
InfoBytes Blog

Financial Services Law Insights and Observations


  • District Court: Applying Michigan law is contrary to California’s interest in protecting citizens in data breach case

    Courts

    On June 15, the U.S. District Court for the Eastern District of Michigan denied an e-commerce company’s request to compel arbitration after reviewing whether Michigan or California state law applied to class claims concerning a 2019 data breach. After four actions against the company were consolidated and transferred from California court to Michigan, a separate putative class action was filed in the U.S. District Court for the Northern District of California related to the data breach. Members in this putative class action brought claims against the company for allegedly failing to protect California residents’ confidential and personal information from the 2019 data breach. The class sought public injunctive relief under California’s Consumer Records Act (CRA) and Unfair Competition Law, arguing, among other things, that the potential for “future injury to the general public” remains because the company has not changed its practices.

    The court initially granted the company’s motion to compel arbitration under its terms of service and privacy policy, which contained a mandatory arbitration clause as well as a clause requiring the parties to apply Michigan law to all claims or disputes. However, because that order applied to the amended consolidated class action complaint, which did not include the newest California putative class action, the court reopened the case to determine which state’s law applied to the California class’s claims. In denying the company’s motion to compel arbitration, the court cited McGill v. Citibank (covered by a Buckley Special Alert here), which held that a waiver of a plaintiff’s substantive right to seek public injunctive relief is not enforceable, and determined that applying Michigan law is “contrary” to California’s “materially greater interest in protecting its citizens,” particularly because the alleged violations are ongoing. The court rejected the company’s argument that McGill did not apply because the putative class is seeking an injunction that would benefit only a narrow subset of individuals whose data was stolen rather than the general public. According to the court, rejecting the putative class’s claims for this reason would allow the company “to continue engaging in inadequate data protection practices in violation of the Unfair Competition and CRA and leave consumers unable to adjudicate their claims based on those practices on behalf of the public.” The putative class’s proposed 12-point injunction would, among other things, require the company to hire third-party security auditors and implement other reasonable and appropriate security practices and procedures, which would benefit all future customers, not only those harmed in the 2019 data breach, the court stated, adding that the proposed class has “nothing to personally gain from an injunction requiring [the company] to employ safer data practices” because their data was already compromised.

    Courts Privacy/Cyber Risk & Data Security Data Breach Class Action Arbitration State Issues

  • SEC charges settlement company with cybersecurity disclosure violations

    Securities

    On June 15, the SEC announced charges against a real estate settlement services company for allegedly failing to maintain disclosure controls and procedures related to a cybersecurity vulnerability that exposed sensitive customer information. According to the SEC’s order, an independent cybersecurity journalist warned the company in May 2019 of a vulnerability in its system for sharing document images that exposed over 800 million images dating back to 2003, including images containing sensitive personal data such as social security numbers and financial information. In response, the company issued a statement for inclusion in the journalist’s report published in May 2019 and furnished a Form 8-K to the Commission on May 28, 2019. However, according to the order, the senior executives responsible for these kinds of disclosures “were not apprised of certain information that was relevant to their assessment of the company’s disclosure response to the vulnerability and the magnitude of the resulting risk.” Specifically, the order states that senior executives were not informed that the company’s information security personnel had identified the vulnerability several months earlier, in January 2019, but had failed to remediate it in accordance with the company’s policies. The order finds that the company “failed to maintain disclosure controls and procedures designed to ensure that all available, relevant information concerning the vulnerability was analyzed for disclosure in the company’s public reports filed with the Commission.” The SEC charged the company with violating Exchange Act Rule 13a-15(a); the company agreed to a cease-and-desist order and will pay a $487,616 penalty.

    Securities Federal Issues SEC Enforcement Courts Cease and Desist Privacy/Cyber Risk & Data Security Data Breach

  • 11th Circuit affirms majority of $380 million data breach settlement

    Courts

    On June 3, the U.S. Court of Appeals for the Eleventh Circuit affirmed a district court’s approval of a roughly $380.5 million settlement between a class of consumers (plaintiffs) and a large consumer reporting agency (CRA), which resolved allegations arising from a 2017 cyberattack that caused a data breach of the CRA. (Covered by InfoBytes here.) The 11th Circuit’s opinion resolves challenges brought by objectors to the settlement who argued that plaintiffs lacked Article III standing because they did not have their identities stolen, and challenged, among other things, certain procedural requirements, the appropriateness of class certification given the possibility that some class members may have been able to recover state statutory damages, and the district court’s adoption of an approval order “ghostwritten” by plaintiffs’ counsel. The objectors also argued that the settlement was inadequate given the “unique risks associated with stolen social security numbers,” and disagreed with the award of $77.5 million in attorneys’ fees, as well as the district court’s decision to impose appeal bonds of $2,000 on each objector.

    On appeal, the 11th Circuit rejected almost all of the objectors’ arguments after determining that class members, even if they were not victims of identity theft, faced a material risk of harm. The appellate court also held that the procedural requirements were not particularly burdensome given the roughly 147 million class members involved. Moreover, the appellate court concluded that the fact that class members in a few states could have sought statutory damages did not make the named plaintiffs inadequate class representatives. Furthermore, the appellate court noted that (i) the settlement addressed the seriousness of the stolen social security numbers; (ii) attorneys’ fees (equal to 20.36 percent of the common fund) were within the reasonable range; (iii) objectors failed to show any “practice of uncritically adopting counsel’s proposed orders”; and (iv) the district court did not “abuse its discretion when it imposed the appeal bonds based on its finding that there was a ‘substantial risk that the costs of appeal will not be paid unless a bond is required.’” Finally, the 11th Circuit noted that “[a]bsent the settlement, the class action could have faced serious hurdles to recovery, and now the class is entitled to significant settlement benefits that may not have even been achieved at trial,” adding that the FTC, CFPB, and the state attorneys general for 48 states, the District of Columbia, and Puerto Rico all support the settlement.

    The appellate court, however, reversed the district court’s award of incentive payments to the class representatives and remanded the case solely for the purpose of vacating those awards.

    Courts Privacy/Cyber Risk & Data Security Data Breach Class Action Settlement Consumer Reporting Agency Consumer Data Appellate

  • District Court approves online marketplace data breach settlement

    Courts

    On May 13, the U.S. District Court for the Northern District of California preliminarily approved a class action settlement, resolving allegations that a California-based online designer marketplace failed to protect customers’ personal information from a computer hacking group in a May 2020 data breach. After investigating the cybersecurity incident, the plaintiffs asserted negligence and brought claims under California’s Consumer Privacy Act and Unfair Competition Law. The preliminary settlement requires the company to establish a $5 million settlement fund, which would “provide for an estimated $43 payment per participating class member, two years of credit monitoring, and identity restoration services.” The company must also implement several business practice changes to enhance security, including strengthening password protection and adopting a policy to minimize the retention of customers’ personally identifiable information. The settlement also notes that “members subject to identity theft can also obtain fraud resolution assistance to dispute transactions, mediate calls with merchants, and implement fraud alerts.” Class members who do not agree to the settlement may opt out by September 16.

    Courts Data Breach Settlement Privacy/Cyber Risk & Data Security Class Action CCPA State Issues

  • Defendant obligated to indemnify bank in data breach suit

    Courts

    On May 10, the U.S. District Court for the Southern District of Texas ordered a defendant hospitality company to reimburse a national bank and its payment processor (collectively, “plaintiffs”) for $20 million in assessments levied against the plaintiffs by two payment brands following a data breach announced by the defendant in 2015. An investigation into the data breach determined that the defendant failed to require two-factor authentication on its remote access software, which contributed to the data breach and violated the payment brands’ security guidelines. The bank paid roughly $20 million to the payment brands and asked the defendant to indemnify it for the assessments. The defendant refused, arguing that its agreement with the bank was not breached because the payment brands’ rules “distinguish between actual and potential data compromises.” Moreover, the defendant stressed that “[b]ecause no evidence indicates that the attackers used the cardholder information,” it was not obligated to indemnify the bank. The plaintiffs countered that under the agreement, the defendant agreed to indemnify the bank “if its failure to comply with the brands’ security guidelines, or the compromise of any payment instrument, results in assessments, fines, and penalties by the payment brands.” The plaintiffs filed suit and moved for partial summary judgment on a breach of contract claim. In granting the motion, the court determined that the hospitality company is contractually obligated to cover the costs, ruling that an actual data compromise is not necessary to trigger the agreement’s indemnification provisions and that the bank does not need to show that the attackers used the payment information.

    Courts Privacy/Cyber Risk & Data Security Data Breach Payment Processors Credit Cards

  • Data breach claims against convenience store chain can proceed

    Courts

    On May 6, the U.S. District Court for the Eastern District of Pennsylvania ruled that a defendant nationwide convenience store chain must face certain claims filed by a group of financial institutions as a result of a 2019 data security incident that allegedly compromised consumers’ credit and debit card information. The financial institutions, in bringing claims for negligence, negligence per se, and declaratory and injunctive relief, asserted, among other things, that the defendant’s “deficient security measures and vulnerable point-of-sale systems led to a data breach that went undetected for almost nine months.” The court ruled that the negligence and declaratory and injunctive relief claims can proceed, but dismissed without prejudice the financial institutions’ negligence per se claim so that it can be repleaded as part of the general negligence claim. In allowing the negligence claim to survive, the court rejected the defendant’s argument that the claim is barred by the economic loss doctrine, which bars recovery in tort for losses resulting from an alleged breach of a duty arising under a contract between the parties. The court pointed out that the financial institutions’ claims fall within a narrow exception to the economic loss doctrine under Pennsylvania law for breach of a common law duty “independent of any potential contractual relationship,” including “the duty to maintain and protect sensitive data with reasonable care.” The court wrote that “the [i]nstitutions have set forth a plausible negligence claim based on the argument that [the defendant] owed them an independent duty in light of” the Pennsylvania Supreme Court’s 2018 ruling in Dittman v. UPMC, which held that this duty “exists independently from any contractual obligations between the parties.” The court further stated that dismissing the declaratory and injunctive relief claims at this stage would curtail the court’s “broad equity powers to fashion the most complete relief possible.”

    As previously covered by InfoBytes, in February, consolidated class members filed an unopposed motion for preliminary approval of a settlement agreement with the defendant, which would provide monetary relief to class members totaling up to $9 million, plus $3.2 million for attorneys’ fees and expenses and class representative service awards. The defendant would also be required to take additional measures for a period of two years to prevent future unauthorized intrusions.

    Courts Data Breach Privacy/Cyber Risk & Data Security

  • 2nd Circuit: No standing if PII is uncompromised

    Courts

    On April 26, the U.S. Court of Appeals for the Second Circuit affirmed a district court’s denial of a proposed class action settlement and dismissal of the case, concluding that although, “in the context of unauthorized data disclosures,” plaintiffs may establish Article III standing on the theory that a data breach increases the risk of identity theft, the appealing plaintiff failed to show that her sensitive personally identifiable information (PII) had been misused or compromised. The plaintiff filed a proposed class action against a former employer after a company employee accidentally sent an email to approximately 65 company employees with an attachment containing PII for roughly 130 current and former workers, including Social Security numbers, home addresses, and birth dates. The plaintiff alleged that the defendant, among other things, violated several state consumer protection statutes, and contended that workers “were ‘at imminent risk of suffering identity theft.’” The plaintiff further claimed that workers had to spend time canceling credit cards, assessing whether to apply for new Social Security numbers, and purchasing credit monitoring and identity theft protection services. Although the parties reached a settlement, the district court denied the settlement and dismissed the case for lack of subject-matter jurisdiction after finding that the plaintiff lacked Article III standing because she failed to allege “an injury that is concrete and particularized and certainly impending.” According to the district court, it was “arguably a misnomer to even call this case a ‘data breach’ case,” because, “[a]t best, the data was ‘misplaced’” internally rather than accessed by a third party.

    On appeal, the Second Circuit agreed with the district court, concluding that the plaintiff failed to demonstrate an increased risk of identity theft and that the cost of taking proactive measures to prevent future identity theft is insufficient to constitute an injury in fact when the threat is speculative. “This notion stems from the Supreme Court’s guidance in [Clapper v. Amnesty Int’l USA], where it noted that plaintiffs ‘cannot manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending.’”

    Courts Appellate Second Circuit Data Breach Privacy/Cyber Risk & Data Security Class Action State Issues

  • Court certifies two classes in restaurant chain data breach

    Privacy, Cyber Risk & Data Security

    On April 15, the U.S. District Court for the Middle District of Florida certified a nationwide class and a California-only class of restaurant customers who claim the restaurant chain’s negligence led to a 2018 data breach that compromised their payment card information. The two classes include consumers who made credit or debit card purchases at affected restaurants in March and April 2018, when their data was accessed by cybercriminals, and who incurred reasonable expenses or spent time mitigating the consequences of the breach. The judge certified the classes only on the plaintiffs’ negligence and California Unfair Competition Law claims, and deferred ruling on class certification for the claim that the restaurants’ parent company breached an implied contract with customers by failing to have adequate cybersecurity protocols. Certifying a class on that claim, the judge stated, could require applying 50 different states’ laws on breach of implied contract.

    Privacy/Cyber Risk & Data Security Courts Data Breach Consumer Finance State Issues

  • NYDFS, insurance broker reach $3 million cyber breach settlement

    State Issues

    On April 14, NYDFS announced a settlement with an insurance broker to resolve allegations that the broker violated the state’s cybersecurity regulation (23 NYCRR Part 500) by failing to report that it was the subject of two cyber breaches between 2018 and 2020. Under Part 500.17, regulated entities must notify NYDFS as promptly as possible, and no later than 72 hours after determining that a cybersecurity event has occurred that is reportable to another government body or regulator or that has a reasonable likelihood of materially harming the entity’s normal operations (see FAQs here). A September 2019 examination revealed that the cyber breaches involved unauthorized access to an employee’s email account, which could have provided access to personal data, including social security and bank account numbers. NYDFS also alleged that the broker failed to implement multi-factor authentication as required by Part 500.12. Under the terms of the consent order, the broker will pay a $3 million civil monetary penalty and will make further improvements to strengthen its existing cybersecurity program to ensure compliance with 23 NYCRR Part 500. NYDFS acknowledged the broker’s “commendable” cooperation throughout the examination and investigation and stated that the broker had demonstrated its commitment to remediation.

    State Issues 23 NYCRR Part 500 NYDFS Settlement Enforcement Privacy/Cyber Risk & Data Security Data Breach Bank Regulatory

  • NYDFS updates cybersecurity fraud alert

    State Issues

    On March 30, NYDFS issued an updated cybersecurity fraud alert that warns of additional techniques used in a widespread cybercrime campaign targeting public-facing websites. As previously covered in InfoBytes, the update stems from NYDFS’ February 16 cybersecurity fraud alert sent to regulated entities, which described a “widespread cybercrime campaign” designed to steal nonpublic private consumer information (NPI) from public-facing websites and use the stolen NPI to fraudulently apply for pandemic and unemployment benefits. In addition to the techniques previously identified, NYDFS alerts regulated entities to two further methods: (i) using browser web-debugging tools to read unredacted, plaintext NPI while it is in transit from the data vendor to the company’s website, even where the page itself displays only a redacted version; and (ii) credential stuffing to gain access to insurance agent accounts and then using those accounts to harvest consumer NPI. To prevent sensitive data from being stolen from public-facing websites, NYDFS advises financial organizations to avoid displaying prefilled NPI at all, even in redacted form, and to ensure that all portals are protected by the “robust access controls required by [NYDFS]’s cybersecurity regulation.” The alert also outlines remediation steps that financial institutions should take to ensure baseline security.

    State Issues NYDFS Privacy/Cyber Risk & Data Security State Regulators Data Breach 23 NYCRR Part 500 Covid-19 Bank Regulatory
