I’m thrilled to announce that Bedard Law Group is the new sponsor for the Compliance Digest. Bedard Law Group, P.C. – Compliance Support – Defense Litigation – Nationwide Complaint Management – Turnkey Speech Analytics. And Our New BLG360 Program – Your Low Monthly Retainer Compliance Solution. Visit www.bedardlawgroup.com, email John H. Bedard, Jr., or call (678) 253-1871.
Every week, AccountsRecovery.net brings you the most important news in the industry. But, with compliance-related articles, context is king. That’s why the brightest and most knowledgeable compliance experts are sought to offer their perspectives and insights into the most important news of the day. Read on to hear what the experts have to say this week.
Pa. State Judge Dismisses Hunstein Case for Lack of Standing
In a case that was defended by the teams at Martin Golden Lyons Watts Morgan and Lippes Mathias, a state court judge in Pennsylvania has dismissed a Hunstein case on the grounds the plaintiff lacked standing to sue, saying that there “appears to be little difference” between the agency printing and mailing a letter or it using a third party to do so. More details here.
WHAT THIS MEANS, FROM CHELSEY PANKRATZ OF FROST ECHOLS: Another Hunstein claim has been dismissed for lack of standing. The Pennsylvania state court in this case analyzed the abundant federal caselaw that has determined that plaintiffs in these kinds of lawsuits do not have standing, and determined that the plaintiff did not have standing under Pennsylvania’s definition either. The court held that plaintiff’s interest in the outcome of the litigation was not direct or immediate, and that there were no allegations as to what harm the plaintiff suffered. Thus, plaintiff’s claim did not meet the Pennsylvania requirements for standing. This is another positive step in the direction of hopefully eliminating these Hunstein style claims.
Judge Awards Defendants $50k in Attorney’s Fees in FDCPA Case
In a case that was defended by Avanti Bakane and the team at Gordon Rees, a District Court judge in Georgia has ordered the plaintiffs in a Fair Debt Collection Practices Act case to pay nearly $50,000 in attorney’s fees and costs to the defendant, overruling all of the plaintiffs’ objections to reduce the award. More details here.
WHAT THIS MEANS, FROM BRENDAN LITTLE OF LIPPES MATHIAS: In December 2023, the Court determined that Defendant was entitled to reimbursement of its attorneys’ fees and costs because, inter alia, plaintiffs’ counsel’s failure to conduct an adequate pre-suit investigation, repeatedly seeking to dismiss the action after inflicting cost to the defendant and even pursuing summary judgment despite the lack of credibility in plaintiffs’ claims. The only issue before the Court in this application was whether Defendant’s request for $47,731 in attorneys’ fees and $1,170 in costs was reasonable. First, Defendant’s attorneys’ hourly rates ranging from $260/hr to $310/hr were not challenged by Plaintiffs and accepted by the Court. Second, in an attempt to reduce the award, Plaintiffs argued that the billing by Defendant’s counsel was “redundant, excessive and unreasonable.” Noting that generalized objections to fee petitions are not given much weight, the Court rejected Plaintiffs’ contentions and determined it was reasonable for defense counsel to have two lawyers assist in the motion practice associated with the case and prepare for depositions. The Court granted Defendant’s fee petition in its entirety holding Plaintiffs and their counsel jointly and severally liable for the award.
Settling Debt Not Enough for Plaintiff to Have Standing, Judge Dismisses FDCPA Class Action
A District Court judge in New Jersey has granted a defendant’s motion to dismiss a Fair Debt Collection Practices Act class-action, ruling the plaintiff lacked standing to sue after claiming the defendant violated the statute by failing to indicate if interest, costs, or fees were included when it referenced the balance that was owed in a collection letter that was sent to the plaintiff, who settled the debt for less than the full balance. More details here.
WHAT THIS MEANS, FROM MITCH WILLIAMSON OF BARRON & NEWBURGER: What struck me immediately when I read this decision was that the Judge, a newcomer not yet on the bench a full year, saw this case for what it was. “For the reasons stated herein, the Court notes the subject Complaint borderlines on the frivolous.” He then referenced Fed. R. Civ. P. 11(b)(2) (the “sanctions” rule). The facts are short and sweet: Resurgent obtained a judgment previously entered in March 2016 and sent a collection letter in March 2021 seeking to collect the judgment amount which had grown slightly due to post judgment interest. The alleged violation was that the letter did not break out the interest added post judgment and as a result, the debtor was misled as to the amount of the debt thus leading to an “informational injury.” The argument made by Plaintiff in favor of standing was that this “informational injury” would have had a negative effect on what the debtor did in response. The complaint was filed as a class. Does anybody file these FDCPA claims any other way, irrespective as to whether class treatment is actually appropriate? Nonetheless the Court needs to first evaluate the claims as they pertain to Plaintiff.
And in this case there was one wee problem, which the Judge picked up on, hence the prior comment. After the debtor got the allegedly violative letter which allegedly affected his ability to respond, he did in fact respond and settled the debt for roughly 52% of the balance due. Sounds like he suffered great harm to me.
The takeaway, as new Judges take the bench, there is hope their fresh eyes will recognize that many of these FDCPA cases are contrived for the sole purpose of providing a living to a certain set of attorneys and they will evaluate these cases for what many of them are. We have to do our part by acting as the adult in the room and educating those judges with logic and common sense.
FTC Publishes Final Health Breach Notification Rule
The Federal Trade Commission has announced final changes to the Health Breach Notification Rule, requiring entities that are not covered by the Health Insurance Portability and Accountability Act (HIPAA) to notify individuals, the FTC, and even the media in the event that personally identifiable information is compromised. More details here.
WHAT THIS MEANS, FROM LESLIE BENDER OF EVERSHEDS-SUTHERLAND: The nation’s consumer protection agency – the Federal Trade Commission (“FTC”) – has implemented a new breach notification requirement for non-bank financial institutions under its Gramm Leach Bliley Safeguards Rule (the “Safeguards Rule”), effective May 13, 2024. This new breach notification requirement is in addition to the FTC’s oversight of breaches of health information that fall outside of HIPAA’s scope under the Health Breach Notification Rule (the “HBNR”). The FTC has also announced updates to the HBNR which should be published shortly and will take effect sixty days later. Neither of these breach notification rules preempt state breach notice laws – so covered businesses (and their service providers) may want to be prepared to evaluate both state and federal breach notification laws when security incidents occur.
Non-bank financial institutions who discover that information of 500 or more people has been acquired “without authorization” must begin reporting these instances to the FTC within thirty days of discovery. Accounts Recovery hosted a webinar to review this FTC breach notification rule on May 6, 2024. In case you missed it, this quick summary is provided. Once the FTC’s Health Breach Notification Rule is published in the Federal Register we will side-by-side each for your practical consideration.
Summary
The FTC’s Safeguards Rule breach notification requirements have expanded to include a new public database of instances in which consumers’ nonpublic information has been subjected to unauthorized access. On May 13, 2024, the FTC’s breach notice feature under its Safeguards Rule takes effect. Financial institutions subject to the FTC’s jurisdiction may want to assure they have processes in place to allow them to meet these new reporting obligations:
- Report data breaches/unauthorized acquisitions affecting 500 or more consumers to the FTC via an electronic form located at its website www.ftc.gov
- Breach notices must explain types of information involved in the “notification event,” date or date range of event, number of consumers affected, and whether law enforcement is involved and has provided a determination that notifying the public of the breach would impede a criminal investigation or cause damage to national security
- Notification of a breach must occur “as soon as possible, and no later than 30 days after discovery of the event,” and
- “Notification events” go beyond traditional data security breaches and include the unauthorized acquisition of unencrypted customer information.
- The Safeguards Rule’s notification requirements do not pre-empt notifications that may also be required under state or other laws.
Background
In December, 2021, the FTC modernized its Safeguards Rule by establishing a series of standards financial institutions are obligated to assure their information security programs (and those of their vendors) meet. The FTC expected compliance with all features of the modernized Safeguards Rule, which it patterned after the New York Department of Financial Services Cybersecurity Regulations, by June 9, 2023. When the FTC published its Safeguards Rule updates it concurrently launched a supplemental notice of proposed rulemaking in which it proposed to add breach notification requirements. The FTC sought further comment on potential breach notification requirements at that time. Having received fourteen public comments, the FTC now strengthens the Safeguards Rule’s protections for consumers, by adding a requirement for notification of breaches.
Under the Safeguards Rule, the FTC considers an entity to be a “financial institution” and subject to the FTC’s jurisdiction if it is “engaged in an activity that is financial in nature or incidental to such financial activities.” Traditional banks are not subject to the FTC’s Safeguards Rule oversight; however, the FTC’s regulatory umbrella covers a broad list of “financial institutions.” FTC regulated “financial institutions” include mortgage lenders, pay day lenders, finance companies, account servicers, check cashiers, travel agencies, finders, retailers that extend credit, appraisers, auto lessors, credit counselors, non-federally insured credit unions, collection agencies, financial advisors, and more. The FTC’s breach notice rule under the Safeguards Rule explains that service providers for “financial institutions” are covered and even financial institutions to whom individuals apply for credit, regardless of whether or not credit is ultimately extended, are subject to the Safeguards Rule.
Practical Analysis
Other unique features of the breach notice requirement in the FTC’s Safeguards Rule include the following:
- Information covered. An extensive description of personally identifiable non-public financial information a consumer provides, including without limitation, information the financial institution collects through an internet “cookie” – which the FTC describes as “an information collecting device from a web server.”
- Expanded List of Reportable Events. Consistent with the FTC’s enforcement actions under its Health Breach Notification Rule, the FTC takes a broad view of what data security events must be reported to the FTC (and the public). In addition to traditional data breaches, the FTC now expects entities to report unauthorized acquisitions of 500 or more consumers’ information to be “notification events.”
- Presumption of Un-Encryption. The Safeguards Rule now explains that a “notification event” is the “acquisition of … [unencrypted customer] information without the authorization of the individual to which the information pertains.” The Rule goes further to include a rebuttable presumption that customer information will be considered “unencrypted” “if the encryption key was accessed by an unauthorized person … unless you have reliable evidence showing that there has not been, or could not reasonably have been unauthorized acquisition of such information.”
- Trigger for Discovery. Clarity on what triggers a “notification event.” The FTC explains that an event is considered to be “discovered as of the first day on which such event is known.” This means that a financial institution is deemed to know of a notification event “if the event is known to any person, other than the person committing the breach, who is the financial institution’s employee, officer, or other agent.”
Conclusion
The FTC’s expansive new public breach notification expectations under its Safeguards Rule may prompt FTC-regulated “financial institutions” and service providers working on their behalf to review their internal breach detection and notification strategies to assure that as of May 13, 2024, they are in a position to quickly detect and react to instances of unauthorized access of nonpublic consumer information. In addition, companies that fall under the FTC’s broad “financial institutions” umbrella and their service providers may want to renew employee awareness initiatives around incident detection and reporting, pre-planning methods or strategies for investigating potential breaches and potentially conducting tabletop exercises, and determining what types of public relations or legal planning is advisable given the public nature of breach notifications the FTC expects.
Appeals Court Vacates Ruling in FDCPA Case to Dismiss for Lack of Standing
The Court of Appeals for the Third Circuit has vacated a lower court’s opinion in a Fair Debt Collection Practices Act case, but only to dismiss the complaint because the plaintiff lacked standing to sue, instead of dismissing the case because the plaintiff failed to state a claim. More details here.
WHAT THIS MEANS, FROM XERXES MARTIN OF MARTIN GOLDEN LYONS WATTS MORGAN: Good things come to those who wait. Plaintiff Martha Osorio filed her suit against Transworld Systems in November of 2021. The claim asserted was that this language did not clearly identify who the creditor is — Creditor: Garden State Healthcare Associates. Plaintiff wanted the judge or jury to find that this did not clearly identify the current creditor, as it did not expressly say whether Garden State was the original or current creditor. Fortunately, in May of 2022 the district court granted Transworld Systems’ motion to dismiss, finding the FDCPA does not contain such identifying requirement and she could not be confused by the letter, especially when she alleged she incurred a financial obligation to Garden State. Plaintiff appealed.
Fast forward to April 26, 2024, after the parties extensively briefed arguments on whether a proper claim was brought under the FDCPA, the FDCPA’s requirements, and whether the identification in the letter was sufficient, the Third Circuit Court of Appeals issued its three-page opinion. The panel determined that Plaintiff never had standing to bring her suit as mere confusion is not enough to get over the injury-in-fact hurdle of Ramirez v. TransUnion. Case dismissed. Hopefully we see less confusion in the future thanks to Transworld Systems fighting this one.
Arizona Court of Appeals Affirms Constitutionality of Predatory Debt Collection Act
The Arizona Court of Appeals this week upheld the state’s controversial Predatory Debt Collection Act, rebuffing an industry challenge led by the Arizona Creditors Bar Association. The decision ensures the law, which includes measures to shield individuals from medical debt garnishments and cap interest rates, remains in effect. More details here.
WHAT THIS MEANS, FROM CHUCK DODGE OF HUDSON COOK: In case anyone has lost their notes on this Act, this is your reminder that it’s very tough on creditors and debt collectors but generous for consumers. And it looks like we get to keep it. The Appeals court has affirmed that the Act is constitutional, so the Arizona voters win. The court rejected creditors’ and collectors’ arguments that the Act could be applied retroactively, pointing to language in the Act and an old Arizona statute saying that laws apply prospectively unless they specify otherwise. So executing on an Arizona judgment through wage garnishment is going to be terribly slow with the reduced wage garnishment maximum, and asset garnishment is not looking much better with the increase in exemptions. With this more limited ability to collect unpaid debts reduced to judgment in Arizona, we expect credit offerings to tighten considerably as creditors measure the financial risks implicated creditors now face with these more limited recovery options.
Connecticut Legislature Passes Medical Debt Credit Reporting Bill
The Connecticut legislature yesterday passed Senate Bill 395, which prohibits healthcare providers from reporting medical debt to credit agencies. The bill, which had already passed in the Senate and now awaits the governor’s signature, will take effect on July 1, if signed by Gov. Ned Lamont. More details here.
WHAT THIS MEANS, FROM BILL MAROHN OF TOBIN & MAROHN: That Connecticut joined the growing number of States that are looking to restrict credit reporting of medical debt is not particularly unique. However, what is unique and potentially troubling is the scope of the law and the impact it could have if medical debt is reported in error. The definition of medical debt is far more expansive and imprecise than those used in other states. There are also much harsher penalties in the Bill for any errant reporting of medical debt. Finally, the July 1, 2024 implementation date will require debt collectors to act quickly to comply. The growing patchwork of State specific medical debt credit reporting laws will certainly create operational and compliance struggles. Debt collectors must continually evaluate their reporting protocols, policies, and procedures to remain compliant with this growing number of State specific credit reporting laws.