BY JULIE D. HOFFMEISTER AND DAVID N. ANTHONY
On November 17, the named plaintiff in Toney v. Quality Resources, Inc., et al. asked an Illinois federal court for final approval of a Telephone Consumer Protection Act (TCPA) class action settlement agreement.
As background, in December 2012, Sarah Toney ordered three pairs of children’s slippers online from a website operated by Stompeez. The website required Toney to provide her telephone number in order to complete the order. The site specified that the phone number would be used “for questions about order.” Toney subsequently began to receive telephone calls on her cell phone, and she claimed that the calls were made by Quality Resources, Inc. as a part of a combined and concerted telemarketing effort. More specifically, Stompeez allegedly sold Toney’s and the putative class members’ information to Quality Resources. Quality Resources would contact consumers to confirm that the consumers’ contact information was correct and also to engage in an “up sell” to the consumer, in order to sell other goods and services of Sempris LLC, unrelated to Stompeez or Quality Resources. Toney filed her class action complaint against the companies in January 2013.
After more than three years of litigation, the parties reached a settlement, which was preliminarily approved by the Court in August 2016. The settlement provides that Sempris will pay $2.15 million into a common fund. The settlement class consists of “all persons who are or were the subscribers and/or customary users of the telephone numbers on the Class List, and to whom, from January 3, 2009 through the date of preliminary approval, Quality Resources, Inc., made a call or calls in connection with Stompeez Kids Slippers purchases.” According to records obtained in discovery, there are 64,106 unique telephone numbers attributable to the settlement class members.
Because the Settlement only resolves claims against Sempris, and leaves open claims against Quality Resources, Sempris has also agreed to assign the Plaintiff and the settlement class any rights to indemnity or subrogation against Quality Resources for claims arising out of this action.
Troutman Sanders will continue to monitor the case for the Court’s order granting final approval.
BY JULIE D. HOFFMEISTER AND DAVID N. ANTHONY
The United States District Court for the Southern District of Alabama recently granted final approval of a class action settlement against Boyd Biloxi LLC, alleging that Biloxi sent telemarketing messages that violated the Telephone Consumer Protection Act.
The class action Complaint was originally filed on July 16, 2014. The named plaintiff alleged that Biloxi made calls to him and the putative class members offering free tickets to concerts or other special promotions. After engaging in discovery for more than a year, the parties reached a settlement through mediation.
The settlement class consists of “all persons who, since October 16, 2013 through May 11, 2016, received a telephone call to a residential or cellular telephone number initiated by, on behalf of or at the direction of Boyd Biloxi which used an artificial and/or pre-recorded voice message or was placed by an automatic telephone dialing system [“ATDS”].” The class consists of over 68,000 individuals. 33 class members submitted requests for exclusion, and two pro se objections were filed.
Each class member who submits a valid claim will receive a $150 gift card for food, beverages, concert tickets, hotel rooms, or gift shop items at Boyd Biloxi properties. The company also agreed to implement policies for its marketing activities using prerecorded messages or an ATDS to comply with the TCPA. The settlement agreement further provides for an attorneys’ fee award of up to $2 million and an incentive award of $3,500 for the named plaintiff.
BY JULIE D. HOFFMEISTER AND DAVID N. ANTHONY
On November 9, the United States District Court for the Northern District of Illinois granted final approval of a $49.9 million Telephone Consumer Protection Act class action settlement against US Coachways, Inc.
The original Complaint was filed against US Coachways on July 29, 2014, alleging that the motor coach leasing company sent out thousands of unlawful text messages to what they hoped were potential customers, in violation of the TCPA. The named plaintiff allegedly received more than 20 unsolicited text message advertisements.
The settlement class consists of “all persons within the United States who received one or more text advertisements on behalf of US Coachways, Inc. at any time in the four years prior to the filing of the Complaint continuing through the date of the Settlement Agreement.” There were no requests for exclusion and no objections from the class, which consists of more than 85,000 individuals.
Because US Coachways cannot fund the settlement, the company tendered a claim for the action to its insurer for defense and indemnity, but the insurance company denied coverage to US Coachways. US Coachways has therefore assigned its rights against the insurer to Plaintiff and the class, and agreed to contribute $50,000 which was applied toward the cost of notice to the class. Plaintiff and his counsel will next pursue an action against the insurer to collect on the $49.9 million judgment.
BY JULIE D. HOFFMEISTER AND DAVID N. ANTHONY
A class of consumers in multidistrict litigation (MDL) recently filed their Motion for Final Approval of a Telephone Consumer Protection Act class action settlement against a debt collection company, Convergent Outsourcing Inc. (“Convergent”).
Between October 2012 and June 2013, the named plaintiffs initiated separate putative class actions throughout the country alleging that Convergent violated the TCPA. On November 5, 2013, the Judicial Panel on Multidistrict Litigation consolidated the actions as an MDL. According to the Consolidated Amended Complaint, Convergent called Plaintiffs and the putative class members without their consent using an automatic telephone dialing system (“ATDS”) on behalf of various creditors.
The settlement consists of two classes:
- A Rule 23(b)(3) damages class that includes several hundred thousand people that Convergent called after October 26, 2008 who can point to certain objective facts to argue Convergent lacked consent to call them. This class will share a $5.5 million common fund.
- A Rule 23(b)(2) injunction class that includes those persons not in the Rule 23(b)(3) damages class who Convergent called since October 26, 2008. These individuals retain their right to sue Convergent individually but waive their right to bring a class action. In exchange, Convergent agreed to an injunction prohibiting it from seeking to dismiss any TCPA claim for failing to plead an ATDS was used and, in any answer to such suit, it will admit that it used an ATDS.
No objections were filed to the settlement, and only twenty-three class members opted out. A final approval hearing was scheduled for November 10.
BY ROSS ANDRE AND ALAN D. WINGFIELD
In a motion filed in a putative class action pending in California, Facebook, Inc. seeks to dismiss claims under the Telephone Consumer Protection Act, arguing, among other things, that the TCPA as applied to Facebook’s “status update” text messages is unconstitutional. The plaintiff in Holt v. Facebook, Inc., No. 3:16-cv-02266-JST (N.D. Cal.), alleges that Facebook violated the TCPA (and California law) by sending unsolicited text messages to cellular telephone subscribers, particularly in instances where the number has been reassigned and the messages from Facebook are intended for the prior owner. Holt alleges that shortly after registering a new cellular telephone number, she began receiving automated text messages from Facebook, asking her to post a status update or giving her glimpses into status updates of “her” friends. She contends that Facebook sends such messages regularly, without consent and in violation of the TCPA, to consumers nationwide.
In a motion filed on July 1, 2016, Facebook moved to dismiss the Complaint on a number of grounds. Chief among those was Facebook’s contention that the TCPA, as applied to Facebook’s status update messages as alleged in the Complaint, is unconstitutional. Facebook argues that status updates constitute speech entitled to First Amendment protection and that the TCPA violates those protections. More specifically, Facebook contends that its status update messages are noncommercial speech, subject to strict scrutiny and a presumption that any content-based restriction is unconstitutional. Facebook argues that because the TCPA is “riddled with exceptions” that effectively pick and choose what speech is permissible, it is not a neutral content-based restriction. Under the strict scrutiny framework, Facebook argues, the statute is unconstitutional, because it targets only one type of speech in an overinclusive and indefensible way.
On October 17, the United States Federal Government intervened in the case and filed a brief in support of the constitutionality of the TCPA. In addition to a number of procedural points, the government argues that the Ninth Circuit has twice considered—and rejected—constitutional challenges to the TCPA, either with respect to the particular provisions that Facebook now attacks or others like them. The government argues that there has been no change in the law to justify a departure from these prior holdings and in decisions from courts outside of the Ninth Circuit. The government also challenges Facebook’s contention that its text messages are not commercial speech, arguing that the messages explicitly invite recipients to interact with the Facebook platform. Finally, the government argues that even if strict scrutiny applies, the TCPA survives that analysis because it furthers a compelling government interest in protecting consumers from harassing communications and is narrowly tailored to achieve those aims.
In its response filed on November 1, Facebook argues that the Supreme Court’s recent decision in Reed v. Town of Gilbert, 135 S. Ct. 2218 (2015), changed First Amendment jurisprudence and, under its holding, Facebook’s messages are not commercial speech. From that standard, Facebook argues, strict scrutiny compels the conclusion that the TCPA as applied to Facebook’s activities is unconstitutionally restrictive.
The court has yet to issue an opinion with respect to Facebook’s challenge, which is now fully briefed, but the outcome could have broad implications for the scope of the TCPA.
On October 26, 2016 HIMSS, the leading organization in the US for health information technology and data management, issued a Call to Action for the healthcare industry to work together with cybersecurity experts from different sectors to enhance the preparedness of the healthcare industry to the imminent threat of cyber-attacks. The Call to Action reinforces the very real threat that the healthcare industry faces from internal and external threats. In a blog post announcing the Call to Action, Lee Kim, Director for Privacy and Security at HIMSS North America, and Samantha Burch, Senior Director, Congressional Affairs, HIMSS North America state that “Given the vast amount of data being breached and large numbers of healthcare organizations being compromised by both insider and external threat actors (such as nation state and non-state actors, organized cybercriminals and others), it is clear the health sector needs to change its attitude toward the adoption of cybersecurity practices.”
The HIMSS Call to Action makes clear that risks to the healthcare industry from cyber-attacks go beyond mere financial and reputational damage. “The health sector currently is too vulnerable to cyber-attacks and compromises. Patient safety hangs in the balance. As a critical infrastructure sector, the health sector cannot afford to wait any longer in revolutionizing our collective approach to cybersecurity and working collaboratively with the federal government and others towards a solution. It is only a matter of time before a patient is seriously injured or potentially dies as a result of a cyber-attack or compromise—unless all stakeholders make a commitment to work together to redraw a new baseline for the health sector.”
HIMSS is recommending three key steps as part of its Call to Action:
- Adoption of a Universal Information Privacy and Security Framework for the Health Sector;
- Having Congress create a Cyber Leader role with the US Department of Health and Human Services; and
- Addressing the shortage of qualified cybersecurity professionals.
The HIMSS Call to Action is an important reminder that healthcare is extremely vulnerable to cyber-attack and that everyone in the healthcare sector should be taking immediate steps to prepare for and respond to these attacks. Troutman Sanders Healthcare and Cybersecurity Practices will continue to follow the HIMSS Call to Action and provide updates on significant developments.
BY JULIE D. HOFFMEISTER AND DAVID N. ANTHONY
On September 29, the United States District Court for the Northern District of Illinois preliminarily approved a $76 million Telephone Consumer Protection Act class action against several cruise marketing companies inBirchmeier v. Caribbean Cruise Line, Inc.
According to the class action complaint that was filed more than four years ago, a telemarketing company, ESG and its related entities, placed prerecorded voice calls to class members’ cellular and landline telephones to seek business for defendants Caribbean Cruise Line, Inc.; Vacation Ownership Marketing Tours, Inc.; and Berkley Group, Inc. After certifying two classes, the Court granted partial summary judgment to the plaintiffs, holding that the calls made by ESG to consumers’ cell phones violated the TCPA. One of the only issues left for trial was whether the defendants would be held vicariously liable for the calls placed on their behalf. As the parties were preparing for trial, the defendants moved for summary judgment and to decertify the class based on the Supreme Court’s decision in Spokeo. The Court denied both motions and the parties subsequently settled.
The settlement agreement provides for two classes – one for individuals that received cellular phone calls and another for those who received landline calls – who received calls made by or on behalf of the defendants from August 2011 to August 2012. Each class member who submits a valid claim will be entitled to $500 per call unless the $76 million ceiling is reached. If it is, then class members will receive a pro rata share of the fund based on the number of calls they received. Such relief, commented the parties, is almost unprecedented.
The Birchmeier settlement is one of the largest settlements in TCPA history, and it illustrates the importance of not only ensuring your company’s compliance with TCPA requirements, but also keeping a close eye on any third party vendors who are acting on your behalf.
BY RONALD I. RAETHER, JR., MARK C. MAO, ASHLEY L. TAYLOR, JR. AND C. READE JACOB, JR.
On September 13, the New York Department of Financial Services issued proposed regulations that would require banks, insurance companies, and other financial services institutions to establish and maintain a cybersecurity program and to take other measures to protect against data breaches and cyber attacks.
Among the planned requirements, regulated financial institutions will be required to (a) establish a cybersecurity program and adopt a written cybersecurity policy; (b) designate a Chief Information Security Officer responsible for implementing, overseeing, and enforcing its new program and policy; and (c) have policies and procedures designed to ensure the security of information systems and nonpublic information accessible to, or held by, third-parties, along with a variety of other requirements to protect the confidentiality, integrity, and availability of information systems. Board chairpersons would also be required to file annual certifications with NYDFS, stating, to the best of their knowledge, that their companies’ cyber programs comply with the regulation.
Other measures would include appointing overseers for outside vendors and limiting access of customers’ non-public information, such as Social Security numbers, to employees who need those details, according to the proposal. Systems would have to include multiple steps for verifying user identities.
Notably, the proposed regulations are already called for under guidance set by the Federal Financial Institutions Examination Council, a panel of regulators including the Federal Deposit Insurance Corp., the Federal Reserve, and the Office of the Comptroller of the Currency.
The proposed regulations are also similar to (albeit more comprehensive than) Massachusetts’ Standards for the Protection of Personal Information of Residents of the Commonwealth regulation. That law, which has been in place since 2010, requires every business that licenses or owns personal information of Massachusetts residents to comply with minimum security standards. Those minimum standards include implementing a written information security program (referred to as a “WISP”) with appropriate administrative, technical, and physical safeguards.
The proposed regulation is subject to a 45-day notice and public comment period following the September 28 publication in the New York State register before its final issuance.
BY RONALD I. RAETHER, JR.
You cannot control when a data breach or other cyber incident will occur at your financial institution, but you can control how you prepare for it. Cyberattacks and incidents are increasing across every industry. This holds true for large financial players and small community banks alike. The rise of these incidents will have an impact not only on patron security, but also on the regulations by which financial institutions must abide.
During this complimentary webinar on October 5 at 12 p.m. EST, Troutman Sanders attorneys Shannon Pattersonand Ron Raether will address how action – or inaction – now can affect your company after an attack or incident. The discussion will include incorporating cybersecurity into corporate governance, tools for building a culture of privacy compliance, why you should be preparing for litigation before an event occurs, and best practices for your company’s response.
For more information or to register, please click here. One hour of CLE credit is currently pending.
BY JULIE D. HOFFMEISTER AND RONALD I. RAETHER, JR.
The Third Circuit recently affirmed a District Court’s dismissal of a data breach class action against Benecard Services Inc. (“Benecard”).
Benecard is a prescription benefit administrative services company that provides mail and specialty drug dispensing, managed vision services, and contact lens mail order services to public and private sector organizations. The instant case arose from the 2015 data breach of Benecard’s computer system. Plaintiffs are former employees and customers of Benecard who provided their names, dates of birth, addresses, and Social Security numbers as a prerequisite to employment or use of Benecard’s services. Plaintiffs’ personal information was compromised during the breach. Specifically, Plaintiffs’ personal information was used by unknown third parties to file fraudulent tax returns, and the IRS subsequently issued tax refunds to the unknown third parties rather than to Plaintiffs. Plaintiffs brought claims against Benecard for negligence and breach of implied contract under Pennsylvania law.
The District Court held that Pennsylvania’s economic loss doctrine barred Plaintiffs’ negligence claim, and that Plaintiffs’ breach of contract claim failed to state a claim for relief. The Third Circuit affirmed the District Court’s decision.
First, Pennsylvania’s economic loss doctrine provides that “no cause of action exists for negligence that results solely in economic damages unaccompanied by physical injury or property damage.” Because Plaintiffs’ negligence claim sounds only in economic loss resulting from the fraudulent tax returns filed with their information, the economic loss doctrine bars their claim, affirmed the Third Circuit.
The Third Circuit also shot down Plaintiffs’ alternative theory that Benecard breached an implied contract by failing to adequately safeguard Plaintiffs’ confidential information that Plaintiffs entrusted to Benecard as a condition of employment or doing business with the company. “This requirement alone did not create a contractual promise to safeguard that information, especially from third party hackers,” held the Third Circuit. Plaintiffs did not offer evidence of “any company-specific documents or policies from which one could infer an implied contractual duty to protect Plaintiffs’ information.” In other words, “[m]erely claiming that an implied contract arose ‘from the course of conduct’ between Plaintiffs and Benecard is insufficient to defeat a motion to dismiss.”
The class action is now dismissed in its entirety.