Saturday, August 20, 2022

FYI: 7th Cir Upholds Dismissal of Case for Lack of Standing at Summary Judgment Stage

The U.S. Court of Appeals for the Seventh Circuit recently affirmed a trial court's dismissal of a lawsuit at the summary judgment stage for lack of Article III standing.

 

In so ruling, the Seventh Circuit held that, when litigation moves beyond the pleading stage and Article III standing is challenged as a factual matter, plaintiffs cannot rely on mere allegations of injury.  Instead, they must provide evidence of a legally cognizable injury in fact.

 

A copy of the opinion is available at:  Link to Opinion

 

A magazine article described a controlled hack of a vehicle that exploited a vulnerability in the vehicle's "infotainment" system. The vehicle's manufacturer immediately issued a recall and provided a free software update to patch the vulnerability. Federal regulators supervising the recall determined that the patch eliminated the vulnerability.

 

Four plaintiffs sued the manufacturer and the designer of the infotainment system on behalf of every consumer who had purchased or leased 2013–2015 vehicles from the same manufacturer equipped with the same system, asserting federal and state warranty and consumer-fraud claims. The plaintiffs argued that, although the alleged defect never manifested again after the hack described in the magazine, they paid more for their vehicles than they would have if they had known about the cybersecurity vulnerability.

 

While discovery proceeded, the original trial judge overseeing the case retired, and the case was reassigned. After discovery closed, the plaintiffs failed to provide evidence in support of their claimed overpayment injury when faced with a motion to dismiss challenging their Article III standing.

 

The trial court thus dismissed the case for lack of standing, and the plaintiffs timely appealed.

 

As you may recall, the Constitution limits the jurisdiction of the federal courts to "Cases" and "Controversies." U.S. CONST. art. III, § 2. Standing is an essential component of the case-or-controversy requirement, Lujan v. Defs. of Wildlife, 504 U.S. 555, 560 (1992), and consists of three familiar elements: the plaintiff must have "(1) suffered an injury in fact, (2) that is fairly traceable to the challenged conduct of the defendant, and (3) that is likely to be redressed by a favorable judicial decision," Spokeo, Inc. v. Robins, 136 S. Ct. 1540, 1547 (2016). Additionally, "the proof required to establish standing increases as the suit proceeds." Davis v. FEC, 554 U.S. 724, 734 (2008).

 

The plaintiffs here were faced with a factual challenge to their standing, asserting that there was in fact no "injury in fact". See Apex Digit., Inc. v. Sears, Roebuck & Co., 572 F.3d 440, 444 (7th Cir. 2009). In response to a factual challenge, the plaintiff can no longer rest on the allegations in the complaint and must adduce specific evidence to satisfy each of the elements necessary to establish his standing to sue. Id.

 

Here, the Seventh Circuit held that the plaintiffs failed to meet their burden against the factual challenge.

 

The operative motion to dismiss for lack of standing —- filed at the close of discovery -— argued both that the alleged overpayment injury was not cognizable as a legal matter and that the plaintiffs had no competent evidence that they suffered an overpayment injury as a factual matter. 

 

The Court determined that the plaintiffs' response to the motion to dismiss did exactly what the Supreme Court of the United States in Lujan said is inadequate in such circumstances; instead of citing specific evidence in the record and developing a factual argument demonstrating that they suffered an overpayment injury, the plaintiffs relied on mere allegations from their complaint.

 

The plaintiffs pointed to their expert reports as evidence in support of an overpayment injury, but they did so for the first time on appeal. The Seventh Circuit concluded that this was far too late because they have repeatedly reminded litigants that they will not consider evidence and factual arguments that were not presented to the trial court. E.g., Packer v. Trs. of Ind. Univ. Sch. of Med., 800 F.3d 843, 849 (7th Cir. 2015).

 

As a fallback argument, the plaintiffs contended that, as nonmovants, they are entitled to the benefit of the entire record under Rule 56 of the Federal Rules of Civil Procedure. Rule 56 permits the court to consider uncited materials in the record when ruling on a motion for summary judgment, but requires the court to consider "only the cited materials." FED. R. CIV. P. 56(c)(3).

 

However, the Seventh Circuit stated that Rule 56 also assigns to the parties the responsibility to "cit[e] to particular parts of materials in the record" when asserting that genuine factual disputes preclude summary judgment. Id. R. 56(c)(1)(A); see also Compania Administradora de Recuperacion v. Titan Int'l, Inc., 533 F.3d 555, 562 (7th Cir. 2008). The Court also reasoned that this latter requirement is especially important in cases involving a voluminous record, as was the situation here. See Sommerfield v. City of Chicago, 863 F.3d 645, 650 (7th Cir. 2017). Thus, the Court rejected the plaintiffs' Rule 56 argument.

 

The plaintiffs also argued that the law-of-the-case doctrine barred the second trial judge from reconsidering the question of standing because the original judge had already ruled on the issue on multiple occasions. The law-of-the-case doctrine "posits that when a court decides upon a rule of law, that decision should continue to govern the same issues in subsequent stages in the same case." Arizona v. California, 460 U.S. 605, 618 (1983). When a case is transferred between trial judges midway through litigation, the doctrine discourages the new judge from reconsidering rulings made by the original judge. Gilbert v. Ill. State Bd. of Educ., 591 F.3d 896, 902 (7th Cir. 2010).

 

Nevertheless, the Seventh Circuit concluded that the law-of-the-case doctrine did not prevent the second trial judge from ruling on the factual challenge to the plaintiffs' standing.

 

First, the Court noted that law-of-the-case is a discretionary doctrine, not a rigid bar, Pepper v. United States, 562 U.S. 476, 506 (2011), and its force is lowest when applied to jurisdictional questions, Chi. Joe's Tea Room, LLC v. Village of Broadview, 894 F.3d 807, 818 (7th Cir. 2018). Second, the Court pointed out that law-of-the-case does not apply at all where the precise issue presented differs from the one decided earlier. Gilbert, 591 F.3d at 903. As the plaintiffs acknowledged, the second trial judge was presented with a factual challenge to standing, while the first judge ruled only on facial challenges.

 

Accordingly, the Seventh Circuit affirmed the trial court's dismissal of the case for lack of Article III standing.

 

 

 

 

Ralph T. Wutscher
Maurice Wutscher LLP
The Loop Center Building
105 W. Madison Street, 6th Floor
Chicago, Illinois 60602
Direct:  (312) 551-9320
Fax: (312) 284-4751

Mobile:  (312) 493-0874
Email: rwutscher@MauriceWutscher.com

 

Admitted to practice law in Illinois

 

 

 

Alabama   |   California   |   Florida   |   Illinois   |   Massachusetts   |   New Jersey   |   New York   |   Ohio   |   Pennsylvania   |   Tennessee   |   Texas   |   Washington, DC

 

 

NOTICE: We do not send unsolicited emails. If you received this email in error, or if you wish to be removed from our update distribution list, please simply reply to this email and state your intention. Thank you.


Our updates and webinar presentations are available on the internet, in searchable format, at:

 

Financial Services Law Updates

 

and

 

The Consumer Financial Services Blog

 

and

 

Webinars

  

 

 

 

Thursday, August 18, 2022

FYI: CFPB's New Data Security Standard Is Not So Standard

Insufficient data protection or information security can violate the prohibition against unfair acts or practices according to a circular released last week by the federal Consumer Financial Protection Bureau.

 

This position is not new, as the CFPB has been pursuing covered entities for lax data security measures for some years.

 

In 2016 the CFPB brought its first data security enforcement action against Dwolla, a payment processor. What makes this action stand out is that Dwolla did not suffer a data breach nor was it accused of exposing consumer non-public information. Instead, the Bureau claimed the company mispresented to consumers the quality of its encryption and data-security protections.

 

In addition, the CFPB alleged Dwolla did not have "reasonable and appropriate data-security policies and procedures governing the collection, maintenance, or storage of consumers' personal information." Dwolla was ordered to pay a $100,000 fine and take measures to fix its "security flaws."

 

In the intervening years, the CFPB has added information and data security to its examination procedures.

 

THE IMPORTANCE OF THE CIRCULAR

 

While the CFPB believes lax data security can be an unfair act when providing consumer financial services, the problem for covered entities is that the Bureau does not provide any detail on what are appropriate data security standards. In fact, the CFPB emphasizes that compliance with existing federal data security regulations might not be enough.

 

Last year, the Federal Trade Commission promulgated amendments to its Safeguards Rule addressing data security for entities subject to the federal Gramm-Leach-Bliley Act. Amendments that impose requirements on a covered entity's data security policies and procedures become effective on Dec. 9. Because the amended rule applies to entities that are also covered by the CFPB, you would expect compliance with the amended Safeguards Rule would satisfy the Bureau. But you would be wrong. The circular points out that the CFPB's expectations concerning data security are "not coextensive" with the Safeguards Rule or "other federal laws governing data security."

 

The timing of the release of the circular is also important. On July 21, ACA International, the American Financial Services Association, the Consumer Data Industry Association, and the National Automobile Dealers Association wrote the FTC requesting a one-year extension of the effective date of the new requirements. On Aug. 5, the Office of Advocacy of the U.S. Small Business Administration made a similar letter request. But even if the implementation of the new Safeguards Rule standards is delayed for another year, as the CFPB sees it, covered entities are already expected to have sufficient data protection controls in place today.

 

THREE PRACTICES DESIGNED TO FAIL

 

Although the circular does not explain what these appropriate controls might be, it does provide examples of practices likely to get covered entities in hot water.

 

  • First, not requiring multi-factor authentication or its equivalent "for its employees or offer[ing] multifactor authentication as an option for consumers accessing systems and accounts" may trigger liability.

 

  • Second, "not having adequate password management policies" will likely trigger a violation.

 

  • Third, the failure to have policies and procedures for updates and patches to "systems, software and code" is likely to trigger liability.

 

But as often has been the case with the Bureau, understanding which compliance measures will work is often found in its past enforcement actions and the circular devotes significant text to those.

 

ENFORCEMENT, EXAMINATION, AND INVESTIGATION OF DATA SECURITY

 

When the CFPB releases a circular like this one, you can expect to see enforcement actions, more rigorous examinations, and investigations centered around the circular's subject matter.

 

Such was the case following a 2014 release of a circular concerning the Furnisher Rule which applies standards for furnishing to credit reporting agencies and dispute investigations under the Fair Credit Reporting Act.

 

Following the release of the Furnisher Rule circular, several enforcement actions included allegations that the covered entity violated the rule and noted in its 2017 and 2019 reports that examinations of covered entities revealed non-compliance with the Furnisher Rule. And since data security and privacy are hot news topics, the Bureau will want to capture some of those headlines for itself.

 

 

 

 

Ralph T. Wutscher
Maurice Wutscher LLP
The Loop Center Building
105 W. Madison Street, 6th Floor
Chicago, Illinois 60602
Direct:  (312) 551-9320
Fax: (312) 284-4751

Mobile:  (312) 493-0874
Email: rwutscher@MauriceWutscher.com

 

Admitted to practice law in Illinois

 

 

 

Alabama   |   California   |   Florida   |   Illinois   |   Massachusetts   |   New Jersey   |   New York   |   Ohio   |   Pennsylvania   |   Tennessee   |   Texas   |   Washington, DC

 

 

NOTICE: We do not send unsolicited emails. If you received this email in error, or if you wish to be removed from our update distribution list, please simply reply to this email and state your intention. Thank you.


Our updates and webinar presentations are available on the internet, in searchable format, at:

 

Financial Services Law Updates

 

and

 

The Consumer Financial Services Blog

 

and

 

Webinars

  

 

 

 

Tuesday, August 16, 2022

FYI: FTC Seeks Input for Potential "Commercial Surveillance" Rules Impacting Consumer Lending

The Federal Trade Commission recently issued an Advance Notice of Proposed Rulemaking seeking input that will shape potential rules "to crack down on harmful commercial surveillance and lax data security."

 

The focus of the ANPR overlaps in part with recent state consumer data privacy laws and federal legislation and rulemaking, but the definition of "commercial surveillance" is extremely broad and "refers to the collection, aggregation, analysis, retention, transfer, or monetization of consumer data and the direct derivatives of that information." 

 

By that definition, for example, receiving information from a consumer who applies for a loan and, using that information with permission to obtain information of their creditworthiness, would be considered "commercial surveillance."

 

Note that the definition in the ANPR differs from the definition in the FTC's Fact Sheet on the FTC's Commercial Surveillance and Data Security Rulemaking where commercial surveillance is described as "the business of collecting, analyzing, and profiting from information about people."

 

The ANPR provides a summary of the FTC's history of enforcement actions related to data privacy and security and then turns to its reasons for the rulemaking, explaining that its "experience suggests that enforcement alone without rulemaking may be insufficient to protect consumers from significant harms."

 

The ANPR states that part of the issue is the fact that "the FTC Act limits the remedies that the Commission may impose in enforcement actions," since "the Commission does not have authority to seek civil penalties for first-time violations [of Section 5 of the FTC Act]."  However, trade regulation rules would remedy that issue and "incentivize all companies to invest in compliance more consistently."

 

The ANPR includes 95 questions spread out among the following topics:

 

  • To What Extent Do Commercial Surveillance Practices or Lax Security Measures Harm Consumers?
  • To What Extent Do Commercial Surveillance Practices or Lax Data Security Measures Harm Children, including Teenagers?
  • How Should the Commission Balance Costs and Benefits?
  • How, if at All, Should the Commission Regulate Harmful Commercial Surveillance or Data Security Practices that Are Prevalent?
  • Rulemaking Generally
  • Data Security
  • Collection, Use, Retention, and Transfer of Consumer Data
  • Automated Decision-Making Systems
  • Discrimination Based on Protected Categories
  • Consumer Consent
  • Notice, Transparency, and Disclosure
  • Remedies
  • Obsolescence

 

The deadline for submitting comments will be 60 days from the date the ANPR is published in the Federal Register, and there will be a virtual public forum on Sept. 8, 2022.

 

 

 

 

Ralph T. Wutscher
Maurice Wutscher LLP
The Loop Center Building
105 W. Madison Street, 6th Floor
Chicago, Illinois 60602
Direct:  (312) 551-9320
Fax: (312) 284-4751

Mobile:  (312) 493-0874
Email: rwutscher@MauriceWutscher.com

 

Admitted to practice law in Illinois

 

 

 

Alabama   |   California   |   Florida   |   Illinois   |   Massachusetts   |   New Jersey   |   New York   |   Ohio   |   Pennsylvania   |   Tennessee   |   Texas   |   Washington, DC

 

 

NOTICE: We do not send unsolicited emails. If you received this email in error, or if you wish to be removed from our update distribution list, please simply reply to this email and state your intention. Thank you.


Our updates and webinar presentations are available on the internet, in searchable format, at:

 

Financial Services Law Updates

 

and

 

The Consumer Financial Services Blog

 

and

 

Webinars