State AG Monitor

State AGs in the News

Posted in Consumer Financial Protection Bureau, Data Privacy, Environment, Financial Industry, Health Care, Pharmaceuticals, Securities, State AGs in the News

Consumer Financial Protection Bureau

CFPB Continues Drive to Clean Up Auto Lending

  • The Consumer Financial Protection Bureau (CFPB) settled with Westlake Services, LLC and wholly-owned subsidiary Wilshire Consumer Credit, LLC (“Westlake”), resolving allegations that the indirect auto lender and title loan company violated the Consumer Financial Protection Act, the Fair Debt Collection Practices Act, and the Truth in Lending Act.
  • The CFPB alleged that Westlake deceived borrowers by using call spoofing technology to make borrowers think they were being called by repossession companies, investigation or enforcement divisions, flower delivery companies, and even the borrowers’ family and friends. The CFPB alleged that, in some cases, Westlake’s goal was to trick the borrower into making additional payments to avoid repossession and, in other cases, it was to discover the location of a vehicle so it could be repossessed. In addition, Westlake allegedly called borrowers’ employers, family, and friends and disclosed loan information.
  • The CFPB also alleged that Westlake marketed its services deceptively, in part by using the monthly rate and failing to disclose the annual percentage rate as required by law. Westlake also allegedly changed the terms of the loans without the borrowers’ permission, causing greater amounts of interest to accrue.
  • Under the Consent Order Westlake is required to provide $44.1 million to consumers in both cash relief and reductions in their balance. Westlake is also required to pay a civil penalty of $4.25 million to the CFPB, and to alter its advertising and loan servicing practices to comport with the law.

CFPB Takes First Step Toward Limiting the Use of Arbitration Clauses

  • The CFPB announced that it is considering proposals to exercise authority under Dodd-Frank to regulate the use of arbitration clauses in consumer financial products. The CFPB indicated that such action is needed to prevent companies from “sidestep[ing] the courts and avoid[ing] accountability for wrongdoing.”
  • Earlier this year, the CFPB completed a Congressionally-mandated study on the effect of arbitration clauses in financial products, concluding that the use of such clauses restricted consumers’ ability to obtain adequate relief when they have a dispute with financial service providers. Specifically, the CFPB concluded that most arbitration clauses found in contracts for consumer financial products like credit cards and bank accounts deny consumers the right to participate in class action lawsuits and arbitrations. The CFPB study also found that fewer than 25 percent of consumers surveyed knew they were subject to an arbitration clause in their contract, and fewer than 7 percent realized that the clauses restricted their ability to sue in court.
  • The CFPB indicated that it would not seek to ban arbitration clauses outright, but rather will push for clauses that expressly state that they do not apply to class action lawsuits “unless and until the class certification is denied by the court or the class claims are dismissed in court.” However, the CFPB has indicated that it will continue to seek advice, input, and recommendations from small business leaders as it drafts the final rule.

Consumer Protection

West Virginia AG Sues Volkswagen for Consumer Deception, Other States May Follow

  • West Virginia AG Patrick Morrisey filed a lawsuit against Volkswagen of America, Inc. arguing that the car maker violated the West Virginia Consumer Credit and Protection Act through advertising and marketing various models as utilizing “clean” diesel engines.
  • Paralleling claims made by the Environmental Protection Agency, AG Morrisey’s complaint alleges that Volkswagen engineered certain diesel vehicles to utilize emissions controls while the vehicle is being tested in order to appear compliant with U.S. standards, but then to suppress emissions controls while driving to increase performance and fuel economy. The lawsuit seeks civil penalties of $5,000 per violation, as well as costs related to the investigation and litigation.
  • Meanwhile, AGs from at least 30 other states have formed a multistate investigation into Volkswagen’s actions regarding its clean diesel claims, with AGs from New York and Illinois serving subpoenas on the carmaker.

Data Privacy

European Court of Justice Attacks Safe Harbor

  • The European Court of Justice (CJEU)—the highest court on issues of EU law—has ruled that a 2000 agreement between the European Commission and the U.S. Department of Commerce granting safe harbor for data transfers across the Atlantic failed to adequately protect the privacy rights of EU citizens. The CJEU decision was based in part on the fact that U.S. law allows the government “to have access on a generalized basis to the content of electronic communications,” which the CJEU felt “compromise[ed] the essence of the fundamental right to respect for private life.”
  • The safe harbor agreement created a streamlined protocol under which firms could transfer personal data from Europeans to the U.S. while maintaining legality under EU privacy law. The safe harbor agreement allowed firms to self-certify that they were in compliance with the requirements of EU privacy law. The safe harbor also provided a standard from which the Federal Trade Commission, the main U.S. authority on data security, could judge a company’s compliance efforts.
  • As some commentators have noted, the decision may have broad effects for companies looking to transfer data to the U.S., not only large tech companies like Facebook or Google, but any company that has international operations and the need to transfer employee or customer data. Without the safe harbor option, data exporters will need to execute standard contract clauses identified by the EU Data Protection Directive, or adopt binding company rules with specific reference to the data involved and the security precautions in place to ensure that it will be protected once transferred outside of the EU.
  • From the European perspective, the outcome is significant: transatlantic companies may need to compartmentalize data in the EU country where it is collected, and deny access without approval through diplomatic channels. As we have previously reported, Microsoft is battling with the Department of Justice over whether it must provide direct access to data stored on servers in Ireland in response to a U.S. subpoena.


Gulf States Get Final Settlement From Deepwater Oil Spill—BP on Hook for Record Civil Penalty

  • BP Exploration & Production Inc. reached an agreement to settle all remaining claims stemming from the 2010 Deepwater Horizon oil spill in the Gulf of Mexico.
  • As indicated in the Consent Decree containing the terms of the settlement, which is guaranteed by parent companies BP Corporation North America Inc. and BP P.L.C., BP will pay approximately $20.8 billion, including:
    • $8.1 billion to federal and state trustees for damages to natural resources, with $700 million set aside to address any natural resource conditions that are currently unknown and to assist in adaptive management needs.
    • $5.5 billion as a civil penalty for violating the U.S. Clean Water Act—the largest civil penalty in the history of environmental law.
    • $4.9 billion to the Gulf states (Alabama, Florida, Louisiana, Mississippi, and Texas), and an additional amount, up to $1 billion, to numerous local governments, to settle claims for economic damages caused by the spill.
  • The Consent Decree and the Damage Assessment and Restoration Plan are lodged at the U.S. District Court for the Eastern District of Louisiana, and will be available for public comment until December 4, 2015.


New York AG Probes Fantasy Sports for Insider Bets

  • New York AG Eric Schneiderman has initiated an investigation into daily fantasy sports betting site operators FanDuel Inc. and DraftKings Inc. in the wake of allegations that employees may have used nonpublic information to make wagers.
  • AG Schneiderman sent letters specifically seeking responses to questions, including how the websites store user-generated data, how that information is protected, and whether the companies have rules or policies regarding who can access or use that information. Among other things, the letters request information regarding an employee of DraftKings who allegedly won $350,000 by playing daily fantasy sports on rival FanDuel.
  • There is also a growing concern over the legality of daily online fantasy sports. The 2006 Unlawful Internet Gambling Enforcement Act contained a carve out for “fantasy sports,” but commentators wonder if that would be applicable to the form offered by the two sites. Senator Bob Menendez and Representative Frank Pallone have asked the Federal Trade Commission to weigh in on the discussion, and Rep. Pallone had previously requested a Congressional hearing on the issue of fantasy sports and sports betting.

SEC Settles With Drug Maker Over FCPA Allegations in China

  • The Securities and Exchange Commission (SEC) accepted Bristol-Myers Squibb’s (BMS) Offer of Settlement, resolving charges that the pharmaceutical maker violated the Foreign Corrupt Practices Act (FCPA) by offering cash payments and other benefits to health care providers at state-owned hospitals in China in exchange for increased sales of BMS’s prescription medications.
  • The SEC alleged that BMS failed to detect and prevent personnel at BMS’s joint venture in China from offering bribes. The SEC alleged that BMS did not properly investigate “red flags” indicating that improper payments were occurring, including claims made by former employees. It also claimed that BMS did not properly implement a formal FCPA compliance program, including violations of the Recordkeeping and Internal Controls Provisions of the FCPA.
  • BMS did not admit to the findings, but agreed to return $11.4 million in profits and to pay a civil penalty of $2.75 million to the SEC. In addition, BMS has implemented measures to enhance its ability to detect and prevent bribery, specifically in its expense claims that involve interaction with health care providers.

State AGs in the News

Posted in Consumer Financial Protection Bureau, Consumer Protection, Environment, Securities, State AGs in the News

Consumer Financial Protection Bureau

CFPB Double Teams With DOJ to Double Up on Fifth Third

  • The Consumer Financial Protection Bureau (CFPB) resolved two separate enforcement actions with Fifth Third Bancorp, the first claiming discriminatory auto loan pricing and the second claiming deceptive acts or practices in marketing credit card add-on products.
  • In the first action, the CFPB, working with the U.S. Department of Justice (DOJ), alleged that Fifth Third violated the Equal Credit Opportunity Act by giving auto dealers discretion to charge auto loan interest rates that were higher than those set by the bank, based on factors other than the consumer’s creditworthiness. Although Fifth Third did not discriminate directly, the CFPB and DOJ alleged that its use of subjective and unguided pricing discretion as an indirect lender resulted in dealerships charging higher rates to qualified African-American and Hispanic borrowers.
  • In addition to paying a penalty of $18 million, Fifth Third agreed to limit dealer markup to 1.25 percent, for loans of 60 months or less, and 1 percent, for loans greater than 60 months.
  • In the second action, the CFPB alleged that Fifth Third (through the actions of its third-party service providers) violated the Consumer Financial Protection Act by deceptively enrolling consumers in a credit card add-on product without first providing adequate disclosure as to its terms and conditions. The CFPB also alleged that Fifth Third misled consumers through sales calls and other marketing efforts, where they indicated that the cardholder could sample the product “risk-free” when in fact the bank had already enrolled them for a monthly fee.
  • Fifth Third agreed to pay $3 million to affected consumers and a $500,000 penalty to the CFPB to resolve the allegations related to the add-on product. In addition, the bank agreed to create a Vendor Management Program and an internal audit process to monitor its service providers’ compliance therewith.

Consumer Protection

FTC Sues Weight Loss Supplement Company for “Gagging” Consumers

  • The FTC filed a lawsuit in federal court against Roca Labs, Inc. and Roca Labs Nutraceutical USA, Inc. (together, “Roca”) alleging that Roca’s marketing and sales of its weight loss supplements—a powder that when mixed with water creates a gel-like substance purported to take up space in the stomach, and thus reduce the capacity for caloric intake—violated Sections 5 and 12 of the FTC Act.
  • In the complaint, the FTC alleged that Roca’s marketing practices were deceptive because they stated or implied that consumers could lose substantial amounts of weight by taking Roca’s products (e.g., as much as 21 pounds in one month, 90 percent success rate in achieving substantial weight loss) without adequate research to substantiate the claims. The FTC further alleged that Roca misrepresented that its products “create a natural gastric bypass effect in the stomach,” and deceptively used search engine queries like “gastric bypass surgery” to direct consumers to its website.
  • The FTC also alleged that Roca unfairly used “gag clauses” in their sales contracts and terms and conditions of use, through which Roca threatened to sue purchasers if they complained to a third-party consumer reporting organization (e.g., Better Business Bureau), or posted negative comments about Roca and its products on Internet websites. Roca also failed to provide refunds: the initial three to four month supply cost $480. The lawsuit was filed in federal court for the Middle District of Florida, No. 8:15-cv-02231.

California AG Seeks Greater Transparency in Prop 65 Private Enforcement

  • California AG Kamala Harris has proposed amended regulations to govern the enforcement of Proposition 65, the state law requiring businesses with 10 or more employees to warn individuals through labeling when there is a risk of exposure to known carcinogens or other substances that may cause reproductive harm.
  • The amended regulations seek to address one particular area of scrutiny: Proposition 65 has been criticized over the years for too freely allowing private enforcement actions against unsuspecting businesses when the AG does not file a lawsuit after a notice period. These private enforcers are permitted to retain 25 percent of any penalty recovered—up to $2,500 per person exposed, per day. Because Proposition 65 claims can be combined with other state laws that allow disgorgement of profits (unfair practices) and attorneys’ fees when a plaintiff acts in the public interest, Proposition 65 has been seen as creating lucrative opportunities for private litigants with little public benefit.
  • The amended regulations focus on increasing transparency and ensuring a public benefit when Proposition 65 is enforced through private lawsuits. The amended regulation requires private enforcers to provide greater disclosure to the AG’s office during litigation, and would require a private plaintiff to demonstrate to a court approving a settlement, that any “Additional Settlement Payments” (i.e., payments in lieu of a civil penalty) are in the public interest, and would ensure that settlements are not structured so as to erode funding for the Office of Environmental Health Hazard Assessment.


Federal, State, and Local Regulators Clean Up Glass Producer

  • The U.S. Environmental Protection Agency (EPA), together with the states of Iowa and New York and the San Joaquin Valley Air Pollution Control District, settled claims with Guardian Industries Corp. for alleged violations of the U.S. Clean Air Act.
  • The regulators alleged that Guardian modified its furnaces at several glass manufacturing facilities across the nation without installing the proper pollution control technologies, and without obtaining the required permits under the Clean Air Act.
  • The Consent Decree, which is subject to court approval after a period of 30 days for public comment, requires Guardian to pay $312,000 in civil penalties to the EPA and the states. It also requires Guardian to install certain pollution control technologies estimated to reduce emissions of soot, nitrogen oxides, sulfur dioxide, and sulfuric acid by approximately 50 percent.

Wyoming AG Defends Laws Prohibiting Pictures

  • A coalition of conservation and animal rights groups has filed a lawsuit in U.S. District Court for the District of Wyoming challenging the constitutionality of two Wyoming statutes passed earlier this year that would restrict the ability of individuals to gather data on the condition of natural resources on private and public land.
  • The first law, Wyoming Statute § 6-3-414, criminalizes the collection of resource data on private land, where the data collector intends to submit the data to an agency of the state or federal government. It also states that data collected would not be admissible in any civil or administrative proceeding. The second law, § 40-26-101, prohibits gathering resource data on both private and public land if the person does not have specific authorization to gather the data. As commentators have noted, the Wyoming laws could apply to a broad range of activity, even tourist photos taken after hours in a National Park and posted on an internet forum.
  • The lawsuit seeks to declare the laws unconstitutional under the First Amendment, the Supremacy Clause, and the Equal Protection Clause. It also seeks to enjoin Wyoming AG Peter Michael and the state Department of Environmental Quality from enforcing them. The case is Western Watersheds Project v. Attorney General, Case No. 2:15-cv-00169.


Delaware and Massachusetts AGs Question Advisors’ Use of Leveraged ETFs

  • Delaware AG Matt Denn and Massachusetts AG Maura Healy settled with LPL Financial, LLC, resolving the AGs’ investigation into whether LPL violated state law through the use of leveraged exchange traded funds (ETFs) in consumer investment accounts.
  • The AGs’ investigation centered on whether LPL’s investment advisors properly disclosed the risks associated with leveraged ETFs, and whether such investments were even suitable for LPL’s clients. Leveraged ETFs are investment funds that seek to achieve a multiple of the daily returns on an index like the Standard & Poor’s 500. The AGs iterated, however, that returns from leveraged ETFs can be much more negatively affected during periods of market volatility, causing an investor to lose money when holding leveraged ETFs, even if the investor correctly guessed on the direction of the relevant index.
  •  Under the terms of the settlement, LPL will pay $1.6 million to compensate and educate investors, as well as $200,000 in civil penalties to both states

State AGs in the News

Posted in Charities, Consumer Protection, Environment, False Claims Act, Financial Industry, Securities, State AGs in the News

Practice Insights

Its Only “Natural”

  • In a recent post, Dickstein Shapiro Counsel Doreen Manchester discusses issues surrounding the use of the term “natural” in connection with consumer products.


California Gives AG Greater Oversight of Charities

  • California Governor Jerry Brown signed into law a bill that seeks to increase transparency and accountability in charitable fundraising.
  • The new law, which goes into effect in January 2016, will bring some significant changes, particularly for those companies that raise money for charities. For-profit companies acting as fundraisers will be required to disclose to potential donors that a portion of their contributions will be retained by the company. In addition, fundraising counsel will be precluded from compensation that is based on a percentage of donations received.
  • The law will also expand AG enforcement authority, by: including for-profit fundraising firms and other third parties in the 10-year statute of limitations applicable to charitable enforcement cases; and allowing the AG to bring enforcement cases against fundraising firms and other third parties who aid and abet a violation of the laws on charities.

Consumer Protection

FTC Looks Closely at Vision Improvement App

  • The Federal Trade Commission (FTC) settled with software developer Carrot Neurotechnology, Inc. and owners Adam Goldberg and Aaron Seitz (together, “respondents”), resolving claims that respondents falsely represented that their Ultimeyes app, which it sold for between $5.99 and $9.99, would restore and improve users’ vision.
  • The FTC alleged that Carrot made deceptive efficacy claims (e.g., “improves vision on average by 31%”) and false establishment claims (e.g., “scientifically shown to improve vision ”). The FTC indicated that respondents did not have proper scientific evidence to support these claims and failed to disclose that the research it cited in support of its claims came from an affiliated source.
  • The proposed consent order requires the respondents to pay $150,000 to the FTC for a consumer redress fund, and to provide customer information to the FTC so it can efficiently satisfy claims. It also calls for respondents to conduct adequate human clinical testing before making health benefit or performance-based representations on future products. The proposed order will be open for comments for 30 days before the FTC decides whether to make it final.

Missouri AG Conducts Price Check on Walgreens

  • Missouri AG Chris Koster is headed back to court with Walgreens over allegations that the drugstore chain has failed to implement a 2013 consent judgment that required the drugstore chain to prevent consumer deception resulting from expired or inaccurate price tags. The 2013 order requires, among other things, that Walgreens replace expired sale tags within 12 hours after the price has changed.
  • AG Koster’s investigation found that during a five-week period this summer, 49 of 50 Walgreens stores had expired or otherwise incorrect price tags. It also revealed that many consumers were overcharged at the register as a result of expired tags.
  • AG Koster filed a motion to hold Walgreens in contempt, and is seeking to fine the company up to $5,000 for every violation discovered, as well as additional fines for every day that an expired tag is found.


Investigative Engines Rev in Response to Findings on Volkswagen “Clean” Diesels

  • The U.S. Environmental Protection Agency (EPA) issued a Notice of Violation of the Clean Air Act to Volkswagen AG, Audi AG, and Volkswagen Group of America, Inc. (Volkswagen) effectively recalling nearly 500,000 cars equipped with “clean diesel” engines.
  • The EPA and the California Air Resources Board (CARB) concluded that Volkswagen rigged its software so that its U.S. emissions test results would show that its vehicles had a cleaner exhaust profile than they actually did. Testing conducted by the EPA and CARB indicated that the affected vehicles emit up to 40 times more pollution than emission standards allow. The results from this joint investigation triggered governments in Europe and elsewhere to look deeper into Volkswagen’s emissions compliance.
  • In the U.S. the issue is far from resolved. Members of Congress are calling for the FTC to investigate whether Volkswagen’s advertising of clean diesel violates the FTC Act’s prohibition on deceptive practices. In addition, New York AG Schneiderman is undertaking an investigation that could be joined by other State AGs, into whether Volkswagen’s actions violated state unfair and deceptive practices and environmental protection laws. Volkswagen has set aside $7.3 billion to address the approximately 11 million vehicles affected worldwide, but warned that future costs remain undetermined.

False Claims Act

DOJ Piles on For-Profit College

  • ITT Educational Services, Inc. disclosed that it is under investigation by the U.S. Department of Justice (DOJ) to determine whether it violated the False Claims Act.
  • In a recently filed 8-K, ITT indicated that the DOJ had issued a Civil Investigative Demand asking for documents and answers to interrogatories regarding whether ITT “knowingly submitted false statements in violation of the Department of Education’s Program Participation Agreement regulations.” ITT indicated that it believes its practices were in compliance, and that it is cooperating with the DOJ.
  • ITT is currently defending two other government lawsuits. The Consumer Financial Protection Bureau filed suit last fall, alleging that ITT engaged in predatory lending practices, and the Securities and Exchange Commission filed suit in May 2015, alleging that ITT committed fraud in concealing the size of nonperforming student loan portfolios from investors.

Financial Industry

Regulators Grab for Bitcoins—New York DFS Issues First-of-Kind “BitLicense”

  • The New York Department of Financial Services (DFS) issued the first “BitLicense” to Circle Internet Financial Ltd., allowing the mobile payments firm to transfer and exchange virtual currencies, including bitcoin.
  • DFS finalized its rules for virtual currencies in June, and gave existing virtual currency firms until August 10 to apply for a license. DFS reported receiving 25 applications. At that point, former DFS superintendent Benjamin Lawsky provided a variety of clarifications regarding how DFS will exercise its new authority:
    • Only firms that are financial intermediaries (i.e., those that hold customer funds) will be required to apply for a BitLicense.
    • Companies will need prior DFS approval for material changes to their products or business models, such as offering exchange services.
    • DFS will not require duplication of compliance efforts—companies that already report to federal regulators, such as Treasury’s Financial Crimes Enforcement Network (FinCEN), can forgo duplicative DFS requirements.
    • Large investors (>10 percent) must demonstrate that they will not be a control person.
  • At the same time, the U.S. Commodity Futures Trading Commission (CFTC) is asserting authority over virtual currencies. The CFTC recently accepted an Offer of Settlement from Coinflip, Inc., resolving allegations that it violated the Commodity Exchange Act by operating as a clearing platform for bitcoin futures and options trading. According to the Order, the CFTC declared that virtual currencies are commodities.

Another California City Sues Bank for Housing Discrimination

  • The City of Oakland, California filed a lawsuit against Wells Fargo Bank, N.A., alleging predatory lending and discrimination in violation of the U.S. Fair Housing Act and the California Fair Employment and Housing Act.
  • Oakland’s complaint centers on the claim that Wells Fargo gave more expensive and higher-risk loans to Oakland’s black and Hispanic residents, despite the City’s claim that many qualified for favorable loan terms like those given to white borrowers. The lawsuit mirrors similar claims from the City of Los Angeles, and from Cook County, Illinois. Those suits were dismissed in July.
  • Wells Fargo replied that “[Oakland’s] accusations against Wells Fargo do not reflect how we operate in the communities where we do business.” The bank emphasized that it will vigorously defend its record as a fair and responsible lender.


SEC Wields Cybersecurity Authority

  • The Securities and Exchange Commission (SEC) settled with R.T. Jones Capital Equities Management, Inc., resolving claims that the investment advisor failed to implement cybersecurity protections required by Rule 30(a) of Regulation S-P (“Safeguards Rule”). The SEC censured R.T. Jones, and ordered it to pay a civil penalty of $75,000.
  • The Safeguards Rule, adopted by the SEC in 2000, requires registered investment advisers to implement policies and procedures reasonably designed, a) to insure the security of customer records and information, b) to protect against anticipated threats, and c) to protect against unauthorized access to customer information.
  • This action was initiated following a data breach in which a hacker gained access rights to unencrypted data stored on a third-party web server, including dates of birth and social security numbers, for more than 100,000 individuals. Although there has not been evidence of any clients being harmed by the breach, the SEC found multiple deficiencies in R.T Jones’ cybersecurity policies, the SEC has indicated that it will emphasize cybersecurity in light of the increasing number of cyberattacks on financial firms.

It’s Only “Natural”

Posted in Consumer Protection

Class action litigation over consumer product claims continues to rise, and no product is safe, whether food, dietary supplement, or cosmetic. Those manufacturers looking to distinguish their products through the use of the terms “natural” or “all-natural” have done so at the risk of drawing attention from the plaintiff’s bar and consumer groups. In August 2014, a class action lawsuit, Paulino et al v. Conopco Inc., was filed in the Eastern District of New York, alleging that Conopco, doing business as Unilever, misled consumers when it marketed a line of its personal care products (including shampoos, conditioners, body washes, and lotions) under the product name “Suave NATURALS.” Plaintiffs allege that the representation of “NATURALS” on the packaging of these products is misleading because the products contain unnatural and synthetic ingredients.

On August 17, 2015, Judge Gleeson ruled on Conopco’s motion to dismiss, allowing the majority of the claims to survive and move forward. Specifically, Judge Gleeson left intact claims for breach of warranty and violations of New York General Business Law § 349, which prohibits deceptive acts or practices. As Judge Gleeson indicated, a claim under § 349 only requires that a plaintiff allege (1) that the defendant was engaged in a “consumer-oriented” business practice or act; (2) the act or practice was misleading in a material respect; and (3) the plaintiff was injured as a result.

The crux of the Plaintiffs’ claims, as it regards the misleading element under § 349, is twofold: First, that Conopco knew that the use of the term “natural” on consumer products is a “purchase motivator”; and second, that the Plaintiffs purchased the products believing they were, in fact, “natural,” when they were not. These are both factual determinations.

Plaintiffs pointed to other aspects of the label to bolster their allegations that a reasonable consumer would be misled, drawing attention to the implication that the products were infused with certain ingredients like sun-ripened strawberries, wild cherry blossoms, and tropical coconuts. For the Plaintiffs, the fact that the products bore pictures of nature scenes, and images of cherry blossoms and coconuts, only added to the confusion—at least according to the complaint.

Conopco argued that no reasonable consumer could have been confused by its labels. Conopco indicated that its products are a value brand, and that its labels make no explicit claim of being “all natural” or “100% natural.” Instead, the Judge found that the complaint sufficiently alleged violations of § 349, indicating that a reasonable juror could reach the conclusion that the use of the term “NATURALS” on a shampoo label indicates that the product inside is mostly comprised of natural ingredients.

So while this case moves forward, manufacturers and consumers alike are left to ponder its implications. The easy explanation is that judges are often cautious at the motion to dismiss stage, and as the issue of consumer reasonableness is predominantly factual, cases like this should proceed to discovery.

Yet one is left to wonder what, exactly, a manufacturer can say on a label to avoid costly litigation in this area—one that the FDA has not addressed through regulation. Should manufacturers avoid launching products that have words or images depicting, for example, the ocean or waterfalls on the label for fear that the reasonable consumer expects there to be a dab of the Atlantic or the mist of Niagara Falls in the product? Probably not. Indeed, consumers are more product savvy than that.

Recent trends calling for greater disclosure of artificial dyes, flavors, and GMOs are actually a result of a higher level of consumer savviness. Yet there is still a line of case law that expects reasonable consumers to look no further than the front of the box to garner the truth about a product and its ingredients (See, e.g., Williams v. Gerber Prods. Co.). It goes without saying that manufacturers should not deceive consumers through their labels and consumers should get what they pay for. But there must be some balance between thwarting deception and using common sense.

For now, the boundaries for how products can use the term or concept of “natural” will continue to remain fuzzy. Manufacturers seeking to tout “natural” elements of their products should assume that their labels will be closely scrutinized, make their claims carefully, and be able to back them up with substantiation.

State AGs in the News

Posted in Consumer Financial Protection Bureau, Consumer Protection, Data Privacy, False Claims Act, Securities

Consumer Financial Protection Bureau

CFPB Takes on the World, Secures Injunctions

  • The Consumer Financial Protection Bureau (CFPB) filed a lawsuit in the Southern District of Florida against World Law Debt Services, LLC; Orion Processing, LLC; Family Capital Investment & Management, LLC; and a group of related companies and individuals (together, “World Law”) for violations of the Consumer Financial Protection Act and the Telemarketing Sales Rule.
  • The complaint centered on World Law’s alleged representations to provide consumers with a “team of attorneys” that would negotiate consumer debt settlements directly with creditors. The CFPB alleged that such representations were deceptive as most of the debt relief services provided were performed by non-attorneys, even when the creditor initiated debt collection litigation. The CFPB also alleged that World Law instructed consumers to stop paying their creditors directly, and instead direct the payments to World Law, which resulted in lowered credit scores, late fees, and collection suits. In addition, consumers suffered harm because World Law was generally unsuccessful in negotiating lower debt payments.
  • The CFPB also alleged that World Law violated the Telemarketing Sales Rule by charging consumers upfront fees for debt relief services. The CFPB indicated that World Law charged initial fees and monthly attorney fees, and “bundled legal service fees” ranging from 10 to 15 percent of the consumers’ outstanding debt balance.
  • The CFPB secured preliminary injunctions, asset freezes, and appointment of receivers against both groups of defendants (Orion Processing and Capital Investment). The Court also granted CFPB permission to take limited expedited discovery for the purpose of locating assets, documents, and business records, and enforcing compliance with the order to enjoin defendants’ business operations.

Consumer Protection

FTC Warns Against the Deceptive Use of Green Seals

  • The Federal Trade Commission (FTC) sent letters to environmental certification organizations, and to businesses using the organizations’ certification seals, warning both groups that the seals were being used in a manner that was not in compliance with the FTC’s Guides for the Use of Environmental Marketing Claims, and that could be misleading to consumers.
  • The main concern for the FTC is that when companies use an unqualified certification seal without stating the specific environmental benefit or attribute the product is claiming (e.g., biodegradability), the seal creates the impression that the product has a broader range of environmental benefits or attributes than it really does. The FTC indicated that unqualified green certifications can be misleading to consumers, who might view the “green” seal as an indication of compliance with all potential aspects of environmental certification.
  • The FTC did not announce any enforcement action associated with the warning letters—nor did it disclose the names of the organizations or companies involved—but it indicated the growing importance for environmentally-conscious consumers to be able to accurately rely on a company’s claims regarding the “greenness” of its products. In the past, the FTC has followed previous warning letters with enforcement actions under Section 5 of the FTC Act when companies continued to make false or deceptive statements related to environmentally-conscious product claims.

New York AG Seeks Recall of “Adulterated” Devil’s Claw

  • New York AG Eric Schneiderman has sent cease-and-desist letters to companies that make or distribute a dietary supplement derived from the devil’s claw plant, native to the Kalahari desert and marketed for treating joint pain, contending the supplements are either adulterated or misbranded. AG Schneiderman has asked the companies to create a plan outlining how they will recall the affected shipments.
  • The AG’s action is based on a study by the New York Botanical Garden, which in turn relied on a relatively new form of testing using DNA barcodes to determine that the indicated supplements claiming to contain extracts from the devil’s claw plant are actually made from a cheaper, related plant species that does not contain the same array of phytochemicals. As we have noted in prior posts, the New York AG’s office has placed dietary supplements under close scrutiny since an investigation in February alleged a wide discrepancy in product contents.
  • But not all botanists agree. The American Botanical Council responded that the AG’s investigation is incorrect in its conclusion, arguing that “[b]oth species of devil’s claw have a similar chemical profile” and “both are considered equally effective.”

Data Privacy

Senators Show Continued Interest in Car Hacking

  • Senators Richard Blumenthal of Connecticut and Edward Markey of Massachusetts have sent letters to 18 car makers, asking for updated information as to how the companies are addressing the cybersecurity and privacy risks associated with automobiles’ increased use of electronic controls connected through control area networks.
  • The issue has been on the Senators’ agenda since 2013, but gained urgency when researchers demonstrated they could hack a car from 10 miles away and take over control of vital functions like the brakes, transmission, and engine. The two senators have co-sponsored the Security and Privacy in Your Car Act (or SPY Car Act) of 2015, which has been referred to the Committee on Commerce, Science, and Transportation.
  • In addition, Senator Markey conducted a 2014 investigation and authored a thorough report based on the findings, concluding that automakers’ security and privacy practices were “alarmingly inconsistent and incomplete.” Senator Markey has also indicated his desire for the National Highway Traffic Safety Administration to work with the FTC to create clear and mandatory rules to govern the automotive industry, and to rely less on voluntary agreements.

Department of Commerce Scraps First Attempt to Control Hacking Software

  • The Department of Commerce, Bureau of Industry and Security (BIS) will revisit its efforts to codify export controls on intrusion software, after its first attempt garnered a multitude of criticism. BIS action is needed in this area to implement an agreement among 41 countries intended to control the export of certain dual-use technologies (where one use is for weapons or surveillance).
  • The Proposed Rule, issued last May, sought to extend BIS authority over—and thus require a license to export—“intrusion software,” or computer programs designed to allow a hacker to extract data or take control of a computer or network from an external location.
  • The problem, according to Congressman Jim Langevin and industry analysts, was that the Proposed Rule did not properly distinguish between offensive uses (bad) and defensive uses (good) of such software. Without a better distinction, the Proposed Rule could actually hamper cybersecurity research efforts and prevent multinational companies from building more robust network security processes.


False Claims Act

State Hospital System Settles False Claims Suit With DOJ

  • The U.S. Department of Justice (DOJ) has settled with North Broward Hospital District (Broward), a special division of the state of Florida that operates multiple hospitals throughout the state, over alleged violations of the U.S. Stark Law, Anti-Kickback Statute, and False Claims Act.
  • The underlying lawsuit, filed by a whistleblower in 2010, alleged that Broward violated Stark and other federal laws by providing significantly above-market salaries, based on the volume of referrals, to a group of nine doctors who allegedly made Medicare or Medicaid patient referrals to various other departments of the hospitals. Broward allegedly applied pressure to keep certain referrals within its network, even though some physicians were concerned about quality of the referred services.
  • For its part, Broward indicated that the settlement will not require a tax increase, or result in the delay of any capital projects. It specifically noted that the allegations were focused solely on “highly complicated contracts with physicians,” and that the “investigation was never about patient care.” Broward agreed to pay $69.5 million to settle the lawsuit, of which $12.05 million will be paid to relator Dr. Michael Reilly under the qui tam provisions of the False Claims Act.


Another Settlement Floats up From Dark Pool Investigations

  • According to news reports, Credit Suisse Group AG has reached an agreement with the Securities and Exchange Commission (SEC) and New York AG Eric Schneiderman to settle claims arising out of its use of private share trading exchanges (“dark pools”) that allegedly provided an improper advantage to high frequency traders to the detriment of institutional investors.
  • Like similar cases against other banks operating private dark pool exchanges, the allegations against Credit Suisse involve deficiencies in how the bank described and disclosed to its clients the mechanism through which trades were executed.
  • Under the terms of the agreement, the Swiss bank will pay $50 million in fines and disgorgement to the SEC and $30 million to the New York AG.

State AGs in the News

Posted in Consumer Financial Protection Bureau, Consumer Protection, Data Privacy, False Claims Act, Securities, States v. Federal Government

Consumer Financial Protection Bureau

CFPB Lowers the Curtain on Debt Buyers

  • The Consumer Financial Protection Bureau (CFPB) secured consent orders with Encore Capital Group, Inc. (including subsidiaries Midland Funding, LLC, and Midland Credit Management, Inc.) and Portfolio Recovery Associates, LLC, resolving allegations that the two debt purchasers and collectors violated the Fair Debt Collection Practices Act and the Consumer Financial Protection Act by engaging in unfair and deceptive collection practices.
  • The CFPB alleged that Encore and Portfolio (including their subsidiaries) purchased delinquent and charged-off consumer debt accounts for “pennies on the dollar,” and then used high-pressure practices (which included making false statements, harassing consumers, and threatening lawsuits) to collect on the debt. In some cases, the CFPB found that the debt was unsubstantiated, indicated an inaccurate amount, or was legally unenforceable; in others, it argued that the collectors filed lawsuits with no intent of proving the debt, but rather they sought to obtain default judgments against unknowing consumers.
  • The consent orders require Encore and Portfolio to stop collecting on over $128 million in debt, and to take action to remedy their actions alleged to be in violation of the law, including providing refunds of over $61 million for debt that was time-barred, or otherwise invalid when collected. The collectors must also move to vacate all judgments and dismiss all lawsuits where they misrepresented that a debt would be assumed valid. Finally, the collectors must pay civil penalties to the CFPB: $10 million for Encore, and $8 million for Portfolio.

Consumer Protection

New Jersey AG Settles With App Dealer

  • Acting New Jersey AG John Hoffman settled with DealerApp Vantage, LLC, resolving allegations that the mobile app developer violated the New Jersey Consumer Fraud Act by providing customized apps and accompanying marketing strategies services to automobile dealerships.
  • DealerApp’s mobile app allegedly collected and transmitted consumer information, which it then passed on to third-party data analytics companies without providing notice to or securing approval from the consumers involved. The information transmitted included consumers’ names, email addresses, telephone numbers, unique device identifiers, location information, and information about the vehicles purchased. The AG determined that neither DealerApp’s nor the dealerships’ customer privacy policies adequately disclosed the scope of this use of consumer information.
  • DealerApp did not admit to violating the law, but agreed to enter into a consent order to resolve the investigation, under which it will pay $38,000 in civil penalties, and $10,724 in attorneys’ fees and investigative costs. Provided DealerApp modifies its practices to be in line with New Jersey law and otherwise complies with the terms of the order, $26,224 of the total amount will be suspended.

Data Privacy

At Federal Appeals Court, Microsoft Argues to Protect Consumer Data Stored Abroad

  • Microsoft Corp. argued before the U.S. Court of Appeals for the Second Circuit that consumer data stored on servers located in Ireland cannot be seized by the U.S. government through a domestic search warrant. The District Court—which based its decision on the question of control, not the location of the servers—had ruled against Microsoft, and ordered it to produce the requested email. Microsoft refused and was held in contempt.
  • In its appellate brief, Microsoft argued that consumers owned their email (as opposed to Microsoft corporate documents), and thus when email is stored on foreign servers, it is akin to documents in a safe deposit box. Microsoft highlighted that the Electronic Communications Privacy Act of 1986 (ECPA) does not authorize extraterritorial application, and that the government must instead use procedures set out in mutual legal assistance treaties (there is one between the U.S. and Ireland), or other diplomatic means, to involve the government of the country where the servers are located.
  • The government, which was seeking emails in aid of a drug trafficking investigation, argued that because Microsoft was a U.S. company, controlled the servers in Ireland, and maintained access to the data stored thereon through computers located in the U.S., the data was properly recoverable through a provision in the ECPA that allows federal agents to command email providers to seize and turn over customers’ private emails.

False Claims Act

Reverse Mortgage Company Moves Forward With Settlement

  • The Department of Justice (DOJ) reached an agreement with Walter Investment Management Corp. and its subsidiaries (Walter), to resolve allegations that Walter violated the False Claims Act in connection with reimbursements the lender sought under a program administered by the U.S. Department of Housing and Urban Development (HUD) that insured reverse mortgage loans.
  • HUD insures reverse mortgage loans by reimbursing lenders for the amount of the loan, including servicing costs and accrued interest, if the lender is unable to recoup the full amount when it becomes due and payable. The government alleged that Walter submitted claims for reimbursement for interest on unrecouped loans even though it had not fulfilled the necessary deadlines for notice and appraisal procedures.
  • HUD also reimburses lenders for commissions paid to real estate agents when the lender is forced to foreclose on the property in order to recover on the loan. Here, the government alleged that Walter sought reimbursement of liquidation referral fees (which are not allowed) by falsely representing that such fees were sales commissions. The government further alleged that Walter formed straw companies to handle the liquidation, then kicked a portion of the referral fees back to itself.
  • Walter must pay $29.6 million to resolve the charges against it. The case was originally filed by a whistleblower who was a former executive for one of Walter’s subsidiaries.


SEC Calls Foul on Sports Nutrition Company

  • The Securities and Exchange Commission (SEC) entered into a cease and desist order with MusclePharm Corporation, a company that manufactures sports nutrition products, for its failure to make required disclosures under the 1933 Securities Act and the 1934 Securities Exchange Act.
  • Specifically, the SEC alleged that MusclePharm omitted or understated the value of numerous executive perquisites, including those related to automobiles, private jet use, apparel, meals, golf club memberships, and personal tax and legal services. It also allegedly failed to disclose related party transactions and executive bankruptcies. The SEC also claimed that MusclePharm issued stock without a registration statement, when it offered shares to third parties who then paid cash to settle outstanding debts to vendors.
  • The order requires MusclePharm to pay a civil penalty of $700,000 to the SEC and to hire an independent consultant to conduct a comprehensive review of its policies, procedures, controls, and training regarding financial disclosures. Chief Executive Brad Pyatt was required to pay a penalty of $150,000, and other executives were suspended from practicing as accountants for SEC-regulated entities.

States v. Federal Government

Parties Prepare for Oral Argument on Vermont’s Genetically Engineered Labeling Law

  • In an important case for the food industry, Plaintiffs-Appellants Grocery Manufacturers Association, et al, have filed their reply brief in the Second Circuit Court of Appeals. Plaintiffs are seeking to overturn the district court decision denying their request for a preliminary injunction to prevent Vermont from enforcing a recently-enacted law, Act 120. that requires food producers to label products produced through genetic engineering (GE).
  • Plaintiffs contend that the law will ultimately not be upheld because it is unconstitutional, and argue that a preliminary injunction is needed because otherwise they will suffer harm as they are forced to conduct research into product supply chains to determine which products have GE components, and redesign thousands of products’ labels to be in compliance with the Act’s 2016 effective date. As the Act also precludes food companies from using the term “natural” in certain settings, Plaintiffs additionally argue it is a per se violation of the First Amendment. To this Vermont responds that Act 120 is rationally related to the State’s legitimate interest of informing consumers and preventing deception. It also argues that the Act does not violate the First Amendment because inherently misleading speech is not protected.
  • This case has received significant amici interest on both sides of the issue: Eight states, as well as scientists, farmers, and environmental and consumer advocacy groups have filed briefs in support of Vermont’s right to provide GE information to consumers. In contrast, industry groups, trade associations, and the Chamber of Commerce have filed briefs in support of plaintiffs, arguing that Act 120 would create an immense burden on businesses.
  • Meanwhile, Congress is considering whether to enter the debate. The “Safe and Accurate Food Labeling Act of 2015,” contrary to its title, would make the Vermont law largely moot by prohibiting individual states from requiring food companies to provide GE information on labels.

State AGs in the News

Posted in Antitrust, Consumer Protection, Data Privacy, False Claims Act, Securities, States v. Federal Government

AG Insights

States Seek Strengthened Data Breach Laws

  • In a recent post, Dickstein Shapiro Counsel Aaron Lancaster explains how state legislatures are shaping law and policy to better protect consumers against the growing threat of data breaches.


California DMV Asked to Prevent “Bird-Dogging”

  • California auto dealers have asked the California DMV to stop Tesla Motors Inc. from offering current Tesla owners a $1000 credit when they successfully refer a new purchaser, with the purchaser also receiving a $1000 discount.
  • The dealers argue that the practice, known in the industry as “bird-dogging,” violates state law because it provides a financial incentive to a person who is not licensed to sell vehicles. The letter from the California New Car Dealers Association argues that “other licensed dealers would like to offer similar referral fees” but “California law flatly prohibits the practice.”
  • Tesla has faced challenges to its direct-to-consumer sales model under various state competition laws, including a prior challenge to the referral program under Virginia law. In response to an inquiry by the Virginia Motor Vehicle Board, Tesla altered the program by offering the whole $2,000 incentive to the buyer.

Consumer Protection

FTC Gets to the Bottom of Wellness Drink Marketing Plan

  • The Federal Trade Commission (FTC) has filed a lawsuit against Vemma Nutrition Company and Chief Executive Officer Benson K. Boreyko for violating Section 5 of the FTC Act by operating an illegal pyramid scheme in connection with marketing health and wellness drinks through a network of independent affiliates.
  • The complaint alleges that Vemma and Boreyko deceived consumers into buying in to the Vemma Affiliate program by falsely representing the level of income they could earn from selling products, or referring other affiliates. The FTC, working with AGs from Arizona, South Carolina, and Michigan, secured a preliminary injunction and asset freeze. Boreyko is already subject to a 1999 order involving multilevel marketing and unsubstantiated claims for certain nutritional items.
  • The FTC highlighted that Vemma stressed recruitment over product sales, and that the company overall offered no guidance regarding a marketing strategy. As the FTC has indicated in its guidelines, network, or multilevel marketing operations can be legitimate, but only when the business model is based on making sales of products to the public (as opposed to recruiting paying members).

FTC Seeks Greater Disclosure From Online Endorsements

  • The FTC entered into a settlement with Machinima, Inc. to resolve allegations that the online network for video game enthusiasts engaged in a deceptive advertising campaign by paying well-known, influential gamers (“influencers”) to post videos on YouTube that promoted Microsoft’s new Xbox One video gaming system.
  • The administrative complaint explained that Machinima was hired to provide a marketing campaign that built interest around the launch of Microsoft’s new gaming system, Xbox One. As part of this campaign, Machinima allegedly paid influencers to post videos on YouTube that depicted the Xbox One products in a favorable light, giving the impression that the videos were independently produced and reflective of the influencer’s impartial personal views.
  • The consent order prohibits Machinima from misrepresenting, expressly, or by implication, that an influencer endorsing a product is an independent user or ordinary consumer if Machinima has a material connection to that product. The order also requires influencers to prominently disclose any material connection with the product they are endorsing, and prohibits Machinima from compensating any influencer who has not made the required disclosures.

Data Privacy

Facebook Alleged to Violate State Privacy Law by Storing Faces, Again

  • A second consumer class action lawsuit has been filed in federal court in Illinois, alleging that Facebook Inc. violated the Illinois Biometric Information Privacy Act through the social network’s “Photo Tag Suggest,” a feature that the plaintiffs argue encourages users to identify and label people in the photos they upload to Facebook.
  • Unlike a previously-filed lawsuit that seeks to certify a broad class that includes Facebook users, the recent complaint focuses on a narrower class of non-Facebook users who have been identified and labeled through the photo tag feature. As the Illinois law requires notification and consent before a company can store biometric data, this narrower class might better avoid the inevitable defense based on Facebook’s terms of use.
  • The case is Gullen v. Facebook, Inc., No. 1:15-cv-07681 (N.D. Ill 8/31/15). In addition to declaratory and injunctive relief, attorneys’ fees, and litigation expenses, plaintiffs are seeking statutory damages under the Illinois law of $5,000 for every intentional and reckless violation, and $1,000 for every negligent violation.

False Claims Act

Small Business Lender Sued for False Claim in Connection With SBA Loan Program

  • The Department of Justice (DOJ) settled with EDF Resources Capital Inc. and Chief Executive Officer Frank Dinsmore resolving allegations that the lender violated the False Claims Act when it failed to maintain the statutorily-required level of reserves, and failed to make required loss-sharing payments to the government under the Small Business Administration’s (SBA) 504 loan program.
  • The SBA 504 program uses local lenders, like EDF, to arrange, service, and collect on long-term business loans which are guaranteed, in large part, by the government. In exchange for authority to make loans without SBA approval, EDF was required to maintain a reserve fund to cover its share of any potential losses, and to remit certain payments to the SBA for nonperforming loans. The DOJ alleged that EDF hid some of the troubled loans in a separate entity created by Dinsmore (Redemption Reliance LLC) so as to avoid having to reimburse the SBA for its share of the risk associated with those loans.
  • The settlement requires EDF and Dinsmore to make payments and turn over certain assets worth approximately $6 million. In an earlier action, the SBA permanently revoked EDF’s authority to participate in the 504 program.


Delaware Court Finds CEO Unlawfully Drove Down Stock Price

  • Investors in Dole Food Co. secured a favorable decision in their appraisal lawsuit, alleging that Chief Executive Officer David Murdock and chief counsel Michael Carter engaged in fraud and other misconduct to drive down the company’s share price to allow Murdock to acquire control at a lower price.
  • In a memorandum opinion, the Delaware Court of Chancery found that Murdock and Carter had driven down the value of the company’s shares by convincing the directors that the company was overvalued, understating how much Dole could earn by spinning off a couple of its businesses, and by canceling the company’s stock buy-back program. The court also noted that Murdock did not disclose to the board that he had been in discussions with an investment bank for more than a year prior to the sale.
  • The court found that Murdock and Carter engaged in fraud and violated duties to shareholders by “orchestrating an unfair, self-interested transaction.” The court ordered the pair to pay $148.1 million to reimburse shareholders for the loss in value.

States v. Federal Government

AGs Push for State Sanctions on Iran

  • Oklahoma AG Scott Pruitt and Michigan AG Bill Schuette sent a letter to all 50 state governors arguing that states have legal authority to ignore President Obama’s pending action on the Iranian nuclear program and asking that they maintain and implement state-level sanctions against Iran.
  • The letter argues that the President’s executive agreement does not have the force of a treaty, and thus cannot bind the states. It argues that state entities that are stewards of public monies—like pension funds—have moral, reputational, and prudential reasons to maintain and enforce state sanctions.
  • Twenty-five states currently maintain some form of state-level sanctions against Iran, however, given the Constitutional allotment of foreign policy powers (and the Commerce Clause), the scope of states’ authority to sanction a foreign country are limited. Oklahoma currently does not have a sanctions package in place, but AG Pruitt has indicated he will work to implement one. Michigan prohibits Iranian companies or entities from submitting bids for state work or contracts, and AG Schuette has stated that he will continue to enforce that provision.

States Seek Strengthened Data Breach Laws

Posted in Data Privacy, States v. Federal Government

Data privacy and breach notification has become a hot topic for state legislatures—thanks, in part, to the prompting of State AGs and a recent spate of high profile data breaches affecting millions of consumers. During the first half of 2015, 32 state legislatures considered bills to significantly amend or enhance state laws on consumer data protection. At least 13 of those have made it beyond the governor’s desk, and of those still pending, many stand a good chance of being passed, in some form, in the fall term as the issue is one with broad bipartisan support.

General Trends

The 2015 bills demonstrate the variability of state policies’ approaches to address a common problem. Yet, for the most part, the bills demonstrate a few general trends in data protection:

  • AG Involvement: Many of the new bills require the breached entity to provide notification to the State AG, at least when facing a breach that effects a certain threshold number of consumers. States differ on the number of affected consumers necessary to trigger the reporting requirements, or the number of days a company has to report after discovering the breach, but there is a clear trend toward greater AG authority to investigate data breaches and comment on companies’ data privacy policies.
  • Encryption: The 2015 bills continue to focus on the issue of encryption, creating a safe harbor from liability for businesses to store data and personal information in encrypted format. The new Washington law goes even further as it identifies a minimum standard for encryption, and grants safe harbor only when the breach does not also provide access to the encryption key, or other capacity to decrypt the data.
  • A Growing Universe of Covered Data: State legislatures continue to expand protection to a broader set of consumer data. For example, Nevada now protects health insurance identification numbers, state driver identification numbers, credit and debit card numbers, social security numbers, user names or email addresses with passwords, and bank account information; North Dakota added consumer birth dates, mothers’ maiden name, and employment identification credentials to the list of protected data. Other states want to include birth certificates, medical information, digital signatures, security tokens, and biometric information.
  • Expanded Jurisdiction: The 2015 legislative efforts demonstrate a continued movement toward establishing liability not only for the owners of the data or the databases, but also for businesses that license, maintain, or simply access data, regardless of ownership (see e.g., Illinois S.B. 1833). Likewise, states are also expanding liability to businesses that maintain data on state residents, even if those businesses are not residents, and have no business in the state.
  • Post-Breach Mitigation: A rapidly growing trend is the requirement that a business provide identity theft protection and loss mitigation services following a data breach for which they are at fault. Certain State AGs have required this on an ad hoc basis for the past few years, but the idea to codify loss mitigation started in California last year. As we indicated then, trends can spread quickly among state legislatures. Although states appear to be converging on a 12-month period for such protection (see e.g., Pennsylvania S.B. 753), some AGs may view these provisions as a floor, and insist on greater coverage for more severe breaches.
  • Student Data Protection: Finally, states are also looking to expand protections for student-specific data. For example, Virginia H.B. 2350 would require the state department of education to create a model data security protocol to protect student data privacy, with the idea that it could then be adopted by school districts. New Hampshire H.B. 322, Utah H.B. 163, and North Dakota S.B. 2326 all attempt to create similar legislative frameworks for protecting students.

New Ideas

In this rapidly evolving area of law, policy makers are not always content to follow trends, but choose instead to get out in front of the next new problem. The lineup of 2015 bills provides a glimpse of new ideas that could find staying power among policy makers, including the following:

  • Biometrics: Biometric data is beginning to make its way into legislative definitions of protectable personal information. For example, Oregon S.B. 601 looks to protect “data from automatic measurements of a consumer’s physical characteristics, such as an image of a fingerprint, retina or iris…” Wyoming S.B. 36 includes “data generated from measurements or analysis of human body characteristics for authentication purposes.”
  • Mobile: States are also experimenting with provisions that specifically address mobile data issues. Connecticut S.B. 949 includes a provision that requires companies that sell smart phones to ensure capability for the owner to lock out the phone when it is lost or stolen. Illinois S.B. 1833 contained a provision that would have expanded protected personal information to include geolocation data, however that bill was vetoed by the Governor on the basis that guarding geolocation data was too onerous, and not in line with other states’ requirements. As more consumer activity migrates to the mobile web, we are likely to see more states try to address mobile-specific issues of data security.
  • Secure Access Measures: In certain sensitive industries like insurance and banking, a few states have sought to require companies to use specific data security protocols, like multifactor verification, secure access controls, and internal security compartmentalization that prevents employees and third-party affiliates from accessing data outside the specific needs of their duties, and creates firewalls against hackers who gain access to one area of the system.

Harmonization or Amalgamation?

It is not too surprising that state policies addressing a rapidly evolving area of law—like consumer data privacy—will vary in their approach. As uniform federal legislation has failed to build consensus in Congress, and since State AGs are almost uniformly against federal legislation on this topic that would preempt state law, the baton remains in the hands of state legislatures.

Although it is still too early to determine whether a unified theory of data protection will emerge from the assorted state efforts, the business reality is that it might not even matter. As states focus their data breach jurisdiction on consumers, and businesses expand in a digital space without state lines, the stricter elements of each state’s data privacy regime will become part of an amalgamated national approach. Illinois Governor Rauner essentially acknowledged this in the text accompanying his veto of S.B. 1833, where he argued that Illinois need not require companies to post a privacy notice on their website, because California already does. Thus, for large and midsized companies, rather than customize privacy policies for each state where their consumers live, the goal will be to craft a single policy with maximum compliance.

State AGs in the News

Posted in Consumer Financial Protection Bureau, Consumer Protection, Data Privacy, Health Care, Securities, State AGs in the News

Consumer Financial Protection Bureau

CFPB Joins With New York Department of Financial Services to Sue Pension Advance Companies

  • The Consumer Financial Protection Bureau (CFPB) and the New York Department of Financial Services (DFS) filed a lawsuit against Pension Funding LLC, Pension Income LLC, and managers Stephen Covey, Edwin Lichtig, and Rex Hofelter (“defendants”), for violating the Consumer Financial Protection Act and various New York state laws.
  • The complaint alleges that defendants used deceptive practices to steer military veterans and civil servants to defendants’ website, and then offered lump sum cash advances to the consumers in exchange for their agreement to redirect all or part of their pension payments to defendants over a period of eight years. The complaint alleged that defendants falsely advertised their product was a pension buyout (not a loan), and that it had low or no applicable interest rate and no associated costs or fees. In addition, defendants allegedly misrepresented that their product would not appear on credit reports, was not taxable, and was better than a home equity loan.
  • The CFPB and DFS, however, claim that the effective interest rate was usually greater than 28 percent—a full 12 percent higher than what is allowed by New York state usury laws, and significantly higher than comparable products such as credit cards and home equity lines. Plaintiffs seek a permanent injunction, as well as damages, disgorgement, civil penalties, and costs and fees.

Consumer Protection

AGs Seek Clarity and Procedures for Cancelation of Student Debt

  • AGs from 11 states sent a letter to the U.S. Department of Education (DOE), requesting enhanced procedures and policies to govern the process of discharging student debt associated with attendance at Corinthian and other for-profit schools.
  • The AGs’ letter specifically asks that the DOE address four main concerns:
    • the creation of a simplified process for student borrowers to apply for discharge of their loans;
    • greater participation of AGs in the process of determining whether a for-profit school has committed a deceptive practice;
    • loan discharges based on groups or cohorts of students, based on the AGs’ investigative results (not individual applications); and
    • clear guidance as to the types of loans that are eligible, the extent to which students can recover amounts already paid, and the ability to discharge loans that have already been consolidated.
  • The DOE announced that it is undertaking a rulemaking process that will clarify how certain borrowers can seek debt relief, and will strengthen provisions to hold colleges accountable for wrongdoing that results in loan discharges. The DOE plans to hold public hearings in September to establish a negotiated rulemaking committee.

FTC Shines Light on UV Disinfectors

  • The Federal Trade Commission (FTC) reached settlements with Angel Sales, Inc. and Zadro Health Solutions, Inc., resolving claims that the companies violated the FTC Act by engaging in unfair and deceptive practices and false advertising in connection with the marketing of devices that use ultraviolet light to disinfect shoes, water, and surfaces.
  • The FTC alleged (Angel Sales, Zadro) that the companies made unsubstantiated claims about their devices’ efficacy in killing certain levels of bacteria and fungi. For example, Angel Sales claimed its device “kills over 95% of germs, bacteria, even the fungus responsible for the highly contagious MRSA bacteria – in less than one hour” and Zadro claimed its products “safely kill 99.99% of targeted bacteria.” The FTC also alleged that the companies falsely implied that scientific studies supported their claims.
  • The stipulated orders (Angel Sales, Zadro) prohibit the companies from making unsubstantiated claims, expressly or by implication, and require 10 years of compliance and record-keeping. Although the FTC issued monetary judgments against both companies ($656,423 and $629,359, respectively), Angel Sales’ judgment is suspended entirely, and Zadro’s judgment partially based on their inability to pay. Zadro must provide $222,029 for consumer refunds.

Data Privacy

Court of Appeals Confirms FTC Authority Over Cybersecurity Practices

  • The Third Circuit Court of Appeals affirmed that the Federal Trade Commission (FTC) has authority to regulate companies’ cybersecurity protections for consumer data under Section 5 of the FTC Act, prohibiting “unfair or deceptive acts or practices in or affecting commerce.”
  • As we already reported, in FTC v. Wyndham Worldwide Corporation, the district court found that the FTC’s enforcement authority included data breaches. Wyndham appealed that decision, arguing that the FTC did not have authority to punish private businesses for maintaining a different level of data security than that advised by the FTC.
  • In response, the Third Circuit indicated that Wyndham’s liability was not based on the standard of data security it employed, but rather on the fact that it published a privacy policy “to attract customers who are concerned about data privacy” but failed to deliver by “investing inadequate resources in cybersecurity” and instead exposed its customers to substantial financial injury, while retaining the profits of their business.

Health Care

New York AG Pursues Hospitals With Alcohol Problems

  • New York AG Eric Schneiderman, together with the U.S. Attorney for the Eastern District of New York, reached settlements with multiple hospitals to resolve a joint investigation into alleged Medicare fraud and violations of the False Claims Act.
  • The AG alleged that SpecialCare Hospital Management Corporation, a for-profit hospital management company based in Missouri, referred patients to Columbia Memorial Hospital, St. Joseph’s Medical Center, and Benedictine Hospital (“treatment hospitals”) to receive medically unnecessary inpatient drug and alcohol treatment services, from unlicensed providers, in exchange for kickbacks in the form of an administrative services agreement.
  • SpecialCare and its former Chief Executive Officer agreed to pay $6 million to resolve the claims against it. SpecialCare also entered into a corporate integrity agreement with the U.S. Inspector General’s Office, and agreed to a five-year injunction on doing business with any health care provider in New York that submits claims to Medicaid or Medicare. For their part in the alleged scheme, Benedictine agreed to pay $880,000; St. Joseph’s $600,000; and Columbia Memorial $650,000.

Florida Looks to Crack Down on Rising Health Care Costs

  • Florida Governor Rick Scott has increased the number of planned audits of state hospitals from 31 to at least 129 in an effort to determine whether they have been overcharging Medicaid in violation of Florida law.
  • The audit follows an inquiry by the state Agency for Health Care Administration, in which the agency sought confirmation from various hospitals that they were in compliance with Florida Statute 409.975, which caps the rate that hospitals can charge the Medicaid program at 120 percent of the rate determined by the Agency.
  • Governor Scott’s concerns over Medicaid overcharges likely stems from the state’s budgetary problem, in which the state is looking to cut spending on Medicaid at a time when health care costs in the state are rising. By some accounts, Florida will be short $579 million in meeting its health care funding needs for 2016-17.


Federal Judge Looks Into Dark Pools, Doesn’t See Viable Claims

  • A federal judge for the Southern District of New York has dismissed claims against major U.S. stock exchanges and Barclays Plc in connection with allegations that they created “dark pool” alternative trading platforms and allowed high-frequency traders to front-run regular investors’ trades.
  • The court conceded that the dark pools might lack a “productive purpose” and “merely allow[ed] certain traders to exploit technological inefficiencies.” Yet it found that the exchanges, as self-regulated organizations, enjoyed “absolute immunity” against plaintiffs’ claims that they created complex orders for, and provided nonpublic information to, high-frequency traders, allowing the traders to exploit the infrastructure of the data feeds and networking of the exchanges. The judge indicated that such immunity even applies when the exchanges “act in a capricious, even tartuffian manner which causes enormous damage.”
  • In February, a New York state court denied Barclays’ motion to dismiss claims brought by AG Eric Schneiderman, alleging that Barclays violated the New York Martin Act when it made material misrepresentations to investors regarding how its dark pool trading platforms operated. That case is ongoing.

State AGs in the News

Posted in Antitrust, Consumer Protection, Data Privacy, False Claims Act, State AGs in the News

Hot News

Commissioner Joshua Wright to Leave FTC

  • The Federal Trade Commission (FTC) announced this week that Commissioner Joshua D. Wright, a Republican member of the FTC, will resign his position on Monday, August 24, 2015.
  • Wright, who has been with the agency since January 2013, will return to George Mason University School of Law as a Professor of Law.
  • The announcement was made less than a week after the FTC issued official guiding principles on its Section 5 enforcement authority, which we talked about in last week’s post.


Pharmaceutical Companies Settle With FTC Over Generic ADHD Drug Allegations

  • Concordia Healthcare Corp. and Par Pharmaceutical Holdings Inc. settled with the FTC this week regarding Federal Trade Commission (FTC) allegations that the companies engaged in anticompetitive conduct.
  • The FTC alleged that Concordia and Par entered into an agreement in which Concordia and Par agreed not to compete in the sale of the generic version of Kapvay, which treats attention deficit hyperactivity disorder. According to the FTC complaint, Concordia agreed not to sell the generic drug in exchange for a share of Par’s revenues, resulting in higher prices for consumers.
  • Under the settlement, among other things, the companies are prohibited from continuing the alleged anticompetitive practice and both companies are prohibited from entering agreements to bar, or delay entry of an authorized generic drug.
  • In June, we reported a similar settlement where Cephalon Inc. and its parent company, Teva Pharmaceutical Industries Ltd., agreed to pay $1.2 billion to settle FTC allegations that Cephalon reached agreements with drug manufacturers that blocked generic drug competition.

Consumer Protection

Forty-nine States and the District of Columbia to Share $71 Million Settlement

  • Numerous State Attorneys General (eg., here, here and here) announced a $71 million multistate settlement this week with Amgen Inc. to resolve allegations that the pharmaceutical company violated consumer protection laws through alleged deceptive and misleading marketing of its Enbrel and Aranesp medications.
  • The states alleged, among other things, that the company unlawfully promoted its anemia drug Aranesp and its arthritis and psoriasis drug Enbrel for off-label uses that were contrary to Food and Drug Administration (FDA) approval and made unapproved and unsubstantiated claims related to the drugs. As part of the Consent Judgment, Amgen must change its marketing and promotional practices and not make any false, misleading, or deceptive claims in promoting Enbrel or Aranesp.
  • West Virginia Attorney General Patrick Morrisey said “[t]his settlement is a win for West Virginia consumers. We enforce our consumer protection laws in a vigorous yet fair manner, and this settlement will help ensure West Virginia doctors and patients aren’t deceived by unlawful drug marketing practices.”

Data Privacy

Target Settles With Visa Over Data Breach

  • Target Corporation reportedly has reached a settlement agreement with Visa, agreeing to reimburse costs related to its 2013 data breach to Visa and the financial institutions that issued the cards. While Target has not announced a dollar amount, sources say that the retail giant has agreed to pay up to $67 million.
  • The data breach exposed 40 million debit and credit card accounts and Target reportedly has incurred $162 million in net expenses related to the breach as of January of this year. Some financial institutions have sued Target, saying they have spent billions of dollars replacing compromised cards and increasing customer service operations because of the data breach.

False Claims Act

Missouri Hospital Agrees to Pay $5.5 Million to Settle Alleged False Claims Act Violations

  • The Department of Justice (DOJ) announced that Mercy Health Springfield Communities, formerly known as St. John’s Health System Inc., and its affiliate, Mercy Clinic Springfield Communities, formerly known as St. John’s Clinic, have agreed to pay $5.5 million to settle allegations that they violated the False Claims Act.
  • The DOJ alleged that the hospitals submitted false claims to the Medicare program for services rendered to patients referred by physicians who improperly received bonuses based on the value of those referrals. While there was no determination of liability by the DOJ, the hospital agreed to pay $5.5 million to settle the allegations.
  • A lawsuit filed by a whistleblower, a physician employed by the hospital, under the qui tam provisions of the False Claims Act, sparked the DOJ investigation and is part of DOJ’s Health Care Fraud Prevention and Enforcement Action Team (HEAT) initiative, that began in 2009. The case is United States ex rel. Moore v. Mercy Health Springfield Communities f/k/a St. John’s Health System, Inc., et al., Case No. 13-3019-CV (W.D. Mo).