The offshore outsourcing of customer service call center and data center services to locations outside of the U.S. has become a fairly standard business practice in many industries. Now, a consumer class action lawsuit filed against Bank of America on Aug. 3, 2011, challenges the financial industry's practice of transferring customer service calls to offshore call centers staffed with foreign nationals, alleging that doing so puts the privacy of customers' financial information at risk - not from hackers and thieves, but from surveillance by the U.S. government.

According to the complaint in Stein, et al. v. Bank of America, et al., filed in the U.S. District Court for the District of Columbia, the electronic transfer of customers' financial records that occurs when calls are transferred to overseas call centers allows the U.S. government to intercept and seize these records without violating the Fourth Amendment to the U.S. Constitution (prohibiting illegal searches and seizures) or any other U.S. laws that would otherwise have prohibited these government actions had such calls been transferred to call centers located in the U.S. This transfer is allegedly conducted without the knowledge or prior authorization of customers, which the plaintiffs allege violates the federal Right to Financial Privacy Act. In addition, the complaint alleges that routing the calls overseas violates the D.C. Consumer Protection Procedures Act, and contains causes of action under the common law doctrines of unjust enrichment, negligent bailment and negligence. Similar class action lawsuits have been recently filed by the same plaintiff's counsel against American Express.

Under the Right to Financial Privacy Act, financial institutions are prohibited from giving the government access to or copies of, or information contained in, the financial records of a customer except under the specific provisions of the Act. Under the Act, no government agency can access or obtain customer financial records from financial institutions (1) unless the records are reasonably described and the customer specifically authorizes the disclosure, in writing and in accordance with the requirements of the Act to both the financial institution and the government agency, or (2) unless the government obtains a warrant or subpoena in accordance with the Act.

In the complaint, plaintiffs allege that the U.S. government can - and does - intercept and seize transmissions of data between Bank of America and its offshore call centers, and even if such transmissions are not actually intercepted by the U.S. Government, the plaintiffs assert that they are still "at risk" of being intercepted. Plaintiffs claim that, by routing financial records to and from foreign nationals in overseas call centers, where U.S. electronic surveillance is "pervasive" and unconstrained by the Fourth Amendment and other U.S. laws, Bank of America has permitted the U.S. Government "access" to these financial records in violation of the federal Right to Financial Privacy Act.

Plaintiffs are seeking class certification of the national class, and a court order requiring Bank of America to produce records to identify the members of the class and bear the cost of class notification, as well as records to identify the total number of times customer financial records have been transferred to offshore call centers. The suit seeks monetary damages of $100 per data transmission, compensatory damages and exemplary treble damages, punitive damages, costs and attorneys' fees. The complaint also seeks injunctive relief requiring compliance with the Right to Financial Privacy Act, including an order barring Bank of America from transmitting customer financial records to offshore call centers until the bank obtains customer authorization in accordance with § 3403(a) of the Act.

In addition, plaintiffs are alleging six separate violations of the D.C. Consumer Protection Act, based on the allegations that routing the calls to offshore call centers violates a customer's constitutional and statutory rights to be protected against U.S. government interception and therefore misrepresents, among other things, the characteristics and standards of the services that Bank of America provides to its customers (i.e., that had the call center been located in the U.S., a customer would have expected its financial records to be protected from U.S. government interception). Each of these alleged violations is based on consumers being unaware that their calls to Bank of America's customer service center, via a U.S. toll-free telephone number, may be transferred to and serviced by foreign nationals operating out of offshore call centers. Plaintiffs seek $1,500 for each person whose calls were routed to offshore call centers and $1,500 for each phone call routed to offshore call centers in violation of the D.C. Act. The complaint also seeks punitive damages related to each call, injunctive relief, costs and fees.

--------------------------------------------------------------------------------

While the merits of this line of lawsuits are yet to be determined, the increased scrutiny at federal and state levels into consumer privacy continues. As the U.S. considers adopting more comprehensive privacy legislation, we will continue to monitor and report on developments affecting financial institutions in this area.