A putative consumer class action filed in California state court on Friday the 18th against Petco Animal Supplies Stores Inc. (Petco) and its wholly owned subsidiary PupBox Inc. (PupBox) alleges that between February and August an “unauthorized plugin” on the PupBox website caused the personal and credit card information of approximately 30,000 consumers to be stolen by an unauthorized third party. The complaint asserts, on information and belief, that the cyberattack resulted from the defendants’ failure to encrypt payment card data (PCD) at the point of sale and/or that the defendants “failed to install updates, patches, and malware protection or to install them in a timely manner to protect against a data security breach; and/or failed to provide sufficient control employee credentials and access to computer systems to prevent a security breach and/or theft of PCD.” The complaint further alleges that although Petco first learned of the cyberattack in early August, PupBox customers were not notified of the breach until October, creating a two-month lag during which class members could have attempted to mitigate the damage caused by the breach. The lawsuit alleges violations of the Washington State Consumer Protection Act, the California Unfair Competition Law, the California Consumer Records Act, and common law claims for negligence, negligence per se, breach of implied contract, and unjust enrichment.

Data breaches can be costly to companies in more ways than one. In addition to having to hire a forensic investigator to investigate the breach, companies risk reputational damage, contractual disputes, class action litigation, and potential regulatory investigations. For those financial companies regulated by the federal Gramm-Leach-Bliley Act’s Safeguards Rule or the data security provisions of New York’s Department of Financial Services, their responsibility to secure sensitive information extends to their affiliates and service providers as well.

While cyber insurance policies can provide an array of coverages and are a must-have, preparation is your best defense against a cyberattack. Many financial companies are required to create and maintain an information security program as well as a safeguard compliance program. All companies should be updating software security patches at the first opportunity and actively monitoring their systems for signs of unauthorized intrusions such as phishing exploits that inadvertently reveal passwords or other sensitive information. Sensitive data should be retained for only as long as necessary and stored in an encrypted database with limited access. Contracts with service providers should mandate strong data security practices as well. The time and effort expended on data protection have proven to be well worth the investment.

Senator Paul S. Sarbanes passed away peacefully on the evening of December 6, 2020, according to a statement released by the office of his son, U.S. Representative John Sarbanes (D-Md.).1

Sarbanes will be best remembered by most Americans for the landmark Sarbanes-Oxley Act of 2002,2 which sought to improve transparency and accountability for publicly traded companies in the wake of the accounting scandal that led to the largest bankruptcy to date of Enron Corporation in 2001.

He was then-ranking member of the Senate Banking, Housing and Urban Affairs Committee, and Sarbanes’ draft legislation gained bipartisan committee approval just days prior to the revelation of a $3.8 billion accounting fraud by WorldCom, which led to that company’s bankruptcy, eclipsing Enron’s. The draft was approved by the Senate in a 97-0 vote, and the final legislation was approved by overwhelming majorities in both houses: 423-3 in the House and 99-0 in the Senate.3

Among numerous improvements to financial reporting and accountability, the Sarbanes-Oxley Act created the Public Company Accounting Oversight Board, which brought independent oversight to auditors for the first time and established pay clawbacks4 and prison sentences5 for securities fraud by managers and investment advisors.

A graduate of Princeton University and Harvard Law School, Sarbanes served as a clerk with the 4th Circuit Court of Appeals and was an accomplished lawyer prior to entering politics. He served his home state of Maryland in the state legislature between 1967 and 1971 before being elected to the U.S. House of Representatives. In 1976, he was elected to represent Maryland in the Senate, a position he would hold for five terms until his retirement in 2007.

Sarbanes is survived by his three children: Michael, Janet, and John, who has served as the representative from Maryland’s 3rd District since 2006.

[1] Congressman John Sarbanes Announces the Passing of Senator Paul Sarbanes.

[2] 116 Stat. 745.

[3] Final Vote Results of Roll Call 348; Roll Call Vote 107th Congress – 2nd Session.

[4] MiMedx Plans to Claw Back Pay From Ex-CEO and Other Bosses.

[5] Raleigh Investment Advisor Sentenced to 40 Years for Orchestrating Ponzi Scheme, Obstructing the SEC, and Committing Aggravated Identity Theft.

A recent alert by Jamie Gottlieb Furia in Lowenstein Sandler’s White Collar Criminal Defense practice discusses the jury’s verdict against two former MiMedx Group Inc. executives for their involvement in an alleged fraud scheme. The three-week trial before U.S. District Judge Jed Rakoff marked the first white-collar jury trial in the Southern District of New York since March, when the COVID-19 pandemic began. Read the alert here.

In the most recent development in Cohen v. Capital One Funding LLC [1], a case seeking to certify a class asserting that New York State’s usury laws can apply to securitized credit card debts, Capital One-affiliated defendants have prevailed in their efforts to have the claims dismissed.  Plaintiffs sought to apply New York’s statutory caps on interest charges of 16 percent (civil) [2] and 25 percent (criminal) [3] to interest payments on credit cards issued by ex-New York banks (in this case, Virginia) but bundled into asset-backed securities held by New York trusts.

As we noted previously, the dispute turns on the application of a 2015 decision by the U.S. Court of Appeals for the Second Circuit, [4] in which that Court held that a purchaser of a bank loan was governed by the New York limits because it was neither a national bank itself nor acting on behalf of a national bank.  As a result, applying New York’s usury limits did not “significantly interfere” with the activities of a national bank, the seller. The significant interference standard was first articulated by the Supreme Court in Marquette Nat. Bank v. First of Omaha Svc. Corp. [5] applying the National Banking Act of 1864 (“NBA”), which preempts state usury laws with respect to national banks.

Plaintiffs argued that because defendants are not national banks and do not exercise national banking authority, Madden is dispositive and New York’s usury limits apply to their debts.

The District Court disagreed, holding Plaintiff’s claims to be preempted by the NBA, focusing on the distinction between the role of the parties in Cohen and Madden:

Although Defendants are not national banks, the Amended Complaint and documents on which it relies clearly show that Defendants were either subsidiaries of Capital One … or else carrying out Capital One’s business. [6]

Analyzing Madden, the District Court pointed out the distinction that it found crucial:

Capital One’s role as ABS sponsor and servicer, and retention of ownership and control over the underlying credit card loans … is not analogous to Madden, where [the banks] severed their contractual ties to plaintiff’s debt. [7]

The District Court found support for this position in Madden itself, where the Second Circuit explicitly conditioned the circumstances in which a non-bank can avail itself of NBA protections:

The [Second Circuit] observed that, although NBA preemption was available to non-national bank entities where the application of state law risked significantly interfering with a national bank’s powers, it had usually been in circumstances where the non-bank entity “acted on behalf of a national bank in carrying out the national bank’s business.” Madden, 786 F.3d at 251. That was not the case with Midland and its affiliate, which were acting “solely on their own behalves, as the owners of the debt,” and not on behalf of [banks]. [8]

The Second Circuit will likely have an opportunity to revisit its decision in Madden as Plaintiffs have appealed the District Court’s dismissal. [9]

[1] Cohen v. Capital One Funding LLC, No. 19-cv-03479 (E.D.N.Y.).

[2] N.Y. Gen. Oblig. Law § 5–501; N.Y. Banking Law § 14-a.

[3] N.Y. Penal Law § 190.40.

[4] Madden v. Midland Funding, LLC, 786 F.3d 246 (2d Cir. 2015).

[5] 439 U.S. 299, 313 (1978).

[6] Cohen, slip op. at 31 (emphasis added; quotation omitted).

[7] Id. at 35.

[8] Id. at 34.

[9] Cohen v. Capital One Funding, LLC, No. 20-3690 (2nd Cir.).

Last week, Judge Naomi Buchwald of the Southern District of New York provided final approval of a nearly $22 million settlement between a class of indirect investors and five Wall Street banks that the plaintiff investors accused of manipulating the London Interbank Offered Rate (LIBOR) in violation of the Sherman Act. The plaintiffs are over-the-counter (OTC) investors who indirectly interacted with the defendant banks via interest rate swaps and other transactions. These plaintiffs made purchases from other banks that are not defendants in the case; the five settling defendants are JPMorgan, Citibank, Bank of America, HSBC, and Barclays. The suit is one of many filed after Barclays admitted in 2012 that it had manipulated LIBOR.

LIBOR is a benchmark that is designed to reflect the cost of borrowing funds in the market and is applied to many types of financial instruments, including futures, swaps, options, and bonds. It is also referenced by consumer lending products such as mortgages, credit cards, and student loans. The alleged LIBOR manipulation had a widespread impact on global markets and consumers, including government entities and not-for-profit organizations.

Plaintiffs alleged that the defendants, who are members of a panel assembled by a bank trade association to calculate a daily interest rate benchmark, conspired to submit artificial, depressed rates from August 2007 to May 2010. They claim that the defendant banks instructed LIBOR rate submitters to artificially lower their LIBOR submissions in order to avoid the appearance that the banks were in financial difficulty. Also, plaintiffs allege that the defendants’ traders asked LIBOR rate submitters to adjust the submissions to benefit the traders’ positions. Plaintiffs claimed that their positions in various financial instruments were negatively affected by this manipulation of LIBOR, in violation of the Sherman Act.

Under the terms of the settlement agreement, Citi must pay approximately $7 million, HSBC must pay $4.75 million, and JPMorgan and Bank of America must each pay approximately $5 million. Barclays will “substantially” assist the plaintiffs in ongoing related litigation against other banks, providing proffers, documents, and testimony to the plaintiffs, instead of making any payment. The other four defendants also agreed to provide “significant” cooperation to the plaintiffs in their continued litigation.

The case is In re: Libor-based Financial Instruments Antitrust Litigation, index number 1:11-md-02262, pending in the U.S. District Court for the Southern District of New York.

In a previous post, we discussed Kirschner v. JPMorgan Chase Bank,[1] an action in which the trustee of bankrupt Millennium Labs brought state law securities fraud claims on behalf of a group of “approximately 400 mutual funds, pension funds, universities, [CLO]s and other institutional investors,” against banks that organized a $1.765 billion syndicated loan.

The threshold issue faced by the court was whether an investor’s share of a syndicated loan qualifies as a “security” for the purposes of state securities laws. Federal courts have previously held that syndicated loan interests do not qualify as securities for purposes of federal securities fraud claims.[2]

The trustee in Kirschner urged the court to embrace an inclusive view of the definition of securities when applying the test originally set forth by the Supreme Court in Reves v. Ernst & Young, specifically in light of the possibility that an instrument can be deemed a security based on “the reasonable expectations of the investing public”:[3]

“Whatever similarities early generations of syndicated bank loans once shared with traditional commercial lending, the Note offering mirrored a high yield bond issuance.”[4]

The court, in its decision of May 22, 2020, took a less expansive view, observing that:

“[T]he Credit Agreement and [Confidential Information Memorandum] would lead a reasonable investor to believe that the Notes constitute loans, and not securities. For example, the Credit Agreement repeatedly refers to the underlying transaction documents as ‘loan documents,’ and the words ‘loan’ and ‘lender’ are used consistently, instead of terms such as ‘investor.’”[5]

Notably, the court premised its decision in part on the sophistication of the investors, concluding:

“[I]t would have been reasonable for these sophisticated institutional buyers to believe that they were lending money, with all of the risks that may entail, and without the disclosure and other protections associated with the issuance of securities.”[6]

The prevailing trend in capital markets is for increasingly sophisticated instruments to be made available to ever-broader groups of investors. Where the public once had limited—if any—access to short selling, short-term trading, and complex equity option strategies, all of these have become feasible for individual investors in recent years. Access to participation in syndicated lending may follow the same route, and this may eventually require courts to revisit the scope of investor protections available.

For now, the court has extended its deadline for counsel to the trustee to file its motion and supporting papers to amend the complaint through July 31, 2020.[7]

The case is Kirschner v. JPMorgan Chase Bank, N.A., No. 17-cv-06334-PGG (S.D.N.Y.).


[1] Kirschner v. JPMorgan Chase Bank, N.A., No. 17-cv-06334-PGG (S.D.N.Y.).

[2] Banco Espanol de Credito v. Pacific National Bank, 973 F.2d 51 (2d Cir. 1992).

[3] 494 U.S. 56, 66 (1990) (“The Court will consider instruments to be ‘securities’ on the basis of such public expectations, even where an economic analysis of the circumstances of the particular transaction might suggest that the instruments are not ‘securities’ as used in that transaction.”)

[4] Kirschner, ECF No. 81 at 17.

[5] Kirschner, ECF No. 119 at 18-19.

[6] Id. at 22.

[7] Kirschner, ECF No. 127.

Until 2010, securities fraud class actions pursued in American federal courts dominated the means by which investors sought redress for alleged fraud committed around the world. Securities fraud litigation in non-U.S. legal systems was fraught with risks, such as fee-shifting rules and limited precedent. However, once the U.S. Supreme Court decided Morrison v. National Australia Bank in 2010[1], foreclosing many foreign claims from being brought in U.S. courts, foreign investors–with claims against foreign companies resting on transactions occurring outside the U.S.–needed to avail themselves of foreign laws and procedures.

In the wake of Morrison, many foreign investors developed strategies suited to their locales, such as litigation funding to address fee-shifting risks. With U.S. courts foreclosed to them, procedures to bring and resolve single and group securities fraud actions based on existing law became increasingly well defined in Australia, Japan, and France, as well as in less common venues such as the Netherlands and Denmark. In Germany, the Capital Market Investors’ Model Proceeding Act, or KapMuG[2]–enacted in 2005 in response to a specific corporate accounting scandal involving Deutsche Telekom–became the focus of renewed interest.

In the United Kingdom, securities litigation had long been confined to claims arising from allegedly false statements in offering documents, such as a prospectus. However, as in Germany, new legislation was introduced in the wake of major corporate fraud–in this instance, the catalyst was BP’s Deepwater Horizon oil spill disaster. Sections 90 and 90A of the UK Financial Services and Markets Act now offer British investors causes of action roughly analogous to those available under Sections 11 and 10(b) of the Securities Act and the Securities Exchange Act in the United States. UK securities fraud actions, however, are still limited to the opt-in method, in which each claimant is required to be an actual party rather than having the option to participate in any recovery as a passive class member.

This ability to pursue a U.S.-style opt-out class action was still not available in the UK until the enactment of the Consumer Rights Act 2015, which applies primarily to certain goods and services and unfair business terms, including violations of competition laws[3]. UK class actions face stringent judicial review and are currently available to address only a limited set of product- and service-related claims, a scope that does not include securities fraud. But the first UK opt-out class action against financial company defendants has already been brought, alleging damages related to unlawful manipulation of the foreign exchange market between 2007 and 2013, in violation of competition laws[4].

Thus, the UK has now established all the elements of a U.S.-style securities fraud class action. The next step is simply to make the cause of action and the procedure available together. In light of the trend in developments in the UK away from continental traditions and possibly toward U.S.-style litigation, the future of UK law may hold the seeds of U.S.-style securities class actions.


[1] 561 U.S. 247 (2010).

[2] Kapitalanleger-Musterverfahrensgesetz, BGBl 2005, I, 2437 (Aug. 16, 2005).

[3] Consumer Rights Act 2015, 63 Eliz. 2, 2015 c. 15, sched. 8 (Eng.) (amending section 47B of Competition Act 1998).

[4] Michael O’Higgins FX Class Representative Ltd v. Barclays Bank PLC and Others, case no. 1329/7/7/19.

In the latest development in a prosecution previously covered on this blog, Privinvest Group executive Jean Boustani was acquitted of all charges on Dec. 2 by a jury in the U.S. District Court for the Eastern District of New York, following a six-week trial.

The case centered on nearly $2 billion in loans from Credit Suisse and Russian financer VTB to help fund maritime projects in Mozambique. Prosecutors alleged that Boustani paid $100 million in bribes and kickbacks to high-ranking Mozambican government officials to secure three lucrative contracts for his employer, Privinvest Group, an international shipbuilding firm based in Abu Dhabi. Privinvest Group itself was not charged in this case.

Boustani, a Lebanese national, was found not guilty on all counts brought against him, including conspiracy to commit wire fraud, conspiracy to commit securities fraud, and conspiracy to commit money laundering after taking the stand in his own defense. Boustani and his lawyers readily admitted that he paid millions of dollars to Mozambican officials, but the government did not bring actual bribery charges against Boustani beyond the conspiracy counts, likely because of a recent decision from the U.S. Court of Appeals for the Second Circuit, U.S. v. Hoskins, 902 F.3d 69 (2d Cir. 2018). In that decision, the Second Circuit held that non-U.S. citizens cannot be charged with violating the Foreign Corrupt Practices Act if the defendant does not have a sufficient nexus to a U.S. company and the alleged wrongdoing took place in another country.

After the acquittal, jurors, including the jury foreman, stated that the evidence presented by prosecutors failed to show why venue was proper in the U.S., especially in the Eastern District of New York, when Boustani had never been to the U.S. before he was arrested. Prosecutors asserted at trial that most of the transactions at issue in the case were conducted in U.S. dollars and involved U.S. correspondent banks, but those ties were not strong enough for jurors to conclude that Boustani should be held accountable for any wrongdoing in the U.S.

Lowenstein Sandler’s Capital Markets Litigation team recently defeated a fund administrator’s renewed motion to dismiss on jurisdictional grounds, a second key victory in an action for common law fraud, securities fraud, and Racketeer Influenced and Corrupt Organizations Act violations, among other claims. The plaintiffs, investors in a tax lien fund, seek to recoup millions of dollars in losses resulting from the fund’s operation as a Ponzi scheme. The defendants include the fund’s now-dissolved New Jersey-based administrator, Apex Fund Services (US), Inc., as well as its Bermuda-based parent and several other affiliated entities (collectively, the “Apex Defendants”).

New Jersey Superior Court Judge Peter Bogaard of the Law Division, Morris County, denied the Apex Defendants’ entire renewed motion to dismiss on jurisdictional grounds. In their motion, the Apex Defendants claimed that the Court lacked personal jurisdiction over the Apex Defendant entities based outside of New Jersey.

The Lowenstein team persuaded the Court to deny the motion based on theories of agency, alter ego, and successor liability. “Apex is playing a shell game, trying to hide behind layers of phantom entities to evade liability for the fraud it actively committed in New Jersey,” the team argued.

Following jurisdictional discovery, the Lowenstein team submitted extensive evidence convincing the Court to look beyond–or pierce the veil of–the corporate form of the now-dissolved Apex New Jersey entity in order to exercise jurisdiction over its parent. The team successfully argued that the New Jersey Apex subsidiary was the alter ego of its parent entity, functioning as a mere conduit in New Jersey for the Apex parent’s self-described “global” fund administration business. The evidence demonstrated that the Apex subsidiary was not capitalized at inception, that it was financially dependent on its parent, and that it disregarded corporate formalities with respect to intercompany transactions, as well as transfers of employees and clients among the various Apex entities, without compensation. In addition, and consistent with similar Ponzi scheme cases, the team showed that the Apex New Jersey entity acted as its parent’s New Jersey-based agent, providing another basis for the court to exercise personal jurisdiction over the parent. See Anwar v. Fairfield Greenwich Ltd., 728 F. Supp. 2d 372 (S.D.N.Y. 2010).

Additionally, the team showed that the evidence supported a finding of successor liability as to Apex Charlotte because of a de facto merger that occurred between it and Apex New Jersey, and because Apex Charlotte thereafter continued the business of Apex New Jersey, simply “becoming a ‘new hat’ for the predecessor.” Woodrick v. Jack J. Burke Real Estate, Inc., 306 N.J. Super. 73, 74 (App. Div. 1997). The evidence demonstrated that, just as the fraudulent scheme was being revealed, the Apex parent stripped the New Jersey entity of its assets and transferred its ongoing business to a Charlotte, North Carolina-based entity also bearing the Apex name, again for no consideration, ultimately dissolving the New Jersey entity.

Having defeated the jurisdictional challenge, the Lowenstein team will continue to pursue claims on behalf of the investors, who seek more than $40 million in damages based on the defendants’ false representations to them concerning Apex’s control of the money invested in the fund, as well as its active concealment of the theft by providing investors with false monthly net asset value statements. Rather, and remarkably, Apex had been permitting the fund’s manager, Vincent Falci, to access the accounts and embezzle millions of dollars; Falci has since been sentenced to 15 years in federal prison for securities and wire fraud.[1]

As reported by Law360, Judge Bogaard stated at the motion to dismiss hearing: “Justice, while to be blind, is not to be blissfully ignorant of things, and I certainly find based on the materials submitted that plaintiffs have established on a prima facie basis that exercising jurisdiction over the named defendants is appropriate at this time.”[2]

This decision marks the second time the team defeated a motion to dismiss in this action.[3]

The case is Maffei et al. v. Apex Fund Services (US) Inc. et al., case number L-63-18, pending in the Superior Court of New Jersey, Morris County.


[1] https://www.law360.com/articles/1162422/former-nj-fire-chief-gets-15-years-for-10m-ponzi-scheme

[2] https://www.law360.com/articles/1215974/fund-admin-s-parent-can-t-escape-40m-ponzi-scheme-suit

[3] https://www.law360.com/articles/1076984/investors-beat-bid-to-toss-40m-nj-ponzi-scheme-row

In the latest development in one of two federal cases examining whether New York usury laws can limit the interest rates charged on credit card debts that are securitized, the Capital One affiliate defendants have moved to dismiss the action brought by plaintiff credit card holders. The plaintiffs alleged that their interest rates, ranging from 22.5 to 27.74 percent, exceed New York’s statutory interest rate limit of 16 percent for civil usury, and even, in some cases, the 25 percent limit for criminal usury. The case is Cohen et al. v. Capital One Funding LLC et al., docket number 19-cv-03479, pending in the U.S. District Court for the Eastern District of New York.

As previously covered on this blog, the U.S. Supreme Court has held that the National Banking Act of 1864 preempts state laws that “significantly interfere” with national bank activities. Marquette Nat. Bank v. First of Omaha Svc. Corp., 439 U.S. 299, 313 (1978). Accordingly, while national banks must comply with the usury laws of the state in which they are located, if a borrower moves to a state with a lower maximum interest rate, the bank need not comply with that state’s lower rate. Barnett Bank of Marion County, N.A. v. Nelson, 517 U.S. 25, 33 (1996).

In 2015, the U.S. Court of Appeals for the Second Circuit examined this National Banking Act preemption when a Delaware bank lent to a New York borrower. Although the loan complied with Delaware usury law, the Delaware bank then sold the loan to an entity that was not a national bank. Because the loan purchaser was not a national bank or acting on behalf of a national bank, the appellate court concluded that New York usury law did not “significantly interfere” with the purchaser and that New York’s maximum interest rate cap applied to the loan. Madden v. Midland Funding, LLC, 786 F.3d 246 (2d Cir. 2015).

In moving to dismiss the Cohen claims, the Capital One defendants argued that the Second Circuit recognized in Madden that usury claims are still federally preempted when there is still substantial connection between a national bank and the debt after it is sold, so that state usury laws would still “significantly interfere” with national banking activities. Because Capital One, N.A. – the ultimate parent entity of the defendants – still retained ownership of the plaintiff’s credit card accounts after selling the credit card receivables to its affiliates to be securitized, the defendants argued that New York’s usury limit would “significantly interfere” with Capital One’s ability to run its credit card business nationwide.

Capital One received support from the Bank Policy Institute and the Structured Finance Association in an amicus brief, urging the court to adopt the defendants’ reading of Madden. Plaintiffs argued in their opposition brief that because defendants are not national banks and do not exercise national banking authority, Madden is dispositive and New York’s usury limits apply to their debts.

The motion was fully briefed on Nov. 1, 2019, and the parties await a decision from Judge Kiyo A. Matsumoto. We will cover the decision when it is published.