Saturday, January 31, 2015

FTC: FTC Issues Report on the Internet of Things


The FTC has issued a staff report on the “Internet of Things,” recommending businesses take concrete steps to enhance and protect the privacy and security of consumers.  The report entitled Internet of Things: Privacy & Security in a Connected World (http://www.ftc.gov/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things) provides a look at the FTC’s expectations for consumer data privacy and security for internet connected products.  While the report does not have the force of law, it does provide insight of the FTC’s minimum expectations should a data breach or other FTC Act violation occur.

For purposes of the report, the FTC defined the “Internet of Things” as being devices (other than computers, smart phones or tablets) that connect or transmit information with or between each other through the internet.  For instance, the Internet of Things would include devices with imbedded intelligence like smart appliances and medical devices.  The report expressly excludes business to business products.

RECOMMENDATIONS:

·       Companies developing Internet of Things (“IoT”) products should implement reasonable security.  As noted by the FTC Staff, reasonable security is not a one size fits all proposition and should take into account a number of factors, including: the amount and sensitivity of the data collected, the sensitivity of the device’s functionality, and the costs of remedying the security vulnerabilities.  At a minimum, however:

·       Companies should build security into their devices at the outset and not as an afterthought;

·       Companies should do privacy or security risk assessments;

·       Companies should consider how to minimize the data they collect and retain, only collecting and retaining the minimum necessary;

·       Companies should insure their service providers are capable of maintaining reasonable security;

·       For systems with significant risk, companies should implement a defense-in-depth approach with security measures at several levels; and

·       Companies should continue to monitor products through their life cycle, patch known vulnerabilities, and clearly represent the extent to which they will provide ongoing security updates and software patches.


·       Companies should examine their data practices and business needs and engage in data minimization.  The FTC noted that engaging in data minimization helps safe guard against the potential harms caused by a data breach, making products less attractive to data thieves and making it less likely the data will be used in a way that is inconsistent with the consumer’s expectations.  At a minimum:

·       Companies should develop policies and practices that impose reasonable limit on the collection and retention of consumer data;

·       Companies should establish reasonable retention limits for the data collected; and

·       Companies should also consider whether they can collect and maintain data in a de-identified form and maintain up to date with technological developments to insure the data is no re-identified and require the same of their third party vendors.

·       The FTC continued to emphasize that companies should provide consumers with notice and choice as to what data will be collected, particularly if data would be used in a way the consumer would not expect.  While the FTC staff recognized the practical difficulties of providing choice where there is no consumer interface (for instance, smart appliances), they provided several examples of how notice can be provided to a consumer, including the use of icons, set up menus, and affixed barcodes that when scanned, would take the consumer to a website enabling consumers to make choices through the website interface.

 LEGISLATION RECOMMENDATIONS:
Recognizing that this industry is in the early stages, the FTC did not advocate for IoT specific legislation at this time; however, the report did recognize a need for general data security legislation.  The report reiterated the Commission’s previous recommendation that Congress enact “strong, flexible, and technology-neutral legislation to strengthen the Commission’s existing data security enforcement tools and require companies to notify consumers when there is a security breach.”

 

 

CFPB: A Summary of the CFPB’s Annual Report to the Committees on Appropriations


On December 31st, the CFPB issued its annual report to the Committees on Appropriations of the United States Senate and House of Representatives.  The Report highlights the activities of the CFPB from October 1, 2013 through September 30, 2014, its fiscal year.  The full text of the Report can be found here:
The Report, including appendices, is 176 pages long.  Here are the highlights in 700 words or less.
Highlights from the Report include the following:
·       In the 2014 fiscal year, the CFPB employed 1,443 employees;
·      The CFPB incurred approximately $498 million in obligations, including $237 million which was spent on employee salaries and benefits;
·       In the 2014 fiscal year, the CFPB collected over $77 million in civil
      penalties;
·       In the 2014 fiscal year, the CFPB received approximately 240,600 complaints.  Of those, 36% related to collections and 21% related to mortgages;
·       The CFPB identified certain areas for future rule making, including reloadable prepaid cards, debt collection, small dollar credit, overdraft protection;
·       During the 2014 Fiscal Year, the CFPN was a party to 41 public enforcement actions, several of which were joint ventures with other agencies of state attorney generals; and
·       Of those actions, about half were resolved with pre-suit consent 
      orders.
 
Complaints.
The Report also offers insights as to how complaints received through the complaint portals are handled.  Complaints are initially screened by several criteria, including whether they are within the CFPB’s primary enforcement authority and whether the complaint is complete.   Screened complaints are then forwarded to the appropriate company.  The company then reviews the complaint and responds to the consumer and the CFPB.  After receiving the company’s response, the CFPB then requests further feedback from the consumer.  After receiving the consumer’s feedback, the CFPB reviews the consumer feedback, as well as other information, including the timeliness of the company’s response, to prioritize complaints for investigation.  The Report indicates that with regard to the majority of complaints addressed by companies, the consumer accepted the company’s response without further dispute.  Report of the CFPB Pursuant to 1017(E)(4) of the Dodd-Frank Act, p. 76.
As noted above, 36% of the complaints received by the CFPB related to debt collection.  Of those complaints, the leading causes of concern were continued attempts to collect debt not owed and communication tactics. The CFPB noted that with respect to the attempts to collect debt not owed, “the attempt to collect the debt is not itself the problem; rather, consumer argue that the calculation of the underlying debt is inaccurate or unfair.”  Id., p. 48.  As to communication tactics, the most common complaint noted is when a consumer gets a call about another person’s debt.  Id. at p. 49.
Regarding mortgage complaints, the overwhelming majority of complaints concern problems when unable to pay and complaints concerning making payments.  Id. at p. 50.  The issues within those categories are widespread and include complaints about loan modifications, collection and foreclosures. 
Enforcement Actions.
The CFPB was a party to 41 public enforcement actions.  Approximately half of those, were resolved prior to suit through consent orders.  Of those public enforcement actions, almost half involved real estate related issues.

Truth in Lending: Supreme Court Decision in Jesinoski Resolves Split in Circuits




 

 In a unanimous decision, the United States Supreme Court has ruled that a borrower exercising his right of rescission under the Truth in Lending Act need only provide written notice of rescission to his lender within three years and is not required to file suit within that same three year period.  Jesinoski v. Countrywide Home Loans, 574 U.S.____ (2015).   In so ruling, the Court stated that the language of 15 U.S.C. 1635 “leaves no doubt that rescission is effected when the borrower notified the creditor of his intention to rescind.”    
              In Jesinoski, the borrowers sent the lender written notice of rescission via letter exactly three years after borrowing money to refinance their home.  The lender refused to acknowledge the rescission’s validity.  A year later, the borrowers filed suit seeking a declaration of rescission and damages.  The district court granted the lender’s motion for judgment on the pleadings, concluding rescission could only be exercised by filing suit within three years of the loan’s consummation.  The Eight Circuit affirmed. 
Under the Truth in Lending Act, the time period in which to rescind depends upon whether the lender delivered all required disclosures to the borrower.  If all disclosures were delivered to the borrower, the borrower has three business days from later of the date of loan consummation or the date of delivery of all disclosures to rescind.  However, if all required disclosures are not delivered, the statute sets an outer limit by providing the borrower with three years from the date the loan was consummated to rescind.  15 U.S.C. 1635(a).  The Court relied upon the language of 15 U.S.C. 1635 which provides that a borrower “shall have the right to rescind… by notifying the creditor in accordance with the regulations of the Board, of his intention to do so.”   While the statute provides the time period in which notice must be provided, it does not provide the manner in which notice must be provided.  Thus, the court concluded that there is no requirement that suit be brought within that same time period.  The Court’s decision resolves a split between the circuits.

 

 
 
 

Fair Credit Reporting Act: Eleventh Circuit Rules on Issue of First Impression


In a case of first impression, the Eleventh Circuit has ruled that a consumer’s credit report does not have to be published to a third party in order to recover actual damages for a negligent violation of 15 U.S.C. 1681i(a).  In Collins v. Experian Information Solutions, the consumer sued the credit reporting agency alleging both negligent and willful violations of the Fair Credit Reporting Act’s duty to conduct a reasonable reinvestigation of disputed information contained in the consumer’s credit file. Collins v. Experian Information Solutions, 2015 U.S. App. LEXIS 50 (11th Cir. Jan. 5, 2015).  In 2010, Collins was sued by a debt buyer to collect on an account. The small claims court, after a trial on the merits, ruled in Collins’ favor.  Within days of the court’s decision, Collins disputed the debt’s entry on his credit report, explaining:

I don’t owe any money to Equable Ascent Financial…This account is wrong….Equable Ascent sued me for this debt in small claims court of Jefferson County, Alabama, case #SM-10-2973,…judgment was entered for defendant, you can call the court for more information at 205-325-XXXX or the attorney for Equable Ascent at 205-250-XXXX. 

Collins, at *3.  Because of a zip code discrepancy on the envelope, Experian sent Collins a letter seeking verification that he had in fact sent the dispute notification.  Collins responded indicating again that he didn’t owe the debt, that Equable had lost its suit to collect on the debt and requesting deletion of the debt.  Collins additionally included copies of his driver’s license and social security card, and listed his birth date.  Experian then sent an automated consumer debt verification form to Equable who responded that the debt was valid.  Relying upon the creditor’s verification, Experian took no further action to investigate and continued to report the account.  Collin subsequently filed suit alleging that Experian’s investigation of the dispute was unreasonable and that Experian was liable for both negligent and willful violations of the FCRA.  

On appeal, the issue before the court was “whether an allegation of a violation of 1681i(a)…requires the consumer reporting agency to have disclosed the consumer’s credit report to a third party in order for q consumer to recover actual damages.”  Collins at *1-2.  15 U.S.C. 1681o meanwhile provides for the recovery of actual damages for any negligent violation of the FCRA. 15 U.S.C. 1681o(a)(1).  In distinguishing Collins from the majority of cases requiring a showing that the inaccurate information was published to a third party, the court relied upon the distinction between the terms “consumer report” and “file.” The court noted that 15 U.S.C. 15 U.S.C.1681i(a) sets forth the credit reporting agency’s duty to conduct a reasonable investigation of the completeness or accuracy of any item of information contained in a consumer's file.  1681e(b), under which the majority of cases had been decided, required the consumer reporting agency to follow reasonable procedures to assure the maximum accuracy of a consumer report.  A consumer report is defined by the FCRA as being

any written, or other communication of any information by a consumer reporting agency bearing on a consumer’s credit worthiness, credit standing, credit capacity…which is used or expected to be used or collected in whole or part for the purposes of serving as a factor in establishing the consumer’s eligibility for…credit or insurance…

 
15 U.S.C. 1681a(d)(1) (emphasis added).  A file, on the other hand, “when used in the connection with information on any consumer means all of the information on that consumer recorded and retained by a consumer reporting agency regardless of how the information is stored.” 15 U.S.C. 1681a(g) (emphasis added).  Because a “consumer report” requires communication to a third party and a file does not, the court held that “the plain language of the FCRA contains no requirement that the disputed information be published to a third party in order for a consumer to recover actual damages under 16 U.S.C. 1681i(a).”  Collins at *13.        

Friday, January 30, 2015

Bankruptcy and FDCPA: Crawford v. LVNV Funding is Not Likely to Be the End of the Story




In July of 2014, the Eleventh Circuit expanded the reach of the FDCPA to proofs of claim. Crawford v. LVNV Funding, LLC, 758 F.3d 1254 (11th Cir. 2014).  Prior to the Crawford decision, the overwhelming majority of courts had resoundingly held that proofs of claim were not subject to the FDCPA.  As stated by one court in rejecting the notion that FDCPA claims could arise from proofs of claim, “there is strong and ample authority for the proposition that a creditor’s filing of a claim in a bankruptcy proceeding, even if the claim is prescribed by applicable state law, is not an unlawful debt collection practice actionable under the FDCPA…This court…is “convinced that the Code and Rules are up to the task of compensating a debtor for any damages or costs occasioned by, and to punish and deter, those who would abuse the bankruptcy claims process, such that an objection to claim and motion for sanctions, if warranted, will typically be the appropriate measures to take in cases involving stale claims by debt buyers.””  Jenkins v. Genesis Fin. Solutions, LLC, 456 B.R. 236 (E.D.N.C. Bankr. 2011) quoting B-Real, LLC v. Chaussee, 399 B.R.  225, 241 (9th Cir. BAP 2008).

All of that was thrown into doubt in July 2014 when the Eleventh Circuit published its decision in Crawford.  In Crawford, the debtor commenced an adversary proceeding against a debt buyer, alleging that the filing of a time barred proof of claim violated the automatic stay and the FDCPA.  The debt buyer ultimately withdrew the proof of claim; however, the adversary proceeding proceeded forward.  The Bankruptcy Court granted LVNV’s motion to dismiss holding that the filing of a proof of claim, even one on time barred debt, did not constitute a violation of the FDCPA.  The district court affirmed. On appeal, the Eleventh Circuit reversed, holding that the filing of a proof of claim was an attempt to collect a debt and that the filing of a proof of claim for time barred debt violated the FDCPA.  In so holding, the court seemed to take issue with the fact that an otherwise uncollectible debt would result in some recovery under the Chapter 13 plan. “Such a distribution of funds to debt collectors with time-barred claims then necessarily reduces the payments to other legitimate creditors with enforceable claims.”  Crawford, 758 F.3d at 1261.   Additionally, the court premised its reversal on the notion that “a debt collector’s filing of a time-barred proof of claim creates the misleading impression to the debtor that the debt collector can legally enforce the debt.”  Id.

Is that the end of the story?  Most definitely not.  Too much shouldn’t be read into Crawford.  Crawford appears to be hampered by the limitations of the issues presented to the court.  For example, neither the district court nor the court of appeals addressed the issue of whether the Bankruptcy Code preempts the FDCPA, presumably because it was not raised by the defendant in its defense of the adversary proceeding.  Crawford at footnote 7.  Additionally, in recent weeks, a number of decisions from other courts have suggested that they will not blindly follow Crawford.

In Elliott v. Cavalry Investments, the Southern District of Indiana addressed the many open ended questions left by Crawford.  Elliott v. Cavalry Invs., 2015 U.S. Dist. LEXIS 2423 (S.D. Ind. Jan. 9, 2015).  While the Elliott court denied the creditor’s motion to dismiss an adversary proceeding based upon the allegation that the proof of claim was time barred, it was quick to point out that its decision should not be read too broadly. In fact, the court stated that “the Court cannot say as a matter of law that the Elliotts’ Complaint fails to state a claim.  Nor is the court finding that the allegations categorically establish an FDCPA violation.”  Elliott, at *6. In fact, the court proceeded to set forth the reasons the filing of a proof of claim may not necessarily be considered a violation of the FDCPA.  The court noted that there are significant differences between a lawsuit initiated to collect on a time barred debt and a proof of claim filed on a time barred debt.  Most significantly, in the bankruptcy context, there are procedures in place to object to proofs of claim and the presence of a trustee who is tasked with examining and objecting to proofs of claim which are unenforceable.  The court also noted the distinction between debt that is unenforceable and debt that is nonexistent.  But see, Grandidier v. Quantum 3 Group, LLC, 2014 U,S, Dist. LEXIS 169279 (S.D. Ind. Dec. 8 2014) (where the court held that the FDCPA can apply to time barred proofs of claim and denied defendant’s motion to dismiss).

Recently, back in the Eleventh Circuit, defense counsel have been taking a different approach with some initial success.  In Walker v. LVNV Funding, LLC, 2014 U.S. Dist. LEXIS 178661 (N.D. Ala. Dec, 31, 2014) defendant counsel moved to withdraw the reference from the bankruptcy court, contending that the Bankruptcy Code preempts the FDCPA where creditors misbehave in the bankruptcy context.  The court determined that because the courts of the Eleventh Circuit were split on that issue, the issue would require substantial and material consideration of the FDCPA in order to resolve the claims, and granted to motion to withdraw the reference.  See also Williams v. LVNV Funding, LLC, 2014 U.S. Dist. LEXIS 178659 (N.D. Ala. Dec, 31, 2014).  Likewise in the Eleventh Circuit, the bankruptcy courts have made it clear that any adversary proceedings bringing FDCPA claims based upon time barred proofs of claim actions must be brought within the one year statute of limitations provided in 15 U.S.C. 1692k.  Gurganus v. Recovery Mgmt. Sys. Corp., 2015 Bankr. LEXIS 3 (N.D. Ala. Jan. 5, 2015).

While Crawford could have huge implications, too much shouldn’t be read into the decision just yet.  Practitioners should be mindful that it left unaddressed the question of whether the Bankruptcy Code preempts the FDCPA and there is a split in the circuits as to this issue.  Further, the holding in Crawford does not take into account the fundamental differences and implications between a proof of claim and a lawsuit to collect a debt.  “Debtors in bankruptcy proceedings do not need protection from abusive collection methods that are covered under the FDCPA because the claims process is highly regulated and court controlled.” See Jenkins, 456 B.R. at 240.  The recent withdrawal of references that have occurred in the Eleventh Circuit suggest there is more to come on this issue.