CLOSE X
RSS Feed LinkedIn Instagram Twitter Facebook
Search:
FMG Law Blog Line

SEC Issues Risk Alert Regarding Broker-Dealers and Investment Advisers’ Privacy Practices and Compliance with Regulation S-P

Posted on: April 22nd, 2019

By: Jennifer Lee

On April 16, 2019, the U.S. Securities and Exchange Commission (“SEC”) issued a Risk Alert summarizing the findings from the examinations of broker-dealers and investment advisers’ privacy practices and compliance with Regulation S-P.

Regulation S-P, 17 C.F.R. § 248.30, was enacted to protect the privacy of customers and their information. It has three major components:

  1. Firms are required to provide their customers with a copy of their privacy policies and procedures at the initial outset of the relationship and also on an annual basis.
  2. Firms are prohibited from sharing customers’ nonpublic information with unaffiliated third parties unless the customer is given prior notice regarding such practices.
  3. Firms must inform customers that they have a right to opt-out of the firm’s data sharing practices with unaffiliated third-parties and provide a method in which customers can opt-out.

During the examinations, which spanned over the course of the past two years, the Office of Compliance Inspections and Examinations (“OCIE”) found common deficiencies in firms’ compliance with Regulation S-P. The OCIE found that some firms did not provide customers with the initial and/or annual privacy policies and procedures. In other instances, the privacy policies and procedures were inadequate to satisfy the requirements under Regulation S-P. For example, the policies and procedures failed to identify the precautions taken to ensure the integrity of customers’ information.

Even when firms gave the required notices and had satisfactory written policies and procedures on the books, the OCIE often found that such policies and procedures were not actually being implemented and firms’ practices diverged from the written policies and procedures. Customers’ personally identifiable information (“PII”) were sent via unencrypted emails and left in unsecured physical locations, firm employees had customer information on unsecured personal devices, and outside vendors were not vetted on their cybersecurity and privacy practices.

These findings are unsurprising because often when a new set of privacy or cybersecurity regulations is introduced, companies will invest an incredible amount of time and resources to develop policies and procedures that comply with the new requirements. Usually, most of this work is done by the COO or Chief Information Security Officer (“CISO”). However, it does not and cannot stop there as most enforcement actions and customer actions are brought based on the firm’s failure to implement its policies and procedures.

To reduce the risk of enforcement and customer actions, firms must ensure that the policies and procedures in its books are put into practice. This requires buy-in from everyone at the executive level—from the CEO to the CMO—and cooperation from multiple departments in the firm that may not necessarily work closely with each other on a regular basis. In addition, firms should shift their perspective on compliance with Regulation S-P and other privacy or cybersecurity regulation. It is not a one-off event. Instead, it should be seen as an active and on-going process that requires constant training and monitoring.

If you have any questions regarding your firm’s compliance with Regulation S-P or other privacy and cybersecurity regulations, please contact Jennifer Lee at [email protected].

Is Flood Insurance the Next Big Thing in California?

Posted on: April 19th, 2019

By: Matthew Jones

California’s winter has been quite wet given the significant amount of rain. With heavy rain comes flooding and mudslides. California is not used to either of those types of events; but maybe it should be. Recently, the Russian River flood in Sacramento, California has brought problems to residents in the region. Approximately 2,600 homes and businesses were damaged by the floods, as well as some automobiles. However, the flood problems do not stop there. Consumers are also running into insurance issues since traditional homeowners’ insurance does not cover flood damage.

So what should be done to protect your property from the next flood? The Department of Insurance answered that question by educating consumers on the need to purchase flood insurance. One thing to keep in mind, however, is that flood insurance typically does not take effect for 30 days. Also, there are various exclusions to coverage, including for earthquakes, landslides, land subsidence, sinkholes, destabilization or movement of land from water accumulation, or gradual erosion. So while flood insurance may provide some peace of mind in the event of a flood, potential property damage may not be covered in full.

Given the Department of Insurance’s press releases on the topic, as well as the constant and unpredictable climate change, it is likely that the amount of flood insurance policies issued will only increase.

If you have any questions or would like more information, please contact Matthew Jones at [email protected].

Largest Jury Verdict in TCPA History: Defendant Faces $925 Million in Damages

Posted on: April 18th, 2019

By: Jennifer Lee

On Friday, April 12, 2019, a federal jury in Oregon rendered a verdict in a certified class action that could leave ViSalus, Inc. on the hook for $925 million for making more than 1.85 million unsolicited robocalls in violation of the Telephone Consumer Protection Act (“TPCA”). The case is Wakefield v. ViSalus Inc., Case No. 3:15-cv-01857, in the U.S. District Court for the District of Oregon.

The TCPA prohibits prerecorded calls to cell phones and home phones without prior written consent from the recipient. The TCPA also prohibits the use of an automated dialing system (“ATDS”) to place calls to cell phones without prior written consent. This was a non-issue as ViSalus had already conceded that it used an ATDS for the calls at issue.

During the three-day trial, the named plaintiff and class representative Lori Wakefield testified that she had received four prerecorded calls from ViSalus on her home phone even though she did not consent to such calls. The jury believed her and concluded that the four calls received by Wakefield and the 1.85 million calls received by members of the certified class violated the TCPA.

Statutory damages for TCPA violations are $500 per call, and with more than 1.85 million calls at issue, this verdict could translate into approximately $925 million in damages for ViSalus. But there is more. Since the TCPA allows for treble damages for deliberate violations, if U.S. District Judge Michael Simon finds that ViSalus “willfully or knowingly” violated the statute, ViSalus may be subject to $2.775 billion in damages.

This verdict has wide-reaching implications for companies. It shows that jurors are receptive to TCPA class actions and do not view them as nuisance cases. This is in part because consumers are being bombarded by unwanted telemarketing calls, which are at historical highs and increasing every year. It also means that companies will have a harder time settling these cases and will lead to higher settlement amounts as the plaintiffs’ bar becomes more willing to take TCPA class actions all the way to trial.

If you have any questions regarding the TCPA, including compliance and defending against a TCPA class action, please contact Jennifer Lee at [email protected].

Plaintiffs’ Burden to Establish Punitive Damages: Farmers & Merchants Trust Co. v. Vanetik

Posted on: April 18th, 2019

By: Jennifer Weatherup

A recent decision from the California Court of Appeal has outlined the requirements for establishing a defendant’s financial condition as a prerequisite to an award of punitive damages, and has further emphasized that it is the plaintiff’s burden to provide a comprehensive picture of the defendant’s financial condition in support of a punitive damages award.

In Farmers & Merchants Trust Co. v. Vanetik, Plaintiff F&M Trust, who was the trustee and administrator of a pension plan, sued Defendants Yuri and Tony Vanetik[1] for breach of contract and fraud. F&M Trust claimed that the Vanetiks made several false statements and representations, which induced it to acquire stock in their company. At trial, the jury found the Vanetiks’ liable, and F&M Trust was awarded over $3 million dollars in punitive damages from the Vanetiks.

The Court of Appeal struck down this award because F&M Trust failed to present sufficient evidence of the Vanetiks’ financial condition. Because punitive damages are intended to punish wrongdoing and deter future misconduct, juries must consider three elements when determining an appropriate punitive damages award: (1) the wrongfulness of a defendant’s conduct, (2) the amount of compensatory damages, and (3) the defendant’s wealth. Wealth must be considered in order to determine whether a particular award is significant enough to punish that particular defendant.

As the Vanetik Court observed, a plaintiff wishing to impose punitive damages on a defendant must present evidence that provides a “balanced overview” of their financial condition. Thus, a plaintiff cannot cherry pick details relating to a defendant’s assets while failing to present evidence of liabilities or encumbrances on their property. Because F&M Trust only presented circumstantial evidence of the Vanetiks’ income, failed to determine whether Tony Vanetik’s home was subject to a lien or even owned by Tony, and failed to consider the Vanetiks’ liabilities, the Court found that there was insufficient admissible evidence to support a punitive damages award.

The Court further rejected F&M Trust’s claim that they should be excused from their failure to present evidence of the Vanetiks’ financial conditions because Defendants did not produce that evidence. Prior caselaw does provide that punitive damages may be awarded without evidence of a financial condition if a plaintiff’s failure to produce evidence is the result of the defendant’s failure to comply with discovery obligations. However, the plaintiff bears the burden of showing that the lack of evidence was the defendant’s fault, and F&M Trust failed to satisfy this burden.

As the Court noted, F&M Trust never filed a motion for pretrial discovery into the Vanetiks’ financial condition, even though a plaintiff must obtain a court order before conducting discovery into a defendant’s financial condition. Similarly, the trial court did not order the Vanetiks’ financial condition before the punitive damages portion of the trial. Thus F&M Trust’s failure to produce sufficient evidence of the Vanetiks’ financial condition is not excused, and the punitive damages award must be stricken.

The Vanetik case provides useful authority for professionals and other defendants who are facing a substantial punitive damages award, as it demonstrates the extent to which plaintiffs bear the burden of establishing defendants’ financial condition, and emphasizes the need for plaintiffs to present a complete picture of defendants’ finances, rather than relying on selective, incomplete, or circumstantial evidence.

If you have any questions or would like more information, please contact Jennifer Weatherup at [email protected].

[1] Plaintiff also sued the Vanetiks’ attorney. The Court separately found that the attorney could not be found liable for conspiracy.

Ninth Circuit: Creditors May Be Vicariously Liable for TCPA Violations Based on Common Law Ratification Principles

Posted on: April 16th, 2019

By: Nikki Sachdeva

In a recent opinion, the U.S. Court of Appeals for the Ninth Circuit reversed a district court’s grant of summary judgment in favor of a creditor, finding that common law principles of ratification may create vicarious liability under the Telephone Consumer Protection Act (TCPA). In Henderson v. United Student Aid Funds, 2019 U.S. App. LEXIS 8597 (9th Cir. Mar. 22, 2019), the Court heard an appeal by named plaintiff Henderson in a putative class action brought under the TCPA. After ceasing to make payments on her student loan, Henderson began receiving calls from several debt collection companies. Henderson alleged that the pattern of the calls, which included several prerecorded messages to a cellular telephone number she had not provided in connection with her loan application or consented to be called on, evidenced the use of a combination of skip-tracing and autodialing. Such combined use is prohibited by the TCPA.  47 U.S.C. § 227(b)(1)(A)(iii).

United Student Aid Funds (“USA Funds”), which owned Henderson’s loans, had hired a loan servicer, which in turn hired debt collectors to collect on the unpaid loans. USA Funds did not have contractual relationships with the debt collectors, nor did it have day-to-day interactions with them. However, USA Funds had access to the debt collectors’ performance reports and had previously reviewed the debt collectors’ call notes upon identification of an issue with improper calling practices. As to the loan servicer, USA Funds monitored its regulatory compliance and, while it did not have the ability to fire debt collectors, USA Funds had the ability to ask the loan servicer to replace debt collectors.

In 2017, the U.S. District Court for the Southern District of California granted summary judgment in favor of USA Funds. The district court rejected Henderson’s arguments that there was a triable issue of fact as to whether USA Funds could be liable under theories of classical agency or implied actual authority. Further, finding that there was no principal-agent relationship between USA Funds and the debt collectors, the district court held that USA Funds could not be vicariously liable under a ratification theory.

The Ninth Circuit, in a 2-1 decision, reversed the district court’s grant of summary judgment and remanded for further proceedings. The Court held that there was a material issue of fact as to whether USA Funds ratified the debt collectors’ calling practices. According to the Court’s opinion, federal common law principles of ratification may create vicarious liability under the TCPA even where the contractual agreements at issue state and/or suggest an independent contractor relationship rather than an agency relationship. First, the Court held that ratification may create an agency relationship where none existed before where the acts are “done by an actor… who is not an agent but pretends to be.” The Court noted that the debt collectors told borrowers they were calling on behalf of USA Funds and accepted payments on USA Funds’ behalf. Finding that there was a triable issue of fact, the Court continued: “a reasonable jury could conclude that USA Funds accepted the benefits—loan payments—of the collectors’ calls while knowing some of the calls may have violated the TCPA. If a jury concluded that USA Funds also had ‘knowledge of material facts,’ USA Funds’ acceptance of the benefits of the collector’s unlawful practices would constitute ratification.”

The Ninth Circuit’s decision in Henderson raises issues for creditors and other businesses who engage third parties to conduct borrower or consumer calls on their behalf. Businesses should be mindful that they may be exposed to vicarious liability under the TCPA based on improper conduct by third parties even where there is no contractual relationship with the entity making the allegedly violative telephone calls.

If you have any questions or would like more information, please contact Nikki Sachdeva at [email protected].