InfoBytes Blog

Financial Services Law Insights and Observations

  • Social networking apps settle minors' data claims for $1.1 million

    Privacy, Cyber Risk & Data Security

    On March 25, the U.S. District Court for the Northern District of Illinois granted final approval to a $1.1 million class action settlement resolving claims that the operators of two video social networking apps (defendants) “‘surreptitiously tracked, collected, and disclosed the personally identifiable information and/or viewing data of children under the age of 13,’ ‘without parental consent’” in violation of federal and California privacy law. Specifically, plaintiffs asserted violations of the Video Privacy Protection Act (VPPA), the California constitutional right to privacy, the California Consumers Legal Remedies Act (CLRA), and the Illinois Consumer Fraud and Deceptive Business Practices Act. Defendants countered that plaintiffs’ state-law claims were preempted by the Children’s Online Privacy Protection Act, and that, furthermore, the “alleged conduct is not within the scope of VPPA or the cited state consumer protection laws” and “does not amount to a common law invasion of privacy or a violation of Plaintiffs’ rights under the California Constitution.” Moreover, defendants argued that plaintiffs could not recover actual damages. According to plaintiffs’ supplemental motion for final approval, following months-long negotiations, the parties agreed to settle the action on a class-wide basis.

    The settlement requires defendants to pay $1.1 million into a non-reversionary settlement fund, to be dispersed pro rata to class members (anyone in the U.S. who, prior to the settlement’s effective date and while under the age of 13, registered for or used the apps) who submit a valid claim after the payment of settlement administration expenses, taxes, fees, and service awards. The court’s order, however, declined to award an objector’s counsel any attorneys’ fees for his efforts to negotiate modified relief because the agreement was negotiated in a separate proceeding in related multidistrict litigation. The court also denied plaintiffs’ motion for sanctions against the objector’s law firm.

    Privacy/Cyber Risk & Data Security Courts Settlement Class Action State Issues Illinois California COPPA

  • Insurers obligated to indemnify retailer’s payment card claims following data breach

    Privacy, Cyber Risk & Data Security

    On March 22, the U.S. District Court for the District of Minnesota ordered two insurance companies to cover a major retailer’s 2013 data breach settlement liability under commercial general liability policies. As previously covered by InfoBytes, in 2018 the retailer reached a $17 million class action settlement to resolve consumer claims related to a 2013 data breach, which resulted in the compromise of at least 40 million credit cards and theft of personal information of up to 110 million people. The banks that issued the payment cards compromised in the data breach sought compensation from the retailer for costs associated with the cancellation and replacement of the payment cards. The retailer settled the issuing banks’ claims and later sued the insurers in 2019 for refusing to cover the costs, arguing that under the general liability policies, the insurers are obligated to indemnify the retailer with respect to the settlements reached with the issuing banks. The retailer moved for partial summary judgment, seeking a declaration that the general liability policies (which “provide coverage for losses resulting from property damage, including ‘loss of use of tangible property that is not physically injured’”) covered the costs incurred by the retailer when settling the claims for replacing the payment cards. According to the retailer, the insurers’ “refusal to provide coverage for these claims lacked any basis in either the Policies’ language or Minnesota law.” The court reviewed whether the cancellation of the payment cards following the data breach counted as a “loss of use” under the general liability policies. 
    Although the court had previously dismissed the retailer’s coverage claims, the court now determined that the “expense that [the retailer] incurred to settle claims brought by the [i]ssuing [b]anks for the costs of replacing the compromised payment cards was a cost incurred due to the loss of use of the payment cards” because being cancelled “rendered the payment cards inoperable.”

    Privacy/Cyber Risk & Data Security Courts Data Breach Indemnification Insurance

  • Utah becomes fourth state to enact comprehensive privacy legislation

    Privacy, Cyber Risk & Data Security

    On March 24, the Utah governor enacted the Utah Consumer Privacy Act (UCPA), which establishes a framework for controlling and processing consumers’ personal data in the state. Utah is now the fourth state in the nation to enact comprehensive consumer privacy measures, following California, Colorado, and Virginia (covered by Buckley Special Alerts here and here and InfoBytes here). As previously covered by InfoBytes, under the UCPA, consumers will have rights to, among other things, (i) confirm whether their personal data is being processed and access their data; (ii) delete their data; (iii) obtain a copy of their previously provided data; and (iv) opt out of the processing of their data for targeted advertising and the sale of their data. The UCPA also outlines data controller responsibilities, including a requirement that data processors must adhere to a controller’s instructions and enter into a contract with clearly specified instructions for processing personal data. The UCPA also requires controllers to provide privacy notices to consumers disclosing certain information regarding data collection and sharing practices. While the UCPA explicitly prohibits its use as the basis for a private right of action, it does grant the state attorney general exclusive authority to enforce the law and seek penalties of up to $7,500 per violation. Additionally, upon discovering a potential violation of the UCPA, the attorney general must give the controller or processor written notice and 30 days to cure the alleged violation before the attorney general can file suit. The UCPA takes effect December 31, 2023.

    Privacy/Cyber Risk & Data Security State Issues State Legislation Utah Consumer Protection

  • Biden urges private-sector businesses to strengthen cyber defenses

    Federal Issues

    On March 21, President Biden issued a fact sheet warning private-sector businesses of potential retaliatory Russian cyberattacks. Biden reiterated previous “warnings based on evolving intelligence that the Russian Government is exploring options for potential cyberattacks” against the U.S. in “response to the unprecedented economic costs [] imposed on Russia alongside our allies and partners.” The fact sheet urges companies to execute specific measures to strengthen their cyber defenses such as (i) mandating multi-factor authentication to make it harder for attackers to access systems; (ii) deploying modern security tools on computers and devices to continuously look for and mitigate threats; (iii) patching and protecting systems against known vulnerabilities and changing passwords so previously stolen credentials cannot be used by malicious actors; (iv) backing up and encrypting data so it cannot be used if stolen; (v) educating employees on common tactics used by attackers and encouraging the reporting of “unusual behavior”; and (vi) engaging proactively with the FBI or the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) “to establish relationships in advance of any cyber incidents” (see CISA’s “Shields Up” guidance here). “I urge our private-sector partners to harden your cyber defenses immediately by implementing the best practices we have developed together over the last year,” Biden stated. “You have the power, the capacity, and the responsibility to strengthen the cybersecurity and resilience of the critical services and technologies on which Americans rely.”

    Federal Issues Privacy/Cyber Risk & Data Security Biden Russia Ukraine Ukraine Invasion

  • District Court denies defendant’s motion to certify an interlocutory appeal in BIPA case

    Courts

    On March 18, the U.S. District Court for the Northern District of Illinois denied a retailer’s motion to certify for interlocutory appeal the court’s earlier ruling denying, in part, the retailer’s motion to dismiss. This multi-district litigation involves allegations that the retailer used a database containing photographs of individuals and other information to identify people whose images appeared in its surveillance cameras, in violation of the Illinois Biometric Information Privacy Act (BIPA), and California and New York laws. In denying the request for interlocutory appeal, the district court held that its earlier ruling had faithfully applied U.S. Court of Appeals for the Seventh Circuit precedent regarding standing of those who allege invasions of their personal privacy, and that the Supreme Court’s decision in TransUnion v. Ramirez (covered by InfoBytes here) did not undermine that precedent. It also held that the retailer’s disagreement with its prior application of the alleged facts to BIPA and its prior ruling that the plaintiffs had stated claims under California and New York laws did not warrant interlocutory review.

    Courts BIPA Privacy/Cyber Risk & Data Security MDL Appellate Seventh Circuit U.S. Supreme Court

  • District Court grants final approval in data breach case

    Courts

    On January 4, the U.S. District Court for the Eastern District of Texas granted final approval of a settlement in a class action resolving claims that a software company and its subsidiary (collectively, “defendants”) failed to properly safeguard customers’ personally identifiable information (PII). According to the memorandum of law in support of the plaintiffs’ motion for preliminary approval, the plaintiffs filed suit after a data breach of the defendants’ systems, alleging that the defendants violated numerous states’ privacy and other laws by failing to keep their PII confidential and securely maintained. According to the plaintiffs’ motion for preliminary approval, the settlement establishes a settlement class of approximately 4,341,523 members whose PII was potentially compromised by the breach. The settlement would provide $2,000 for each named plaintiff and reimbursement of up to $5,000 of out-of-pocket expenses per class member, including up to eight hours of lost time at $25 per hour and 12 months of financial fraud protection. Additionally, more funds will be given to the California subclass, comprised of 318,091 individuals, who will receive between $100 and $300 in relief each. The defendants are also required to pay attorneys’ fees and litigation costs and expenses.

    Courts Class Action Data Breach Privacy/Cyber Risk & Data Security Settlement

  • Indiana enacts data breach disclosure requirements

    Privacy, Cyber Risk & Data Security

    On March 18, the Indiana governor signed HB 1351, which provides that in the event of the discovery of a data breach, persons are required to disclose or provide notification “without unreasonable delay, but not more than forty-five (45) days after the discovery of the breach.” The bill provides for specific reasonable delays, including circumstances that are “necessary to restore the integrity of the computer system” or “to discover the scope of the breach,” or in certain instances where the attorney general or a law enforcement agency states that disclosure of the breach will impede a criminal or civil investigation or jeopardize national security. The statute amends an existing provision of Indiana law, IC-24-4.9.3-3, by making clear that notification must be within 45 days. HB 1351 takes effect July 1.

    Privacy/Cyber Risk & Data Security State Issues State Legislation Indiana Data Breach Disclosures

  • District Court approves $17 million data breach settlement

    Privacy, Cyber Risk & Data Security

    On March 15, the U.S. District Court for the Northern District of Illinois granted final approval of a class settlement to resolve claims alleging two defendant insurance companies failed to protect over six million employee/customers’ personal and private identifying information, including names, addresses, Social Security numbers, and driver’s license numbers, from two data breach and scraping incidents. According to the memorandum of law in support of the plaintiffs’ unopposed motion for final approval, plaintiffs separately filed complaints after learning the defendants were exposed to two separate data breaches in December 2020 and March 2021. The cases were consolidated, and parties engaged in settlement negotiations. Under the terms of the settlement agreement, the defendants will provide settling class members with at least $17.1 million in relief. Class members will also have automatic access to certain financial fraud services and may submit claims to receive compensation for out-of-pocket losses (capped at $10,000 per person) and lost-time losses (up to six hours of lost-time reimbursements at $18 per hour), in addition to receiving $50 per hour if they missed work to address the breaches. Additionally, a California subclass will also be able to file claims for $50 in statutory relief. Under the California Consumer Privacy Act, consumers may seek statutory damages of up to $750 per violation. Defendants are also responsible for a portion of attorneys’ fees and costs.

    Privacy/Cyber Risk & Data Security Courts Settlement Data Breach State Issues CCPA California

  • Irish DPC fines global social media company €17 million for GDPR violations

    Privacy, Cyber Risk & Data Security

    On March 15, the Irish Data Protection Commission (DPC) adopted a decision fining a global social media company €17 million (approximately $18.6 million) after finding that the company failed to prevent a series of data breaches in 2018. The DPC conducted an inquiry into a series of 12 data breach notifications it received between June 7, 2018 and December 4, 2018, to examine the extent that the company complied with GDPR requirements related to the processing of personal data. Following the inquiry, the DPC found that the company violated GDPR Articles 5(2) and 24(1) by failing “to have in place appropriate technical and organizational measures which would enable it to readily demonstrate the security measures that it implemented in practice to protect EU users’ data, in the context of the twelve personal data breaches.” Article 5 outlines principles related to the processing of personal data and requires companies to ensure that EU residents’ personal data is processed “in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.” Article 24(1) requires controllers to “implement appropriate technical and organizational measures to ensure and to be able to demonstrate that processing is performed in accordance with” the GDPR. The DPC noted that because the processing under examination constituted “cross-border” processing, the “decision represents the collective views of both the DPC and its counterpart supervisory authorities throughout the EU.” 

    Privacy/Cyber Risk & Data Security Of Interest to Non-US Persons Enforcement EU Data Breach GDPR

  • FTC settles action against e-commerce platform for data breach cover up

    Federal Issues

    On March 15, the FTC announced a proposed settlement with two limited liability companies, the former and current owners of an online customized merchandise platform (collectively, “respondents”), for allegedly failing to secure consumers’ sensitive personal data and covering up a major breach. According to the complaint, the respondents allegedly violated the FTC Act by, among other things, misrepresenting that they implemented reasonable measures to protect the personal information (PI) of customers against unauthorized access and misrepresenting that appropriate steps were taken to secure consumer account information following security breaches. The complaint further alleged that respondents failed to apply readily available protections against well-known threats and to adequately respond to security incidents, which resulted in the respondents’ network being breached multiple times. Notably, one of the breaches involved a hacker gaining access to “millions of email addresses and passwords with weak encryption; millions of unencrypted names, physical addresses, and security questions and answers; more than 180,000 unencrypted Social Security numbers; and tens of thousands of partial payment card numbers and expiration dates.” The complaint goes on to allege that the online customized merchandise platform failed to properly investigate the breach for several months despite additional warnings, and failed to promptly notify its customers of the breach. Under the terms of the proposed settlement, the respondents are: (i) ordered to pay $500,000 in redress to victims of the data breaches; (ii) prohibited from making misrepresentations about their privacy and security measures, among other things; and (iii) required to have a third party assess their information security programs and provide the Commission with a redacted copy of that assessment suitable for public disclosure.

    Federal Issues FTC Enforcement Privacy/Cyber Risk & Data Security Deceptive Unfair UDAP FTC Act Data Breach
