InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
4th Circuit will not revive investors’ data breach case
On April 21, the U.S. Court of Appeals for the Fourth Circuit affirmed a district court’s dismissal of a securities suit against a hotel corporation (defendant) alleging that they misled the plaintiffs regarding data vulnerabilities connected to a major breach of customers’ personal information. According to the opinion, two years after merging with another hospitality corporation, the defendant “learned that malware had impacted approximately 500 million guest records in the [hospitality corporation’s] guest reservation database.” An investor filed a putative class action against the defendant and nine of its officers and directors, alleging that its failure to disclose severe vulnerabilities in the hospitality corporation’s IT systems rendered 73 different public statements false or misleading in violation of Section 10(b) of the Securities Exchange Act of 1934 (Exchange Act) and SEC Rule 10b-5. The district court granted the defendant’s motion to dismiss with prejudice and concluded that the plaintiffs “‘failed to adequately allege a false or misleading statement or omission, a strong inference of scienter, and loss causation,’ which doomed the claim under Section 10(b) and Rule 10b-5 as well as the secondary liability claim [under Section 20(a) of the Exchange Act].” The investor appealed, dropping its challenge to 55 of the statements but maintaining its challenge to the other 18.
On appeal, the 4th Circuit agreed with the district court that the defendant’s statements about the importance of cybersecurity were not misleading with respect to the quality of its cybersecurity efforts. The appellate court found that “[t]he ‘basic problem’ with the complaint on this point is that ‘the facts it alleges do not contradict [the defendant’s] public disclosures,’” and that reiterating the “basic truth” that data integrity is important does not mislead investors or create a false impression. The appellate court also noted that the complaint “concedes that [the defendant] devoted resources and took steps to strengthen the security of hospitality corporation’s systems,” and that the company included “such sweeping caveats that no reasonable investor could have been misled by them.” The appellate court concluded that the defendant “certainly could have provided more information to the public about its experience with or vulnerability to cyberattacks, but the federal securities laws did not require it to do so.”
NYDFS encourages virtual currency licensees to use blockchain analytics tools for sanctions and AML compliance
On April 28, NYDFS announced new guidance on virtual currency entities that are establishing the use of blockchain analytics tools. NYDFS explained that virtual currency activities can involve, among other things, different sources, destinations, and types of funds flows than are found in more traditional, fiat-currency contexts. Such characteristics of virtual currencies can create compliance challenges, but also can present new possibilities for new technology-driven control measures. In the guidance, NYDFS outlined expectations for New York State-regulated virtual currency companies, including: (i) establishing control measures that may leverage blockchain analytics; (ii) augmenting due diligence controls; (iii) conducting transaction monitoring of on-chain activity; and (iv) conducting sanctions screening of on-chain activity. NYDFS also emphasized "the importance of risk-based policies, processes, and procedures to identify transaction activity involving virtual currency addresses or other identifying information associated with sanctioned individuals and entities listed on the SDN List, or located in sanctioned jurisdictions."
As previously covered by InfoBytes, NYDFS issued a framework outlining industry best practices for state-regulated property/casualty insurers writing cyber insurance, which provided guidance for effectively managing cyber insurance risk. The framework is the first guidance released by a U.S. regulator on cyberinsurance. NYDFS noted it has “engaged with external stakeholders to inform this new guidance and continues to conduct significant outreach to state, federal and international regulators; industry; and other experts in the field to ensure New York maintains a robust regulatory regime and remains a destination for virtual currency companies to operate.”
District Court dismisses state law claims concerning scanned email allegations
On April 26, the U.S District Court for the Northern District of California granted a defendant tech company’s motion for reconsideration to dismiss a plaintiffs’ Washington Privacy Act (WPA) claims that it shared customer data with third parties without first obtaining consent. According to the amended complaint, the defendant allegedly misrepresented its privacy and security practices in violation of federal and state law by, among other things, sharing customer data with unauthorized third parties (some of which suffered data breaches), using customer data to develop products and services to sell to other companies, and falsely promising it complied with privacy and confidentiality standards. Plaintiffs alleged the company scanned 400 billion customer emails to obtain insights for its API, which it then sold to others.
In its prior ruling, the court dismissed plaintiffs’ Wiretap Act and Stored Communications Act claims but allowed the WPA claims to proceed. The defendant then filed a motion for partial reconsideration, arguing that the WPA claim is also premised on the same scanned email theory as with the other two claims that were already dismissed. The court agreed that the plaintiffs failed to sufficiently allege that their emails were scanned and dismissed the WPA claims without leave to amend because the “interception or disclosure of a communication” was necessary “in order for the conduct to be actionable.”
District Court allows state claims concerning the use of individuals’ likenesses in online ads to proceed
On April 19, the U.S. District Court for the Northern District of California denied a motion to dismiss in a putative class action alleging a California-based website operator violated various Ohio, Indiana, and California state laws by appropriating individuals’ names and likenesses and using this information in online teaser profile advertisements. Plaintiffs contended that the “teasers” violated their rights of publicity, and that memberships give users access to data including location history, family members, court records, employment information, and more. Plaintiffs further stated that “they ‘did not consent to the commercial use of their personal information and personas to promote subscriptions to a website with which they have no relationship.’” Defendant moved to dismiss on numerous grounds, including lack of standing.
In denying the motion to dismiss, the court ruled that plaintiffs have Article III standing to sue and that plaintiffs sufficiently pleaded a cognizable injury in “that their names, likenesses, and related information have commercial value and were being used for a commercial purpose.” The court also reviewed the adequacy of pleadings with respect to the alleged state violations and concluded, among other things, that the defendant’s teasers “are not subject to statutory exceptions for newsworthiness or public interest information.” As to the defendant’s alleged violations of California’s Unfair Competition Law (UCL), the court considered whether the California Consumer Privacy Act (CCPA) “immunizes [defendant’s] behavior from UCL liability.” According to the defendant, the CCPA generally obligates businesses to notify California residents when personal information is being used, it also “contains an express exemption for the use of publicly available data.” Because this conduct is allegedly permitted by the CCPA, the defendant argued, it cannot violate the UCL. The court disagreed, writing that “all that these provisions of the CCPA do are exempt publicly available data from special notification and disclosure rules that the statute itself imposes on companies that collect Californians’ data. . . . They do not expressly or impliedly set aside privacy-based tort claims or related UCL claims.”
District Court approves final $85 million class action privacy settlement despite objections
On April 21, the U.S. District Court for the Northern District of California granted final approval of an $85 million class action settlement resolving privacy and data security allegations against a video conferencing provider. As previously covered by InfoBytes, consolidated class members claimed the company violated several California laws, including invasion of privacy, the “unlawful” and “unfair” prongs under the Unfair Competition Law, implied covenant of good faith and fair dealing, and unjust enrichment, among others. According to the more than 150 million class members (defined as individuals who “registered, used, opened or downloaded the [company’s] [m]eetings [a]pplication”), the company unlawfully shared their personal data with unauthorized third parties, failed to prevent unwanted and unauthorized meeting disruptions, and misrepresented the strength of its end-to-end encryption measures. Under the terms of the final settlement, the company will establish an $85 million fund to pay valid claims, fees and expenses, service payments, and taxes, and will make several major changes to its practices to “improve meeting security, bolster privacy disclosures, and safeguard consumer data.” Among other things, the settlement stipulates that the company will “provide in-meeting notifications to make it easier for users to understand who can see, save and share [their] information and content by alerting users when a meeting host or another participant uses a third-party application during a meeting.” Additionally, the company will educate users about available security features and ensure its privacy statement discloses the ability of users to share user data with third parties through integrated third-party software, record meetings, and/or transcribe meetings.
The court considered several objections raised by certain class members, including concerns argued on behalf of a subclass of users who used the meeting application “as part of a business that was legally or contractually required to maintain client confidentiality as part of the services the business provided.” According to these objectors, the individual payment amounts are inadequate for individuals who held sensitive meetings. The court countered that the objectors’ claims did not differ from other class members and that the recovery is intended to cover users who did not receive the benefit of their bargain with the company, and not for “special harm arising from a duty to maintain client confidentiality.”
District Court denies class cert in data breach suit
On April 20, the U.S. District Court for the Northern District of California denied plaintiffs’ motion for class certification in a lawsuit alleging a defendant hotel and restaurant group breached its contract when a data breach exposed the plaintiffs’ credit card account numbers and other private information. Plaintiffs alleged the defendant contracted with a third-party reservation site, which required consumers to provide payment card information and other personally identifying information (PII). The plaintiffs contended that during the data breach, hackers accessed customer data, and argued that “had [the third party] ‘employed multiple levels of authentication,’ rather than ‘single factor authorization,’ the ‘hacker would not . . . have been able to access the system.” Plaintiffs further claimed that the defendant served as the third party’s agent and was therefore responsible for its conduct.
In declining to certify the class, the court ruled that the plaintiffs failed to successfully allege any of their three claims on behalf of the class. The court reviewed the plaintiffs’ breach of contract claims, which alleged that the defendant promised to safeguard class members’ PII but failed to provide notice on its website that a third party was processing the payment information. According to the court, the plaintiffs could not show that all of the proposed class members would have believed they were providing their information to the defendant because the defendant’s “Book Now” button sent the user to the third party’s website and the defendant’s privacy policy disclosed its use of third party websites. The court also rejected the plaintiffs’ assertion that the defendant disclosed personal information in violation of California Civil Code because the information was hacked rather than disclosed by either the defendant or the third party. With respect to the plaintiffs’ Texas Deceptive Trade Practices Act claims, the plaintiffs argued that the defendant’s statements about protective measures were misleading because the third party did not employ multi-layer authentication. The court concluded that class treatment of those claims was improper as it could not determine whether the practice was misleading for the entire class as the question is dependent on whether class members believed they were providing PII to the defendant or to the third party.
Defendants to pay $5 million for alleged data breach
On April 20, the U.S. District Court for the Southern District of California granted preliminary approval of a proposed class settlement, resolving claims against a medical supplier company after a data breach allegedly compromised personal information of its consumers in its database. According to the order, the plaintiffs’ alleged that between April 2019 and June 2019, hackers gained access to the defendant’s computer systems, which contained personal identifying information and protected health information of tens of thousands of individuals. Under the terms of the settlement, the defendants will pay $5 million, where each class member with a valid claim will receive between $100-$1000 in cash. The settlement also includes $2.3 million in attorneys’ fees and up to $4,000 for each of the class representatives. Additionally, the defendants will “be required to perform specified remedial measures for a minimum of the next two years and ‘perform either improved versions of such recommendations or the new industry standard thereafter for at least three additional years.’” The remedial measures include, among other things, conducting an AICPA and SOC Type 2 audit to be repeated until the defendant passes, engaging an independent third party to perform a HIPAA IT assessment, undergoing at least one cyber incident response test per year starting in 2022, requiring staff trainings about security and privacy at least twice a year, engaging a company to test its phishing and external facing vulnerabilities at least twice a year, and deploying a third-party enterprise SIEM tool with a 400-day look-back on logs.
CRS report raises privacy concerns regarding digital wallets
On April 18, the Congressional Research Service released an overview of digital wallet technology and related cybersecurity, data privacy and consumer protection policy considerations. Digital wallets are software applications that store payment or account details to facilitate traditional payments using bank and credit card details, and also cover transfers from consumers’ bank accounts to retailers and peer-to-peer and cryptocurrency transactions. One issue the report identified is that companies that offer digital wallets and payment companies often collect information about users and may share data with affiliates and nonaffiliates unless users opt out. As previously covered by InfoBytes, the CFPB is developing proposed rulemaking around sharing consumer financial data, but it remains unclear whether the rules would apply to digital wallet companies. The report also stressed that because funds stored on digital wallets are not deposits, digital wallets are generally not covered by deposit insurance. And while credit, debit, or prepaid cards stored on a mobile wallet are covered by the EFTA and TILA (and implementing Regulations E and Z), those statutes do not currently cover cryptocurrency wallets. The report explained that “[c]ryptocurrency transactions are not subject to Regulation E primarily because these are not bank products and also because cryptocurrencies are not typically used for consumer payments.”
District Court denies motion for corrective notice in class action data breach case
On April 18, the U.S. District Court for the District of South Carolina denied the plaintiffs’ motion for corrective notice in a putative class action, ruling that the defendant cloud computer service provider is not required to issue a corrective notice related to a 2020 data breach. In 2020, a data breach exposed the personal data of individuals whose information was managed by the defendant and provided to the defendant’s clients. The plaintiffs alleged that the defendant’s “deficient” security program led to the data breach, and that the defendant failed to implement security measures to mitigate the risk of unauthorized access, used outdated servers, stored obsolete data, and maintained unencrypted data fields. The judicial panel on multidistrict litigation eventually consolidated several putative class actions arising from the data breach for coordinated pretrial proceedings. Plaintiffs argued that corrective notice to customers was appropriate, claiming the defendant “made numerous misrepresentations” related to the type of data stolen and performed “an unreliable risk of harm analysis that did not actually take into account the harm class members faced as a result of the breach.” The court disagreed, ruling that such corrective notice is improper at this stage. “Ultimately, the Federal Rules of Civil Procedure do not authorize Plaintiffs’ request to widely disseminate a notice endorsing their position on dispositive issues to [Defendant’s] customers, who are not parties or putative class members in this case, where Plaintiffs have not shown that [Defendant] made misleading communications regarding this litigation,” the court ruled.
District Court grants final approval to class action data breach settlement against national convenience store chain
On April 20, the U.S. District Court for the Eastern District of Pennsylvania granted final approval to a settlement in a class action against a national convenience store chain (defendant) for a 2019 data security incident that allegedly compromised consumers’ credit and debit card information. As previously covered by InfoBytes, class members claimed that “despite the foreseeability of a data breach” the defendant, among other things, “failed to implement adequate measures to protect the sensitive, non-public payment card information entrusted to it by its customers.” In May 2021, the court ruled that the defendant must face certain claims filed by a group of financial institutions (covered by InfoBytes here). In August, the court granted preliminary approval of the settlement, which required the defendant to provide monetary relief to class members totaling approximately $9 million, plus $3.2 million for attorneys’ fees and expenses and class representative service awards, in addition to requiring the defendant to take additional measures for a period of two years to prevent future unauthorized intrusions. The settlement includes three tiers of customers, who will receive gift cards for either $5 or $15, or $500 in cash, depending on the level of their injury caused by the data breach.