Skip to main content
Menu Icon Menu Icon

InfoBytes Blog

Financial Services Law Insights and Observations


Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.

  • District Court grants final approval to grocery store data breach settlement


    On July 21, the U.S. District Court for the Central District of Illinois granted final approval to a class action data breach settlement, resolving allegations that a grocery chain was responsible for a data breach that exposed the credit card information of consumers. The final settlement (which was preliminarily approved in January) allows class members representing consumers who used a payment card to make a purchase at an impacted point-of-sale device during the security incident to receive reimbursement of up to $225 for out-of-pocket expenses related to the breach, including (i) unreimbursed bank, overdraft, and late fees; (ii) telecommunication charges; (iii) payday loan interest; and (iv) costs related to credit monitoring, identity theft protection, and time spent replacing credit cards and addressing fraudulent charges. Additionally, class members may be awarded up to $5,000 for “extraordinary expenses” resulting from the compromise of personal information. The grocery chain also agreed to “establish and maintain security enhancements that are estimated to cost more than $20 million.” However, the court reduced the attorneys’ fees to $739,000 in the final settlement after determining the initial fee request was too high compared to the overall relief for class members.

    Courts Class Action Settlement Privacy/Cyber Risk & Data Security Data Breach

    Share page with AddThis
  • 9th Circuit partially reverses lower court’s ruling based on tech company's misleading statements


    On June 16, the U.S. Court of Appeals for the Ninth Circuit partially revived a securities fraud action brought by the state of Rhode Island on behalf of its employees’ retirement system against a California-based technology company, its holding company, and several individuals (collectively, “defendants”), reversing a district court’s dismissal. In 2018, investors sued the defendants after the technology company discovered a security glitch that same year on its now-defunct social network site that exposed hundreds of thousands of users’ private data. The suits were consolidated, with the state of Rhode Island as lead plaintiff, alleging the defendants deceived investors and caused the company’s shares to be traded at artificially inflated prices between the discovery of the software glitch and its disclosure. According to the plaintiffs, the defendants omitted material facts on Form 10-Qs filed with the SEC in 2018 by including statements such as “[t]here have been no material changes to our risk factors since our Annual Report on Form 10-K for the year ended December 31, 2017.” The defendants moved to dismiss for failure to state a claim, which the district court granted, stating, among other things, that the plaintiffs failed to adequately allege “falsity, materiality, and scienter” in statements made by the defendants in their April 2018 and July 2018 10-Qs.

    On appeal, the 9th Circuit reviewed the challenged statements, concluded that two statements made by the parent company in its 10-Qs were materially misleading or had omitted facts regarding the software issues, and vacated the dismissal of the plaintiffs’ falsity, materiality, and scienter claims. The appellate court also found that the defendants’ claim that the software problem had been patched by the time the challenged statements were made in their 10-Qs was not enough. “Given that [the company’s] business model is based on trust, the material implications of a bug that improperly exposed user data for three years were not eliminated merely by plugging the hole in [the social network site’s] security,” the appellate court wrote, further concluding that “[t]he market reaction, increased regulatory and governmental scrutiny, both in the United States and abroad, and media coverage alleged by the complaint to have occurred after disclosure all support the materiality of the misleading omission.” The 9th Circuit also referenced a so-called “Privacy Bug Memo” that was supposedly circulated among some of the defendants’ leadership team, which warned that disclosing these security issues “would likely trigger ‘immediate regulatory interest’ and result in the defendants ‘coming into the spotlight[.]’”

    Concerning the remaining 10-Q statements identified in the complaint, the 9th Circuit affirmed the district court’s dismissal of claims based on these statements after concluding that the plaintiffs did not plausibly allege that they were “misleading material misrepresentations.”

    Courts Ninth Circuit Appellate Privacy/Cyber Risk & Data Security Data Breach SEC

    Share page with AddThis
  • Connecticut amends data security breach provisions

    State Issues

    On June 16, the Connecticut governor signed H.B. 5310 to establish new data breach notification requirements related to state residents. Among other things, the act updates the definition of “personal information” to also include (i) taxpayer identification numbers; (ii) IRS identity protection personal identification numbers; (iii) passport and military identification numbers, as well as other government-issued identification numbers; (iv) medical information; (v) health insurance policy numbers or other identifiers used by health insurers; (vi) biometric information; and (vii) user names or email addresses combined with passwords or security questions and answers used to access an individual’s online account.

    The act also requires businesses to notify residents whose personal information was breached or reasonably believed to have been breached within 60 days instead of 90 days after the discovery of the breach. Should a business identify additional affected residents after 60 days, it is required to provide notice as expediently as possible. Additionally, in the event that a resident’s login credentials are breached, a business may provide notice in electronic form (or another form) that directs the individual to take appropriate measures to protect the affected online account and all other online accounts. Businesses that furnish email accounts are also required to either verify that the affected individual received the data breach notice or provide notification through another method. The act also adds provisions related to compliance with privacy and security standards under the Health Insurance Portability and Accountability Act of 1996 and the Health Information Technology for Economic and Clinical Health Act, and specifies that information provided in response to an investigative demand connected to a data breach will be exempt from public disclosure, but the attorney general may make the information available to third parties in furtherance of the investigation. The act takes effect October 1.

    State Issues State Legislation Privacy/Cyber Risk & Data Security Data Breach Consumer Protection

    Share page with AddThis
  • District Court: Applying Michigan law is contrary to California’s interest in protecting citizens in data breach case


    On June 15, the U.S. District Court for the Eastern District of Michigan denied an e-commerce company’s request to compel arbitration after reviewing whether Michigan or California state law applied to class claims concerning a 2019 data breach. After four actions against the company were consolidated and transferred from California court to Michigan, a separate putative class action was filed in the U.S. District Court for the Northern District of California related to the data breach. Members in this putative class action brought claims against the company for allegedly failing to protect California residents’ confidential and personal information from the 2019 data breach. The class sought public injunctive relief under California’s Consumer Records Act (CRA) and Unfair Competition Law, arguing, among other things, that the potential for “future injury to the general public” remains because the company has not changed its practices.

    The court initially granted the company’s motion to compel arbitration according to its terms of service and privacy policy, which contained a mandatory arbitration clause as well as a clause requiring parties to apply Michigan law to all claims or disputes. However, because the order applied to the originally amended consolidated class action complaint that did not include the newest California putative class action, the court reopened the case in order to determine which state law applied to the California class’s claims. In denying the company’s motion to compel arbitration, the court cited to McGill v. Citibank (covered by a Buckley Special Alert here, which held that a waiver of the plaintiff’s substantive right to seek public injunctive relief is not enforceable) and determined that applying Michigan law is “contrary” to California’s “materially greater interest in protecting its citizens”—particularly because the alleged violations are ongoing. The court rejected the company’s argument that McGill did not apply in this case because the putative class is seeking an injunction that would only benefit a narrow subset of individuals whose data was stolen rather than the general public. According to the court, rejecting the putative class’s claims for this reason would allow the company “to continue engaging in inadequate data protection practices in violation of the Unfair Competition and CRA and leave consumers unable to adjudicate their claims based on those practices on behalf of the public.” The putative class’s proposed 12-point injunction would, among other things, require the company to hire third-party security auditors and implement other reasonable and appropriate security practices and procedures, which would benefit all future customers, not only those harmed in the 2019 data breach, the court stated, adding that the proposed class has “nothing to personally gain from an injunction requiring [the company] to employ safer data practices” because their data was already compromised.

    Courts Privacy/Cyber Risk & Data Security Data Breach Class Action Arbitration State Issues

    Share page with AddThis
  • SEC charges settlement company with cybersecurity disclosure violations


    On June 15, the SEC announced charges against a real estate settlement services company for its role in allegedly failing to disclose controls and procedures related to a cybersecurity vulnerability that exposed sensitive customer information. According to the SEC’s order, an independent cybersecurity journalist warned the company in May 2019 of a vulnerability concerning its system for sharing document images that exposed over 800 million images dating back to 2003, including images containing sensitive personal data such as social security numbers and financial information. In response, the company allegedly issued a press release for inclusion in the cybersecurity journalist’s report published in May 2019 and furnished a Form 8-K to the Commission on May 28, 2019. However, according to the order, the company’s senior executives responsible for these kinds of releases “were not apprised of certain information that was relevant to their assessment of the company’s disclosure response to the vulnerability and the magnitude of the resulting risk.” Specifically, the order states that senior executives were not informed that the company’s information security personnel had identified a vulnerability several months earlier, in January 2019, but failed to remediate the vulnerability in accordance with the company’s policies. The order finds that the company “failed to maintain disclosure controls and procedures designed to ensure that all available, relevant information concerning the vulnerability was analyzed for disclosure in the company’s public reports filed with the Commission.” The SEC charged the company with violating Rule 13a-15(a) of the Exchange Act and ordered the company, who agreed to a cease-and-desist order, to pay a $487,616 penalty.

    Securities Federal Issues SEC Enforcement Courts Cease and Desist Privacy/Cyber Risk & Data Security Data Breach

    Share page with AddThis
  • 11th Circuit affirms majority of $380 million data breach settlement


    On June 3, the U.S. Court of Appeals for the Eleventh Circuit affirmed a district court’s approval of a roughly $380.5 million settlement between a class of consumers (plaintiffs) and a large consumer reporting agency (CRA), which resolved allegations arising from a 2017 cyberattack that caused a data breach of the CRA. (Covered by InfoBytes here.) The 11th Circuit’s opinion resolves challenges brought by objectors to the settlement who argued that plaintiffs lacked Article III standing because they did not have their identities stolen, and challenged, among other things, certain procedural requirements, the appropriateness of class certification given the possibility that some class members may have been able to recover state statutory damages, and the district court’s adoption of an approval order “ghostwritten” by plaintiffs’ counsel. The objectors also argued that the settlement was inadequate given the “unique risks associated with stolen social security numbers,” and disagreed with the award of $77.5 million in attorneys’ fees, as well as the district court’s decision to impose appeal bonds of $2,000 on each objector.

    On appeal, the 11th Circuit rejected almost all of the objectors’ arguments after determining that class members—even if they were not victims of identity theft—faced a material risk of harm. The appellate court also held that the procedural requirements were not particularly burdensome given the roughly 147 million class members involved. Moreover, the appellate court concluded that the fact that class members in a couple of states could have argued for statutory damages did not make the named plaintiffs inadequate class representatives. Furthermore, the appellate court noted that (i) the settlement addressed the seriousness of the stolen social security numbers; (ii) attorneys’ fees (equal to 20.36 percent of the common fund) were within the reasonable range; (iii) objectors failed to show any “practice of uncritically adopting counsel’s proposed orders”; and (iv) the district court did not “abuse its discretion when it imposed the appeal bonds based on its finding that there was a ‘substantial risk that the costs of appeal will not be paid unless a bond is required.’” Moreover, the 11th Circuit noted that “[a]bsent the settlement, the class action could have faced serious hurdles to recovery, and now the class is entitled to significant settlement benefits that may not have even been achieved at trial,” adding that the FTC, CFPB, and state attorneys general for 48 states, the District of Columbia, and Puerto Rico all support the settlement.

    The appellate court, however, did reverse the district court’s award of incentive payments to class representative and remanded the case solely for the purpose of vacating the awards.

    Courts Privacy/Cyber Risk & Data Security Data Breach Class Action Settlement Consumer Reporting Agency Consumer Data Appellate

    Share page with AddThis
  • District Court approves online marketplace data breach settlement


    On May 13, the U.S. District Court for the Northern District California preliminarily approved a class action settlement, resolving allegations that a California-based online designer marketplace failed to protect customers’ personal information from a computer hacking group in a May 2020 data breach. The plaintiffs asserted negligence and brought claims under California’s Consumer Privacy Act and Unfair Competition Law after plaintiffs launched an investigation into the cybersecurity incident. The preliminary settlement requires the company to establish a $5 million settlement fund, which would “provide for an estimated $43 payment per participating class member, two years of credit monitoring, and identity restoration services.” The company must also implement several business practice changes to enhance security, including enhancing password protection and implementing a policy regarding minimizing the retention of customers’ personally identifiable information. The settlement also notes that “members subject to identity theft can also obtain fraud resolution assistance to dispute transactions, mediate calls with merchants, and implement fraud alerts.” Class members who do not agree to the settlement may opt out of the settlement by September 16.

    Courts Data Breach Settlement Privacy/Cyber Risk & Data Security Class Action CCPA State Issues

    Share page with AddThis
  • Defendant obligated to indemnify bank in data breach suit


    On May 10, the U.S. District Court for the Southern District of Texas ordered a defendant hospitality company to reimburse a national bank and its payment processor (collectively, “plaintiffs”) for $20 million in assessments levied against the plaintiffs by two payment brands following a data breach announced by the defendant in 2015. An investigation into the data breach determined that the defendant failed to require two-factor authentication on its remote access software, which contributed to the data breach and violated the payment brands’ security guidelines. The bank paid roughly $20 million to the payment brands and asked the defendant to indemnify it for the assessments. The defendant refused, arguing that its agreement with the bank was not breached because the payment brands’ rules “distinguish between actual and potential data comprises.” Moreover, the defendant stressed that “[b]ecause no evidence indicates that the attackers used the cardholder information” it was not obligated to indemnify the bank. However, the plaintiffs claimed that under the agreement, the defendant agreed to indemnify the bank “if its failure to comply with the brands’ security guidelines, or the compromise of any payment instrument, results in assessments, fines, and penalties by the payment brands.” The plaintiffs filed suit and moved for partial summary judgment on a breach of contract claim. In granting the plaintiffs’ motion for partial summary judgment, the court determined that the hospitality company is contractually obligated to cover the costs, ruling that actual data compromise is not necessary to trigger the agreement’s indemnification guidelines and that the bank does not need to show that the attackers used the payment information.

    Courts Privacy/Cyber Risk & Data Security Data Breach Payment Processors Credit Cards

    Share page with AddThis
  • Data breach claims against convenience store chain can proceed


    On May 6, the U.S. District Court for the Eastern District of Pennsylvania ruled that a defendant nationwide convenience store chain must face certain claims filed by a group of financial institutions as a result of a 2019 data security incident that allegedly compromised consumers’ credit and debit card information. The financial institutions, in bringing claims for negligence, negligence per se, and declaratory and injunctive relief, asserted, among other things, that the defendant’s “deficient security measures and vulnerable point-of-sale systems led to a data breach that went undetected for almost nine months.” The court ruled that the negligence and declaratory and injunctive relief claims can proceed, but dismissed without prejudice the financial institution’s negligence per se claim so that it can be repleaded under a claim for general negligence. In allowing the negligence claim to survive, the court dismissed the defendant’s argument that the claim should be dismissed under the economic loss doctrine, which bars recovery in tort resulting from an alleged breach of duty under a contract between the parties. The court pointed out that the financial institutions’ claims are protected by a narrow exception to the economic loss doctrine under Pennsylvania law for breach of a common law duty “independent of any potential contractual relationship,” including “the duty to maintain and protect sensitive data with reasonable care.” The court wrote that “the [i]nstitutions have set forth a plausible negligence claim based on the argument that [the defendant] owed them an independent duty in light of” the Pennsylvania Supreme Court’s 2018 ruling in Dittman v. UPMC, which held that the duty “exists independently from any contractual obligations between the parties.” The court further stated that dismissing the declaratory and injunctive relief claims at this stage would curtail the court’s “broad equity powers to fashion the most complete relief possible.”

    As previously covered by InfoBytes, in February, consolidated class members filed an unopposed motion for preliminary approval of a settlement agreement with the defendant, which would provide monetary relief to class members totaling up to $9 million, plus $3.2 million for attorneys’ fees and expenses and class representative service awards. The defendant would also be required take additional measures for a period of two years to prevent future unauthorized intrusions.

    Courts Data Breach Privacy/Cyber Risk & Data Security

    Share page with AddThis
  • 2nd Circuit: No standing if PII is uncompromised


    On April 26, the U.S. Court of Appeals for the Second Circuit affirmed a district court’s dismissal of a proposed class action settlement, concluding that although, “in the context of unauthorized data disclosures,” plaintiffs may establish Article III standing on the theory that a data breach increases the risk of identity theft, the appealing plaintiff failed to show that her sensitive personally identifiable information (PII) had been misused or compromised. The plaintiff filed a proposed class action against a former employer after a company employee accidentally sent an email to approximately 65 company employees with an attachment containing PII for roughly 130 current and former workers, including Social Security numbers, home addresses, and birth dates. The plaintiff alleged that the defendant, among other things, violated several state consumer protection statutes, and contended that workers “were ‘at imminent risk of suffering identity theft.’” The plaintiff further claimed that workers had to spend time canceling credit cards, assessing whether to apply for new Social Security numbers, and purchasing credit monitoring and identity theft protection services. While the parties reached a settlement, the court ultimately denied the settlement and dismissed the case for lack of subject-matter jurisdiction after finding the plaintiff lacked Article III standing because she failed to allege “an injury that is concrete and particularized and certainly impending.” According to the district court, it was “arguably a misnomer to even call this case a ‘data breach’ case,” because, “[a]t best, the data was ‘misplaced’” internally rather than accessed by a third party.

    On appeal, the Second Circuit agreed with the district court, concluding that the plaintiff failed to demonstrate an increased risk of identity theft and that the cost of taking proactive measures to prevent future identity theft is insufficient to constitute an injury in fact when the threat is speculative. “This notion stems from the Supreme Court’s guidance in [Clapper v. Amnesty Int’l USA], where it noted that plaintiffs ‘cannot manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending.’”

    Courts Appellate Second Circuit Data Breach Privacy/Cyber Risk & Data Security Class Action State Issues

    Share page with AddThis