November 5, 2019 The Intersection of the California Consumer Privacy Act and California’s Preexisting Consumer Protection Statutes

By Kate T. Spelman

With the close of the California state legislative session on Sept. 14, 2019, the final shape of the California Consumer Privacy Act (CCPA)—which is set to take effect on Jan. 1, 2020—came into focus. The most recent amendments included carve-outs for business-to-business contracts and employee records, though both sunset after a year. While the statutory language is settled for now, many questions remain about how it will be enforced. The Attorney General has issued proposed regulations clarifying some of this uncertainty. However, one issue that may be left for future judicial interpretation is the interplay between the CCPA and California’s preexisting consumer protection statutes such as the Unfair Competition Law (UCL) and the Consumer Legal Remedies Act (CLRA). As discussed below, the CCPA contains an explicit prohibition, along with implicit safe harbors, likely to limit certain UCL and/or CLRA claims related to the use or disclosure of information subject to the CCPA.

The CCPA Likely Bars Derivative UCL Claims

The CCPA provides for enforcement by the Attorney General, but §1798.150(a) creates a private right of action for consumers whose personal information “is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices.” Despite several legislative attempts to broaden the private right of action—which were supported by California’s Attorney General—it is currently limited to “violations as defined in subdivision (a),” precluding CCPA claims related to violations of other statutory provisions. (Notably, the CCPA contains no express provision permitting attorney fees for prosecution of claims under §1798.150, though plaintiffs’ attorneys may argue that such fees should be awarded as “other relief the court deems proper” (§1798.150(a)(1)(C)), or pursuant to the private attorney general attorney fee statute, CCP §1021.5.)

Given the narrow private right of action in the CCPA, consumers may seek an indirect route to CCPA liability under the “unlawful” prong of the UCL, which prohibits business practices that violate another law. However, §1798.150(c) of the CCPA states that “[n]othing in this title shall be interpreted to serve as the basis for a private right of action under any other law.” While California courts have held that the absence of a statutory private right of action does not preclude derivative UCL liability, a plaintiff may not “plead around an absolute bar to relief simply by recasting the cause of action as one for unfair competition.” Cel-Tech Commc’ns v. Los Angeles Cellular Tel. Co., 20 Cal. 4th 163, 182 (1999) (emphasis added). In other words, statutes that explicitly preclude private rights of action cannot be enforced through the UCL. For this reason, courts have rejected UCL “unlawful” claims where, for example, the predicate statute expressly exempted the defendants from liability for the alleged violation at issue, or stated that it was “not intended to create new civil causes of action.” Hobby Indus. Assn. of Am. v. Younger, 101 Cal. App. 3d 358, 370 (1980); LegalForce RAPC Worldwide P.C. v. UpCounsel, No. 18-02573, 2019 WL 160335, at *16 (N.D. Cal. Jan. 10, 2019). The CCPA’s admonition that the statute not be interpreted to “serve as the basis for a private right of action under any other law” is a strong basis on which a court could preclude UCL claims based on the same rationale.

Separate and apart from the statutory bar, consumers may lack standing to seek redress under the UCL for violations of the CCPA. This is because the UCL requires proof that a plaintiff “has lost money or property as a result of the unfair competition” (Cal. Bus. & Prof. Code §17204), and a plaintiff may need to allege something more than, for example, the unlawful collection or sale of her personal information to satisfy this requirement.

The CCPA May Provide ‘Safe Harbor’ Protections Against Other Consumer Protection Claims

Even assuming a bar against UCL “unlawful” claims based on express CCPA violations, consumers may assert UCL or CLRA claims based on allegedly unfair or deceptive conduct related to the collection, sale, or disclosure of personal information when such conduct does not directly violate the CCPA. In those cases, compliance with the CCPA could defeat UCL or CLRA claims that implicate conduct permitted by the CCPA or its implementing regulations, since the California Supreme Court has held that “[w]hen specific legislation provides a ‘safe harbor,’ plaintiffs may not use the general unfair competition law to assault that harbor.” Cel-Tech Commc’ns, 20 Cal. 4th at 182; see also Alvarez v. Chevron, 656 F.3d 925, 934 (9th Cir. 2011) (safe harbor provisions of California regulations prohibited CLRA claim). For example, a UCL or CLRA claim related to a business’ allegedly deceptive sale of consumers’ personal information to third parties may be barred by the business’s provision of a “clear and conspicuous” opt-out link on its Internet homepage in compliance with CCPA §1798.135(a). Additionally, a UCL or CLRA claim related to a business’ practice of charging more to consumers who prohibit that business from selling their personal information may be precluded if the difference is “reasonably related to the value provided to the business by the consumer’s data,” as permitted by CCPA §1798.125.

Thus, while the CCPA imposes new and arguably stringent requirements for businesses handling personal information, compliance with those requirements could provide protection against UCL and CLRA lawsuits regarding the allegedly deceptive treatment of consumers’ personal information.

Reprinted with permission from the November 5 issue of The Recorder. © [2019] ALM Media Properties, LLC. Further duplication without permission is prohibited. All rights reserved. The original article can be viewed here.

October 14, 2019 California Attorney General Issues Proposed CCPA Guidelines

By: David P. Saunders

On October 10, 2019, the California Attorney General surprised many by issuing 24 pages of proposed regulations implementing the California Consumer Privacy Act of 2018 (CCPA). On review, the proposed regulations have left many in the industry shaking their heads. Absent from the proposed regulations is much of the clarity that industry participants were hoping for. In its place are additional obligations that not only risk confusing consumers, but that likely will pose administrative and logistical challenges.

Public comment on the proposed regulations is open through 5:00 pm PST on December 6, 2019.  Interested parties can submit comments by e-mail to or by mailing comments to the Privacy Regulations Coordinator, California Office of the Attorney General, 300 South Spring Street, First Floor, Los Angeles, CA 90013.  Additionally, the Attorney General will be holding four public hearings on the new proposed regulations, the schedule of which is available here. 

In the meantime, let us examine the proposed regulations...


September 25, 2019 FinCEN Has Eye on Sports Betting, Crypto Money Laundering Risks

In an article published by Bloomberg, Partners Reid J. Schar and Wade A. Thomson and Associate E.K. McWilliams highlight a recent speech by the director of the Financial Crimes Enforcement Network (FinCEN), an arm of the Treasury Department. Speaking at an anti-money laundering conference in Las Vegas, FinCEN Director Kenneth A. Blanco affirmed the Department’s commitment to enforcing the Bank Secrecy Act on casinos and other businesses that deal in cryptocurrency. The authors give context to the speech and discuss its implications for brick-and-mortar and online gaming establishments.


September 23, 2019 California Enacts AB 5, Gig Worker Bill

By: Amy Egerton-Wiley

On September 18, 2019, Governor Gavin Newsom signed Assembly Bill 5 (AB 5) into law, which is intended to reclassify many of the state’s independent contractors as employees. Proponents of the bill claim that the bill rectifies misclassification of employees as independent contractors. Opponents, which include both workers and companies, note the importance of the flexibility of independent contractors and worry about the increased costs to consumers.

This bill largely codifies the “ABC” test established by the California Supreme Court in Dynamex v. Superior Court, 4 Cal. 5th 903 (2018). Under the ABC test, a worker must be classified as an employee (versus an independent contractor) unless the hiring entity can establish:

(A) that the worker is “free from the control and direction of the hiring entity in connection with the performance of the work,”

(B) that the worker “performs work that is outside the usual course of the hiring entity's business,” and

(C) that the worker is “customarily engaged in an independently established trade, occupation, or business.”

Dynamex, 4 Cal. 5th at 964.

AB 5 expands the ABC test to certain areas not explicitly subject to Dynamex, such as reimbursements for expenses incurred in the course of employment.  Of course, companies that rely on independent contractors will be impacted by this legislation.

While AB 5 will not take effect until January 1, 2020, it may impact ongoing litigation, such as the San Diego City Attorney’s recent lawsuit against the grocery delivery service Instacart, which alleges that the company misclassified workers as independent contractors.  And it remains to be seen whether the law will be subject to a challenge via referendum or in the courts.

September 18, 2019 A Brief History of the Consumer Financial Protection Bureau Payday Lending Rule

By: Alexander N. Ghantous

Between 2013 and 2016, the Consumer Financial Protection Bureau (CFPB) issued no fewer than six white papers or reports relating to payday loan protections.[1] On the date of the last report, June 2, 2016, the CFPB issued a proposed rule[2], and on October 5, 2017, a final rule issued that addresses payday loans, auto title loans, and other loans that require the entire loan balance, or the majority of a loan balance, be repaid at once.[3] The rule’s stated objective was to eliminate “payday debt traps” by, among other things, addressing underwriting through establishing “ability-to-repay” protections that vary by loan type.[4]

Under the final rule, for payday loans, auto title loans, and other loans comprised of lengthier terms and balloon payments, the CFPB would require a “‘full-payment’ test” to establish that borrowers can afford to pay back the loan and also limits the quantity of loans taken “in quick succession” to only three.[5]  The rule also lays out two instances when the “full-payment” test is not required:  (1) borrowing up to $500 when the loan balance can be repaid at a more gradual pace; and (2) taking loans that are less risky, such as personal loans taken in smaller amounts.[6]  The rule would also establish a “debit attempt cutoff,” which requires lenders to obtain renewed authorization from a borrower after two consecutive unsuccessful debits on a borrower’s account.[7]  The rule was scheduled to become effective one year and 9 months after being published by the Federal Register, which was last month[8] (the rule was published on November 17, 2017[9]).     

However, on February 6, 2019,  the CFPB announced that it was proposing to issue a new rule to rescind the underwriting provisions of the prior rule, namely, the requirements for payday loans, auto title loans, and other loans comprised of lengthier terms and balloon payments.[10]  According to the CFPB’s preliminary findings, overturning the requirements would make credit more readily available to consumers.[11]  That same day, the CFPB also proposed pushing the rule’s compliance date from August 19, 2019 to November 19, 2020.[12]

On June 6, 2019, the CFPB issued a final rule to delay the compliance date for the mandatory underwriting provisions of the 2017 final rule to November 19, 2020 in order to provide additional time to permit an orderly conclusion to its separate rulemaking process to reconsider the mandatory underwriting provisions.[13]  Note that the payment provisions of the final rule, which address withdrawing payments from accounts, have not been delayed by rulemaking, and the CFPB has made no move to rescind those provisions.[14]  However, the CFPB also has not opposed the compliance date for those provisions being stayed through at least December 6, 2019, in connection with a lawsuit in the Western District of Texas that challenges the rulemaking.[15]

Thus, the earliest that any part of the rule will go into effect is December 2019.


[1] Consumer Fin. Prot. Bureau, (last visited Sept. 18, 2019).

[2] Consumer Fin. Prot. Bureau, (June 2, 2016). 

[3] Consumer Fin. Prot. Bureau, (Oct. 5, 2017).

[4] Id.

[5] Id.

[6] Id.

[7] Id.

[8] Id.

[9] Payday, Vehicle Title, and Certain High-Cost Installment Loans, 82 FR 54472-01

[10] Consumer Fin. Prot. Bureau, (Feb. 6, 2019).

[11] Id.

[12] Id.

[13] Consumer Fin. Prot. Bureau, (last visited Sept. 18, 2019).

[14] Consumer Fin. Prot. Bureau, (Feb. 6, 2019).

[15] Cmty. Fin. Servs. Ass’n of Am., Ltd. v. Consumer Fin. Prot. Bureau, No. 1:18-cv-00295-LY (Tex. Dist. Aug. 6, 2019) (order staying litigation and compliance date).    


September 12, 2019 HUD’s FHA Lender Annual Certification Statements May Significantly Reduce FHA Lender Risk of False Claims Act Liability

By: Damon Y. Smith

September 13, 2019 is the deadline for comments on HUD’s proposed changes to FHA Lender Annual Certification Statements. The most significant changes include elimination of, inter alia:

  • Broad certification language stating that the operations of the lender conformed to all HUD regulations and requirements;
  • Acknowledgements that lenders are responsible for the actions of their employees, including loan underwriters and originators;
  • General certifications that the lender is not under indictment for or convicted of offenses that reflect adversely on its integrity, competence or fitness;
  • Certifications involving criminal misconduct on the part of lender staff, including mortgage underwriters and originators; and
  • Certifications regarding compliance with the SAFE Act.

These changes represent a dramatic departure from the prior administration, which brought False Claims Act claims against lenders for submitting the certifications to be eligible for FHA programs while underwriting loans that they allegedly knew were not in compliance with FHA’s regulatory requirements.   See, e.g.,  Because the False Claims Act liability allows for treble damages, some considered the risk of substantial liability to be too high for further participation in FHA’s single family programs.  See

If adopted, the new certification may lead to additional interest in FHA programs from lenders who curtailed or ended their participation because of the potential risks associated with the prior certification. 

The Federal Register Notice can be found here.

September 11, 2019 DC Court Again Dismisses Challenge to OCC’s FinTech Charter, Splitting with SDNY

By: William S. C. Goldstein

On September 3, 2019, a federal district court in the District of Columbia dismissed, for the second time, a lawsuit brought by the Conference of State Bank Supervisors (CSBS) seeking to block the Office of the Comptroller of the Currency (OCC) from issuing national bank charters to certain non-bank financial technology (FinTech) companies. Conference of State Bank Supervisors v. Office of the Comptroller of the Currency, No. 18-cv-2449, slip op. at 1-6 (D.D.C. Sept. 3, 2019) (CSBS II). CSBS’s earlier suit, brought in 2017, was previously dismissed by Judge Dabney Friedrich as premature: Because OCC had not yet finalized its procedure for accepting FinTech charter applications, let alone received any applications, Judge Friedrich found that CSBS’s claims were unripe and alleged no injury sufficient for standing. CSBS v. OCC, 313 F. Supp. 3d 285, 296-301 (D.D.C. 2018). In October 2018, CSBS brought suit again—this time after OCC had finalized its procedures for accepting FinTech charter applications, albeit before OCC had actually received any applications. CSBS II, slip op. at 2. Judge Friedrich held that neither this change nor the Senate’s confirmation of Joseph Otting as Comptroller of the Currency, another change in the facts highlighted by CSBS, “cure[s] the original jurisdictional deficiency.” Id. (alteration in original; citation omitted). The court pointedly explained that “it will lack jurisdiction over CSBS’s claims at least until a Fintech applies for a charter.” Id. at 5.

In dismissing CSBS’s suit for lack of standing, Judge Friedrich found herself in disagreement with Judge Victor Marrero of the Southern District of New York.  Judge Marrero held in May of this year, on a very similar record, that the New York State Department of Financial Services (DFS) had standing to challenge OCC’s FinTech plans—and that DFS was right on the merits, essentially blocking OCC from issuing FinTech charters.  See Vullo v. OCC, 378 F. Supp. 3d 271 (S.D.N.Y. 2019).  Judge Friedrich “respectfully disagree[d] with Vullo, to the extent that its reasoning conflicts with either this opinion or CSBS I.” CSBS II, slip op. at 2 n.2.  The heart of the divergence seems to be Judge Friedrich’s conclusion that there could be no jurisdiction at least until OCC received a charter application. Id. at 5. Judge Marrero, by contrast, found that OCC “has the clear expectation of issuing [FinTech] charters” and thus that “DFS has demonstrated a ‘substantial risk that harm will occur.’” Vullo, 378 F. Supp. 3d at 288 (citation omitted).  Due to that difference of opinions, CSBS will have to wait at least until a FinTech company applies for a charter before filing again.  Such an application may not be forthcoming, as the SDNY’s ruling may keep any FinTech companies from applying for a charter in the near future, given the legal uncertainty.  The parties in Vullo are in the process of negotiating the language of a proposed final judgment to submit to the court, presumably to allow for OCC to take an appeal to the Second Circuit. See Endorsed Letter, Lacewell v. OCC, No. 18-cv-8377 (S.D.N.Y. Aug. 28, 2019), ECF No. 38.



September 6, 2019 Eleventh Circuit Rules: Receiving Text Message Was Not Injury Under the TCPA

By: Olivia Hoffman

The Eleventh Circuit recently decided a case that raised the bar for pleading injury under the Telephone Consumer Privacy Act (TCPA), 47 U.S.C. § 227, noting its disagreement with an earlier decision from the Ninth Circuit on the same issue and creating a possible roadblock for future plaintiff classes seeking to assert claims under the TCPA.

In Salcedo v. Hanna, the Eleventh Circuit held that “receiving a single unsolicited text message” in violation of the TCPA was not a “concrete injury” sufficient to confer standing on the plaintiff.[1]  The case arose out of a text message that plaintiff John Salcedo received from his former attorney, defendant Alex Hanna, offering Salcedo a discount on Hanna’s services.  According to Salcedo, receiving the text message “caused [him] to waste his time answering or otherwise addressing the message” and “resulted in an invasion of [his] privacy and right to enjoy the full utility of his cellular device.”[2]  Salcedo filed a class action complaint in the Southern District of Florida on behalf of a class of former clients of Hanna who had received similar unsolicited text messages.  Salcedo demanded statutory damages of $500 per text message and treble damages of $1,500 per text message for knowing or willful violations of the statute.

The case went up to the Eleventh Circuit on interlocutory appeal.  The court held that Salcedo’s receipt of a single unwanted text message from his former lawyer was not a concrete injury for the purpose of Article III.  It distinguished other unsolicited, one-off communications that have sufficed to confer standing, such as a junk fax—which, the court noted, rendered the plaintiff’s fax machine “unavailable for legitimate business messages” for “a full minute” and also used the plaintiff’s paper and ink.[3]  Here, by contrast, Salcedo had failed to allege that the text message cost him any money or interfered with his use of his cellular phone for a specific amount of time.  The court also observed that not only is the TCPA silent on text messages, but “the receipt of a single text message is qualitatively different from the kinds of things Congress was concerned about when it enacted the TCPA,” which involved more serious privacy and nuisance issues.[4]  Ultimately, the court concluded that the receipt of a single text message, while perhaps “[a]nnoying,” was “not a basis for invoking the jurisdiction of the federal courts.”[5]

In reaching this conclusion, the Eleventh Circuit explicitly rejected the reasoning of the Ninth Circuit—the only other Circuit to directly address the issue of whether receipt of a text message, on its own, constitutes injury under the TCPA—in a similar case.  Indeed, in Van Patten v. Vertical Fitness Group, LLC, the Ninth Circuit held that unwanted text messages implicate the same kinds of concerns as unsolicited calls, reasoning that the receipt of unwanted telemarketing text messages “present[s] the precise harm and infringe[s] the same privacy interests Congress sought to protect in enacting the TCPA.”[6]

The Eleventh Circuit’s opinion in Salcedo does not impose a per se bar on TCPA claims based on the receipt of unsolicited text messages.  Rather, it requires plaintiffs pleading claims under the TCPA to allege a “particular loss of opportunity,” or to allege “specifically” that the defendant’s text message cost them money or deprived them of the use of their device for a period of time.[7]  Under this framework, the question of whether an individual has suffered a concrete injury sufficient to confer standing is a highly individualized and fact-specific inquiry.  As a result, as some commentators have noted, plaintiffs seeking to assert claims under the TCPA on behalf of a class may struggle to establish, for example, that the questions of law or fact common to the class members predominate, or that a class action is a superior vehicle for resolving the dispute.[8]   


[1] Salcedo v. Hanna, No. 17-14077, 2019 WL 4050424, at *1 (11th Cir. Aug. 28, 2019).

[2] Id. at *3.

[3] Id. at *3-*4.

[4] Id. at *4.

[5] Id. at *7.

[6] 847 F.3d 1037, 1043 (9th Cir. 2017).

[7] 2019 WL 4050424, at *3-*4.

[8] See Fed. R. Civ. P. 23.

August 19, 2019 Regulators Continue to Focus on the Use of Alternative Data

By: Michael W. Ross

In an article published last month in Law360 (and reprinted in our Consumer Finance Observer periodical), our lawyers highlighted the increasing focus of government enforcement authorities on how companies are using “alternative data” in making consumer credit decisions. For example, the article highlighted that – as stated in a June 2019 fair lending report from the CFPB – “[t]he use of alternative data and modeling techniques may expand access to credit or lower credit cost and, at the same time, present fair lending risks.” Regulators have continued to focus on this area, including on the benefits and risks of using alternative data in lending decisions.

Earlier this month, the CFPB posted a widely reported-on blog entry on the benefits of using alternative data in lending decisions. The CFPB blog post provided an update to the public on the agency’s first and only no-action letter, issued to Upstart Network, Inc. in 2017. In that letter, the CFPB stated it had no intention of taking action against Upstart under the Equal Credit Opportunity Act (ECOA), which prohibits discrimination in lending, for using certain alternative data sources – particularly information about a borrower’s education and employment history – to make credit decisions. To obtain that letter, Upstart committed to implementing a risk management and compliance plan that included a process for analyzing the potential risk that its use of alternative data could lead to impermissible discrimination against protected classes of consumers.

The CFPB’s blog post reported on the results of Upstart analyzing almost two years of data from its risk management process. Its data showed that Upstart’s model approved 27 percent more applicants than would have been approved by a traditional underwriting model (i.e., one that did not use alternative data and machine learning), and led to 16 percent lower average APRs for approved loans. The CFPB also reported that expansion of credit occurred “across all tested race, ethnicity, and sex segments,” and resulted in particular increases in approval among applicants under twenty-five, those with incomes under $50,000, and those with “near prime” credit scores.[1] These results hearken back to a report by the Philadelphia Federal Reserve in 2017 concluding that the use of alternative data in credit decisions (in that case, relying on data from another FinTech lender, Lending Club) expanded access to credit in underserved areas at a lower cost than would otherwise be available.

The news of Upstart’s results was widely reported, as the use of alternative data in consumer lending remains a hot topic that regulators and legislators are continuing to watch closely.


[1] Government agencies and legislators also continue to focus on the potential risks of alternative data. In June, for example, Senators Warren and Jones wrote a letter to various government regulators highlighting concerns that using algorithms in underwriting decisions could lead to unlawful discrimination.



August 15, 2019 5 Best Practices to Avoid TCPA Wrong-Number Claims

In an article published by Law360, Jenner & Block Partner Amy M. Gallegos provides five best practices to help businesses minimize Telephone Consumer Protection Act (TCPA) wrong-number claims in the wake of Wells Fargo’s recent $17.85 million TCPA settlement. Penalties against companies that make wrong-number calls can be substantial, and the article highlights the importance of a strong and thorough TCPA compliance program.


August 14, 2019 Second Circuit Asks: Will New York Recognize Cross-Jurisdictional Class Action Tolling?


By: Gabriel K. Gillett and Katherine Rosoff

On August 7, 2019, the Second Circuit certified two questions to the New York Court of Appeals with broad implications for multi-jurisdictional class actions. First, “whether New York recognizes ‘cross-jurisdictional class action tolling,’ i.e., tolling of a New York statute of limitations by the pendency of a class action in another jurisdiction.” Chavez v. Occidental Chem. Corp., -- F.3d. --, 2019 WL 3673190, *1 (2d Cir. Aug. 7, 2019). Second, “whether non-merits dismissal of class certification can terminate class action tolling” when dismissal included a “return jurisdiction” clause allowing the plaintiffs to renew their claims if they were unable to find an adequate forum in their home countries. Id.

The case was brought by agricultural workers from Costa Rica, Ecuador and Panama, alleging they suffered adverse health effects from a pesticide used on banana plantations.  The parties agree that their claims accrued no later than August 1993 and are subject to New York’s 3-year statute of limitations in personal injury actions.  However, the parties dispute whether plaintiffs’ claims were tolled by related actions filed in other jurisdictions.

Judge Sack, writing for Judges Raggi and Carney, found no clear case law on whether New York State would recognize cross-jurisdictional class action tolling.  The panel explained that, although New York has adopted the federal rule from American Pipe Construction Co. v. Utah, 414 U.S. 538 (1974) that allows for class-action tolling, New York state courts have not determined whether New York would apply that rule to class actions in other jurisdictions.  Courts within the Second Circuit that have been tasked with predicting New York’s ruling on the issue are split.  See, e.g., Chavez, 2019 WL 3673190, at *7 n.5.  So too, the Second Circuit recognized, are courts in other states that have faced the same issue.  Id. 

Faced with a thorny question of state law, the Second Circuit asked the New York Court of Appeals to weigh in.  See Second Circuit Local Rule 27.2; 22 NYCRR § 500.27.  The Court of Appeals will decide whether to accept the question, and if it does, it may order briefing and argument on the merits consistent with the court’s rules.


August 7, 2019 New York SHIELD Act Expands Data Security and Breach Notification Requirements

By: Kara K. Trowell

On July 25, 2019, New York enacted the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act), which significantly amended the state’s data breach notification law to impose additional data security and data breach notification requirements on covered entities.

Expanded Definitions.

Under the new law, the definitions of “private information” and “breach of the security system” have been revised in ways that broaden the circumstances that qualify as a data “breach” and could trigger the notification requirements.  First, private information has been expanded to include:

  • (a) financial account numbers that can be used alone to access a financial account;
  • (b) biometric data used to authenticate an individual’s identity;
  • (c) standalone data such as a user name or email address in combination with a password or security question and answer that would permit access to an online account; and
  • (d) unsecured protected health information covered under HIPAA.

These changes effectively expand the types of situations covered by the law that could result in a breach of system security and trigger the notification requirements.

Second, the circumstances that qualify as a “breach” have been expanded to now include incidents that involve “access” to private information, regardless of whether they resulted in “acquisition” of that information.

Expanded Coverage.

Moreover, the SHIELD Act also expanded its data breach notification requirements to mandate compliance by any person or business that owns or licenses computerized data that includes the private information of New York residents, regardless of whether the person or business conducts business in New York.  It provides for exemptions under certain circumstances, such as when the “exposure of private information” was an “inadvertent disclosure and the individual or business reasonably determines such exposure will not likely result in misuse of such information, or financial harm to the affected persons or emotional harm in the case of unknown disclosure of online credentials.”  Additionally, while businesses that are already regulated by and comply with data breach notice requirements under certain state and federal cybersecurity laws, such as HIPAA, GLBA and NY DFS Reg. 500, must also notify the state Attorney General, Department of State Division of Consumer Protection and Division of the State Police, they need not further notify affected New York residents.

New “Reasonable” Data Security Requirements.

The SHIELD Act also enacted requirements for covered entities to implement reasonable administrative, technical and physical safeguards to protect the security, confidentiality and integrity of sensitive data, and the law itself provides examples of “reasonable practices.”  Again, compliance is presumed for businesses that are already in compliance with applicable laws such as HIPAA and the GLBA.  Notably, there is a limited exemption to the requirement for small businesses, which are defined as any business with fewer than 50 employees, less than $3 million in gross annual revenue in each of the last three years, or less than $5 million in year-end total assets.

Enforcement and Penalties for Non-Compliance.

The SHIELD Act does not provide consumers with a private right of action, but instead permits an attorney general to bring an action to enjoin violations of the law and obtain civil penalties. For data breach notification violations that are neither reckless nor knowing, a court may award damages for actual costs or losses incurred by a person entitled to notice, including consequential financial losses. For reckless or knowing violations, a court may impose increased penalties of the greater of $5,000 or up to $20 per instance for a maximum of $250,000. For violations of the reasonable safeguard requirements, a court may impose penalties of not more than $5,000 per violation. The time for commencing an action under the law has also been increased from two to three years from the date on which the attorney general became aware of the violation, or the date that the covered entity provided notice of the breach. No action may be brought after six years from the date the breach was discovered unless the company took steps to hide the breach.

The SHIELD Act takes effect on March 21, 2020.


August 6, 2019 Second Circuit Creates Split on Investment Company Act Private Right of Action

By: Gabriel K. Gillett and Howard S. Suskin

In a decision issued on August 5, 2019, the US Court of Appeals for the Second Circuit created a split with other courts, including the Third Circuit, on the issue of whether there is a private right of action for rescission under the Investment Company Act (ICA). The Second Circuit held that, based on the text of the statute and its legislative history, “ICA § 47(b)(2) creates an implied private right of action for a party to a contract that violates the ICA to seek rescission of that violative contract.” Oxford University Bank v. Lansuppe Feeder Inc., No. 16-4061 (2d Cir. Aug. 5, 2019), Slip op. 23. In so holding, the court acknowledged that it was creating a circuit split:

We note that the Third Circuit and several lower courts have reached the opposite result.  In Santomenno ex rel. John Hancock Trust v. John Hancock Life Ins. Co., 677 F.3d 178 (3d Cir. 2012), the Third Circuit found plaintiffs lacked a private right of action to seek rescission under § 47(b).  Plaintiffs in Santomenno alleged violations of ICA § 26(f), which makes it unlawful to pay ‘fees and charges’ on certain insurance contracts that exceed what is ‘reasonable,’ id. at 187, and sought rescission (in addition to monetary damages).  The court in Santomenno found that plaintiffs did not have a cause of action.  We do not find the reasoning in Santomenno persuasive. 

Slip op. 21-22.

Litigators should watch to see how other courts weigh in, and whether the Supreme Court ultimately takes up the issue to resolve the split.

Gabriel Gillett is an Associate in Jenner & Block’s Appellate & Supreme Court Practice in Chicago.   Howard Suskin is a Partner and Co-Chair of the Securities Litigation Practice Group at the firm.


August 5, 2019 FinCen Issues Report on Business Email Scams

By: David P. Saunders

At the risk of stating the obvious, everyone uses email. It has become a central component of both our daily lives and, of course, our businesses. As we transform into a fully digital, corporate world, there are those who have sought to exploit the growing reliance on email. Spammers, hackers, and of course, phishers. No, not the people who go to those really long concerts; we are talking about email scammers who purport to tell you that your UPS package has arrived, but all you need to do is click a link and enter some information. These scams can cripple a business, and trying to prevent these scams is difficult because in many ways, the solution relies on removing human error.

Enter the Financial Crimes Enforcement Network (FinCEN), a bureau of the U.S. Treasury Department that collects and analyzes information about financial transactions in order to combat domestic and international money laundering, terrorist financing, and other financial crimes.  FinCEN recently held a forum aimed at discussing ways to identify and curtail business email scammers.  The forum, held in New York City, analyzed the trends in business email scams.  At the forum, FinCEN released a report indicating that reporting of business email scams had more than doubled between 2016 and 2018.  The report also detailed that fake invoice scams grew as a methodology, and that manufacturing and construction businesses were top targets.

While knowledge and preparation are critical to defending a business from email scams, the reality of today’s world is that it is inevitable that a scam will succeed from time to time.  And that is where FinCEN’s Rapid Response Program comes in.  The program was established in 2014 to assist businesses seeking to report and attempt to recover the loss of funds resulting from, among other things, e-mail scams.  It has helped to recover more than $500 million in funds.  According to FinCEN, “[u]nder the program, when U.S. law enforcement receives a [scamming] complaint from a victim or a financial institution, the relevant information is forwarded to FinCEN, which moves quickly to track and recover the funds.  The program utilizes FinCEN’s ability to rapidly share information with counterpart Financial Intelligence Units (FIU) in more than 164 jurisdictions, and leverages these relationships to encourage foreign authorities to intercede and hold funds or reverse wire transfers.”  See  This is an important tool in a business’ toolbox when it comes to remediating the harm of an email scam.  For information about the program, businesses can contact

July 30, 2019 Crypto Corner – Updates on Cryptocurrency

By: Michael W. Ross

In the first half of 2019, the “crypto-winter” that had set in during 2018 appeared to see signs of a thaw, albeit with new regulatory developments and controversy continuing to characterize the space. On the regulatory front, the Securities and Exchange Commission (SEC) issued more detailed guidelines for companies seeking to sell digital tokens. The 13-page “Framework for ‘Investment Contract’ Analysis of Digital Assets” provides a detailed analysis of the factors relevant to the Howey test that the SEC uses to determine the existence of a security (and all that designation entails). At the same time, the SEC issued a no-action letter for a company that had represented it would not be using its tokens to fund the development of the token network, and that the tokens would be immediately usable—underscoring two key factors of the SEC’s assessment. In another development, the Financial Action Task Force (FATF)—a global inter-governmental organization focused on fighting money-laundering—issued new guidelines on cryptocurrency companies operating in its 37 member countries, including requirements about collecting user information. FINRA has also decided to continue a reporting initiative it announced last year.

On the news-making front, much industry attention was paid to the SEC’s suit against a Canadian messaging company called Kik Interactive, alleging that Kik propped up its failing business by pivoting to an unregistered token offering through which it raised $100 million. Some have viewed the case as one to watch to see whether courts will view digital tokens the same way as the SEC has. More recently, focus on developments at the SEC has been overtaken by news of Facebook’s anticipated Libra token. Built on a permissioned blockchain network overseen by a litany of household names, and backed by a basket of traditional assets, the Libra token met early news of its potential to change the game for cryptocurrency. More recent weeks have seen a flurry of commentary by regulators and legislators focused on the need to analyze the token under existing financial services laws, as well as concerns about money-laundering, consumer protection and privacy. For those interested in the space, it will be worth monitoring further developments as they unfold.

