Category: Consumer Protection

The CFPB’s Consumer Complaint System: Key Points of Concern for Financial Services Companies

The National Law Review recently published an article by Stephanie L. Sanders and Richard Q. Lafferty of Poyner Spruill LLP regarding CFPB’s Consumer Complaint System:

The Dodd-Frank Act requires the Consumer Financial Protection Bureau (CFPB) to collect, investigate and respond to consumer complaints as part of its work in protecting consumers of financial products and services.  Over the past year, CFPB’s Consumer Response team has gradually begun taking complaints on credit cards, mortgages, private student loans, other consumer loans, and other bank products and services.  Because the complaint process could result in investigation or enforcement actions, financial services companies should be sure they understand the system and are prepared to respond promptly to complaints.  Below is a list of recommendations for financial service companies to deal with the complaint system.

Know How to Use the Complaint System

CFPB’s website now prominently includes a “Submit a Complaint” portal.  Consumers wishing to make a complaint in one of the above categories can simply click on the “Submit a Complaint” icon and follow the directions provided.  In addition, CFPB accepts complaints by telephone, mail, email, and fax.  The portal is the primary means of communication between CFPB and financial service companies, so companies should be familiar with the portal and establish procedures for fielding any complaints in a timely manner.  CFPB has provided aCompany Portal Manual explaining how the portal and the complaint process works.

Once a complaint is submitted, CFPB screens it to determine whether it falls within the agency’s primary enforcement authority, whether it is complete, and whether it is a duplicate submission.  If the complaint passes these tests, it is then forwarded to the company for response.  The company is notified of the complaint and can log into the portal to view all active cases.  Upon receipt of the complaint, the company must communicate with the consumer to determine the appropriate response.  The company’s response is submitted via the portal, and the consumer is invited to review the response.  The consumer can log onto the secure portal or call a toll-free number to receive status updates and review responses.  The consumer is then given an opportunity to dispute the response.

Be Prepared to Respond Quickly

CFPB requests that companies respond to complaints within 15 calendar days and resolve complaints within 60 days.  Failure to provide a timely response may trigger an investigation of the complaint by CFPB.  Since a complete response requires that the company correspond with the complaining consumer, companies should pursue a response quickly to ensure they meet CFPB deadlines.

Understand that Complaints May Result in Investigations or Enforcement Actions by CFPB

The Consumer Response Team prioritizes review and investigation of complaints where a consumer disputes the response or the company fails to provide a timely response.  In addition, the team analyzes groups of complaints to identify issue-specific trends.  In some cases, complaints are referred to CFPB’s Division of Supervision, Enforcement, and Fair Lending and Equal Opportunity for further action.  Financial services companies should thus be vigilant on the same matters, paying greater attention to disputed responses, ensuring that responses are timely, and monitoring for trends in the complaints received so that underlying problems are addressed before they are raised by the agency.

Understand that cCmplaints May Also Result in Investigations By Other Agencies

If a complaint is outside CFPB’s jurisdiction, it may be forwarded to the appropriate regulator (for example, while CFPB handles complaints on private student loans, it forwards complaints received about federal student loans to the Department of Education).

In addition, the Dodd-Frank Act requires CFPB to share consumer complaint information with the Federal Trade Commission (FTC) and other state and federal agencies.  For example, if CFPB receives a complaint about identity theft, it may share that with the FTC, which is the agency that has historically investigated such complaints.  As a result, financial services companies may need to anticipate receiving questions from the FTC about the effectiveness of their Red Flags program, which companies should have fully implemented in response to applicable FTC and other federal agency rules.  In addition, CFPB currently shares its complaints with the FTC’s Consumer Sentinel system, an online database of consumer complaints maintained by the FTC that is accessible by law enforcement.

Be Prepared for an Increase in the Volume of Complaints

Consumer use of the complaint system is off to a strong start.  CFPB recently issued a Consumer Response Annual Report summarizing the use of the complaint system from its launch in July 2011 through December 31, 2011.  The report indicates that CFPB received 13,210 consumer complaints during that time, including 9,307 credit card complaints and 2,326 mortgage complaints.  The most common credit card complaints involved billing disputes, identity theft, and APR or interest rates.  The most common mortgage complaints involved situations in which the consumer was unable to pay (loan modification, collection, foreclosure).  The complaint systems for bank products and services, private student loans, and other consumer loans only began in 2012, so the report did not cover those categories.  By the end of 2012, the CFPB expects that the complaint system will cover all consumer financial products and services.

Financial services companies should monitor these trends to identify issues that may affect their business.  They also should anticipate a significant increase in complaint volume as CFPB adds additional products to the complaint system and more consumers become aware of it.  By comparison, the FTC Consumer Sentinel fielded 1.8 million complaints in 2011.

© 2012 Poyner Spruill LLP

Kansas Supreme Court Decision Declares Resale Price Maintenance Per Se Illegal Under State Antitrust Statute

The National Law Review recently published an article by Lawrence I. FoxMegan Morley, and Joseph F. Winterscheid of McDermott Will & Emery regarding Resale Price Maintenance in Kansas:

The Kansas Supreme Court recently determined resale price maintenance isper se illegal under state law, becoming the latest state to reject the rule of reason standard mandated by the Supreme Court of the United States.  The decision serves as a reminder that although a supplier’s pricing policies may be permissible under federal law, they may nevertheless be subject to per se condemnation under certain state statutes.

On May 4, 2012, the Kansas Supreme Court announced that resale price maintenance (RPM) is per se illegal under Kansas law in O’Brien v. Leegin Creative Leather Products, Inc.  With this ruling, Kansas joined a growing number of states—including Maryland, New York and California—that have refused to follow the Supreme Court of the United State’s 2007 holding in Leegin Creative Leather Products, Inc. v. PSKS, Inc. that the legality of RPM should be assessed under the rule of reason.  The O’Brien decision therefore serves as yet another sobering reminder that suppliers need to be mindful that although RPM may be subject to rule of reason analysis at the federal level, it remains subject to per secondemnation at the state level in many states under state antitrust statutes

In O’Brien, the plaintiff, a purchaser of accessories, filed a class action litigation against Leegin Creative Leather Products, a manufacturer and retailer of Brighton fashion accessories and luggage (Brighton)—the same defendant involved in the U.S. Supreme Court’s landmark 2007 eponymous decision—alleging Brighton’s pricing practices violated the Kansas Restraint of Trade Act (KRTA).  These practices included calling for retailers to sell Brighton products at a “keystone” price determined by Brighton and for certain “heart store” retailers to sell Brighton products at a “suggested price every day, 365 days a year.”  Brighton did admit to investigating reports it received regarding alleged violations of the policy and, although not occurring in Kansas, it acknowledged refusing to deal with retailers that intentionally violated the policy.

Upon motion for summary judgment, the trial court held the plaintiff’s RPM claims should be evaluated under the rule of reason.  To determine that a rule of reason analysis is appropriate, the court invoked language from Heckard v. Park, 188 P.2d 926, 931 (1948), and Okerberg v. Crable, 341 P.2d 966, 971 (1959): “The real question is never whether there is any restraint of trade but always whether the restraint is reasonable in view of all the facts and circumstances and whether it is inimical to the public welfare.”  Using this standard, the court refused to grant summary judgment because it believed there was a genuine issue of material fact as to the reasonableness of Brighton’s pricing policies.  The trial court, however, still granted Brighton’s summary judgment motion after ruling the plaintiff would be unable to prove antitrust injury.

On the plaintiff’s appeal, the Kansas Supreme Court overturned the ruling of the trial court and declared that horizontal and vertical restraints of trade, including RPM, are per se illegal.  In reaching this decision, the Kansas Supreme Court examined the plain language of KRTA, federal antitrust rulings and past Kansas precedent.

First, the court looked at the statutory language of KRTA.  Section 50-101(d) provides “[a]ny such combinations are declared to be against public policy, unlawful and void.”  Section 50-112 states “[a]ll arrangements, contracts, agreements, trusts, or combinations … designed or which tend to advance, reduce, or control the price … to the consumer … are hereby declared to be against public policy, unlawful, and void.”  Because these statutes do not mention reasonableness, the court believed that this “clear statutory language draws a bright line” against the use of a rule of reason standard.

Second, the court briefly addressed and then dismissed the notion that federal antitrust rulings, such as Leegin, compelled a rule of reason analysis.  Citing a string of Kansas decisions, the court determined “that federal precedents interpreting, construing, and applying federal statutes have little or no precedential weight when the task is interpretation and application of a clear and dissimilar Kansas statute.”

Third, the Kansas Supreme Court looked at prior state cases to assess whether a reasonableness standard should be read into KRTA.  Three of these cases were decided under Kansas’s General Statutes of 1915 and Revised Statutes of 1923, which the court described as the “legislative ancestor[s]” of KRTA and which contained similar language to the present day statute.  In each of these cases, the Kansas Supreme Court held the vertical price-fixing agreements at issue were unenforceable and per se illegal.

In 1937, however, the state legislature enacted the Kansas Fair Trade Act (KFTA).  This statute both permitted contracts controlling resale prices and authorized private actions to punish deviations from these contracts.  Although the legislature repealed this statute in 1963, the Kansas Supreme Court examined whether the per se rule adopted in these pre-KFTA cases had been overruled while KFTA was in effect.  The only relevant cases decided during this period were the aforementioned decisions in Heckard and Okerberg, which did indeed adopt a reasonableness standard.

Analyzing these KFTA-era cases, however, the Kansas Supreme Court determined that this “reasonableness rubric” did not apply to alleged price-fixing agreements.  The restraints of trade at issue in those cases—non-compete covenants and requirements contracts—were “factually and legally distinct from vertical and horizontal price-fixing.”  Moreover, the court went on to state it would have to read unwritten elements into the unambiguous statutory language of KRTA to impose a rule of reason in price-fixing cases, which would require the court to impermissibly encroach on the legislative function.  The court concluded that if Heckard andOkerberg were before it today, it would not impose a reasonableness standard because the clear statutory language does not require it.  The Kansas Supreme Court therefore overruled the reasonableness standard adopted in Heckard andOkerberg and held that price-fixing violations are per se illegal under KRTA.

With the decision in O’Brien, Kansas is the latest state to reject the rule of reason standard mandated by Leegin for federal RPM cases when applying state antitrust statutes.  This decision serves as a reminder to suppliers that although their pricing policies may be permissible under federal law, these same policies may nevertheless be subject to per se condemnation under certain state statutes.  Any programs directed at affecting downstream resale prices must therefore be crafted carefully to ensure they are legally compliant at both the state and federal levels.

© 2012 McDermott Will & Emery

Otsuka v. Sandoz – Motivation Trumps Structure

An article by Warren Woessner of Schwegman, Lundberg & Woessner, P.A. about Otsuka v. Sandoz recently appeared in The National Law Review:

The recent decision of the Fed. Cir. in Otsuka v. SandozApp. No. 2011-1126, -1127 (Fed. Cir. May 7, 2012) continues the courts admirable work in defining obviousness post-KSR. This case revisits the standards involved in making out a prima-facie case of structural obviousness. What is particularly interesting in this decision is the weight – or lack thereof – that the court gave to evidence of therapeutic utility of the closest prior art compound. In fact, the court applied the fairly obscure maxim of patent law articulated forty years ago In re Steminski, 444 F.2d 581 (CCPA 1971). John L. White, in Chemical Patent Practice, summarized the holding of Steminski as part of his discussion of the “Hass-Henze Doctrine”:

“The [CCPA] concluded that because the characteristics normally possessed by members of a homologous series [e.g., differing by only one methylene group] are principally the same, varying gradually from member to member [e.g., methyl, ethyl, propyl, butyl, etc], chemists knowing the properties of one member of a series would in general know what to expect in adjacent members so that a mere difference in degree is not the marked superiority which will ordinarily remove the unpatentability of adjacent homologs of old substances. Contra, where no use for the prior art compound is known [citing Steminski].”

Sandoz was trying to invalidate an anti-schizophrenic drug, aripiprazole, marketed by Otsuka as Abilify. The court abbreviated its structure by referring to it as a 2,3-dichlorophenylbutoxy compound. Sandoz et al. were trying to invalidate the claim to this compound in US Pat No. 5,006,528 over an earlier patent that disclosed the 2,3-dicholorphenylpropoxy analog of Abilify (a butoxy compound). Not only is the prior art compound  a homolog of Abilify, but the prior art patent disclosed a laundry list of utilities, including “antischizophrenia agents”. Many other structurally more remote analogs were disclosed, and three others were discussed in detail in the opinion, but the appellant/defendants must have felt pretty confident, even though the district court ruled that the patent was unobvious.

No such luck! The Fed. Cir. discussed the “lead compound concept” at length and stated that: “Absent a reason or motivation based on such prior art evidence [of pertinent properties], mere structural similarity between a prior art  compound and the claimed compound does not inform the lead compound selection….See KSR [citation omitted] (‘A fact finder should be aware, of course, of the distortion caused by hindsight bias and must be cautious of arguments reliant upon ex post reasoning.’)” Slip op. at 18-19. In other words, structural similarity, taken alone is not sufficient to establish obviousness.

But wasn’t there data beyond the “naked” structure of the 2.3-dichlorophenyl propoxy prior art homolog? Citing Takeda, 492 F.3d at 1357 and Pfizer, 480 F.3d at 1361, the court fell back on the rule that the art worker must be motivated to use the teachings of the reference to achieve the claimed invention and had a reasonable expectation of success. The court focused on the generality of the prior art disclosure of utility and the primitive nature of this area of pharmacology prior to Otsuka’s invention of Abilify: “At the relevant time, there were no carbostyril compounds that were marketed as antipsychotics or were publicly known to have potent antipsychotic activity with minimal side effects.”So reasonable expectation of success probably carried the day (or the lack thereof), and the ‘528 patent remains valid. Apart from the revival of Steminski, I was heartened by the number of times that the court criticized defendants’ use of what the court(s) considered to be hindsight. For instance, defendants tried to argue that Otsuka’s advance involved “a short timeline”. The Fed. Cir. replied:

“The inventor’s own path itself never leads to a conclusion of obviousness; that is hindsight. What matters is the path the [POSA] would have followed, as evidenced by the pertinent prior art…the district court’s careful analysis exposed the Defendants’ obviousness case for what it was—a poster child for impermissible hindsight reasoning.”

Not just pretty words, beautiful ones!

© 2012 Schwegman, Lundberg & Woessner, P.A.

Why Your Qualified Plan – Isn’t

Recently The National Law Review published an article by Ben F. Wells and William M. Freedman of Dinsmore & Shohl LLP regarding Qualified Plans:

There are many generous tax benefits that come from having a “qualified” retirement plan (such as a section 401(k) plan). For example, as an employer, you can deduct your plan contributions, but participating employees don’t have to recognize the contributions as income until they receive a distribution; usually many years later. However, those tax benefits disappear if your plan loses its qualified status.

What can cause a plan to lose its qualified status?

Several things, but there are three types of problems that frequently arise:

  • Failure to adopt required plan amendments in a timely fashion. The IRS issues reams of guidance that require plan amendments. Fail to adopt even one on time, and your plan is technically disqualified.
  • Failure to administer the plan in accordance with its terms. Your plan document probably contains hundreds of pages of fine print and technical jargon. Most employers have never read it, at least not all the way through. But you are required to follow it to the letter. Slip up one time and your plan can be considered disqualified.
  • Failure to satisfy the Internal Revenue Code’s various tests. The Code contains a number of mathematical tests which specify who must benefit from the plan and what benefits must be provided. These tests also prohibit “discrimination” in favor of highly compensated employees and others. Many of those tests are extremely complex and easy to violate. Fail one of them, and fail to correct it within the allowable time periods, and your plan will be disqualified.

How to correct qualification failures

Luckily the IRS has provided ways to correct most qualification failures. For example, their “Employee Plans Compliance Resolution System” or “EPCRS” allows plan sponsors to correct qualification failures through a variety of methods, such as employer contributions, retroactive amendments and corrective distributions. Generally those corrections are designed to put the plan in a position as if the qualification error had not occurred. But these require experienced and knowledgeable advisors to navigate.

Conclusion

To help avoid disqualification, make sure that:

  • Your advisors are monitoring your plan to help eliminate potential causes of disqualification.
  • Your plan document is up to date, and matches the way you actually administer your plan. Don’t make a change to your plan without telling your document provider and third party administrator.
  • Someone in your organization is reviewing your plan’s discrimination testing and dealing with violations.

If you see a problem, correct it as soon as possible – before the IRS audits you. This way you can keep your qualified plan “qualified.”

© 2012 Dinsmore & Shohl LLP

White House Report May Have Long-Term Effect on Consumer Privacy and How Companies Do Business

A recent White House report on consumer  data privacy forecasts a multifaceted approach to fulfilling public expectations regarding the protection of consumer’s personal information.  Although it is uncertain if the report will result in new legislation in the near future, the report could have long-term implications for the current regulatory landscape.

In February 2012 the White House released a report detailing the current administration’s position on consumer privacy, entitled Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy.  Although it is uncertain if the report will result in new privacy legislation in the near term, the report may still have long-term implications for the current regulatory landscape.

As explained in the report’s Executive Summary, the consumer privacy framework proposed by the administration consists of four key elements: (1) a Consumer Privacy Bill of Rights; (2) a “multistakeholder” process to specify how the principles in the Consumer Privacy Bill of Rights apply in particular business  contexts; (3) effective enforcement; and (4) a commitment to increase interoperability with the privacy frameworks of international partners. Below we examine each of these elements.

1. Consumer Privacy Bill of Rights

Building upon Fair Information Practice Principles that were first promulgated by the U.S. Department of Health, Education, and Welfare in the 1970s, the Consumer Privacy Bill of Rights is intended to affirm consumer expectations with regard to how companies handle personal data.2  Although the administration recognizes consumers have “certain responsibilities” to protect their own privacy, it also emphasizes the importance of using personal data in a manner consistent with the context in which it is collected.

In a press release accompanying the release of the report, the White House summarized the basic tenets of the Consumer Privacy Bill of Rights3:

Transparency—Consumers have a right to easily understandable information about privacy and security practices.

Respect for Context—Consumers have a right to expect that organizations will collect, use and disclose personal data in ways that are consistent with the context in which consumers provide the data.4

Security—Consumers have a right to secure and responsible handling of personal data.

Access and Accuracy—Consumers have a right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data are inaccurate.

Focused Collection—Consumers have a right to reasonable limits on the personal data that companies collect and retain.

Accountability—Consumers have a right to have personal data handled by companies with appropriate measures in place to assure they adhere to the Consumer Privacy Bill of Rights.

The outline for the Consumer Privacy Bill of Rights is largely aspirational, in that it does not create any enforceable obligations.  Instead, the framework simply creates suggested guidelines for companies that collect personal data as a primary, or even ancillary, function of their business operations.  As the administration recognizes, in the absence of legislation these are only “general principles that afford companies discretion in how they implement them.”5

Nevertheless, as consumers become more invested in how their personal information is used, a company that disregards the basic tenets of the Consumer Privacy Bill of Rights may be doing so at its own peril.  Although the Consumer Privacy Bill of Rights has not been codified, companies should expect that some iteration of the same principles will ultimately be legislated, or voluntarily adopted by enough industry leaders to render them enforceable by the FTC.  Therefore, companies would be welladvised to make sure they have coherent privacy policies in place now in order to avoid running afoul of guidelines imposed by whatever regulatory framework is implemented later.

2. The “Multistakeholder” Process to Develop Enforceable Codes of Conduct

The report also encourages stakeholders—described by the Administration as “companies, industry groups, privacy advocates, consumer groups, crime victims, academics, international partners, State Attorneys General, Federal civil and criminal law enforcement representatives, and other relevant groups”—to cooperate in the development of rules implementing the principles outlined in the Consumer Privacy Bill of Rights.  Of all the elements comprising the administration’s consumer privacy framework, it is this “multistakeholder” process that will likely see the most activity in coming months.

The report identifies several benefits attributable to this approach6:  First, an open process reflects the character of the internet itself as an “open, decentralized, user-driven platform for communication, innovation and economic growth.”  Second, participation of multiple stakeholders encourages flexibility, speed and creativity.  Third, this approach is likely to producesolutions “in a more timely fashion than regulatory processes and treaty-based organizations.”  Finally, the multistakeholder process allows experts to focus on specific challenges, rather than relying upon centralized authority.

The report contemplates that the multistakeholder process  will be moderated by the U.S. Department of Commerce’s National Telecommunications and Information Administration (NTIA), a view echoed by the press release accompanying the report.7  This process will likely present companies whose operations involve the collection of consumer data online—a rapidly expanding category that encompasses far more than just internet businesses—with an opportunity to shape future internet privacy legislation.

NTIA has already initiated the conversation through the issuance of a Request for Public Comments on the administration’s consumer privacy framework.8  NTIA has suggested the first topic for discussion should be a “discrete issue that allows consumers and businesses to engage [in] and conclude multistakeholder discussions in a reasonable timeframe.”9    As  one example, NTIA has suggested stakeholders discuss how the  Consumer Privacy Bill of Rights’ “transparency” principle should be applied to privacy notices for mobile applications.  When one considers that by some estimates the revenue generated by the mobile application market is expected to reach $25 billion over the next four years, it is clear that even this “discrete” issue alone could result in a significant regulatory impact.10

3. Effective Enforcement

The report further suggests that the Federal Trade Commission (FTC) will play a vital role in the enforcement of the consumer privacy protections outlined by the administration and developed during the multistakeholder process.  The administration admits, however, that in the absence of new legislation, the FTC’s authority in the area of consumer privacy may be limited to the enforcement of guidelines adopted by companies voluntarily.

According to the administration, enforcement actions “by the FTC (and State Attorneys General) have established that companies’ failures to adhere to voluntary privacy commitments, such as those stated in privacy policies, are actionable under the FTC Act’s (and State analogues) prohibition on unfair or deceptive acts or practices.”11  Therefore, in the administration’s view, the guidelines developed during the multistakeholder process would be enforceable under the existing statutory framework.

In light of the current election cycle and the resulting political landscape, it seems unlikely Congress will pass new consumer privacy legislation in the near term.  Nevertheless, companies should remain mindful that the FTC—and even state Attorneys General—may become more aggressive in addressing flagrant violations of consumers’ privacy expectations.  For instance, California’s Attorney General has explained that her office intends to enforce an agreement that California reached with Apple and other industry leaders earlier this year.  The agreement would require developers of mobile applications to post conspicuous privacy policies that explain how users’ personal information is gathered and used.

Moreover, the increased attention directed at privacy issues by consumer groups and the public at large suggests an inevitable groundswell of support for new privacy legislation.  As Jon Leibowitz, the chairman of the FTC, explained earlier this week, we could see new privacy legislation early in the term of the next Congress.12

4. A Commitment to Increased Operability

Recognizing that other countries have taken different approaches to data privacy issues, the report also encourages the development of interoperability with regulatory regimes implemented internationally.  The administration has suggested a three-pronged approach to achieving increased operability: mutual recognition, development of codes of conduct through multistakeholder processes and enforcement cooperation.

With respect to mutual recognition, the report identifies existing examples of transnational cooperation in the privacy context.  For example, it cites the Asia-Pacific Economic Cooperation’s voluntary system of Cross Border Privacy Rules and also the European Union’s Data Protection Directive.  It appears that the administration, at least for now, will depend upon companies’ voluntary adoption of these international frameworks.

Just as the administration will rely upon the multistakeholder process to develop domestic codes of conduct, it will adopt the same approach to developing globally applicable rules and guidelines.  Although the administration contemplates this process will be directed by the U.S. Departments of Commerce and State, the report does not provide any details.

Finally, the report explains the FTC will spearhead the U. S. Government’s efforts to cooperate with the FTC’s foreign counterparts in the “development of privacy enforcement priorities, sharing of best practices, and support for joint enforcement initiatives.”13

1  Report at 1. 

2  Although businesses are also “consumers,” the report appears to focus on protecting individuals’ personally identifiable information. 

3  We Can’t Wait: Obama Administration Unveils Blueprint for a “Privacy Bill of Rights” to Protect Consumers Online, February 23, 2012, Office of the Press Secretary. 

4 To illustrate the “context” principle, the report provides the example of a hypothetical social networking provider.  Users expect that certain biographical information will be collected in order to improve the service; however, if the provider sells the same biographical information to an information broker for advertising purposes, that use is more attenuated from users’ expectations.  Therefore, the latter use is not consistent with the “context” in which the biographical information was provided. 

5  Report at 2. 

6  Report at 23. 

7  We Can’t Wait, February 23, 2012, Office of the Press Secretary (“In the coming weeks, the Commerce Department’s National Telecommunications and Information Administration will convene stakeholders … .”). 

8  Docket No. 120214135-2135-01, February 29, 2012. 

9 Moving Forward with the Consumer Privacy Bill of Rights, Lawrence E. Strickling, Assistant Secretary for Communications and Information, February 29, 2012. 

10 According to Markets & Markets, a market research company and consulting firm. 

11 Report at 29. 

12 U.S. Agency Seeks Tougher Consumer Privacy Rules, The New York Times, March 26, 2012. 

13 Report at 33. 

© 2012 McDermott Will & Emery

The Growing Corporate Threat of Taxpayer Identity Theft Fraud

The National Law Review recently published an article by Latour “LT” Laffferty of Fowler White Boggs P.A. regarding Identity Theft:

Identity theft continues to be a growing problem nationwide, but particularly in Florida which continues to lead the nation per capita in reported incidents of identity theft according to the Federal Trade Commission (FTC), a national clearinghouse for consumer fraud complaints. Taxpayer identity theft fraud, a subset of identity theft in general, is the most prevalent form of identity theft according to the FTC which reported that tax-related identity theft incidents increased from 51,702 in 2008 to 248,357 in 2010. This is a dramatic increase from the 35,000 instances of employment-related identity theft cases reported in 2007.

Taxpayer identity theft fraud involves not only the theft of someone’s identity but also the filing of a fraudulent tax return using the victim’s social security number to receive a tax refund often totaling more than $9,000.00. The IRS identified and prevented the issuance of more than $14 billion in fraudulent refunds in 2011. A 2008 report issued by the Treasury Inspector General for Tax Administration (TIGTA), an IRS watchdog, stated that the prevention of taxpayer identity theft fraud is an employer’s issue involving the security of their systems and data. According to TIGTA, 938,664 of the 2.1 million fraudulent tax returns filed in 2011 involved identity theft and totaled $6.5 billion. The stolen information includes the person’s name, date of birth and social security number or Medicare beneficiary number.

The latest twist, however, is that your own employees are in on the crime as law enforcement agencies are reporting that employees at many businesses that compile personal information are misappropriating and selling the information to thieves who are filing fraudulent tax returns. The Centers for Medicare and Medicaid Services (CMS) issued a Fraud Alert in February 2012 warning healthcare providers that perpetrators are misappropriating the identities of Medicare beneficiaries from “employers, schools, hospitals, and prisons” but any businesses that store personal information are at risk from current or prospective employees. Recent law enforcement arrests report finding suspects with massive quantities of tax refunds and lists of prospective employers to apply for jobs with the specific intent to steal taxpayer identities from their databases.

The reality of this emerging threat is that perpetrators are actually targeting organizations for employment so that they can specifically breach their data security and commit identity theft and aid those committing tax refund fraud. These organizations have both a fiduciary and legal duty to safeguard that personal information, but also a legal duty to notify those consumers who they can reasonably identify that their personal information has been stolen.

©2002-2012 Fowler White Boggs P.A.

FTC Obtains Injunction, Asset Freeze on Alleged Mortgage Scam

The National Law Review recently published an article by Steven Eichorn of Ifrah Law regarding a Recent FTC Injunction:

The Federal Trade Commission has obtained an order from the federal court for the Central District of California for a preliminary injunction and asset freeze against all the defendants in an alleged mortgage modification scam.

The complaint was filed against California-based Sameer Lakhany and a number of related corporate entities for violating the Federal Trade Commission Act and the Mortgage Assistance Relief Services Rule, now known as Regulation O.This was the first FTC complaint against a mortgage relief scheme that falsely promised to get help for homeowners who joined with other homeowners to file so-called “mass joinder” lawsuits against their lenders.

The complaint listed two separate alleged schemes that collected over $1 million in fees and used images of President Obama to urge consumers to call for modifications under the “Obama Loan Modification Programs.”

The first scheme was a loan modification plan under which the defendants allegedly promised substantial relief to unwary homeowners from unaffordable mortgages and foreclosures. Their website featured a seal indicating that it was an “NHLA accredited mortgage advocate” and that NHLA is “a regulatory body in the loan modification industry to insure only the highest standards and practices are being performed. They have an A rating with the BBB.” Unfortunately, the NHLA is not a “regulatory body” and it actually has an “F” rating with the BBB.

The defendants reinforced their sales pitch by portraying themselves as nonprofit housing counselors that received outside funding for all their operating costs, except for a “forensic loan audit” fee. According to the FTC, the defendants told consumers that these audits would uncover lender violations 90 percent of the time or more and that the violations would provide leverage over their lenders and force the lenders to grant a loan modification. The defendants typically charged consumers between $795 and $1595 for this “audit.” Also, if the “audit” did not turn up any violations, the consumers could get a 70 percent refund. Unfortunately, there were often no violations found, any “violations” did not materially change the lender’s position, and it was nearly impossible to actually get a refund for this fee.

The second alleged scheme was that the defendants created a law firm, Precision Law Center, and attempted to sell consumers legal services. Precision Law Center was supposed to be a “full service law firm”, with a wide variety of practice areas. It even claimed to “have assembled an aggressive and talented team of litigators to address the lenders in a Court of Law.” However, the FTC charged that the firm never did anything besides for filing a few complaints, which were mostly dismissed.

To assist Precision Law Center in getting new clients, the defendants sent out direct mail from their law firm that resembled a class action settlement notice. The notice “promised” consumers that if they sued their lenders along with other homeowners in a “mass joinder” lawsuit, they could obtain favorable mortgage concessions from their lenders or stop the foreclosure process. The fee to participate in this lawsuit was usually between $6,000 to $10,000. The material also allegedly claimed that 80 to 85 percent of these suits are successful and that consumers might also receive their homes free and clear and be refunded all other charges.

The defendants’ direct mail solicitation also contained an official-looking form designed to mimic a federal tax form or class action settlement notice. It had prominent markings urging the time sensitivity of the materials and it requested an immediate response.

Obviously, these defendants employed many egregious marketing techniques that crossed the FTC’s line of permissibility. However, in light of the FTC’s renewed focus on Internet marketing, even a traditional marketing campaign should be carefully crafted with legal ramifications in mind.

As a final note, it is always smart not to antagonize the FTC by proclaiming (like the defendants here did) that they are “Allowed to Accept Retainer Fees” because it was “Not covered by FTC.” We couldn’t think of a better way to get onto the FTC’s radar screen!

© 2012 Ifrah PLLC

Data Security Breach Alert: 1.5 Million Credit Card Customers Affected

The National Law Review recently published an article regarding A Recent Security Breach written by Adam M. Veness of Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.:

Global Payments, Inc. (NYSE: GPN) (“Global”) has reported a significant data security breach for approximately 1.5 million credit card customers.  According to astatement that Global released on Sunday, their investigation has revealed that “Track 2 card data may have been stolen, but that cardholders’ names, addresses and social security numbers were not obtained by criminals.”  Using Track 2 data, a hacker can transfer a credit card’s account number and expiration date to a fraudulent card, and then use the fraudulent card for purchases.

As a result of the breach, Visa has removed Global from its list of companies that it considers to be “compliant services providers.”  In an effort to calm consumers, Global issued a press release today assuring that “[b]ased on the forensic analysis to date, network monitoring and additional security measures, the company believes that this incident is contained.”

The incident reinforces the importance of maintaining adequate data security.  Companies must take ample precautions to secure their customers’ data, and if they fail to do so, they may be vulnerable to a serious security breach that could adversely affect their bottom line.  As of the time of this post, Global’s stock price has fallen approximately 12% since the data breach news was announced.  Even when following best practices in data security, companies still may face data security breaches.  Despite these inevitable risks, companies should do everything reasonably required to protect against data breaches.  If a company can show that it has taken the proper precautions, then this may mitigate or reduce potential liability in the event of a breach.  After a breach, companies should ensure that they follow all of the strict legal requirements for notifying customers of the breach and remedying the effects of the breach.  Doing so may greatly reduce a company’s exposure to customer lawsuits and government action against the company.

©1994-2012 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.

Identity Theft Continues to Top FTC’s List of Consumer Complaints

Recently The National Law Review published an article by Rachel Hirsch of Ifrah Law regarding FTC’s Top Consumer Complaints:

For more than a decade, the Federal Trade Commission has been releasing its list of the top ten categories of consumer complaints received by the agency in the previous year. This list always serves as a good indication of the areas toward which the FTC may choose to direct its resources and increase its scrutiny.

For the 12th year in a row, identity theft was the number one complaint received by the FTC. Out of more than 1.8 million complaints the FTC received last year, 15% – or 279,156 – were about identity theft. Of those identity theft complaints, close to 25 percent were related to tax or wage-related fraud. The number of complaints related to identity theft actually declined in 2011 from the previous year, but this type of fraud still topped the list.

Most identity theft complaints came from consumers reporting that their personal information was stolen and used in government documents — often to fraudulently collect government benefits. Complaints about government document-related identity theft have increased 11% since 2009 and represented 27% of identity theft complaints last year. These numbers are likely to increase as concerns about consumer data privacy continue to garner the attention of the FTC.

After ID theft, the FTC’s top consumer complaints for 2011 were as follows:

• Debt collection complaints
• Prizes, sweepstakes, and lotteries
• Shop-at-Home and catalog sales
• Banks and lenders
• Internet services
• Auto-related complaints
• Imposter scams
• Telephone and mobile services
• Advance-fee loans and credit protection or repair

While credit cards are intertwined with many of the above complaints, complaints about credit cards themselves are noticeably absent from the 2011 list. In past years, credit card fraud was a major source of complaints from consumers. The drop in credit card-fraud-related complaints, however, is not surprising given the passage of the Credit CARD Act of 2009. This landmark federal legislation banned interest rate hikes “at any time for any reason” and limited the instances when rates on existing card balances could be hiked by issuers. The law also required lenders to give customers at least 45 days advance notice of significant changes in terms to allow card users time to shop around for better terms.

With the upcoming changes to the FTC’s advertising guidelines, there may very well be new additions to the consumer complaint list next year. Those complaints that already appear on the list are also likely to receive increased scrutiny.

© 2012 Ifrah PLLC

FDA Discloses Method for Classifying Food Facilities as "High Risk" Under FSMA

The National Law Review published an article regarding FDA High Risk Food Facilities Classification Methods written by Lynn C. Tyler, M.S.Nicolette R. Hudson and Hae Park-Suk of Barnes & Thornburg LLP:

The Food Safety Modernization Act (FSMA), signed by President Obama in January 2011, requires FDA to inspect food facilities on different time tables depending on whether a facility is classified as “high risk” or not. High-risk facilities must be inspected at least once within the first five years after the enactment of the FSMA and once every three years thereafter. Non-high risk facilities must be inspected at least once within the first seven years after the enactment of the FSMA and once every five years thereafter.

The U.S. Food and Drug Administration (FDA) recently disclosed the method it intends to follow to classify food facilities as high risk or non-high risk under the FSMA. The agency first noted that the FSMA set forth six risk factors to be considered in making this determination:

  • The known safety risks of the food manufactured, processed, packed or held at the facility
  • The compliance history of the facility
  • The facility’s hazard analysis and risk-based preventive controls (HARBPC)
  • Whether the food at the facility meets the criteria for priority to detect intentional adulteration in imported food
  • Whether the food at the facility has received certain certifications
  • Other criteria identified by Health and Human Services

FDA then noted that for FY 2011-13 the classification decision will be based primarily on the first two factors and according to the following algorithms:

  • If a facility manufactures food categories associated with foodborne outbreaks AND class I recalls (reasonable probability of serious adverse health consequences or death), it is high risk
  • If a facility manufactures food categories associated with foodborne outbreaks OR class I recalls AND it has not been inspected within the last five years, it is high risk
  • Facilities with a checkered compliance history (three or more inspections resulting in Voluntary Action Indicated findings or one or more resulting in Official Action Indicated findings within the last five years) are high risk

FDA stated that it plans to modify and adjust these criteria in the future as it develops data on some of the FSMA criteria and for other reasons. It also reserved the right to inspect a facility more frequently when necessary in its judgment.

© 2012 BARNES & THORNBURG LLP