Alston & Bird Consumer Finance Blog


Wave Goodbye to the Waiver Debate: Court Holds Data Breach Investigation Report Not Work Product from the Start

Litigants in data breach class actions often fight over whether a data breach investigation report prepared in response to the breach is protected by the work-product doctrine. Common areas of dispute include whether the report was prepared in whole or in part for business—not legal—purposes, and whether the report relays facts that are not discernible from other sources. The fight becomes even more complicated, however, when the company that suffered the data breach is required to provide the report to regulators.

For example, in the mortgage industry, mortgagees regulated by the Multistate Mortgage Committee (MMC) are required to provide a “root cause report” following a data breach. Similarly, under Mortgagee Letter 2024-10, FHA-approved mortgagees must notify HUD of a cybersecurity incident and provide the cause of the incident. These reporting obligations involve production of information to regulators that typically overlaps with the content of data breach investigation reports.

Traditionally, one might think that disclosure of an investigation report (or its contents) to a regulator was a question of waiver. But recently, a federal district court in the Southern District of Florida bypassed the waiver analysis entirely by holding that reports provided to regulators weren’t protected by the work-product doctrine because they were primarily created for regulatory compliance rather than in anticipation of litigation, even though, factually, they weren’t originally created for the purpose of regulatory compliance.

What Happened?

In a recent decision in a data breach litigation against a national mortgage loan servicer, the court considered whether investigative reports prepared by cybersecurity firms were protected under the work-product doctrine. These reports were initially withheld from discovery on the familiar grounds that they were prepared in anticipation of litigation following a data breach. But the plaintiffs argued that because the reports were disclosed to mortgage industry regulators, any work-product protections were waived.

Rather than address the waiver issue, the court analyzed whether the documents were privileged in the first place under the dual-purpose doctrine, which assesses whether a document was prepared in anticipation of litigation or for other business purposes. Under this doctrine (adopted by the First, Second, Third, Fourth, Sixth, Seventh, Eighth, Ninth, and D.C. Circuits), a document is protected if it was created “because of” the anticipated litigation, even if it also serves an ordinary business purpose. Notably, the court found that the reports were primarily created to comply with regulatory obligations, specifically those imposed by the MMC, even though they’d initially been prepared in anticipation of litigation. In the court’s view, the unredacted submission of the reports to the MMC, when demanded, evidenced that the predominant purpose for their creation was regulatory compliance.

The court ended with the suggestion that the defendants could have avoided this issue by creating a separate document for regulatory compliance, omitting sensitive findings related to litigation. Aside from this suggestion, there does not appear to be a legal framework under which the disclosed reports would have been protected work product, at least in the court’s view.

Why Does it Matter?

The district court’s decision creates a new challenge for breach victims seeking to protect investigation reports from disclosure under the work-product doctrine. A key purpose of the doctrine is to allow parties to engage in pre-litigation investigations without the fear of disclosure. Data breach victims dealing with regulators have historically had to manage the risk that disclosing investigation reports (in whole or in part) to regulators could result in litigation over whether work-product protections were waived. But the decision appears to raise the stakes. The risk of disclosure is not limited to a waiver analysis, where parties can defend the disclosure based on the circumstances of the compelled disclosure and can rely on law requiring the narrow construction of privilege waivers. Now, parties must also consider whether using a report for a non-litigation purpose after the fact will lead to the conclusion that the report wasn’t prepared for litigation at all and therefore not privileged in the first place.

What Do I Need to Do?

Because this decision is by a federal district court, this is an area that should be monitored to determine whether a trend develops around the court’s rationale. And in the interim, the best option seems to be to follow the court’s suggestion: create separate documents for regulatory compliance and litigation purposes.

It is, of course, important to maintain a good relationship with regulators to try to circumvent these issues, but the two-report approach is a practical way to preempt the issue entirely. The reality is that many litigation-related items do not need to be submitted in a regulatory report. For example, an emerging issue in the cybersecurity space is whether following a data breach, the company that suffered the breach should bring claims against other related parties. Analyzing the merits of this type of litigation is plainly covered by the work-product doctrine but is not needed for regulatory reports. Thus, by following the two-report approach, sensitive findings related to that potential litigation can be omitted from the regulatory report, preserving the work-product protection for the litigation-related document. This approach could help companies navigate the complexities of dual-purpose documents and maintain the intended protections of the work-product doctrine.

The End of Disparate Impact Liability?

On April 23, 2025, President Trump signed an Executive Order entitled “Restoring Equality of Opportunity and Meritocracy,” which seeks to “eliminate the use of disparate-impact liability in all contexts to the maximum degree possible.”

This sweeping eradication of the disparate impact theory is not surprising. Indeed, the Consumer Financial Protection Bureau (CFPB) under the first Trump Administration (Trump I) strongly questioned the doctrine and ultimately brought no disparate impact enforcement actions. Further, the Trump I CFPB rescinded Bulletin 2013-02, in which the CFPB had previously asserted that indirect auto lenders may be held liable under the legal doctrines of both disparate treatment and disparate impact for disparities in their portfolio. What’s more, the Congressional resolution rescinding the Bulletin further prevented the CFPB “from ever reissuing a substantially similar rule unless specifically authorized to do so by law.” In addition, the CFPB under Trump I challenged the validity of the disparate impact theory under the Equal Credit Opportunity Act (ECOA) in light of the U.S. Supreme Court’s 2015 ruling in Texas Department of Housing v. Inclusive Communities Project Inc., which applied the disparate impact theory under different language found in the Fair Housing Act. And earlier this year, Attorney General Bondi ordered the U.S. Department of Justice (DOJ) to issue updated guidance that “narrow[s] the use of ‘disparate impact’ theories that effectively require use of race- or sex-based preference.”

Nonetheless, the language of the Executive Order is stark: “It is the policy of the United States to eliminate the use of disparate-impact liability in all contexts to the maximum degree possible to avoid violating the Constitution, Federal civil rights laws, and basic American ideals.” To that end, the Executive Order boldly demands that all agencies “deprioritize enforcement of all statutes and regulations to the extent they include disparate-impact liability.”

What is the Disparate Impact Theory?

Disparate impact is a theory of discrimination applied when a facially neutral practice has a statistically significant impact on a protected group. According to the Executive Order, “disparate-impact liability” creates “a near insurmountable presumption of unlawful discrimination … where there are any differences in outcomes in certain circumstances among different races, sexes, or similar groups, even if there is no facially discriminatory policy or practice or discriminatory intent involved, and even if everyone has an equal opportunity to succeed.” The order criticizes disparate-impact liability as “all but requir[ing] individuals and businesses to consider race and engage in racial balancing to avoid potentially crippling legal liability.” Thus, according to President Trump, disparate-impact liability prevents employers from “act[ing] in the best interests of the job applicant, the employer, and the American public” and undermines “meritocracy,” “a colorblind society,” and “the American Dream.”

Civil rights advocates, on the other hand, argue that the Trump Administration misstates the disparate impact legal theory and effectively instructs the government to stop enforcing key civil rights protections in the workplace, at schools, and throughout society – the latter of which includes the offering of loans and other consumer financial products and services. Does this Executive Order then mean that lenders can once again impose facially neutral policies that traditionally have been viewed as discriminatory under the disparate impact theory, such as increased minimum loan amount requirements (beyond investor and agency thresholds) or practices that exclude self-employment income?

What Does the Executive Order Mean for Financial Services Enforcement?

As stated previously, the Executive Order directs all federal agencies to deprioritize enforcement of all statutes and regulations to the extent they include disparate impact liability. Consequently, the Executive Order also instructs all heads of federal agencies, including the CFPB and the U.S. Department of Housing and Urban Development (HUD), to evaluate all pending proceedings relying on disparate impact theories and “take appropriate action” within 45 days. Agencies must conduct a similar review of “consent judgments and permanent injunctions” within 90 days.

The above indicates that federal agencies may not pursue fair lending actions rooted in disparate impact – at least for a while. The Executive Order even attempts to curtail state actions by requiring the Attorney General, “in coordination with other agencies,” to determine whether state laws imposing disparate impact liability are preempted. Of course, private litigation is still a real tool for consumer complainants. And federal agencies may still look to the disparate treatment theory to pursue and remediate potential fair lending violations under ECOA, the Fair Housing Act, and other federal statutes. Further, certain federal claims, more recently characterized (or mischaracterized) as disparate impact, such as pricing discrimination, may continue to be brought, but as newly and perhaps more appropriately packaged disparate treatment claims.

What Does the Executive Order Mean for Financial Services Compliance?

Given the potential for private litigation and increased interest by the states in light of federal deprioritization – not to mention the fact that the statute of limitations for most federal fair lending violations can be up to five (5) years – lenders should continue to conduct their routine fair lending monitoring and testing, which seeks to detect disparities among statutorily protected groups. Frankly, this testing alone cannot identify whether any disparities are due to discrimination, much less whether the discrimination was of the disparate treatment or disparate impact variety (though the results are more likely to detect disparate impact discrimination than isolated instances of discriminatory treatment). Nevertheless, the results of monitoring and testing provide lenders with a starting point for assessing their policies, procedures, and practices for fair lending compliance. One question that remains, however, is whether lenders should add White as a racial category in their monitoring efforts.

Are You Ready for the Corporate Transparency Act’s Filing Deadline?

As the new year approaches, so does an important deadline: although January 1, 2025, is the date by which non-exempt companies formed prior to 2024 must file a Beneficial Ownership Information (BOI) Report with the Financial Crimes Enforcement Network (FinCEN) under the Corporate Transparency Act (CTA), we recommend that affected entities file BOI Reports no later than December 31, 2024.

Enacted in 2021, and effective January 1 of this year, the CTA aims to combat illicit financial activity by requiring certain businesses operating in or accessing U.S. markets to provide ownership information on associated individuals.

Looking forward from January 1, non-exempt companies must file BOI reports: (a) within 30 days of entity formation; and (b) within 30 calendar days of changes to any information provided in the initial or a subsequent BOI report.

Alston & Bird has previously reported on the CTA’s requirements, and is happy to assist clients who have questions regarding their initial and ongoing filing obligations under the CTA.

Shareholders Sharpen Focus on AI-Related Securities Disclosures

What Happened?

As Alston & Bird’s Securities Litigation Group reported, the number of securities class actions based on AI-related allegations is rising. With six new filings in the first half of 2024 and at least five more identified by the authors since, a new trend of AI lawsuits has emerged. This trajectory is likely to continue alongside increased AI-related research and development spending in the coming years.

Why Is It Important?

A recent proposed rule and several enforcement actions indicate that the Securities and Exchange Commission (“SEC”) has a growing appetite for regulating AI-specific disclosures, and that shareholders’ interest in AI-related claims is growing as well. In this environment, it is imperative that companies remain cognizant of their public statements on AI.

Last year, the SEC proposed a rule that would govern AI use by broker dealers and investment advisers. Although the rule is not yet final, the agency has pursued several AI-related enforcement actions with its authority to regulate false or misleading public statements.

Thus far, the SEC’s enforcement actions have been limited to companies whose public statements on AI usage were at issue. These companies allegedly claimed to use a specific AI model to elevate their customer offerings but could not provide any evidence of their AI implementation when questioned by the SEC.

Those previous actions do not necessarily mean that a company’s ability to prove it implemented AI technology in some form will be enough to avoid scrutiny or liability. Investor plaintiffs targeting companies’ AI disclosures represent a new frontier of potential risk for companies and their directors and officers.

What To Do Now?

Companies should consider whether the board’s audit or risk committees should be tasked with understanding the company’s AI use and considering associated disclosures, in addition to any privacy and confidentiality concerns that arise. Companies can identify their AI experts to properly vet any proposed technical disclosures on AI to confirm the disclosures are accurate. The key is to make sure AI disclosures and company claims about AI prospects have a reasonable basis that’s adequately disclosed.

Companies should also aim to create and maintain appropriate risk disclosures. When disclosing material risks related to AI, risk factors become more meaningful when they are tailored to the company and the industry, not merely boilerplate.

Consumer Finance State Roundup

The latest edition of the Consumer Finance State Roundup features recently enacted measures of potential interest from Colorado and South Carolina:

  • Colorado: Effective May 17, House Bill 24-1011 (2024 Colo. Sess. Laws 189) adds new Section 38-40-106 to the Colorado Revised Statutes addressing requirements for mortgage servicers with respect to the disbursement of insurance proceeds in connection with mortgaged residential property.

First, the new section sets forth certain actions that mortgage servicers must take regarding disbursement of insurance proceeds to borrowers. Upon a borrower’s request, a mortgage servicer must promptly disclose to the borrower specific conditions under which it will disburse insurance proceeds to the borrower in the event a residential property subject to a mortgage is damaged or destroyed and an insurance company pays insurance proceeds to satisfy a claim for such damage or destruction. Next, upon receipt from a borrower of a “repair plan” or a “rebuild plan” (either of which the borrower must develop in consultation with a contractor), a mortgage servicer has 30 days to approve or deny such plan. A repair plan or rebuild plan must include specific milestones, enumerated in the new section, that require the mortgage servicer to disburse insurance proceeds in certain amounts upon meeting those milestones.

Second, immediately when it begins servicing a borrower’s mortgage and upon the borrower’s request thereafter, a mortgage servicer must disclose to the borrower the interest rate associated with the mortgage and provide the borrower with contact information of a primary point of contact for communication with the mortgage servicer.

Finally, the measure makes conforming amendments to the Non-bank Mortgage Servicers Act by adding new Section 5-21-107.5, and repeals Section 10-4-112 as it pertains to property damage and time of payment provisions.

  • South Carolina: Effective November 21, Senate Bill 700 enacts the “South Carolina Earned Wage Access Services Act” (the “Act”), S.C. Code Ann. §§ 39-5-810 et seq. For purposes of the Act, “earned wage access services” means “the business of providing consumer-directed wage access services [“offering or providing earned wage access services directly to consumers”] or employer-integrated wage services.” In addition to administrative provisions (e.g., application, recordkeeping, and reporting requirements), we note the following:

First, the Act requires a “provider” – a business entity that will engage in the business of providing earned wage access services to consumers – to register with the South Carolina Department of Consumer Affairs (“Department”). However, the Act does not apply to entities doing business under South Carolina or federal laws relating to banks, credit unions, savings and loan associations, savings banks, or trust companies.

Second, the Act sets forth compliance obligations for a provider. Among other requirements, a provider must: (a) develop and implement policies and procedures to respond to questions raised by consumers and address any consumer complaints in an expedient manner; and (b) offer a consumer at least one reasonable option to obtain proceeds at no cost to the consumer, and clearly explain to the consumer how to elect such no-cost option.

Third, the Act prohibits a provider from engaging in certain conduct, such as charging a late fee, interest, or any other penalty or charge for failure to repay outstanding proceeds.