I’m thrilled to announce that Bedard Law Group is the new sponsor for the Compliance Digest. Bedard Law Group, P.C. – Compliance Support – Defense Litigation – Nationwide Complaint Management – Turnkey Speech Analytics. And Our New BLG360 Program – Your Low Monthly Retainer Compliance Solution. Visit www.bedardlawgroup.com, email John H. Bedard, Jr., or call (678) 253-1871.
Every week, AccountsRecovery.net brings you the most important news in the industry. But, with compliance-related articles, context is king. That’s why the brightest and most knowledgable compliance experts are sought to offer their perspectives and insights into the most important news of the day. Read on to hear what the experts have to say this week.
Communicating With CRAs Not a Violation of FDCPA, Judge Rules
Being denied credit because of a negative item on a credit report is sufficient grounds for a plaintiff to have standing to sue, ruled a District Court judge in New York, but communicating information about an unpaid debt with the credit reporting agencies is not a violation of the Fair Debt Collection Practices Act, so he granted the defendant’s motion to dismiss the case. More details here.
WHAT THIS MEANS, FROM CAREN ENLOE OF SMITH DEBNAM: Let’s just start with discussing the elephant in the room – pro se complaints are trending up. Is this a bad thing, good thing or just a thing? Hard to say just yet, but it is creating more motion practice (and potentially more defense costs) along the way. Turning to Ross, her pro se complaint, and the Court’s granting of the debt buyer’s motion to dismiss, I like this decision. In Ross, the consumer alleged that the FDCPA prohibits credit reporting when a consumer issues a cease and desist and disputes the debt. Not so. The Court correctly ruled that a request for a cease and desist only applies to communications with the consumer and does not cut off the debt collector’s (in this case the debt buyer’s) right to report the debt to CRAs. An important note to the industry here, the debt buyer accurately reported the debt as disputed. Had the debt buyer not done so, it would have had a problem under 1692e which prohibits “[c]ommunicating or threatening to communicate to any person credit information which is known or which should be known to be false, including the failure to communicate that a disputed debt is disputed.” Here, because the debt buyer correctly reported the debt as disputed, the Court found no violation of 1692e.
Another quick note here, don’t sleep on the statute of limitations defense! Here, the Court strictly construed each communication from the debt collector as a separate communication creating separate time limitations and violations. Several of the FDCPA violations complained of, therefore, were never reached on their merits.
THE COMPLIANCE DIGEST IS SPONSORED BY:
Judge Denies Motion to Remand FCRA, FDCPA Case Back to State Court
A District Court judge in Michigan has denied a plaintiff’s motion to remand a Fair Debt Collection Practices Act and Fair Credit Reporting Act case back to small claims court where it was originally filed and notified the plaintiff that he must file a more “definitive” statement of claims to provide the defendant with more information for its response. More details here.
WHAT THIS MEANS, FROM JESSICA KLANDER OF BASSFORD REMELE: So far the “undated letter” has been the favorite attempted FDCPA claim asserted by the plaintiff’s bar post-Regulation F. Luckily it hasn’t gotten much traction. The Judge here correctly concluded that nothing in the letter violated the FDCPA. Unfortunately, it is incredibly disappointing that the Judge also refused to apply the model validation notice’s intended safe harbor against liability. There hasn’t yet been a good case to test the veracity of the safe harbor as the attempted claims targeting the model validation notice have been easily resolved by courts in the defendants’ favor (for the most part) on other grounds. The legal strength of the safe harbor therefore remains an open question. The good news is that the safe harbor does appear to be successful in preventing the plaintiff’s bar from asserting claims in the first place as FDCPA claims are significantly down across the industry. We can certainly chalk that up as a win!
Judge Grants MTD in FCRA, FDCPA Case Against Collector, Credit Reporting Agency
A District Court judge in New Jersey has granted motions to dismiss filed by the defendants in a Fair Debt Collection Practices Act and Fair Credit Reporting Act lawsuit because the plaintiff, who was representing herself, failed to include enough facts in her complaint to adequately back up her claims. More details here.
WHAT THIS MEANS, FROM LORAINE LYONS OF MARTIN GOLDEN LYONS WATTS MORGAN: This case can be summed up by a phrase often attributed to Abraham Lincoln: “A man who is his own lawyer has a fool for a client.” Now, the plaintiff is probably not a fool, but failed to recognize the practice of law is a profession, there are pleading requirements, and opposing a motion requires more than cutting and pasting from a brief filed in a separate lawsuit.
FTC Amends Safeguards Rule
The Federal Trade Commission on Friday announced it has amended the Safeguards Rule that will require non-bank financial institutions to report data breaches to the agency. More details here.
WHAT THIS MEANS, FROM LAURIE NELSON OF AUTOSCRIBE: This amendment, essential to many readers here as it applies to all non-bank financial institutions, including debt collectors, mortgage brokers, motor vehicle dealers, and payday lenders, requires reporting certain data breaches and other security events to the FTC. While a reporting requirement of data breaches and security events may seem straightforward, it needs to be thoroughly reviewed by all non-bank financial institutions as the definitions included may encompass more than many may think. The amendment may require changes in company policies even if such policies meet applicable state data breach law requirements today. Examples of such include:
Notification Event/Consent
A “notification event” definition includes ANY instance where a third-party accesses unencrypted information without the proper consumer’s authorization. Therefore, this definition would require the consumers’ consent even if current state privacy laws or the GLBA Privacy rule do not require consent for sharing the covered information.
Notification Trigger
A “notification trigger” is defined as the discovery of the event vs. an arguably lower standard found in some state laws, which provides the notification trigger as the determination that a breach occurred. This means that affected entities will likely not have time to investigate a possible incident thoroughly before the 30-day notification clock starts ticking.
Presumption of Acquisition of Information
The amendment provides a presumption that an unauthorized acquisition has occurred in the event of unauthorized access to unencrypted customer information. This presumption can only be rebutted by adequate evidence showing no unauthorized acquisition of such information. Again, this contradicts what we find in many state laws that allow an entity to determine whether personal information was confirmed or reasonably believed to have been acquired.
So again, all need to understand that reliance on state law compliance will not guarantee compliance. All those covered by this amendment need to pay special attention to each detail to ensure the processes and procedures are in place to meet the requirements.
NY DFS Bolsters Cybersecurity Regulation
The New York Department of Financial Services yesterday updated and amended its cybersecurity regulations, instituting more controls and protections while also updating the notification requirements in the event of a ransomware attack. More details here.
WHAT THIS MEANS, FROM STEFANIE JACKMAN OF TROUTMAN PEPPER: There is a ton to digest in NY DFS’s recently updated cybersecurity regulations. As compared to other states, DFS appears to be charting a unique course that stands well apart from anything we have seen before at the state level when it comes to consumer data security. Among the highlights, the updated regulations:
- Create an entirely new category of Class A companies ($20M+ revenue) with lots of new onerous requirements;
- Require certain independent audits;
- Expand what is required for risk assessments;
- Impose new accountability requirements for governing bodies of impacted companies;
- Expand minimum policy requirements (e.g., retention, remote access, training);
- Impose expanded multifactor authentication requirements;
- Require root cause analysis in response to security incidents;
- Require implementation of business continuity and disaster recovery plans;
- Impose certification requirements on the “highest ranking executive” and CISO in various circumstances; and
- Mandate certain notice requirements in the event of ransom payments.
In addition, DFS provides for enhanced penalties for non-compliance. If your entity is subject to the NY DFS’s authority, it is critical to pay close attention to these regulations and identify what needs to evolve within your organization’s current data security programs to ensure ongoing compliance.
OCC Updates Exam Procedures, Guidance for TCPA Compliance
The Office of the Comptroller of the Currency, which regulates national banks in the United States, yesterday released an updated guide for how it will examine for compliance with the Telephone Consumer Protection Act. The document can be used by anyone to serve as a primer on the TCPA and what is — and is not allowed — under the statute. More details here.
WHAT THIS MEANS, FROM LAUREN BURNETTE OF MESSER STRICKLER BURNETTE: ‘Tis the season…. to update your compliance management system! Those of you within OCC’s purview should use this new examination guidance as an opportunity to put your CMS through its paces. Among other updates, the October 2023 guidance incorporates the currently-effective provisions of the TRACED Act, identifies the focus of examinations, and provides clear instructions regarding the types of information OCC will seek during its investigation. As 2023 winds down, think about starting 2024 with a clean — and compliant — slate by making sure your policies don’t leave you vulnerable.
Judge Denies MVN Safe Harbor, But Rules Undated MVN Doesn’t Violate FDCPA
The bad news: Yet another District Court judge has ruled that there is no safe harbor from a violation of the Fair Debt Collection Practices Act when using the Model Validation Notice. The good news: Sending a Model Validation Notice without a date is not a violation of the FDCPA, that judge has ruled. More details here.
WHAT THIS MEANS, FROM BRIT SUTTELL OF BARRON & NEWBURGER: There are now four court opinions, including this one, where the judge decided that an undated MVN is not subject to the “safe harbor” provided by the Reg. F. This is frustrating for members of the collection industry who spent an inordinate amount of time and money preparing for Reg. F implementation. These decisions highlight a problem that me and other colleagues were asking — what does the “safe harbor” mean? Ideally, we would like it to mean a litigation safe harbor for those companies that comply with the MVN. We understand that you still cannot misstate the balance, or overshadow the notice, but the fact that those were not allegations in these four lawsuits is frustrating.
This case did have a good industry outcome, ultimately, and I would encourage folks to concentrate on that part of the opinion. The “safe harbor” briefing in this case was skeletal and did not include an analysis under any level of agency deference. I cannot say for certain that would have changed the judge’s mind, but it would have been really nice to have those arguments on record. Of course, that just begs the question as to how long before the United States Supreme Court does away with the highest level of agency deference, called “Chevron deference.” We should know by next June!
I’m thrilled to announce that Bedard Law Group is the new sponsor for the Compliance Digest. Bedard Law Group, P.C. – Compliance Support – Defense Litigation – Nationwide Complaint Management – Turnkey Speech Analytics. And Our New BLG360 Program – Your Low Monthly Retainer Compliance Solution. Visit www.bedardlawgroup.com, email John H. Bedard, Jr., or call (678) 253-1871.