What You Need to Know About the DOJ’s Consumer Protection Branch

The Consumer Protection Branch of the United States Department of Justice (DOJ) is one of the most overlooked and misunderstood parts of the country’s largest law enforcement agency. With a wide field of enforcement, the Branch can pursue civil enforcement actions or even criminal prosecutions against companies based in the United States and even foreign companies doing business in the country.

Here are four things that Dr. Nick Oberheiden, a defense lawyer at Oberheiden P.C., thinks that people and businesses need to know about the DOJ’s Consumer Protection Branch.

The Wide Reach of “Protecting Consumers”

According to the agency itself, the Consumer Protection Branch “leads Department of Justice enforcement efforts to enforce consumer protection laws that protect Americans’ health, safety, economic security, and identity integrity.” While “identity integrity” is relatively tightly confined to issues surrounding identity theft and the unlawful use of personal data and information, “health,” “safety,” and “economic security” are huge and vaguely defined realms of jurisdiction.

Under the Branch’s enforcement focus or interpretation of its law enforcement mandate, it has the power to prosecute fraud and misconduct in the fields of:

  • Pharmaceuticals and medical devices

  • Food and dietary supplements

  • Consumer fraud, including elder fraud and other scams

  • Deceptive trade practices

  • Telemarketing

  • Data privacy

  • Veterans fraud

  • Consumer product safety and tampering

  • Tobacco products

Business owners and executives are often surprised to learn that the Consumer Protection Branch has so many oversight powers. But the Consumer Protection Branch’s wide reach is not limited to the laws that it can invoke and enforce; it also has a wide geographical reach, as well. In order to carry out its objective, the Branch brings both criminal and affirmative civil enforcement cases throughout the country. In one recent case, the Consumer Protection Branch prosecuted a drug manufacturer for violations of the federal Food, Drug, and Cosmetic Act (FDCA) after the drug maker hid and destroyed records before an inspection by the U.S. Food and Drug Administration (FDA). The drug manufacturer, however, was an Indian company that sold several cancer drugs in the U.S. The plant inspection took place in West Bengal, India.

The Branch Has Lots of Laws at Its Disposal

The extremely broad reach of the Consumer Protection Branch comes with a significant implication: There are numerous laws that the Branch can invoke as it regulates and investigates businesses. Many of these are substantive laws that prohibit certain types of conduct, like:

Others, however, are procedural laws, which prohibit using certain means to carry out a crime, like:

  • Mail fraud (18 U.S.C. § 1341), which is the crime of using the mail system to commit fraud

  • Wire fraud (18 U.S.C. § 1343), which is the crime of using wire, radio, or television communication devices to commit fraud, including the internet

This can mean that many defendants get hit with multiple criminal charges for the same line of conduct, drastically increasing the severity of a criminal case. For example, in one case, a group of pharmacists fraudulently billed insurers for over $900 million in medications that they knew were not issued under a valid doctor-patient relationship. They were charged with misbranding medication and healthcare fraud, in addition to numerous counts of mail fraud for shipping that medication through the mail.

The Branch Has the Power to Pursue Civil and Criminal Sanctions

Lots of business owners and executives are also unaware of the fact that the DOJ’s Consumer Protection Branch has the power to pursue both civil and criminal cases if the law being enforced allows for it.

This has serious consequences for companies, and not just because the Branch can imprison individuals for putting consumers at risk: It also complicates the strategy for defending against enforcement action.

A good example of how this works in real life is a healthcare fraud allegation that is pursued by the Consumer Protection Branch under the False Claims Act, or FCA, because the alleged fraud implicated money from a government healthcare program, like Medicare or Medicaid. For it to be the crime of healthcare fraud, the Consumer Protection Branch would have to prove that there was an intent to defraud the program. If there is no intent, though, the Branch can still pursue civil penalties.

This complicates the defense strategy because keeping prosecutors from establishing your intent is not the end of the case. It just takes prison time off the table. While this is a big step in protecting your rights and interests, it still leaves you and your company open to civil liability. That liability can be quite substantial, as many anti-fraud laws – including the FCA – impose civil penalties on each violation and impose treble damages, or three times the amount fraudulently obtained.

As Dr. Nick Oberheiden, a consumer protection defense lawyer at the national law firm Oberheiden P.C., explains, “While relying on a lack of intent defense can work with other criminal offenses, it is a poor choice when fighting against allegations of fraud because it tacitly admits to the fraudulent actions. Enforcement agencies like the DOJ’s Consumer Protection Branch can then easily impose civil liability against your company.”

The Branch Works in Tandem With Other Agencies

The Consumer Protection Branch only has about 200 prosecutors, support professionals, embedded law enforcement agents, and investigators. However, between October 2020 and December 2021, the Branch charged at least 96 individuals and corporations with criminal offenses and another 112 with civil enforcement actions, collecting $6.38 billion in judgments and resolutions.

The Branch can do this in large part because it works closely with other federal law enforcement agencies, like the:

By pooling their resources with other agencies like these, the DOJ’s Consumer Protection Branch can bring more weight to its enforcement action against your company.

Oberheiden P.C. © 2022

“Red Flags in the Mind Set”: SEC Sanctions Three Broker/Dealers for Identity Theft Deficiencies

In 1975, around the time of “May Day” (1 May 1975), which brought the end of fixed commission rates and the birth of registered clearing agencies for securities trading (1976), the U.S. Securities and Exchange Commission (“SEC”) created a designated unit to deal with the growth of trading and the oversight of broker/dealers. That unit, the Office of Compliance Inspections and Examinations (the “OCIE”), evolved and grew over time. It regularly issued Risk Alerts on specific topics aimed at Broker/Dealers and/or Investment Advisers, expecting that those addressees would take appropriate steps to prevent the occurrence of the identified risk, or at least mitigate its impact on customers. On Sept. 15, 2020, the OCIE issued a Risk Alert entitled “Cybersecurity: Safeguarding Client Accounts against Credential Compromise,” which emphasized the importance of compliance with SEC Regulation S-ID, the “Identity Theft Red Flags Rule,” adopted May 20, 2013, under Sections of the Securities Exchange Act of 1934 (the “34 Act”) and the Investment Advisers Act of 1940, as amended (the “40 Act”). See, in that connection, the discussion of this and related SEC cyber regulations in my Nov. 19, 2020, Blog “Credential Stuffing: Cyber Intrusions into Client Accounts of Broker/Dealers and Investment Advisors.”

The SEC was required to adopt Regulation S-ID by a provision in the 2010 Dodd-Frank Wall Street Reform and Consumer Protection Act, which amended a provision of the Fair Credit Reporting Act of 1970 (“FCRA”) to add both the SEC and the Commodity Futures Trading Commission to the federal agencies that must have “red flag” rules. That “red flag” requirement for the seven federal prudential bank regulators and the Federal Trade Commission was made part of the FCRA by a 2003 amendment. Until Wednesday, July 27, 2022, the SEC had (despite the Sept. 15, 2020, Risk Alert) brought only one enforcement action for violating the “Red Flag” Rule (in 2018 when customers of the firm involved suffered harm from the identity thefts). In 2017, however, the Commission created a new unit in its Division of Enforcement to better address the growing risks of cyber intrusion in the U.S. capital markets, the Crypto Assets and Cyber Unit (“CACU”). That unit almost doubled in size recently with the addition of 20 newly assigned persons, as reported in an SEC Press Release of May 3, 2022. There the Commission stated the Unit “will continue to tackle the omnipresent cyber-related threats in the nation’s [capital] markets.” Also, underscoring the ever-increasing role played by the SEC in overseeing the operations of broker/dealers and investment advisers, the OCIE was renamed the Division of Examinations (“Exams”) on Dec. 17, 2020, elevating an “Office” of the SEC to a “Division.”

Examinations of three broker/dealers by personnel from Exams led the CACU to investigate all three, resulting in the institution of Administrative and Cease-and-Desist Proceedings against each of the respondents for violations of Regulation S-ID. In those proceedings, the Commission alleged that the Identity Theft Protection Program (“ITPP”), which each respondent was required to have, was deficient. Regulation S-ID, including its Appendix A, sets forth both the requirements for an ITPP and types of red flags the Program should consider, and in Supplement A to Appendix A, includes examples of red flags from each category of possible risks. An ITPP must be in writing and should contain the following:

  1. Reasonable policies and procedures to identify, detect and respond appropriately to relevant red flags of the types likely to arise considering the firm’s business and the scope of its brokerage and/or advisory activities; and those policies and procedures should specify the responsive steps to be taken; broad generalizations will not suffice. Those policies and procedures should also describe the firm’s practices with respect to theft identification, prevention, and response, and direct that the firm document the steps to be taken in each case.
  2. Requirements for periodic updates of the Program, including updates reflecting the firm’s experience with both a) identity theft; and b) changes in the firm’s business. In addition, the updates should address changes in the types and mechanisms of cybersecurity risks the firm might plausibly encounter.
  3. Requirements for periodic review of the types of accounts offered and the risks associated with each type.
  4. Provisions directing at least annual reports to the firm’s board of directors, and/or senior management, addressing the program’s effectiveness, including identity theft-related incidents and management responses to them.
  5. Provisions for training of staff in identity theft and the responses required by the firm’s ITPP.
  6. Requirements for monitoring third party service providers for compliance with identity theft provisions that meet those of the firm’s program.

The ITPP of each of the three broker/dealers was, as noted, found deficient. The first, J.P. Morgan Securities, LLC (“MORGAN”), organized under Delaware law and headquartered in New York, New York, is a wholly owned subsidiary of JPMorgan Chase & Co. (described by the Commission as “a global financial services firm” in its July 27, 2022, Order Instituting Administrative and Cease-and-Desist Proceedings [the “Morgan Order”]). Morgan is registered with the Commission as both a broker/dealer (since Dec. 13, 1985) and an investment adviser (since April 3, 1965). As recited in the Morgan Order, the SEC found Morgan offered and maintained customer accounts “primarily for personal, family, or household purposes that involve or are designed to permit multiple payments or transactions.” The order further notes that from Jan. 1, 2017, through Dec. 31, 2019, Morgan’s ITPP did not meet the requirements of Regulation S-ID because it “merely restated the general legal requirements” and did not specify how Morgan would identify a red flag or direct how to respond to it. The Morgan Order notes that although Morgan did take action to detect and respond to incidents of identity theft, the procedures followed were not in Morgan’s Program. Further, Morgan did not periodically update its program, even as both the types of accounts offered, and the extent of cybersecurity risks changed. The SEC also found Morgan did not adequately monitor its third-party service providers, and it failed to provide any identity theft-specific training to its staff. As a result, Morgan had violated Regulation S-ID. The order noted that Morgan “has undertaken substantial remedial acts, including auditing and revising … [its Program].” Nonetheless, Morgan was ordered to cease and desist from violating Regulation S-ID, was censured, and was ordered to pay a civil penalty of $1.2 million.

The second broker/dealer charged was UBS Financial Services Inc. (“UFS”), a Delaware corporation dually registered with the Commission as both a broker/dealer and an investment adviser since 1971. UFS, headquartered in Weehawken, New Jersey, is a subsidiary of UBS Group AG, a publicly traded major financial institution incorporated in Switzerland. In 2008, UBF adopted an ITPP (the “UBF Program”) pursuant to the 2003 amendments to the FCRA. The program applied both to UBF and to other affiliated entities and branch offices in the U.S. and Puerto Rico “which offered private and retail banking, mortgage, and private investment services that operated under UBS Group AG’s Wealth Management Americas’ line of business.” See my blog published on Aug. 22, 2022, “Only Sell What You Know: Swiss Bank Negligence is a Fraud on Clients,” for information about the origins and history of UBS Group AG.

The July 27, 2022, SEC Order instituting Administrative and Cease-and-Desist Proceedings against UBF (the “UBF Order”) stated that UBF made no change to the UBF Program when, in 2013, it became subject to Regulation S-ID, or thereafter from Jan. 1, 2017, to Dec. 31, 2019, other than to revise the list of entities and branches it covered. The Commission found UBF failed to update the UBF Program even as the accounts it offered changed, and without considering if some accounts offered by affiliated entities and branches are not “covered accounts” within Regulation S-ID. The UBF Program did not have reasonable policies and procedures to identify red flags, taking into consideration account types and attendant risks, and did not specify what responses were required. The SEC also found the program wanting for not providing for periodic updates, especially addressing changes in accounts and/or in cybersecurity risks. The annual reports to the board of directors “did not provide sufficient information” to assess the UBF Program’s effectiveness or the adequacy of UBF’s monitoring of third-party service providers; indeed, the UBF Order notes the “board minutes do not reflect any discussion of compliance with Regulation S-ID.” In addition, UBF “did not conduct any training of its staff specific” to the UBF Program, including how to detect and respond to red flags. As a result, the Commission found UBF in violation of Regulation S-ID. Although the Commission again noted the “substantial remedial acts” undertaken by UBF, including retaining “an outside consulting firm to review its Program” and to recommend change, the SEC nonetheless ordered UBF to cease and desist from violating the Regulation, censured UBF, and ordered it to pay a civil penalty of $925,000.

The third member of this broker/dealer trio is TradeStation Securities, Inc. (“TSS”), a Florida corporation headquartered in Plantation, Florida, that, according to the July 27, 2022, SEC Order Instituting Administrative and Cease-and-Desist Proceedings (the “TSS Order”), “provides primarily commission-free, directed online brokerage services to retail and institutional customers.” TSS has been registered with the SEC as a broker/dealer since January 1996. Their ITPP, too, was found deficient. The ITPP implemented by TSS (the “TSS Program”) essentially ignored the reality of TSS’s business as an online operation. For instance, the TSS Program cited only the red flags offered as “non-comprehensive examples in Supplement A to Appendix A” and not any “relevant to its business and the nature and scope of its brokerage activities.” Hence, the TSS Program cited the need to confirm the physical appearance of customers to make certain it was consistent with photographs or physical descriptions in the file. But an online broker/dealer would have scant opportunity to see a customer or a new customer in person, even when opening an account. Nor did TSS check the Supplement A red flag examples cited in the TSS Program when opening new customer accounts. The TSS Program directed only that “additional due diligence” should be performed if a red flag were identified, rather than directing specific responsive steps to be taken, such as not opening an account in a questionable situation. There were no requirements for periodic updates of the TSS Program. Indeed, “there were no material changes to the Program” after May 20, 2013, “despite significant changes in external cybersecurity risks related to identity theft.” At this point in the TSS Order, the Commission cited a finding in the Federal Register that “[a]dvancements in technology … have led to increasing threats to the integrity … of personal information.” The SEC found that TSS did not provide reports about the TSS Program and compliance with Regulation S-ID either to the TSS board or to a designated member of senior management, and that TSS had no adequate policies and procedures in place to monitor third-party service providers for compliance with detecting and preventing identity theft. The order is silent on the extent of TSS’s training of staff to deal with identity threats, but considering the other shortcomings, presumably such training was at best haphazard. The Commission found that TSS violated Regulation S-ID. Although the TSS Order noted (as with the other Proceedings) the “substantial remedial acts” undertaken by TSS, including retaining “an outside consulting firm” to aid compliance, the Commission nonetheless ordered TSS to cease and desist from violating the Regulation, censured TSS, and ordered it to pay a civil penalty of $425,000.

These three enforcement actions on the same day, especially ones involving two of the world’s leading financial institutions, signal a new level of attention by the Commission to cybersecurity risks to customers of broker/dealers and investment advisers, with a focus on the risks inherent in identity theft. As one leading law firm writing about these three actions advised, “[f]irms should review their ITPPs placing particular emphasis on identifying red flags tailored to their business and on conducting regular compliance reviews to update those red flags and related policies and procedures to reflect changes in business practices and risk.” That sound advice should be followed NOW, before the CACU comes calling.

©2022 Norris McLaughlin P.A., All Rights Reserved

FDA Issues Warning Letters to 7 Dietary Supplement Companies for Drug Claims

  • On November 17, 2022, FDA posted warning letters to 7 companies for selling different dietary supplements with claims that caused the products to be “drugs” in violation of the Federal Food, Drug, and Cosmetic Act (FD&C Act).  Under the FD&C Act, products intended to diagnose, cure, treat, mitigate, or prevent disease are drugs and are subject to the requirements that apply to drugs, even if they are labeled as dietary supplements.

  • The claims were found on the 7 companies’ websites, social media pages, and/or Amazon or Walmart storefronts, and included a variety of statements regarding the products’ claimed abilities to cure, treat, mitigate, or prevent cardiovascular disease (or related conditions, such as atherosclerosis, stroke, or heart failure).  Six of the companies at issue sell a product(s) containing one or more dietary ingredients identified as Vitamin B3, red yeast rice, pine bark extract, EPA and DHA omega-3 fatty acids, magnesium, zinc, bergamot, Hawthorn berry, Hawthorn extract, Coleus forskohlii, hops, taurine, garlic powder, amino sulfonic acid, Co-Q-10, and/or octacosanol.  The seventh company does not list a dietary ingredient but identifies its product as a “glycocalyx regenerating product” and notes various “pathologies associated with impaired endothelial glycocalyx.”  As noted in the warning letters, FDA has not evaluated whether the unapproved products are effective for their intended use, the proper dosage, potential interaction with FDA-approved drugs or other substances, or whether they have dangerous side effects or other safety concerns.  Further, in addition to characterizing the products as unapproved “new drugs,” FDA’s letters note misbranding charges based on the impossibility of writing adequate directions for a layperson to use the products safely for the intended purpose of treating one or more diseases that are not amenable to self-diagnosis or treatment without the supervision of a licensed practitioner.

  • FDA requested that the companies respond to the warning letters within 15 working days and describe how they will address the issues, or provide reasoning and substantiation as to why they believe the products are not in violation of the law.  Failure to adequately address could result in legal action, such as product seizure and/or injunction.

© 2022 Keller and Heckman LLP

REI PFAS Consumer Fraud Lawsuit Continues Trend of Similar Lawsuits

On October 28, 2022, a PFAS consumer fraud class action lawsuit was filed in Washington against REI over alleged PFAS content in various articles of waterproof clothing sold by the company. The REI PFAS consumer fraud lawsuit is but the latest in a growing line of PFAS lawsuits that allege that certain consumer goods contain PFAS, that the products or company’s values were marketed as healthy or environmentally friendly, and that consumers would not have purchased the products if they knew that the products contained PFAS.

As we predicted in early 2021, the increased attention on PFAS content in consumer goods in the scientific community and media presented significant risks to various industries, including the apparel and cosmetics industry, and our prediction was that the developments would lead to a significant number of lawsuits alleging consumer fraud. Consumer goods industries, insurers, and investment companies interested in the consumer goods vertical with niche interest in cosmetics companies must pay careful attention to the cosmetics lawsuits and the increasing trend of lawsuits targeting the industry.

REI PFAS Consumer Fraud Lawsuit

On October 28, 2022, plaintiffs Jacob Krakauer and Joyce Rockwood filed a lawsuit in Washington federal court seeking a proposed class action against REI. The lawsuit alleges that REI markets the company and its products as environmentally friendly and sustainable. Further, the lawsuit cites to statements made by REI that the company is taking proactive steps with respect to chemical use in its products to argue that such statements were false, misleading or induced consumers to purchase products when the presence of PFAS in the products was not disclosed.

In the Complaint, plaintiffs allege the following counts against REI:

  • Violation of state consumer protection laws and the federal Magnuson-Moss Warranty Act

  • Breach of warranty (implied and express)

  • Fraud (actual and constructive)

  • Fraudulent inducement

  • Money had and received

  • Fraudulent omission or concealment

  • Fraudulent misrepresentation

  • Negligent misrepresentation

  • Unjust enrichment

  • Negligent failure to warn

The plaintiffs seek certification of a nationwide class action lawsuit, with subclasses defined as consumers in Washington and Arizona. In addition, the lawsuit seeks damages, fees, costs, the establishment of medical monitoring, and a jury trial.

Just the Beginning For Consumer Products Companies

With studies underway, legislation pending that targets consumer goods, and increasing media reporting on PFAS in consumer goods and concerns over human health, product manufacturers should be increasingly wary of lawsuits similar to the REI lawsuit being filed against them. There are an increasing number of PFAS consumer fraud cases being filed, with some of the below as representative of recent trends:

  • Cosmetics industry:

    • Brown v. Cover Girl, New York (April 1, 2022)

    • Anderson v. Almay, New York (April 1, 2022)

    • Rebecca Vega v. L’Oreal, New Jersey (April 8, 2022)

    • Spindel v. Burt’s Bees, California (March 25, 2022)

    • Hicks and Vargas v. L’Oreal, New York (March 9, 2022)

    • Davenport v. L’Oreal, California (February 22, 2022)

  • Food packaging industry:

    • Richburg v. Conagra Brands, Illinois (May 6, 2022)

    • Ruiz v. Conagra Brands, Illinois (May 6, 2022)

    • Hamman v. Cava Group, California (April 27, 2022)

    • Azman Hussain v. Burger King, California (April 11, 2022)

    • Little v. NatureStar, California (April 8, 2022)

    • Larry Clark v. McDonald’s, Illinois (March 28, 2022)

  • Feminine hygiene products:

    • Gemma Rivera v. Knix Wear Inc., California (April 4, 2022)

    • Blenis v. Thinx, Inc., Massachusetts (June 18, 2021)

    • Destini Canan v. Thinx Inc., California (November 12, 2020)

As the above indicates, several major companies now find themselves embroiled in litigation focused on PFAS false advertising, consumer protection violations, and deceptive statements made in marketing and ESG reports. The lawsuits may well serve as test cases for the plaintiffs’ bar to determine whether similar lawsuits will be successful in any (or all) of the fifty states in this country. Companies must consider the possibility of needing to defend lawsuits involving plaintiffs in all fifty states for products that contain PFAS.

It should be noted that these lawsuits would only touch on the marketing, advertising, ESG reporting, and consumer protection type of issues. Separate products lawsuits could follow that take direct aim at obtaining damages for personal injury for plaintiffs from consumer products. In addition, environmental pollution lawsuits could seek damage for diminution of property value, cleanup costs, and PFAS filtration systems if drinking water cleanup is required.

Conclusion

It is of the utmost importance that businesses along the whole supply chain in the consumer products industry evaluate their PFAS risk. Public health and environmental groups urge legislators to regulate PFAS at an ever-increasing pace. Similarly, state level EPA enforcement action is increasing at a several-fold rate every year. Now, the first wave of lawsuits takes direct aim at the consumer products industry. Companies that did not manufacture PFAS, but merely utilized PFAS in their manufacturing processes, are therefore becoming targets of costly enforcement actions at rates that continue to multiply year over year. Lawsuits are also filed monthly by citizens or municipalities against companies that are increasingly not PFAS chemical manufacturers.

©2022 CMBG3 Law, LLC. All rights reserved.

Pair of Lawsuits Target Mint Flavored Products

  • Spencer Sheehan, a well-known class-action attorney, has filed a pair of class-action lawsuits in the U.S. District Court for the Northern District of Illinois, alleging that mint flavored products which do not contain mint are deceptively labeled.
  • The first lawsuit alleged that a “mint chocolate chip ice cream” statement of identity is misleading to consumers where the product’s flavor is derived from “natural flavor” and not any mint or mint-containing ingredient. The product also contains images of mint leaves on the front panel. As support for the allegation that the lack of mint is deceptive, the complaint cites to the ice cream flavoring regulation (21 CFR 135.110(f)(2)), which requires that the term “flavored” (e.g., mint flavored) be used where a product contains a natural flavor which predominates.
  • The second lawsuit alleged that consumers are misled by a gum product which is labeled as “original flavor” with a backdrop of what appears to be a blue mint leaf, but which only contains “natural and artificial flavor,” and no mint-based ingredients. Plaintiff, citing to the general flavoring regulation (21 CFR 101.22), alleged that the product should have been labeled as “naturally and artificially flavored mint” and that the failure to disclose the flavor or include the other qualifiers is misleading.
  • Although Plaintiffs have alleged technical violations of FDA’s labeling regulations, courts have consistently held that a reasonable consumer may not be aware of the intricacies of FDA’s labeling regulations and that therefore a technical labeling violation is not in itself sufficient to show that a reasonable consumer would be misled.
© 2022 Keller and Heckman LLP

Chamber of Commerce Challenges CFPB Anti-Bias Focus Concerning AI

At the end of last month, the U.S. Chamber of Commerce, the American Bankers Association and other industry groups (collectively, “Plaintiffs”) filed suit in Texas federal court challenging the Consumer Financial Protection Bureau’s (“CFPB”) update this year to the Unfair, Deceptive, or Abusive Acts or Practices section of its examination manual to include discrimination.  Chamber of Commerce of the United States of America, et al v. Consumer Financial Protection Bureau, et al., Case No. 6:22-cv-00381 (E.D. Tex.).

By way of background, the Consumer Financial Protection Act, which is Title X of the 2010 Dodd-Frank Act (the “Act”), prohibits providers of consumer financial products or services or a service provider from engaging in any unfair, deceptive or abusive act or practice (“UDAAP”).  The Act also provides the CFPB with rulemaking and enforcement authority to “prevent unfair, deceptive, or abusive acts or practices in connection with any transaction with a consumer for a consumer financial product or service, or the offering of a consumer financial product or service.”  See, e.g., https://files.consumerfinance.gov/f/documents/cfpb_unfair-deceptive-abusive-acts-practices-udaaps_procedures.pdf.  In general, the Act provides that an act or practice is unfair when it causes or is likely to cause substantial injury to consumers, which is not reasonably avoidable by consumers, and the injury is not outweighed by countervailing benefits to consumers or to competition.

The CFPB earlier this spring published revised examination guidelines on unfair, deceptive, or abusive acts and practices, or UDAAPs.  Importantly, this set forth a new position from the CFPB, that discrimination in the provision of consumer financial products and services can itself be a UDAAP.  This was a development that was surprising to many providers of financial products and services.  The CFPB also released an updated exam manual that outlined its position regarding how discriminatory conduct may qualify as a UDAAP in consumer finance.  Additionally, the CFPB in May 2022 published a Consumer Financial Protection Circular to remind the public of creditors’ adverse action notice requirements under the Equal Credit Opportunity Act (“ECOA”).  In the view of the CFPB, creditors cannot use technologies (including algorithmic decision making) if it means they are unable to provide required explanations under the ECOA.

In July 2022, the Chamber and others called on the CFPB to rescind the update to the manual.  Among other arguments raised in a white paper supporting their position, they contended that in conflating the concepts of “unfairness” and “discrimination,” the CFPB ignores the Act’s text, structure, and legislative history, which discuss “unfairness” and “discrimination” as two separate concepts and define “unfairness” without mentioning discrimination.

The Complaint filed this fall raises three claims under the Administrative Procedure Act (“APA”) in relation to the updated manual as well as others.  The Complaint contends that ultimately it is consumers that will suffer as a result of the CFPB’s new position, as “[t]hese amendments to the manual harm Plaintiffs’ members by imposing heavy compliance costs that are ultimately passed down to consumers in the form of higher prices and reduced access to products.”

The litigation process started by Plaintiffs in this case will be time consuming (a response to the Complaint is not expected from Defendants until December).  In the meantime, entities in the financial sector should be cognizant of the CFPB’s new approach and ensure that their compliance practices appropriately mitigate risk, including in relation to algorithmic decision making and AI.  As always, we will keep you up to date with the latest news on this litigation.

© Copyright 2022 Squire Patton Boggs (US) LLP

First BIPA Trial Results in $228M Judgment for Plaintiffs

Businesses defending class actions under the Illinois Biometric Information Privacy Act (BIPA) have struggled to defeat claims in recent years, as courts have rejected a succession of defenses.

We have been following this issue and have previously reported on this trend, which continued last week in the first BIPA class action to go to trial. The Illinois federal jury found that BNSF Railway Co. violated BIPA, resulting in a $228 million award to a class of more than 45,000 truck drivers.

Named plaintiff Richard Rogers filed suit in Illinois state court in April 2019, and BNSF removed the case to the US District Court for the Northern District of Illinois. Plaintiff alleged on behalf of a putative class of BNSF truck drivers that BNSF required the drivers to provide biometric identifiers in the form of fingerprints and hand geometry to access BNSF’s facilities. The lawsuit alleged BNSF violated BIPA by (i) failing to inform class members their biometric identifiers or information were being collected or stored prior to collection, (ii) failing to inform class members of the specific purpose and length of term for which the biometric identifiers or information were being collected, and (iii) failing to obtain informed written consent from class members prior to collection.

In October 2019, the court rejected BNSF’s legal defenses that the class’s BIPA claims were preempted by three federal statutes governing interstate commerce and transportation: the Federal Railroad Safety Act, the Interstate Commerce Commission Termination Act, and the Federal Aviation Administration Authorization Act. The court held that BIPA’s regulation of how BNSF obtained biometric identifiers or information did not unreasonably interfere with federal regulation of rail transportation, motor carrier prices, routes, or services, or safety and security of railroads.

Throughout the case, including at trial, BNSF also argued it should not be held liable where the biometric data was collected by its third-party contractor, Remprex LLC, which BNSF hired to process drivers at the gates of BNSF’s facilities. In March 2022, the court denied BNSF’s motion for summary judgment, pointing to evidence that BNSF employees were also involved in registering drivers in the biometric systems and that BNSF gave direction to Remprex regarding the management and use of the systems. The court concluded (correctly, as it turned out) that a jury could find that BNSF, not just Remprex, had violated BIPA.

The case proceeded to trial in October 2022 before US District Judge Matthew Kennelly. At trial, BNSF continued to argue it should not be held responsible for Remprex’s collection of drivers’ fingerprints. Plaintiff’s counsel argued BNSF could not avoid liability by pleading ignorance and pointing to a third-party contractor that BNSF controlled. Following a five-day trial and roughly one hour of deliberations, the jury returned a verdict in favor of the class, finding that BNSF recklessly or intentionally violated BIPA 45,600 times. The jury did not calculate damages. Rather, because BIPA provides for $5,000 in liquidated damages for every willful or reckless violation (and $1,000 for every negligent violation), Judge Kennelly applied BIPA’s damages provision, which resulted in a judgment of $228 million in damages. The judgment does not include attorneys’ fees, which plaintiff is entitled to and will inevitably seek under BIPA.

While an appeal will almost certainly follow, the BNSF case serves as a stark reminder of the potential exposure companies face under BIPA. Businesses that collect biometric data must ensure they do so in compliance with BIPA and other biometric privacy regulations. Where BIPA claims have been asserted, companies should promptly seek outside counsel to develop a legal strategy for a successful resolution.

© 2022 ArentFox Schiff LLP

White House Office of Science and Technology Policy Releases “Blueprint for an AI Bill of Rights”

On October 4, 2022, the White House Office of Science and Technology Policy (“OSTP”) unveiled its Blueprint for an AI Bill of Rights, a non-binding set of guidelines for the design, development, and deployment of artificial intelligence (AI) systems.

The Blueprint comprises five key principles:

  1. The first Principle is to protect individuals from unsafe or ineffective AI systems, and encourages consultation with diverse communities, stakeholders and experts in developing and deploying AI systems, as well as rigorous pre-deployment testing, risk identification and mitigation, and ongoing monitoring of AI systems.

  2. The second Principle seeks to establish safeguards against discriminatory results stemming from the use of algorithmic decision-making, and encourages developers of AI systems to take proactive measures to protect individuals and communities from discrimination, including through equity assessments and algorithmic impact assessments in the design and deployment stages.

  3. The third Principle advocates for building privacy protections into AI systems by default, and encourages AI systems to respect individuals’ decisions regarding the collection, use, access, transfer and deletion of personal information where possible (and where not possible, use default privacy by design safeguards).

  4. The fourth Principle emphasizes the importance of notice and transparency, and encourages developers of AI systems to provide a plain language description of how the system functions and the role of automation in the system, as well as when an algorithmic system is used to make a decision impacting an individual (including when the automated system is not the sole input determining the decision).

  5. The fifth Principle encourages the development of opt-out mechanisms that provide individuals with the option to access a human decisionmaker as an alternative to the use of an AI system.

In 2019, the European Commission published a similar set of automated systems governance principles, called the Ethics Guidelines for Trustworthy AI. The European Parliament currently is in the process of drafting the EU Artificial Intelligence Act, a legally enforceable adaptation of the Commission’s Ethics Guidelines. The current draft of the EU Artificial Intelligence Act requires developers of open-source AI systems to adhere to detailed guidelines on cybersecurity, accuracy, transparency, and data governance, and provides for a private right of action.

Copyright © 2022, Hunton Andrews Kurth LLP. All Rights Reserved.

Former Uber Security Chief Found Guilty in Criminal Trial for Failure to Disclose Breach to FTC

On October 5, 2022, former Uber security chief Joe Sullivan was found guilty by a jury in U.S. federal court for his alleged failure to disclose a breach of Uber customer and driver data to the FTC in the midst of an ongoing FTC investigation into the company. Sullivan was charged with one count of obstructing an FTC investigation and one count of misprision, the act of concealing a felony from authorities.

The government alleged that in 2016, in the midst of an ongoing FTC investigation into Uber for a 2014 data breach, Sullivan learned of a new breach that affected the personal information of more than 57 million Uber customers and drivers. The hackers allegedly demanded a ransom of at least $100,000 from Uber. Instead of reporting the new breach to the FTC, Sullivan and his team allegedly paid the ransom and had the hackers sign a nondisclosure agreement. Sullivan also allegedly did not report the breach to Uber’s General Counsel.  Uber did not publicly disclose the incident or inform the FTC of the incident until 2017, when Uber’s new chief executive, Dara Khosrowshahi, joined the company.

This case is significant because it represents the first time a company executive has faced criminal prosecution related to the handling of a data breach.

Copyright © 2022, Hunton Andrews Kurth LLP. All Rights Reserved.

USDA Focused on Accurate “Made in the USA” Beef Labeling

  • In response to industry concerns about mislabeled beef products, U.S. Agriculture Secretary Tom Vilsack recently said that the “Product of the USA” label on meat products should undergo a full-scale review. Vilsack maintains that he is “committed to ensuring that the ‘Product of USA’ label reflects what a plain understanding of those terms means to U.S. consumers.” In March, we reported that the Tenth Circuit dismissed lawsuits based on meat producers’ use of allegedly deceptive and misleading “Product of the USA” labels on their beef products that did not originate from cattle born and raised in the United States.
  • The issue of country-of-origin beef labeling (“COOL”) continues to be a source of debate. Earlier this week, the FTC finalized a rule that is intended to tighten the use of the Made in the USA standard. The FTC said that this update would benefit small businesses that lack the resources to defend their products from foreign imitators. However, the FTC rule does not require USDA action. In response, the beef industry is demanding that Congress act swiftly.
  • R-CALF, a group of USA-based cattle ranchers, has been pushing hard for reforms on COOL. On September 22, R-CALF released a poll that shows staggering support for mandatory COOL legislation by the American public. R-CALF reports that 86 percent of American voters support the American Beef Labeling Act that reinstates mandatory country of origin labeling for beef, and 90 percent of voters are concerned that foreign importers of beef can legally put a “Product of USA” sticker on a package containing beef that was born, raised, and harvested outside the United States.
  • Currently, Congress is working through prospective beef labeling legislation that would require USDA oversight of COOL. The American Beef Labeling Act (S.2716) is a bipartisan bill that was introduced in the Senate in 2021; however, the bill has languished without action in the U.S. Senate Agriculture Committee. In March 2022, a bipartisan companion bill was introduced in the U.S. House (H.R.7291), which has also seen little to no progress in the House Agriculture Committee. Keller and Heckman will continue to monitor these legislative developments and USDA action.

© 2022 Keller and Heckman LLP