Saturday, March 5, 2022

FYI: FL Sup Ct Rejects Challenge to Fee Charged for Paying by Credit Card

The Supreme Court of Florida recently rejected a consumer's challenge to a convenience fee charged when he made a payment using his credit card.

 

In so ruling, the Court determined that the consumer's unjust enrichment claim failed because he received adequate consideration in exchange for a challenged fee when he took advantage of the privilege of using his credit card to make a payment.

 

A copy of the opinion is available at:  Link to Opinion

 

The case arose out of a Notice of Violation sent to a driver ("Driver") for failure to comply with a steady red-light signal. The City of Miami contracted with a company ("Contractor") to maintain the red-light cameras, issue and mail the citations and process violator's payments of the civil penalties. The Notice that Contractor sent to Driver required him to pay a statutory penalty of $158.

 

The Notice included instructions for payment, and further advised that a convenience fee would be charged for payments made online or by phone. Driver elected to pay with his credit card and paid a 5% convenience fee.

 

Driver subsequently filed a putative class action in federal court, arguing that the fee was prohibited under Florida Statutes §§ 316.0083(b)(4), 318.121, and 560.204, and Contractor was therefore unjustly enriched by retaining the fee.

 

Contractor moved to dismiss for failure to state a claim and the trial court agreed. The trial court held that (1) the fee was not prohibited under section 316.0083(b)(4) because it was not a "commission" within the meaning of the statute; (2) the fee was not prohibited by section 318.121 because that section only applied to violations assessed under chapter 318 of Florida Statutes; and (3) section 560.204 did not provide a private right of action, because violations of that section are enforced by the Financial Services Commission's Office of Financial Regulation.

 

Driver appealed, and the U.S. Court of Appeals for the Eleventh Circuit determined there was no guiding precent on the key issues and certified numerous questions to the Florida Supreme Court.

 

Although several questions were certified to the Florida Supreme Court, the Court addressed only whether the unjust enrichment claim failed because Driver received adequate consideration in exchange for the challenged fee when he took advantage of the privilege of using his credit card to pay the penalty.

 

In order to state a claim for unjust enrichment, a plaintiff must allege "a benefit conferred upon a defendant by the plaintiff, the defendant's appreciation of the benefit, and the defendant's acceptance and retention of the benefit under circumstances that make it inequitable for him to retain it without paying the value thereof." Fla. Power Corp. v. City of Winter Park, 887 So. 2d 1237, 1241 n.4 (Fla. 2004) (quoting Ruck Bros. Brick, Inc. v. Kellogg & Kimsey, Inc., 668 So. 2d 205, 207 (Fla. 2d DCA 1995)); see also Agritrade, LP v. Quercia, 253 So. 3d 28, 33 (Fla. 3d DCA 2017).

 

The Florida Supreme Court determined the issue to be whether Driver as a matter of law could plead that it was inequitable for Contractor to retain what Driver paid. The Court ruled he could not.

 

The Court found that even if the fee were prohibited under one of the statutes cited by Driver, Contractor's retention of the fee was not inequitable because Contractor gave value in exchange in that plaintiff did not have to procure postage and a check or money order; he could pay the balance over time; he avoided the risk of the payment being delayed, lost or stolen; he was afforded more time to make the payment because it was instantaneous; and he was provided with immediate confirmation of his payment.

 

Therefore, the Florida Supreme Court held it was not inequitable for Contractor to retain the convenience fee because it "first pa[id] the value thereof to the plaintiff." Agritrade, 253 So. 3d at 33 (quoting Peoples Nat'l Bank, 667 So. 2d at 879).

 

Thus, the Court ruled that Driver's unjust enrichment claim failed because he did not allege a benefit conferred and accepted which would be unjust for Contractor to retain.

 

The Court answered one of the certified question in the affirmative, declined to answer the remaining certified questions, and remanded the case to the Eleventh Circuit.

 

 

Ralph T. Wutscher
Maurice Wutscher LLP
The Loop Center Building
105 W. Madison Street, 6th Floor
Chicago, Illinois 60602
Direct:  (312) 551-9320
Fax: (312) 284-4751

Mobile:  (312) 493-0874
Email: rwutscher@MauriceWutscher.com

 

Admitted to practice law in Illinois

 

 

 

Alabama   |   California   |   Florida   |   Illinois   |   Massachusetts   |   New Jersey   |   New York   |   Ohio   |   Pennsylvania   |   Tennessee   |   Texas   |   Washington, DC

 

 

NOTICE: We do not send unsolicited emails. If you received this email in error, or if you wish to be removed from our update distribution list, please simply reply to this email and state your intention. Thank you.


Our updates and webinar presentations are available on the internet, in searchable format, at:

 

Financial Services Law Updates

 

and

 

The Consumer Financial Services Blog

 

and

 

Webinars

  

 

 

 

Tuesday, March 1, 2022

FYI: Amendments to the GLBA Safeguards Rule: What's New, What's Not, and What's Hot for Non-Bank Financial Institutions

The Federal Trade Commission recently amended the Safeguards Rule, 16 C.F.R. § 314.1, et seq., with significant changes to how an information security program should be designed, what it must include, and who needs to be in charge. 

 

Some may note the similarity to the New York Department of Financial Services' Cybersecurity Requirements for Financial Services Companies, N.Y. Comp. Codes R. & Regs. tit. 23, § 500.00, et seq.

 

The FTC's Rule is now considerably lengthier, but not all the amendments added anything new or substantive.  In this article we will explain which changes look new but are not, which are new and substantial, which do not apply to small businesses, and when certain provisions go into effect.

 

 

THE RULE

 

The Rule was promulgated under the Gramm-Leach-Bliley Act which, in part, requires the FTC to issue rules setting forth standards that financial institutions must implement to safeguard certain information.  The Rule applies to customer information held by non-banking financial institutions and "sets forth standards for developing, implementing, and maintaining reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of [that information]."

 

The Rule provides this non-inclusive list of entities that are considered financial institutions under the Gramm-Leach-Bliley Act and subject to the rule:

 

  • Mortgage lenders;
  • Pay day lenders;
  • Finance companies;
  • Mortgage brokers;
  • Account servicers;
  • Check cashers;
  • Wire transferors;
  • Travel agencies operated in connection with financial services;
  • Collection agencies;
  • Credit counselors and other financial advisors;
  • Tax preparation firms, non-federally insured credit unions;
  • Investment advisors that are not required to register with the SEC; and
  • Entities acting as finders.

 

Additionally, in its definitions, the Rule provides more detailed examples of entities considered financial institutions.

 

 

THE AMENDMENTS

 

The amendments to the Rule became effective Jan. 10, 2022, although some of the most important provisions are not effective until Dec. 9, 2022.  The FTC summarized the highlights as providing:

 

  • More guidance on how to develop and implement specific aspects of an overall information security program.
  • New provisions to improve the accountability of information security programs.
  • Exemptions for financial institutions that collect less customer information.
  • Inclusion of entities engaged in activities that are incidental to financial activities.
  • New terms and examples.

 

 

WHAT'S NEW

 

Section 314.2 – Seven New Definitions. As mentioned above, most of the defined terms are newly added to this section but not new to the Rule because they were previously cross-referenced to their definitions in the Privacy Rule.  Following are the seven new terms, and one that has been modified:

 

  • Authorized User: This new term "means any employee, contractor, agent, customer, or other person that is authorized to access any of your information systems or data."

 

  • Encryption: This new term "means the transformation of data into a form that results in a low probability of assigning meaning without the use of a protective process or key, consistent with current cryptographic standards and accompanied by appropriate safeguards for cryptographic key material."

 

  • Financial Institution: This term has been modified to include "any institution the business of which is engaging in an activity that is financial in nature or incidental to such financial activities. . ." (emphasis added). It specifically applies to "[a] company acting as a finder in bringing together one or more buyers and sellers of any product or service for transactions that the parties themselves negotiate and consummate is a financial institution because acting as a finder is an activity that is financial in nature or incidental to a financial activity listed in 12 CFR 225.86(d)(1)."

 

  • Information Security Program: This new term "means the administrative, technical, or physical safeguards you use to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle customer information."

 

  • Multi-Factor Authentication: This new term "means authentication through verification of at least two of the following types of authentication factors: (1) Knowledge factors, such as a password; (2) Possession factors, such as a token; or (3) Inherence factors, such as biometric characteristics."

 

  • Penetration Testing: This new term "means a test methodology in which assessors attempt to circumvent or defeat the security features of an information system by attempting penetration of databases or controls from outside or inside your information systems."

 

  • Security Event: This new term "means an event resulting in unauthorized access to, or disruption or misuse of, an information system, information stored on such information system, or customer information held in physical form."

 

Section 314.5 – Effective Date. This section identifies certain provisions of § 314.4 that are not effective until Dec. 9, 2022, as described below.

 

Section 314.6 – Exceptions. This "small business" section identifies certain provisions of § 314.4 that "do not apply to financial institutions that maintain customer information concerning fewer than five thousand consumers."  Those provisions are identified below.

 

 

WHAT'S HOT

 

Section 314.4 – Elements. This section has been completely overhauled, and now explains with specificity the elements, new and old, that must be included in an information security program.  Except where indicated, these elements must be incorporated by Dec. 9, 2022. 

 

In summary, the elements checklist includes:

 

1-  A single "qualified individual" designated to oversee, implement, and enforce the information security program. Previously, the program could be coordinated by a designated employee or employees.

 

2-  An information security program based on a risk assessment. This is a current requirement, as well as the need to periodically perform additional risk assessments.  However, effective Dec. 9, 2022, the risk assessment must include, except for small businesses:

 

•           Criteria for the evaluation and categorization of identified security risks or threats;

•           Criteria for the assessment of the confidentiality, integrity, and availability of information, including the adequacy of the existing controls in the context of the identified risks or threats; and

•           Requirements describing how identified risks will be mitigated or accepted based on the risk assessment and how the information security program will address the risks.

 

3-  Safeguards designed to control identified risks through:

 

•           Access controls, including technical and physical controls, to authenticate and limit access;

•           Identification and management of data, personnel, devices, systems, and facilities;

•           Encryption of all customer information held or transmitted;

•           Secure development practices and security testing for applications used for transmitting, accessing, or storing customer information;

•           Multi-factor authentication for any individual accessing any information system;

•           Procedures for the secure disposal of customer information no later than two years after the last date the information is used;

•           Procedures for change management;

•           Policies, procedures, and controls to monitor and log the activity of authorized users and detect unauthorized access, use or tampering.

 

4-  Regular testing and monitoring of the safeguards' effectiveness. This general requirement is currently in effect, but new requirements effective Dec. 9, 2022, and not applicable to small businesses, are:

 

•           Annual penetration testing; and

•           Vulnerable assessments.

 

5-  Policies and procedures that include:

 

•           Security awareness training;

•           Use of qualified information security personnel to manage risks and oversee the program;

•           Security training and updates to address risks; and

•           Verification that information security personnel maintain current knowledge of changing information security threats and countermeasures.

 

6-  Service provider oversight through:

 

•           Selecting service providers capable of maintaining appropriate safeguards, which is a current requirement;

•           Requiring the safeguards by contract, which is also a current requirement; and

•           Periodically assessing service providers based on the risk they present and the adequacy of their safeguards, effective Dec. 9, 2022.

 

7-  A written incident response plan, with seven specific requirements, designed to promptly respond to, and recover from, any security event materially affecting the confidentiality, integrity, or availability of customer information. This is not required for small businesses.

 

8-  A regular written report, prepared at least annually, by the qualified individual to the board of directors that includes the status of, and compliance with the information security program, and any related material matters. This is not required for small businesses.

 

 

WHAT'S NOT NEW

 

Section 314.1 – Purpose and Scope. Although amended subsection (b) appears significantly lengthier, it simply incorporates the definition of "financial institution" from the Privacy Rule, as modified and with examples, "to allow the Rule to be read on its own, without reference to the Privacy Rule."

 

Section 314.2 – Eleven Old Definitions. Previously, the Rule had only three defined terms and a general provision explaining that the terms used in the Rule had the same meaning as those defined in the Privacy Rule, 16 C.F.R. § 313.3.

 

Now, the Rule has 18 defined terms, but the majority have been carried over from the Privacy Rule to "improve clarity and ease of use."  The Rule's pre-amendment terms and those carried over from the Privacy Rule without substantive change are:

 

  • Consumer;
  • Customer;
  • Customer Information;
  • Customer Relationship;
  • Financial Product or Service;
  • Information System;
  • Nonpublic Personal Information;
  • Personally Identifiable Financial Information;
  • Publicly Available Information;
  • Service Provider; and
  • You.

 

Section 314.3 – Standards for Safeguarding Customer Information. This section is essentially unchanged.

 

 

COMPLIANCE

 

The elements described in § 314.4 are not new concepts and many entities are already compliant.  However, because the elements are now far more specific and detailed than before, those subject to the Rule should compare its elements to those of their own programs to ensure compliance, leaving time for compliance by Dec. 9, 2022.

 

 

 

 

Ralph T. Wutscher
Maurice Wutscher LLP
The Loop Center Building
105 W. Madison Street, 6th Floor
Chicago, Illinois 60602
Direct:  (312) 551-9320
Fax: (312) 284-4751

Mobile:  (312) 493-0874
Email: rwutscher@MauriceWutscher.com

 

Admitted to practice law in Illinois

 

 

 

Alabama   |   California   |   Florida   |   Illinois   |   Massachusetts   |   New Jersey   |   New York   |   Ohio   |   Pennsylvania   |   Tennessee   |   Texas   |   Washington, DC

 

 

NOTICE: We do not send unsolicited emails. If you received this email in error, or if you wish to be removed from our update distribution list, please simply reply to this email and state your intention. Thank you.


Our updates and webinar presentations are available on the internet, in searchable format, at:

 

Financial Services Law Updates

 

and

 

The Consumer Financial Services Blog

 

and

 

Webinars

  

 

 

 

Sunday, February 27, 2022

FYI: 9th Cir Holds Defendant's Interpretation of FCRA Not "Negligent" or "Willful"

The U.S. Court of Appeals for the Ninth Circuit recently affirmed a trial court's grant of summary judgment in favor of a credit reporting agency, holding that the plaintiff consumer failed to present sufficient evidence that the agency violated the federal Fair Credit Reporting Act ("FCRA") willfully or negligently, as required for liability.

 

A copy of the opinion is available at:  Link to Opinion

 

The Ninth Circuit previously held that the defendant credit reporting agency violated the FCRA when, in 2010, it issued a tenant screening report that disclosed a criminal charge that was filed against the consumer in 2000 but dismissed in 2004. The FCRA prohibits the disclosure in a credit report of any adverse item of information that antedates the report by more than seven years. 15 U.S.C. § 1681c(a)(5). The FCRA imposes liability for negligent or willful violations of its terms. §§ 1681n(a), 1681o.

 

On remand, the trial court granted summary judgment to the agency, holding that the consumer failed to present evidence that the CRA violated the FCRA willfully or negligently, as required for liability by §§ 1681n(a) and 1681o(a). The consumer timely appealed.

 

At issue on appeal was whether the defendant was negligent or willful in adopting an interpretation of § 1681c(a)(5), which the Ninth Circuit subsequently held was erroneous, that permitted the reporting of a dismissal of a charge that had been filed more than seven years from the date of the report, where the dismissal occurred within seven years of the report.

 

"To prove a negligent violation [of the FCRA], a plaintiff must show that the defendant acted pursuant to an objectively unreasonable interpretation of the statute." Marino, 978 F.3d at 673–74 (citing Syed v. M-I LLC, 853 F.3d 492, 505 (9th Cir. 2017)).

 

A plaintiff can prove a willful violation by showing a knowing or a reckless violation of a standard. Safeco Ins. Co. of Am. v. Burr, 551 U.S. 47, 57 (2007). To prove a willful violation in the absence of knowing disregard, "a plaintiff must show not only that the defendant's interpretation was objectively unreasonable, but also that the defendant ran a risk of violating the statute that was substantially greater than the risk associated with a reading that was merely careless." Marino, 978 F.3d at 673 (citing Safeco, 551 U.S. at 69).

 

The consumer argued on appeal that because a 1998 amendment removed the phrase "the date of disposition" from what was previously §1681c(a)(5), that indicated that Congress no longer wished to calculate the reporting period from the date of disposition.

 

However, the Ninth Circuit noted that even though Congress removed "the date of disposition" as the reference date, it did not replace that phrase with another reference date in § 1681c(a)(5), even though a different provision of the statute, §1681c(a)(2), explicitly measures a reporting window "from the date of entry."

 

Furthermore, the Ninth Circuit recalled that when it held that the seven-year reporting window in §1681c(a)(5) regarding a dismissal of a charge is measured from the date the criminal charge was filed, not when it was dismissed, the panel was not unanimous.

 

The consumer also argued that it was reckless for the defendant to rely on an "outdated" 1990 commentary by the Federal Trade Commission ("FTC"), the agency responsible for enforcing the FCRA, which stated "if charges are dismissed at or before trial, or the consumer is acquitted, the date of such dismissal or acquittal is the date of disposition." FTC, Commentary on the Fair Credit Reporting Act, 55 Fed. Reg. 18,818 (May 4, 1990) (former 16 C.F.R. pt. 600).

 

In response, the Ninth Circuit countered that, although the 1990 Commentary necessarily did not address the change in the statutory language as it was written before the 1998 amendment, it was the only guidance from the FTC on this issue in 2010 when the agency issued the tenant screening report.

 

Furthermore, the Court observed that the defendant had introduced evidence that the statute had "been interpreted for decades to permit" credit reporting agencies to report the dismissal of a charge where the dismissal occurred within seven years from the report.

 

Thus, the Ninth Circuit concluded that a reasonable fact finder could not find on this record that the defendant's violation of § 1681c(a)(5) was negligent, much less willful.

 

Accordingly, the Ninth Circuit affirmed the trial court's grant of summary judgment to the defendant on the consumer's claims under the FCRA.

 

 

 

Ralph T. Wutscher
Maurice Wutscher LLP
The Loop Center Building
105 W. Madison Street, 6th Floor
Chicago, Illinois 60602
Direct:  (312) 551-9320
Fax: (312) 284-4751

Mobile:  (312) 493-0874
Email: rwutscher@MauriceWutscher.com

 

Admitted to practice law in Illinois

 

 

 

Alabama   |   California   |   Florida   |   Illinois   |   Massachusetts   |   New Jersey   |   New York   |   Ohio   |   Pennsylvania   |   Tennessee   |   Texas   |   Washington, DC

 

 

NOTICE: We do not send unsolicited emails. If you received this email in error, or if you wish to be removed from our update distribution list, please simply reply to this email and state your intention. Thank you.


Our updates and webinar presentations are available on the internet, in searchable format, at:

 

Financial Services Law Updates

 

and

 

The Consumer Financial Services Blog

 

and

 

Webinars