
InfoBytes Blog

Financial Services Law Insights and Observations


  • District Court preliminarily approves data breach settlement

    Courts

    On October 24, the U.S. District Court for the District of Colorado granted preliminary approval of a class action settlement resolving claims that a defendant failed to safeguard personally identifiable information (PII) during a data breach. According to the plaintiffs’ unopposed motion for preliminary approval of class action settlement and supporting memorandum, in December 2021, the defendant determined that an unauthorized third party had gained access to and gathered data from its computer network in June 2021. The plaintiffs further alleged that, “if [the defendant] ‘properly monitor[ed] … [its] computer network and systems that housed the … [PII],’ [the defendant] ‘would have discovered the intrusion sooner.’” Furthermore, the plaintiffs alleged that the defendant failed to provide “timely and adequate notice” to the plaintiff class, and filed claims for negligence, breach of implied contract, and invasion of privacy by intrusion. The settlement also includes a provision for the defendant to pay directly for credit monitoring and identity theft protection services, not limited by the $475,000 cap, along with about $51,000 for settlement administration costs. The plaintiffs would also be able to seek up to $210,000 for attorney fees and costs, and a total of $5,000 for service awards to the named plaintiffs.

    Courts Privacy, Cyber Risk & Data Security Data Breach Class Action Settlement

  • District Court grants preliminary approval of data breach class action

    Courts

    On October 3, the U.S. District Court for the Eastern District of Wisconsin granted preliminary approval of a data breach class action settlement. According to the plaintiff’s unopposed motion for preliminary approval, a ransomware attack on the company potentially allowed an unauthorized actor to access the personal information of approximately two million of the company’s patients, employees, employee beneficiaries, and other individuals from May 28, 2021 to June 4, 2021. The company announced the ransomware attack in a data breach notice sent to customers on June 24, 2021. The plaintiff filed her complaint alleging, among other things, that the company “failed to take adequate measures to protect her and other putative Class Members’ Personal Information and failed to disclose that [the company’s] systems were susceptible to a cyberattack.” After other plaintiffs filed suit, the plaintiffs moved to consolidate the actions and alleged several violations, including negligence and breach of implied contract. The settlement provides for a $3.7 million settlement fund. Each class member is eligible to submit a claim for two years of three-bureau credit monitoring and up to $1 million of insurance coverage for identity theft incidents. Additionally, class members can submit a claim for up to $10,000 in documented losses. The settlement also provides class members with lost time payment and cash fund payment options (in the alternative to all the foregoing settlement benefits).

    Courts Privacy, Cyber Risk & Data Security Class Action Settlement Data Breach

  • District Court dismisses ransomware suit alleging negligence

    Courts

    On August 30, the U.S. District Court for the Northern District of Indiana granted a software company defendant’s motion to dismiss, ruling that a healthcare system nonprofit (the “nonprofit”) and its insurer (collectively, “plaintiffs”) had not plausibly alleged that the defendant’s 2020 ransomware attack caused it to incur expenses that were compensable injuries. According to the opinion, the nonprofit, which possesses personally identifiable information (PII) records, executed two contracts with the defendant “to help consolidate its existing databases into one system of records and protect this sensitive data.” According to the first agreement, the defendant agreed to maintain servers holding the health nonprofit’s donor and patient data, including PII. In the second agreement, the defendant agreed to, among other things, comply with its obligations as a “business associate” under HIPAA, HITECH, and any implementing regulations.

    According to the plaintiffs’ complaint, a third party allegedly hacked into the defendant’s systems and deployed ransomware in February 2020, gaining access to the PII that the health nonprofit stored with the defendant; however, the cybercriminals were unable to block the defendant from accessing its own systems. The defendant was said to have learned about the cyberattack in May 2020 and waited until July 2020 to notify the nonprofit. The plaintiffs alleged that the data breach occurred because of the defendant’s failure to reasonably safeguard its database of PII. The plaintiffs also claimed that “had [the defendant] maintained a sufficient security program, including properly monitoring its network, security, and communications, it would have discovered the cyberattack sooner or prevented it altogether.” Following the breach, the plaintiffs alleged that they incurred remediation damages that included “various expenses, which included credit monitoring services and call centers, legal counsel, computer systems recovery, and data recovery and data migration services.” The plaintiffs filed suit, alleging breach of contract, negligence, gross negligence, negligent misrepresentation, fraudulent misrepresentation, and breach of fiduciary duty. The defendant argued that the plaintiffs did not adequately explain how the breach caused their remediation damages, warranting dismissal.

    The district court found that the plaintiffs failed to adequately plead causation for each of their claims, noting that “without any allegations explaining why they had to spend these amounts, the court is left to speculate how [the defendant’s] breaches caused [the health nonprofit’s] remediation damages.” The district court additionally determined that the plaintiffs’ negligence and contract claims must also fail because “harm caused by identity information exposure, coupled with the attendant costs to guard against identity theft did not constitute a compensable injury under either a negligence claim or a contract claim brought pursuant to Indiana law.” The district court also found that the plaintiffs’ negligence claims are barred under Indiana’s economic loss rule because the plaintiffs did not point to an independent duty outside of contract. The plaintiffs were, however, given leave to amend their complaint and attempt to remedy its deficiencies.

    Courts Privacy, Cyber Risk & Data Security Ransomware Consumer Protection Data Breach State Issues Indiana

  • District Court approves class action settlement against securities trading platform and broker-dealer

    Courts

    On May 16, the U.S. District Court for the Northern District of California granted final approval of a settlement in a class action against a securities trading platform and broker-dealer (defendant) for allegedly allowing unauthorized users access to customers’ accounts. As described in plaintiffs’ motion for preliminary approval of settlement, class members alleged the defendant “lacked security measures used by other broker-dealer online systems,” which allowed “thousands of [the defendant’s] customer accounts [to be] accessed by unauthorized users.” Based on these allegations, class members brought claims for negligence, breach of contract, and violations of various state consumer privacy, competition, and advertising laws. Under the terms of the settlement, the defendant must provide cash payments of up to $260 each to settlement class members who submit a claim, up to a total amount of $500,000. Additionally, among other things, the defendant must “provide two years of credit monitoring and identity theft protection services to those who elect to receive it,” must “maintain improvements to its security protocols and policies to decrease the risk of unauthorized access to its customers’ accounts,” and must “respond effectively to instances of potential unauthorized access” in the future.

    Courts Privacy, Cyber Risk & Data Security Class Action Data Breach Securities

  • District Court preliminarily approves data breach class action settlement

    Privacy, Cyber Risk & Data Security

    On August 24, the U.S. District Court for the Southern District of New York preliminarily approved a putative consolidated class action settlement that would reimburse members for out-of-pocket costs or expenditures actually incurred in connection with a February 2020 data breach. According to class members’ memorandum in support of their motion for preliminary approval of the settlement, the data breach may have exposed the personal financial information (PFI) of approximately 10,300 individuals, including names, addresses, Social Security numbers, driver’s license numbers, bank account numbers, passport numbers, dates of birth, and other information. Class members alleged that defendants failed to adequately protect the PFI of current and former employees and their beneficiaries, and that the resulting data breach “was a direct result of defendants’ failure to implement adequate and reasonable cybersecurity procedures and protocols necessary to protect PFI.” If granted final approval, the settlement will provide each class member the opportunity to make a claim for up to $3,500 in reimbursements for out-of-pocket expenses actually incurred, and compensation for up to four hours of lost time spent remedying issues fairly traceable to the data breach at $18 per hour. Additionally, class members will be given 18 months of credit monitoring protections.

    Privacy, Cyber Risk & Data Security Courts Data Breach Settlement Class Action

  • District Court grants final approval of data breach settlement

    Privacy, Cyber Risk & Data Security

    On August 9, the U.S. District Court for the Western District of North Carolina granted final approval of a class action settlement resolving allegations that two hemp companies (collectively, “defendants”) were involved in data breaches. According to the plaintiffs’ unopposed motion for final approval of the class action settlement, the defendants notified the SEC, various states’ attorneys general, and thousands of affected customers about two data breaches that occurred through their website on two different occasions. The plaintiffs alleged that the incidents allowed hackers to “scrape[]” many of the defendants’ consumers’ names from the website by infecting the ecommerce platform with “malicious code,” and to steal the personally identifiable information of approximately 40,000 customers. Under the settlement, class members can receive as much as $210 for out-of-pocket expenses such as card replacement fees, overdraft fees, and interest, and up to $80 in costs for obtaining credit monitoring and identity theft protection, among other things. The district court also approved $2,500 payments to the lead plaintiffs as service awards.

    Privacy, Cyber Risk & Data Security Courts Data Breach Class Action Settlement SEC Data Scraping

  • District Court preliminarily approves $3.7 million data breach settlement

    Privacy, Cyber Risk & Data Security

    On June 30, the U.S. District Court for the Central District of California preliminarily approved an approximately $3.7 million consolidated class action settlement resolving claims arising from a defendant restaurant chain’s 2021 data breach. According to class members’ memorandum in support of their motion for preliminary approval of the settlement, the data breach exposed current and former employees’ personal identifying information (PII), including names and Social Security numbers. Following an investigation, the defendant sent notices to roughly 103,767 individuals whose PII may have been subject to unauthorized access and offered impacted individuals one year of free credit and identity monitoring services. Putative class actions were filed claiming the defendant failed to adequately safeguard its current and former employees’ (and their family members’) electronically stored PII, and alleging, among other things, violations of California’s Unfair Competition Law, Customer Records Act, and Consumer Privacy Act. If the settlement is granted final approval, each class member will be eligible to make a claim for up to $1,000 in reimbursements for expenses and lost time, and up to $5,000 in reimbursements for extraordinary expenses for identity theft related to the data breach. California settlement subclass members will also be entitled to $100 as a statutory damages award. Additionally, all class members will be eligible to enroll in two years of three-bureau credit monitoring. The defendant may also be responsible for attorneys’ fees, costs, and service awards.

    Privacy/Cyber Risk & Data Security Courts State Issues Class Action Data Breach California Settlement

  • District Court grants preliminary approval of class action settlement in data breach case

    Courts

    On June 21, the U.S. District Court for the Southern District of New York granted preliminary approval of a class settlement in an action against a cable TV and communications provider (defendant) for failing to protect current and former employees’ (plaintiffs) personal information and prevent a 2019 phishing attack. According to the plaintiffs’ supplemental memorandum in support of preliminary approval of settlement, the defendant notified the plaintiffs (as well as the attorneys general of several states) that a successful phishing campaign was launched against them. The phishing scheme resulted in cybercriminals being able to “access” and “download” a report containing the unencrypted personally identifiable information (PII) of 52,846 plaintiffs. The plaintiffs alleged that as a result of the data security incident they suffered concrete injuries, including, inter alia, identity theft, the exposure of their PII to cybercriminals, a substantial risk of identity theft, and actual losses. Under the terms of the preliminarily approved settlement, class members are eligible to enroll in three years of identity protection and credit monitoring, and may receive reimbursement of out-of-pocket expenses and compensation for up to three hours spent dealing with the security incident.

    Courts Privacy/Cyber Risk & Data Security Data Breach Class Action Settlement

  • CFPB sues credit reporter and one of its executives

    Federal Issues

    On April 12, the CFPB sued a credit reporting agency (CRA), two of its subsidiaries (collectively, “corporate defendants”), and a former senior executive for allegedly violating a 2017 enforcement order in connection with alleged deceptive practices related to their marketing and sale of credit scores, credit reports, and credit-monitoring products to consumers. The 2017 consent order required the corporate defendants to pay a $3 million civil penalty and more than $13.9 million in restitution to affected consumers, as well as to abide by certain conduct provisions (covered by InfoBytes here). The Bureau’s announcement called the corporate defendants “repeat offender[s]” who continued to engage in “digital dark patterns” that caused consumers seeking free credit scores to unknowingly sign up for a credit monitoring service with recurring monthly charges. According to the Bureau’s complaint, the corporate defendants, under the individual defendant’s direction, allegedly violated the 2017 consent order from the day it went into effect instead of implementing agreed-upon policy changes intended to stop consumers from unknowingly signing up for credit monitoring services that charge monthly payments. The Bureau claimed that the corporate defendants’ practices continued even after examiners raised concerns several times. With respect to the individual defendant, the Bureau contended that he had both the “authority and obligation” to ensure compliance with the 2017 consent order but did not do so. Instead, he allowed the corporate defendants to “defy the law and continue engaging in misleading marketing, even in the face of thousands of consumer complaints and refund requests.” The complaint alleges violations of the CFPA, EFTA/Regulation E, and the FCRA/Regulation V, and seeks a permanent injunction, damages, civil penalties, consumer refunds, restitution, disgorgement, and the CFPB’s costs.

    CFPB Director Rohit Chopra issued a statement the same day warning the Bureau will continue to bring cases against repeat offenders. Dedicated units within the Bureau’s enforcement and supervision teams will focus on repeat offenders, Chopra stated, adding that the Bureau will also work with other federal and state law enforcement agencies when repeat violations occur. “Agency and court orders are not suggestions, and we are taking steps to ensure that firms under our jurisdiction do not engage in repeat offenses,” Chopra stressed. He also explained that the charges against the individual defendant are appropriate, as he allegedly, among other things, impeded measures to prevent unintended subscription enrollments and failed to comply with the 2017 consent order, which bound company executives and board members to its terms.

    The CRA issued a press release following the announcement, stating that it considers the Bureau’s claims to be “meritless” and that, as required by the consent order, the CRA “submitted to the CFPB for approval a plan detailing how it would comply with the order. The CFPB ignored the compliance plan, despite being obligated to respond and trigger deadlines for implementation. In the absence of any sort of guidance from the CFPB, [the CRA] took affirmative actions to implement the consent order.” Moreover, the CRA noted that “[r]ather than providing any supervisory guidance on this matter and advising [the CRA] of its concerns – like a responsible regulator would – the CFPB stayed silent and saved their claims for inclusion in a lawsuit, including naming a former executive in the complaint,” and that “CFPB’s current leadership refused to meet with us and were determined to litigate and seek headlines through press releases and tweets.”

    Federal Issues CFPB Enforcement Credit Reporting Agency Deceptive UDAAP Regulation E CFPA FCRA Regulation V Consumer Finance Repeat Offender

  • District Court grants $5 million settlement for alleged data breach

    Courts

    On November 5, the U.S. District Court for the Northern District of California granted preliminary approval of a class action settlement resolving claims against a grocery store chain after a data breach allegedly compromised personal information in its software. According to the plaintiffs’ notice of motion and motion for preliminary approval of class action settlement, a software vendor notified its clients, including the grocery store, that its software had been breached. As a result of the breach, hackers accessed personally identifiable information (PII) of approximately 3.82 million of the grocery store’s pharmacy customers and employees. Under the preliminary settlement, claimants may choose to receive either (i) a cash payment, with an estimated value between $18 and $91 for non-California residents and between $36 and $182 for California residents; (ii) two years of credit monitoring and insurance services; or (iii) reimbursement of any documented losses of up to $5,000. The proposed settlement also contains “robust injunctive relief,” including requirements that the grocery store chain (i) confirm that class members’ sensitive PII is secured; (ii) monitor the dark web for five years for fraudulent activity related to class members’ PII; and (iii) enhance its third-party vendor risk management program. The district court also noted that any class member can appear at the fairness hearing to object to any aspect of the settlement, and that class members have 75 days after being notified of the deal to file their written objections or opt out of the settlement. The proposed settlement would not resolve any claims against the software vendor. Additionally, the court issued an order denying a motion to intervene by a group of objectors, finding that they failed to “identify a protectable interest that will be impaired if they are unable to intervene.”

    Courts Class Action California Privacy/Cyber Risk & Data Security Settlement Data Breach Consumer Protection
