State AG Monitor

States Seek Strengthened Data Breach Laws

Posted in Data Privacy, States v. Federal Government

Data privacy and breach notification have become hot topics for state legislatures—thanks, in part, to the prompting of State AGs and a recent spate of high-profile data breaches affecting millions of consumers. During the first half of 2015, 32 state legislatures considered bills to significantly amend or enhance state laws on consumer data protection. At least 13 of those have made it beyond the governor’s desk, and of those still pending, many stand a good chance of being passed, in some form, in the fall term as the issue is one with broad bipartisan support.

General Trends

The 2015 bills demonstrate the variability of state policy approaches to addressing a common problem. Yet, for the most part, the bills demonstrate a few general trends in data protection:

  • AG Involvement: Many of the new bills require the breached entity to provide notification to the State AG, at least when facing a breach that affects a certain threshold number of consumers. States differ on the number of affected consumers necessary to trigger the reporting requirements, or the number of days a company has to report after discovering the breach, but there is a clear trend toward greater AG authority to investigate data breaches and comment on companies’ data privacy policies.
  • Encryption: The 2015 bills continue to focus on the issue of encryption, creating a safe harbor from liability for businesses that store data and personal information in encrypted format. The new Washington law goes even further: it identifies a minimum standard for encryption, and grants safe harbor only when the breach does not also provide access to the encryption key or another means of decrypting the data.
  • A Growing Universe of Covered Data: State legislatures continue to expand protection to a broader set of consumer data. For example, Nevada now protects health insurance identification numbers, state driver identification numbers, credit and debit card numbers, social security numbers, user names or email addresses with passwords, and bank account information; North Dakota added consumer birth dates, mothers’ maiden name, and employment identification credentials to the list of protected data. Other states want to include birth certificates, medical information, digital signatures, security tokens, and biometric information.
  • Expanded Jurisdiction: The 2015 legislative efforts demonstrate a continued movement toward establishing liability not only for the owners of the data or the databases, but also for businesses that license, maintain, or simply access data, regardless of ownership (see, e.g., Illinois S.B. 1833). Likewise, states are also expanding liability to businesses that maintain data on state residents, even if those businesses are not residents and have no business in the state.
  • Post-Breach Mitigation: A rapidly growing trend is the requirement that a business provide identity theft protection and loss mitigation services following a data breach for which it is at fault. Certain State AGs have required this on an ad hoc basis for the past few years, but the idea to codify loss mitigation started in California last year. As we indicated then, trends can spread quickly among state legislatures. Although states appear to be converging on a 12-month period for such protection (see, e.g., Pennsylvania S.B. 753), some AGs may view these provisions as a floor, and insist on greater coverage for more severe breaches.
  • Student Data Protection: Finally, states are also looking to expand protections for student-specific data. For example, Virginia H.B. 2350 would require the state department of education to create a model data security protocol to protect student data privacy, with the idea that it could then be adopted by school districts. New Hampshire H.B. 322, Utah H.B. 163, and North Dakota S.B. 2326 all attempt to create similar legislative frameworks for protecting students.

New Ideas

In this rapidly evolving area of law, policy makers are not always content to follow trends, but choose instead to get out in front of the next new problem. The lineup of 2015 bills provides a glimpse of new ideas that could find staying power among policy makers, including the following:

  • Biometrics: Biometric data is beginning to make its way into legislative definitions of protectable personal information. For example, Oregon S.B. 601 looks to protect “data from automatic measurements of a consumer’s physical characteristics, such as an image of a fingerprint, retina or iris…” Wyoming S.B. 36 includes “data generated from measurements or analysis of human body characteristics for authentication purposes.”
  • Mobile: States are also experimenting with provisions that specifically address mobile data issues. Connecticut S.B. 949 includes a provision that requires companies that sell smart phones to ensure capability for the owner to lock out the phone when it is lost or stolen. Illinois S.B. 1833 contained a provision that would have expanded protected personal information to include geolocation data; however, that bill was vetoed by the Governor on the basis that guarding geolocation data was too onerous, and not in line with other states’ requirements. As more consumer activity migrates to the mobile web, we are likely to see more states try to address mobile-specific issues of data security.
  • Secure Access Measures: In certain sensitive industries like insurance and banking, a few states have sought to require companies to use specific data security protocols, like multifactor verification, secure access controls, and internal security compartmentalization that prevents employees and third-party affiliates from accessing data outside the specific needs of their duties, and creates firewalls against hackers who gain access to one area of the system.

Harmonization or Amalgamation?

It is not too surprising that state policies addressing a rapidly evolving area of law—like consumer data privacy—will vary in their approach. As uniform federal legislation has failed to build consensus in Congress, and since State AGs are almost uniformly against federal legislation on this topic that would preempt state law, the baton remains in the hands of state legislatures.

Although it is still too early to determine whether a unified theory of data protection will emerge from the assorted state efforts, the business reality is that it might not even matter. As states focus their data breach jurisdiction on consumers, and businesses expand in a digital space without state lines, the stricter elements of each state’s data privacy regime will become part of an amalgamated national approach. Illinois Governor Rauner essentially acknowledged this in the text accompanying his veto of S.B. 1833, where he argued that Illinois need not require companies to post a privacy notice on their website, because California already does. Thus, for large and midsized companies, rather than customize privacy policies for each state where their consumers live, the goal will be to craft a single policy with maximum compliance.

State AGs in the News

Posted in Consumer Financial Protection Bureau, Consumer Protection, Data Privacy, Health Care, Securities, State AGs in the News

Consumer Financial Protection Bureau

CFPB Joins With New York Department of Financial Services to Sue Pension Advance Companies

  • The Consumer Financial Protection Bureau (CFPB) and the New York Department of Financial Services (DFS) filed a lawsuit against Pension Funding LLC, Pension Income LLC, and managers Stephen Covey, Edwin Lichtig, and Rex Hofelter (“defendants”), for violating the Consumer Financial Protection Act and various New York state laws.
  • The complaint alleges that defendants used deceptive practices to steer military veterans and civil servants to defendants’ website, and then offered lump sum cash advances to the consumers in exchange for their agreement to redirect all or part of their pension payments to defendants over a period of eight years. The complaint alleged that defendants falsely advertised their product was a pension buyout (not a loan), and that it had low or no applicable interest rate and no associated costs or fees. In addition, defendants allegedly misrepresented that their product would not appear on credit reports, was not taxable, and was better than a home equity loan.
  • The CFPB and DFS, however, claim that the effective interest rate was usually greater than 28 percent—a full 12 percent higher than what is allowed by New York state usury laws, and significantly higher than comparable products such as credit cards and home equity lines. Plaintiffs seek a permanent injunction, as well as damages, disgorgement, civil penalties, and costs and fees.

Consumer Protection

AGs Seek Clarity and Procedures for Cancelation of Student Debt

  • AGs from 11 states sent a letter to the U.S. Department of Education (DOE), requesting enhanced procedures and policies to govern the process of discharging student debt associated with attendance at Corinthian and other for-profit schools.
  • The AGs’ letter specifically asks that the DOE address four main concerns:
    • the creation of a simplified process for student borrowers to apply for discharge of their loans;
    • greater participation of AGs in the process of determining whether a for-profit school has committed a deceptive practice;
    • loan discharges based on groups or cohorts of students, based on the AGs’ investigative results (not individual applications); and
    • clear guidance as to the types of loans that are eligible, the extent to which students can recover amounts already paid, and the ability to discharge loans that have already been consolidated.
  • The DOE announced that it is undertaking a rulemaking process that will clarify how certain borrowers can seek debt relief, and will strengthen provisions to hold colleges accountable for wrongdoing that results in loan discharges. The DOE plans to hold public hearings in September to establish a negotiated rulemaking committee.

FTC Shines Light on UV Disinfectors

  • The Federal Trade Commission (FTC) reached settlements with Angel Sales, Inc. and Zadro Health Solutions, Inc., resolving claims that the companies violated the FTC Act by engaging in unfair and deceptive practices and false advertising in connection with the marketing of devices that use ultraviolet light to disinfect shoes, water, and surfaces.
  • The FTC alleged (Angel Sales, Zadro) that the companies made unsubstantiated claims about their devices’ efficacy in killing certain levels of bacteria and fungi. For example, Angel Sales claimed its device “kills over 95% of germs, bacteria, even the fungus responsible for the highly contagious MRSA bacteria – in less than one hour” and Zadro claimed its products “safely kill 99.99% of targeted bacteria.” The FTC also alleged that the companies falsely implied that scientific studies supported their claims.
  • The stipulated orders (Angel Sales, Zadro) prohibit the companies from making unsubstantiated claims, expressly or by implication, and require 10 years of compliance and record-keeping. Although the FTC issued monetary judgments against both companies ($656,423 and $629,359, respectively), Angel Sales’ judgment is suspended entirely, and Zadro’s judgment partially, based on their inability to pay. Zadro must provide $222,029 for consumer refunds.

Data Privacy

Court of Appeals Confirms FTC Authority Over Cybersecurity Practices

  • The Third Circuit Court of Appeals affirmed that the Federal Trade Commission (FTC) has authority to regulate companies’ cybersecurity protections for consumer data under Section 5 of the FTC Act, prohibiting “unfair or deceptive acts or practices in or affecting commerce.”
  • As we already reported, in FTC v. Wyndham Worldwide Corporation, the district court found that the FTC’s enforcement authority included data breaches. Wyndham appealed that decision, arguing that the FTC did not have authority to punish private businesses for maintaining a different level of data security than that advised by the FTC.
  • In response, the Third Circuit indicated that Wyndham’s liability was not based on the standard of data security it employed, but rather on the fact that it published a privacy policy “to attract customers who are concerned about data privacy” but failed to deliver by “investing inadequate resources in cybersecurity” and instead exposed its customers to substantial financial injury, while retaining the profits of their business.

Health Care

New York AG Pursues Hospitals With Alcohol Problems

  • New York AG Eric Schneiderman, together with the U.S. Attorney for the Eastern District of New York, reached settlements with multiple hospitals to resolve a joint investigation into alleged Medicare fraud and violations of the False Claims Act.
  • The AG alleged that SpecialCare Hospital Management Corporation, a for-profit hospital management company based in Missouri, referred patients to Columbia Memorial Hospital, St. Joseph’s Medical Center, and Benedictine Hospital (“treatment hospitals”) to receive medically unnecessary inpatient drug and alcohol treatment services, from unlicensed providers, in exchange for kickbacks in the form of an administrative services agreement.
  • SpecialCare and its former Chief Executive Officer agreed to pay $6 million to resolve the claims against it. SpecialCare also entered into a corporate integrity agreement with the U.S. Inspector General’s Office, and agreed to a five-year injunction on doing business with any health care provider in New York that submits claims to Medicaid or Medicare. For their part in the alleged scheme, Benedictine agreed to pay $880,000; St. Joseph’s $600,000; and Columbia Memorial $650,000.

Florida Looks to Crack Down on Rising Health Care Costs

  • Florida Governor Rick Scott has increased the number of planned audits of state hospitals from 31 to at least 129 in an effort to determine whether they have been overcharging Medicaid in violation of Florida law.
  • The audit follows an inquiry by the state Agency for Health Care Administration, in which the agency sought confirmation from various hospitals that they were in compliance with Florida Statute 409.975, which caps the rate that hospitals can charge the Medicaid program at 120 percent of the rate determined by the Agency.
  • Governor Scott’s concerns over Medicaid overcharges likely stem from the state’s budgetary problem, in which the state is looking to cut spending on Medicaid at a time when health care costs in the state are rising. By some accounts, Florida will be short $579 million in meeting its health care funding needs for 2016-17.

Securities

Federal Judge Looks Into Dark Pools, Doesn’t See Viable Claims

  • A federal judge for the Southern District of New York has dismissed claims against major U.S. stock exchanges and Barclays Plc in connection with allegations that they created “dark pool” alternative trading platforms and allowed high-frequency traders to front-run regular investors’ trades.
  • The court conceded that the dark pools might lack a “productive purpose” and “merely allow[ed] certain traders to exploit technological inefficiencies.” Yet it found that the exchanges, as self-regulated organizations, enjoyed “absolute immunity” against plaintiffs’ claims that they created complex orders for, and provided nonpublic information to, high-frequency traders, allowing the traders to exploit the infrastructure of the data feeds and networking of the exchanges. The judge indicated that such immunity even applies when the exchanges “act in a capricious, even tartuffian manner which causes enormous damage.”
  • In February, a New York state court denied Barclays’ motion to dismiss claims brought by AG Eric Schneiderman, alleging that Barclays violated the New York Martin Act when it made material misrepresentations to investors regarding how its dark pool trading platforms operated. That case is ongoing.

State AGs in the News

Posted in Antitrust, Consumer Protection, Data Privacy, False Claims Act, State AGs in the News

Hot News

Commissioner Joshua Wright to Leave FTC

  • The Federal Trade Commission (FTC) announced this week that Commissioner Joshua D. Wright, a Republican member of the FTC, will resign his position on Monday, August 24, 2015.
  • Wright, who has been with the agency since January 2013, will return to George Mason University School of Law as a Professor of Law.
  • The announcement was made less than a week after the FTC issued official guiding principles on its Section 5 enforcement authority, which we talked about in last week’s post.

Antitrust

Pharmaceutical Companies Settle With FTC Over Generic ADHD Drug Allegations

  • Concordia Healthcare Corp. and Par Pharmaceutical Holdings Inc. settled with the Federal Trade Commission (FTC) this week regarding allegations that the companies engaged in anticompetitive conduct.
  • The FTC alleged that Concordia and Par entered into an agreement not to compete in the sale of the generic version of Kapvay, which treats attention deficit hyperactivity disorder. According to the FTC complaint, Concordia agreed not to sell the generic drug in exchange for a share of Par’s revenues, resulting in higher prices for consumers.
  • Under the settlement, among other things, the companies are prohibited from continuing the alleged anticompetitive practice and both companies are prohibited from entering agreements to bar or delay entry of an authorized generic drug.
  • In June, we reported a similar settlement where Cephalon Inc. and its parent company, Teva Pharmaceutical Industries Ltd., agreed to pay $1.2 billion to settle FTC allegations that Cephalon reached agreements with drug manufacturers that blocked generic drug competition.

Consumer Protection

Forty-nine States and the District of Columbia to Share $71 Million Settlement

  • Numerous State Attorneys General (e.g., here, here and here) announced a $71 million multistate settlement this week with Amgen Inc. to resolve allegations that the pharmaceutical company violated consumer protection laws through alleged deceptive and misleading marketing of its Enbrel and Aranesp medications.
  • The states alleged, among other things, that the company unlawfully promoted its anemia drug Aranesp and its arthritis and psoriasis drug Enbrel for off-label uses that were contrary to Food and Drug Administration (FDA) approval and made unapproved and unsubstantiated claims related to the drugs. As part of the Consent Judgment, Amgen must change its marketing and promotional practices and not make any false, misleading, or deceptive claims in promoting Enbrel or Aranesp.
  • West Virginia Attorney General Patrick Morrisey said “[t]his settlement is a win for West Virginia consumers. We enforce our consumer protection laws in a vigorous yet fair manner, and this settlement will help ensure West Virginia doctors and patients aren’t deceived by unlawful drug marketing practices.”

Data Privacy

Target Settles With Visa Over Data Breach

  • Target Corporation reportedly has reached a settlement agreement with Visa, agreeing to reimburse costs related to its 2013 data breach to Visa and the financial institutions that issued the cards. While Target has not announced a dollar amount, sources say that the retail giant has agreed to pay up to $67 million.
  • The data breach exposed 40 million debit and credit card accounts and Target reportedly has incurred $162 million in net expenses related to the breach as of January of this year. Some financial institutions have sued Target, saying they have spent billions of dollars replacing compromised cards and increasing customer service operations because of the data breach.

False Claims Act

Missouri Hospital Agrees to Pay $5.5 Million to Settle Alleged False Claims Act Violations

  • The Department of Justice (DOJ) announced that Mercy Health Springfield Communities, formerly known as St. John’s Health System Inc., and its affiliate, Mercy Clinic Springfield Communities, formerly known as St. John’s Clinic, have agreed to pay $5.5 million to settle allegations that they violated the False Claims Act.
  • The DOJ alleged that the hospitals submitted false claims to the Medicare program for services rendered to patients referred by physicians who improperly received bonuses based on the value of those referrals. While there was no determination of liability by the DOJ, the hospital agreed to pay $5.5 million to settle the allegations.
  • A lawsuit filed by a whistleblower, a physician employed by the hospital, under the qui tam provisions of the False Claims Act, sparked the DOJ investigation and is part of DOJ’s Health Care Fraud Prevention and Enforcement Action Team (HEAT) initiative, which began in 2009. The case is United States ex rel. Moore v. Mercy Health Springfield Communities f/k/a St. John’s Health System, Inc., et al., Case No. 13-3019-CV (W.D. Mo).

State AGs in the News

Posted in Antitrust, Consumer Financial Protection Bureau, Consumer Protection, Data Privacy, Intellectual Property, Securities, State AGs in the News

AG Insights

  • In a recent post, Dickstein Shapiro Counsel Doreen Manchester weighs the pros and cons of pending federal legislation on cosmetic products, and offers commentary on the effect it might have on the industry.

Breaking News

FTC Offers Guidance on Section 5 Enforcement Authority

  • The Federal Trade Commission (FTC) has issued an official statement on how it will interpret and enforce its authority to “prevent unfair methods of competition” under Section 5 of the FTC Act. The FTC voted four to one to issue the statement, with Commissioner Ohlhausen dissenting.
  • The FTC statement indicates that the FTC will consider three guiding principles when determining whether to take an enforcement action under Section 5:
    • Furtherance of consumer welfare as the public policy rationale;
    • Analysis based on the “Rule of Reason,” whereby the FTC weighs the harm to competition or competitive markets, against the cognizable efficiencies and business justifications; and
    • Deference to traditional antitrust laws (e.g., Sherman Act, Clayton Act) when they are applicable and provide sufficient legal authority to address the anticompetitive practice.
  • Prior commissioners and commentators have argued that Section 5 grants broader powers than traditional antitrust laws. This logic underpinned recent actions addressing the use or abuse of standard essential patents, and search algorithms. In recent years, however, certain commissioners have issued individual interpretations of FTC authority under Section 5 that are narrower (Wright, Ohlhausen).

Consumer Financial Protection Bureau

Bank Faces Another Investigation Into Auto Lending Practices

  • The Consumer Financial Protection Bureau (CFPB) has referred Santander Consumer USA Holdings Inc. to the Department of Justice over allegations that the bank violated the Equal Credit Opportunity Act by charging certain protected groups of borrowers higher interest and fees on auto loans.
  • Santander reported the CFPB action in its most recent 10-Q, noting the investigation centered on “(i) statistical disparities in markups charged by automobile dealers to protected groups on loans originated by those dealers and purchased by the Company, and (ii) the treatment of certain types of income in the Company’s underwriting process.” Some industry groups have indicated concern over the use of statistical disparate impact analysis for making such claims.
  • For Santander, this is just the latest in a string of auto loan-related investigations: State AGs and the Department of Justice (DOJ) issued subpoenas last year for alleged wrongdoing in the bank’s subprime auto lending, and the DOJ settled earlier this year over auto repossessions involving U.S. service members.

Consumer Protection

Texas AG Asks Bankruptcy Judge to Remember the Gift Card Holders

  • Texas AG Ken Paxton has filed a motion asking the judge overseeing the liquidation of the remaining RadioShack assets to compel notice of bankruptcy proceedings to those customers who purchased unredeemed gift cards.
  • AG Paxton’s motion argues that purchasers of up to 2.9 million unredeemed gift cards, worth approximately $46 million, should be given notice as known creditors so they can take part in the liquidation process. The AG indicated that all consumers holding an unredeemed gift card should have priority treatment for payment ahead of general unsecured claims. The implication, if the court agrees, is that an extra $46 million could be paid prior to the general unsecured creditors receiving payment.

Florida AG Sues to Prevent Business Services

  • Florida AG Pam Bondi filed a lawsuit against United Business Services, Inc.; United Certificate Services Inc.; and Corporate Filing Services of Florida for allegedly violating the Florida Unfair and Deceptive Trade Practices Act by promoting the sale of optional business documents and misleading businesses into paying for unnecessary services.
  • The defendants allegedly targeted newly-registered businesses, offering the chance to purchase certain business documents and services—certificates of status, employee law posters, record keeping of corporate minutes, and others—while giving the impression that such documents were mandatory under Florida law. In many cases the documents were not required, or were available for free or at a lower price from the state Division of Corporations.
  • The complaint was filed in Florida state court, seeking a permanent injunction and restitution. Upon commencing the action, AG Bondi obtained a temporary injunction and asset freezes against the defendants.

FTC Seeks to Stop “Blind Bumping”

  • The Federal Trade Commission (FTC) has filed claims in federal court against Sequoia One, LLC; Gen X Marketing Group, LLC; and their individual owners and managers (defendants), operating as data brokers, for violating the FTC Act’s prohibition on unfair and deceptive practices by illegally selling consumers’ payday loan applications.
  • The FTC alleges that defendants sold financial information from consumers’ online loan applications to certain nonlenders and phony online merchants knowing they would use the information to debit consumers’ bank accounts and bill their credit cards without their consent. The FTC alleges that the defendants sold the information for a very reduced rate, knowing that the buyer was using a “blind bump” practice, whereby it billed consumers for a purported service that was hidden in website terms and conditions. The complaint alleges that the defendants helped to conceal the ensuing fraud by using deceptive and misleading tactics to avoid alerting consumers’ banks.
  • Some of the individual defendants—without admitting or denying the FTC’s allegations—have entered into stipulated judgments (McDonnell, Bartholomews). The judgments enjoin them from any further brokering of sensitive personal information, or misrepresenting information in connection to a loan or extension of credit. The judgments impose joint and several liability on over $7 million in equitable relief, but offer suspended judgments due to inability to pay. The litigation against corporate defendants Sequoia One and Gen X, along with owner Jason Kotzker, continues.

Data Privacy

Delaware Governor Signs Law to Increase Online Privacy Protections

  • Delaware Governor Jack Markell signed four pieces of legislation into law, enhancing the First State’s online privacy protections—especially for children. The laws, which had been proposed by AG Matt Denn, contain many new and novel restrictions that, due to Delaware’s status as the headquarters or state of incorporation of many large companies, will likely influence further reforms in corporate policies and state laws.
  • The Online Privacy and Protection Act requires commercial websites and apps to post a privacy policy explaining what information the website or online app collects and what it does with that information. It also limits advertising directed at children for products like alcohol, tobacco, and firearms, and restricts online book sellers from disclosing information about customers’ reading choices without a court order.
  • The Employee/Applicant Protection for Social Media Act limits businesses from forcing employees or job applicants to provide access to information on personal social media accounts. The Student Data Privacy Protection Act protects student data generated by education technology, and prohibits service providers from selling student data, using student data to engage in targeted advertising, or amassing a profile on students to be used for non-educational purposes.

Intellectual Property

Invisible Line Between Products and Data Tested at Federal Circuit

  • The Federal Circuit heard oral argument in ClearCorrect Operating, LLC v. ITC, a closely watched appeal of an International Trade Commission (ITC) action to ban ClearCorrect from “importing” digital data via the Internet to be used to create products on 3D printers in the U.S.
  • The initial complaint was filed by Align Technology Inc., makers of patented Invisalign dental alignment devices that operate by making small changes through a series of plastic retainers, slowly moving crooked teeth into proper alignment. Align Technology had previously sought and obtained an exclusion order from the ITC, excluding ClearCorrect from importing the actual patent-infringing dental alignment device.
  • Under its current business model, ClearCorrect creates a scan of a patient’s teeth in the U.S. Using that scan, technicians in Pakistan create digital files that will direct a 3D printer to create the series of plastic retainers. The overseas entity then “exports” the digital files back to the U.S., and the actual devices are 3D printed in Texas.
  • Align Technology alleged that importing data to print infringing alignment devices in the U.S. was a violation of a previous consent order between the two companies, barring importation of infringing “articles.” The ITC agreed, and in 2012 banned the importation of such data on the basis that the devices, once printed, will infringe a U.S. patent.
  • Open internet advocates are quick to highlight potential ramifications if the court upholds the ITC’s order, including the precedent that an “executive can order data ‘seized’ as it travels over the Internet.” Yet those industries that now produce services existing almost wholly in digital form have indicated support for the ITC’s order, arguing that limiting the ITC’s jurisdiction to physical goods “would severely undermine the agency’s future efficacy, as commerce increasingly occurs over the Internet.”

Securities

SEC Charges Massive International Insider Trading Scheme

  • The Securities and Exchange Commission (SEC), working with other federal agencies, filed a complaint in federal court against 32 individuals and entities alleged to be involved in a massive international insider trading scheme with over $100 million in unlawful profits. In addition, several defendants have been arrested and indicted.
  • The SEC’s complaint alleges that the operation, which took place over a five-year period, included Ukrainian hackers stealing confidential earnings information from U.S. and Canadian newswire services and providing it to traders in the U.S., France, and Russia to trade on before the information became publicly disclosed.
  • The traders allegedly paid the hackers for the information, and used multiple accounts and straw man companies to conceal the trades and the payments to the hackers. According to some reports, the traders even provided “shopping lists” to hackers, requesting certain types of news releases on certain companies they wanted to trade on.

Will the Passage of the Personal Care Products Safety Act Provide a Rich Foundation for Uniform Cosmetic Compliance or Merely Draw Unwanted Attention?

Posted in Consumer Protection

Larger cosmetics companies are lining up in support of the Personal Care Products Safety Act (“the Act”), a draft bill that would create a mandatory compliance and reporting framework under the Food and Drug Administration (FDA). Why would these companies be willing to embrace more regulation (and the costs that come with it) from the FDA? The answer may be simple: larger players in the industry see benefits from an upfront national compliance regime. The logic is that not only would a new, uniform law help build consumer confidence in the industry, but it may protect the industry from the growing web of state regulatory efforts. Yet, on second blush, that logic might need a slight makeover.

The FDA defines a “cosmetic,” as a product, including the raw materials used as ingredients, “intended to be applied to the human body for cleansing, beautifying, promoting attractiveness or altering the appearance without affecting the body’s structure or functions.” In the U.S., the cosmetics industry is growing, has significant participation by large multinational companies, and by some accounts, earns more than $56 billion in annual revenues.

Traditionally, the FDA has focused enforcement efforts on food and drugs, and more recently, dietary supplements. With the cosmetics industry, the FDA has taken a softer approach. The majority of FDA actions in cosmetics has consisted of sending warning letters when products marketed as cosmetics make drug-like claims (i.e., that the product can cure or prevent disease, or otherwise affect the structure or function of the body). The cosmetics most often cited by the FDA for allegedly making claims that cross over into the realm of drugs are anti-aging and wrinkle-reducing products.

The allure of the Act for large manufacturers would seemingly be that once the FDA determines that a cosmetic ingredient or nonfunctional constituent is safe, the manufacturer would be in the clear, and could thus avoid potentially more onerous state law requirements. Yet, when put under a magnifier, that notion probably conceals a deeper reality. Only those laws in areas directly addressed by the Act would be preempted, including the determination of safety, the requirements for registration, good manufacturing practices, mandatory recalls, and adverse event reporting. The Act does not preempt laws already in effect when the Act is passed.

The Act will not prevent a State AG or FTC investigation into deceptive practices, nor will it stop lawsuits from advocacy groups or the plaintiffs’ contingency bar, as it expressly does not preempt lawsuits based in product liability, and a host of other common law legal doctrines. As we learned from the Supreme Court’s decision in POM Wonderful, FDA regulatory primacy will not insulate cosmetics producers from actions brought by competitors under other federal statutes, including the Lanham Act. In addition, if the wave of class action food lawsuits in recent years is any lesson, the new law might, at least in the short term, lead to increased scrutiny of cosmetics marketing practices and greater numbers of class action lawsuits.

State AGs continue to show increased interest in consumer products, including cosmetics, with recent investigations into dietary supplements, drug company practices, and bath products, among others. Similarly, State AGs are also taking a greater role in pushing legislation on consumer issues where the federal government is silent. The recent Vermont law on genetically engineered food labels is a good example of the power of an AG to propose and follow through on a legislative issue with a consumer focus.

For larger cosmetics businesses, the Act puts forth compliance requirements that are only minimally abrasive, easily addressed by in-house experts and outside counsel. For smaller producers, many of which oppose the bill, the effects of the Act could be more invasive. A closer analysis of the Act, however, might lead all cosmetic companies to question its benefits overall. Will an additional layer of regulation bring forth a healthier, more vibrant industry, or will it only draw unwanted regulatory attention?

State AGs in the News

Posted in Consumer Financial Protection Bureau, Consumer Protection, Employment, False Claims Act, Financial Industry, State AGs in the News

Breaking News

AGs Find Themselves on the Other Side of an Investigation

  • A Texas grand jury has indicted Texas AG Ken Paxton for securities fraud, alleging that Paxton misled investors prior to assuming his position as AG. According to the special prosecutors involved, Paxton is accused of encouraging investors to put more than $600,000 into tech startup company Servergy, Inc. while failing to disclose that he was making commissions, and misrepresenting himself as an investor.
  • Similarly, a Pennsylvania district attorney has charged Pennsylvania AG Kathleen Kane with perjury and obstruction of law based on Kane’s alleged leaks of confidential investigative information and subsequent related false statements and denials.
  • Both AGs deny the charges and have indicated that they will fight the charges. Neither has indicated that they will resign.

Consumer Financial Protection Bureau

CFPB Goes Trolling Offshore for Payday Lenders

  • The Consumer Financial Protection Bureau (CFPB) filed a lawsuit in the Southern District of New York against a network of 11 interconnected companies registered in Canada and Malta (“NDG Enterprise”), that originated, serviced, and collected on consumer payday loans over the Internet.
  • In the complaint, the CFPB alleges that NDG violated the Consumer Financial Protection Act’s prohibition on unfair, deceptive, and abusive practices by attempting to collect loan amounts and fees that were illegal under state lending laws, void, or for which consumers had no obligation to repay. It also alleged that NDG used illegal wage assignment clauses—through which a lender collects payments and fees directly from the borrower’s employer—and falsely threatened consumers with lawsuits, arrests, and imprisonment for failure to pay back the loans and fees.
  • According to the complaint, NDG’s operation was highly customized, with separate and specialized entities for lead generating, funding, and collection activities. NDG used this separation, and foreign locations of its entities, to avoid responding to consumer complaints and to argue that it was not subject to U.S. or state law. The CFPB is seeking a permanent injunction against NDG’s operation, plus damages, consumer redress, disgorgement, and costs.

Citibank Discloses Investigation Into Student Lending Practices

  • In a recent SEC filing, Citibank, N.A. indicated that it was undergoing a “regulatory investigation concerning certain student loan servicing practices.” It further stated that “[s]imilar servicing practices have been the subject of an enforcement action against at least one other institution,” and that “regulators may order that Citibank, N.A. remediate customers and/or impose penalties or other relief.”
  • According to reports, the CFPB is the entity conducting the investigation, with the focus being whether Citibank overstated the minimum amounts due on billing statements or failed to provide information to its customers necessary to obtain income-tax benefits associated with their loans.
  • The CFPB brought and recently settled similar claims against Discover, based on loan activity associated with Student Loan Corp., an entity purchased by Discover but previously owned in part by Citibank. In that case, Discover resolved the allegations by agreeing to pay $16 million for consumer refunds and a $2.5 million civil penalty.

Consumer Protection

California Changes the Rules for Sweepstakes Gaming

  • California AG Kamala Harris, along with federal regulators, closed down the operation of Capital Sweepstakes Systems, Inc. for allegedly violating state laws governing gambling and unfair competition. In addition to the $1.6 million Capital agreed to forfeit to the federal government, the game maker agreed to pay $700,000 in civil penalties and costs to the state.
  • Sweepstakes game providers offer software-based games that mimic traditional casino games like slot machines and video poker, but are played at terminals in internet cafes, gas stations, and convenience stores. In the states where sweepstakes games are legal, the key distinction between sweepstakes gaming and gambling is whether the consumer pays to play the game, or simply receives a chance to play incident to a separate purchase.
  • AG Harris’s enforcement action follows a recent California Supreme Court ruling holding sweepstakes games to be illegal, as well as a state law passed in 2014.

FTC Investigates For-Profit College’s Business Practices

  • The Apollo Education Group, Inc. has disclosed in a recent filing with the SEC that the Federal Trade Commission (FTC) is investigating the company in regards to the business practices of its wholly-owned subsidiary, the University of Phoenix.
  • Apollo indicated that the FTC issued a civil investigative demand seeking documents and information regarding the University of Phoenix’s “marketing, recruiting, enrollment, financial aid, tuition and fees, academic programs, academic advising, student retention, billing and debt collection, complaints, accreditation, training, military recruitment, and other compliance matters, for the time period of January 1, 2011 to the present.”
  • The investigation into Apollo is likely part of a broader FTC effort to crack down on for-profit colleges, particularly in connection to military recruitment and the G.I. Bill. Last year, the FTC served a similar demand on DeVry Education Group. In May, the FTC reached an agreement with the Professional Career Development Institute, doing business as Ashworth College, to resolve claims that the for-profit college misrepresented to potential students that it would provide proper training and credentials for the careers advertised, and that the course credits earned by the students would be eligible to transfer to other schools.

Employment

Connecticut Law Encourages Discussion to Bridge Pay Gap Between Genders

  • Connecticut recently enacted “An Act Concerning Pay Equity and Fairness,” a law designed to narrow the wage gap between men and women by preventing employer policies that require “pay secrecy.”
  • The new law generally prohibits employers from taking measures to prevent employees from disclosing, inquiring about, or discussing wages with other employees. It is part of a broader movement that includes 12 other states and the federal government.
  • The Connecticut law specifically precludes employers from forcing employees to sign waivers regarding their right to discuss wages, and from discharging, disciplining, or retaliating against employees who seek to discuss wages. The law, however, does not require employers to disclose the amount of wages paid to any employee; and if asked, employees have no obligation to disclose their own wages to a peer.

SEC Mandates Disclosure of CEO Pay Ratio

  • In a three to two decision, the Securities and Exchange Commission (SEC) approved a proposed rule that would require approximately 3,800 companies to disclose the ratio of the CEO’s salary to that of the median worker. The rule takes effect in 2017.
  • The rule, which was mandated by the 2010 Dodd-Frank Act, was first proposed by the SEC in 2013. In its final form, the rule provides greater flexibility in calculating the ratio of pay, by allowing companies to use statistical sampling to define the median employee salary, and by allowing companies to omit up to 5 percent of employees outside the U.S. from the calculation. In addition, emerging growth, registered investment companies, small businesses, and foreign private issuers will be exempt from the rule’s reporting requirement, and the data for the calculations only need to be gathered every three years.
  • The rule has numerous critics, including SEC Commissioner Daniel Gallagher who indicated that it might be “the most useless of our Dodd-Frank mandates.” Other critics, including the U.S. Chamber of Commerce, have pointed to the difficulty in comparing ratios from one industry to the next, and highlighted the additional compliance costs associated with making the necessary calculations. And yet supporters of the rule, like the AFL-CIO, note that it will give better information to shareholders when making investment decisions, and to the general public when assessing income inequality and raising wages.

False Claims Act

Federal Court Defines Key Term in ACA’s 60-Day Rule

  • In a recent ruling in United States v. Continuum Health Partners Inc., the Southern District of New York provided insight into a key provision of False Claims Act liability added by the Affordable Care Act—namely, when the 60-day period during which a healthcare provider can refund overpayments made by the federal government without facing liability begins. In denying Continuum Health Partners Inc.’s motion to dismiss, Judge Edgardo Ramos ruled that an overpayment is “identified,” and thus starts the 60-day clock, when the hospital or healthcare provider is “put on notice” that a possible overpayment exists.
  • Continuum, which admittedly overbilled Medicaid in multiple accounts due to a computer glitch, had argued that the 60-day period only begins to run once the healthcare provider identifies the specific amounts and instances for each and every overcharge. Judge Ramos indicated that such an interpretation would be “absurd” as it would seemingly allow companies to employ “willful ignorance” to delay the obligation to repay the government, and would create a perverse incentive to under-invest in resources that serve to verify and account for overpayments.
  • The Centers for Medicare and Medicaid Services had issued a proposed rule in 2012 that defined “identified” to require “actual knowledge of the existence of the overpayment or acts in reckless disregard or deliberate ignorance of the overpayment.” However, publication of the final rule was delayed earlier this year, and is now set for February 2016.

DOJ Taps Spinal Company for $13.5 Million

  • The U.S. Department of Justice (DOJ) reached a settlement agreement with NuVasive Inc., under which the maker of spine-related medical devices will pay $13.5 million to resolve claims that it violated the False Claims Act and the Anti-Kickback Statute.
  • The DOJ alleged that NuVasive promoted its products for surgical uses that were not approved or cleared by the FDA, resulting in false claims to federal health care programs for spine surgeries that were not eligible for reimbursement. In addition, NuVasive allegedly paid kickbacks to doctors in the form of speakers’ fees and expenses related to attendance at events sponsored by the Society for Lateral Access Surgery, an organization created, funded, and operated solely by NuVasive.
  • The lawsuit against NuVasive was originally filed by a former sales representative turned whistleblower, who under the terms of the settlement, will receive approximately $2.2 million. For its part, NuVasive did not admit liability or wrongdoing, and was not required by the DOJ to enter a corporate integrity agreement as part of the settlement.

Financial Services

Financial Consultant Has Access Pulled by New York DFS Investigation

  • The New York Division of Financial Services (DFS) has indicated that it will deny Promontory Financial Group LLC access to confidential supervisory information under New York State Banking Law, based on DFS’s findings that the banking consultant “exhibited a lack of independent judgment in the preparation and submission of certain reports to the Department in 2010-2011.” The DFS, however, did not accuse Promontory of a legal violation.
  • The DFS report, which was issued in response to an investigation into Promontory’s actions to resolve allegations that Standard Chartered Bank violated federal banking laws and sanctions imposed by the U.S. Treasury, outlines material changes and omissions that Promontory made to its report in response to requests from the bank. It also identifies testimony given by Promontory during the DFS investigation that indicates a lack of credibility.
  • The DFS ruling to suspend access to Promontory will effectively prevent it from serving as a regulatory compliance consultant to big banks and foreign governments. In response, Promontory has stated that it “stand[s] behind the integrity of [its] professionals and the quality of [its] work.” It also indicated that it “will litigate the matter and defend [the] firm against this regulatory overreach.”

State AGs in the News

Posted in Antitrust, Charities, Consumer Financial Protection Bureau, Consumer Protection, Securities, State AGs in the News

Antitrust

Federal Appeals Court Focuses on Utah Contact Lens Law

  • Leading national manufacturers of contact lenses are asking the U.S. Tenth Circuit Court of Appeals to reverse a lower court decision not to enjoin enforcement of a new Utah law on vertical price controls in the contact lens industry. On June 16, the Tenth Circuit removed the temporary injunction pending appeal it had issued in May, and allowed the law to go into effect. The court’s ruling on the preliminary injunction has been expedited, and both sides have filed their briefs.
  • The law was enacted earlier this year and bans contact lens manufacturers and distributors from “fixing or otherwise controlling the price that a contact lens retailer charges or advertises for contact lenses.” The law specifically prohibits a manufacturer from discriminating against a contact lens retailer that sells or advertises contact lenses for a particular price; operates in a particular channel of trade; is a person authorized by law to prescribe contact lenses; or is associated with a person authorized by law to prescribe contact lenses.
  • Utah AG Sean Reyes argued that the new law is a legitimate antitrust measure and would benefit consumers by encouraging greater price competition. In contrast, national contact lens manufacturers argued that the law violates the Commerce Clause of the U.S. Constitution because it effectively seeks to regulate interstate commerce, stating that “it will necessarily result in [a] Utah retailer receiving a competitive advantage over the non-Utah retailers who abide by the [unilateral pricing] policies.”

Charities

Citizens United Loses in Federal Court, Must Disclose Donors

  • In Citizens United v. Schneiderman, a federal court in New York ruled that a State AG can require charitable organizations to disclose a list of major donors as part of the organization’s annual reporting requirements under state law.
  • The plaintiffs, Citizens United Foundation and Citizens United, two nonprofit corporations, sought to enjoin New York AG Eric Schneiderman from enforcing state Exec. Law §172, requiring charities registered in New York to disclose the names of donors who gave $5,000 or more by providing a copy of each entity’s confidential “Schedule B” filings that accompany federal tax returns.
  • The court indicated that this type of disclosure forms an important part of a State AG’s investigative authority “because he can compare major donor information against other documents that charities submit, allowing him to uncover possible violations and ultimately take action against unlawful charities.” This decision mirrors recent decisions involving a similar state law in California.

Consumer Financial Protection Bureau

CFPB Gives Failing Marks to Student Lender

  • The Consumer Financial Protection Bureau (CFPB) reached an agreement with Student Financial Aid Services, Inc., (SFAS) to resolve claims that the company violated the Consumer Financial Protection Act, the Telemarketing Sales Rule, and the Electronic Funds Act through its paid subscription services.
  • SFAS, which operated the website FAFSA.com, was alleged to have used deceptive tactics to enroll and automatically bill consumers for online or over-the-phone assistance for filling out the federal government’s Free Application for Federal Student Aid (FAFSA). SFAS allegedly charged a recurring annual fee, with a negative option for termination, for up to four years.
  • The consent order requires SFAS to pay $5.2 million to the CFPB for redress to consumers who were charged for unauthorized, recurring service fees, and to cease all recurring or automatic charges. The order also requires SFAS to pay a civil penalty of $1—this nominal amount is to ensure that the company’s remaining funds are focused on repaying harmed consumers while preserving victims’ eligibility for additional relief from the CFPB Civil Penalty Fund in the future. In addition to the order, SFAS agreed to transfer the website FAFSA.com to the U.S. Department of Education, which uses FAFSA.ed.gov.

CFPB Hits the Brakes on the “Equity Accelerator”

  • The Consumer Financial Protection Bureau (CFPB) took action against two companies for allegedly deceiving consumers by marketing a mortgage payment system that promised consumers savings on interest over time through biweekly payments made automatically from consumers’ bank accounts.
  • Paymap Inc., a payment processor and wholly-owned subsidiary of Western Union, together with LoanCare LLC, a mortgage servicer, marketed an “Equity Accelerator” product to LoanCare’s customers. The companies claimed that through biweekly payments, “the average customer will achieve over $33,000 in interest savings.” The CFPB alleged, however, that few customers achieved that level of savings, and that even though Paymap withdrew funds from consumers’ accounts every two weeks, it would still only make payments on consumers’ mortgages as per their original monthly schedule. As such, any savings came not from more frequent payments, but from the additional principal paid each year.
  • According to the orders, Paymap will return $33.4 million to consumers and pay a $5 million civil penalty to the CFPB. For its part in providing customers, LoanCare LLC will pay a $100,000 civil penalty. Both companies are prohibited from advertising the benefits of mortgage payment programs without credible evidence to support their claims, and must disclose when the projected savings come only from increased annual payment amounts. In addition, both companies must keep records on their compliance with the CFPB orders, and report regularly to the CFPB for a period of five years.

DC Circuit Clarifies Who Has Standing to Sue the CFPB

  • The Court of Appeals for the DC Circuit overturned a lower court opinion that held that State National Bank of Big Spring did not have standing to challenge the constitutionality of certain aspects of the Consumer Financial Protection Bureau (CFPB) since the Texas bank had not been subject to a CFPB enforcement action.
  • Instead, the DC Circuit indicated that an entity can challenge an agency when it can show that the entity operates in a sector the agency regulates. As stated by the court, “[i]t would make little sense to force a regulated entity to violate a law (and thereby trigger an enforcement action against it) simply so that the regulated entity can challenge the constitutionality of the regulating agency.”
  • Since the bank does business in the remittance market, and the CFPB has authority to regulate that sector, the DC Circuit ruled that the bank had standing to challenge the CFPB on at least two constitutional issues. The DC Circuit did not address the substance of the bank’s challenge, namely that it was unconstitutional for the CFPB to operate under a single director instead of a commission similar to that of the Federal Trade Commission or the Securities and Exchange Commission, and that the recess appointment of CFPB Director Cordray was unconstitutional.

Consumer Protection

Washington AG Makes Crowdfunder Pay

  • Washington AG Bob Ferguson has successfully sued Altius Management LLC and its President for violations of the state Unfair Business Practices and Consumer Protection Act in connection with a failed crowdfunding project.
  • According to the complaint, Altius created, marketed, and accepted funding for a Kickstarter campaign to create a custom set of playing cards. Altius secured over $25,000 in funding from 810 backers, and thus, as per the terms and conditions of the Kickstarter platform, was legally bound to fulfill backer rewards (i.e., provide each backer with the indicated custom set of playing cards). AG Ferguson brought the lawsuit when, after more than two years, Altius had failed to deliver the product and had not issued any refunds.
  • The default judgment requires Altius to pay $668 in restitution and $23,183 for attorneys’ fees and costs. The court held that each unrewarded or unrefunded contributor formed a separate violation of state law and also issued civil penalties totaling $31,000: Because there were 31 backers in Washington, the court issued 31 separate civil penalties of $1,000 each.

Wireless Provider Disputes “Apparent” Liability

  • AT&T Mobility LLC responded to a decision made last month by the Federal Communications Commission (FCC) to fine the wireless provider $100 million for throttling broadband speeds after users reached a certain data usage threshold for the month, even though such data plans were sold as “unlimited.”
  • The FCC issued a Notice of Apparent Liability (NAL) claiming that AT&T violated the Open Internet Transparency Rule when it failed to advise users that their broadband access would be slowed or throttled if they exceeded a monthly limit of data usage. The FCC’s investigation claimed that some users had their speeds slowed by more than 80 percent, even though they had paid for unlimited data plans, rendering their Internet access almost useless during the period of throttling. The FCC alleged that heavy users faced, on average, 12 days per month of throttling.
  • In its Response to the NAL, AT&T argued that the FCC’s forfeiture penalty of $100 million was seemingly “plucked out of thin air, and the injunctive sanctions it proposes are beyond the Commission’s authority.” In addition, AT&T argued that it was not given proper notice that its practices would be in violation of the Transparency Rule, and that the FCC has ignored other wireless providers who have used similar practices. Finally, AT&T indicated that the term “unlimited” was not deceptive, and must be viewed in the context of the agreement, which applied to data quantity, not speed. Since the NAL, AT&T has switched to a policy that only reduces heavy users’ speeds during periods of peak network congestion.

Securities

Food Company Digests SEC Fine for Alleged Bribes in China

  • The Securities and Exchange Commission (SEC) settled its allegations against Mead Johnson Nutrition Company, resolving claims that Mead violated the Foreign Corrupt Practices Act through the conduct of its Chinese subsidiary and third-party distributors.
  • The SEC alleged that Mead’s Chinese subsidiary made over $2 million in improper payments, and provided other incentives to professionals at government-owned hospitals in China from 2008 to 2013, in order to entice the hospitals to use the company’s infant food and formula products. Although the payments were made through third-party distributors, the SEC was able to trace them back to Mead because the distributors received discounts to compensate them for their expenses.
  • As indicated in the SEC Order, Mead presented an Offer of Settlement in which it agreed to pay $9 million in disgorgement and prejudgment interest, and $3 million as a penalty. It did not admit wrongdoing. The Department of Justice closed its investigation accordingly.

State AGs in the News

Posted in Antitrust, Charities, Consumer Financial Protection Bureau, Consumer Protection, Data Privacy, State AGs in the News

Antitrust

AT&T Inches Closer to Approval for DirecTV Acquisition

  • The U.S. Department of Justice (DOJ) stated that it will not challenge AT&T’s proposed acquisition of DirecTV, and the Federal Communications Commission (FCC) has indicated, subject to specific conditions, that it is likely to approve the deal that would join the country’s largest satellite television provider with the second-largest wireless communication company.
  • FCC Chairman Wheeler has issued a proposed order, currently awaiting approval from the other commissioners, in which he outlined the conditions upon which he would approve the merger.
  • The order would require that AT&T increase investment in high-speed fiber connections, avoid policies that favor affiliated video services and content, and submit all completed interconnection agreements and network performance reports to the FCC. The chairman also proposed the appointment of an independent officer to help ensure compliance with the proposed conditions.

Oklahoma Gives AG Enhanced Powers Over Professional Boards

  • Oklahoma Governor Mary Fallin issued an executive order providing the State AG’s office with the power to oversee state regulatory boards. The boards, many of which regulate professional standards and licensing, are now required to submit “all proposed licensure or prohibition actions” to the AG for legal review.
  • Earlier this month, AG Scott Pruitt wrote a letter to the governor, warning that many Oklahoma professional boards and commissions were at risk of antitrust liability in light of the decision in North Carolina State Board of Dental Examiners v. F.T.C., decided earlier this year. In that case, the Supreme Court held that a state licensing board consisting of active participants in the regulated occupation cannot maintain immunity from antitrust liability if it is not actively supervised by the state.
  • AG Pruitt noted in his letter that many of Oklahoma’s professional boards are at risk of antitrust liability, as they are comprised of members from the profession they regulate, yet do not have sufficient state oversight. Although the AG had previously provided legal advice to various state boards, the governor’s executive order gives him the power to remove those board members who do not follow the AG’s directives.

Another Senator Seeks Antitrust Investigation Into Airlines

  • This week, U.S. Senator Charles Schumer called for greater federal scrutiny into the airlines’ sales practices, urging the DOJ and Department of Transportation to investigate whether certain airlines are violating antitrust laws by “freezing out” third-party travel websites. Senator Schumer’s request comes on the heels of Senator Richard Blumenthal’s letter to the DOJ alleging potential collusion among major air carriers.
  • According to Senator Schumer, a growing number of airlines are withholding information from third-party websites, such as TripAdvisor, Expedia, and Orbitz, or charging extra fees for tickets purchased through them. Senator Schumer argues that these changes in policy deny consumers the opportunity to compare different flights and airlines side by side, resulting in reduced competition and higher prices.
  • Airlines for America, an industry group, responded in favor of the airlines, pointing out that “[a]irlines like any other company that sells consumer goods, should be able to sell their products where they believe they are best suited for their customers.”

Charities

New York AG Puts Greater Focus on Charity

  • New York AG Eric Schneiderman filed a lawsuit to close the National Children’s Leukemia Foundation (NCLF) and to hold its founder Zvi Shor accountable for failing to conduct most of the programs advertised on its website, for failing to provide more than a tiny fraction of the money raised toward the charitable causes the donors intended to support, and for ignoring state filing obligations.
  • The NCLF had indicated that it used donations to create a bone marrow registry, an umbilical cord blood banking program, and its own cancer research center. It also told its donors that it had filed a patent application for a new lifesaving treatment for leukemia.
  • The lawsuit alleges that during a five-year period, NCLF raised $9.7 million, $8.9 million of which was raised by professional fundraisers hired by NCLF, who in turn were paid approximately $7.5 million. The AG also alleges that the organization spent less than one percent of the money raised on direct cash assistance to leukemia patients and transferred another five percent to a shell organization in Israel run by Shor’s sister, allegedly for research purposes.

Consumer Financial Protection Bureau

CFPB Adds $70 Million in Penalties Onto $700 Million Restitution for Alleged Deceptive Credit Add-ons

  • The Consumer Financial Protection Bureau (CFPB) announced that it had reached an agreement with Citibank, N.A., Department Stores National Bank, and Citicorp Credit Services, Inc., (together “Citi”) to resolve allegations that Citi violated the Consumer Financial Protection Act and the Telemarketing Sales Rule through aggressive marketing, billing, and collection practices associated with credit card add-on products and services.
  • The CFPB alleged that Citi engaged in myriad unfair or deceptive practices associated with its credit card accounts, including the following claims:
    • Deceptive marketing, where Citi misrepresented or failed to inform consumers about the true cost of the services offered, and also misrepresented the benefits and scope of the add-on products and services.
    • Unfair billing practices, where Citi either charged consumers for debt protection and credit monitoring services they did not receive, or charged consumers without express authorization.
    • Deceptive collection practices, where Citi misled consumers to believe that additional, optional fees were unavoidable processing fees.
  • The consent order requires Citi to provide $700 million in relief to approximately 8.8 million customer accounts. Citi must also pay $35 million to the CFPB, and a separate $35 million to the Comptroller of the Currency as civil penalties.
  • The consent order also requires Citi to cease billing for credit monitoring products that do not provide the claimed benefits and precludes Citi from marketing or selling credit card add-on products and services by telephone or at point-of-sale without prior approval of its compliance plan by the CFPB. In addition, for a period of five years, Citi must keep detailed records on every enrollment in consumer credit add-on products and services.

Consumer Protection

FTC Seeks Enforcement Against Alleged Repeat Offender

  • The Federal Trade Commission (FTC) filed an enforcement action under seal in federal court against LifeLock, Inc., alleging that the company violated the terms of its 2010 settlement with the FTC and 35 State AGs.
  • The 2010 settlement required LifeLock and its principals, among other things, to stop making any further deceptive claims, including falsely advertising that it protected consumer data with the same high-level safeguards as financial institutions; and to establish a comprehensive information security program to protect the sensitive personal data, including credit card, social security, and bank account numbers it collects from its users. The FTC now alleges that LifeLock has failed to satisfy either.
  • The FTC is asking the court to order LifeLock to provide full redress to all consumers affected by the company’s ongoing violations.

Forty-Five AGs Call for Call-Blocking

  • Indiana AG Greg Zoeller led a group of 45 AGs asking telecom service providers to offer technology to their consumers that would allow customers to request automatic call-blocking of robo-calls and other mass call efforts.
  • The AGs’ letter, which was sent through the collaborative forum of the National Association of Attorneys General, is addressed to the CEOs of five major telecom service providers. It highlights recent events, including the AGs’ efforts in requesting the Federal Communications Commission (FCC) to provide clarification, and the FCC’s guidance that expressly permits telecom companies to offer their customers the ability to block robo- and autodialed calls, as well as other unwanted spam calls and texts.
  • Previously, representatives of the telecom industry had testified in front of a Senate sub-committee that “legal barriers prevent carriers from implementing advanced call-blocking technology to reduce the number of unwanted telemarketing calls.”

Data Privacy

Seventh Circuit Clarifies “Impending Certainty” Defense for Data-Breached Companies

  • The Seventh Circuit has ruled that victims of the 2013 Neiman Marcus data breach adequately alleged standing to sue the retailer, even if they have not yet suffered any fraudulent charges, identity theft, or other damages from the information taken by hackers.
  • The Seventh Circuit decision reversed the trial court (N.D. Ill.), which had ruled that the plaintiff’s theory of damages, based on the risk of future harm, was too remote to grant Article III standing. The trial court dismissed the lawsuit based in large part on a 2013 Supreme Court decision, Clapper v. Amnesty International, which held that plaintiffs must show that a future injury is “certainly impending” in order to bring claims.
  • The Seventh Circuit distinguished the Clapper holding significantly in the context of a consumer data breach, and indicated that a plaintiff can demonstrate standing, even if there is only a “substantial risk” of future harm, and the plaintiff is compelled to “reasonably incur costs to mitigate or avoid that harm.”
  • The court also weakened one other potential challenge to consumers claiming standing in data breach lawsuits: it indicated that even though other major retailers suffered similar breaches that may have exposed plaintiff’s private information, for pleading causation, the plaintiffs’ injuries were still “fairly traceable” to Neiman based on the retailer’s “admissions and actions” following the breach.

Facebook Loses Appeal, Lacks Standing to Challenge Search Warrants on Behalf of Users

  • A New York state appeals court upheld the trial court’s determination that Facebook, Inc. lacked standing to challenge, on behalf of its users, the state prosecutor’s search warrants demanding access to user account information.
  • The warrants were issued in support of the state’s investigation into disability fraud, and sought information on 381 Facebook users alleged to have led active lives despite collecting state disability payments. Facebook argued that the warrants were overly broad as they requested information regarding users’ ages, religions, cities of birth, educational affiliations, family members, partners, friends, favorite music, political “liked” things, photographs, private chats, and messages. Although the court ruled against Facebook on standing, it indicated that it was troubled by the scope of the warrants.
  • Facebook also argued that because it was required to participate in the search and provide the information stored on its servers to the state, the warrants were the legal equivalent of a civil subpoena, which an Internet service provider can challenge under the U.S. Stored Communications Act. The five-judge panel, however, ruled that a social media company has “no constitutional or statutory right to challenge an allegedly defective warrant before it is executed.” The court indicated that under state and federal law, only defendants could challenge search warrants, and only in a pre-trial hearing after the warrants have been executed.

State AGs in the News

Posted in Antitrust, Consumer Financial Protection Bureau, Consumer Protection, Data Privacy, Employment, State AGs in the News

Antitrust

FTC Investigation Looks to Take Another Bite Out of Apple

  • According to sources, the Federal Trade Commission (FTC) is looking into whether Apple Inc. (“Apple”) is violating antitrust laws with its streaming music service, Apple Music. Unlike prior reports of investigations into whether Apple was engaging in anticompetitive actions by negotiating with record labels to cancel “freemium” music streaming services, this new inquiry addresses subscription service pricing through Apple’s iOS platform.
  • When a consumer purchases a subscription to a rival streaming service through the Apple App Store, Apple receives a 30 percent royalty. Thus if a rival charges $10 per month, it only nets $7 and pays the other $3 to Apple. By contrast, when Apple charges $10 per month for Apple Music, it keeps the entire $10. Given that the streaming companies must all pay similar licensing fees for the music they stream, Apple’s competitors claim they must either increase prices (and be uncompetitive), or have their margins compressed (and be unprofitable). A similar issue may also be brewing with the much-rumored Apple streaming TV service.
  • Yet some factors argue against liability: Apple’s iOS is estimated to only comprise about 17 percent of the market for mobile operating systems. In addition, the competing streaming services can sell their subscription services at a slight discount payable through their website where they keep all of the fee, instead of through the App Store. (But this is hampered by restrictions Apple places on all apps sold in the App Store, precluding third-party marketing and linking to the company’s website.)

DOJ Gets Requests to Embark on Expedition Into Amazon

  • Groups of authors, booksellers, and literary agents (together, “publishing industry groups”) are asking the U.S. Department of Justice (DOJ) to investigate Amazon.com for violations of antitrust laws, arguing that “Amazon’s dominant position makes it a monopoly as a seller of books and a monopsony as a buyer of books.”
  • The publishing industry groups point to Amazon’s 40% market share in new books and 65% market share in e-books. Their letters state that Amazon abuses its market power in a variety of ways, including:
    • selling books below cost as “loss leaders” for other higher margin items sold on Amazon;
    • delaying delivery and removing books from preorder status (or delisting them altogether);
    • directing buyers to other titles, including its own books; and
    • requiring self-published authors to price their books within a specific range or be subjected to a significant cut in royalties.
  • The European Commission, the antitrust enforcement body of the European Union, has already opened a formal investigation into Amazon over its e-book distribution agreements. The Commission is investigating whether Amazon is abusing a dominant position by contractually requiring publishers to inform Amazon about more favorable terms offered to competitors or offer Amazon similar terms.

Consumer Financial Protection Bureau

CFPB and DOJ Resolve Claims Against Auto Lender for Discriminatory Practices

  • The Consumer Financial Protection Bureau (CFPB) and the U.S. Department of Justice (DOJ) resolved a joint investigation into whether American Honda Finance Corporation, as a captive auto finance company and ninth largest auto lender in the market, violated the Equal Credit Opportunity Act (ECOA) through lending practices that allegedly resulted in higher interest rates for certain groups of minority car buyers.
  • At the core of the investigation was a practice through which Honda created a minimum interest rate for a consumer application, based on objective risk-based criteria, but then afforded dealers discretion to increase or “mark up” the minimum rate using dealer specific factors, and then receive extra compensation from Honda based on the markup. The CFPB and DOJ’s findings indicated that under the dealer discretion model certain minority groups paid from .25 to .36 percent higher interest rates.
  • The consent order requires Honda to deposit $24 million into escrow for consumer redress, and to create a plan detailing the process of how it will provide redress funds to overcharged consumers. Honda must also modify its lending practices and guidelines to limit dealer discretion to increase the minimum rate, and must form a compliance committee to ensure that the consent order is properly implemented.

Consumer Protection

New York AG Continues to Scratch Away at Deceptive Auto Sales Practices

  • New York AG Eric Schneiderman reached a settlement with Atlantic Automotive Group resolving an investigation into 22 auto dealerships’ alleged violations of the AG’s Auto Advertising Guidelines and a previous Assurance of Discontinuance.
  • The AG’s investigation was in response to many different alleged violations, including “jamming”-style practices, where the dealer has customers sign blank documents, later filling in terms other than what was agreed upon, and charging consumers for unrequested extended warranties or vehicle maintenance contracts.
  • The investigation also addressed the use of direct mail advertisements, purporting to offer consumers the opportunity to play a game—for example, a lottery-style scratch off card—where consumers could allegedly win a cash prize, a flat-screen television, an Apple iPad, and the like. The tickets, however, did not tell the consumer if they won, but instead required them to come to the dealership to claim their prize, where the dealer would inform them that they had not won, and proceed to try to sell them a car.
  • As a result of this action Atlantic will pay $310,000 in restitution and penalties. Atlantic did not admit any liability or wrongdoing, and indicated that the majority of the conduct came from “rogue employees,” who it has since “g[o]t rid of.” Atlantic cooperated with the AG’s investigation and is implementing the necessary fixes, including hiring an advertising compliance officer.

New Jersey AG Settles Lawsuit Against “As Seen on TV” Company

  • New Jersey Acting AG John Hoffman reached a settlement with Telebrands, Corp., resolving litigation that alleged that the maker of “As Seen on TV” products violated the New Jersey Consumer Fraud Act, state advertising regulations, and a 2001 consent order, through the use of aggressive sales practices.
  • AG Hoffman claimed that consumers ordering a product from Telebrands would be subjected to a lengthy and automated ordering process, during which they would be aggressively upsold additional products without providing a way for the caller to decline. Customers were allegedly not allowed to confirm the total cost of their order before authorizing charges, often resulting in unwanted products and hidden shipping and handling charges. The complaint also alleged that the company made it difficult to return products or contact a customer service representative.
  • According to the consent judgment, Telebrands will pay $550,000 to cover attorneys’ fees and investigative costs, but does not admit fault or liability. Telebrands agreed to implement internal auditing processes, and to hire a special liaison to monitor the company’s compliance with the settlement terms and applicable laws. In addition the company will provide information to consumers as to the total cost of their order prior to authorizing payment, the option to speak with a live customer service representative if there is a problem with the order, and a clear method to decline solicitations for additional merchandise.

Data Privacy

FCC Continues to Expand Role in Enforcing Data Security

  • The Federal Communications Commission (FCC) reached an agreement with TerraCom, Inc., and YourTel America, Inc., resolving claims that the companies failed to protect the personal information of more than 300,000 consumers in violation of a carrier’s duty under the Communications Act (the “Act”) and counter to the Act’s prohibition on unjust and unreasonable practices.
  • The FCC alleged that the companies failed to protect customer personal information—including names, addresses, Social Security numbers, and driver’s licenses—by allowing a vendor to store the unencrypted information on unprotected servers. The FCC generally takes the position that a company must provide a reasonable level of protection for personal information, and a company violates that requirement where, as was the case here, the information can be accessed through the internet by anyone with a search engine.
  • The consent decree requires the companies to pay $3.5 million as a civil penalty, and to notify all consumers whose information was vulnerable, providing complimentary credit monitoring and appropriate mitigation measures. In addition, the companies are required to develop internal control measures, including a data breach response plan, a designated senior manager who is a certified privacy professional, and compliance reports to be filed with the FCC.
  • The settlement also resolves the FCC’s claims that YourTel overbilled the federal government with regard to the company’s failure to remove ineligible consumers from the reported subscriber base under a federal program that provides subsidized wired and wireless communication for low-income users.

Employment

DOL Issues Guidance for Classifying Workers Under FLSA

  • The U.S. Department of Labor (DOL) Wage and Hour Division issued an Administrator’s Interpretation to guide businesses on how to classify workers, as either employees or independent contractors, under the Fair Labor Standards Act (FLSA).
  • The Interpretation indicates that the FLSA was intended to operate under a “very broad definition of employment,” and stresses that the question of whether a worker is an employee under the FLSA is a legal question that should be determined by the application of the “economic realities” test—not by a company-determined classification. Although this test requires a balancing of multiple factors, the Interpretation warns against a mechanical application, and instead looks to whether the worker is economically dependent on the business (employee), or as a matter of economic fact, in business for himself (independent).
  • The Interpretation comes at a moment when state lawmakers and regulators are questioning some of the practices and legal assumptions of app-based “sharing economy” platforms through which consumers can contract directly with workers.

State AGs in the News

Posted in Antitrust, Consumer Financial Protection Bureau, Consumer Protection, Data Privacy, False Claims Act, State AGs in the News

Antitrust

State AGs and FTC Approve Dollar Store Merger, Subject to Divestitures

  • Dollar Tree, Inc., and Family Dollar Stores, Inc., have reached an agreement with federal regulators and seventeen State AGs, allowing the discount retail chains to move forward with the $9.2 billion merger proposed last summer.
  • The AGs and the Federal Trade Commission (FTC) separately challenged the merger as anticompetitive in local markets, asserting that the relevant geographic market was as narrow as half a mile in some cases, but included both discount general merchandise retail stores and discounted general merchandise in retail stores (thus including larger retailers).
  • The AGs’ consent order adopts the actions required by the FTC order, including Dollar Tree’s sale of more than 330 stores nationwide to Sycamore Partners, a private equity firm, within 150 days after consummating the merger. The AGs’ order also requires notification with respect to certain transactions or store closures for five years and requires the merging entities to pay $865,181 in attorneys’ fees to the AGs.

DOJ Investigation Into Alleged Airline Coordination Triggers Class Actions

  • The Department of Justice (DOJ) has opened an investigation into whether American Airlines Group Inc., Southwest Airlines Co., United Continental Holdings, Inc., and Delta Airlines, Inc.—together more than 80 percent of the domestic market—violated U.S. antitrust laws by coordinating to limit both the number of seats available for purchase, and the number of flights and routes offered. The DOJ allegedly is asking the airlines for, among other things, documents that reference the “need for, or the desirability of, capacity reductions or growth limitations by the company or any other airline.”
  • Senator Richard Blumenthal, previously the AG for Connecticut, urged the DOJ to investigate what he called “anticompetitive, anti-consumer conduct and misuse of market power in the airline industry.” Senator Blumenthal—referencing a 2013 complaint by the DOJ and a group of State AGs to block the merger between American and U.S. Airways—indicated that the airlines appeared to be using certain terminology (“capacity discipline”) in public statements, and otherwise coordinating a strategy to limit expansion. The airlines and some industry analysts do not necessarily agree, with some pointing to seating capacity growth of five percent in 2014.
  • There is a growing queue of follow-on consumer class action lawsuits, based in large part on the claims from the investigation. These classes have the potential to be quite broad: in one complaint filed in Illinois, the plaintiffs are seeking class status for “all consumers who flew domestically from October 1, 2012 to present,” and alleging that the airlines, “in tandem, raised fares, imposed new and higher fees on travelers and reduced their capacity and service.” The case is Bidgoli v. American Airlines Group Inc., 15-cv-5903 (N.D. Ill.). In total, there are at least 15 class actions that have been filed against the airlines, making a future Multidistrict Litigation likely.

Consumer Financial Protection Bureau

CFPB and 47 States Settle With Chase for $216 Million, Mandate Reforms to Debt Collection Practices

  • The Consumer Financial Protection Bureau (CFPB) and AGs from 47 states reached an agreement to resolve claims that Chase Bank USA N.A. and Chase Bankcard Services Inc. (together, “Chase”) violated the Consumer Financial Protection Act (CFPA) by engaging in unlawful debt collection and sale practices.
  • The CFPB and the AGs alleged that Chase violated Section 1036 of the CFPA for unfair, deceptive, or abusive acts or practices by:
    • Submitting consumers to collections for accounts that were not theirs, in amounts that were incorrect or uncollectable;
    • Making inaccurate credit reporting and entering unlawful judgments that may affect consumers’ ability to obtain credit, employment, and housing;
    • Filing lawsuits and obtaining judgments against consumers using false and deceptive affidavits and other documents that were prepared without following required procedures (“robo-signing”); and
    • Selling accounts to debt buyers that were already settled, discharged in bankruptcy, not owed by the consumer, or incorrect in some other fashion, with knowledge that debt buyers would file collection lawsuits based on the invalid information.
  • The consent order requires Chase to pay consumer redress of not less than $50 million, a civil penalty of $30 million to the CFPB, a separate $30 million civil penalty to the Office of the Comptroller of the Currency, and $106 million in payments to the states. It also requires Chase, within 60 days of the effective date, to withdraw, dismiss, or terminate all pre-judgment collections litigation, and all post-judgment enforcement actions pending at any time.
  • In addition, as a result of this joint action, Chase must reform its debt collection and sale practices, including the creation of safeguards to ensure that debt information is accurate, that consumers receive notice and information on the new debt holder when their debt is sold to a third party, and that debt buyers are restricted from reselling Chase’s consumer debts to other purchasers.

Consumer Protection

FTC Continues to Work With Florida AG to Address Deceptive Practices

  • The Federal Trade Commission (FTC) and Florida AG Pam Bondi filed a joint lawsuit against E.M. Systems & Services, LLC, and a network of related companies operating under fictitious names (together, “Defendants”), for allegedly running a fraudulent and deceptive credit card payment reduction scam.
  • The complaint alleges that Defendants called consumers, identified themselves as “card services” or “card member services,” or by the name of one of the Defendants’ businesses, and claimed to have a business relationship with the consumer’s lender. Defendants offered debt relief through interest rate reductions but, after securing an upfront fee ranging from $500 to $1500, failed to fulfill their claims.
  • AG Bondi and the FTC secured a preliminary injunction and asset freeze, and are seeking a permanent injunction and restitution for consumers. In addition, as this action is the second joint federal-state action in as many weeks in Florida, it serves as a reminder of the increasingly collaborative efforts of federal and state enforcement for consumer protection.

FTC Notches More Settlements Against Payday Lenders

  • The Federal Trade Commission (FTC) settled claims against Frampton Rowland III and Timothy Coppinger, and the network of companies they owned or controlled (together, “Defendants”), alleging violations of the FTC Act, the Truth in Lending Act, and the Electronic Fund Transfer Act.
  • According to the complaint, Defendants operated a series of payday lending operations, through which they would purchase sensitive consumer financial information from lead generators, and then make unauthorized loans, followed by unauthorized withdrawals of “finance charges” from consumers’ bank accounts every two weeks. If consumers contested that the loan was not authorized, Defendants would produce false or misleading documentation; if consumers closed their bank account, Defendants would sell the “loans” to debt buyers who then harassed consumers for payment.
  • The consent orders require that Defendants pay approximately $44 million ($32.1 from Coppinger defendants and $22.9 from Rowland defendants) as equitable money relief, although the orders are suspended upon Defendants’ permanent transfer of bank account assets to a court-appointed Receiver. The Orders also extinguish any related consumer debt obligations, and enjoin Defendants from reporting borrowers to credit reporting bureaus.

Data Privacy

Forty-seven States Ask Congress to Preserve State Authority in Data Security and Privacy

  • Forty-seven State AGs, coordinated under the auspices of the National Association of Attorneys General (NAAG), urged Congress to preserve state authority to enforce state laws that address data security and data breach notification.
  • In a letter addressed to Congressional leadership, the AGs ask Congress not to preempt state law on data security and privacy through passage of federal legislation. The AGs argue that states are quicker to adopt legislation, more willing to try innovative approaches to addressing evolving threats, and better able to respond to identity theft and consumer fraud as it affects their constituents. Some AGs also wrote separate letters on the issue to their individual state senators.
  • The AGs indicate that many state laws provide greater protection to residents than would the current federal bill under consideration. According to some estimates, as many as 38 states would have reduced protections under the federal bill. The AGs also highlight the significant role they play in enforcing data privacy, including a growing number of states where a data-breached company must report to and coordinate with the AG. Moreover, for companies that do business in multiple states, the current structure creates an incentive to comply with the strictest requirements. Most parties involved in the debate recognize the benefit of a uniform national standard, but as the AGs indicate, the best approach might be one where a federal law created a minimum standard with joint state/federal enforcement, and states remained empowered to create greater protections.

False Claims Act

DOJ Settles With Company Claiming Benefits for “Disadvantaged” Owners

  • The U.S. Department of Justice (DOJ) reached an agreement with LB&B Associates Inc. and its principals resolving allegations that the government support services company violated the False Claims Act in order to obtain set-aside contracts through a government program designed to support small, disadvantaged businesses.
  • The 8(a) Program, offered by the U.S. Small Business Administration (SBA), provides preferential procurement options for companies that are primarily owned and controlled by a person who is “socially and economically disadvantaged.” The government claimed that in seeking certification under the 8(a) Program, LB&B falsely represented that Lily Brandon—who satisfied the 8(a) requirements—controlled the operations of LB&B, when in fact she did not.
  • The settlement, which requires LB&B to pay the government $7.8 million, arises out of the government’s intervention in a lawsuit filed by former employees of LB&B. Under the whistleblower provision of the False Claims Act, the former employees will receive $1.5 million of the settlement.