Financial institutions, CRA reach settlement over 2017 data breach
On May 15, a putative class of financial institutions filed an unopposed motion for preliminary approval of a settlement in a multidistrict litigation stemming from a credit reporting agency’s (CRA) 2017 data breach. The class, comprised of financial institutions that issued credit or debit cards whose information was believed to have been breached, argued that the data breach was the result of the CRA’s alleged failure to implement the necessary precautions to safeguard consumers’ personally identifiable information (PII). The class further contended that financial institutions suffer the primary harm caused by identity theft, because they “bear the risk of loss when identity thieves use a customer’s PII to open accounts, transfer funds, take out loans, make fraudulent transactions, or obtain credit or debit cards in the customer’s name.”
The proposed settlement—pending approval from the U.S. District Court for the Northern District of Georgia—will require the CRA to pay $5.5 million to class members that submit valid claims, spend at least $25 million over a two-year period on “data security measures pertinent to the [financial intuitions] and their claims,” and cover settlement administration and notice costs, as well as agreed-upon attorney fees, expenses, and named-plaintiff service awards. The motion for preliminary approval states that the CRA will also, among other things, (i) adopt and/or maintain certain measures in order to identify “reasonably foreseeable threats” to PII; (ii) respond to identified vulnerabilities that may impact the confidentiality of PII; (iii) design safeguards to manage risks identified though data security risk assessments; (iv) implement a security control framework consistent with requirements for systems that “store, process, or transmit [p]ayment [c]ard [d]ata in connection with U.S. payment card transactions”; and (v) maintain a compliance program and submit annual certifications to class counsel.