortgage servicing vendor’s attempts to obtain discovery in the state’s case alleging the company facilitated fraudulent residential foreclosures, including through so-called “robosigning” tactics. Nevada v. Lender Processing Svcs., Inc., No. A-11-653289-B, (Nev. Dist. Ct. Jan. 30, 2014). The company asserted that the AG abused the discovery process by repeatedly failing to produce materials sufficient to support its claims under the Nevada Deceptive Trade Practices Act. The court rejected the AG’s defense, among others, that the alleged discovery deficiencies simply reflect disagreements between the parties over the evidence necessary to support a claim under state law. Although not a direct issue in this case, the company’s brief repeatedly calls out the AG’s use of outside counsel and notes a challenge to the AG’s use of an outside firm on a contingency fee basis, which is pending before the state supreme court.
On January 28, Missouri Attorney General Chris Koster announced a settlement with the owners of a vehicle extended-service-contract seller alleged to have marketed limited-time extend warranty programs for vehicles. The AG alleged that the company attempted to sell vehicle breakdown coverage with a generalized and often misleading description of the coverage, and that many customers later discovered their contracts were actually provided by a third party and did not contain the coverage promised. The AG stated that consumers who asked for refunds faced numerous objections and delays. The settlement requires the owners to pay $60,000 to resolve claims of deception, unfair practices, and unlawful insurance practices, and also permanently prohibits them from selling “additive contracts” in Missouri. The AG stated that the settlement “highlights [his office’s] efforts to clean up the auto service contract industry in Missouri and protect consumers from future deceptive sales practices.”
On January 24, the California Attorney General (AG) sued a health care company over its alleged failure to timely submit notice of a 2011 data breach. According to the complaint, the company learned of the breach at the end of September 2011, completed a preliminary investigation in December 2011, and subsequently continued the investigation through mid-February 2012. The company allegedly did not begin mailing notice letters to affected individuals until mid-March. The complaint alleges the company failed to provide such notice in the most expedient time possible, which the AG alleges could have commenced in December 2011. The complaint also includes allegations regarding the actual breach at issue. The AG is seeking statutory penalties of $2500 per violation. Among other things, the suit demonstrates the AG’s inclination to take privacy and data security actions beyond the California Online Privacy Protection Act.
On January 24, New York Attorney General (AG) Eric Schneiderman announced the resolution of a lawsuit filed in August 2013 against Native American tribe-affiliated payday lending firms and their owners for allegedly violating the state’s usury and licensed lender laws in connection with their issuing of personal loans over the Internet. The AG claims that the companies charged New York consumers annual interest rates on payday loans far in excess of the 16% rate cap set by state law. According to the announcement, the defendants agreed to modify the terms of all outstanding loans made to New York borrowers and to not collect interest on outstanding loans. The defendants also must provide refunds to borrowers who have paid back more than the principal of their loan plus the state-capped interest rate of 16%, and pay $1.5 million in penalties. The companies also must become licensed in New York before offering new loans in the state.
On January 14, the U.S. Supreme Court unanimously held that an action filed by a state attorney general seeking restitution on behalf of hundreds of the state’s citizens who are not themselves parties to the action is not a “mass action” within the meaning of the Class Action Fairness Act (CAFA), and that such a suit cannot be removed to or filed in federal court under that Act. Mississippi ex rel. Hood v. AU Optronics Corp., No. 12-1036, 2014 WL 113485 (Jan. 14, 2013). In this case, defendants in a civil suit brought by the Mississippi Attorney General on behalf of allegedly harmed state citizens sought to invoke CAFA’s provision allowing the removal of “mass actions,” those “in which monetary relief claims of 100 or more persons are proposed to be tried jointly on the ground that the plaintiffs’ claims involve common questions of law or fact.” The district court and Fifth Circuit looked to the “real parties in interest”—the more than 100 allegedly harmed state citizens—and determined that the case qualified as a mass action. The Court disagreed and held that under a plain reading of CAFA, “100 or more persons” refers to named plaintiffs, not unnamed parties in interest. The Court explained that (i) CAFA uses “persons” and “plaintiffs” the same way they are used in Federal Rule of Civil Procedure 20, i.e. as individuals who are proposing to join as “plaintiffs” in a single action; and (ii) “claims of 100 or more” unnamed individuals cannot be “proposed to be tried jointly on the ground that the. . . claims” of some completely different group of named plaintiffs “involve common questions of law or fact.” Further, the Court determined that (i) the CAFA provision that a “mass action” removed to federal court may not be transferred unless a majority of plaintiffs so request would be unworkable if “plaintiffs” included unnamed real parties in interest; and (ii) Congress did not intend that courts conduct an inquiry into the real parties in interest. The Court declined to reach the issue of whether other state attorney general cases could be deemed class actions under different facts. In the rulings below, both the district and appeals courts rejected defendants’ argument that the suit was a class action. The Court also did not reach the issue present in the underlying decisions of whether the suit fell within the “general public” exemption to CAFA mass actions.
On January 17, New York Attorney General (AG) Eric Schneiderman announced that Gary Fishman will lead a new Criminal Enforcement and Financial Crimes Bureau. The bureau, which expands the Attorney General’s former Criminal Prosecutions Bureau, will focus on combating complex financial crimes in (i) bank and financial institution fraud; (ii) securities and investment fraud; (iii) money laundering; (iv) tax crimes; (v) mortgage fraud; (vi) investment schemes; and (vii) insurance fraud. The bureau also intends to form a Financial Intelligence Section that will review banking, regulatory, law enforcement, and open-source data to identify trends that will enhance the investigation and prosecution of financial crime schemes. Mr. Fishman has served as Senior Investigative Counsel since joining the AG’s office in 2012. Prior to joining the AG’s office, Mr. Fishman was the Managing Director of Investigative Group International and before that served as a New York County District Attorney’s Office prosecutor for more than 15 years, including as the Principal Deputy Chief of the Major Economic Crimes Bureau in the Investigation Division.
On December 30, Massachusetts Attorney General (AG) Martha Coakley announced the state’s sixth settlement related to allegedly unlawful RMBS practices, which resulted from the AG’s ongoing review of subprime mortgage securitization practices in Massachusetts. The most recent agreement requires an underwriting firm to pay a total of $17.3 million, which includes $11.3 million to be dedicated to compensate government entities that had invested with the Massachusetts Pension Reserve Investment Management Board and $6 million to be paid to the state.
On December 16, the North Carolina attorney general (AG) filed a lawsuit against an online payday lender, two loan servicers, and a related debt collection company, and the Colorado AG filed suit against the same loan servicers and collection company. The Colorado AG previously filed a separate suit against the lender. In addition, the New Hampshire AG promised to enforce a state banking department order against the same entities targeted in the other state actions. All three actions are parallel to, and were taken in coordination with, a CFPB action filed December 16 purportedly signaling broader pursuit of “regulatory-evasion schemes.” In general, the states are alleging that the lender violated state usury or licensing laws in the online origination of short-term, small dollar loans. The lender asserts that it is a Native American sovereign entity not subject to relevant state laws. The states also allege that a servicer, either in its own name or through a related entity, provided the lender with marketing, web hosting and customer services, collected consumer information, and conducted the loans’ initial underwriting review, and then purchased all loans immediately after origination. The states further allege that either the servicers or a related debt collection company engaged in servicing and collections, and that the totality of the activities violated state lending and licensing laws by, among other things, financing and collecting on illegal payday loans. The state AG suits are similar to suits previously filed by other state attorneys general, including in New York, Georgia, Minnesota, and Virginia.
On December 19, the CFPB and attorneys general for 49 states and the District of Columbia, and a nonbank mortgage servicer, filed a proposed consent order in the U.S. District Court for the District of Columbia, pursuant to which the servicer will be required to provide $2 billion in principal reduction to certain borrowers and refund $125 million to nearly 185,000 borrowers who were foreclosed upon.
The agreement is modeled on the 2012 national mortgage servicing settlement between five banks and federal and state authorities, and it is the first such agreement with a nonbank mortgage servicer. The proposed order would resolve allegations that the servicer, and two other servicers it acquired in recent years, engaged in unfair and deceptive acts and practices in the servicing of residential mortgages and foreclosure processing in violation of state consumer protection laws and the Consumer Financial Protection Act. Those allegations are detailed in a complaint filed by the CFPB and states on the same day.
Along with the monetary settlement, the agreement requires the servicer to implement numerous servicing policy changes, which incorporate the standards established in the national servicing settlement and add requirements related to transferred loans. The servicing requirements included in the settlement are in addition to new servicing standards the CFPB finalized earlier this year, which take effect on January 10, 2014. Compliance with the agreement will be overseen by the monitor of the national settlement. The agreement does not include releases for any potential claims of criminal liability and does not prohibit private actions.