By: Michael W. Ross

In an article published last month in Law360 (and reprinted in our Consumer Finance Observer periodical), our lawyers highlighted the increasing focus of government enforcement authorities on how companies are using “alternative data” in making consumer credit decisions. For example, the article highlighted that – as stated in a June 2019 fair lending report from the CFPB – “[t]he use of alternative data and modeling techniques may expand access to credit or lower credit cost and, at the same time, present fair lending risks.” Regulators have continued to focus on this area, including on the benefits and risks of using alternative data in lending decisions.

Earlier this month, the CFPB posted a widely reported-on blog entry on the benefits of using alternative data in lending decisions. The CFPB blog post provided an update to the public on the agency’s first and only no-action letter, issued to Upstart Network, Inc. in 2017. In that letter, the CFPB stated it had no intention of taking action against Upstart under the Equal Credit Opportunity Act (ECOA), which prohibits discrimination in lending, for using certain alternative data sources – particularly information about a borrower’s education and employment history – to make credit decisions. To obtain that letter, Upstart committed to implementing a risk management and compliance plan that included a process for analyzing the potential risk that its use of alternative data could lead to impermissible discrimination against protected classes of consumers.

In an article published by Law360, Jenner & Block Partner Amy M. Gallegos provides five best practices to help businesses minimize Telephone Consumer Protection Act (TCPA) wrong-number claims in the wake of Wells Fargo’s recent $17.85 million TCPA settlement.  Penalties against companies that make wrong-number calls can be substantial, and the article highlights the importance of a strong and thorough TCPA compliance program. 

To read the full article, please click here.

By: Gabriel K. Gillett and Katherine Rosoff

On August 7, 2019 the Second Circuit certified two questions to the New York Court of Appeals with broad implications for multi-jurisdictional class actions.  First, “whether New York recognizes ‘cross-jurisdictional class action tolling,’ i.e., tolling of a New York statute of limitations by the pendency of a class action in another jurisdiction.”  Chavez v. Occidental Chem. Corp., -- F.3d. --, 2019 WL 3673190, *1 (2d Cir. Aug. 7, 2019).  Second, “whether non-merits dismissal of class certification can terminate class action tolling” when dismissal included a “return jurisdiction” clause allowing the plaintiffs to renew their claims if they were unable to find an adequate forum in their home countries.  Id. 

The case was brought by agricultural workers from Costa Rica, Ecuador and Panama, alleging they suffered adverse health effects from a pesticide used on banana plantations.  The parties agree that their claims accrued no later than August 1993 and are subject to New York’s 3-year statute of limitations in personal injury actions.  However, the parties dispute whether plaintiffs’ claims were tolled by related actions filed in other jurisdictions.

By: Kara K. Trowell

On July 25, 2019, New York enacted the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act), which significantly amended the state’s data breach notification law to impose additional data security and data breach notification requirements on covered entities.

Expanded Definitions.

Under the new law, the definitions of “private information” and “breach of the security system” have been revised in ways that broaden the circumstances that qualify as a data “breach” and could trigger the notification requirements.  First, private information has been expanded to include:

• (a) financial account numbers that can be used alone to access a financial account;
• (b) biometric data used to authenticate an individual’s identity;
• (c) standalone data such as a user name or email address in combination with a password or security question and answer that would permit access to an online account; and
• (d) unsecured protected health information covered under HIPAA.

These changes effectively expand the types of situations covered by the law that could result in a breach of system security and trigger the notification requirements.

Second, the circumstances that qualify as a “breach” have been expanded to now include incidents that involve “access” to private information, regardless of whether they resulted in “acquisition” of that information.

By: Gabriel K. Gillett and Howard S. Suskin

In a decision issued on August 5, 2019, the US Court of Appeals for the Second Circuit created a split with other courts, including the Third Circuit, on the issue of whether there is a private right of action for rescission under the Investment Company Act (ICA).  The Second Circuit held that, based on the text of the statute and its legislative history, “ICA § 47(b)(2) creates an implied private right of action for a party to a contract that violates the ICA to seek rescission of that violative contract.”  Oxford University Bank v. Lansuppe Feeder Inc., No. 16-4061 (2d Cir. Aug. 5, 2019), Slip op. 23.  In so holding, the court acknowledged that it was creating a circuit split:

We note that the Third Circuit and several lower courts have reached the opposite result.  In Santomenno ex rel. John Hancock Trust v. John Hancock Life Ins. Co., 677 F.3d 178 (3d Cir. 2012), the Third Circuit found plaintiffs lacked a private right of action to seek rescission under § 47(b).  Plaintiffs in Santomenno alleged violations of ICA § 26(f), which makes it unlawful to pay ‘fees and charges’ on certain insurance contracts that exceed what is ‘reasonable,’ id. at 187, and sought rescission (in addition to monetary damages).  The court in Santomenno found that plaintiffs did not have a cause of action.  We do not find the reasoning in Santomenno persuasive. 

Slip op. 21-22.

Litigators should watch to see how other courts weigh in, and whether the Supreme Court ultimately takes up the issue to resolve the split.

Gabriel Gillett is an Associate in Jenner & Block’s Appellate & Supreme Court Practice in Chicago.   Howard Suskin is a Partner and Co-Chair of the Securities Litigation Practice Group at the firm.

By: David P. Saunders

At the risk of stating the obvious, everyone uses email. It has become a central component of both our daily lives and, of course our businesses.  As we transform into a fully digital,
corporate world, there are those who have sought to exploit the growing reliance on email.  Spammers, hackers, and of course, phishers.  No, not the people who go to those really long concerts; we are talking about email scammers who purport to tell you that your UPS package has arrived, but all you need to do is click a link and enter some information.  These scams can cripple a business, and trying to prevent these scams is difficult because in many ways, the solution relies on removing human error.

Enter the Financial Crimes Enforcement Network (FinCEN), a bureau of the U.S. Treasury Department that collects and analyzes information about financial transactions in order to combat domestic and international money laundering, terrorist financing, and other financial crimes.  FinCEN recently held a forum aimed at discussing ways to identify and curtail business email scammers.  The forum, held in New York City, analyzed the trends in business email scams.  At the forum, FinCEN released a report indicating that reporting of business email scams had more than doubled between 2016 and 2018.  The report also detailed that fake invoice scams grew as a methodology, and that manufacturing and construction businesses were top targets.