InfoBytes Blog

Financial Services Law Insights and Observations

  • FTC orders prison contractor to fix security exposures after data breach

    Privacy, Cyber Risk & Data Security

    On November 16, the FTC issued a proposed order against an integrated technology services company finding a violation of Section 5(a) of the Federal Trade Commission Act. According to the order, the company offered various products and services to jails, prisons, and detention facilities. These products and services included means of communication between incarcerated and non-incarcerated individuals, and, among other things, allowed non-incarcerated individuals to deposit funds into the accounts of incarcerated individuals. According to the complaint, and due to the nature of its operations, the company collected individuals’ sensitive personally identifiable information, including names, addresses, passport numbers, driver’s license numbers, Social Security numbers, and financial account information, some of which was exposed as a result of a data breach in August 2020 due to a misconfiguration in the company’s cloud storage environment.

    In its decision, the FTC ordered the company to, among other things, (i) implement a comprehensive data security program, including “change management” measures and multifactor authentication; (ii) notify users affected by the data breach, who had not yet received notice, and offer credit monitoring and identity protection products; (iii) inform consumers and facilities within 30 days of future data breaches; and (iv) notify the FTC within 10 days of reporting any security incident to local, state, or federal authorities.

    Privacy, Cyber Risk & Data Security Federal Issues FTC Data Enforcement

  • New York reaches settlement with medical management company over patient data

    Privacy, Cyber Risk & Data Security

    On May 23, the New York attorney general announced a settlement with a medical management company for allegedly failing to protect over 428,000 New Yorkers’ personal and health data from a 2020 ransomware cyberattack affecting roughly 1.2 million consumers nationwide. According to the AG’s investigation, the company implemented a new version of its software in January 2019, but allegedly failed to conduct a series of security tests and scans that could have identified any security problems. Further, the private information maintained by the company was not encrypted. Notably, information for 13 consumers was apparently discovered on the dark web days after the hack. The investigation identified 28 areas in which the company allegedly failed to maintain reasonable data security practices to protect patients’ private and health information, including failing to maintain appropriate patch management processes, conduct regular security testing of its systems, and encrypt the personal information on its servers. Under the terms of the assurance of discontinuance, the company, while neither admitting nor denying the allegations, agreed to pay $550,000 in penalties, and will improve its data security practices and offer affected customers free credit monitoring services.

    Privacy, Cyber Risk & Data Security State Issues State Attorney General Data Breach New York

  • District Court won’t stay CFPB litigation with credit reporter

    Courts

    On April 13, the U.S. District Court for the Northern District of Illinois denied a credit reporting agency’s (CRA) bid to stay litigation filed by the CFPB alleging deceptive practices related to the marketing and sale of credit scores, credit reports, and credit-monitoring products to consumers. The Bureau sued the CRA and one of its former senior executives last April (covered by InfoBytes here), claiming the defendants allegedly violated a 2017 consent order by continuing to engage in “digital dark patterns” that caused consumers seeking free credit scores to unknowingly sign up for a credit monitoring service with recurring monthly charges.

    The CRA requested a stay while the U.S. Supreme Court considers whether the Bureau’s funding mechanism is unconstitutional. Earlier this year, the Court agreed to review next term the 5th Circuit’s decision in Community Financial Services Association of America v. Consumer Financial Protection Bureau, where it found that the CFPB’s “perpetual self-directed, double-insulated funding structure” violated the Constitution’s Appropriations Clause. (Covered by InfoBytes here and a firm article here.) While acknowledging that a ruling against the Bureau may result in the dismissal of the action against the CRA, the court concurred with the Bureau that consumers may be exposed to harm during a stay. “Were I to grant the requested stay, it could last more than one year, depending on when the Supreme Court issues its opinion,” the court wrote. “In that time, if the Bureau’s allegations bear out, consumers will continue to suffer harm because of defendants’ unlawful conduct. That potential cost is too great to outweigh the resource preserving benefits a stay would confer.”

    Courts CFPB Consumer Finance Credit Reporting Agency Enforcement Deceptive UDAAP CFPA U.S. Supreme Court Funding Structure Constitution Dark Patterns

  • District Court approves $1.75 million data breach settlement

    Privacy, Cyber Risk & Data Security

    On March 3, the U.S. District Court for the Central District of California granted final approval of a $1.75 million class action settlement resolving allegations related to a 2020 data breach that compromised nearly 100,000 individuals’ personally identifiable information, including financial information, social security numbers, health records, and other personal data. The affected individuals are students, parents, and guardians who were enrolled in a system used to manage student data in a California school district. According to class members, by failing to adequately safeguard users’ login credentials and by failing to timely notify individuals of the breach, the company violated, among other things, California’s unfair competition law, the California Customer Records Act, and the California Consumer Privacy Act.

    Under the terms of the settlement, the company is required to pay a non-reversionary settlement amount of $1.75 million, which will be used to compensate class members and pay for attorney fees and costs, service awards, and administrative expenses. Additionally, as outlined in the motion for preliminary approval of the class action settlement, class members are eligible to submit claims for “ordinary losses” (capped at $1,000 per person), as well as “extraordinary losses” (capped at $10,000 per person). Ordinary losses include expenses such as bank fees, long distance phone charges, certain cell phone charges, postage, gasoline for local travel, “[f]ees for additional credit reports, credit monitoring, or other identity theft insurance products,” and up to 40 hours of lost time, at $25/hour, provided at least one full hour was spent dealing with the data breach. Extraordinary losses are described as those “arising from financial fraud or identity theft” where the “loss is an actual, documented, and unreimbursed monetary loss” and is “fairly traceable to the data breach” and not already covered by another reimbursement category. Class members must also show that they made “reasonable efforts to avoid, or seek reimbursement for, the loss.” All class members will be offered 12 months of credit monitoring and identity theft protection at no cost, and the company will implement “information security enhancements” to prevent future occurrences.

    Privacy, Cyber Risk & Data Security Courts Settlement Data Breach Class Action State Issues California CCPA

  • CFPB reports on servicemember identity theft

    Federal Issues

    On January 12, the CFPB released an Issue Spotlight discussing identity theft affecting servicemembers. According to the report, servicemembers, veterans, and military family members are more likely to report identity theft than civilians, with military consumers reporting almost 50,000 cases of identity theft to the FTC in 2021. The Bureau also noted that a steady income could make servicemembers a target for identity thieves looking to create fraudulent credit accounts or tap into bank accounts, and warned that frequent relocation may also increase servicemembers’ risk of identity theft.

    Many servicemembers and all officers are required to pass a national security clearance check that includes a review of their credit history and ability to meet their financial obligations. The report found that security clearances are “continuously evaluated,” with credit checks being part of the process. If a review reveals a history of failing to meet financial obligations, being in excessive debt, or having a high debt-to-income ratio, a servicemember’s security clearance may be revoked. Bad credit can also lead to rejected or higher-cost rental or mortgage applications, limiting housing options, the Bureau said.

    The report also found that unrecognized debt is often the first sign of identity theft. Between 2014 and 2022, military consumer complaints to the CFPB about debts that resulted from identity theft increased nearly fivefold, from more than 200 annually in 2014 to more than 1,000 in 2022. The Bureau noted that addressing credit report inaccuracies related to identity theft can be “a particularly complicated process.” The report also provided recommendations for servicemembers on how to protect their credit, such as reviewing credit reports regularly, disputing inaccurate information, and taking advantage of free credit monitoring services.

    Federal Issues CFPB Consumer Finance Servicemembers Identity Theft

  • CFPB proposes T&C registry for nonbanks

    Agency Rule-Making & Guidance

    On January 11, the CFPB announced a proposed rule to create a public registry of terms and conditions used in non-negotiable, “take it or leave it” nonbank form contracts that “claim to waive or limit consumer rights and protections.” Under the proposal, supervised nonbank companies would be required to report annually to the Bureau on their use of standard-form contract terms that “seek to waive consumer rights or other legal protections or limit the ability of consumers to enforce or exercise their rights.” The terms and conditions—which would be made publicly available—would include those that address waivers of consumer claims, liability limits, legal action limits, class action bans, arbitration agreements, liquidated damages clauses, as well as other waivers of consumer rights.

    The Bureau explained that its proposal is intended to “facilitate public awareness and oversight” about what nonbanks are putting in form contracts. “Some companies slip terms and conditions into their form contracts that try to take away consumer protections, try to limit how consumers exercise their rights, or try to quiet consumer complaints or criticism,” the Bureau stated in its announcement. “[M]ore broadly, the terms and conditions potentially undermine consumer financial protection law.”

    The Bureau provided several examples of such terms and conditions, including: (i) unlawful mandatory arbitration agreements that are included in servicemember loan contracts; (ii) credit monitoring service agreements that “undermine credit reporting rights” by prohibiting consumers from pursuing legal action, including class action lawsuits, for FCRA violations; (iii) occurrences where lenders use clauses that waive liability for bank fees that borrowers incur due to repeated payment collection attempts; (iv) mortgage contracts that make “deceptive” use of waivers and limitations that are inconsistent with TILA restrictions; and (v) terms and conditions that try to quiet consumer complaints or criticism.

    All supervised nonbanks, including those operating in payday lending, private student loan origination, mortgage lending and servicing, student loan servicing, automobile financing, consumer reporting, consumer debt collection, and international remittances would be subject to the rule. However, the Bureau is proposing certain exemptions for nonbanks with lower levels of receipts. Comments on the proposal are due 30 days after publication in the Federal Register.

    “[T]he registry would help regulators and law enforcement more easily detect when companies are offering products and services using prohibited, void, and restricted contract terms described above. This would be especially useful to state and tribal regulators with limited resources to alert or take action against companies violating the law,” CFPB Director Rohit Chopra said in an accompanying statement, adding that the Bureau plans to “use data from the registry to identify supervised nonbanks and the risks their terms and conditions pose, prioritize which firms to examine, and plan the scope of those exams.”

    House Financial Services Committee Chairman Patrick McHenry (R-NC) slammed the proposal, saying the “proposed registry of terms and conditions will facilitate the naming and shaming of firms to empower progressive activists. Requiring nonbank financial firms to register publicly with the Bureau is unprecedented—no other industry is required to make public such detailed contract information. The days of Congress giving Director Chopra a free pass for his reckless actions have come to an end.”

    The proposed registry follows a proposal announced in December by the Bureau that would create a database of enforcement actions taken against certain nonbank covered entities, which would include all final public written orders and judgments (including any consent and stipulated orders and judgments) obtained or issued by any federal, state, or local government agency for violation of certain consumer protection laws related to unfair, deceptive, or abusive acts or practices. (Covered by InfoBytes here.)

    Agency Rule-Making & Guidance Federal Issues CFPB Nonbank Consumer Finance Consumer Protection Supervision House Financial Services Committee

  • District Court preliminarily approves data breach suit

    Courts

    On January 9, the U.S. District Court for the District of New Mexico granted preliminary approval of a class action settlement in a data breach suit that allegedly compromised approximately 191,000 individuals’ personally identifiable information (PII). According to the plaintiffs’ motion, the class alleged that their PII and personal health information were compromised when cybercriminals breached the defendant’s systems. If granted final approval, the settlement class would consist of four categories of relief: (i) reimbursement for lost time (up to four hours at $15 per hour) and out-of-pocket expenses up to $500; (ii) reimbursement for extraordinary losses up to $3,500; (iii) two years’ free credit monitoring services; and (iv) equitable relief in the form of security improvements to the defendant’s system.

    Courts Privacy, Cyber Risk & Data Security Data Breach Settlement Class Action

  • District Court: Defendants cannot use CFPB funding argument to dismiss deceptive marketing lawsuit

    Courts

    On November 18, the U.S. District Court for the Northern District of Illinois ruled that the CFPB can proceed in its lawsuit against a credit reporting agency, two of its subsidiaries (collectively, “corporate defendants”), and a former senior executive accused of violating a 2017 enforcement order in connection with alleged deceptive practices related to their marketing and sale of credit scores, credit reports, and credit-monitoring products to consumers. According to the court, a recent decision issued by the U.S. Court of Appeals for the Fifth Circuit, which found that the Bureau’s funding structure violates the Appropriations Clause of the Constitution (covered by a Buckley Special Alert), is not a persuasive basis for dismissing the lawsuit.

    As previously covered by InfoBytes, the Bureau sued the defendants in April claiming the corporate defendants, under the individual defendant’s direction, allegedly violated the 2017 consent order from the day it went into effect instead of implementing agreed-upon policy changes intended to stop consumers from unknowingly signing up for credit monitoring services that charge monthly payments. The Bureau further claimed that the corporate defendants’ practices continued even after examiners raised concerns several times, and that the individual defendant had both the “authority and obligation” to ensure compliance with the 2017 consent order but did not do so.

    The defendants sought to have the lawsuit dismissed for several reasons, including on constitutional grounds. The court disagreed with defendants’ constitutional argument, stating that, other than the 5th Circuit, courts around the country have “uniformly” found that Congress’ choice to provide independent funding for the Bureau conformed with the Constitution. “Courts are ill-equipped to second guess exactly how Congress chooses to structure the funding of financial regulators like the Bureau, so long as the funding remains tethered to a law passed by Congress,” the court wrote. The court also overruled defendants’ other objections to the lawsuit. “[T]his case is only at the pleading stage, and all the Bureau must do is plausibly allege that [the individual defendant] was recklessly indifferent to the wrongfulness of [the corporate defendants’] actions over which he had authority,” the court said, adding that the Bureau “has done so because it alleges that because of financial implications, [the individual defendant] actively ‘created a plan to delay or avoid’ implementing the consent order.”

    The Bureau is currently seeking Supreme Court review of the 5th Circuit’s decision during its current term. (Covered by InfoBytes here.)

    Courts Appellate Fifth Circuit CFPB U.S. Supreme Court Constitution Enforcement Credit Reporting Agency UDAAP Deceptive Consumer Finance Funding Structure

  • States reach multi-million dollar CRA data breach settlement

    Privacy, Cyber Risk & Data Security

    On November 7, a coalition of 40 state attorneys general, co-led by Massachusetts and Illinois, reached settlements with a credit reporting agency (CRA) and a telecommunications company related to data breaches in 2012 and 2015 that impacted the personal information of millions of consumers nationwide. According to the announcement, in 2012, an identity thief posing as a private investigator accessed and retrieved sensitive personal information, such as names, Social Security numbers, addresses, and/or phone numbers, from a database company that the CRA purchased. The states claimed that the identity thief (who has since pleaded guilty to federal criminal charges for wire fraud, identity fraud, access device fraud, and computer fraud and abuse, among other charges) accessed the information prior to the acquisition and continued to do so afterwards. Affected consumers were allegedly never informed of the data breach. Later, in 2015, the CRA reported it experienced a data breach affecting personal information, including consumers’ driver’s license and passport numbers, as well as information used by the telecommunications company to make credit assessments, which the CRA stored on behalf of the telecommunications company. Following the breach, the CRA offered two years of credit monitoring services to affected consumers.

    Under the terms of the settlements (see here and here), the CRA has agreed to pay a combined total of $13.67 million to the states in connection with the 2012 and 2015 data breaches, and will strengthen its data security practices. According to the announcement, these measures will require the CRA to (i) maintain comprehensive incident response and data breach notification plans; (ii) strengthen the vetting and oversight of third parties that have access to consumers’ personal information; (iii) develop an Identity Theft Prevention Program to detect potential red flags in customer accounts; (iv) not misrepresent to consumers the extent to which the privacy and security of their personal information is protected; (v) strengthen due diligence provisions to ensure the CRA properly vets acquisitions and evaluates data security concerns prior to integration; and (vi) implement data minimization and disposal requirements, including undertaking specific efforts designed to reduce the use of Social Security numbers as an identifier. The CRA will also offer affected consumers five years of free credit monitoring services, during which time consumers will be able to receive two free copies of their credit report annually.

    Separately, the telecommunications company agreed to pay more than $2.43 million to the states, and will maintain a written information security program, including vendor management provisions to ensure vendors take reasonable security measures to safeguard consumers’ personal information. This will involve, among other things, maintaining a third-party risk management team to oversee vendors’ security, outlining specific security requirements in vendor contracts, and employing a variety of security assessment and monitoring practices to confirm vendor compliance. The telecommunications company will also provide employee training on the requirements of its information security measures and implement a written cyber incident and response plan to prepare for and respond to security events.

    Privacy, Cyber Risk & Data Security Courts Data Breach Settlement State Issues State Attorney General Credit Reporting Agency

  • District Court preliminarily approves $2.35 million settlement for card data breach

    Privacy, Cyber Risk & Data Security

    On November 8, the U.S. District Court for the Northern District of Texas issued an order accepting a magistrate judge’s report preliminarily approving a consolidated class action settlement related to a restaurant chain’s payment card data breach. Class members alleged that hackers gained unauthorized access to the restaurant chain’s computer servers and payment card environment between April 2019 and October 2020, resulting in hundreds of thousands of consumers’ financial information, including credit and debit card numbers, expiration dates, cardholder names, and internal card verification codes, being compromised. Hackers then allegedly advertised the stolen information for sale on the dark web. Several lawsuits alleging violations of numerous state laws were filed and eventually consolidated with this action. The parties negotiated a settlement prior to class certification, which would require the restaurant chain to provide a $2.35 million all-cash non-reversionary qualified settlement fund and adopt several data-security measures. Class members also would be able to file claims for out-of-pocket losses, elect cash payments, and request credit monitoring services.

    The magistrate judge’s report recommended that the proposed class settlement be preliminarily approved as it “will likely be found fair at the final approval stage” and the offered relief “is both procedurally and substantively adequate.” The magistrate judge disagreed with objections raised by certain plaintiffs who argued, among other things, “that the proposed settlement is ‘substantively inadequate’ because the amount of funds available per potential class member is ‘far too low.’” However, according to the magistrate judge’s report, when compared to other settlements approved in other data breach cases, it is “clear that the proposed settlement is at least in line with if not better than what any proposed plaintiff could have expected coming into the litigation.” The magistrate judge also refuted the objecting plaintiffs’ assertion that the proposed settlement treats class members differently by providing plaintiffs who can establish out-of-pocket losses with up to $5,000, California residents without losses with $100, and non-California residents without losses with $50. “The Settling Plaintiffs have adequately demonstrated why this extra recovery for California class members [is] equitable, if not equal. Namely, class members from California could bring California state law claims which provide for $100-$750 in statutory damages,” the report said, adding that “class members from California have a stronger basis for damages than do class members from outside the state—who may only be able to show nominal or incidental damages as a result of [the restaurant chain’s] breach of contract—and so their modestly increased recovery is justified.”

    Privacy, Cyber Risk & Data Security Courts Data Breach Consumer Protection Class Action Settlement State Issues California
