Does the Fair Credit Reporting Act Preempt State-Law Claims for Unfair and Deceptive Trade Practices?

In cases that involve claims brought under North Carolina’s Unfair and Deceptive Trade Practices Act, an often overlooked issue is whether federal law preempts the 75-1.1 claim.

In a case of apparent first impression, a federal district court in North Carolina recently ruled that the federal Fair Credit Reporting Act (FCRA) can preempt a 75-1.1 claim, at least where there is no evidence that the defendant’s acts were willful or malicious.

Equifax doesn’t report the bankruptcy discharge of a consumer’s debt

Myrick v. Equifax Information Services, LLC involves a consumer whose obligations under a mortgage that had been discharged in bankruptcy. The consumer alleged that Equifax failed to properly report the status of the debt on the consumer’s credit report. Equifax was reporting that the consumer’s loan payments were past due, but did not note the discharge of the obligation.

The consumer disputed the report with Equifax through Equifax’s website. The consumer asserted that the credit report should reflect the discharge.

After Equifax received the dispute, Equifax contacted the bank that had extended the credit line and attempted to verify the status of the debt. The bank indicated that the consumer had an open account. The bank did not verify to Equifax that the account had been discharged. Equifax then informed the consumer that Equifax believed that the account reporting was correct.

Several months later, the consumer sent a dispute letter to Equifax. In the letter, the consumer reiterated that this debt had been discharged.  The consumer also attached a copy of the bankruptcy court’s order of discharge. As is typical, the discharge order did not specifically identify the bank’s debt.  The order further indicated that the bankruptcy had discharged at least some of the consumer’s debts, but may not have discharged all of them.

In response to the letter, Equifax requested that the consumer “be specific with [his] concerns by listing the names, numbers, and the nature of the dispute.”

The consumer sues Equifax for its reporting and dispute investigation procedures

The consumer did not provide the information requested. Instead, the consumer sued both the bank and Equifax in the United States District Court for the Eastern District of North Carolina. The lawsuit alleged that the companies violated both the FCRA and section 75-1.1.

The FCRA is a federal statutory scheme that governs the reporting of consumer debt. The FCRA imposes statutory duties on consumer reporting agencies about how they maintain and report consumer credit histories. The FCRA creates a private right of action, and provides for the recovery of actual damages, for the negligent or willful violation of any duty that the statute imposes. An aggrieved consumer can also recover punitive damages, but only if the consumer can prove that the reporting agency was willfully non-compliant.

After the consumer filed the lawsuit, the bank verified to Equifax that the debt had been discharged and settled with the consumer.  The consumer and Equifax proceeded to litigate the matter.  At the conclusion of discovery, Equifax moved for summary judgment.

Senior District Judge W. Earl Britt partially denied summary judgment as to the FCRA claims, but granted summary judgment to Equifax on the 75-1.1 claim.

The consumer alleged that Equifax violated the FCRA through both its procedures for preparing credit reports, and for conducting post-dispute investigations. As to its investigation, the consumer contended that Equifax had an independent duty to verify that the disputed debt had been discharged once Equifax received notice of the general bankruptcy discharge.

Judge Britt determined that the evidence was insufficient to make out a FCRA violation for Equifax’s original credit reporting, but denied summary judgment as to the FCRA claim premised on Equifax’s post-dispute investigation procedures. The judge did not believe that the consumer forecast sufficient evidence of willful non-compliance to take a punitive-damages claim to a jury.

The FCRA preempts the consumer’s 75-1.1 claim

Equifax also sought summary judgment on the 75-1.1 claim. Equifax argued that the 75-1.1 claim was preempted by the FCRA. The FCRA broadly limits consumers from bringing a suit against a reporting agency under state law “except as to false information furnished with malice or willful intent to injure such consumer.”

In a decision of apparent first impression, Judge Britt determined that the FCRA preempted the 75-1.1 claim in this particular case because Equifax’s conduct was, at most, negligent. In his decision, Judge Britt referenced Congress’s intent to allow state-law claims only in very narrow circumstances. Because the consumer failed to forecast any malice or willful intent to injure by Equifax, the consumer could not maintain his state-law claim for unfair and deceptive trade practices.

As Myrick shows, preemption can be a powerful way for a defendant to eliminate potential treble-damages liability under a state unfair and deceptive practices statute. The FCRA is one of a few federal statutes with an express preemption statute. Defendants have been successful, however, in arguing that other federal statutes so pervasively regulate conduct impliedly as to preempt state-law claims

Myrick is a reminder that plaintiffs and defendants alike should consider potential preemption arguments where federal statutes or regulations may also regulate conduct that allegedly violates section 75-1.1.

Author: George Sanderson

How Variations in the Law on Deceptive Conduct Can Affect Litigation Strategy

North Carolina is not the only jurisdiction with a statute that prohibits deceptive conduct. These statutes, however, are not identical.

Today’s post shows how the variations among these statutes can affect litigation strategy.

The recent decision in Greene v. Gerber Products Co. provides the backdrop. Greene is a putative class action about advertisements and marketing for baby formula. The plaintiffs claim that Gerber falsely advertised that its formula reduces the risk that infants will develop allergies.

Greene features three sets of putative named plaintiffs. The plaintiffs bought the formula in three different states: Ohio, New York, and North Carolina. Each plaintiff alleged a violation of the statutory prohibition on deception in the state of purchase (for North Carolina, N.C. Gen. Stat. § 75-1.1). The plaintiffs sued Gerber in federal court in New York.

Gerber moved to dismiss. Its arguments for dismissing the statutory claims, however, varied significantly as to each set of plaintiffs.

Our inquiry: if the plaintiffs all alleged basically the same facts, and if each state prohibits deceptive advertisements, why do the arguments vary so much?

Good Start, but Bad Ending

Gerber sells a line of baby formula called “Good Start.” The plaintiffs took issue with statements on the label of this formula and with certain print and television advertising. Good Start contains partially hydrolyzed whey protein, an ingredient that Gerber claimed reduces the risk of developing allergies.

The plaintiffs alleged that these claims are false or deceptive. They then alleged that, when they decided to buy Good Start, they reviewed the representations about the formula’s alleged effects on allergies. They further alleged that Gerber used those statements to lure the plaintiffs—and all putative class members—to pay an inflated price.

Three Statutes, Three Sets of Arguments

Gerber moved to dismiss the statutory claims under Ohio, New York, and North Carolina law.

  1. Ohio

The Ohio plaintiffs alleged a violation of the Ohio Consumer Sales Practice Act. To pursue a class action under that act, a plaintiff must show that the defendant had notice that the alleged violation is substantially similar to an act or practice previously declared to be deceptive.

Gerber argued that it never had the required notice. In response, the plaintiffs argued that Gerber did have notice, based on (a) a rule promulgated by the Ohio attorney general, and (b) certain consent decrees between the attorney general and parties that allegedly made false health claims. The court agreed with Gerber, concluding—without getting into the weeds—that neither the rule nor the consent judgments count as prior determinations of deceptive conduct.

The court also dismissed the Ohio plaintiffs’ claims under the Ohio Deceptive Trade Practices Act. That act has mainly been interpreted as an analogue of the federal Lanham Act—and therefore does not confer standing on consumers.

Notably, Gerber’s arguments as to the Ohio plaintiffs have no application to a section 75-1.1 claim. Consumers can sue under section 75-1.1, and there’s no notice requirement for a class action.

  1. New York

The New York plaintiffs sued for violation of New York General Business Law § 349, which prohibits deceptive acts or practices against consumers. Gerber primarily argued that the New York plaintiffs couldn’t make out a violation of this statute because the plaintiffs didn’t suffer an actual injury, which section 349 requires.

The court disagreed. The complaint alleged that the New York plaintiffs would have purchased less-expensive formula but for the statements about allergies. That theory was sufficient, the court concluded, because it reflected a loss of money directly connected to an allegedly deceptive statement.

Would a “no injury” argument have fared better for an alleged violation of section 75-1.1? In 75-1.1 jurisprudence, courts have tended to refer to this issue as one of “standing.”  Courts have dismissed section 75-1.1 claims for failing to connect allegedly unfair or deceptive conduct to a real injury.

  1. North Carolina

Gerber, however, didn’t seek dismissal of the 75-1.1 claim in Greene based on an absence of injury. Instead, Gerber turned to a relatively recent line of cases that require a misrepresentation-based claim under section 75-1.1 to be pleaded with particularity.

The plaintiffs, citing earlier caselaw, argued against the particularity requirement.

The court then sidestepped the issue. It ruled that, even if the law requires particularity, the plaintiffs had satisfied that requirement. The court showed that the complaint:

  • specified and attached the alleged misrepresentations,
  • described where the misrepresentations were located,
  • explained why the statements were false or deceptive, and
  • included a statement of the plaintiffs’ reliance on the statements.

Interestingly, Gerber did not seek dismissal of the 75-1.1 claim based on the economic-loss rule. That tactical decision could be because of recent decisions about the interplay between that doctrine and section 75-1.1.

Know Your Geography

Gerber offers a vivid example of the havoc that a multistate consumer class action can wreak. Even when the case involves fundamentally a single fact pattern, state-by-state differences in the law on deceptive trade practices mean that a defendant that wants to file a Rule 12(b)(6) motion can raise a deluge of arguments.

That deluge, of course, can drown a reader. These cases therefore require careful strategic and tactical decisions in selecting the best arguments. Those decisions, in turn, call for a deep understanding of the law in each relevant state.

Plaintiffs, too, face hard decisions in (a) selecting which state’s law on deceptive conduct might be the best for a putative class action, and (b) crafting a complaint to anticipate the Rule 12(b)(6) arguments to come.

On top of these considerations, both plaintiffs and defendants in consumer class actions must assess the extraterritorial effect of statutory prohibitions on deceptive conduct, as well as questions of personal jurisdiction.

As these points show, there’s simply no magic bullet—for any party—in multistate claims about deceptive conduct. Even if a single theme might apply across all claims, the claims themselves might turn on different elements and defenses, and attention to these nuances can determine success or defeat.

Author: Stephen Feldman

How a Potent Defense Can Stifle Data-Breach Lawsuits by Businesses

Consumers aren’t the only plaintiffs in data-breach litigation. Businesses sue, too.

When they do sue, businesses can be strong plaintiffs. This is because, unlike consumers, businesses usually can establish standing, since they’re more likely to have suffered direct financial loses that can be readily identified.  

This doesn’t mean, however, that a data-breach business plaintiff can waltz untouched through the Rule 12(b)(6) stage.

Instead, a business plaintiff must overcome a different defense: the economic-loss rule.  That rule prevents plaintiffs who suffer economic losses stemming from a contract from trying to recover those losses through non-contract claims. 

A recent decision from a federal court in Colorado involving one of my kids’ favorite mac-and-cheese spots shows how the economic-loss rule can apply when one business sues another over a data breach. This post studies that decision.

A Cyberattack Compromises Diners’ Payment Card Data

SELCO Community Credit Union v Noodles & Company concerns a cyberattack on the Noodles & Company restaurant chain that compromised customers’ credit and debit card information. The plaintiffs were not consumers, but instead credit unions whose cardholders dined at Noodles and whose information was compromised. They sued Noodles for failing to prevent the breach. 

According to the credit unions, Noodles breached a common-law duty to protect its customers’ payment card information by failing to implement industry-standard data-security measures. The credit unions alleged that this breach caused them damages, including the costs to cancel and reissue affected cards and to refund cardholders for unauthorized charges.

The credit union brought tort claims—all based on theories of negligence—against Noodles. Noodles filed a motion to dismiss based on the economic-loss rule, pointing to agreements it and the plaintiffs had entered as participants in the payment-card-processing ecosystem.   

The Payment Card Ecosystem: A Chain of Interrelated Contracts

The court provided the following diagram to explain this ecosystem:

ap

In its motion, Noodles observed that each actor in this ecosystem signed an agreement with at least one other actor in which it agreed to follow rules issued by the bank-card associations. Importantly, the agreements required merchants to maintain a certain level of security for payment-card data—including compliance with a set of detailed best practices for data security in the payment-card industry called the Payment Card Industry Data Security Standard (PCI DSS).

Noodles argued that these agreements also allocated the parties’ rights and responsibilities in the event of a cyberattack. More specifically, the agreements called for the credit unions to guarantee cardholders zero liability for fraudulent transactions. The credit unions, in turn, could partially recover their losses through a loss-shifting scheme managed by the bank-card associations.

According to Noodles, this arrangement reflected “a series of determinations by several sophisticated commercial entities about how the risk of fraudulent transactions should be allocated in the payment card networks.” Noodles accused the credit unions of trying to re-allocate that risk—and violating the economic-loss rule—by bringing tort claims.

An Independent Duty?

The credit unions had two main arguments in response.

First, they argued that Noodles owed them a common-law duty to secure payment-card data and to prevent foreseeable harm to cardholders. This duty, they urged, was separate and distinct from any contract-based duty to comply with PCI DSS. The credit unions made this argument to try to shoehorn their claims into what’s known as the “independent duty” exception to the economic-loss rule.

Second, the credit unions argued that the economic-loss rule should not apply because the credit unions had no contract with Noodles. Thus, the credit unions argued, they never had the chance to “reliably allocate risks and costs” with Noodles.  

The Court’s Decision

The court, like my children, sided with Noodles.

On the independent-duty argument, the court concluded that each duty that Noodles allegedly breached was bound up in the agreements to comply with the bank-card association rules and PCI DSS. Even if Noodles might also have had a common law duty to protect payment card data from a cyberattack, that duty could not be considered “independent of a contract that memorialize[d] it.”

The fact that the credit unions never contracted directly with Noodles had no analytical impact. In the court’s view, the economic-loss rule does not mandate a one-to-one contract relationship. Instead, the court reasoned, the rule asks whether a plaintiff had “the opportunity to bargain and define their rights and remedies, or to decline to enter into the contractual relationship.” The credit unions had that chance here.

Lessons for Litigants

SELCO confirms that the economic-loss rule can provide a powerful shield against attempts—including and especially by businesses—to make end-runs around negotiated limitations and allocations of liability for cyberattacks.

Defendants, however, must be ready to show that the contract on which they rely imposes relevant data-security obligations. Doing so requires that the obligations be clearly defined—well before litigation arises—in any contracts that involve the receipt or handling of sensitive information.

Clearly defining data-security obligations in contracts is already a recognized best practice for information-security risk management.  But as SELCO demonstrates, this type of clarity can also lay the groundwork for deploying the economic-loss rule against lawsuits arising from a successful cyberattack. 

Author: Alex Pearce