Digest 6.20.2019 The State AG Report Weekly

Consumer Protection

California Attorney General Sues Country Club Owners and Operators Over Allegedly Failing to Repay Deposits to Members

  • California AG Xavier Becerra filed a lawsuit against country club owners and operators ClubCorp Holdings, Inc., ClubCorp Club Operations, Inc., CCA Club Operations Holding, LLC, ClubCorp USA, Inc., and their subsidiaries and affiliates (collectively, “ClubCorp”) over allegations that they failed to repay deposits owed to their members under membership agreements in violation of the state’s Unfair Competition Law and False Claims Act.
  • According to the complaint, ClubCorp allegedly failed to return over $10 million in membership initiation deposits to members as required by membership contracts or, if members could not be located, escheat their deposits to the state Controller’s Office (“SCO”); counted members’ deposits as part of their assets; and omitted the deposits in reports to the SCO.
  • The complaint seeks injunctive relief, restitution, civil penalties, damages, and attorney’s fees and costs.

FTC Holds Hearing on Competition and Consumer Protection Featuring Attorneys General and Staff

  • The Federal Trade Commission (“FTC”) held its final session of its Hearings on Competition and Consumer Protection in the 21st Century, which featured Nebraska AG Doug Peterson, Louisiana AG Jeff Landry, South Dakota AG Jason Ravnsborg, and Tennessee AG Herbert Slatery, as well as senior consumer protection, antitrust, and data privacy staffers.
  • According to reports, the AGs and staff discussed the need for greater federal and state involvement in protecting competition in the technology industry and increasing transparency regarding use of personal data, among other things.
  • As previously reported, the National Association of Attorneys General submitted comments to the FTC, signed by a bipartisan coalition of 43 AGs, noting similar antitrust and data privacy concerns.

Data Privacy & Security

New York Legislature Passes Bill Expanding Data Security and Consumer Privacy Protections

  • The New York Legislature passed the Stop Hacks and Improve Electronic Data Security (“SHIELD”) Act, submitted by New York AG Letitia James, that would expand the state’s data breach law and Internet Security and Privacy Act.
  • The bill, S5575B, expands the definition of “personal information” to include additional information such as biometric information, email addresses, and corresponding passwords or security questions and answers; expands the definition of “data breach” to include unauthorized access to private information; applies data breach notification requirements to any entity that owns or licenses data containing private information of a state resident; and specifies reasonable data security requirements depending upon the size of a business.
  • The bill is pending the Governor’s signature and, if signed, will go into effect 90 days after enactment, except for the section of the bill applying data breach notification requirements to additional entities, which will go into effect 240 days after enactment

FTC Settles With Auto Dealer Software Provider Over Allegedly Failing to Protect Consumers’ Personal Information

  • The Federal Trade Commission (“FTC”) reached a settlement with auto dealer software provider LightYear Dealer Technologies, LLC d/b/a DealerBuilt (“DealerBuilt”) to resolve allegations that it failed to protect consumers’ personal information in violation of the FTC Act and Safeguards Rule of the Gramm-Leach-Bliley Act.
  • According to the complaint, DealerBuilt allegedly failed to impose access controls or authentication protections for personal and financial data it stored and transmitted, failed to address an insecure connection to its backup network for 18 months, failed to perform adequate vulnerability testing, and failed to develop and implement written information security policies, allegedly leading to a breach of its backup database in October 2016.
  • Under the terms of the decision and order, DealerBuilt must cease maintaining consumers’ personal information until it implements a comprehensive information security program and submit to the FTC biennial third-party assessments of its information security program, among other things.

FTC Warns that Claims of “Participation” in International Privacy Frameworks Are False Unless Participation Is Certified

  • The Federal Trade Commission (“FTC”) reached a settlement with background screening company SecurTest, Inc. and issued warning letters to 15 other companies over allegations that they falsely claimed compliance with international privacy requirements in violation of the FTC Act.
  • According to the complaint, SecurTest allegedly falsely claimed on its website that it participated in the European Union (“EU”)-U.S. Privacy Shield and Swiss-U.S. Privacy Shield frameworks—which establish processes to allow companies to transfer consumer data from those foreign jurisdictions to the United States in compliance with those jurisdictions’ laws—when, in reality, it never received certification of compliance with the frameworks.
  • Under the terms of the decision and order, SecurTest is enjoined from misrepresenting its participation in either framework and must monitor compliance with the terms of the order.
  • In letters to 15 companies, the FTC warned the companies that claims of “participation” in international privacy frameworks, including the U.S.-EU Safe Harbor and U.S.-Swiss Harbor frameworks and the Asia-Pacific Economic Cooperation (“APEC”) Cross-Border Privacy Rules system, when they are not in fact certified participants, are false and violate the FTC Act. The letters instruct the companies to remove the claims from all of their public documents.

FTC Releases Agenda For Fourth Annual Workshop on Consumer Privacy and Data Security

  • The Federal Trade Commission (“FTC”) released the agenda for its fourth annual PrivacyCon, a workshop on research and trends related to consumer privacy and data security.
  • The agenda details four sessions of presentations and discussions on topics such as privacy policies, disclosures, and permissions; the impact of the European Union General Data Protection Regulations on web privacy; consumer preferences, expectations, behaviors, and understanding and attitudes about digital privacy and online tracking; online advertising; mobile applications; and data vulnerabilities, leaks, and breach notifications.
  • PrivacyCon 2019 will take place on June 27, 2019, at the Constitution Center in Washington, D.C., and is open to the public.


California Attorney General Settles With Automotive Replacement Parts Retailer and Distributor Over Allegedly Improper Disposals of Hazardous Waste and Consumer Personal Information

  • California AG Xavier Becerra reached a settlement with automotive replacement parts retailer and distributor AutoZone, Inc. over allegations that it disposed of hazardous and universal waste at unauthorized landfills in violation of the state’s Hazardous Waste Control Law and Consumer Privacy Act.
  • According to the final judgment and permanent injunction on consent (“Consent Judgment”), AutoZone allegedly disposed of hazardous and universal waste—including batteries, aerosol cans, electronic devices, and receptacles containing auto fluids—at landfills not authorized to accept hazardous waste, allowed its customers to deposit hazardous auto fluids and other waste into trash containers in its stores’ parking lots, and disposed of customers’ records without rendering customers’ personal information unreadable.
  • Under the terms of the Consent Judgment, AutoZone must pay $8.9 million in civil penalties, $1.35 million towards environmental projects, and $750,000 to reimburse investigative and enforcement costs, but may earn a $1 million credit towards the penalties by undertaking at least $2 million in environmental enhancement work not required by law, among other things.

False Claims Act

Maryland Attorney General Settles With Information Technology Companies Over Allegedly Misrepresenting Software to State Health Benefit Exchange

  • Maryland AG Brian Frosh and the U.S. Department of Justice (“DOJ”) reached separate settlements with Curám Software Ltd. and Curám Software, Inc. (collectively, “Curám”) and its parent, International Business Machines Corporation (“IBM”) over Curám’s role, as a subcontractor, in the failed launch of Maryland’s health exchange website in violation of the federal and state False Claims Acts.
  • According to the settlement agreement, Curám allegedly failed to deliver on what it promised, resulting in the botched development and launch of the website, which crashed shortly after launching in October 2013.
  • Under the terms of the settlement agreement, the parties must pay $2.8 million to the state, which includes restitution and will accrue interest, and pay $12 million to the United States.
  • As previously reported, AG Frosh reached a settlement in 2015 with Noridian Healthcare Solutions LLC, the lead contractor hired to build the state’s health exchange website, over similar allegations.

For-Profit Colleges

45 Attorneys General and CFPB Settle With Lender Over Allegedly Offering Deceptive Student Loans

  • 45 AGs, led by Kentucky AG Andy Beshear, and the Consumer Financial Protection Bureau (“CFPB”) reached separate settlements with lender Student CU Connect CUSO, LLC (“CUSO”) to resolve allegations that it offered deceptive loans to students in violation of the federal Dodd-Frank Wall Street Reform and Consumer Financial Protection Act of 2010 and the states’ and the District of Columbia’s unfair trade practices and consumer protection laws.
  • According to the AGs’ assurance of voluntary compliance (“AVC”) and the CFPB’s complaint, CUSO allegedly issued loans to students of for-profit college ITT Technical Institute (“ITT Tech”) who it knew were likely to default on their loans, did not understand the terms of their loans, or did not realize they had taken out loans.
  • Under the terms of the AGs’ AVC and the CFPB’s proposed stipulated judgment, CUSO must forgive over $168 million in debt for former ITT Tech students, cease collecting on and discharge outstanding loans, and seek deletion of tradelines in students’ credit reports relating to these loans.


New York Attorney General Issues Cease and Desist Letters to 44 Pharmacies Over Allegedly Failing to Post Prices for Commonly Prescribed Drugs

  • New York AG Letitia James issued cease and desist letters to 44 pharmacies over allegations that they failed to post prices of commonly prescribed drugs in violation of the state’s consumer protection law.
  • According to the AG’s office, the pharmacies allegedly failed to maintain and update weekly the list of prices of the most commonly prescribed drugs (the “Drug Retail Price List”) and post conspicuous signage notifying consumers that the list is available for their review.
  • The letters, which are not publicly available, reportedly demand that the pharmacies come into full compliance within 15 days of receipt of the letter.


New York Attorney General Settles With Fuel Supplier Over Allegedly Failing to Deliver Fuel to Consumers

  • New York AG Letitia James reached a settlement with fuel supplier Ferrellgas Partners LP (“Ferrellgas”) to resolve allegations that it failed to deliver fuel to consumers. The AG’s office and news reports do not disclose the statutory authority the AG asserted to reach this settlement.
  • According to the AG’s office, Ferrellgas allegedly failed to deliver fuel to consumers, causing consumers to nearly or completely run out of fuel, and failed to provide live customer service for consumers to contact.
  • According to the AG’s office, under the terms of the settlement, Ferrellgas must pay $75,000 in costs to the AG’s office, compensate consumers who experienced a disruption to their fuel supply, reimburse consumers for certain disruption-related expenses, increase its fuel storage capacity in the state, expand its customer service operations at certain locations, and obtain additional trucks to ship and deliver fuel.