Skip to main content
Menu Icon
Close

InfoBytes Blog

Financial Services Law Insights and Observations

Filter

Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.

  • Supreme Court agrees with Third Circuit that consumers may sue “any” government entity under FCRA

    Courts

    On February 8, the Supreme Court of the United States unanimously decided that a consumer can sue any government agency—in this case the U.S. Department of Agriculture (USDA)—for damages for violating the Fair Credit Reporting Act of 1970, as amended by the Consumer Credit Reporting Reform Act of 1996 (the Act). The court found that government agencies are expressly included in the definition of any “person” who violates the statute.  On appeal from the 3rd Circuit, the case involved an individual who sued the USDA for monetary damages under FCRA, alleging that the USDA furnished incorrect information to a credit reporting company stating that his account was past due, damaging his credit score and impairing his ability to access affordable credit. 

    In affirming the 3rd Circuit’s reversal of the lower court’s dismissal of the case, the Supreme Court noted that, while the U.S. is “generally immune” from monetary judgment suits as a sovereign body, Congress can waive this immunity. Applying a “clear statement” rule, the Supreme Court interpreted the Act’s statutory language that authorizes consumer suits for money damages against “[a]ny person” who willfully or negligently fails to comply with [the law]” to constitute a clear waiver of federal government sovereign immunity. As the Court explained, “the Act defines the term ‘person’ to include “any . . . governmental . . . agency,” therefore “FCRA clearly waives sovereign immunity in cases like this one.” 

    Courts U.S. Supreme Court FCRA CCRA USDA Sovereign Immunity

  • District Court: Employees are not “customers” under California Customer Records Act in breach lawsuit

    Privacy, Cyber Risk & Data Security

    On February 24, the U.S. District Court for the Southern District of New York granted a waste management company’s motion to dismiss putative class action data breach claims after determining, in part, that the plaintiffs failed to allege how the company breached any duty of care. Plaintiffs, comprised of current and former employees, sued the company, claiming a 2021 data breach exposed their personal identifiable information (PII) to an unauthorized actor. Several plaintiffs were victims of apparent identity theft, the complaint stated, which alleged negligence, breach of contract and implied contract, breach of confidence, breach of fiduciary duty, unjust enrichment, and breach of the California Consumer Privacy Act, the state’s Unfair Competition Law, and the California Customer Records Act (CCRA). In dismissing the case, the court concluded, among other things, that the plaintiffs failed to plead facts showing specific measures that the company did or did not take, such as data encryption, to protect employee data. Additionally, the complaint did not “contain any allegations regarding the manner in which their systems were breached.” Moreover, the court determined that the complaint did not plausibly allege that the employees qualify as “customers” under the CCRA (a “customer” under the law is defined as “an individual who provides personal information to a business for the purpose of purchasing or leasing a product or obtaining a service from the business,” but in this matter, the court stated the plaintiffs did not allege that they provided their PII to the company in exchange for a product or service; rather, they were required to give their PII as part of their employment). The court also ruled that the plaintiffs did not plausibly allege that the company unreasonably delayed notifying them of the data breach by waiting 24 days after the breach to provide notice.

    Privacy/Cyber Risk & Data Security Courts California CCPA CCRA State Issues Data Breach Class Action New York

Upcoming Events