Nineteen States Have Banned TikTok on Government-Issued Devices

Governors of numerous states have issued Executive Orders in the past several weeks banning TikTok from government-issued devices and many have already implemented a ban, with others considering similar measures. There is also bi-partisan support of a ban in the Senate, which unanimously approved a bill last week that would ban the app from devices issued by federal agencies. There is already a ban prohibiting military personnel from downloading the app on government-issued devices.

The bans are in response to the national security concerns that TikTok poses to U.S. citizens.

To date, 19 states have issued some sort of ban on the use of TikTok on government-issued devices, including some Executive Orders banning the use of TikTok statewide on all government-issued devices. Other state officials have implemented a ban within an individual state department, such as the Louisiana Secretary of State’s Office. In 2020, Nebraska was the first state to issue a ban. Other states that have banned TikTok use in some way are: South Dakota, North Dakota, Maryland, South Carolina, Texas, New Hampshire, Utah, Louisiana, West Virginia, Georgia, Oklahoma, Idaho, Iowa, Tennessee, Alabama, Virginia, and Montana.

Indiana’s Attorney General filed suit against TikTok alleging that the app collects and uses individuals’ sensitive and personal information, but deceives consumers into believing that the information is secure. We anticipate that both the federal government and additional state governments will continue to assess the risk and issue bans on its use in the next few weeks.

Copyright © 2022 Robinson & Cole LLP. All rights reserved.
For more Cybersecurity Legal News, click here to visit the National Law Review.

TCPA Turnstile: 2022 Year in Review (TCPA Case Update Vol. 17)

As 2022 comes to a close, we wanted to look back at the most significant Telephone Consumer Protection Act, 47 U.S.C. § 227 (“TCPA”) decisions of the year.  While we didn’t see the types of landscape-altering decisions that we saw in 2021, there’s still plenty to take note of.  We summarize here the biggest developments since our last update, listed by issue category in alphabetical order.

Arbitration: In Kelly v. McClatchy Co., LLC, 2022 WL 1693339 (E.D. Cal.  May 26, 2022), the District Court denied the defendant’s motion to compel arbitration because the contractual relationship between the parties had terminated before the unwanted calls were made. Plaintiffs had originally signed defendant’s Terms of Service which bound them to an arbitration provision for all legal disputes. Plaintiffs then cancelled their subscriptions which subsequently ended the enforceability of the Terms of Service against them. However, plaintiffs then received unwanted calls from Defendant seeking service renewals which the court deemed were not covered by the arbitration clause, even under a theory of post-expiration enforcement.

ATDS: Following Facebook v. Duguid, 141 S. Ct. 1163 (2021), courts are still struggling to define an “automatic telephone dialing system,” and the Third Circuit weighed in through Panzarella v. Navient Sols., Inc., 2022 WL 2127220 (3d Cir. June 14, 2022).  The district court granted defendant’s motion for summary judgment on the grounds that plaintiffs failed to show that an ATDS was used to call their phones. The Third Circuit upheld the summary judgment ruling but did not decide whether the dialing equipment used constituted an “ATDS” under the TCPA. Rather, its ruling hinged on the fact that defendant’s dialer pulled phone numbers from its internal database, not computer-generated tables. As such, the Third Circuit found that even though the system may very well be an unlawful ATDS system under the TCPA, if it is not used in that way, defendants could not be held liable.

In an interesting move, the court in Jiminez v. Credit One Bank, N.A., Nco Fin. Sys., 2022 WL 4611924 (S.D.N.Y. Sept. 30, 2022), narrowed the definition of an “ATDS,” choosing to reject the Second Circuit approach in favor of the Third Circuit’s approach in Panzarella. Here, plaintiff alleged that defendant used a dialing system to send numerous calls without consent. The Second Circuit follows the majority view that, if a system used to dial numbers has the ability to store or generate random numbers, the call made violates the TCPA, even if the random dialing function is not actually utilized. But the court in Jiminez found the Third Circuit’s reasoning persuasive and applied it to the case, finding that plaintiff failed to show the dialing system was actually used in a way that violated the TCPA. It granted summary judgment to defendants on the TCPA claims because the evidence showed the numbers used were all taken from a pre-approved customer list, not generated from random dialing.

Similarly, in Borden v. Efinancial, LLC, 2022 WL 16955661 (9th Cir. Nov. 16, 2022), the Ninth Circuit also adopted a narrower definition of an ATDS, finding that to qualify as an ATDS, a dialing system must use its automation function to generate and dial random or sequential telephone numbers. This means that a mere ability to generate random or sequential numbers is irrelevant; the generated numbers must actually be telephone numbers. Given the circuit split on this issue, it seems likely that the Supreme Court will eventually have to weigh in.

Notably, in May 2022, the FCC issued a new order which will target unlawful robocalls originating outside the country. The order creates a new classification of service providers called “Gateway Providers” which have traditionally served as transmitters of international robocalls. These providers are domestic intermediaries which are now required to register with the FCC’s Robocall Mitigation database, file a mitigation plan with the agency, and certify compliance with the practices therein.

Class Certification: In Drazen v. Pinto, 41 F. 4th 1354 (11th Cir. July 27, 2022), the Eleventh Circuit considered the issue of standing in a TCPA class action. Plaintiffs’ proposed settlement class included unnamed plaintiffs who had only received one unsolicited text message. Because the court held in an earlier case (Salcedo v. Hanna, 936 F.3d 1162 (11th Cir. 2019)) that just one unwanted message is not sufficient to satisfy Article III standing, it found that some of the class members did not have adequate standing. The district court approved the class with these members in it, finding that those members could remain because they had standing in their respective Circuit and only named plaintiffs needed to have standing. The Eleventh Circuit held otherwise and vacated the class certification and settlement in the case. It remanded, allowing for redefinition of the class giving all members standing.

Consent: Chennette v. Porch, 2022 WL 6884084 (9th Cir. Oct. 12, 2022), involved a defendant who used cell phone numbers posted on publicly available websites, like Yelp and Facebook, to solicit client leads to contractors through unwanted text messages. The court rejected defendant’s argument that plaintiffs consented to the calls because their businesses were advertised through these public posts with the intent of obtaining new business. Beyond that, the court also found that even though these cell phones were used for both personal and business purposes, the numbers still fell within the protection of the TCPA, allowing plaintiffs to satisfy both statutory and Article III standing.

Damages: In Wakefield v. ViSalus, 2022 WL 11530386 (9th Cir. Oct. 20, 2022), the Ninth Circuit adopted a new test to determine the constitutionality of an exceptionally large damages award. Defendant was a marketing company that made unwanted calls to former customers, soliciting them to renew their subscriptions to weight-loss products. After a multi-day trial, a jury returned a verdict for the plaintiff with a statutory damages award of almost $1 billion. The Ninth Circuit reversed and remanded to the district court to consider the constitutionality of the award. While the district court’s test asked whether the award was “so severe and oppressive” as to violate defendant’s due process rights, the Ninth Circuit instructed it to reassess using a test outlined in a different case, Six Mexican Workers. The Six Mexican Workers test assesses the following factors in determining the constitutionality of the damages award: “1) the amount of award to each plaintiff, 2) the total award, 3) the nature and persistence of the violations, 4) the extent of the defendant’s culpability, 5) damage awards in similar cases, 6) the substantive or technical nature of the violations, and 7) the circumstances of each .” We are still awaiting that determination on remand.

Standing: In Hall v. Smosh Dot Com, Inc., 2022 WL 2704571 (E.D. Cal July 12, 2022), the court addressed whether plaintiff had standing under the TCPA as a cell phone plan subscriber where the text messages were only received by someone else on the plan; in this case, plaintiff was the subscriber and her minor son was the recipient of the unwanted text messages. The court granted defendant’s motion to dismiss for lack of standing because she could not show that status of a subscriber alone could convey adequate standing under Article III.

In Rombough v. State Farm, No. 22-CV-15-CJW-MAR, (N.D. Iowa June 9, 2022), the court evaluated standing under the TCPA based on a plaintiff’s number being listed on the Do Not Call list. It determined that being on the DNC was not an easy ticket into court; plaintiff needed to allege more than just having its number on the list. Rather, the plaintiff must have actually registered their own numbers on the list.

© 2022 Vedder Price

CFPB Investigates Crypto Lender

On December 1, 2022, the Consumer Financial Protection Bureau (Bureau) made public an administrative order denying Nexo Financial LLC’s (Nexo) petition to modify the Bureau’s civil investigative demand.  The order represents the first publicly known Bureau investigation of a digital asset company, in this case, over Nexo’s “Earn Interest” crypto lending product.

The Bureau served Nexo with a civil investigative demand in late 2021 seeking further information about whether Nexo products were subject to federal consumer financial law, and in particular Nexo’s compliance with the Consumer Financial Protection Act and regulations under the Electronic Funds Transfer Act.  Nexo sought to set aside the civil investigative demand and argued that, because the SEC had taken the position that other crypto lending products were securities, the Bureau was estopped from investigating it under provisions of federal law that preempt the Bureau from regulating securities products.

The Bureau rejected Nexo’s line of reasoning.  According to the Bureau order, “Nexo Financial is trying to avoid answering any of the Bureau’s questions about the Earn Interest Product (on the theory that the product is a security subject to SEC oversight) while at the same time preserving the argument that the product is not a security subject to SEC oversight.”  The order continues, “This attempt to have it both ways dooms Nexo Financial’s petition from the start.”  The Bureau also found that Nexo’s petition was not timely filed.

As we recently noted, the Bureau has been increasing its attention to the digital asset sector.  The Nexo order includes a lengthy discussion about the breadth of its jurisdiction and ability to investigate potential violations of law.  As the crypto winter persists, we expect to see the Bureau continue to explore ways to assert its authority to regulate elements of the digital asset sector.

Copyright © 2022, Hunton Andrews Kurth LLP. All Rights Reserved.

What You Need to Know About the DOJ’s Consumer Protection Branch

The Consumer Protection Branch of the United States Department of Justice (DOJ) is one of the most overlooked and misunderstood parts of the country’s largest law enforcement agency. With a wide field of enforcement, the Branch can pursue civil enforcement actions or even criminal prosecutions against companies based in the United States and even foreign companies doing business in the country.

Here are four things that Dr. Nick Oberheiden, a defense lawyer at Oberheiden P.C., thinks that people and businesses need to know about the DOJ’s Consumer Protection Branch.

The Wide Reach of “Protecting Consumers”

According to the agency itself, the Consumer Protection Branch “leads Department of Justice enforcement efforts to enforce consumer protection laws that protect Americans’ health, safety, economic security, and identity integrity.” While “identity integrity” is relatively tightly confined to issues surrounding identity theft and the unlawful use of personal data and information, “health,” “safety,” and “economic security” are huge and vaguely defined realms of jurisdiction.

Under the Branch’s enforcement focus or interpretation of its law enforcement mandate, it has the power to prosecute fraud and misconduct in the fields of:

  • Pharmaceuticals and medical devices

  • Food and dietary supplements

  • Consumer fraud, including elder fraud and other scams

  • Deceptive trade practices

  • Telemarketing

  • Data privacy

  • Veterans fraud

  • Consumer product safety and tampering

  • Tobacco products

Business owners and executives are often surprised to learn that the Consumer Protection Branch has so many oversight powers. But the Consumer Protection Branch’s wide reach is not limited to the laws that it can invoke and enforce; it also has a wide geographical reach. In order to carry out its objective, the Branch brings both criminal and affirmative civil enforcement cases throughout the country. In one recent case, the Consumer Protection Branch prosecuted a drug manufacturer for violations of the federal Food, Drug, and Cosmetic Act (FDCA) after the drug maker hid and destroyed records before an inspection by the U.S. Food and Drug Administration (FDA). The drug manufacturer, however, was an Indian company that sold several cancer drugs in the U.S. The plant inspection took place in West Bengal, India.

The Branch Has Lots of Laws at Its Disposal

The extremely broad reach of the Consumer Protection Branch comes with a significant implication: There are numerous laws that the Branch can invoke as it regulates and investigates businesses. Many of these are substantive laws that prohibit certain types of conduct, like:

Others, however, are procedural laws, which prohibit using certain means to carry out a crime, like:

  • Mail fraud (18 U.S.C. § 1341), which is the crime of using the mail system to commit fraud

  • Wire fraud (18 U.S.C. § 1343), which is the crime of using wire, radio, or television communication devices to commit fraud, including the internet

This can mean that many defendants get hit with multiple criminal charges for the same line of conduct, drastically increasing the severity of a criminal case. For example, in one case, a group of pharmacists fraudulently billed insurers for over $900 million in medications that they knew were not issued under a valid doctor-patient relationship. They were charged with misbranding medication and healthcare fraud, in addition to numerous counts of mail fraud for shipping that medication through the mail.

The Branch Has the Power to Pursue Civil and Criminal Sanctions

Lots of business owners and executives are also unaware of the fact that the DOJ’s Consumer Protection Branch has the power to pursue both civil and criminal cases if the law being enforced allows for it.

This has serious consequences for companies, and not just because the Branch can imprison individuals for putting consumers at risk: It also complicates the strategy for defending against enforcement action.

A good example of how this works in real life is a healthcare fraud allegation that is pursued by the Consumer Protection Branch under the False Claims Act, or FCA, because the alleged fraud implicated money from a government healthcare program, like Medicare or Medicaid. For it to be the crime of healthcare fraud, the Consumer Protection Branch would have to prove that there was an intent to defraud the program. If there is no intent, though, the Branch can still pursue civil penalties.

This complicates the defense strategy because keeping prosecutors from establishing your intent is not the end of the case. It just takes prison time off the table. While this is a big step in protecting your rights and interests, it still leaves you and your company open to civil liability. That liability can be quite substantial, as many anti-fraud laws – including the FCA – impose civil penalties on each violation and impose treble damages, or three times the amount fraudulently obtained.

As Dr. Nick Oberheiden, a consumer protection defense lawyer at the national law firm Oberheiden P.C., explains, “While relying on a lack of intent defense can work with other criminal offenses, it is a poor choice when fighting against allegations of fraud because it tacitly admits to the fraudulent actions. Enforcement agencies like the DOJ’s Consumer Protection Branch can then easily impose civil liability against your company.”

The Branch Works in Tandem With Other Agencies

The Consumer Protection Branch only has about 200 prosecutors, support professionals, embedded law enforcement agents, and investigators. However, between October 2020 and December 2021, the Branch charged at least 96 individuals and corporations with criminal offenses and another 112 with civil enforcement actions, collecting $6.38 billion in judgments and resolutions.

The Branch can do this in large part because it works closely with other federal law enforcement agencies, like the:

By pooling their resources with other agencies like these, the DOJ’s Consumer Protection Branch can bring more weight to its enforcement action against your company.

Oberheiden P.C. © 2022

“Red Flags in the Mind Set”: SEC Sanctions Three Broker/Dealers for Identity Theft Deficiencies

In 1975, around the time of “May Day” (1 May 1975), which brought the end of fixed commission rates and the birth of registered clearing agencies for securities trading (1976), the U. S. Securities and Exchange Commission (“SEC”) created a designated unit to deal with the growth of trading and the oversight of broker/dealers. That unit, the Office of Compliance Inspections and Examinations (the “OCIE”), evolved and grew over time. It regularly issued Risk Alerts on specific topics aimed at Broker/Dealers and/or Investment Advisers, expecting that those addressees would take appropriate steps to prevent the occurrence of the identified risk, or at least mitigate its impact on customers. On Sept. 15, 2020, the OCIE issued a Risk Alert entitled “Cybersecurity: Safeguarding Client Accounts against Credential Compromise,” which emphasized the importance of compliance with SEC Regulation S-ID, the “Identity Theft Red Flags Rule,” adopted May 20, 2013, under Sections of the Securities Exchange Act of 1934 (the “34 Act”) and the Investment Advisers Act of 1940, as amended (the “40 Act”). See, in that connection, the discussion of this and related SEC cyber regulations in my Nov. 19, 2020, Blog “Credential Stuffing: Cyber Intrusions into Client Accounts of Broker/Dealers and Investment Advisors.”

The SEC was required to adopt Regulation S-ID by a provision in the 2010 Dodd-Frank Wall Street Reform and Consumer Protection Act, which amended a provision of the Fair Credit Reporting Act of 1970 (“FCRA”) to add both the SEC and the Commodity Futures Trading Commission to the federal agencies that must have “red flag” rules. That “red flag” requirement for the seven federal prudential bank regulators and the Federal Trade Commission was made part of the FCRA by a 2003 amendment. Until Wednesday, July 27, 2022, the SEC had (despite the Sept. 15, 2020, Risk Alert) brought only one enforcement action for violating the “Red Flag” Rule (in 2018 when customers of the firm involved suffered harm from the identity thefts). In 2017, however, the Commission created a new unit in its Division of Enforcement to better address the growing risks of cyber intrusion in the U.S. capital markets, the Crypto Assets and Cyber Unit (“CACU”). That unit almost doubled in size recently with the addition of 20 newly assigned persons, as reported in an SEC Press Release of May 3, 2022. There the Commission stated the Unit “will continue to tackle the omnipresent cyber-related threats in the nation’s [capital] markets.” Also, underscoring the ever-increasing role played by the SEC in overseeing the operations of broker/dealers and investment advisers, the OCIE was renamed the Division of Examinations (“Exams”) on Dec. 17, 2020, elevating an “Office” of the SEC to a “Division.”

Examinations of three broker/dealers by personnel from Exams led the CACU to investigate all three, resulting in the institution of Administrative and Cease-and-Desist Proceedings against each of the respondents for violations of Regulation S-ID. In those proceedings, the Commission alleged that the Identity Theft Protection Program (“ITPP”), which each respondent was required to have, was deficient. Regulation S-ID, including its Appendix A, sets forth both the requirements for an ITPP and types of red flags the Program should consider, and in Supplement A to Appendix A, includes examples of red flags from each category of possible risks. An ITPP must be in writing and should contain the following:

  1. Reasonable policies and procedures to identify, detect and respond appropriately to relevant red flags of the types likely to arise considering the firm’s business and the scope of its brokerage and/or advisory activities; and those policies and procedures should specify the responsive steps to be taken; broad generalizations will not suffice. Those policies and procedures should also describe the firm’s practices with respect to theft identification, prevention, and response, and direct that the firm document the steps to be taken in each case.
  2. Requirements for periodic updates of the Program, including updates reflecting the firm’s experience with both a) identity theft; and b) changes in the firm’s business. In addition, the updates should address changes in the types and mechanisms of cybersecurity risks the firm might plausibly encounter.
  3. Requirements for periodic review of the types of accounts offered and the risks associated with each type.
  4. Provisions directing at least annual reports to the firm’s board of directors, and/or senior management, addressing the program’s effectiveness, including identity theft-related incidents and management responses to them.
  5. Provisions for training of staff in identity theft and the responses required by the firm’s ITPP.
  6. Requirements for monitoring third party service providers for compliance with identity theft provisions that meet those of the firm’s program.

The ITPP of each of the three broker/dealers was, as noted, found deficient. The first, J.P. Morgan Securities, LLC (“MORGAN”), organized under Delaware law and headquartered in New York, New York, is a wholly owned subsidiary of JPMorgan Chase & Co. (described by the Commission as “a global financial services firm” in its July 27, 2022, Order Instituting Administrative and Cease-and-Desist Proceedings [the “Morgan Order”]). Morgan is registered with the Commission as both a broker/dealer (since Dec. 13, 1985) and an investment adviser (since April 3, 1965). As recited in the Morgan Order, the SEC found Morgan offered and maintained customer accounts “primarily for personal, family, or household purposes that involve or are designed to permit multiple payments or transactions.” The order further notes that from Jan. 1, 2017, through Dec. 31, 2019, Morgan’s ITPP did not meet the requirements of Regulation S-ID because it “merely restated the general legal requirements” and did not specify how Morgan would identify a red flag or direct how to respond to it. The Morgan Order notes that although Morgan did take action to detect and respond to incidents of identity theft, the procedures followed were not in Morgan’s Program. Further, Morgan did not periodically update its program, even as both the types of accounts offered, and the extent of cybersecurity risks changed. The SEC also found Morgan did not adequately monitor its third-party service providers, and it failed to provide any identity theft-specific training to its staff. As a result, Morgan had violated Regulation S-ID. The order noted that Morgan “has undertaken substantial remedial acts, including auditing and revising … [its Program].” Nonetheless, Morgan was ordered to cease and desist from violating Regulation S-ID, was censured, and was ordered to pay a civil penalty of $1.2 million.

The second broker/dealer charged was UBS Financial Services Inc. (“UBF”), a Delaware corporation dually registered with the Commission as both a broker/dealer and an investment adviser since 1971. UBF, headquartered in Weehawken, New Jersey, is a subsidiary of UBS Group AG, a publicly traded major financial institution incorporated in Switzerland. In 2008, UBF adopted an ITPP (the “UBF Program”) pursuant to the 2003 amendments to the FCRA. The program applied both to UBF and to other affiliated entities and branch offices in the U.S. and Puerto Rico “which offered private and retail banking, mortgage, and private investment services that operated under UBS Group AG’s Wealth Management Americas’ line of business.” See my blog published on Aug. 22, 2022, “Only Sell What You Know: Swiss Bank Negligence is a Fraud on Clients,” for information about the origins and history of UBS Group AG.

The July 27, 2022, SEC Order instituting Administrative and Cease-and-Desist Proceedings against UBF (the “UBF Order”) stated that UBF made no change to the UBF Program when, in 2013, it became subject to Regulation S-ID, or thereafter from Jan. 1, 2017, to Dec. 31, 2019, other than to revise the list of entities and branches it covered. The Commission found UBF failed to update the UBF Program even as the accounts it offered changed, and without considering if some accounts offered by affiliated entities and branches are not “covered accounts” within Regulation S-ID. The UBF Program did not have reasonable policies and procedures to identify red flags, taking into consideration account types and attendant risks, and did not specify what responses were required. The SEC also found the program wanting for not providing for periodic updates, especially addressing changes in accounts and/or in cybersecurity risks. The annual reports to the board of directors “did not provide sufficient information” to assess the UBF Program’s effectiveness or the adequacy of UBF’s monitoring of third-party service providers; indeed, the UBF Order notes the “board minutes do not reflect any discussion of compliance with Regulation S-ID.” In addition, UBF “did not conduct any training of its staff specific” to the UBF Program, including how to detect and respond to red flags. As a result, the Commission found UBF in violation of Regulation S-ID. Although the Commission again noted the “substantial remedial acts” undertaken by UBF, including retaining “an outside consulting firm to review its Program” and to recommend change, the SEC nonetheless ordered UBF to cease and desist from violating the Regulation, censured UBF, and ordered it to pay a civil penalty of $925,000.

The third member of this broker/dealer trio is TradeStation Securities, Inc. (“TSS”), a Florida corporation headquartered in Plantation, Florida, that, according to the July 27, 2022, SEC Order Instituting Administrative and Cease-and-Desist Proceedings (the “TSS Order”), “provides primarily commission-free, directed online brokerage services to retail and institutional customers.” TSS has been registered with the SEC as a broker/dealer since January 1996. Their ITPP, too, was found deficient. The ITPP implemented by TSS (the “TSS Program”) essentially ignored the reality of TSS’s business as an online operation. For instance, the TSS Program cited only the red flags offered as “non-comprehensive examples in Supplement A to Appendix A” and not any “relevant to its business and the nature and scope of its brokerage activities.” Hence, the TSS Program cited the need to confirm the physical appearance of customers to make certain it was consistent with photographs or physical descriptions in the file. But an online broker/dealer would have scant opportunity to see a customer or a new customer in person, even when opening an account. Nor did TSS check the Supplement A red flag examples cited in the TSS Program when opening new customer accounts. The TSS Program directed only that “additional due diligence” should be performed if a red flag were identified, rather than directing specific responsive steps to be taken, such as not opening an account in a questionable situation. There were no requirements for periodic updates of the TSS Program. 
Indeed, “there were no material changes to the Program” after May 20, 2013, “despite significant changes in external cybersecurity risks related to identity theft.” At this point in the TSS Order, the Commission cited a finding in the Federal Register that “[a]dvancements in technology … have led to increasing threats to the integrity … of personal information.” The SEC found that TSS did not provide reports about the TSS Program and compliance with Regulation S-ID either to the TSS board or to a designated member of senior management, and that TSS had no adequate policies and procedures in place to monitor third-party service providers for compliance with detecting and preventing identity theft. The order is silent on the extent of TSS’s training of staff to deal with identity threats, but considering the other shortcomings, presumably such training was at best haphazard. The Commission found that TSS violated Regulation S-ID. Although the TSS Order noted (as with the other Proceedings) the “substantial remedial acts” undertaken by TSS, including retaining “an outside consulting firm” to aid compliance, the Commission nonetheless ordered TSS to cease-and-desist from violating the Regulation, censured TSS, and ordered it to pay a civil penalty of $425,000.

These three enforcement actions on the same day, especially ones involving two of the world’s leading financial institutions, signal a new level of attention by the Commission to cybersecurity risks to customers of broker/dealers and investment advisers, with a focus on the risks inherent in identity theft. As one leading law firm writing about these three actions advised, “[f]irms should review their ITPPs placing particular emphasis on identifying red flags tailored to their business and on conducting regular compliance reviews to update those red flags and related policies and procedures to reflect changes in business practices and risk.” That sound advice should be followed NOW, before the CACU comes calling.

©2022 Norris McLaughlin P.A., All Rights Reserved

FDA Issues Warning Letters to 7 Dietary Supplement Companies for Drug Claims

  • On November 17, 2022, FDA posted warning letters to 7 companies for selling different dietary supplements with claims that caused the products to be “drugs” in violation of the Federal Food, Drug, and Cosmetic Act (FD&C Act).  Under the FD&C Act, products intended to diagnose, cure, treat, mitigate, or prevent disease are drugs and are subject to the requirements that apply to drugs, even if they are labeled as dietary supplements.

  • The claims were found on the 7 companies’ websites, social media pages, and/or Amazon or Walmart storefronts, and included a variety of statements regarding the products’ claimed abilities to cure, treat, mitigate, or prevent cardiovascular disease (or related conditions, such as atherosclerosis, stroke, or heart failure).  Six of the companies at issue sell a product(s) containing one or more dietary ingredients identified as Vitamin B3, red yeast rice, pine bark extract, EPA and DHA omega-3 fatty acids, magnesium, zinc, bergamot, Hawthorn berry, Hawthorn extract, Coleus forskohlii, hops, taurine, garlic powder, amino sulfonic acid, Co-Q-10, and/or octacosanol.  The seventh company does not list a dietary ingredient but identifies its product as a “glycocalyx regenerating product” and notes various “pathologies associated with impaired endothelial glycocalyx.”  As noted in the warning letters, FDA has not evaluated whether the unapproved products are effective for their intended use, the proper dosage, potential interaction with FDA-approved drugs or other substances, or whether they have dangerous side effects or other safety concerns.  Further, in addition to characterizing the products as unapproved “new drugs,” FDA’s letters note misbranding charges based on the impossibility of writing adequate directions for a layperson to use the products safely for the intended purpose of treating one or more diseases that are not amenable to self-diagnosis or treatment without the supervision of a licensed practitioner.

  • FDA requested that the companies respond to the warning letters within 15 working days and describe how they will address the issues, or provide reasoning and substantiation as to why they believe the products are not in violation of the law.  Failure to adequately address the issues could result in legal action, such as product seizure and/or injunction.


© 2022 Keller and Heckman LLP

REI PFAS Consumer Fraud Lawsuit Continues Trend of Similar Lawsuits

On October 28, 2022, a PFAS consumer fraud class action lawsuit was filed in Washington against REI over alleged PFAS content in various articles of waterproof clothing sold by the company. The REI PFAS consumer fraud lawsuit is but the latest in a growing line of PFAS lawsuits that allege that certain consumer goods contain PFAS, that the products or company’s values were marketed as healthy or environmentally friendly, and that consumers would not have purchased the products if they knew that the products contained PFAS.

As we predicted in early 2021, the increased attention on PFAS content in consumer goods in the scientific community and media presented significant risks to various industries, including the apparel and cosmetics industry, and our prediction was that the developments would lead to a significant number of lawsuits alleging consumer fraud. Consumer goods industries, insurers, and investment companies interested in the consumer goods vertical with niche interest in cosmetics companies must pay careful attention to the cosmetics lawsuits and the increasing trend of lawsuits targeting the industry.

REI PFAS Consumer Fraud Lawsuit

On October 28, 2022, plaintiffs Jacob Krakauer and Joyce Rockwood filed a lawsuit in Washington federal court seeking a proposed class action against REI. The lawsuit alleges that REI markets the company and its products as environmentally friendly and sustainable. Further, the lawsuit cites to statements made by REI that the company is taking proactive steps with respect to chemical use in its products to argue that such statements were false, misleading or induced consumers to purchase products when the presence of PFAS in the products was not disclosed.

In the Complaint, plaintiffs allege the following counts against REI:

  • Violation of state consumer protection laws and the federal Magnuson-Moss Warranty Act

  • Breach of warranty (implied and express)

  • Fraud (actual and constructive)

  • Fraudulent inducement

  • Money had and received

  • Fraudulent omission or concealment

  • Fraudulent misrepresentation

  • Negligent misrepresentation

  • Unjust enrichment

  • Negligent failure to warn

The plaintiffs seek certification of a nationwide class action lawsuit, with subclasses defined as consumers in Washington and Arizona. In addition, the lawsuit seeks damages, fees, costs, the establishment of medical monitoring, and a jury trial.

Just the Beginning For Consumer Products Companies

With studies underway, legislation pending that targets consumer goods, and increasing media reporting on PFAS in consumer goods and concerns over human health, product manufacturers should be increasingly wary of lawsuits similar to the REI lawsuit being filed against them. There are an increasing number of PFAS consumer fraud cases being filed, with some of the below as representative of recent trends:

  • Cosmetics industry:

    • Brown v. Cover Girl, New York (April 1, 2022)

    • Anderson v. Almay, New York (April 1, 2022)

    • Rebecca Vega v. L’Oreal, New Jersey (April 8, 2022)

    • Spindel v. Burt’s Bees, California (March 25, 2022)

    • Hicks and Vargas v. L’Oreal, New York (March 9, 2022)

    • Davenport v. L’Oreal, California (February 22, 2022)

  • Food packaging industry:

    • Richburg v. Conagra Brands, Illinois (May 6, 2022)

    • Ruiz v. Conagra Brands, Illinois (May 6, 2022)

    • Hamman v. Cava Group, California (April 27, 2022)

    • Azman Hussain v. Burger King, California (April 11, 2022)

    • Little v. NatureStar, California (April 8, 2022)

    • Larry Clark v. McDonald’s, Illinois (March 28, 2022)

  • Feminine hygiene products:

    • Gemma Rivera v. Knix Wear Inc., California (April 4, 2022)

    • Blenis v. Thinx, Inc., Massachusetts (June 18, 2021)

    • Destini Canan v. Thinx Inc., California (November 12, 2020)

As the above indicates, several major companies now find themselves embroiled in litigation focused on PFAS false advertising, consumer protection violations, and deceptive statements made in marketing and ESG reports. The lawsuits may well serve as test cases for the plaintiffs’ bar to determine whether similar lawsuits will be successful in any (or all) of the fifty states in this country. Companies must consider the possibility of needing to defend lawsuits involving plaintiffs in all fifty states for products that contain PFAS.

It should be noted that these lawsuits would only touch on the marketing, advertising, ESG reporting, and consumer protection type of issues. Separate products lawsuits could follow that take direct aim at obtaining damages for personal injury for plaintiffs from consumer products. In addition, environmental pollution lawsuits could seek damage for diminution of property value, cleanup costs, and PFAS filtration systems if drinking water cleanup is required.

Conclusion

It is of the utmost importance that businesses along the whole supply chain in the consumer products industry evaluate their PFAS risk. Public health and environmental groups urge legislators to regulate PFAS at an ever-increasing pace. Similarly, state level EPA enforcement action is increasing at a several-fold rate every year. Now, the first wave of lawsuits takes direct aim at the consumer products industry. Companies that did not manufacture PFAS, but merely utilized PFAS in their manufacturing processes, are therefore becoming targets of costly enforcement actions at rates that continue to multiply year over year. Lawsuits are also filed monthly by citizens or municipalities against companies that are increasingly not PFAS chemical manufacturers.


©2022 CMBG3 Law, LLC. All rights reserved.

Pair of Lawsuits Target Mint Flavored Products

  • Spencer Sheehan, a well-known class-action attorney, has filed a pair of class-action lawsuits in the U.S. District Court for the Northern District of Illinois, alleging that mint flavored products which do not contain mint are deceptively labeled.
  • The first lawsuit alleged that a “mint chocolate chip ice cream” statement of identity is misleading to consumers where the product’s flavor is derived from “natural flavor” and not any mint or mint-containing ingredient. The product also contains images of mint leaves on the front panel. As support for the allegation that the lack of mint is deceptive, the complaint cites to the ice cream flavoring regulation (21 CFR 135.110(f)(2)), which requires that the term “flavored” (e.g., mint flavored) be used where a product contains a natural flavor which predominates.
  • The second lawsuit alleged that consumers are misled by a gum product which is labeled as “original flavor” with a backdrop of what appears to be a blue mint leaf, but which only contains “natural and artificial flavor,” and no mint-based ingredients. Plaintiff, citing to the general flavoring regulation (21 CFR 101.22), alleged that the product should have been labeled as “naturally and artificially flavored mint” and that the failure to disclose the flavor or include the other qualifiers is misleading.
  • Although Plaintiffs have alleged technical violations of FDA’s labeling regulations, courts have consistently held that a reasonable consumer may not be aware of the intricacies of FDA’s labeling regulations and that therefore a technical labeling violation is not in itself sufficient to show that a reasonable consumer would be misled.
© 2022 Keller and Heckman LLP

Chamber of Commerce Challenges CFPB Anti-Bias Focus Concerning AI

At the end of last month, the U.S. Chamber of Commerce, the American Bankers Association and other industry groups (collectively, “Plaintiffs”) filed suit in Texas federal court challenging the Consumer Financial Protection Bureau’s (“CFPB”) update this year to the Unfair, Deceptive, or Abusive Acts or Practices section of its examination manual to include discrimination.  Chamber of Commerce of the United States of America, et al. v. Consumer Financial Protection Bureau, et al., Case No. 6:22-cv-00381 (E.D. Tex.).

By way of background, the Consumer Financial Protection Act, which is Title X of the 2010 Dodd-Frank Act (the “Act”), prohibits providers of consumer financial products or services or a service provider from engaging in any unfair, deceptive or abusive act or practice (“UDAAP”).  The Act also provides the CFPB with rulemaking and enforcement authority to “prevent unfair, deceptive, or abusive acts or practices in connection with any transaction with a consumer for a consumer financial product or service, or the offering of a consumer financial product or service.”  See, e.g., https://files.consumerfinance.gov/f/documents/cfpb_unfair-deceptive-abusive-acts-practices-udaaps_procedures.pdf.  In general, the Act provides that an act or practice is unfair when it causes or is likely to cause substantial injury to consumers, which is not reasonably avoidable by consumers, and the injury is not outweighed by countervailing benefits to consumers or to competition.

The CFPB earlier this spring published revised examination guidelines on unfair, deceptive, or abusive acts and practices, or UDAAPs.  Importantly, this set forth a new position from the CFPB, that discrimination in the provision of consumer financial products and services can itself be a UDAAP.  This was a development that was surprising to many providers of financial products and services.  The CFPB also released an updated exam manual that outlined its position regarding how discriminatory conduct may qualify as a UDAAP in consumer finance.  Additionally, the CFPB in May 2022 published a Consumer Financial Protection Circular to remind the public of creditors’ adverse action notice requirements under the Equal Credit Opportunity Act (“ECOA”).  In the view of the CFPB, creditors cannot use technologies (including algorithmic decision making) if it means they are unable to provide required explanations under the ECOA.

In July 2022, the Chamber and others called on the CFPB to rescind the update to the manual.  This included, among other arguments raised in a white paper supporting their position, that in conflating the concepts of “unfairness” and “discrimination,” the CFPB ignores the Act’s text, structure, and legislative history, which discusses “unfairness” and “discrimination” as two separate concepts and defines “unfairness” without mentioning discrimination.

The Complaint filed this fall raises three claims under the Administrative Procedure Act (“APA”) in relation to the updated manual as well as others.  The Complaint contends that ultimately it is consumers that will suffer as a result of the CFPB’s new position, as “[t]hese amendments to the manual harm Plaintiffs’ members by imposing heavy compliance costs that are ultimately passed down to consumers in the form of higher prices and reduced access to products.”

The litigation process started by Plaintiffs in this case will be time consuming (a response to the Complaint is not expected from Defendants until December).  In the meantime, entities in the financial sector should be cognizant of the CFPB’s new approach and ensure that their compliance practices appropriately mitigate risk, including in relation to algorithmic decision making and AI.  As always, we will keep you up to date with the latest news on this litigation.


© Copyright 2022 Squire Patton Boggs (US) LLP

First BIPA Trial Results in $228M Judgment for Plaintiffs

Businesses defending class actions under the Illinois Biometric Information Privacy Act (BIPA) have struggled to defeat claims in recent years, as courts have rejected a succession of defenses.

We have been following this issue and have previously reported on this trend, which continued last week in the first BIPA class action to go to trial. The Illinois federal jury found that BNSF Railway Co. violated BIPA, resulting in a $228 million award to a class of more than 45,000 truck drivers.

Named plaintiff Richard Rogers filed suit in Illinois state court in April 2019, and BNSF removed the case to the US District Court for the Northern District of Illinois. Plaintiff alleged on behalf of a putative class of BNSF truck drivers that BNSF required the drivers to provide biometric identifiers in the form of fingerprints and hand geometry to access BNSF’s facilities. The lawsuit alleged BNSF violated BIPA by (i) failing to inform class members their biometric identifiers or information were being collected or stored prior to collection, (ii) failing to inform class members of the specific purpose and length of term for which the biometric identifiers or information were being collected, and (iii) failing to obtain informed written consent from class members prior to collection.

In October 2019, the court rejected BNSF’s legal defenses that the class’s BIPA claims were preempted by three federal statutes governing interstate commerce and transportation: the Federal Railroad Safety Act, the Interstate Commerce Commission Termination Act, and the Federal Aviation Administration Authorization Act. The court held that BIPA’s regulation of how BNSF obtained biometric identifiers or information did not unreasonably interfere with federal regulation of rail transportation, motor carrier prices, routes, or services, or safety and security of railroads.

Throughout the case, including at trial, BNSF also argued it should not be held liable where the biometric data was collected by its third-party contractor, Remprex LLC, which BNSF hired to process drivers at the gates of BNSF’s facilities. In March 2022, the court denied BNSF’s motion for summary judgment, pointing to evidence that BNSF employees were also involved in registering drivers in the biometric systems and that BNSF gave direction to Remprex regarding the management and use of the systems. The court concluded (correctly, as it turned out) that a jury could find that BNSF, not just Remprex, had violated BIPA.

The case proceeded to trial in October 2022 before US District Judge Matthew Kennelly. At trial, BNSF continued to argue it should not be held responsible for Remprex’s collection of drivers’ fingerprints. Plaintiff’s counsel argued BNSF could not avoid liability by pleading ignorance and pointing to a third-party contractor that BNSF controlled. Following a five-day trial and roughly one hour of deliberations, the jury returned a verdict in favor of the class, finding that BNSF recklessly or intentionally violated BIPA 45,600 times. The jury did not calculate damages. Rather, because BIPA provides for $5,000 in liquidated damages for every willful or reckless violation (and $1,000 for every negligent violation), Judge Kennelly applied BIPA’s damages provision, which resulted in a judgment of $228 million in damages. The judgment does not include attorneys’ fees, which plaintiff is entitled to and will inevitably seek under BIPA.

While an appeal will almost certainly follow, the BNSF case serves as a stark reminder of the potential exposure companies face under BIPA. Businesses that collect biometric data must ensure they do so in compliance with BIPA and other biometric privacy regulations. Where BIPA claims have been asserted, companies should promptly seek outside counsel to develop a legal strategy for a successful resolution.


© 2022 ArentFox Schiff LLP