(202) 349-8000
1250 24th St NW · Suite 700 · Washington D.C. 20037
www.buckleykolar.com
HUD Announces $100,000 Settlement of Fair Lending Complaint with First Indiana Bank. On June 4, the U.S. Department of Housing and Urban Development (HUD) announced that it has negotiated a $100,000 settlement with First Indiana Bank, N.A. (First Indiana) to resolve allegations of discriminatory mortgage lending. The agreement resolves a complaint filed in March 2007 by the National Community Reinvestment Coalition (NCRC) alleging that First Indiana discriminated on the bases of national origin and race by refusing to make loans on row houses or for less than $100,000 on any property. NCRC contended that the bank's lending practices discriminated against Hispanics and African Americans because row houses valued under $100,000 are more heavily concentrated in African-American and Hispanic neighborhoods. This settlement is the second row house conciliation agreement HUD has reached in less than a year. In September 2006, HUD negotiated a similar settlement with SouthStar Funding LLC of Atlanta (most recently reported in the September 29th, 2006 issue of Infobytes). Under the HUD-brokered conciliation agreement, First Indiana agreed, among other things, to do the following: institute a "second review" procedure for all denied loan applications, not unlawfully use minimum property values as an underwriting criterion for any of its loan products, nor unlawfully price row homes or loans that serve low- to moderate-income communities, not unlawfully exclude row homes from any of its loan products or use unlawful underwriting criteria to evaluate applicants for loans secured by row homes, and notify the mortgage loan brokers with whom it conducts business that it has discontinued its minimum property value and no row home policies. The release can be viewed at http://www.hud.gov/news/release.cfm?content=pr07-080.cfm.
Financial Services Industry Comments on GLB Model Privacy Form. On May 29, the American Bankers Association, America’s Community Bankers, the Financial Services Roundtable, and the Consumer Bankers Association issued a joint comment letter (Comment Letter) requesting revision of, and then another comment period in regard to, an interagency proposal for a model privacy form under the Gramm-Leach-Bliley Act. On March 20, 2007, various financial regulatory agencies requested comments on the proposed two-page model short form privacy notice. The proposed form would provide a standard format for banks to use to notify customers of their privacy protection disclosures and also offer a “user-friendly” mechanism for consumers to opt-out of allowing the sharing of nonpublic personal information. Although the Comment Letter showed strong support for the underlying objective of the proposed form, it also expressed concern that “the prescriptive nature of the proposed form would make it impossible for most institutions to explain their privacy policies and practices accurately.” Further, the Comment Letter noted that the proposed form may open banks to legal attacks claiming that the use of the form is unfair and deceptive. The Comment Letter also cautioned that the proper implementation of the proposed form may impose significant compliance costs on user banks. For the full text of the Comment Letter, please see http://www.fsround.org/policy/pstatements/pdfs/SAVEDShortformprivacyjointlettrwaaedits.pdf.
OCC Calls for Better Credit Card Disclosures. On June 7, Comptroller of the Currency John C. Dugan told a subcommittee of the House Committee on Financial Services that current credit card disclosure rules should be changed to improve consumers’ ability to make well-informed decisions when choosing credit cards. Comptroller Dugan said, “Effective disclosure can have three fundamental benefits for consumers: first, informed consumer choice; second, enhanced issuer competition to provide consumers the terms they want; and third, greater transparency that will hold the most aggressive credit card practices up to the glare of public scrutiny and criticism, making issuers think long and hard about the costs of such practices before implementing them.” According to the Comptroller, disclosures have not kept pace with the changes and complexities of credit card terms and practices, and accordingly many consumers do not understand certain features like “universal default” and “double cycle billing.” The Office of the Comptroller of the Currency (OCC) does not have the authority to issue regulations under the primary consumer protection statutes governing credit card lending and, accordingly, the Comptroller stressed the importance of the Federal Reserve Board’s (FRB) undertaking to revise its disclosure rule. With respect to going beyond disclosure regulation to restrict risk-based pricing, the Comptroller cautioned that Congress should bear in mind that “proposals to restrict risk-based pricing could have unintended consequences regarding banks’ ability to manage risks, or on the availability and affordability of credit cards more generally.” For a copy of the OCC’s press release on the Comptroller’s testimony, please see http://www.occ.treas.gov/ftp/release/2007-54.htm.
Agencies Release List of Distressed, Underserved Nonmetropolitan Middle-Income Geographies. On June 1, the federal banking and thrift regulatory agencies announced the availability of the 2007 list of distressed and underserved nonmetropolitan middle-income geographies in which bank revitalization or stabilization activities will receive Community Reinvestment Act (CRA) consideration as "community development." "Distressed nonmetropolitan middle-income geographies" and "underserved nonmetropolitan middle-income geographies" are designated by the agencies in accordance with their CRA regulations. For a copy of the Federal Deposit Insurance Corporation's (FDIC) press release on the subject, please see http://www.fdic.gov/news/news/press/2007/pr07045.html; for the 2007 list, as well as lists from previous years, please see http://www.ffiec.gov/cra/examinations.htm.
Ohio Attorney General Targets Brokers, Lenders for Undue Influence on Appraisers. On June 7, Ohio Attorney General, Marc Dann, announced that he has lodged complaints against ten companies for violating Ohio’s consumer protection laws in the “first big sweep of lawsuits targeting unscrupulous mortgage brokers and lenders since the state’s new predatory lending law took effect.” The complaints allege undue influence on appraisers by mortgage brokers, lenders, and other entities involved in arranging mortgage loans. According to the Attorney General, the complaints state that these companies have committed unconscionable acts or practices in violation of the Ohio Consumer Sales Practices Act (OCSPA) by knowingly compensating, instructing, inducing, coercing, or intimidating appraisers for the purpose of improperly influencing the independent process. The Attorney General is asking for declaratory judgments stating that each act alleged in the complaints violates the OCSPA and permanent injunctions from engaging in the alleged behavior, as well as the imposition of civil penalties of $25,000 each and orders to reimburse all consumers damaged by the companies’ unfair, deceptive, and unconscionable acts. The Attorney General is also asking for orders for the lenders to maintain all business records related to transactions in Ohio for a period of five years. For a copy of Attorney General Dann’s press release announcing the complaints, please see http://www.ag.state.oh.us/press/07/06/pr070607.asp.
Minnesota Limits Sale, Exchange of Credit Inquiry Information. Minnesota Governor Tim Pawlenty recently signed into law S.F. 241, which prohibits a consumer reporting agency or any other business entity from selling to, or exchanging with, a third party the existence of a credit inquiry arising from a consumer mortgage loan application when the sale or exchange is triggered by an inquiry made in response to an application for credit. The law excludes third parties holding an existing mortgage loan on the property. Further, the law explicitly does not apply to “information provided by a mortgage originator or servicer to a third party providing services in connection with the mortgage loan origination or servicing; a proposed or actual securitization; secondary market sale, including sales of servicing rights; or similar transaction related to the consumer mortgage loan.” S.F. 241 also amends certain homestead property laws. Most notably, the law increases the dollar amount of the homestead exemption from $200,000 to $300,000. S.F. 241 is effective August 1, 2007. Full text of S.F. 241 can be found at http://www.revisor.leg.state.mn.us/bin/bldbill.php?bill=S0241.4.html&session=ls85.
Delaware Proposes Guidance on Nontraditional Mortgage Product Risks. Recently, the Delaware Bank Commissioner issued proposed Regulation 2106/2208, Guidance on Nontraditional Mortgage Product Risks. According to the Commissioner, the proposed regulation “parallels the guidance jointly issued by the OCC, the FRB, the Federal Deposit Insurance Corporation, the Office of Thrift Supervision and the National Credit Union Administration,” and “is being adopted to provide regulatory consistency between mortgage brokers and mortgage lenders regulated under Chapters 21 and 22 respectively of Title 5 of the Delaware Code that are not affiliated with a bank holding company or an insured financial institution, and the financial institutions that are subject to that federal Guidance.” A public hearing on the proposed regulation was scheduled to be held on Wednesday, June 6, 2007 and written comments were required to be received at or before that hearing. For a copy of the Bank Commissioner’s Notice of Proposed Adoption, please see http://banking.delaware.gov/proposed%20reg.%20notice.shtml.
Nevada Requires New Regulations for Nontraditional Mortgages. Effective January 1, 2008, regulations concerning nontraditional mortgage loan products and lending practices must be adopted by the Nevada Commissioner of Financial Institutions, in cooperation with the Nevada Commissioner of Mortgage Lending. Nevada, A.B. 329. The regulations must be substantially similar to the provisions set forth in the "Guidance on Nontraditional Mortgage Product Risks" published by the Conference of State Bank Supervisors and the American Association of Residential Mortgage Regulators on November 14, 2006. A nontraditional mortgage loan product, as defined by the Nevada law, means a residential loan agreement whose terms allow a borrower to defer repayment of principal or payment of interest on the loan for a period. Nontraditional mortgage loan products also include interest-only loans and payment option adjustable-rate mortgages. The Nevada law does not apply to home equity lines of credit other than simultaneous second-lien home equity lines of credit or reverse mortgages, as they are not considered nontraditional mortgage loans. Full text of A.B. 329 can be found at http://www.leg.state.nv.us/74th/Bills/AB/AB329_EN.pdf; “Guidance on Nontraditional Mortgage Product Risks” can be found at http://www.csbs.org/Content/NavigationMenu/RegulatoryAffairs/FederalAgencyGuidanceDatabase/CSBS-AARMR_FINAL_GUIDANCE.pdf.
Indiana Amends Loan Broker Act. Recently, Indiana’s Governor Mitch Daniels signed H.B. 1717 into law, substantially amending the state’s Loan Broker Act. Among other things, H.B. 1717 requires “principal managers” of licensees to register with the state, increases license application fees, requires license applicants to provide information regarding the applicant’s “ultimate equitable owner,” prohibits licensees from improperly influencing appraisers, and requires that every contract for the services of a loan broker specify that no statement or representation by the broker is enforceable unless it is in writing. H.B. 1717 does not change the Loan Broker Act’s exemption for “creditors,” but it does impose notice requirements in connection with certain other exemptions, including exemptions for HUD-approved mortgagees and approved Fannie Mae and Freddie Mac sellers/servicers. The amendments generally become effective July 1, 2007. Full text of H.B. 1717 can be found at http://www.in.gov/legislative/bills/2007/PDF/HE/HE1717.1.pdf
Iowa Amends Banking Laws with Respect to Registration, Licensure, Availability of Examination Records. On May 24, Iowa’s Governor Culver signed into law S.F. 360, an act enhancing the authority of the Division of Banking and its Professional Licensing Bureau, repealing certain restrictions on out-of-state entities, and limiting the disclosure of examination records. Specifically, the act allows the Superintendent of the Division of Banking to issue rules concerning the grounds for denial of an individual registration based on information received as a result of background checks, character and fitness grounds, and any other grounds for which an individual registrant or licensee may be disciplined. The act also authorizes the licensing boards within the Professional Licensing Bureau to (i) refuse to issue or renew licenses on a wide variety of grounds, including any of the grounds for which a license may be revoked or suspended or a licensee may otherwise be disciplined and (ii) suspend, revoke, or refuse to issue or renew a license, or discipline a licensee, based upon disciplinary action by a licensing authority in Iowa or in any other state, territory or country. Additionally, the act repeals certain restrictions on the ability of out-of-state banks, bank holding companies and industrial loan companies to acquire and compete with in-state industrial loan companies. Finally, the act provides that all papers, documents, examination reports, and other writings relating to the supervision of licensees are not public records, making them inaccessible through Iowa’s Open Records Law. The act becomes effective on July 1, 2007. Full text of S.F. 360 can be found at http://coolice.legis.state.ia.us/Cool-ICE/default.asp?Category=billinfo&Service=Billbook&menu=false&ga=82&hbill=SF360.
Texas House Joint Resolution Proposes Amendment to Constitution regarding Home Equity Loans. Effective May 22, the Texas Legislature passed H.J.R. 72 proposing a Texas constitutional amendment that would clarify certain provisions relating to the making of home equity loans and use of home equity loan proceeds. This amendment comes after various attempts to simplify home equity lending to the residents of Texas and is the result of studies conducted by the state’s Finance Commission. The amendment will appear as a ballot item in the November 6, 2007 election. Full text of HJR 72 may be found at http://www.capitol.state.tx.us/tlodocs/80R/billtext/html/HJ00072F.HTM.
Texas Passes Bill Requiring Original Signatures on Paper Documents Before Recordation. On May 25, Texas Governor Rick Perry signed into law H.B. 732, amending the Texas Property Code to require that “paper documents” concerning real or personal property cannot be recorded or serve as notice of the paper document unless (i) they contain original signatures acknowledged, sworn to with a proper jurat, or proved according to law or (ii) they are attached as exhibits to paper affidavits or other documents that have original signatures meeting the foregoing requirements. An original signature may not be required for electronic documents complying with other applicable law, including the Uniform Real Property Electronic Recording Act. To view full text of H.B. 732 see http://www.capitol.state.tx.us/tlodocs/80R/billtext/html/HB00732F.htm.
ChoicePoint, 44 State AGs Reach Voluntary Agreement to Protect Consumer Information. On May 31, the National Association of Attorneys General (NAAG) announced that 44 state attorneys general entered into an Assurance of Voluntary Compliance and Discontinuance (Assurance) with ChoicePoint that requires the data broker to take additional steps to protect sensitive consumer information. The Assurance resolves the state AGs’ investigation into ChoicePoint’s data handling processes that arose from the 2004 ChoicePoint data breach (see the March 4th, 2005 issue of InfoBytes). This settlement is different from the $10 million settlement previously reached by the FTC and ChoicePoint in 2006 (see the January 27th, 2006 issue of InfoBytes). Under the terms of the Assurance, which will last at least 10 years, ChoicePoint will take several steps to further protect sensitive customer information, including developing credentialing processes to verify the identity and business activities of customers seeking access to certain information and establishing the customers’ legitimate business purpose for requesting the information they seek. These processes may require ChoicePoint to obtain written certifications from prospective customers and may involve onsite visual inspections of customer facilities in appropriate cases. ChoicePoint has also committed to audit its customers to help protect sensitive personal information provided by ChoicePoint from unauthorized, fraudulent, or unlawful access by its customers. In addition, ChoicePoint will pay $500,000 to the state AGs to defray the cost of the states’ investigation and will be subject to third-party audits to monitor compliance with the Assurance. To access a copy of the NAAG press release, please see http://www.naag.org/44_attorneys_general_reach_settlement_with_choicepoint.php.
Georgia Governor Signs Data Security Breach Amendments. On May 24, Georgia Governor Sonny Perdue signed into law S.B. 236, amending the state’s original breach notification law, the Georgia Personal Identity Protection Act (the GPIPA), Ga. Code Ann. § 10-1-910 et seq., which only applied to information brokers. With certain limited exceptions, the new law will now require state and local government entities, termed “data collectors”, in addition to information brokers, to notify state residents if their unencrypted electronic personal information is breached. The new law also amends the GPIPA to (i) adjust the triggers for substitute notice in the GPIPA, (ii) allow notification by telephone, and (iii) extend the breach-notification period of those who maintain data on behalf of an information broker, or now a data collector, to 24 hours instead of “immediately.” Unlike data security breach laws in some states, the amended law does not cover businesses other than those deemed to be “information brokers” or those maintaining computerized data on behalf of information brokers or data collectors. The law also amends Georgia’s identity theft statute. The law took effect on May 24, immediately after the Governor signed it. Full text of S.B. 236 is available at http://www.legis.state.ga.us/legis/2007_08/versions/sb236_AP_12.htm.
Nebraska Governor Signs Credit Freeze Law, Law to Protect Employees' Social Security Numbers. On May 24, Nebraska Governor Dave Heineman signed into law L.B. 674, creating the Credit Report Protection Act (CRPA), a credit freeze law for state residents, and imposing restrictions on employer use of employees’ social security numbers. The CRPA will, among other things, require credit reporting firms to place a security freeze on a credit report within three business days of a request from a consumer and allow firms to charge a fee of $15 for a freeze, unless the consumer is a minor or a victim of identity theft. The CRPA will also require firms to temporarily lift a freeze within three business days of a request from a consumer, until January 1, 2009, when the timeframe will be reduced to 15 minutes for requests by telephone or a secure electronic method during specified business hours. The new law will also restrict an employer’s use of an employee’s social security number by prohibiting employers from publicly displaying more than the last four digits of an employee’s social security number and prohibiting other actions related to employees’ social security numbers, including requiring the electronic transmission of more than the last four digits unless the connection is secure or the information is encrypted. The CRPA will take effect on September 1, 2007. The social security number restrictions will take effect on September 1, 2008. Full text of L.B. 674 is available at http://uniweb.legislature.ne.gov/FloorDocs/Current/PDF/Slip/LB674.pdf.
Supreme Court Reverses Ninth Circuit in FCRA Insurance Adverse Action Cases. On June 4, the Supreme Court issued an opinion in two consolidated Fair Credit Reporting Act (FCRA) insurance adverse action cases, Safeco Insurance Co. v. Burr, No. 06-84, and GEICO General Insurance Co. v. Edo, No. 06-100. The Court reversed, 7-2, the holding of the U.S. Court of Appeals for the Ninth Circuit that GEICO had taken adverse action when it provided insurance at a rate higher than the best available rate, after considering credit-report information about the consumer. It held that GEICO did not have to provide an adverse action notice because the consumer in that case would not have received a better rate even if his credit report had not been considered at all, but held that an insurance company must provide a notice if the consumer would have received a better rate but for information in the credit report. The Court also unanimously reversed, as to Safeco, the Ninth Circuit’s holding that a company can be found to have willfully violated FCRA’s adverse action requirement if it had inadequate compliance procedures, which could have forced companies to waive attorney-client privilege in order to avoid the statutory penalties of $100-$1000 per “willful” violation of FCRA. The Court agreed with the Ninth Circuit that a company that acts with “reckless disregard” of its FCRA obligations can be held to have violated the law willfully, but applied an objective, rather than subjective, standard in which conduct based on an interpretation that is not “objectively unreasonable,” based on available guidance from the federal appellate courts and the Federal Trade Commission, will not be held to be a willful violation. For a more detailed discussion of the case, please see the InfoBytes Special Alert for June 4, 2007. Safeco Insurance Co. v. Burr, 2007 WL 1582951 (S. Ct. June 4, 2007), is available at http://www.supremecourtus.gov/opinions/06pdf/06-84.pdf.
Sixth Circuit Allows Emotional Distress Claim Based on Cardholder Collection Practices to Proceed. On May 29, the U.S. Court of Appeals for the Sixth Circuit, ruling under Tennessee law, reversed the dismissal of an intentional infliction of emotional distress claim, where the card issuer's collection practices may have contributed to the authorized cardholder's suicide. In MacDermid v. Discover Financial Services, 2007 WL 1529406, No. 06-5792 (6th Cir. May 29, 2007), Mrs. MacDermid, who had a history of mental disorders, drug and alcohol abuse, and personal bankruptcy, applied online for several credit cards from Discover, using her husband as the primary card holder and herself as an authorized user. To hide the cards from her husband, she listed a secret post office box on the application. Mr. MacDermid eventually found out about the credit cards and immediately contacted Discover to cancel the cards. A few months later, Mrs. MacDermid committed suicide, and both her suicide note and her psychiatrist's affidavit suggested that her stress about the credit card debt was a "significant precipitating factor" for her suicide. Mr. MacDermid brought suit in federal court alleging, among other things, intentional infliction of emotional distress (called "outrageous conduct" in Tennessee), violation of the Tennessee Consumer Protection Act, violation of the federal Fair Debt Collection Practices Act (FDCPA), and violation of the Truth in Lending Act (TILA). In the initial proceedings, the magistrate judge dismissed those claims, and Mr. MacDermid appealed. The Sixth Circuit reversed the dismissal of the outrageous conduct claim, but upheld dismissal of the others. Regarding the outrageous conduct claim, the court noted that the decisive issue is whether Discover's collection efforts, which included threatening Mrs. MacDermid with jail time and criminal prosecution despite being warned by Mr. MacDermid of her mental illness issues, constituted enough evidence to support a claim for outrageous conduct. However, the court predicated the reversal on the allegation that Discover threatened criminal prosecution against Mrs. MacDermid, without basis, for her failure to pay a purely civil debt. The court upheld the dismissal on the other issues, including holding that: (i) Internet credit card applications, even if they have no mechanism for obtaining signatures of all cardholders, are not inherently deceptive, and, in this case, such applications expressly complied with both state and federal law, including the state Uniform Electronic Transactions Act, and the federal Electronic Signatures in Global and National Commerce Act; (ii) there was no colorable TILA claim that Discover's efforts to impose liability on Mr. MacDermid violated that act because he never received the mandated disclosures (since they were sent to the secret PO Box), because TILA does not require issuers to investigate the legitimacy of an address provided in an application; and (iii) the FDCPA did not apply because Discover was collecting its own debts, and therefore was not a debt collector subject to the FDCPA. For a copy of the opinion, please see http://caselaw.lp.findlaw.com/data2/circs/6th/065792p.pdf.
MySpace Announces Settlement of Spam Claims Against TheGlobe.com. On May 31, MySpace, Inc. (MySpace), which operates a popular social networking site, and TheGlobe.com, Inc. (Globe) announced the settlement of MySpace’s claims that Globe violated the CAN-SPAM Act, as well as California’s anti-spam statute, by sending unsolicited e-mails from fake accounts to MySpace users. MySpace Inc. v. TheGlobe.com Inc. (C.D.Cal., No. CV 06-3391). Earlier this year, the U.S. District Court for the Central District of California in an unpublished court ruling had found, among other things, that a liquidated damages provision in MySpace’s terms of service of $50 per unsolicited communication was enforceable. Details of the settlement were not disclosed, but a recent regulatory filing by Globe indicates that it agreed to pay MySpace $2.55 million to settle the lawsuit. For a copy of MySpace’s current terms of service, please see http://www.myspace.com/Modules/Common/Pages/TermsConditions.aspx.
Online Marketers Settle CAN-SPAM, FTC Act Allegations. Recently, two online merchants who touted allegedly bogus “fountain of youth” oral sprays settled Federal Trade Commission and CAN-SPAM Act charges for $172,500 in consumer injuries. FTC v. Pacific Herbal Sciences, Inc., No. CV05-7242-RSWL (C.D. Cal., Apr. 26, 2007). The oral sprays were alleged to help lose weight, reverse aging, and prevent or treat diseases by providing or helping the body to produce human growth hormone. The marketing materials referred to clinical studies and prestigious publications to bolster their claims, but the Federal Trade Commission (FTC) alleged these claims were false. The sellers’ websites also assured consumers that information submitted would be encrypted, but the FTC charged that no encryption technology was used. The FTC also claimed that one of the marketers violated the CAN-SPAM Act when sending e-mail messages. These e-mails purportedly falsely identified the sender, used deceptive subject headings, failed to include an opt-out feature, and failed to disclose the sender’s postal address. The sender allegedly even forged email addresses to make it appear that the marketing e-mails were coming from “ftc.gov” and “uce.gov.” The settlement included a payment for consumer injuries, and it also contained nearly $3 million monetary judgments. The monetary judgments were suspended, based on the defendants’ financial disclosures. The FTC announced these stipulated final orders on May 29. More information, including copies of the consent orders, is available on the FTC’s website at http://www.ftc.gov/os/caselist/pacificherbal/pacificherbal.shtm.
Web Site Representations Satisfy Requirements of Magnuson-Moss Warranty Act. On May 30, the U.S. District Court for the Northern District of Illinois held that claims for breach of an express warranty may proceed under the Magnuson-Moss Warranty Act (MMWA), 15 U.S.C. § 2301, absent a showing of privity. In re McDonald’s French Fry Litigation, 2007 U.S. Dist. LEXIS 38960, No. 06C4467 (N.D. Ill., May 30, 2007). A class of individuals with dietary restrictions alleged, among other things, that McDonald’s allergen and dietary information maintained on its web page represented that McDonald’s french fries and hash browns did not contain milk, wheat and gluten. The class claims that such allergen and dietary information maintained on McDonald’s website constituted an express warranty that was breached when McDonald’s revealed potato products do in fact contain milk, wheat and gluten. McDonald’s moved for the court to dismiss the breach of express warranty claim because there was no privity of contract between McDonald’s and the class. The court held that while privity is normally a requirement of recovery under a common law breach of warranty claim, because the alleged representations were in writing, the claims were covered by the Magnuson-Moss Warranty Act and exempt from the privity requirement. The court stated that "[b]ecause the complaint alleges that defendant made at least one written representation[ ] through the website about the composition of the potato products, and that those representations were directed to consumers,” plaintiffs' breach of express warranty claim may continue under the MMWA. For a copy of the opinion, please contact .
District Court Strikes Down Arbitration Provision in Website Agreement. On May 30, the U.S. District Court for the Eastern District of Pennsylvania held that the arbitration provision in a website agreement entered into with Linden Research, Inc. (Linden) was unconscionable and therefore unenforceable. Bragg v. Linden Research, Inc., 2007 WL 1549013, No. CIV.A.06 4925 (E.D.Pa. May 30, 2007). Linden operates a website set in a virtual world called “Second Life.” Participants in Second Life create avatars to represent them and “live” in the virtual world, interacting with other avatars, making and acquiring property, transacting business and the like. Unlike most other virtual world websites, Second Life permits users to own property rights in the content they create and to purchase, rent and sell “virtual land” on the website. The plaintiff was a participant in Second Life who purchased numerous parcels of land in the website, including a parcel of virtual land named “Taessot” for $300 in April 2006. Linden advised the plaintiff by email that Taessot had been improperly purchased, took Taessot back from the plaintiff, and froze the plaintiff’s account. The plaintiff sued Linden, and Linden moved to compel arbitration. In order to participate in Second Life, a person must accept the Terms of Service (TOS) by clicking the “accept” button on the website. The TOS included a California choice of law provision, an arbitration provision, and a forum selection clause. These clauses were buried in the lengthy TOS under the heading “GENERAL PROVISIONS.” The court, applying the Federal Arbitration Act and California contract law, ruled that the arbitration agreement was procedurally and substantively unconscionable. 
Under California law, a contract is procedurally unconscionable if it is a contract of adhesion (i.e., a standardized contract, imposed and drafted by the party of superior bargaining strength, which permits the subscribing party only the options of accepting or rejecting the contract). The court determined that the TOS was procedurally unconscionable because it was a contract of adhesion, there were no reasonably available market alternatives (Second Life was the only virtual world to permit ownership of property), and the arbitration clause was so inconspicuous that its existence came as a surprise to the user. The court determined that the TOS was substantively unconscionable based on the lack of mutuality of the TOS, the high costs of arbitration and the fee-sharing arrangement, the confidentiality provision in the TOS, and the lack of legitimate business realities creating a special need for the one-sidedness of the contract terms. For a copy of the opinion, please see http://www.paed.uscourts.gov/documents/opinions/07D0658P.pdf.
Illinois Department of Financial & Professional Regulation Announces Licensee Security Breach. The Illinois Department of Financial & Professional Regulation (IDFPR) recently announced a security breach on a State of Illinois server containing personal information of licensees of the IDFPR. On its website, the IDFPR explains that the matter involved criminal conduct and that law enforcement asked it to delay notification to the affected licensees and the General Assembly to prevent interference with an ongoing criminal investigation. The IDFPR reports that there is currently no indication that the unauthorized access to the server resulted in the theft of any personal identifying information and that a preliminary investigation revealed that the data on the server was compromised sometime in January 2007. The IDFPR further reports that it has isolated the compromised server and is thoroughly checking all other like systems for security breaches. The IDFPR is comprised of four divisions: Division of Banking, Division of Financial Institutions, Division of Insurance, and Division of Professional Regulation, and the entities it regulates include, among others, state chartered banks, trust companies, savings banks and savings and loan associations, mortgage bankers and brokers, credit unions, title insurance companies, and other businesses making loans of $40,000 or less. For a copy of the IDFPR’s website posting regarding the breach, please see http://www.idfpr.com/BreachInformation.asp.
OCC, FDIC Warn of Fraudulent Correspondence in their Names. On June 6, the OCC issued OCC Alert 2007-31, warning that fraudulent e-mails, faxes and postal mail allegedly issued by the OCC regarding restricted funds are continuing to circulate. The OCC warns that any documents claiming that the OCC is holding, or has placed a hold on, any funds for the benefit of any individual or entity are fraudulent. The OCC does not participate in the transfer of funds for, or on behalf of, individuals, business enterprises, or governmental entities and does not establish, maintain, or control any deposit accounts for, or in the name of, any individuals, businesses, or governments. On June 5, the FDIC issued Special Alert 140-2007, warning that certain letters that appear to be faxed by the FDIC to financial institutions in the United States and other countries are fraudulent. The letters state that “information is sought pursuant to sections 5318(J) and 5318(k) of Title 31 of the United States Code, as added by sections 313 and 319(b) of the USA PATRIOT ACT OF 2001 (Public Law 107-56).” The letters also state in part, "As part of our oversight duties over banks operating in the United States, it is our statutory responsibility to ensure that foreign banks which maintain correspondent accounts with banks in the United Sates are up to date with their Certification." The letters also ask recipients to complete a form (attached as a second page to the fraudulent fax) and return the completed form by fax to a telephone number provided and are signed by "Ms Rosaline Smith, For and on Behalf of Federal Deposit Insurance Corporation." The FDIC warns that financial institutions should not respond to the fraudulent request for information and should not, under any circumstances, forward any information to the fax telephone number. 
For a copy of the FDIC’s Special Alert, including information on reporting fraudulent activity, please see http://www.fdic.gov/news/news/SpecialAlert/2007/sa07140.html; for a copy of the OCC’s Alert, including information on detecting and reporting fraudulent activity, please see http://www.occ.treas.gov/ftp/alert/2007-31.html.
Visa Mandates Level 4 Merchant Compliance Plan. In an effort to help reduce cardholder data compromises, Visa has mandated that acquirers develop a formal written compliance program that identifies, prioritizes, and manages overall risk within their Level 4 merchant populations. The Level 4 merchant compliance plan must include (i) a timeline of critical events, (ii) a risk-profiling strategy, (iii) a merchant education strategy, (iv) a compliance strategy, and (v) compliance reporting. According to Visa, many acquirers have already provided summaries, but all other acquirers must e-mail summaries of their Level 4 merchant compliance plans by July 31, 2007 to . Acquirers that fail to do so may face risk controls. Acquirers must ensure that their merchants maintain compliance with the Payment Card Industry Data Security Standard (PCI DSS), as part of the Visa Cardholder Information Security Program (CISP). Visa has instituted risk-prioritized merchant validation requirements, which are based on the volume of transactions and the potential risk introduced into the payment system. Acquirers are currently required to ensure that their Level 1, 2, and 3 merchants validate the PCI DSS annually, but validation of Level 4 merchants is currently at the discretion of acquirers. Even though Level 4 merchants handle fewer transactions than Level 1, 2, or 3 merchants—cumulatively less than one third of all Visa transactions—they account for more than 99 percent of the merchants that accept Visa. Therefore, cardholder data compromises affect Level 4 merchants with greater frequency than Level 1, 2, and 3 merchants combined. For more information, please contact .
Jeff Naimon and Kirk Jensen spoke at the American Conference Institute's seminar "Preventing, Defending and Resolving Consumer Credit Litigation," which took place on June 5-6, 2007 in New York. Mr. Naimon participated on the RESPA panel and Mr. Jensen spoke on arbitration.
Agencies Release List of Distressed, Underserved Nonmetropolitan Middle-Income Geographies. On June 1, the federal banking and thrift regulatory agencies announced the availability of the 2007 list of distressed and underserved nonmetropolitan middle-income geographies in which bank revitalization or stabilization activities will receive Community Reinvestment Act (CRA) consideration as "community development." "Distressed nonmetropolitan middle-income geographies" and "underserved nonmetropolitan middle-income geographies" are designated by the agencies in accordance with their CRA regulations. For a copy of the Federal Deposit Insurance Corporation's (FDIC) press release on the subject, please see http://www.fdic.gov/news/news/press/2007/pr07045.html; for the 2007 list, as well as lists from previous years, please see http://www.ffiec.gov/cra/examinations.htm.
Ohio Attorney General Targets Brokers, Lenders for Undue Influence on Appraisers. On June 7, Ohio Attorney General Marc Dann announced that he has lodged complaints against ten companies for violating Ohio’s consumer protection laws in the “first big sweep of lawsuits targeting unscrupulous mortgage brokers and lenders since the state’s new predatory lending law took effect.” The complaints allege undue influence on appraisers by mortgage brokers, lenders, and other entities involved in arranging mortgage loans. According to the Attorney General, the complaints state that these companies have committed unconscionable acts or practices in violation of the Ohio Consumer Sales Practices Act (OCSPA) by knowingly compensating, instructing, inducing, coercing, or intimidating appraisers for the purpose of improperly influencing the independent process. The Attorney General is asking for declaratory judgments stating that each act alleged in the complaints violates the OCSPA and permanent injunctions from engaging in the alleged behavior, as well as the imposition of civil penalties of $25,000 each and orders to reimburse all consumers damaged by the companies’ unfair, deceptive, and unconscionable acts. The Attorney General is also asking for orders for the lenders to maintain all business records related to transactions in Ohio for a period of five years. For a copy of Attorney General Dann’s press release announcing the complaints, please see http://www.ag.state.oh.us/press/07/06/pr070607.asp.
Minnesota Limits Sale, Exchange of Credit Inquiry Information. Minnesota Governor Tim Pawlenty recently signed into law S.F. 241, which prohibits a consumer reporting agency or any other business entity from selling to, or exchanging with, a third party the existence of a credit inquiry arising from a consumer mortgage loan application when the sale or exchange is triggered by an inquiry made in response to an application for credit. The law excludes third parties holding an existing mortgage loan on the property. Further, the law explicitly does not apply to “information provided by a mortgage originator or servicer to a third party providing services in connection with the mortgage loan origination or servicing; a proposed or actual securitization; secondary market sale, including sales of servicing rights; or similar transaction related to the consumer mortgage loan.” S.F. 241 also amends certain homestead property laws. Most notably, the law increases the dollar amount of the homestead exemption from $200,000 to $300,000. S.F. 241 is effective August 1, 2007. Full text of S.F. 241 can be found at http://www.revisor.leg.state.mn.us/bin/bldbill.php?bill=S0241.4.html&session=ls85.
Delaware Proposes Guidance on Nontraditional Mortgage Product Risks. Recently, the Delaware Bank Commissioner issued proposed Regulation 2106/2208, Guidance on Nontraditional Mortgage Product Risks. According to the Commissioner, the proposed regulation “parallels the guidance jointly issued by the OCC, the FRB, the Federal Deposit Insurance Corporation, the Office of Thrift Supervision and the National Credit Union Administration,” and “is being adopted to provide regulatory consistency between mortgage brokers and mortgage lenders regulated under Chapters 21 and 22 respectively of Title 5 of the Delaware Code that are not affiliated with a bank holding company or an insured financial institution, and the financial institutions that are subject to that federal Guidance.” A public hearing on the proposed regulation was scheduled to be held on Wednesday, June 6, 2007 and written comments were required to be received at or before that hearing. For a copy of the Bank Commissioner’s Notice of Proposed Adoption, please see http://banking.delaware.gov/proposed%20reg.%20notice.shtml.
Nevada Requires New Regulations for Nontraditional Mortgages. Effective January 1, 2008, regulations concerning nontraditional mortgage loan products and lending practices must be adopted by the Nevada Commissioner of Financial Institutions, in cooperation with the Nevada Commissioner of Mortgage Lending. Nevada, A.B. 329. The regulations must be substantially similar to the provisions set forth in the "Guidance on Nontraditional Mortgage Product Risks" published by the Conference of State Bank Supervisors and the American Association of Residential Mortgage Regulators on November 14, 2006. A nontraditional mortgage loan product, as defined by the Nevada law, means a residential loan agreement whose terms allow a borrower to defer repayment of principal or payment of interest on the loan for a period. Nontraditional mortgage loan products also include interest-only loans and payment option adjustable-rate mortgages. The Nevada law does not apply to home equity lines of credit other than simultaneous second-lien home equity lines of credit or reverse mortgages, as they are not considered nontraditional mortgage loans. Full text of A.B. 329 can be found at http://www.leg.state.nv.us/74th/Bills/AB/AB329_EN.pdf; “Guidance on Nontraditional Mortgage Product Risks” can be found at http://www.csbs.org/Content/NavigationMenu/RegulatoryAffairs/FederalAgencyGuidanceDatabase/CSBS-AARMR_FINAL_GUIDANCE.pdf.
Indiana Amends Loan Broker Act. Recently, Indiana’s Governor Mitch Daniels signed H.B. 1717 into law, substantially amending the state’s Loan Broker Act. Among other things, H.B. 1717 requires “principal managers” of licensees to register with the state, increases license application fees, requires license applicants to provide information regarding the applicant’s “ultimate equitable owner,” prohibits licensees from improperly influencing appraisers, and requires that every contract for the services of a loan broker specify that no statement or representation by the broker is enforceable unless it is in writing. H.B. 1717 does not change the Loan Broker Act’s exemption for “creditors,” but it does impose notice requirements in connection with certain other exemptions, including exemptions for HUD-approved mortgagees and approved Fannie Mae and Freddie Mac sellers/servicers. The amendments generally become effective July 1, 2007. Full text of H.B. 1717 can be found at http://www.in.gov/legislative/bills/2007/PDF/HE/HE1717.1.pdf
Iowa Amends Banking Laws with Respect to Registration, Licensure, Availability of Examination Records. On May 24, Iowa’s Governor Culver signed into law S.F. 360, an act enhancing the authority of the Division of Banking and its Professional Licensing Bureau, repealing certain restrictions on out-of-state entities, and limiting the disclosure of examination records. Specifically, the act allows the Superintendent of the Division of Banking to issue rules concerning the grounds for denial of an individual registration based on information received as a result of background checks, character and fitness grounds, and any other grounds for which an individual registrant or licensee may be disciplined. The act also authorizes the licensing boards within the Professional Licensing Bureau to (i) refuse to issue or renew licenses on a wide variety of grounds, including any of the grounds for which a license may be revoked or suspended or a licensee may otherwise be disciplined and (ii) suspend, revoke, or refuse to issue or renew a license, or discipline a licensee, based upon disciplinary action by a licensing authority in Iowa or in any other state, territory or country. Additionally, the act repeals certain restrictions on the ability of out-of-state banks, bank holding companies and industrial loan companies to acquire and compete with in-state industrial loan companies. Finally, the act provides that all papers, documents, examination reports, and other writings relating to the supervision of licensees are not public records, making them inaccessible through Iowa’s Open Records Law. The act becomes effective on July 1, 2007. Full text of S.F. 360 can be found at http://coolice.legis.state.ia.us/Cool-ICE/default.asp?Category=billinfo&Service=Billbook&menu=false&ga=82&hbill=SF360.
Texas House Joint Resolution Proposes Amendment to Constitution regarding Home Equity Loans. Effective May 22, the Texas Legislature passed H.J.R. 72 proposing a Texas constitutional amendment that would clarify certain provisions relating to the making of home equity loans and use of home equity loan proceeds. This amendment comes after various attempts to simplify home equity lending to the residents of Texas and is the result of studies conducted by the state’s Finance Commission. The amendment will appear as a ballot item in the November 6, 2007 election. Full text of HJR 72 may be found at http://www.capitol.state.tx.us/tlodocs/80R/billtext/html/HJ00072F.HTM.
Texas Passes Bill Requiring Original Signatures on Paper Documents Before Recordation. On May 25, Texas Governor Rick Perry signed into law H.B. 732, amending the Texas Property Code to require that “paper documents” concerning real or personal property cannot be recorded or serve as notice of the paper document unless (i) they contain original signatures acknowledged, sworn to with a proper jurat, or proved according to law or (ii) they are attached as exhibits to paper affidavits or other documents that have original signatures meeting the foregoing requirements. An original signature may not be required for electronic documents complying with other applicable law, including the Uniform Real Property Electronic Recording Act. To view full text of H.B. 732 see http://www.capitol.state.tx.us/tlodocs/80R/billtext/html/HB00732F.htm.
ChoicePoint, 44 State AGs Reach Voluntary Agreement to Protect Consumer Information. On May 31, the National Association of Attorneys General (NAAG) announced that 44 state attorneys general entered into an Assurance of Voluntary Compliance and Discontinuance (Assurance) with ChoicePoint that requires the data broker to take additional steps to protect sensitive consumer information. The Assurance resolves the state AGs’ investigation into ChoicePoint’s data handling processes that arose from the 2004 ChoicePoint data breach (see the March 4th, 2005 issue of InfoBytes). This settlement is different from the $10 million settlement previously reached by the FTC and ChoicePoint in 2006 (see the January 27th, 2006 issue of InfoBytes). Under the terms of the Assurance, which will last at least 10 years, ChoicePoint will take several steps to further protect sensitive customer information, including developing credentialing processes to verify the identity and business activities of customers seeking access to certain information and establishing the customers’ legitimate business purpose for requesting the information they seek. These processes may require ChoicePoint to obtain written certifications from prospective customers and may involve onsite visual inspections of customer facilities in appropriate cases. ChoicePoint has also committed to audit its customers to help protect sensitive personal information provided by ChoicePoint from unauthorized, fraudulent, or unlawful access by its customers. In addition, ChoicePoint will pay $500,000 to the state AGs to defray the cost of the states’ investigation and will be subject to third-party audits to monitor compliance with the Assurance. To access a copy of the NAAG press release, please see http://www.naag.org/44_attorneys_general_reach_settlement_with_choicepoint.php.
OCC Calls for Better Credit Card Disclosures. On June 7, Comptroller of the Currency John C. Dugan told a subcommittee of the House Committee on Financial Services that current credit card disclosure rules should be changed to improve consumers’ ability to make well-informed decisions when choosing credit cards. Comptroller Dugan said, “Effective disclosure can have three fundamental benefits for consumers: first, informed consumer choice; second, enhanced issuer competition to provide consumers the terms they want; and third, greater transparency that will hold the most aggressive credit card practices up to the glare of public scrutiny and criticism, making issuers think long and hard about the costs of such practices before implementing them.” According to the Comptroller, disclosures have not kept pace with the changes and complexities of credit card terms and practices, and accordingly many consumers do not understand certain features like “universal default” and “double cycle billing.” The Office of the Comptroller of the Currency (OCC) does not have the authority to issue regulations under the primary consumer protection statutes governing credit card lending and, accordingly, the Comptroller stressed the importance of the Federal Reserve Board’s (FRB) undertaking to revise its disclosure rule. With respect to going beyond disclosure regulation to restrict risk-based pricing, the Comptroller cautioned that Congress should bear in mind that “proposals to restrict risk-based pricing could have unintended consequences regarding banks’ ability to manage risks, or on the availability and affordability of credit cards more generally.” For a copy of the OCC’s press release on the Comptroller’s testimony, please see http://www.occ.treas.gov/ftp/release/2007-54.htm.
Supreme Court Reverses Ninth Circuit in FCRA Insurance Adverse Action Cases. On June 4, the Supreme Court issued an opinion in two consolidated Fair Credit Reporting Act (FCRA) insurance adverse action cases, Safeco Insurance Co. v. Burr, No. 06-84, and GEICO General Insurance Co. v. Edo, No. 06-100. The Court reversed, 7-2, the holding of the U.S. Court of Appeals for the Ninth Circuit that GEICO had taken adverse action when it provided insurance at a rate higher than the best available rate, after considering credit-report information about the consumer. It held that GEICO did not have to provide an adverse action notice because the consumer in that case would not have received a better rate even if his credit report had not been considered at all, but held that an insurance company must provide a notice if the consumer would have received a better rate but for information in the credit report. The Court also unanimously reversed, as to Safeco, the Ninth Circuit’s holding that a company can be found to have willfully violated FCRA’s adverse action requirement if it had inadequate compliance procedures, which could have forced companies to waive attorney-client privilege in order to avoid the statutory penalties of $100-$1000 per “willful” violation of FCRA. The Court agreed with the Ninth Circuit that a company that acts with “reckless disregard” of its FCRA obligations can be held to have violated the law willfully, but applied an objective, rather than subjective, standard in which conduct based on an interpretation that is not “objectively unreasonable,” based on available guidance from the federal appellate courts and the Federal Trade Commission, will not be held to be a willful violation. For a more detailed discussion of the case, please see the InfoBytes Special Alert for June 4, 2007. Safeco Insurance Co. v. Burr, 2007 WL 1582951 (S. Ct. June 4, 2007), is available at http://www.supremecourtus.gov/opinions/06pdf/06-84.pdf.
Sixth Circuit Allows Emotional Distress Claim Based on Cardholder Collection Practices to Proceed. On May 29, the U.S. Court of Appeals for the Sixth Circuit, ruling under Tennessee law, reversed the dismissal of an intentional infliction of emotional distress claim, where the card issuer's collection practices may have contributed to the authorized cardholder's suicide. In MacDermid v. Discover Financial Services, 2007 WL 1529406, No. 06-5792 (6th Cir. May 29, 2007), Mrs. MacDermid, who had a history of mental disorders, drug and alcohol abuse, and personal bankruptcy, applied online for several credit cards from Discover, using her husband as the primary card holder and herself as an authorized user. To hide the cards from her husband, she listed a secret post office box on the application. Mr. MacDermid eventually found out about the credit cards and immediately contacted Discover to cancel the cards. A few months later, Mrs. MacDermid committed suicide, and both her suicide note and her psychiatrist's affidavit suggested that her stress about the credit card debt was a "significant precipitating factor" for her suicide. Mr. MacDermid brought suit in federal court alleging, among other things, intentional infliction of emotional distress (called "outrageous conduct" in Tennessee), violation of the Tennessee Consumer Protection Act, violation of the federal Fair Debt Collection Practices Act (FDCPA), and violation of the Truth in Lending Act (TILA). In the initial proceedings, the magistrate judge dismissed those claims, and Mr. MacDermid appealed. The Sixth Circuit reversed the dismissal of the outrageous conduct claim, but upheld dismissal of the others. Regarding the outrageous conduct claim, the court noted that the decisive issue is whether Discover's collection efforts, which included threatening Mrs. MacDermid with jail time and criminal prosecution despite being warned by Mr. MacDermid of her mental illness issues, constituted enough evidence to support a claim for outrageous conduct. However, the court predicated the reversal on the allegation that Discover threatened criminal prosecution against Mrs. MacDermid, without basis, for her failure to pay a purely civil debt. The court upheld the dismissal on the other issues, including holding that: (i) Internet credit card applications, even if they have no mechanism for obtaining signatures of all cardholders, are not inherently deceptive, and, in this case, such applications expressly complied with both state and federal law, including the state Uniform Electronic Transactions Act, and the federal Electronic Signatures in Global and National Commerce Act; (ii) there was no colorable TILA claim that Discover's efforts to impose liability on Mr. MacDermid violated that act because he never received the mandated disclosures (since they were sent to the secret PO Box), because TILA does not require issuers to investigate the legitimacy of an address provided in an application; and (iii) the FDCPA did not apply because Discover was collecting its own debts, and therefore was not a debt collector subject to the FDCPA. For a copy of the opinion, please see http://caselaw.lp.findlaw.com/data2/circs/6th/065792p.pdf.
MySpace Announces Settlement of Spam Claims Against TheGlobe.com. On May 31, MySpace, Inc. (MySpace), which operates a popular social networking site, and TheGlobe.com, Inc. (Globe) announced the settlement of MySpace’s claims that Globe violated the CAN-SPAM Act, as well as California’s anti-spam statute, by sending unsolicited e-mails from fake accounts to MySpace users. MySpace Inc. v. TheGlobe.com Inc. (C.D.Cal., No. CV 06-3391). Earlier this year, the U.S. District Court for the Central District of California in an unpublished court ruling had found, among other things, that a liquidated damages provision in MySpace’s terms of service of $50 per unsolicited communication was enforceable. Details of the settlement were not disclosed, but a recent regulatory filing by Globe indicates that it agreed to pay MySpace $2.55 million to settle the lawsuit. For a copy of MySpace’s current terms of service, please see http://www.myspace.com/Modules/Common/Pages/TermsConditions.aspx.
Online Marketers Settle CAN-SPAM, FTC Act Allegations. Recently, two online merchants who touted allegedly bogus “fountain of youth” oral sprays settled Federal Trade Commission and CAN-SPAM Act charges for $172,500 in consumer injuries. FTC v. Pacific Herbal Sciences, Inc., No. CV05-7242-RSWL (C.D. Cal., Apr. 26, 2007). The oral sprays were alleged to help lose weight, reverse aging, and prevent or treat diseases by providing or helping the body to produce human growth hormone. The marketing materials referred to clinical studies and prestigious publications to bolster their claims, but the Federal Trade Commission (FTC) alleged these claims were false. The sellers’ websites also assured consumers that information submitted would be encrypted, but the FTC charged that no encryption technology was used. The FTC also claimed that one of the marketers violated the CAN-SPAM Act when sending e-mail messages. These e-mails purportedly falsely identified the sender, used deceptive subject headings, failed to include an opt-out feature, and failed to disclose the sender’s postal address. The sender allegedly even forged email addresses to make it appear that the marketing e-mails were coming from “ftc.gov” and “uce.gov.” The settlement included a payment for consumer injuries, and it also contained nearly $3 million monetary judgments. The monetary judgments were suspended, based on the defendants’ financial disclosures. The FTC announced these stipulated final orders on May 29. More information, including copies of the consent orders, is available on the FTC’s website at http://www.ftc.gov/os/caselist/pacificherbal/pacificherbal.shtm.
Web Site Representations Satisfy Requirements of Magnuson-Moss Warranty Act. On May 30, the U.S. District Court for the Northern District of Illinois held that claims for breach of an express warranty may proceed under the Magnuson-Moss Warranty Act (MMWA), 15 U.S.C. § 2301, absent a showing of privity. In re McDonald’s French Fry Litigation, 2007 U.S. Dist. LEXIS 38960, No. 06C4467 (N.D. Ill., May 30, 2007). A class of individuals with dietary restrictions alleged, among other things, that McDonald’s allergen and dietary information maintained on its web page represented that McDonald’s french fries and hash browns did not contain milk, wheat and gluten. The class claims that such allergen and dietary information maintained on McDonald’s website constituted an express warranty that was breached when McDonald’s revealed potato products do in fact contain milk, wheat and gluten. McDonald’s moved for the court to dismiss the breach of express warranty claim because there was no privity of contract between McDonald’s and the class. The court held that while privity is normally a requirement of recovery under a common law breach of warranty claim, because the alleged representations were in writing, the claims were covered by the Magnuson-Moss Warranty Act and exempt from the privity requirement. The court stated that "[b]ecause the complaint alleges that defendant made at least one written representation[ ] through the website about the composition of the potato products, and that those representations were directed to consumers,” plaintiffs' breach of express warranty claim may continue under the MMWA. For a copy of the opinion, please contact .
District Court Strikes Down Arbitration Provision in Website Agreement. On May 30, the U.S. District Court for the Eastern District of Pennsylvania held that the arbitration provision in a website agreement entered into with Linden Research, Inc. (Linden) was unconscionable and therefore unenforceable. Bragg v. Linden Research, Inc., 2007 WL 1549013, No. CIV.A.06 4925 (E.D.Pa. May 30, 2007). Linden operates a website set in a virtual world called “Second Life.” Participants in Second Life create avatars to represent them and “live” in the virtual world, interacting with other avatars, making and acquiring property, transacting business and the like. Unlike most other virtual world websites, Second Life permits users to own property rights in the content they create and to purchase, rent and sell “virtual land” on the website. The plaintiff was a participant in Second Life who purchased numerous parcels of land in the website, including a parcel of virtual land named “Taessot” for $300 in April 2006. Linden advised the plaintiff by email that Taessot had been improperly purchased, took Taessot back from the plaintiff, and froze the plaintiff’s account. The plaintiff sued Linden, and Linden moved to compel arbitration. In order to participate in Second Life, a person must accept the Terms of Service (TOS) by clicking the “accept” button on the website. The TOS included a California choice of law provision, an arbitration provision, and a forum selection clause. These clauses were buried in the lengthy TOS under the heading “GENERAL PROVISIONS.” The court, applying the Federal Arbitration Act and California contract law, ruled that the arbitration agreement was procedurally and substantively unconscionable.
Under California law, a contract is procedurally unconscionable if it is a contract of adhesion (i.e., a standardized contract, imposed and drafted by the party of superior bargaining strength, which permits the subscribing party only the options of accepting or rejecting the contract). The court determined that the TOS was procedurally unconscionable because it was a contract of adhesion, there were no reasonably available market alternatives (Second Life was the only virtual world to permit ownership of property), and the arbitration clause was so inconspicuous that its existence came as a surprise to the user. The court determined that the TOS was substantively unconscionable based on the lack of mutuality of the TOS, the high costs of arbitration and the fee-sharing arrangement, the confidentiality provision in the TOS, and the lack of legitimate business realities creating a special need for the one-sidedness of the contract terms. For a copy of the opinion, please see http://www.paed.uscourts.gov/documents/opinions/07D0658P.pdf.
Texas Passes Bill Requiring Original Signatures on Paper Documents Before Recordation. On May 25, Texas Governor Rick Perry signed into law H.B. 732, amending the Texas Property Code to require that “paper documents” concerning real or personal property cannot be recorded or serve as notice of the paper document unless (i) they contain original signatures acknowledged, sworn to with a proper jurat, or proved according to law or (ii) they are attached as exhibits to paper affidavits or other documents that have original signatures meeting the foregoing requirements. An original signature may not be required for electronic documents complying with other applicable law, including the Uniform Real Property Electronic Recording Act. To view full text of H.B. 732 see http://www.capitol.state.tx.us/tlodocs/80R/billtext/html/HB00732F.htm.
ChoicePoint, 44 State AGs Reach Voluntary Agreement to Protect Consumer Information. On May 31, the National Association of Attorneys General (NAAG) announced that 44 state attorneys general entered into an Assurance of Voluntary Compliance and Discontinuance (Assurance) with ChoicePoint that requires the data broker to take additional steps to protect sensitive consumer information. The Assurance resolves the state AGs’ investigation into ChoicePoint’s data handling processes that arose from the 2004 ChoicePoint data breach (see the March 4th, 2005 issue of InfoBytes). This settlement is different from the $10 million settlement previously reached by the FTC and ChoicePoint in 2006 (see the January 27th, 2006 issue of InfoBytes). Under the terms of the Assurance, which will last at least 10 years, ChoicePoint will take several steps to further protect sensitive customer information, including developing credentialing processes to verify the identity and business activities of customers seeking access to certain information and establishing the customers’ legitimate business purpose for requesting the information they seek. These processes may require ChoicePoint to obtain written certifications from prospective customers and may involve onsite visual inspections of customer facilities in appropriate cases. ChoicePoint has also committed to audit its customers to help protect sensitive personal information provided by ChoicePoint from unauthorized, fraudulent, or unlawful access by its customers. In addition, ChoicePoint will pay $500,000 to the state AGs to defray the cost of the states’ investigation and will be subject to third-party audits to monitor compliance with the Assurance. To access a copy of the NAAG press release, please see http://www.naag.org/44_attorneys_general_reach_settlement_with_choicepoint.php.
Georgia Governor Signs Data Security Breach Amendments. On May 24, Georgia Governor Sonny Perdue signed into law S.B. 236, amending the state’s original breach notification law, the Georgia Personal Identity Protection Act (the GPIPA), Ga. Code Ann. § 10-1-910 et seq., which only applied to information brokers. With certain limited exceptions, the new law will now require state and local government entities, termed “data collectors”, in addition to information brokers, to notify state residents if their unencrypted electronic personal information is breached. The new law also amends the GPIPA to (i) adjust the triggers for substitute notice in the GPIPA, (ii) allow notification by telephone, and (iii) extend the breach-notification period of those who maintain data on behalf of an information broker, or now a data collector, to 24 hours instead of “immediately.” Unlike data security breach laws in some states, the amended law does not cover businesses other than those deemed to be “information brokers” or those maintaining computerized data on behalf of information brokers or data collectors. The law also amends Georgia’s identity theft statute. The law took effect on May 24, immediately after the Governor signed it. Full text of S.B. 236 is available at http://www.legis.state.ga.us/legis/2007_08/versions/sb236_AP_12.htm.
Nebraska Governor Signs Credit Freeze Law, Law to Protect Employees' Social Security Numbers. On May 24, Nebraska Governor Dave Heineman signed into law L.B. 674, creating the Credit Report Protection Act (CRPA), a credit freeze law for state residents, and imposing restrictions on employer use of employees’ social security numbers. The CRPA will, among other things, require credit reporting firms to place a security freeze on a credit report within three business days of a request from a consumer and allow firms to charge a fee of $15 for a freeze, unless the consumer is a minor or a victim of identity theft. The CRPA will also require firms to temporarily lift a freeze within three business days of a request from a consumer, until January 1, 2009, when the timeframe will be reduced to 15 minutes for requests by telephone or a secure electronic method during specified business hours. The new law will also restrict an employer’s use of an employee’s social security number by prohibiting employers from publicly displaying more than the last four digits of an employee’s social security number and prohibiting other actions related to employees’ social security numbers, including requiring the electronic transmission of more than the last four digits unless the connection is secure or the information is encrypted. The CRPA will take effect on September 1, 2007. The social security number restrictions will take effect on September 1, 2008. Full text of L.B. 674 is available at http://uniweb.legislature.ne.gov/FloorDocs/Current/PDF/Slip/LB674.pdf.
Illinois Department of Financial & Professional Regulation Announces Licensee Security Breach. The Illinois Department of Financial & Professional Regulation (IDFPR) recently announced a security breach on a State of Illinois server containing personal information of licensees of the IDFPR. On its website, the IDFPR explains that the matter involved criminal conduct and that law enforcement asked it to delay notification to the affected licensees and the General Assembly to prevent interference with an ongoing criminal investigation. The IDFPR reports that there is currently no indication that the unauthorized access to the server resulted in the theft of any personal identifying information and that a preliminary investigation revealed that the data on the server was compromised sometime in January 2007. The IDFPR further reports that it has isolated the compromised server and is thoroughly checking all other like systems for security breaches. The IDFPR is comprised of four divisions: Division of Banking, Division of Financial Institutions, Division of Insurance, and Division of Professional Regulation, and the entities it regulates include, among others, state chartered banks, trust companies, savings banks and savings and loan associations, mortgage bankers and brokers, credit unions, title insurance companies, and other businesses making loans of $40,000 or less. For a copy of the IDFPR’s website posting regarding the breach, please see http://www.idfpr.com/BreachInformation.asp.
OCC Calls for Better Credit Card Disclosures. On June 7, Comptroller of the Currency John C. Dugan told a subcommittee of the House Committee on Financial Services that current credit card disclosure rules should be changed to improve consumers’ ability to make well-informed decisions when choosing credit cards. Comptroller Dugan said, “Effective disclosure can have three fundamental benefits for consumers: first, informed consumer choice; second, enhanced issuer competition to provide consumers the terms they want; and third, greater transparency that will hold the most aggressive credit card practices up to the glare of public scrutiny and criticism, making issuers think long and hard about the costs of such practices before implementing them.” According to the Comptroller, disclosures have not kept pace with the changes and complexities of credit card terms and practices, and accordingly many consumers do not understand certain features like “universal default” and “double cycle billing.” The Office of the Comptroller of the Currency (OCC) does not have the authority to issue regulations under the primary consumer protection statutes governing credit card lending and, accordingly, the Comptroller stressed the importance of the Federal Reserve Board’s (FRB) undertaking to revise its disclosure rule. With respect to going beyond disclosure regulation to restrict risk-based pricing, the Comptroller cautioned that Congress should bear in mind that “proposals to restrict risk-based pricing could have unintended consequences regarding banks’ ability to manage risks, or on the availability and affordability of credit cards more generally.” For a copy of the OCC’s press release on the Comptroller’s testimony, please see http://www.occ.treas.gov/ftp/release/2007-54.htm.
Visa Mandates Level 4 Merchant Compliance Plan. In an effort to help reduce cardholder data compromises, Visa has mandated that acquirers develop a formal written compliance program that identifies, prioritizes, and manages overall risk within their Level 4 merchant populations. The Level 4 merchant compliance plan must include (i) a timeline of critical events, (ii) a risk-profiling strategy, (iii) a merchant education strategy, (iv) a compliance strategy, and (v) compliance reporting. According to Visa, many acquirers have already provided summaries, but all other acquirers must e-mail summaries of their Level 4 merchant compliance plans by July 31, 2007 to . Acquirers that fail to do so may face risk controls. Acquirers must ensure that their merchants maintain compliance with the Payment Card Industry Data Security Standard (PCI DSS), as part of the Visa Cardholder Information Security Program (CISP). Visa has instituted risk-prioritized merchant validation requirements, which are based on the volume of transactions and the potential risk introduced into the payment system. Acquirers are currently required to ensure that their Level 1, 2, and 3 merchants validate the PCI DSS annually, but validation of Level 4 merchants is currently at the discretion of acquirers. Even though Level 4 merchants handle fewer transactions than Level 1, 2, or 3 merchants—cumulatively less than one third of all Visa transactions—they account for more than 99 percent of the merchants that accept Visa. Therefore, cardholder data compromises affect Level 4 merchants with greater frequency than Level 1, 2, and 3 merchants combined. For more information, please contact .
© Buckley Kolar, LLP 2005. INFOBYTES is not intended as legal advice to any person or firm. It is provided as a client service and information contained herein is drawn from various public sources, including other publications.
We welcome reader comments and suggestions regarding issues or items of interest to be covered in future editions of InfoBytes. Email:
For back issues of INFOBYTES (or other Buckley Kolar LLP publications), visit http://www.buckleykolar.com/publications.