Today, the United States Supreme Court resolved a circuit split regarding what constitutes an “autodialer” under the Telephone Consumer Protection Act (TCPA). In a blow to the plaintiffs’ bar, the Supreme Court ruled in favor of defendant Facebook, establishing a narrower, nationwide standard for what type of dialing equipment constitutes an “autodialer.”

The TCPA prohibits auto-dialed calls and texts to cellphones without prior express consent. Statutory penalties under the TCPA are severe: $500 per call in violation of the statute, or $1,500 per call for willful violations. 47 U.S.C. § 227(b)(3). The key issue in the Facebook appeal was whether a computer that simply stores and then dials a list of numbers qualifies as an “autodialer,” or whether the “autodialer” must itself randomly generate the list of numbers to be called.

In Facebook, Inc. v. Duguid, et al., No. 19-511, a unanimous Court overturned a Ninth Circuit ruling that held that dialing equipment that dials numbers from a stored list (as opposed to a randomly generated list) can qualify as an autodialer under the TCPA. The high court held, instead, that “Congress’ definition of an autodialer requires that in all cases, whether storing or producing numbers to be called, the equipment in question must use a random or sequential number generator.” The Second, Sixth, and Ninth Circuits had previously held that equipment that merely dials numbers from a stored list can qualify as an autodialer under the TCPA.

The TCPA defines “automatic telephone dialing system” as “equipment which has the capacity to store or produce telephone numbers to be called, using a random or sequential number generator, and, to dial such numbers.” 47 U.S.C. § 227(a)(1). In the case below, Duguid filed a putative class action over text messages he received from Facebook in 2014, alleging that Facebook violated the TCPA by sending automated text messages to his cellphone using an autodialer. Facebook argued that the TCPA did not apply, saying the technology it used to send Duguid text messages was not an autodialer because it did not send him text messages using a “random or sequential number generator.” The district court agreed and the plaintiff appealed to the Ninth Circuit, which reversed.

Before the Supreme Court, Facebook argued that the phrase “using a random or sequential number generator” modified both “store” and “produce,” while the plaintiff urged that the phrase only modified “produce,” such that an autodialer would encompass any equipment that can simply store and dial numbers, such as your average smartphone. The Supreme Court held that Facebook’s reading provided the most natural construction and, further, that it more closely aligned with Congress’ intent in enacting the TCPA, which arose–in part–from concerns that autodialers could randomly dial emergency lines, creating a threat to public safety, or “tie up all the lines of any business with sequentially numbered phone lines.”

The Supreme Court also appeared to recognize the potentially crippling effect the plaintiff’s reading would have on businesses that use telemarketing, stating that “[e]xpanding the definition of an autodialer to encompass any equipment that merely stores and dials telephone numbers would take a chainsaw to these nuanced problems when Congress meant to use a scalpel.”

While today’s ruling is a significant victory for the TCPA defense bar, businesses should continue to ensure compliance with the TCPA’s other requirements and prohibitions, including those relating to prerecorded calls.

The U.S. Supreme Court will hear arguments on March 30, 2021, in a case that will help clarify when an intangible, nonmonetary injury is sufficiently “concrete and particularized” to give rise to Article III standing.[1] The Supreme Court’s decision will likely provide guidance for class-action plaintiffs seeking to bring (and class-action defendants looking to defend against) claims for civil penalties in the wake of the Supreme Court’s 2016 decision in Spokeo, Inc. v. Robins.[2] The case could have profound consequences for any company that is potentially subject to a claim for statutory civil penalties in a federal class action lawsuit.

The Ninth Circuit’s Decision in Ramirez v. TransUnion LLC

Sergio Ramirez tried to buy a car with his wife. The dealership obtained a credit report, which incorrectly identified Ramirez as appearing on a list of Specially Designated Nationals (“SDNs”)–that is, people prohibited from doing business in the United States for national security reasons. It is essentially a terrorist watch list.

Ramirez contacted the credit reporting agency, TransUnion, to fix the error. In response, he received two letters. The first letter contained his ordinary credit report with a summary-of-rights form and instructions on how to submit proposed corrections. The second letter (“SDN Letter”) disclosed that Ramirez’s name was a “potential match” for names on the Treasury Department’s SDN list, but it lacked a summary-of-rights form or instructions on corrections. As it turns out, TransUnion included SDN references in credit reports based on information supplied by a third-party vendor that used software dependent on comparing first and last names. The assessment thus did not consider addresses, Social Security numbers, or any other identifying information.
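The screening failure described above (a match on first and last name alone, with no corroborating identifier) is easy to model. The following added example is not TransUnion’s or its vendor’s code; the watch list, names and identifiers in it are constructed, and the rule that a hit needs at least one agreeing identifier and no conflicting one is an assumption about how a stricter screen would work, not a description of any vendor’s product.

```python
"""Constructed example: name-only screening vs. corroborated screening.

The watch list and the applicants are invented for illustration; they are
not real OFAC SDN entries or real people, and this is not TransUnion's or
its vendor's code.
"""
import unicodedata
from dataclasses import dataclass, field
from typing import List, Optional


def normalize(s: str) -> str:
    """Case-fold, strip diacritics and collapse whitespace so 'JOSÉ ' == 'jose'."""
    s = unicodedata.normalize("NFKD", s)
    s = "".join(c for c in s if not unicodedata.combining(c))
    return " ".join(s.casefold().split())


@dataclass(frozen=True)
class Person:
    first: str
    last: str
    dob: Optional[str] = None        # ISO date, when known
    country: Optional[str] = None    # ISO 3166 alpha-2, when known
    id_number: Optional[str] = None  # passport or national ID, when known


@dataclass
class Hit:
    entry: Person
    corroborating: List[str] = field(default_factory=list)


# Constructed watch list, not real data.
WATCH_LIST = [
    Person("Sergio", "Ramirez", dob="1961-03-14", country="XX", id_number="P-111"),
    Person("Anna", "Kowalski", dob="1975-09-01", country="YY", id_number="P-222"),
]


def name_only_screen(subject: Person, watch_list=WATCH_LIST) -> List[Hit]:
    """The weak approach: a hit whenever first and last name both match."""
    key = (normalize(subject.first), normalize(subject.last))
    return [Hit(e) for e in watch_list
            if (normalize(e.first), normalize(e.last)) == key]


def corroborated_screen(subject: Person, watch_list=WATCH_LIST,
                        min_corroborating: int = 1) -> List[Hit]:
    """A name match is necessary but not sufficient: at least
    `min_corroborating` further identifiers must agree, and any identifier
    known on both sides that disagrees refutes the hit. An identifier that
    is unknown on either side neither confirms nor refutes (assumed policy)."""
    hits = []
    for hit in name_only_screen(subject, watch_list):
        agree, conflict = [], []
        for attr in ("dob", "country", "id_number"):
            a, b = getattr(subject, attr), getattr(hit.entry, attr)
            if a is None or b is None:
                continue
            (agree if a == b else conflict).append(attr)
        if conflict:
            continue
        if len(agree) >= min_corroborating:
            hit.corroborating = agree
            hits.append(hit)
    return hits
```

A subject who shares a common name with a listed person but has a different date of birth is a hit under the name-only screen and is refuted under the corroborated one; a subject with no further identifiers on file is a hit under neither, which is the point: the stricter screen pushes the case to manual review instead of printing an alert.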

Ramirez sued, alleging that TransUnion violated the Fair Credit Reporting Act (“FCRA”) when it willfully failed to follow reasonable procedures to ensure accuracy of the alerts, willfully failed to disclose full credit reports by sending the SDN Letter separately from the balance of the credit report, and willfully failed to provide a summary of rights with the SDN Letter.

Ramirez’s suit was brought individually and also on behalf of all 8,185 individuals who received the SDN Letter in a seven-month period. The trial court certified that class, and the jury returned a verdict of $60 million in favor of the class, including $8 million in statutory civil penalties and $52 million in punitive damages. (The Ninth Circuit later reduced the punitive damages to $32 million.)

In a 2-1 decision, the Ninth Circuit affirmed class certification and the verdict.[3] The majority opinion, written by Judge Murguia and joined by Judge Fletcher, applied a two-part test to determine “whether the violation of a statutory right constitutes a concrete injury.” The court first asked “whether the statutory provisions at issue were established to protect [the plaintiff’s] concrete interests (as opposed to purely procedural rights).” And then, if they were, “whether the specific procedural violations alleged actually harm, or present a material risk of harm to, such interests.”

The majority had little difficulty finding the answer to both questions to be yes, since the protective purposes of FCRA are clear, as is the risk of harm from a false accusation that a person is an SDN. In her dissent, Judge McKeown explained that the class consisted of anyone who received the SDN Letter rather than anyone who had the false SDN accusation distributed to third parties. There was therefore no guarantee that every class member even opened the mailing, let alone that the incorrect credit report confused, distressed, or otherwise affected the absent class members.

The Ramirez argument comes one month after a similar case in which the Eleventh Circuit held that data breach victims must show more than a heightened risk of future injury or costs incurred to mitigate potential harm in order to establish Article III standing.

The Upcoming Argument

The question before the Supreme Court is whether the absent class members in Ramirez sustained a concrete injury sufficient to support Article III standing.

TransUnion’s argument focuses on the record at trial, which definitively established only that a quarter of the absent class members had the incorrect information distributed to third parties. As a result, as much as three-quarters of the class never suffered any harm as a result of the incorrect information. TransUnion argues that the trial court therefore should never have certified the class because its membership (all persons who received the SDN Letter in a seven-month period) is untethered from the alleged harm–that is, dissemination of the false SDN identification.

Ramirez turns this on its head and points out that there is no dispute that a quarter of the class suffered a concrete injury through dissemination of the SDN Letters. As for the rest, Ramirez argues that TransUnion must also have disseminated the incorrect SDN allegation to the third-party vendor that printed the SDN Letters, which suffices for an FCRA violation. And in any event, under Spokeo, there need only be a “risk of real harm,” which Ramirez argues is present when TransUnion prepares an incorrect credit report that exists solely so that TransUnion can distribute it to its customers on demand.

The Supreme Court’s decision will likely turn on how speculative or inference-driven a predicate for Article III standing can be. The outcome will affect not only FCRA litigation but also virtually any claim in which a plaintiff sues only for civil penalties because of a statutory violation. Such claims are ubiquitous in consumer fraud statutes, such as the Fair and Accurate Credit Transactions Act, the Stored Communications Act, and the Telephone Consumer Protection Act.


[1] TransUnion LLC v. Ramirez, No. 20-297.

[2] Spokeo, Inc. v. Robins, 578 U.S. 330 (2016).

[3] Ramirez v. TransUnion LLC, 951 F.3d 1008 (9th Cir. 2020), reh’g denied (Apr. 8, 2020).

A White Collar Criminal Defense alert by Rachel Maimin, Kathleen McGee, and Carly Coleman discusses the $105 million settlement that New York State and New York City recently received from a hedge fund manager accused of evading tax liability.  This settlement results from a qui tam suit filed in 2018 under the New York False Claims Act, which permits a whistleblower to receive a significant portion of any recovery.  Read the alert here.

On February 16, Judge Furman of the Southern District of New York handed down a ruling in In re Citibank August 11, 2020 Wire Transfers concluding that Citibank could not recover $900 million inadvertently wired to lenders.

The entire 105-page decision[1] is a fascinating read, describing a near-perfect storm of convoluted financial arrangements, technological limitations, and all-too-understandable human error that culminated in a screenshot from Citibank’s internal system reproduced in the opinion:[2]

The premise was that the user needed to direct a principal payment to an internal Citibank account rather than out of the bank to the lenders, while allowing the payment of interest to leave the bank. To make this adjustment, the user clearly directs “PRINCIPAL” to an “Internal G[eneral] L[edger]” account, directing the system to “Overwrite [the] default settlement instruction.” In fact, to accomplish the intended redirection, the user also needed to select the “FRONT” and “FUND” lines. Without those cryptic additions, the full amount of all principal and interest, approximately $900 million, was inadvertently deposited in lender accounts.
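Modelled as code, the fail-safe design point is that an override which has to be applied to three separate lines should either take effect on all of them or be rejected outright, and that the amount leaving the bank should be checked independently against what the operator expects. The example below is added here and is not Citibank’s system or code: the line names come from the opinion, but the amounts and the semantics of a partial override are simplified assumptions.

```python
"""Constructed model of the settlement-override check described in the
opinion. The line names PRINCIPAL, FRONT and FUND are taken from the page;
the amounts and the exact semantics are simplifications and assumptions,
not Citibank's system or code."""
from dataclasses import dataclass
from typing import Dict, FrozenSet

LINES = frozenset({"PRINCIPAL", "FRONT", "FUND"})


@dataclass(frozen=True)
class Instruction:
    principal: int               # amounts in cents (constructed values in tests)
    interest: int
    redirected: FrozenSet[str]   # lines whose settlement instruction was
                                 # overwritten to the internal GL account


def legacy_route(ins: Instruction) -> Dict[str, int]:
    """Models the behaviour the opinion describes: principal stays in-house
    only when every one of the three lines is redirected; otherwise the
    partial override is silently ineffective and principal goes out."""
    suppressed = LINES <= ins.redirected
    return {
        "external": ins.interest + (0 if suppressed else ins.principal),
        "internal": ins.principal if suppressed else 0,
    }


class PartialOverride(ValueError):
    """Raised when an override covers some but not all of the lines."""


class UnexpectedOutflow(ValueError):
    """Raised when more would leave the bank than the operator expected."""


def checked_route(ins: Instruction, expected_external: int) -> Dict[str, int]:
    """Fail closed. Two independent checks: reject an override that is not
    all-or-nothing, and refuse to release more than the operator intended."""
    if ins.redirected and not LINES <= ins.redirected:
        missing = sorted(LINES - ins.redirected)
        raise PartialOverride(f"override also needs {missing}")
    result = legacy_route(ins)
    if result["external"] > expected_external:
        raise UnexpectedOutflow(
            f"{result['external']} would leave the bank, "
            f"expected at most {expected_external}")
    return result
```

The second check is deliberately independent of the first: even a correctly formed instruction is refused if the outbound total exceeds the amount the operator declared up front, so a mistake the override logic does not catch is still stopped before the wire goes out.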

The decision also offers an important and detailed discussion of New York’s discharge-for-value law. The court drew on the formulation from the leading Court of Appeals decision on the topic:

“When a beneficiary receives money to which it is entitled and has no knowledge that the money was erroneously wired, the beneficiary should not have to wonder whether it may retain the funds; rather, such a beneficiary should be able to consider the transfer of funds as a final and complete transaction, not subject to revocation.”[3]

The court, in deciding that the erroneously paid lenders were not, in fact, on notice that the payment was in error, specifically pointed to the Bloomberg Terminal chat functions, in which the hedge fund lenders ruthlessly skewered the Citibank employees … but only after Citibank asked that the funds be returned. The court reproduced some of the “quite colorful” comments, including:

“I feel really bad for the person that fat fingered a $900mm erroneous payment. Not a great career move” and “How was work today honey? It was ok, except I accidentally sent $900mm out to people who weren’t supposed to have it”[4]

Ultimately, however, one salient takeaway is inescapable: syndicated lending may, at times, look like investing in securities, but it is quite different.

Syndicated loans are not considered securities, and the loan is not based on a registration statement and prospectus but rather on a confidential information memorandum (CIM). Notably, statements in the CIM are not covered by state or federal securities laws.

Additionally, in the event a bond is to be retired early, the bondholder would expect to receive a notice that the bond is being called or, for bonds without call features, an offer to repurchase the bond at the prevailing market price (or perhaps at a premium). In the absence of these types of communications, the lender could arguably be considered to be put on notice that something was amiss should the entire outstanding principal and interest be returned prior to the bond’s maturity.

With a syndicated loan, there are generally no such formalities required. Consequently, in In re Citibank, there was no reason for lenders to imagine that they were receiving anything other than what they were due.

The case is In re Citibank August 11, 2020 Wire Transfers, No. 1:20-cv-06539-JFM (S.D.N.Y.). We expect to revisit this matter after an appeal.

[1] In re Citibank August 11, 2020 Wire Transfers, dkt. no. 243 (Feb. 16, 2021) (“In re Citibank”).

[2] Id. at 13.

[3] Banque Worms v. Bank Am. Int’l, 570 N.E.2d 189, 196 (1991).

[4] In re Citibank at 73.

Earlier this month, the Eleventh Circuit, in Tsao v. Captiva MVP Restaurant Partners, LLC, No. 18-14959, 2021 WL 381948 (11th Cir. Feb. 4, 2021), affirmed the dismissal of a class-action lawsuit brought on behalf of patrons of a restaurant chain, holding that data breach victims must show more than a heightened risk of future injury or costs incurred to mitigate potential harm in order to establish Article III standing.

The plaintiff in Tsao alleged that a data breach targeted at a restaurant chain’s point-of-sale system revealed class members’ credit and debit card information, exposing class members to identity theft and fraud.

Relying on the Supreme Court’s decision in Clapper v. Amnesty Int’l USA, 568 U.S. 398 (2013) and the Eleventh Circuit’s ruling in Muransky v. Godiva Chocolatier, Inc., 979 F.3d 917 (11th Cir. 2020), the court held that a plaintiff alleging a threat of future harm “does not have Article III standing unless the hypothetical harm alleged is either ‘certainly impending’ or there is a ‘substantial risk’ of such a harm.” Moreover, the court held, a plaintiff cannot “conjure standing” by inflicting harm on itself to mitigate the alleged risk, such as by spending time and resources canceling credit cards, resulting in temporary loss of use of the canceled cards and lost cash back or reward points. Applying this standard, the court found that plaintiff had failed to establish that the threat of future harm was “certainly impending” or that there was a “substantial risk” of such harm, and that he could not “manufacture standing” by incurring costs to mitigate a “non-imminent harm.”

In so holding, the Eleventh Circuit sided with the Second, Third, Fourth, and Eighth Circuits–all of which have declined to find standing based on an increased risk of identity theft and the cost of measures taken to protect against it. While the Tsao decision doesn’t resolve the circuit split, it provides additional protection to companies in the Eleventh Circuit that take steps to promptly alert their customers of data breaches. The Tsao decision is also likely to factor into the Equifax appeal, brought on behalf of a handful of objectors to the class settlement arising out of the 2017 data breach at Equifax–one of the largest ever, which is currently scheduled for oral argument before the Eleventh Circuit on April 20.

Last March, The New York Times reported that Senate Majority Leader Mitch McConnell had been “quietly making overtures” to older Republican-nominated judges to encourage them to retire so that then-President Trump could fill their vacancies before the end of his term. After the 2020 presidential election, the Los Angeles Times reported that, reciprocally, some federal judges had been deliberately delaying their retirements in the hope that a different president would be able to nominate their successors.

In the three weeks since President Biden’s inauguration, 28 federal judges have announced that they are retiring or transitioning to “senior status”–a form of semi-retirement available to more senior judges in which they can reduce their caseload or be more selective in the types of cases they accept, and that opens up their seat as vacant.

The recent retirement announcements include some jurists who are well known within the financial services industry:

  • Robert A. Katzmann has served on the Second Circuit since 1999 and was its Chief Judge from 2013 to 2020. The day after President Biden’s inauguration, NYU Law announced that Judge Katzmann was taking senior status and joining the NYU Law faculty. Among his many decisions in over two decades on the bench, Judge Katzmann wrote the seminal majority opinion in United States v. Martoma, which defined the personal benefit element of insider trading.
  • Denny Chin, who served as a district judge in the Southern District of New York from 1994 until 2010, when President Obama elevated him to the Second Circuit, will take senior status in June. Judge Chin is perhaps best known for presiding over the prosecution of Bernie Madoff, whom he sentenced to a prison term of 150 years. Judge Chin also granted summary judgment to dispose of a copyright class action that would have prevented Google from scanning tens of millions of books into a digital library.
  • Outside New York, Dan Aaron Polster, a federal district judge in Cleveland, has risen to national prominence as the judge presiding over the multidistrict litigation arising from opiate litigation in federal courts. He previously presided over a securities fraud action against Cliffs Natural Resources Inc., which resulted in an $84 million class settlement. Judge Polster took senior status on January 31.

In addition to those who have already announced their retirement, many judges with heavy footprints in capital markets litigation either are or will become eligible for retirement on pension or senior status within the next four years, should they so choose. These include, among many others, First Circuit Judge William J. Kayatta Jr.; Second Circuit Judges Jose A. Cabranes, Rosemary S. Pooler, and Susan L. Carney; Seventh Circuit Chief Judge Diane Wood and Judges Frank Easterbrook and David F. Hamilton; and Ninth Circuit Chief Judge Sidney Thomas.

These resignations are not likely to result in a sea change in the federal courts’ political composition. But the displacement of older voices with newer and often more ideological jurists may have a significant impact on capital markets litigation for decades to come.

President Biden has not yet announced any judicial nominations.

A complete list of retiring federal judges is available at the website of the Administrative Office of the U.S. Courts.

As financial services firms increasingly turn to artificial intelligence (AI), banking regulators warn that despite their astonishing capabilities, these tools must be relied upon with caution.

Last week, the Board of Governors of the Federal Reserve (the Fed) held a virtual AI Academic Symposium to explore the application of AI in the financial services industry. Governor Lael Brainard explained that “particularly as financial services become more digitized and shift to web-based platforms,” a steadily growing number of financial institutions have relied on machine learning to detect fraud, evaluate credit, and aid in operational risk management, among many other functions.[i]

In the AI world, “machine learning” refers to a model that processes complex data sets and automatically recognizes patterns and relationships, which are in turn used to make predictions and draw conclusions.[ii] “Alternative data” is information that is not traditionally used in a particular decision-making process but that populates machine learning algorithms in AI-based systems and thus fuels their outputs.[iii]

Machine learning and alternative data have special utility in the consumer lending context, where these AI applications allow financial firms to determine the creditworthiness of prospective borrowers who lack credit history.[iv] Using alternative data such as the consumer’s education, job function, property ownership, address stability, rent payment history, and even internet browser history and behavioral information–among many other data–financial institutions aim to expand the availability of affordable credit to so-called “credit invisibles” or “unscorables.”[v]

Yet, as Brainard cautioned last week, machine-learning AI models can be so complex that even their developers lack visibility into how the models actually classify and process what could amount to thousands of nonlinear data elements.[vi] This obscuring of AI models’ internal logic, known as the “black box” problem, raises questions about the reliability and ethics of AI decision-making.[vii]

When using AI machine learning to evaluate access to credit, “the opaque and complex data interactions relied upon by AI could result in discrimination by race, or even lead to digital redlining, if not intentionally designed to address this risk.”[viii] This can happen, for example, when intricate data interactions containing historical information such as educational background and internet browsing habits become proxies for race, gender, and other protected characteristics–“leading to biased algorithms that discriminate.”[ix]
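The proxy problem can be measured rather than just described. The added example below is not any lender’s model and is not code from the symposium: it computes Cramer’s V between each alternative-data feature and the protected attribute (a feature strongly associated with the attribute is a candidate proxy) and the adverse impact ratio of a decision rule built on that feature. The applicants, features and rules in it are constructed, and the four-fifths threshold is the common rule of thumb rather than a legal test.

```python
"""Constructed example: measuring whether an alternative-data feature acts as
a proxy for a protected class, and whether a decision rule built on it has
disparate impact. The applicants, features and rules are invented; this is
not any lender's model or code from the Fed symposium."""
import math
from collections import Counter
from typing import Callable, Dict, Hashable, Sequence


def cramers_v(xs: Sequence[Hashable], ys: Sequence[Hashable]) -> float:
    """Association between two categorical variables, 0 (independent) to 1
    (one determines the other). Computed from the chi-square statistic."""
    n = len(xs)
    joint, cx, cy = Counter(zip(xs, ys)), Counter(xs), Counter(ys)
    k = min(len(cx), len(cy))
    if n == 0 or k < 2:
        return 0.0
    chi2 = 0.0
    for x, nx in cx.items():
        for y, ny in cy.items():
            expected = nx * ny / n
            chi2 += (joint.get((x, y), 0) - expected) ** 2 / expected
    return math.sqrt(chi2 / (n * (k - 1)))


def adverse_impact_ratio(approved: Sequence[bool], groups: Sequence[Hashable]) -> float:
    """Lowest group approval rate divided by the highest. The four-fifths
    rule of thumb treats a ratio below 0.8 as a disparate-impact flag."""
    totals = Counter(groups)
    yes = Counter(g for g, a in zip(groups, approved) if a)
    rates = [yes[g] / totals[g] for g in totals]
    return min(rates) / max(rates) if max(rates) > 0 else 1.0


# Constructed applicants: (protected group, browser family, rent paid on time).
APPLICANTS = [
    ("A", "mobile", True), ("A", "mobile", True), ("A", "mobile", False), ("A", "desktop", False),
    ("B", "desktop", True), ("B", "desktop", True), ("B", "desktop", False), ("B", "desktop", False),
]
FEATURES = {"browser": 1, "rent_on_time": 2}   # column index of each feature


def proxy_report(rows=APPLICANTS, features=FEATURES, group_col: int = 0) -> Dict[str, float]:
    """Cramer's V of every feature against the protected attribute; values
    near 1 mean the feature all but encodes group membership."""
    groups = [r[group_col] for r in rows]
    return {name: cramers_v([r[col] for r in rows], groups)
            for name, col in features.items()}


def rule_impact(rule: Callable[[tuple], bool], rows=APPLICANTS, group_col: int = 0) -> float:
    """Adverse impact ratio of a decision rule applied to the rows."""
    return adverse_impact_ratio([rule(r) for r in rows], [r[group_col] for r in rows])
```

On the constructed data the browser feature is strongly associated with group (V about 0.77) while rent history is not (V of 0), and a rule that approves desktop users has an adverse impact ratio of 0.25, well under four-fifths, even though the rule never mentions the protected attribute. Real models need this run feature by feature and on the model’s actual decisions, not on a single hand-written rule.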

Consumer protection laws, among other aspects of the existing regulatory framework, cover AI-related credit decision-making activities to some extent. Still, in light of the rising complexity of AI systems and their potentially inequitable consequences, AI-focused legal reforms may be needed. At this time, to help ensure that financial services are prepared to manage these risks, the Fed has called on stakeholders–from financial services firms to consumer advocates and civil rights organizations as well as other businesses and the general public–to provide input on responsible AI use.[x]

[i] Lael Brainard, Governor, Bd. of Governors of the Fed. Reserve Sys., AI Academic Symposium: Supporting Responsible Use of AI and Equitable Outcomes in Financial Services (Jan. 12, 2021), available at

[ii] Pratin Vallabhaneni and Margaux Curie, “Leveraging AI and Alternative Data in Credit Underwriting: Fair Lending Considerations for Fintechs,” 23 No. 4 Fintech L. Rep. NL 1 (2020).

[iii] Id.

[iv] Id.; Brainard, supra n. 1.

[v] Vallabhaneni and Curie, supra n.2; Kathleen Ryan, “The Big Brain in the Black Box,” Am. Bar Assoc. (May 2020),

[vi] Brainard, supra n.1; Ryan, supra n.5.

[vii] Brainard, supra n.1; Ryan, supra n.5.

[viii] Brainard, supra n.1.

[ix] Id. (citing Carol A. Evans and Westra Miller, “From Catalogs to Clicks: The Fair Lending Implications of Targeted, Internet Marketing,” Consumer Compliance Outlook (2019)).

[x] Id.

In the wake of the Great Financial Crisis, global financial markets got their first experience of negative interest rates, something classical economists had long thought to be unworkable if not impossible. On April 20, concerns surrounding the effects of the COVID-19 crisis introduced investors to another negative first: crude oil prices.

On July 9, investors brought a class action complaint [1] against brokerage TD Ameritrade, Inc., and its derivatives-focused subsidiary thinkorswim, alleging violations of Section 6b(e)(3) of the Commodity Exchange Act (CEA) [2] and its implementing regulation at 17 C.F.R. § 180.1, which extended the prohibition on untrue statements or omissions of material fact from equity markets to the markets for futures, options, and other derivatives.

Intraday chart of the price of the May 2020 WTI crude futures contract on April 20, 2020 (Bloomberg), as set forth in the complaint.

To be clear, this was not a situation where you could pull up to the pump, fill up, and pocket some cash for doing so. The negative prices occurred in the commodity futures market, where investors enter into contracts to take delivery of a given amount of a commodity on a certain date. In this instance, the market was West Texas Intermediate (WTI) crude oil, which is oil that is produced all over the United States and Canada and transferred by pipeline to a massive hub storage and distribution facility in Cushing, Oklahoma.

The relevant futures contract stipulated that buyers would have to take delivery in May 2020, and April 20 was the final day for investors who did not (or, in the case of the vast majority of investors, could not) take physical delivery of crude oil to sell out their positions. Over the course of the day, the price of the May 2020 WTI Crude contract fell steadily from its prior closing price of $18.27 per barrel, eventually falling as low as -$40.32 and closing at -$13.10, effectively requiring investors to pay $13.10 per barrel to avoid taking delivery of the crude oil.

The complaint alleged that Defendants’ risk disclosures made false and misleading statements and omissions regarding “multiple, robust risk management” processes that Plaintiff investors relied on, when in fact, Defendants’ systems could not accept or process transaction orders with negative prices, despite warnings in the prior weeks from the Chicago Mercantile Exchange, where the WTI futures contracts trade, that negative prices were possible. [3]

The complaint also claimed that Defendants failed to act properly when liquidating Plaintiffs’ positions because Defendants did not automatically close out the positions when the contract price fell to $0, the point beyond which investors would not be able to execute trades on their own.
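The alleged failure is a familiar input-validation mistake: a floor of zero hard-coded into the order path. The example below is added here and is not TD Ameritrade’s or thinkorswim’s code; it contrasts that hard-coded check with validation against the venue’s published price limits, and adds a check for the lockout condition the complaint describes, where the client-facing system rejects a price the exchange would accept. The price band in it is constructed, not CME’s actual limits for that day.

```python
"""Constructed example of the failure mode alleged in the complaint: an
order validator that hard-codes 'price > 0' versus one driven by the
venue's published price limits. The band values are invented; this is
not TD Ameritrade's or thinkorswim's code."""
from dataclasses import dataclass
from decimal import Decimal
from typing import Callable, Union

Price = Union[Decimal, str]


class OrderRejected(ValueError):
    pass


@dataclass(frozen=True)
class PriceBand:
    """Daily tradeable range published by the venue; may extend below zero."""
    low: Decimal
    high: Decimal


def legacy_validate(price: Price) -> Decimal:
    """The baked-in assumption: a tradeable price is strictly positive."""
    price = Decimal(price)
    if price <= 0:
        raise OrderRejected(f"price {price} must be positive")
    return price


def band_validate(price: Price, band: PriceBand) -> Decimal:
    """Validate against the venue's limits instead of a hard-coded floor."""
    price = Decimal(price)
    if not band.low <= price <= band.high:
        raise OrderRejected(f"price {price} outside {band.low}..{band.high}")
    return price


def client_locked_out(validator: Callable[[Decimal], Decimal], price: Price,
                      band: PriceBand) -> bool:
    """True when the client-facing validator rejects a price the venue would
    accept, i.e. the client can no longer close the position unaided. That
    is the condition under which the broker's own risk desk has to act."""
    price = Decimal(price)
    if not band.low <= price <= band.high:
        return False  # nobody can trade there; not a client-side lockout
    try:
        validator(price)
    except OrderRejected:
        return True
    return False


# Constructed band, not CME's actual limits for April 20, 2020.
APRIL_20_BAND = PriceBand(Decimal("-50.00"), Decimal("50.00"))
```

The useful property of `client_locked_out` is that it can be run ahead of time against the venue’s limit notices: if the client-facing validator is stricter than the venue, the broker knows before the market gets there that it, not the client, will have to manage the exit.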

On December 17, 2020, the Court issued a decision [4] disagreeing with Plaintiff and dismissing the complaint. The Court held that Plaintiff failed to adequately plead scienter. More notably, the Court held that the complaint failed to allege that Plaintiff ever attempted to place a trade at a negative price, which left the complaint’s allegations of a false statement or omission (for lack of standing), reliance, and loss causation insufficient.

The Court went on to point out that Plaintiff’s account agreement granted Defendants “sole discretion” when liquidating positions where a client’s position had fallen in value, creating margin deficiencies, as they had in this instance.

Because the Court also granted TD Ameritrade’s request to compel arbitration, we may not have the benefit of a ruling on a second amended complaint. However, as we previously noted in our discussion of the dismissal in Kirschner v. JPMorgan, the recent trend of making increasingly complex securities and derivatives available to a broader population of the investing public may continue to generate litigation.


[1] Lindstrom v. TD Ameritrade, Inc., No. 1:20-cv-04028 (N.D. Ill.).

[2] 7 U.S.C. §§ 9 et seq.

[3] See, e.g., Chicago Mercantile Exch., Advisory 20-152, “CME Clearing Plan to Address the Potential of a Negative Underlying in Certain Energy Options Contracts” (Apr. 8, 2020), available at 

[4] Lindstrom, No. 1:20-cv-04028, Dkt. No. 52 (Dec. 17, 2020).

In 2020, the Financial Industry Regulatory Authority Inc. (FINRA) settled alleged rule violations with various large investment firms, including Merrill Lynch, Citigroup Global Markets Inc. (CGMI), Transamerica Financial Advisors, Inc. (TFA), and RBC Capital Markets, LLC (RBC), with the majority of the Letters of Acceptance, Waiver, and Consent in those matters being signed in just the past two months. What is notable is not that these firms were found to have violated FINRA’s rules but rather that the firms received what appeared to be significant credit for their “extraordinary cooperation” in identifying the disclosure violations, taking measures to correct them, and then reporting them to FINRA, all prior to detection or intervention by FINRA. Their actions mitigated whatever typical sanctions FINRA would assess for those rule violations.

FINRA provides credit for extraordinary cooperation. The organization has laid out what it deems to constitute extraordinary cooperation–i.e., proactive steps a member organization can take, both prior to and after FINRA intervention, that can reduce or completely eliminate sanctions that would otherwise be assessed for offending conduct–in a series of regulatory guidances, most recently in Regulatory Notice 19-23:

  1. Identifying and taking steps to correct deficient procedures and systems.
  2. Providing restitution to customers.
  3. Self-reporting violations.
  4. Providing substantial assistance to FINRA investigations.

The extraordinary cooperation credit can take many forms; if, for example, a problem has been fully remediated, FINRA may conclude that no enforcement action is necessary. In other matters, even if enforcement action is taken, the sanctions may be reduced–be it a reduced fine, formal discipline without a fine, or even FINRA forgoing an undertaking (such as requiring a member to hire an independent consultant to oversee the member’s operations) that might have otherwise been imposed. Whether credit is awarded depends on the specific facts of each case.

In Merrill Lynch’s case, the company engaged an outside consultant to identify customers who did not receive appropriate rebates and fee waivers, and it proactively made restitution to those individuals. The matter was resolved without a fine. TFA likewise was able to avoid a fine for its rule violations. TFA engaged an outside consultant to help identify customers who received misstatements about investment opportunities in 529 plans and provided FINRA with detailed information about the challenges associated with collecting and assessing 529 plan data. As for RBC, the company proactively discovered supervisory deficiencies in connection with its 529 plan offerings, revised its systems, and engaged an outside consultant to formulate an action plan to provide customers with restitution. The company received credit for its efforts. And CGMI received a corresponding credit for taking measures to identify and correct various disclosure violations and was also commended for offering substantial assistance to FINRA in investigating those violations by maintaining open, transparent lines of communication with the organization throughout the process and providing access to documents and information.

Whether or not to self-report is a fact-specific inquiry and should be guided by legal counsel familiar with the business and regulatory history of the firm. However, in order to be in a position to take advantage of the extraordinary cooperation credit, member firms should develop an internal system of guidelines providing for periodic self-audits to identify potential rule violations and internal procedures for reporting (internally) a suspected FINRA violation. It also bears mentioning that efforts to conceal misconduct, on the other hand, can cause FINRA to impose strict penalties for violations and should be discouraged.

A putative consumer class action filed in California state court on Friday the 18th against Petco Animal Supplies Stores Inc. (Petco) and its wholly owned subsidiary PupBox Inc. (PupBox) alleges that between February and August an “unauthorized plugin” on the PupBox website caused the personal and credit card information of approximately 30,000 consumers to be stolen by an unauthorized third party. The complaint asserts, on information and belief, that the cyberattack resulted from the defendants’ failure to encrypt payment card data (PCD) at the point of sale and/or that the defendants “failed to install updates, patches, and malware protection or to install them in a timely manner to protect against a data security breach; and/or failed to provide sufficient control employee credentials and access to computer systems to prevent a security breach and/or theft of PCD.” The complaint further alleges that although Petco first learned of the cyberattack in early August, PupBox customers were not notified of the breach until October, creating a two-month lag during which class members could have attempted to mitigate the damage caused by the breach. The lawsuit alleges violations of the Washington State Consumer Protection Act, the California Unfair Competition Law, the California Consumer Records Act, and common law claims for negligence, negligence per se, breach of implied contract, and unjust enrichment.

Data breaches can be costly to companies in more ways than one. In addition to having to hire a forensic investigator to investigate the breach, companies risk reputational damage, contractual disputes, class action litigation, and potential regulatory investigations. For those financial companies regulated by the federal Gramm-Leach-Bliley Act’s Safeguards Rule or the cybersecurity regulation of New York’s Department of Financial Services, the responsibility to secure sensitive information extends to their affiliates and service providers as well.

While cyber insurance policies can provide an array of coverages and are a must-have, preparation is your best defense against a cyberattack. Many financial companies are required to create and maintain an information security program as well as a safeguards compliance program. All companies should apply security patches at the first opportunity and actively monitor their systems for signs of unauthorized intrusion, including phishing attacks that trick employees into revealing passwords or other sensitive information. Sensitive data should be retained only for as long as necessary and stored encrypted, with access limited to those who need it. Contracts with service providers should mandate strong data security practices as well. The time and effort expended on data protection have proven to be well worth the investment.
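Two of the checks that active monitoring implies for the kind of intrusion alleged in the PupBox complaint can be written down concretely: a diff of installed plugins against an approved baseline, and an audit of the scripts a checkout page actually serves. The example below is added here and is not Petco’s, PupBox’s or any e-commerce platform’s code; its plugin inventories, hostnames and page HTML are constructed, and the three finding categories are the author’s choice of what a checkout-page review should surface.

```python
"""Constructed example of two monitoring checks that would surface an
unauthorized plugin or an injected script on a checkout page: an inventory
diff against an approved baseline, and an audit of the script tags the page
serves. The inventories, hostnames and HTML are invented; this is not
Petco's or PupBox's code."""
from html.parser import HTMLParser
from typing import Dict, List, Tuple
from urllib.parse import urlparse

Inventory = Dict[str, Tuple[str, str]]   # plugin name -> (version, sha256 of files)


def diff_inventory(baseline: Inventory, current: Inventory) -> Dict[str, List[str]]:
    """Report plugins absent from the approved baseline and plugins whose
    version or file hash differs from it. A 'changed' entry may be a
    legitimate update; it still has to be approved into the baseline."""
    unknown = sorted(set(current) - set(baseline))
    changed = sorted(n for n in current if n in baseline and current[n] != baseline[n])
    return {"unknown": unknown, "changed": changed}


class _ScriptTags(HTMLParser):
    """Collects the attributes of every <script> start tag, in document order."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: List[Dict[str, str]] = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.tags.append({k: (v or "") for k, v in attrs})


def audit_scripts(html: str, allowed_hosts) -> List[Tuple[str, str]]:
    """Flag external scripts from hosts outside the allowlist, allowed scripts
    served without Subresource Integrity, and inline scripts (which a
    checkout page should rarely need and a reviewer should read)."""
    parser = _ScriptTags()
    parser.feed(html)
    findings: List[Tuple[str, str]] = []
    for attrs in parser.tags:
        src = attrs.get("src")
        if src is None:
            findings.append(("inline-script", ""))
            continue
        host = (urlparse(src).hostname or "").lower()
        if host not in allowed_hosts:
            findings.append(("unknown-host", src))
        elif not attrs.get("integrity"):
            findings.append(("no-sri", src))
    return findings


# Constructed sample data, not taken from any real site.
APPROVED_PLUGINS: Inventory = {"checkout-core": ("4.2.1", "aa11"), "reviews": ("1.0.3", "bb22")}
INSTALLED_PLUGINS: Inventory = {"checkout-core": ("4.2.1", "aa11"), "reviews": ("1.0.3", "ff99"),
                                "seo-helper": ("0.9", "cc33")}
ALLOWED_HOSTS = {"shop.example", "cdn.example"}
CHECKOUT_PAGE = """
<html><body>
<script src="https://cdn.example/checkout.js" integrity="sha384-AAAA" crossorigin="anonymous"></script>
<script src="https://cdn.example/analytics.js"></script>
<script src="https://static-cdn-metrics.example.net/loader.js"></script>
<script>window.__cfg = {};</script>
</body></html>
"""
```

Run on a schedule from a host other than the web server (so a compromised server cannot quietly rewrite the baseline), the inventory diff catches a plugin that was never approved and a plugin whose files changed underneath an unchanged version number, and the page audit catches the script a skimmer has to load from somewhere. Neither check replaces patching; they shorten the window between compromise and notice, which is exactly the window the complaint puts at two months.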