InfoBytes Blog

Financial Services Law Insights and Observations

  • District Court approves CCPA class action settlement

    Courts

    On October 27, the U.S. District Court for the Northern District of Illinois granted preliminary approval of a class action settlement resolving claims against an Illinois-based insurance provider and its subsidiary (collectively, defendants) for allegedly failing to adequately protect plaintiffs’ personal and private information when the defendants were the targets of security breach incidents in which an unauthorized user’s access to the defendants’ network and computer systems resulted in unauthorized access to personal, private information (PII). According to the memorandum of law in support of the plaintiffs’ motion for preliminary approval, the plaintiffs sued after learning that the defendants were targeted by hackers in December 2020, which affected over 5.8 million customers, and again in March 2021, which affected more than 324,000 customers. This conduct, the plaintiffs contended, violated the California Consumer Privacy Act, the California Consumers Legal Remedies Act, California’s Unfair Competition Law, and various state common laws. While the defendants denied allegations of wrongdoing and liability, and asserted defenses to the individual and class claims, the parties reached a proposed settlement, in which class members (defined as “all natural persons residing in the United States who were sent notice letters notifying them that their PII was compromised in the Data Incidents announced by Defendants on or about March 16, 2021 and on or about May 25, 2021”) will be provided automatic access to 18 months of credit monitoring and financial account protection. Additionally, every class member can make a claim for up to $10,000 in reimbursement for out-of-pocket losses. The preliminarily approved settlement also provides for class counsel fees and expenses not to exceed roughly $2.5 million and class representative service awards of $1,500.

    Courts Class Action Illinois Data Breach CCPA Privacy/Cyber Risk & Data Security State Issues California

  • District Court reimposes $5 million restitution award in FTC action

    Courts

    On September 13, the U.S. District Court for the Northern District of Illinois reimposed a more than $5 million restitution award in an action dating back to 2018, this time under Section 19 of the FTC Act. The court originally granted the FTC’s motion for summary judgment against a credit monitoring service and its sole owner in an action filed under Section 13(b) of the FTC Act, after concluding that no reasonable jury would find that the defendants’ scheme of using false rental property ads to solicit consumer enrollment in credit monitoring services without their knowledge could occur without engaging in unfair or deceptive practices (covered by InfoBytes here). However, as previously covered by InfoBytes, in 2019, the U.S. Court of Appeals for the Seventh Circuit held that Section 13(b) does not grant the FTC authority to order restitution, a position that the U.S. Supreme Court ultimately agreed with when issuing its decision in AMG Capital Management, LLC v. FTC (which unanimously held that Section 13(b) of the FTC Act “does not authorize the Commission to seek, or a court to award, equitable monetary relief such as restitution or disgorgement”; covered by InfoBytes here).

    In its current ruling, the court agreed to reimpose the damages under the Restore Online Shopper Confidence Act (ROSCA) and Section 19. The court noted that because ROSCA incorporates all the enforcement tools of the FTC Act, the FTC could seek remedies using Section 19 of the FTC Act instead of relying on Section 18. Further, the court noted that the FTC indicated that the FTC may seek remedies under Section 19 when it brought the action under Section 5(a) of ROSCA, which the court ultimately agreed was correct. “The FTC has the better of this dispute,” the court wrote, adding, among other things, that “the court is unmoved by [the defendant’s] claims of unfair prejudice. Aside from the particular route to an award of restitution, nothing will materially change. The FTC seeks the same remedy, for the same reasons, and for the same victims under section 5(a) via section 19 as it did under section 13(b).”

    Courts FTC Enforcement FTC Act Appellate Seventh Circuit U.S. Supreme Court

  • District Court grants final approval to grocery chain data breach settlement

    Courts

    On July 21, the U.S. District Court for the Central District of Illinois granted final approval to a class action data breach settlement, resolving allegations that a grocery chain was responsible for a data breach that exposed the credit card information of consumers. The final settlement (which was preliminarily approved in January) allows class members representing consumers who used a payment card to make a purchase at an impacted point-of-sale device during the security incident to receive reimbursement of up to $225 for out-of-pocket expenses related to the breach, including (i) unreimbursed bank, overdraft, and late fees; (ii) telecommunication charges; (iii) payday loan interest; and (iv) costs related to credit monitoring, identity theft protection, and time spent replacing credit cards and addressing fraudulent charges. Additionally, class members may be awarded up to $5,000 for “extraordinary expenses” resulting from the compromise of personal information. The grocery chain also agreed to “establish and maintain security enhancements that are estimated to cost more than $20 million.” However, the court reduced the attorneys’ fees to $739,000 in the final settlement after determining the initial fee request was too high compared to the overall relief for class members.

    Courts Class Action Settlement Privacy/Cyber Risk & Data Security Data Breach

  • District Court rules date on credit monitoring app report insufficient to prove FDCPA violation

    Courts

    On June 24, the U.S. District Court for the Middle District of Tennessee granted a defendant debt collector’s motion for summary judgment in an FDCPA action, holding that the plaintiff did not have enough evidence to prove her claim that the defendant violated FDCPA Section 1692e(8) by failing to communicate that her debts were disputed. According to the order, the plaintiff obtained a copy of her credit report and noticed that the defendant was reporting five debts that she allegedly owed to a healthcare provider. The plaintiff’s counsel sent the defendant a letter disputing the debts. While the defendant did not report to the credit bureaus that the debts were disputed, the defendant received instructions from the healthcare provider to remove all of its consumer debts from the national credit bureaus. The defendant subsequently instructed the credit bureaus to remove all of the accounts from their services. However, the defendant did not verify that the debts were removed, claiming that it did not recall ever having “‘an issue raised as a result of one of the credit bureaus not removing a debt as requested,’” and as such “had ‘no reason to confirm that its instructions to [the credit bureau] had been carried out.’” When the plaintiff checked her credit report nearly three months later using a credit monitoring app, she saw that the debts were still being reported and were not marked as being disputed. The app showed the information to be reported as of a date that was three weeks after the defendant asked to have the debts marked as disputed. The plaintiff alleged that the defendant failed to mark the debts as disputed and alleged that it communicated information to the credit bureaus without identifying the debts as being disputed. The defendant countered, arguing among other things, that it “‘has no control over when or how [the credit bureau] inputs data from [the defendant] or how [the credit bureau] describes the report date of the data that [the defendant] submits to it.’”

    In granting the defendant’s motion for summary judgment, the court determined that simply because the app used a date to indicate how current the information was does not mean that information was communicated to the credit bureaus by the defendant on that date. The app report relied upon by the plaintiff “does not indicate that [the defendant] communicated with [the credit bureau] on that date,” the court wrote. “It is simply silent on that question. It certainly gives rise to the possibility that [the defendant] communicated with [the credit bureau] on that date, but a possibility is not the same as probability.” As a result, the court found there was insufficient evidence in the record to support the plaintiff’s claims and it granted summary judgment in the defendant’s favor.

    Courts FDCPA Consumer Finance Credit Report Credit Bureau

  • District Court approves online marketplace data breach settlement

    Courts

    On May 13, the U.S. District Court for the Northern District of California preliminarily approved a class action settlement, resolving allegations that a California-based online designer marketplace failed to protect customers’ personal information from a computer hacking group in a May 2020 data breach. The plaintiffs asserted negligence and brought claims under California’s Consumer Privacy Act and Unfair Competition Law after plaintiffs launched an investigation into the cybersecurity incident. The preliminary settlement requires the company to establish a $5 million settlement fund, which would “provide for an estimated $43 payment per participating class member, two years of credit monitoring, and identity restoration services.” The company must also implement several business practice changes to enhance security, including enhancing password protection and implementing a policy regarding minimizing the retention of customers’ personally identifiable information. The settlement also notes that “members subject to identity theft can also obtain fraud resolution assistance to dispute transactions, mediate calls with merchants, and implement fraud alerts.” Class members who do not agree to the settlement may opt out of the settlement by September 16.

    Courts Data Breach Settlement Privacy/Cyber Risk & Data Security Class Action CCPA State Issues

  • 2nd Circuit: No standing if PII is uncompromised

    Courts

    On April 26, the U.S. Court of Appeals for the Second Circuit affirmed a district court’s dismissal of a proposed class action settlement, concluding that although, “in the context of unauthorized data disclosures,” plaintiffs may establish Article III standing on the theory that a data breach increases the risk of identity theft, the appealing plaintiff failed to show that her sensitive personally identifiable information (PII) had been misused or compromised. The plaintiff filed a proposed class action against a former employer after a company employee accidentally sent an email to approximately 65 company employees with an attachment containing PII for roughly 130 current and former workers, including Social Security numbers, home addresses, and birth dates. The plaintiff alleged that the defendant, among other things, violated several state consumer protection statutes, and contended that workers “were ‘at imminent risk of suffering identity theft.’” The plaintiff further claimed that workers had to spend time canceling credit cards, assessing whether to apply for new Social Security numbers, and purchasing credit monitoring and identity theft protection services. While the parties reached a settlement, the court ultimately denied the settlement and dismissed the case for lack of subject-matter jurisdiction after finding the plaintiff lacked Article III standing because she failed to allege “an injury that is concrete and particularized and certainly impending.” According to the district court, it was “arguably a misnomer to even call this case a ‘data breach’ case,” because, “[a]t best, the data was ‘misplaced’” internally rather than accessed by a third party.

    On appeal, the Second Circuit agreed with the district court, concluding that the plaintiff failed to demonstrate an increased risk of identity theft and that the cost of taking proactive measures to prevent future identity theft is insufficient to constitute an injury in fact when the threat is speculative. “This notion stems from the Supreme Court’s guidance in [Clapper v. Amnesty Int’l USA], where it noted that plaintiffs ‘cannot manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending.’”

    Courts Appellate Second Circuit Data Breach Privacy/Cyber Risk & Data Security Class Action State Issues

  • Court approves grocery store data breach settlement

    Courts

    On January 25, the U.S. District Court for the Central District of Illinois preliminarily approved a class action settlement, resolving allegations that a grocery chain was responsible for a data breach that exposed the credit card information of consumers. The preliminary settlement would allow class members to receive reimbursement of up to $225 for out-of-pocket expenses related to the breach, including (i) unreimbursed bank, overdraft, and late fees; (ii) long distance and cell phone charges; and (iii) costs related to credit monitoring and identity theft protection. Additionally, class members may be awarded up to $5,000 for “extraordinary unreimbursed monetary losses” resulting from the compromise of personal information. Moreover, the grocery chain agreed to “establish and maintain security enhancements that are estimated to cost more than $20 million.” Class members who do not agree to the settlement may keep their right to independently sue if they opt out by May 24.

    Courts Data Breach Privacy/Cyber Risk & Data Security Class Action Settlement

  • Health insurer to pay $48 million to resolve 2014 data breach

    Privacy, Cyber Risk & Data Security

    On September 30, a multistate settlement was reached between a health insurance company and a coalition of 42 state attorneys general and the District of Columbia to resolve a 2014 data breach that allegedly compromised the personal information of more than 78 million customers nationwide. According to the states, cyber attackers infiltrated the company’s systems using malware installed through a phishing email. The data breach resulted in the exposure of consumers’ Social Security numbers, birthdays, and other personal data. Under the terms of the settlement, the health insurer must pay $39.5 million in penalties and fees, and is required to (i) not misrepresent the extent of its privacy and security protections; (ii) implement a comprehensive information security program, including “regular security reporting to the Board of Directors and prompt notice of significant security events to the CEO”; (iii) implement specific security requirements, including “anti-virus maintenance, access controls and two-factor authentication, encryption, risk assessments, penetration testing, and employee training”; and (iv) schedule third-party assessments and audits for three years.

    Separately, the California AG reached an $8.69 million settlement, subject to court approval, in a parallel investigation, which requires the health insurer to, among other things, implement changes to its information security program and fix vulnerabilities to prevent future data breaches.

    Previously in 2018, the health insurer reached a $115 million class action settlement, which provided for two years of credit monitoring, reimbursement of out-of-pocket costs related to the breach, and alternative cash payment for credit monitoring services already obtained (covered by InfoBytes here).

    Privacy/Cyber Risk & Data Security Courts Settlement Data Breach State Issues State Attorney General

  • District court approves MDL data breach settlement

    Courts

    On July 21, the U.S. District Court for the Northern District of California issued an order approving a $117.5 million class action settlement, including $23 million in attorneys’ fees, with a global internet company to resolve multidistrict litigation concerning the exposure of class members’ sensitive information stemming from multiple data breaches. The settlement approval follows a fairness hearing, as the court originally denied preliminary approval due to several identified deficiencies (covered by InfoBytes here), including that the settlement inadequately disclosed the sizes of the settlement fund and class, as well as the scope of non-monetary relief, and “appear[ed] likely to result in an improper reverter of attorneys’ fees.” Last July, the court preliminarily signed off on a revised settlement, conditionally certifying a class of U.S. and Israeli residents and small businesses with accounts between 2012 and 2016 that were affected by the breaches. These class members have been certified in the final approved settlement, which requires the company to provide class members with either two years of credit monitoring services or alternative compensation for members who already have credit monitoring. Among other things, the company will allocate at least $66 million each year to its information security budget until 2022, will increase the number of full-time security employees from current levels, and will “align its information security program with the National Institute of Standards and Technology Cybersecurity Framework” and “undertake annual third-party assessments to ensure compliance” with the framework.

    Courts MDL Settlement Attorney Fees Class Action Data Breach Privacy/Cyber Risk & Data Security

  • Multi-jurisdiction settlement reached with credit reporting agency over 2017 data breach

    Privacy, Cyber Risk & Data Security

    On April 17, the Massachusetts attorney general announced a settlement with a credit reporting agency (CRA) to resolve a state investigation into a 2017 data breach that reportedly compromised the personal information of nearly three million Massachusetts residents. According to the AG’s 2017 complaint (covered by InfoBytes here), the CRA ignored cybersecurity vulnerabilities for months before the breach occurred and failed to take measures to implement and maintain reasonable safeguards. Under the terms of the proposed settlement, pending final court approval, the CRA will pay Massachusetts $18.2 million and is required to take significant measures to strengthen its security practices to ensure compliance with Massachusetts law. These measures include (i) implementing a comprehensive information security program; (ii) minimizing the collection of sensitive personal information; (iii) managing and implementing specific technical safeguards and controls; (iv) providing consumer-related relief, such as credit monitoring services and security freezes; and (v) allowing third-party assessments of its data safeguards.

    Earlier, on April 14, the Indiana attorney general also announced that the CRA will pay the state $19.5 million to resolve allegations that it failed to protect Indiana residents whose personal information was exposed in the 2017 data breach. Under the terms of the final judgment and consent decree, in addition to paying $19.5 million in restitution, the CRA must take measures similar to those outlined in the Massachusetts settlement.

    Massachusetts and Indiana were the only two states that chose not to participate in the 2017 multi-agency settlement that resolved federal and state investigations into the data breach and required the company to pay up to $700 million (covered by InfoBytes here).

    Separately, on April 7, the City of Chicago announced a $1.5 million settlement to resolve allegations that the CRA’s failure to employ adequate data-security measures led to the breach.

    Privacy/Cyber Risk & Data Security State Attorney General Data Breach State Issues Credit Reporting Agency Settlement Massachusetts Indiana
