On May 13, the U.S. District Court for the Northern District of California preliminarily approved a class action settlement, resolving allegations that a California-based online designer marketplace failed to protect customers’ personal information from a computer hacking group in a May 2020 data breach. The plaintiffs asserted negligence and brought claims under California’s Consumer Privacy Act and Unfair Competition Law after launching an investigation into the cybersecurity incident. The preliminary settlement requires the company to establish a $5 million settlement fund, which would “provide for an estimated $43 payment per participating class member, two years of credit monitoring, and identity restoration services.” The company must also implement several business practice changes to enhance security, including enhancing password protection and implementing a policy regarding minimizing the retention of customers’ personally identifiable information. The settlement also notes that “members subject to identity theft can also obtain fraud resolution assistance to dispute transactions, mediate calls with merchants, and implement fraud alerts.” Class members who do not agree to the settlement may opt out of the settlement by September 16.
On May 13, NYDFS announced a settlement with an insurance company to resolve allegations that the broker violated the state’s cybersecurity regulation (23 NYCRR Part 500) by failing to implement multi-factor authentication or reasonably equivalent or more secure access controls. Under Part 500.12(b), covered entities are required to implement such protocols (see FAQs here). NYDFS’s investigation also revealed that the insurance company falsely certified its compliance with the cybersecurity regulation for 2018. Under the terms of the consent order, the company will pay a $1.8 million civil monetary penalty and will undertake improvements to strengthen its existing cybersecurity program to ensure compliance with 23 NYCRR Part 500. NYDFS acknowledged the broker’s “commendable” cooperation throughout the examination and investigation and stated that the broker had demonstrated its commitment to remediation.
On May 11, the U.S. Court of Appeals for the Sixth Circuit affirmed dismissal of a putative class action for lack of subject matter jurisdiction, holding that while a merchant technically violated the Fair and Accurate Credit Transactions Act (FACTA) by including 10 credit card digits on a customer’s receipt, the customer failed to allege any concrete harm sufficient to establish standing. According to the opinion, the named plaintiff filed a class action against the merchant alleging the first six and last four digits of her credit card number were printed on her receipt—a violation of FACTA’s truncation requirement, which only permits the last five digits to be printed on a receipt. The plaintiff argued that this presented “a significant risk of the exact harm that Congress intended to prevent—the display of card information that could be exploited by an identity thief,” and further claimed she did not need to allege any harm beyond the violation of the statute to establish standing. The district court disagreed, ruling that the plaintiff “lacked standing because she alleged merely a threat of future harm that was not certainly impending” and that the merchant’s technical violation demonstrated no material risk of identity theft.
In agreeing with the district court, the Sixth Circuit concluded that a “violation of the statute does not automatically create a concrete injury of increased risk of real harm even if Congress designed it so.” Moreover, the appellate court reasoned that the “factual allegations in this complaint do not establish an increased risk of identity theft either because they do not show how, even if [p]laintiff’s receipt fell into the wrong hands, criminals would have a gateway to consumers’ personal and financial data.” The appellate court further concluded that “statutory-injury-for-injury’s sake does not satisfy Article III’s injury in fact requirement” and that the court must exercise its constitutional duty to ensure a plaintiff has standing.
On May 10, the U.S. District Court for the Southern District of Texas ordered a defendant hospitality company to reimburse a national bank and its payment processor (collectively, “plaintiffs”) for $20 million in assessments levied against the plaintiffs by two payment brands following a data breach announced by the defendant in 2015. An investigation into the data breach determined that the defendant failed to require two-factor authentication on its remote access software, which contributed to the data breach and violated the payment brands’ security guidelines. The bank paid roughly $20 million to the payment brands and asked the defendant to indemnify it for the assessments. The defendant refused, arguing that its agreement with the bank was not breached because the payment brands’ rules “distinguish between actual and potential data compromises.” Moreover, the defendant stressed that “[b]ecause no evidence indicates that the attackers used the cardholder information” it was not obligated to indemnify the bank. However, the plaintiffs claimed that under the agreement, the defendant agreed to indemnify the bank “if its failure to comply with the brands’ security guidelines, or the compromise of any payment instrument, results in assessments, fines, and penalties by the payment brands.” The plaintiffs filed suit and moved for partial summary judgment on a breach of contract claim. In granting the plaintiffs’ motion for partial summary judgment, the court determined that the hospitality company is contractually obligated to cover the costs, ruling that actual data compromise is not necessary to trigger the agreement’s indemnification provisions and that the bank does not need to show that the attackers used the payment information.
On May 6, the U.S. District Court for the Eastern District of Pennsylvania ruled that a defendant nationwide convenience store chain must face certain claims filed by a group of financial institutions as a result of a 2019 data security incident that allegedly compromised consumers’ credit and debit card information. The financial institutions, in bringing claims for negligence, negligence per se, and declaratory and injunctive relief, asserted, among other things, that the defendant’s “deficient security measures and vulnerable point-of-sale systems led to a data breach that went undetected for almost nine months.” The court ruled that the negligence and declaratory and injunctive relief claims can proceed, but dismissed without prejudice the financial institutions’ negligence per se claim so that it can be repleaded under a claim for general negligence. In allowing the negligence claim to survive, the court rejected the defendant’s argument that the claim should be dismissed under the economic loss doctrine, which bars recovery in tort resulting from an alleged breach of duty under a contract between the parties. The court pointed out that the financial institutions’ claims are protected by a narrow exception to the economic loss doctrine under Pennsylvania law for breach of a common law duty “independent of any potential contractual relationship,” including “the duty to maintain and protect sensitive data with reasonable care.” The court wrote that “the [i]nstitutions have set forth a plausible negligence claim based on the argument that [the defendant] owed them an independent duty in light of” the Pennsylvania Supreme Court’s 2018 ruling in Dittman v. UPMC, which held that the duty “exists independently from any contractual obligations between the parties.” The court further stated that dismissing the declaratory and injunctive relief claims at this stage would curtail the court’s “broad equity powers to fashion the most complete relief possible.”
As previously covered by InfoBytes, in February, consolidated class members filed an unopposed motion for preliminary approval of a settlement agreement with the defendant, which would provide monetary relief to class members totaling up to $9 million, plus $3.2 million for attorneys’ fees and expenses and class representative service awards. The defendant would also be required to take additional measures for a period of two years to prevent future unauthorized intrusions.
On April 27, NYDFS released a report warning the financial services industry to tighten third-party risk management measures, as the “next great financial crisis could come from a cyber-attack.” The report covers a December 2020 cyber-attack described as “part of a widespread, sophisticated cyber espionage campaign by Russian Foreign Intelligence Service actors” focusing on “stealth and stealing sensitive information.” According to the report, hackers installed malware into a software platform used by the government and financial services and telecommunications companies to monitor and manage the performance of their networks. This attack, NYDFS noted, is “the most visible, widespread, and intrusive information technology software supply chain attack” to date and “opened back doors into thousands of organizations, including almost 100 companies in New York’s financial services industry.” While none of NYDFS’s regulated entities’ networks were actively exploited, the regulator warned that these types of attacks highlight the financial services industry’s vulnerability to supply chain attacks. Moreover, because third-party risk management is a key part of NYDFS’s Cybersecurity Regulation, the regulator is “exploring ways to further address this critical component of cybersecurity.” Report findings highlight that, among other things, (i) the patch-management programs for many regulated entities “are immature and lack the proper ‘patching cadence’ needed to ensure timely remediation of high-risk cyber vulnerabilities,” and (ii) “supply chain” cyber-attacks are dangerous since “malware is embedded inside a legitimate product,” allowing “an attacker to access the networks of many organizations in a single stroke.”
The report provides several recommendations, including that entities should (i) include in their vendor risk-management policies and procedures “processes for due diligence and contractual protections that will ensure the company can monitor the cybersecurity practices and overall cyber hygiene of critical vendors”; (ii) adopt a “zero trust” approach and implement multiple layers of security and extra protection for sensitive information; (iii) address vulnerabilities in a timely manner through patch testing, validation processes, and deployment; and (iv) ensure their incident response plans address supply chain compromises.
On April 26, the U.S. Court of Appeals for the Second Circuit affirmed a district court’s dismissal of a proposed class action settlement, concluding that although, “in the context of unauthorized data disclosures,” plaintiffs may establish Article III standing on the theory that a data breach increases the risk of identity theft, the appealing plaintiff failed to show that her sensitive personally identifiable information (PII) had been misused or compromised. The plaintiff filed a proposed class action against a former employer after a company employee accidentally sent an email to approximately 65 company employees with an attachment containing PII for roughly 130 current and former workers, including Social Security numbers, home addresses, and birth dates. The plaintiff alleged that the defendant, among other things, violated several state consumer protection statutes, and contended that workers “were ‘at imminent risk of suffering identity theft.’” The plaintiff further claimed that workers had to spend time canceling credit cards, assessing whether to apply for new Social Security numbers, and purchasing credit monitoring and identity theft protection services. While the parties reached a settlement, the court ultimately denied the settlement and dismissed the case for lack of subject-matter jurisdiction after finding the plaintiff lacked Article III standing because she failed to allege “an injury that is concrete and particularized and certainly impending.” According to the district court, it was “arguably a misnomer to even call this case a ‘data breach’ case,” because, “[a]t best, the data was ‘misplaced’” internally rather than accessed by a third party.
On appeal, the Second Circuit agreed with the district court, concluding that the plaintiff failed to demonstrate an increased risk of identity theft and that the cost of taking proactive measures to prevent future identity theft is insufficient to constitute an injury in fact when the threat is speculative. “This notion stems from the Supreme Court’s guidance in [Clapper v. Amnesty Int’l USA], where it noted that plaintiffs ‘cannot manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending.’”
On April 23, the U.S. Court of Appeals for the Ninth Circuit affirmed a district court’s refusal to compel arbitration against a technology company, concluding that children are not bound by arbitration provisions in their parents’ service contracts with the company. The appeals court held that the plaintiff children, who were not signatories to the service contracts, could not be compelled to arbitration because “a party cannot be required to submit to arbitration any dispute which he has not agreed so to submit.”
In their June 2019 suit in the U.S. District Court for the Western District of Washington, the plaintiffs alleged that one of the corporation’s services caught and documented their communications, in violation of state wiretapping law. The defendant asserted that “the children were bound by arbitration provisions in the service contracts signed by their parents because they directly benefited from the agreements.” In affirming the district court’s decision on appeal, the Ninth Circuit agreed that the doctrine of equitable estoppel did not bind the plaintiff children to arbitrate because they “are not asserting any right or looking to enforce any duty created by the contracts between their parents and the corporation. Instead, plaintiffs bring only state statutory claims that do not depend on their parents’ contracts.”
On April 15, the U.S. District Court for the Northern District of California dismissed class claims alleging a software-services provider for a clothing retailer wiretapped consumers’ communication with the retailer in violation of California’s Invasion of Privacy Act and the California Constitution. The software at issue was sold to the service provider’s clients to capture and analyze data so companies can see how website visitors use their sites. The plaintiff alleged that during a visit to one of the retailer’s websites, the defendant’s software captured information including when she visited, the length of her visit, her IP address and location, browser type, and the operating system on her device. The plaintiff further claimed that, in addition to the aforementioned information, the software also captured personally identifiable information such as email, shipping addresses, and payment-card information. The defendant moved to dismiss, which was granted by the court. In dismissing the action, the court referenced its dismissal of virtually identical claims against another software-services provider and ruled that the defendant’s recording of activities such as keystrokes, mouse clicks, and page scrolling does not amount to wiretapping. “[The defendant] is not a third-party eavesdropper,” the court wrote, “[i]t is a vendor that provides a software service that allows its clients to monitor their website traffic.” Moreover, the court determined that information—“such as IP addresses, locations, browser types, and operating systems”—is not “content” under the plaintiff’s Section 631(a) claim.