The Intersection of Privacy and Fair Debt Collection: District Court (Ill.) Finds No FDCPA Standing for “Hunstein” Violation Where Data Shared with Vendor was Encrypted

In Tukin v. Halsted Financial Services, LLC, Judge Wood found no Article III standing for a Hunstein claim (of sharing a consumer’s data with a vendor) where the sharing was done by way of encrypted data transfer.

First, of note, Judge Wood found no “glassine window” violation for use of an “Intelligent Mail Code” on the dunning letter’s envelope.

Count III alleges that Halsted violated 15 U.S.C. § 1692f(8) by displaying a code on the outside of the envelope which, “upon information and belief,” contained confidential information. Again, Tukin has failed to demonstrate that he suffered any injury beyond feelings of concern and worry—that is, he has not shown actual harm. Additionally, Tukin does not dispute that the visible code was an “Intelligent Mail Code” required by the United States Postal Service. (SOMF ¶ 21.) The display of such codes do not violate § 1692f(8). See Official Comment to 12 C.F.R. § 1006.22(F)(2) (explaining that the phrase “language or symbol” in § 1692f(8) does “not include language and symbols that facilitate communications by mail, such as . . . the United States Postal Service’s Intelligent Mail barcode”). Accordingly, Tukin has no claim under § 1692f(8).

Second, Judge Wood found that the encryption of the data shared between the Defendant and its vendor destroyed any standing to assert a Hunstein violation — even though the decision does not mention Hunstein.  Judge Wood explained:

Finally, Count IV alleges that Halsted violated 15 U.S.C § 1692c(b) by using a vendor, FocusOne, to print and mail its letter to Tukin, as the use of a vendor necessarily involved the disclosure of information about his debt to a third party.2 The Court need not address whether the so-called “letter vendor” theory of liability provides a sufficient basis for Article III standing because Tukin cannot establish that such injury occurred here. 3 Tukin does not dispute that FocusOne does not analyze, modify, or manipulate the data and letters transmitted to it for printing, or that the data used to print and mail those letters was secure and encrypted at all times it was in FocusOne’s possession. (SOMF ¶¶ 5–6, 23–24.) Indeed, he does not dispute that no individual had access to the unencrypted data. (Id. ¶ 25.) Put simply, Tukin has not provided any evidence that his information was disclosed nor can he show a resulting injury from that disclosure.

The issue of encrypting data that’s shared between a creditor/debt collector and its vendor raises a proper intersection between the FDCPA and data privacy laws.  The Court’s focus on security, data encryption, and access controls, are in line with the new FTC Safeguards Rule.  16 CFR section 314.4(c).  The new requirements are applicable not only to covered financial institutions but flow to service providers via the oversight obligations.  16 CFR section 314.4(f).

Similarly, though not as specific in its requirements, in California, the CPRA also includes an affirmative obligation to implement and maintain reasonable security procedures and practices.   Civ. Code section 1798.100(e) (effective Jan. 1, 2023).