
InfoBytes Blog

Financial Services Law Insights and Observations

  • District Court denies class cert in data breach suit

    Privacy, Cyber Risk & Data Security

    On April 20, the U.S. District Court for the Northern District of California denied plaintiffs’ motion for class certification in a lawsuit alleging a defendant hotel and restaurant group breached its contract when a data breach exposed the plaintiffs’ credit card account numbers and other private information. Plaintiffs alleged the defendant contracted with a third-party reservation site, which required consumers to provide payment card information and other personally identifying information (PII). The plaintiffs contended that during the data breach, hackers accessed customer data, and argued that “had [the third party] ‘employed multiple levels of authentication,’ rather than ‘single factor authorization,’ the ‘hacker would not . . . have been able to access the system.’” Plaintiffs further claimed that the defendant served as the third party’s agent and was therefore responsible for its conduct.

    In declining to certify the class, the court ruled that the plaintiffs failed to successfully allege any of their three claims on behalf of the class. The court reviewed the plaintiffs’ breach of contract claims, which alleged that the defendant promised to safeguard class members’ PII but failed to provide notice on its website that a third party was processing the payment information. According to the court, the plaintiffs could not show that all of the proposed class members would have believed they were providing their information to the defendant because the defendant’s “Book Now” button sent the user to the third party’s website and the defendant’s privacy policy disclosed its use of third-party websites. The court also rejected the plaintiffs’ assertion that the defendant disclosed personal information in violation of the California Civil Code because the information was hacked rather than disclosed by either the defendant or the third party. With respect to the plaintiffs’ Texas Deceptive Trade Practices Act claims, the plaintiffs argued that the defendant’s statements about protective measures were misleading because the third party did not employ multi-layer authentication. The court concluded that class treatment of those claims was improper because it could not determine whether the practice was misleading for the entire class, as that question depends on whether class members believed they were providing PII to the defendant or to the third party.

    Privacy/Cyber Risk & Data Security Courts Class Action Data Breach State Issues Third-Party

  • Michigan Court of Appeals affirms dismissal of post-judgment interest case, says state court rule precludes class actions

    Courts

    On April 21, the Michigan Court of Appeals affirmed a trial court’s dismissal of a post-judgment interest putative class action after concluding that a court rule that precludes “‘actions’ based on claimed violations of statutes that permit[ ] recovery of statutory damages in lieu of actual damages” necessitated the dismissal of the plaintiff’s class action claim. According to the opinion, after the plaintiff defaulted on her $900 credit card debt, the debt was assigned to the defendant debt collector who calculated the plaintiff’s unpaid balance to be $6,241.20. The defendant sought judgment against the plaintiff in that amount, plus interest, fees, and costs, and obtained a default judgment against the plaintiff after she did not respond. The defendant consequently obtained several writs of garnishment, all of which indicated that post-judgment interest had been added to the debt. Several years later, the plaintiff filed a putative class action alleging the defendant violated the FDCPA and the Michigan Regulation of Collection Practices Act (RCPA) by overstating how much she owed “and by impermissibly inflating [defendant’s] costs and the amount of interest it charged.” The state trial court dismissed the plaintiff’s class action claims with prejudice on the basis that Michigan Court Rules (MCR) preclude her from recovering statutory damages under the RCPA because the RCPA does not explicitly permit class actions. The court also dismissed her individual claims for lack of subject-matter jurisdiction.

    On appeal, the plaintiff argued that the trial court erred when it dismissed her class action claims under MCR because she also sought equitable relief and actual damages; however, the Michigan Court of Appeals pointed to a provision in the MCR that states “[a]n action for a penalty or minimum amount of recovery without regard to actual damages imposed or authorized by statute may not be maintained as a class action unless the statute specifically authorizes its recovery in a class action.” The Court of Appeals explained that the RCPA is implicated under this rule because it (i) permits the recovery of statutory damages; and (ii) does not contain a provision explicitly permitting class actions, and as such, “plaintiff’s class action claims must be dismissed irrespective of the fact that she also sought injunctive relief, declaratory relief, and actual damages.” The Court of Appeals further held that even if the plaintiff attempted to plead individual claims, the case would not be allowed to proceed because the actual damages in this case are not high enough to meet the jurisdictional minimum amount in Michigan.

    Courts State Issues Michigan Consumer Finance Appellate Debt Collection Class Action

  • CFPB invokes dormant authority to examine nonbanks

    Federal Issues

    On April 25, the CFPB announced it was invoking a “dormant authority” under the Dodd-Frank Act to conduct supervisory examinations of fintech firms and other nonbank financial services providers based upon a determination of risk. “This authority gives us critical agility to move as quickly as the market, allowing us to conduct examinations of financial companies posing risks to consumers and stop harm before it spreads,” CFPB Director Rohit Chopra explained. The Bureau has direct supervisory authority over banks and credit unions with more than $10 billion in assets, certain nonbanks regardless of size that offer or provide consumer financial products or services, and the service providers for such entities. With this announcement, the Bureau now plans to use a provision under Section 1024 of Dodd-Frank that allows it to examine nonbank financial entities, upon notice and an opportunity to respond, if it has “reasonable cause” to determine that consumer harm is possible.

    In tandem with the announcement, the Bureau also issued a request for public comment on an updated version of a procedural rule that implements its statutory authority to supervise nonbanks “whose activities the CFPB has reasonable cause to determine pose risks to consumers,” including potentially unfair, deceptive, or abusive acts or practices. The statute requires that the Bureau “base such reasonable cause determinations on complaints collected by the CFPB, or on information from other sources,” which the Bureau stated may include “judicial opinions and administrative decisions, . . . whistleblower complaints, state partners, federal partners, or news reports.” “Given the rapid growth of consumer offerings by nonbanks, the CFPB is now utilizing a dormant authority to hold nonbanks to the same standards that banks are held to,” Chopra stated.

    Among other things, the new rule establishes a disclosure mechanism intended to increase transparency of the Bureau’s risk-determination process. Specifically, the new rule will exempt final decisions and orders by the CFPB director from being considered confidential supervisory information, allowing the Bureau to publish the decisions on its website. Subject companies will be given an opportunity seven days after a final decision is issued to provide input on what information, if any, should be publicly released. According to the Bureau, there “is a public interest in transparency when it comes to these potentially significant rulings by the Director as head of the agency. Also, if a decision or order is publicly released, it would be available as a precedent in future proceedings.”

    The procedural rule is effective upon publication in the Federal Register and has a 30-day comment period.

    Federal Issues Agency Rule-Making & Guidance CFPB Nonbank Examination Dodd-Frank Fintech Consumer Finance UDAAP

  • Defendants to pay $5 million for alleged data breach

    Privacy, Cyber Risk & Data Security

    On April 20, the U.S. District Court for the Southern District of California granted preliminary approval of a proposed class settlement, resolving claims against a medical supplier company after a data breach allegedly compromised personal information of its consumers in its database. According to the order, the plaintiffs alleged that between April 2019 and June 2019, hackers gained access to the defendant’s computer systems, which contained personal identifying information and protected health information of tens of thousands of individuals. Under the terms of the settlement, the defendants will pay $5 million, and each class member with a valid claim will receive between $100 and $1,000 in cash. The settlement also includes $2.3 million in attorneys’ fees and up to $4,000 for each of the class representatives. Additionally, the defendants will “be required to perform specified remedial measures for a minimum of the next two years and ‘perform either improved versions of such recommendations or the new industry standard thereafter for at least three additional years.’” The remedial measures include, among other things, conducting an AICPA and SOC Type 2 audit to be repeated until the defendant passes, engaging an independent third party to perform a HIPAA IT assessment, undergoing at least one cyber incident response test per year starting in 2022, requiring staff trainings about security and privacy at least twice a year, engaging a company to test its phishing and external-facing vulnerabilities at least twice a year, and deploying a third-party enterprise SIEM tool with a 400-day look-back on logs.

    Privacy/Cyber Risk & Data Security Courts Data Breach California Class Action Settlement

  • District Court granted final approval of a $5.7 million class action overdraft fee settlement

    Courts

    On April 22, the U.S. District Court for the Northern District of New York granted final approval of a $5.7 million class action settlement resolving allegations related to overdraft fees applied to certain bank account transactions. According to plaintiffs’ unopposed motion for preliminary approval, the bank was sued in 2020 for allegedly unfairly assessing and collecting overdraft fees on “Authorize Positive, Purportedly Settle Negative Transactions” (APPSN fees) as well as NSF fees. The bank denied the allegations and moved to dismiss, contending that the relevant account agreements are unambiguous, and that even if they were ambiguous, “extrinsic evidence resolves the ambiguity in its favor on the whether the fees at issue are permitted.” In August 2021, the parties notified the court that they had reached an agreement. Under the terms of the preliminarily approved settlement, the bank will make a $4.25 million cash payment and will “forgive, waive, and agree not to collect an additional” $1.5 million in uncollected overdraft fees. Class members, defined as all current and former bank customers with consumer checking accounts who were charged a relevant fee between December 4, 2013, and November 30, 2021, will automatically receive their pro rata share of the settlement fund without having to prove they were harmed by the bank’s practices. There are no claim forms, and class members will be determined through the bank’s checking account data. A formula will be used to calculate each class member’s distribution. Under the terms of the settlement, approximately $2.9 million will go towards customers who were charged APPSN fees, while roughly $1.3 million will be allocated for customers who were charged retry NSF fees.

    Courts Overdraft Fees Consumer Finance Class Action Settlement

  • OCC launches consumer financial health discussion series

    On April 22, the OCC announced an upcoming quarterly discussion series focusing on consumer financial wellbeing. The first event in the Financial Health: Vital Signs series will occur on April 28 and focus on minority ownership of cryptocurrency. Future events will feature discussions with acting OCC Comptroller Michael J. Hsu and other academic, community, and industry leaders. The discussion series will be livestreamed and open to the public.

    Bank Regulatory Federal Issues Digital Assets OCC Consumer Finance Cryptocurrency Fintech

  • OCC launches Milwaukee REACh

    On April 20, the OCC announced the launch of Milwaukee REACh, which expands the OCC’s Project REACh (Roundtable for Economic Access and Change) efforts to Milwaukee, Wisconsin. As previously covered by InfoBytes, in 2020, the OCC launched this initiative to promote greater financial inclusion of underserved populations. According to the OCC, Project REACh brings together leaders from the banking industry, national civil rights organizations, and various businesses and technology organizations who will identify and reduce barriers to accessing capital and credit. Noting that “Milwaukee's residents face socioeconomic challenges including limited access to credit and capital and a lack of opportunity for affordable home ownership,” acting Comptroller Michael J. Hsu stated that Milwaukee REACh “will help address that and other barriers to financial inclusion.”

    Bank Regulatory Federal Issues OCC Consumer Finance Underserved

  • FTC charges funeral company with deceptive marketing practices

    Federal Issues

    On April 22, the DOJ filed a complaint on behalf of the FTC against certain defendants providing funeral goods and services to consumers throughout the U.S. for alleged violations of Section 5 of the FTC Act and the FTC’s Funeral Rule. (See also FTC press release here.) According to the complaint, the defendants, who arrange third-party cremation services, allegedly (i) misrepresented that they perform local funeral services, which were instead outsourced to unaffiliated third parties; (ii) charged consumers additional undisclosed costs; and (iii) illegally threatened to withhold remains or information about the remains from consumers who refused to pay previously undisclosed fees or the new, higher prices. The complaint seeks injunctive relief, monetary relief, and civil penalties.

    Federal Issues Courts FTC DOJ Enforcement FTC Act UDAP Deceptive

  • HUD announces Massachusetts disaster relief

    Federal Issues

    On April 20, HUD announced disaster assistance for certain areas in Massachusetts impacted by a severe winter storm from January 28 to January 29. The disaster assistance follows President Biden’s major disaster declarations on April 18. According to the announcement, HUD is providing an automatic 90-day moratorium on foreclosures of FHA-insured home mortgages for covered properties effective April 18 and is making FHA insurance available to victims whose homes were destroyed or severely damaged, such that “reconstruction or replacement is necessary.” HUD’s Section 203(k) loan program enables individuals who have lost homes to finance a home purchase or to refinance a home to include repair costs through a single mortgage. The program also allows homeowners with damaged property to finance the repair of their existing single-family homes. Furthermore, HUD is allowing administrative flexibilities to community planning and development grantees, as well as to public housing agencies and Tribes.

    Federal Issues HUD Disaster Relief Mortgages Consumer Finance FHA Foreclosure

  • 9th Circuit affirms district court’s ruling in TCPA case

    Courts

    On April 5, the U.S. Court of Appeals for the Ninth Circuit affirmed a district court’s decision denying the defendants’ motion to compel arbitration in a putative class action under the TCPA. The defendants were a digital marketing company and a debt-relief service company. According to the opinion, the plaintiffs visited the defendants’ websites, but allegedly did not see a notice in fine print stating, “I understand and agree to the Terms & Conditions which includes mandatory arbitration.” The underlined phrases “Terms & Conditions” and “Privacy Policy” were hyperlinks, but they appeared in the same gray font as the rest of the sentence. The marketing company and one of the defendants allegedly used the consumers’ contact information to conduct a telemarketing campaign on behalf of the debt relief companies by allegedly placing unsolicited telephone calls and sending text messages to consumers. The plaintiffs filed a putative class action, alleging that the calls and text messages were made without their consent, and therefore violated the TCPA. The defendants moved to compel arbitration, arguing that, by clicking on the “continue” buttons, the plaintiffs had agreed to the mandatory arbitration provision hyperlinked in the terms and conditions. The district court denied the defendants’ motion, concluding “that the content and design of the webpages did not conspicuously indicate to users that, by clicking on the ‘continue’ button, they were agreeing to [the service company’s] terms and conditions.”

    On appeal, the 9th Circuit agreed with the district court, finding that the digital marketing company’s website did not contain a reasonably conspicuous notice of its terms and conditions. The 9th Circuit ruled that such notice must be expressly displayed in a font size and format where it can be deemed that a reasonable Internet visitor saw it and was aware of it. The appellate court noted that, on the websites at issue, “[t]he text disclosing the existence of the terms and conditions … is the antithesis of conspicuous,” and that it “is printed in a tiny gray font considerably smaller than the font used in the surrounding website elements, and indeed in a font so small that it is barely legible to the naked eye. The comparatively larger font used in all of the surrounding text naturally directs the user's attention everywhere else.” The 9th Circuit also held that, “while it is permissible to disclose terms and conditions through a hyperlink, the fact that a hyperlink is present must be readily apparent. …[T]he design of the hyperlinks must put such a user on notice of their existence.”

    Courts Appellate Ninth Circuit TCPA Arbitration Class Action
