InfoBytes Blog

Financial Services Law Insights and Observations

  • Federal District Court Allows Data Breach Class Action to Proceed Based On Risk Of Future Harm

    Fintech

    On October 11, the U.S. District Court for the Southern District of California held that the plaintiffs in a consolidated data breach class action have pleaded sufficient harm to satisfy Article III's injury-in-fact requirement despite not having suffered any actual harm to date. In re Sony Gaming Networks & Customer Data Security Breach Litig., No. 11-md-2258, 2012 WL 4849054 (S.D. Cal. Oct. 11, 2012). The plaintiffs allege on behalf of a putative class that Sony Computer Entertainment America and a group of related entities (collectively Sony) failed to implement industry-standard practices to protect customers' personal information. The plaintiffs claim that as a result of Sony's failings they suffered an increased risk of future harm following a criminal theft of personal information from Sony's PlayStation computer network. The defendants moved to dismiss the plaintiffs' numerous claims, including on the grounds that the plaintiffs have suffered no real injury and therefore do not have standing to pursue the case. The court agreed with the plaintiffs that their claims are analogous to those sustained by the Ninth Circuit in Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010). As in Krottner, the court held that although none of the plaintiffs have suffered any actual loss, the increased threat of future injury is sufficient for standing, and the plaintiffs sufficiently allege that such increased risk is causally connected to Sony's actions. However, the court held that the plaintiffs' allegations do not show any cognizable injury necessary to sustain their claim of negligence under California law. The court dismissed the plaintiffs' negligence and other claims with leave to amend, and dismissed certain other claims with prejudice.

    Privacy/Cyber Risk & Data Security

  • GAO Urges Federal Actions to Protect Mobile Device Users' Privacy

    Fintech

    On October 11, the GAO released a report on its examination of how the mobile industry collects location data and the resulting impact on consumers. According to the report, privacy advocates expressed concerns that consumers are generally unaware of how location data is used by third parties and that consumers could be subject to increased risk of surveillance by law enforcement, identity theft, and threats to personal safety. The GAO examined how companies have applied practices recommended by industry associations and privacy advocates to protect consumers' privacy while using mobile location data. The report reviews actions taken by federal agencies to provide consumer education and develop industry codes of conduct. The GAO recommends, among other things, that NTIA work with stakeholders to develop industry codes of conduct and that the FTC consider issuing guidance on mobile companies' appropriate actions to protect location data privacy.

    FTC Mobile Commerce Privacy/Cyber Risk & Data Security

  • CFPB Releases Additional Credit Card Complaints

    Fintech

    On October 10, the CFPB added credit card complaints dating back to December 1, 2011 to its publicly available consumer complaint database. The CFPB launched the database in June 2012, but until now had only provided data for complaints received after June 1, 2012. The CFPB is collecting complaints regarding a number of other consumer products and services, including auto and student loans, but the CFPB has not indicated when it will make those complaints available through the public database. The CFPB also announced that the public database is no longer in “beta” form and released a “snapshot” of the consumer complaint process to date, including an analysis of complaints received through September 30, 2012.

    Credit Cards CFPB

  • CFPB Continues Credit Card Enforcement Activity

    Fintech

    On October 1, the CFPB announced a coordinated enforcement action taken by federal regulators against a major credit card company and several of its subsidiaries alleged to have violated multiple consumer financial protection laws. According to the CFPB, the investigations conducted by it, other federal regulators, and a state regulator revealed that the companies (i) charged illegal late fees, (ii) discriminated on the basis of age in the offering of credit, (iii) engaged in deceptive marketing, and (iv) failed to properly report consumer credit disputes. To resolve the allegations, the companies agreed to enter into several different consent orders. Two orders obtained by the CFPB and a joint CFPB/FDIC order require three of the subsidiaries collectively to refund approximately $85 million to approximately 250,000 customers and pay a cumulative $18 million in civil money penalties. Likewise, the OCC issued a consent order that includes an additional $500,000 penalty and provides for restitution that overlaps with the broader restitution ordered by the CFPB. Finally, an order obtained by the Federal Reserve Board requires the company and certain of its subsidiaries to pay an additional $9 million penalty. Furthermore, pursuant to the various orders, the companies agreed to undergo an independent audit and implement enhanced compliance systems to address the alleged illegal practices. This is the third public CFPB-led enforcement action aimed at credit card companies, and the first to go beyond allegations regarding ancillary products and resolve alleged violations of the CARD Act, the Fair Credit Reporting Act, and the Equal Credit Opportunity Act.

    FDIC Credit Cards CFPB FCRA Federal Reserve OCC Fair Lending Consumer Reporting Enforcement Ancillary Products

  • Nevada's Federal District Court Declines to Enforce Browsewrap Arbitration Agreement

    Fintech

    On September 27, the U.S. District Court for the District of Nevada followed other federal courts and held that an arbitration clause within the Terms of Use agreement on Zappos.com was unenforceable given that users were neither provided with notice of the agreement nor an opportunity to affirmatively assent to the agreement. In re Zappos.com, Inc. Customer Data Sec. Breach Litig., No. 12-325, 2012 WL 4466660 (D. Nev. Sep. 27, 2012). Customers sued Zappos in several federal district courts for damages resulting from a security breach of the company’s website. After those actions were consolidated, Zappos filed a motion to compel arbitration based on the argument that by using the website the customers accepted and agreed to its Terms of Use, which included an agreement to arbitrate all claims arising from use of the website, and which were available through a hyperlink on each page of Zappos.com. Such hyperlinked Terms of Use are known as “browsewrap” agreements. The court held that despite the broad federal policy in favor of arbitration, the company had provided no evidence that the customers clicked on, viewed, or expressly manifested assent to the Terms of Use agreement; there was therefore no acceptance of the Terms of Use provisions by customers, and thus those provisions, including the arbitration clause, were unenforceable. Moreover, the court held that because Zappos retained the unilateral right to revise the Terms of Use, the contract was illusory and therefore unenforceable. Accordingly, the court denied Zappos’ motion to compel arbitration.

    Arbitration Mobile Commerce

  • CFPB Announces Enforcement Action Against Credit Card Issuer

    Fintech

    On September 24, the CFPB announced that it resolved an investigation initiated by the FDIC and subsequently joined by the CFPB into telephone sales of certain ancillary or “add on” products marketed and sold by a major credit card issuer. The products related to (i) payment protection, (ii) credit monitoring, (iii) identity theft protection, and (iv) protection in the event of wallet loss. Pursuant to the Joint Consent Order released by the CFPB, the bank will pay a $14 million penalty and provide approximately $200 million in restitution to eligible consumers who purchased one or more ancillary products over a period of approximately four years. The order also calls for certain changes to the bank’s marketing and sales practices in connection with the products. During a press call to announce the consent order, CFPB Director Richard Cordray explained that the CFPB “expect[s] that more such actions will follow.” The CFPB is publishing the orders from its various actions on its administrative adjudication docket. Mr. Cordray also stated that “[i]n the meantime, [the CFPB is] signaling as clearly as [it] can that other financial institutions should review their marketing practices to ensure that they are not deceiving or misleading consumers into purchasing financial products or services.” In July, the CFPB issued Bulletin 2012-06, which outlines the CFPB’s expectations for the institutions it supervises, and their vendors, with regard to offering ancillary products in compliance with federal consumer financial laws. BuckleySandler represented the bank in this joint CFPB-FDIC investigation and enforcement action.

    Credit Cards CFPB Enforcement Ancillary Products

  • Eleventh Circuit Holds Monetary Damages Caused by Identity Theft Present a Cognizable Injury

    Fintech

    Recently, the U.S. Court of Appeals for the Eleventh Circuit, in a case of first impression, held that the named plaintiffs in a putative class action could pursue their claims for monetary loss from a health care company that allegedly failed to protect their personal information. Resnick v. AvMed Inc., No. 11-13694, 2012 WL 3833035 (11th Cir. Sep. 25, 2012). The plaintiffs allege that they became subject to identity theft several months after laptops containing their sensitive personal information were stolen from the company’s offices. The plaintiffs sued the health care company, alleging negligence, negligence per se under Florida law, breach of contract, unjust enrichment, breach of implied covenant of good faith and fair dealing, and breach of fiduciary duty. The district court dismissed all claims, holding that the complaint failed to state a cognizable injury. On appeal, the court of appeals reversed the district court on the majority of the claims. It held that because the complaint alleges financial injury, and because monetary loss is cognizable under Florida law, the plaintiffs have alleged a cognizable injury. The court found that the plaintiffs “have shown a sufficient nexus between the data breach and the identity theft beyond allegations of time and sequence” because the plaintiffs pleaded that they were careful in protecting their identities and had never been victims of identity theft. Finding that causation was sufficiently pleaded, the court of appeals reversed the district court with regard to the counts of negligence, breach of contract, and breach of fiduciary duty. The court affirmed dismissal of the claims of negligence per se and breach of implied covenant of good faith and fair dealing because failure to comply with the relevant state statute cannot serve as a basis for negligence per se, and because the health care company’s actions were not shown to be conscious and deliberate as necessary to support a claim of breach of implied covenant. Finally, the court held that the plaintiffs alleged sufficient facts to sustain a claim for unjust enrichment because they claim to have paid monthly premiums to the company, while alleging that the company failed to implement sufficient data management and security measures. The case was remanded for further proceedings.

    Privacy/Cyber Risk & Data Security

  • Canada Proposes Adding Mobile Payments to Card Industry Voluntary Code of Conduct

    Fintech

    Recently, Canada’s Department of Finance published a consultation paper that proposes an addendum to the Code of Conduct for the Credit and Debit Card Industry in Canada to apply the Code to mobile payments. The Code, which took effect in August 2010, is a voluntary measure applicable to credit and debit card networks and covers point-of-sale, Internet, and phone payment methods. The addendum would extend the Code to apply explicitly to payments initiated by consumers that access a deposit or credit account through a payment network accessed by mobile device at the point-of-sale. The addendum also would clarify the way in which five of the ten elements of the code would apply to mobile payments. For example, the addendum would prohibit credit and debit card functions from co-residing in the same mobile payment application. Canada’s Department of Finance has invited stakeholder comments on all aspects of the proposal.

    Credit Cards Debit Cards Mobile Payment Systems

  • NIST Finalizes Information Security Risk Assessment Guidelines

    Fintech

    On September 18, the National Institute of Standards and Technology released a final version of its risk assessment guidelines, which are designed to advise all types of government and private organizations—including financial institutions—about information security risks and information technology infrastructures. The Guide for Conducting Risk Assessments provides guidance regarding (i) threats, (ii) vulnerabilities, (iii) impact to missions and business operations, and (iv) the likely threat of exploitation of vulnerabilities in information systems and their physical environment to cause harm or adverse consequence.

    NIST Privacy/Cyber Risk & Data Security

  • FBI Warns Financial Institutions About New Cyber Threats

    Fintech

    On September 17, the FBI, together with the Financial Services Information Sharing and Analysis Center and the Internet Crime Complaint Center, issued a fraud alert to advise financial institutions of a new trend in which cyber criminals steal financial institution employee credentials for subsequent use in conducting wire fraud. The alert identifies spam and phishing emails as the primary method by which outsiders have obtained employee credentials, and notes that small and medium-sized banks and credit unions have been the most targeted institutions to date. The fraudsters also have stolen administrative credentials to third-party services and have used those credentials to circumvent financial institutions’ authentication methods. Once obtained, the credentials have been used to conduct unauthorized wire transactions. The alert notes that in some instances the unauthorized transactions have been preceded by a denial of service attack against the institution’s public website, which may have served as cover for the illicit activity by distracting the institution’s personnel responsible for detecting unauthorized activity.

    Privacy/Cyber Risk & Data Security