Second Circuit guts jury verdict with post-trial decertification

Given the low probability that a class action will go to trial and the high probability that a settlement favorable to plaintiffs and their attorneys will be reached after class certification, there is a consistent “race to certification” in many consumer class action matters. The plaintiffs’ bar frequently frames claims with an eye towards meeting Rule 23 requirements, with little regard to whether or not the evidence actually exists to prove the merits of the claims.

While many defendants are disheartened when a class is certified, a recent decision out of the Second Circuit reminds that certification is not the coup de gras of any defense, and plaintiffs are always at risk (even after trial), of losing this status.

In Mazzei v. The Money Store, plaintiff Joseph Mazzei brought claims against The Money Store (a loan servicer and mortgage lender), alleging breach of contract for the assessment of late fees after his defaulted loan was accelerated (i.e., the entire sum of principal and interest was due). Mazzei argued that “post-acceleration” late fees violated the terms of the mortgage loan.

Based on these claims, Mazzei sought and obtained certification of a national class of borrowers whose loans were either owned or serviced by The Money Store. He prevailed on his late fee claims at a jury trial, obtaining a class award of approximately $32 million plus prejudgment interest. However, after the jury verdict and before entry of final judgment, The Money Store successfully moved to decertify the class, on the grounds that Mazzei’s failure to prove privity of contract for absent class members failed to meet Rule 23 requirements of typicality and predominance. This ruling left Mazzei, although successful at trial, an award of only $133.80.

Unsurprisingly, Mazzei appealed the decertification, arguing that 1) decertification is unavailable after a jury trial, 2) decertification findings were incompatible with the Seventh Amendment, and 3) Rule 23 elements were satisfied. The Second Circuit ruled against Mazzei on all three grounds.

First, the Court found that decertification could be granted at any time prior to final judgment. The panel cited the “affirmative duty” of the district court to monitor its class decisions because the results of class proceedings are “binding on absent class members.” Rule 23, the Court held, not only authorized decertification after trial, but the process was “corollary” to the rule’s purpose.

The Court was also not persuaded that decertification after trial impugned any parties’ Seventh Amendment right to a jury trial. Mazzei was able to present his claims to the jury. And absent class members’ right to a jury trial was not impaired because they were still able to file individual claims, since the statute of limitations on any action was tolled up until decertification.

Finally, decertification was justified because the district court had the power to determine that the jury’s factual findings supporting certification were “seriously erroneous,” a “miscarriage of justice,” or “egregious.” The Second Circuit panel agreed with the district court’s assessment that Mazzei was not typical of class members whose loans were serviced (not owned) by The Money Store, and common issues did not predominate because fact-finders would have to look at every class member’s loan documents to determine whether there was privity of contract. Based on the lack of classwide evidence of privity of contract, Rule 23 was not satisfied.

The Court further refused to create subclasses of individuals whose loans were owned by The Money Store, and those whose loans were merely serviced by the company. There was no evidence in the record to enable the Court to determine what types of loans each of the class members had, making subclasses impossible to determine.

This decision is a powerful reminder that a class can be decertified at any stage in a litigation, enabling defendants to snatch victory from the jaws of defeat after a disfavorable jury verdict. Hopefully, plaintiffs will become more thoughtful about their cases, with the realization that making factual allegations to get past class certification will do them no good if they can’t back them up.

New PCI requirements for retailers

For retailers that accept credit or debit cards and use service providers, a new version of the PCI Data Security Standards (PCI DSS v3.2) will impose new requirements as of November 1, 2016.

The Payment Card Industry (PCI) Security Standards Council issued “clarifications” and “evolving requirements” in the new version. Clarifications are changes to ensure “that concise wording in the standard portrays the desired intent of the requirements.” Evolving requirements aim to “ensure that the standards are up to date with emerging threats and changes in the market.”  The Council also issued guidance as part of the new standards.

Altogether, there are 44 clarifications and 12 evolving requirements. Although every change can be  important, this post focuses on the 12 evolving requirements.

November 1, 2016 Compliance Date

  • Section 3: adopts a “minimum necessary” standard for Permanent Account Number (PAN) display. The display would usually be limited to only the last 4 digits of the PAN or, if a bank identification number is needed, only the first 6 digits of the PAN.
  • Section 8.3: requires multi-factor authentication for all access that is “individual non-console administrator access” and all remote access to the cardholder data environment. Note that the guidance specifies that multi-factor authorization is not required at both the system level and application level for any particular system component.
  • Section 8.3.2: requires multi-factor authentication for “all remote network access originating from outside the entity’s network [both user and administrator, and including third party access for support or maintenance].” Per the guidance, this requirement applies to any remote access “when that remote access could lead to access to the cardholder data environment.”  The guidance also recommends (but does not require) multi-factor authentication for all remote access to the entity’s network.

January 31, 2018 Compliance Date

While these new requirements have a long lead time, the new standards describe them as “best practices” until the compliance date.

  • Section 3.5.1: requires service providers to maintain a documented description of their cryptographic architecture. This documentation includes details of algorithms, protocols, and keys (key strength, expiry date, and usage). It also includes hardware security modules and secure cryptographic devices for key management. Service providers must maintain current documentation to help service providers detect missing keys and identify unauthenticated additions to the cryptographic architecture.
  • Section 6.4.6: mandates updated documentation, including network diagrams, system configurations, and vulnerability scanning for any new or changed systems and networks.
  • Section 8.3.1: requires multi-factor authentication for administrator non-console access into the cardholder data environment. Per the guidance, this requirement does not apply to application or system accounts performing automated functions.
  • Section 10.8: requires service providers to establish processes for timely detection and reporting of failures of critical security control systems, such as firewalls, anti-virus systems, physical access controls, and audit logging.
  • Section 10.8.1: requires service providers to respond in a timely fashion to failures of the critical security control systems.
  • Section requires service providers that elect to use segmentation to test every six months and after changes to segmentation controls/methods. The tests are reviews of the twice-yearly (at least) penetration tests.
  • Section 12.4.1: requires service provider executive management to establish responsibility for protection of cardholder data and a PCI DSS compliance program, including a charter and communication to executive management.
  • Section 12.11: requires service providers to perform reviews (at least quarterly) to confirm that personnel are following security policies and operational procedures. These reviews must include:  (1) daily log reviews; (2) firewall rule-set reviews; (3) applying configuration standards to new systems; (4) responding to security alerts; and (5) change management processes.  Testing procedures include interviews of responsible personnel.
  • Section 12.11.1: requires service providers to document the quarterly review process in Section 12.11, including the results of the reviews and sign-off by the personnel assigned responsibility for the PCI DSS compliance program.

The mysterious world of green chemistry: Maine’s green chemistry law

Continuing our review of state green chemistry laws, Maine’s Safer Chemicals in Children’s Products Act primarily requires reporting the use of specified chemicals in certain children’s products based on risk and hazard criteria, although it may be used to restrict or ban use. Manufacturers of certain children’s products that contain specified chemicals must submit a one-time report to the Maine Department of Environmental Protection. The SCCP defines “manufacturers” as the domestic manufacturer or brand holder, and the importer or first domestic distributor if the manufacturer does not have a US presence.

Chemical Lists

The Department maintains three chemical lists based on risk and hazard criteria. The first list, “chemicals of concern,” includes approximately 1400 chemicals identified by other lists (such as those from EPA, the EU, and Proposition 65) as carcinogens, reproductive toxins, or endocrine disruptors. From this list, 49 chemicals make the second list, called “chemicals of high concern,” because they are found to be (1) present in human blood, breast milk, urine, or tissue; or (2) present in a home environment (e.g., in dust, indoor air, drinking water); or (3) added to or present in consumer products used in the home. Chemicals of high concern may then be placed on the third list, “priority chemicals,” based on factors such as pervasiveness of use, presence in the environment, and prohibition of use in other states.

Priority Chemicals

Priority chemicals are subject to reporting requirements and possibly other restrictions. The Department publishes these requirements in conjunction with adding a chemical to the priority chemicals list. Reports are required either for an intentionally-added priority chemical or the presence of a priority chemical above de minimis levels, defined as 100 parts per million. Please note that priority chemicals in a product above 100 ppm as the result of contamination do not require a report if the manufacturer has legitimate manufacturing control processes in place.

The current priority chemicals and requirements are:

  • Arsenic
  • Cadmium
  • Mercury

Manufacturers must report the presence of any of these chemicals above 100 parts per million in children’s accessories, bedding, childcare articles, clothing, cosmetics, costumes, craft supplies, footwear, games, jewelry, personal care products, safety seats, school supplies, and toys.

  • Bisphenol A

The sale of reusable food and beverage containers, baby food packaging, and infant formulate packaging made with BPA is prohibited.

Manufacturers must report the presence of BPA above 100 parts per million in toys, child care articles, and tableware.

  • Formaldehyde

Manufacturers must report the presence of any intentionally-added formaldehyde in children’s accessories, bedding, childcare articles, clothing, cosmetics, costumes, craft supplies, footwear, games, jewelry, personal care products, safety seats, school supplies, and toys.

  • Nonylphenol and Nonylphenol Ethoxylates

Manufacturers must report the present of NP/NPE above 100 ppm in household and commercial cleaning products, cosmetics, personal care products, and home maintenance products.

  • Phthalates

Manufactures must report the presence of any intentionally-added DEHP, DBP, DEP, or BBP in children’s clothing, footwear, craft supplies, cosmetics and personal care products, home cleaning products, furniture and furnishing, and accessories and jewelry, as well as building and home maintenance products with which children may have direct contact.


If a report is required, manufacturers have 30 days after the product first becomes available for purchase in Maine to submit the report.

Report information includes:

  • Name and address of the manufacturer
  • Name, address, and phone number of a contact person for the manufacturer
  • A description of the product, including size of the product/component that contains the chemical
  • Whether it is mouthable (less than 5 cm)
  • Units sold/distributed in Maine
  • The amount of formaldehyde in the product
  • The function of formaldehyde in the product
  • Any other relevant information (e.g., exposure assessments of the product).

The Department has published guidance on reporting and chemical-specific reporting forms.

The Department also imposes an unspecified “reporting fee” intended to cover the cost of collecting and managing the information. There is little information about this fee, and the Department’s guidance suggests contacting Kerri Malinowski,, with any questions regarding the applicability and amount of the fee.


If the Department identifies an unreported product containing a priority chemical, it will first send a notification to the manufacturer. The manufacturer then has an opportunity to rebut the Department’s position. The manufacturer could, for example, identify the chemical as a contaminant and describe its manufacturing control processes.

No fines or penalties are specified in the statute or guidance, but the statute expressly prohibits the sale of products within the state if not reported. The Department’s public enforcement reports contain no enforcement actions to date. Although not specified, the Department could pursue penalties under Maine’s general enforcement provisions for environmental laws, which authorizes civil penalties of up to $10,000 per violation per day.

Update: FTC gets $13.4 million judgment against BlueHippo


Updating a prior post, on May 2, 2016, the Federal Trade Commission (FTC) announced its receipt of a $13.4 million judgment against the CEO of BlueHippo, after the Second Circuit overturned the district court’s determination that BlueHippo’s damages were limited to $600,000 in 2014.

BlueHippo marketed computers and electronics to consumers regardless of their credit history, using an installment payment method. If a consumer missed an installment payment, BlueHippo represented that consumers could convert installments already paid to credits, with which they could buy other products from BlueHippo’s online store. The catch is that allegedly, consumers’ use of the credits was significantly restricted and the credits could not be used to cover shipping and other similar fees.

As a result, the FTC charged BlueHippo with deception under Section 5 of the FTC Act, and the parties entered into a consent order to resolve the charge.

The FTC later alleged that BlueHippo violated the consent order by misrepresenting its consumer financing of the computers, its failure to disclose its store credit policy, and its conditioning sales upon mandatory pre-authorized electronic funds transfer from consumers. The FTC sought $14 million in damages, based upon the gross receipts of BlueHippo’s 55,892 customers.

The Second Circuit upheld the FTC’s $14 million claim in 2014, holding that the “FTC is entitled to a presumption of consumer reliance upon showing that (1) the defendant made material misrepresentations or omissions that ‘were of a kind usually relied upon by reasonable prudent persons’; (2) the misrepresentations or omissions were widely disseminated; and (3) consumers actually purchased the defendants’ products.”

The Second Circuit remanded the matter to the trial court, and in April of 2016, the trial court found that BlueHippo and its CEO were in contempt of the court’s order, entering a judgment against the CEO for $13.4 million.

Why not the full $14 million? Certain amounts were deducted from the total. Ultimately, the parties agreed on the amount BlueHippo paid in cash refunds, and the court convinced the FTC to agree with the defendant’s computation of state settlement payments. The court also dismissed as “speculative” the defendant’s claim for discovery that there were some states in which no consumers were charged fees.

That last point is an important one. The FTC’s presumption of consumer harm not only resulted in the original $14 million court order, but also formed the basis of the $13.4 million contempt order as well as the denial of discovery on whether consumers were charged fees.

Prop 65 safe harbor level for BPA finalized

Following the California Office of Environmental Health Hazard Assessment’s proposed regulations for temporary point-of-sale warnings for BPA exposures from canned and bottled foods and beverages, this week OEHHA finalized the Maximum Allowable Dose Level for BPA of 3 micrograms per day from dermal exposure from solid materials. The MADL will go into effect on October 1, 2016.

Once in effect, this will be the rate of exposure at which a warning will be required for dermal exposure to BPA.

Now that the first BPA 60-day notice of violation is out, it remains to be seen whether this seemingly low MADL for just dermal absorption will result in significant numbers of enforcement actions. Proving that an average user is not exposed to 3 µg/day of BPA just from touching a product may be difficult for defendants, unlike, for example, lead cases, in which ingestion through hand-to-mouth activities often drives exposure and has limited the types of products ripe for Proposition 65 claims.

The dermal MADL also provides little to no guidance for food and beverage manufacturers, as there still remains no safe harbor level for ingestion.

The seal is broken on BPA

After significant industry speculation over what consumer products would be the first targets for Proposition 65 BPA enforcement, the Center for Environmental Health issued the first BPA 60-day notice of violation on June 14, 2016, a little over a month after BPA’s listing anniversary date. The notice is not for canned food; it is not for sunglasses. The inaugural notice is for a thermal-printed receipt provided to the Center for Environmental Health after (presumably) purchasing food at a Del Taco.


Thermal printing is widely used to print receipts because these printers are both fast and do not require ink.  These printers work by heating specially prepared receipt paper in a precise fashion to produce both images and characters.  Some advocacy groups had previously taken-up the issue of BPA in thermal receipt paper, and there are receipt papers on the market that are specifically marketed as being BPA free.  We don’t know whether this signifies the start of a trend for thermal receipt paper claims, but we will continue to watch for more notices.

We will also be watching how this initial notice plays out – typically, exposure analyses for lead and phthalates have focused on the hand-to-mouth exposure pathway. With a proposed safe harbor level of 3 µg/day for BPA, we are interested to see whether dermal exposure alone is enough to cause a significant exposure.

Congress passes TSCA reform bill – no relief from Prop 65

After decades of stalled efforts, the House and Senate have both passed TSCA reform legislation. The bill, the Frank R. Lautenberg Chemical Safety for the 21st Century Act (H.R. 2576), is the result of extensive negotiations between the House and Senate to reconcile differences between competing TSCA reform bills in both houses. We expect the President to sign the bill in short order.

While the bill is welcome reform of a failed law, it’s primary impact will be to manufacturers, as it requires review of existing chemicals in use (eliminating TSCA’s grandfathering) and new chemicals prior to introduction into the market. But its effects will likely be felt all throughout the supply chain, as EPA has the authority to ban, phase-out, or restrict chemicals that pose an unreasonable risk to health or the environment.

Perhaps most important to readers of this blog, the reform bill does not preempt any chemicals management laws in effect prior to April 22, 2016, or any actions taken under laws in effect as of 2003 – it does not preempt Proposition 65, or most of the patchwork of state green chemistry laws already in effect.

EPA will need to undertake extensive rulemaking to implement the changes, and we will keep you updated on those rules as they develop.

Key Provisions

EPA Review of Chemicals – the bill mandates EPA review of new and existing chemicals in commerce to determine whether they pose an unreasonable risk to health or the environment. EPA may only consider health and environmental impact data in making this threshold determination – it may not look at economic impacts or undertake a cost/benefit analysis, which was a common complaint about the existing TSCA regime. New chemicals may not be introduced into the US market without EPA review, and EPA must prioritize existing chemicals for ongoing review (at least 20 “high priority” existing chemicals within three and half years).

Regulation of Chemicals – if EPA determines a chemical poses an unreasonable risk, it must impose regulations to eliminate the risk. This can include bans, phase-outs, or restrictions on use. Unlike the threshold determination, EPA must consider the costs and benefits of a given regulatory response, as well as the availability of alternatives. Exemptions exist for restrictions that would disrupt the national economy and for replacement parts.

Federal Preemption – the bill preempts state or local chemical restrictions except for statutes and regulations existing prior to April 22, 2016 and actions taken under laws in effect as of August 31, 2003 (for example, OEHHA can add a new chemical to the Proposition 65 list because of the August 2003 preemption date). Preemption includes only restrictions – it does not extend to state laws that require reporting or monitoring. Under these terms, none of the major chemicals managements laws appear to be preempted, including:

Confidential Business Information – the bill moves away from TSCA’s current broad protections for CBI claims. All CBI claims for new chemicals must be substantiated and expire after 10 years, unless re-substantiated. The bill specifies some types of information as presumptively CBI (e.g., mixture composition, sales and marketing information), but expressly excludes health and safety data from CBI protection. EPA must also look at existing CBI claims to determine whether such claims are substantiated and should remain.

Fees and Penalties – the bill imposes fees on industry to cover (some of) the costs of implementation, up to $25 million annually. We expect new chemical review applications will require payment of fees to cover EPA’s costs. The bill also provides for maximum civil penalties of $37,500 per violation, and maximum criminal penalties of $50,000 per violation.

FDA says evaporated cane juice labels are false and misleading

On Wednesday, the FDA issued guidance on the use of the phrase “evaporated cane juice” in order to “enhance consumers’ ability to make informed choices among sweeteners by promoting accurate and consistent labeling.” In an opinion that will have far-reaching implications in the food industry, the FDA concluded that “the term ‘evaporated cane juice’ is false or misleading because it suggests that the sweetener is a ‘juice’ or is made from ‘juice’ and does not reveal that its basic nature and characterizing properties are those of a sugar.”

In recent years, food manufacturers have used the phrase “evaporated cane juice” to describe sweeteners made from the fluid extract of sugar cane on food labels. Alleging that the term incorrectly gives the appearance that there is either no sugar in the product, or that any sweetener in the product is from a natural source, there have been a rash of consumer class actions claiming that this phrase is false and misleading.

On March 5, 2014, the FDA announced it was reopening the comment period on its 2009 proposed guidance of the phrase, to get more information about “how the ingredient sometimes declared as ‘evaporated cane juice’ is produced, what its basic nature and characterizing properties are, and how it compares with other sweeteners made from sugar cane.” In response, many evaporated cane class actions were either stayed or dismissed pending the FDA’s determination based on primary jurisdiction concerns.

Now, after the FDA’s declaration that “[s]weeteners derived from sugar cane should not be listed in the ingredient declaration by names such as ‘evaporated cane juice,’ which suggest that the ingredients are from or contain fruit or vegetable ‘juice’…” we expect to see a large uptick in false advertising litigation regarding food labels using the phrase and food manufacturers and retailers should act quickly to change their labels. The FDA announced that it “would not object to the use of stickers” to correct the problem before formal label changes are possible, and this may be the quick stopgap businesses are looking for to stem the inevitable tide of litigation.

This guidance follows the FDA’s recent announcement that it is accepting public comment on the meaning of the term “natural” on food labels. Although it may be a few years before the FDA issues formal guidance on the definition (if at all), the tone of the evaporated cane juice guidance might be a signal of things to come.

FTC aims to modernize warranty requirements

The FTC has recently proposed amendments to the Disclosure Rule and Pre-Sale Availability Rule it issued under the Magnuson-Moss Warranty Act, the federal law governing warranties on consumer products. These amendments come in response to the E-Warranty Act of 2015, which President Obama signed into law in September 2015.  Click through to the full discussion that my colleagues, Jeff Webb and Patrick McMillin, have authored.