
InfoBytes Blog

Financial Services Law Insights and Observations


  • Data breach settlement of $380.5 million approved in consumer reporting agency class action

    Privacy, Cyber Risk & Data Security

    On January 13, the U.S. District Court for the Northern District of Virginia issued a final order and judgment in a class action settlement between a class of consumers (plaintiffs) and a large consumer reporting agency (company) to resolve allegations arising from a 2017 cyberattack causing a data breach of the company. After the company announced the breach, many consumers filed suit and were eventually joined into a proposed settlement class. As previously covered by InfoBytes, the plaintiffs alleged that the company (i) failed to provide appropriate security to protect stored personal consumer information; (ii) misled consumers regarding the effectiveness and capacity of its security; and (iii) failed to take proper action when vulnerabilities in its security system became known. The company and the plaintiffs later submitted a proposed settlement order to the court.

    According to the final order and judgment, the court certified the settlement class of the approximately 147 million affected consumers, finding the class was adequately represented, and approved the “distribution and allocation plan” as fair and reasonable. In the order granting final approval of the settlement, the company agreed to, among other things, pay $380.5 million into a settlement fund and potentially up to $125 million more to cover “certain out-of-pocket losses,” $77.5 million for attorneys’ fees, and approximately $1.4 million for reimbursement of expenses. Class members are eligible for additional benefits including up to 10 years of credit monitoring and identity theft protection services or cash compensation if they already have those services, as well as identity restoration services for seven years. The company also agreed to spend at least $1 billion on data security and technology in the next five years.

    Privacy/Cyber Risk & Data Security Class Action Settlement Data Breach Consumer Data Class Certification Consumer Reporting Agency

  • 7th Circuit overturns precedent, rejects restitution under Section 13(b) of FTC Act

    Courts

    On August 21, the U.S. Court of Appeals for the 7th Circuit held that Section 13(b) of the FTC Act does not give the FTC power to order restitution, overruling that court’s 1989 decision in FTC v. Amy Travel Service, Inc. As previously covered by InfoBytes, in June 2018, the U.S. District Court for the Northern District of Illinois granted the FTC’s motion for summary judgment against a credit monitoring service and its sole owner in an action filed under Section 13(b) of the FTC Act. The court concluded that no reasonable jury would find that the defendants’ scheme of using false rental property ads to solicit consumer enrollment in credit monitoring services without their knowledge could occur without engaging in unfair or deceptive practices. The FTC argued that the defendants’ scheme, which used the promise of a free credit report to enroll the consumers into a monthly credit monitoring program, violated the FTC Act’s ban on deceptive practices. The court agreed, holding that the ad campaign was “rife with material misrepresentations that were likely to deceive a reasonable consumer.” Additionally, the court agreed with the FTC that the defendants’ website was materially misrepresentative because it did not give “the net impression that consumers were enrolling in a monthly credit monitoring service” for $29.94 a month, as opposed to defendants’ claim that consumers were obtaining a free credit report. The court also found that the defendants’ websites failed to meet certain disclosure requirements imposed by the Restore Online Shopper Confidence Act. The court entered a permanent injunction and ordered the defendants to pay over $5 million in “equitable monetary relief” to the FTC.

    On appeal, the 7th Circuit affirmed the district court’s liability determination, and affirmed the issuance of the permanent injunction. However, the appellate court took issue with the restitution award ordered pursuant to Section 13(b) of the FTC Act. The appellate court noted that the FTC has long viewed Section 13(b) as authorizing awards of restitution, and even acknowledged that the 7th Circuit agreed with the FTC’s position in its decision in Amy Travel. However, subsequent to the Amy Travel decision, the Supreme Court, in Meghrig v. KFC W., Inc., clarified that “courts must consider whether an implied equitable remedy is compatible with a statute’s express remedial scheme.” Applying Meghrig, the 7th Circuit noted that “nothing in the text or structure of the [FTC Act] supports an implied right to restitution in section 13(b), which by its terms authorizes only injunctions.” The panel emphasized that the FTC Act has two other provisions that expressly authorize restitution if the FTC follows certain procedures, but the current reading of Section 13(b), based on Amy Travel, allows the FTC “to circumvent these elaborate enforcement provisions and seek restitution directly through an implied remedy.” Therefore, based on the Supreme Court precedent in Meghrig, the panel concluded that Section 13(b)’s grant of authority to order injunctive relief does not implicitly authorize an award of restitution, overturning its previous decision in Amy Travel and vacating the district court’s award of restitution.

    Courts Appellate Seventh Circuit FTC Act Enforcement Restitution FTC

  • National bank announces data breach

    Privacy, Cyber Risk & Data Security

    On July 29, a national bank announced a data breach affecting approximately 100 million individuals in the United States and approximately six million in Canada. According to the announcement, the incident occurred on July 19 when an unauthorized individual obtained personal information of credit card customers and people who had applied for credit card products. The bank noted that no credit card account numbers or log-in credentials were compromised and over 99 percent of social security numbers were not compromised. The largest category of information accessed was consumer and small business information from applications submitted from 2005 through early 2019, including names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income.

    Upon discovery of the breach, the bank fixed the vulnerability that allowed the individual to gain access and worked with federal authorities, resulting in the arrest of the person allegedly responsible. The bank will notify affected individuals and make free credit monitoring and identity protection available to them.

    Privacy/Cyber Risk & Data Security Data Breach Credit Cards

  • Credit reporting agency agrees to multi-agency settlement over 2017 data breach

    Federal Issues

    On July 22, the CFPB, FTC, and 48 states, the District of Columbia and Puerto Rico announced a settlement of up to $700 million with a major credit reporting agency to resolve federal and state investigations into a 2017 data breach that reportedly compromised sensitive information for approximately 147 million consumers. According to the complaints (see here and here) filed in the U.S. District Court for the Northern District of Georgia, the company allegedly engaged in unfair and deceptive practices by, among other things, (i) failing to provide reasonable security for the sensitive personal information stored within its network; (ii) deceiving consumers about its data security program capabilities; and (iii) failing to patch its network after being alerted in 2017 to a critical security vulnerability.

    Under the terms of the proposed settlements (see here and here), pending final court approval, the company will pay up to $425 million in monetary relief to consumers and provide credit monitoring to affected individuals, as well as six free credit reports each year for seven years to all U.S. consumers. The company must also pay $175 million to 48 states, the District of Columbia and Puerto Rico, and a $100 million civil money penalty to the Bureau. The $425 million fund will also compensate consumers who bought credit- or identity-monitoring services from the company and paid other expenses as a result of the breach. The company must also, among other things, implement a comprehensive information security program that will require annual assessments of security risks and safeguard measures, obtain third-party information security assessments, and acquire annual certifications from the board of directors that the company has complied with the settlements.

    Federal Issues CFPB FTC State Attorney General Settlement UDAAP Privacy/Cyber Risk & Data Security Data Breach

  • FTC finalizes rule providing free credit monitoring for servicemembers

    Agency Rule-Making & Guidance

    On June 24, the FTC finalized the “Free Electronic Credit Monitoring for Active Duty Military Rule,” which implements the Economic Growth, Regulatory Relief, and Consumer Protection Act requirement for nationwide consumer reporting agencies (CRAs) to provide free electronic credit monitoring services for active duty military consumers. The proposed rule, issued in November 2018 (covered by InfoBytes here), defined the term “electronic credit monitoring service” as a service through which the CRAs provide, at a minimum, electronic notification of material additions or modifications to a consumer’s file and requires CRAs to notify active duty military consumers within 24 hours of any material change. The proposal noted that CRAs may require that active duty military provide contact information, proof of identity, and proof of active duty status in order to use the free service and outlines how a servicemember may prove active duty status, such as with a copy of active duty orders. Additionally, the proposal prohibited CRAs from requiring active duty military consumers to purchase a product in order to obtain the free service.

    In response to comments on the proposal, the final rule refers to the definition of “active duty military consumer” in the FCRA, which requires that the servicemember be assigned to service away from their usual duty station, or be a member of the National Guard, regardless of whether the National Guard member is stationed away from their normal duty station. The FTC noted that commenters requested that the requirement that the servicemember be stationed away from their normal duty station be eliminated, but “the statutory language limit[ed] the Commission’s discretion on [the] topic.” However, the FCRA does not apply the same duty station requirement to the National Guard. Additionally, the final rule, among other things, (i) requires CRAs to provide free access to a credit file when it notifies an active duty military consumer about a material change to the file; (ii) extends the amount of time the CRAs have to notify an active duty military consumer of a material change from 24 hours to 48 hours; and (iii) prohibits CRAs from requiring that active duty military consumers agree to terms or conditions as a requirement to obtain their free credit file, unless the terms or conditions are necessary to comply with certain legal requirements.

    While the final rule goes into effect three months after publication in the Federal Register, CRAs will be allowed to comply with certain portions of the final rule by offering existing credit monitoring services to active duty military consumers for free, for a period of up to one year from the effective date.

    Agency Rule-Making & Guidance FTC EGRRCPA Credit Reporting Agency Credit Monitoring Federal Register Military Lending

  • New York settles with online retailer over data breach

    State Issues

    On June 6, the New York Attorney General announced a $65,000 settlement with an online retailer resolving allegations that the company failed to provide notice of an online data breach to over 39,000 customers, including nearly 3,000 New Yorkers, for over three years. According to the announcement, unauthorized parties placed malicious code designed to steal credit card information in the company’s software in September 2014. The company discovered the code in November 2014, but did not remediate it until January 2015 (or February 2015, after the code was mistakenly reintroduced and then permanently deleted). The Attorney General alleges that the company did not notify its affected customers until May 2018, and that, because the company did not notify New York authorities or its affected customers “in an expedient time-period, and without unreasonable delay,” it violated New York’s General Business Law § 899-aa.

    The company offered potentially affected customers two years of free credit monitoring, fraud consultation, and identity theft restoration services, which is not required by law. In addition to the penalty, the settlement requires the company to conduct trainings for appropriate employees and conduct thorough investigations of any future data security breaches involving private information to ensure compliance with state law.

    State Issues State Attorney General Privacy/Cyber Risk & Data Security Settlement Credit Cards

  • Class settles data breach claims over compromised payment card data

    Courts

    On February 26, the U.S. District Court for the Middle District of Florida granted final approval and class certification, following a final approval hearing, to a settlement resolving class action allegations concerning a data breach involving an international fast-food chain. According to the amended motion for final approval, the data breach occurred in 2016 and involved third-party malware installation on certain franchises’ point of sale systems, which targeted and compromised customer payment card related data. The class ultimately asserted the following claims—breach of implied contract, negligence, and violations of several state consumer laws—and requested reimbursement for (i) costs associated with time spent addressing identity theft or fraud; (ii) losses caused by restricted access to funds; (iii) costs associated with credit reports and credit monitoring; (iv) bank and payment card fees; (v) unauthorized charges; and (vi) documented time spent dealing with the repercussions of the data breach. Under the terms of the settlement, the fast-food chain will pay up to $5,000 per eligible class member as reimbursement for documented out-of-pocket expenses, and up to $15 an hour for up to two hours of undocumented time spent dealing with the repercussions of the data breach. The court also approved $1.02 million in attorneys’ fees and approximately $139,000 in costs to class counsel.

    Courts Privacy/Cyber Risk & Data Security Data Breach Class Action Settlement

  • District Court: Approval of data breach settlement denied due to several deficiencies

    Courts

    On January 28, the U.S. District Court for the Northern District of California denied preliminary approval of a proposed class action settlement after identifying several deficiencies with the deal. The proposed settlement was intended to resolve allegations concerning security failures by a global internet company, which led to three data breaches between 2013 and 2016 that exposed consumers’ personal information (previously covered by InfoBytes here). The proposed settlement would have required the internet company to (i) establish a $50 million settlement fund; (ii) pay additional attorneys’ fees of up to $35 million; (iii) pay costs and expenses of up to $2.5 million, as well as service awards of up to $7,500 for each class representative; (iv) provide customers with two years of credit monitoring and identity theft protection services; and (v) improve its data security. However, the court stated that the proposed settlement agreement, among other things, inadequately disclosed the sizes of the settlement fund and class, as well as the scope of non-monetary relief, and “appears likely to result in an improper reverter of attorneys’ fees.” Moreover, the court held that the proposed agreement provided insufficient detail about how much the settlement would cost the defendant in total, and did not disclose the costs of credit monitoring or how much the defendant would budget for data security, thus preventing class members from assessing the reasonableness of the settlement or the attorneys’ fee request—which the court indicated seem “unreasonably high.” The court also noted that “[t]he parties’ lack of disclosure also inhibits the court's ability to assess the reasonableness of the settlement.”

    Courts Class Action Settlement Data Breach

  • Massachusetts amends legislation protecting consumers from security breaches

    State Issues

    On January 10, the Massachusetts Governor signed HB 4806, following the House and Senate’s adoption of amendments to the bill. The bill, which is effective April 10, amends current law related to security breaches and the protection of consumer financial and credit information. Among other provisions, the amendments to the current law:

    • Prohibit users from requesting or obtaining the consumer credit report of a consumer unless the user obtains the consumer’s prior written, verbal, or electronic consent, and discloses the user's reason for accessing the consumer report to the consumer prior to obtaining consent.
    • Require every consumer reporting agency to disclose to consumers, when properly identified, (i) the nature, contents, and substance of all information on file (except medical information) at the time of the request; (ii) the sources of all credit information; and (iii) “the recipients of any consumer report on the consumer which it has furnished for employment purposes within the 2-year period preceding the request, and for any other purpose within the 6-month period preceding the request.”
    • State that a consumer reporting agency may not charge a fee to any consumer for placing, lifting, or removing a security freeze from a consumer report.
    • Specify that a consumer reporting agency may not “knowingly offer a paid product to prevent unauthorized access or restrict access to a consumer's credit.”
    • Require persons who experience a security breach to report specific information to the state Attorney General, as well as certify that their credit monitoring services are in compliance.
    • State that consumers shall receive notice provisions in the event of a breach of security, including the right to obtain police reports, steps for requesting a security freeze, and various mitigation services.
    • Require persons who experience a breach that compromises social security numbers to provide at least 18 months of free credit monitoring for affected individuals.

    State Issues State Legislation Credit Reporting Agency Privacy/Cyber Risk & Data Security Security Freeze Data Breach

  • FTC proposes rule to implement free credit monitoring for servicemembers

    Federal Issues

    On November 1, the FTC announced a proposed rule, which would implement the Economic Growth, Regulatory Relief, and Consumer Protection Act requirement for nationwide consumer reporting agencies (CRAs) to provide free electronic credit monitoring services for active duty servicemembers. The proposal defines the term “electronic credit monitoring service” as a service through which the CRAs provide, at a minimum, electronic notification of material additions or modifications to a consumer’s file and requires CRAs to notify servicemembers within 24 hours of any material change. The proposal notes that CRAs may require that servicemembers provide contact information, proof of identity, and proof of active duty status in order to use the free service and outlines how a servicemember may prove active duty status, such as with a copy of active duty orders. Additionally, the proposal prohibits CRAs from requiring servicemembers to purchase a product in order to obtain the free service or requiring the servicemember to agree to terms and conditions. Comments will be due 60 days after publication in the Federal Register.

    Federal Issues FTC EGRRCPA Credit Reporting Agency Credit Monitoring Federal Register Servicemembers
