
InfoBytes Blog

Financial Services Law Insights and Observations


  • District Court approves $1.75 million data breach settlement

    Privacy, Cyber Risk & Data Security

    On March 3, the U.S. District Court for the Central District of California granted final approval of a $1.75 million class action settlement resolving allegations related to a 2020 data breach that compromised nearly 100,000 individuals’ personally identifiable information, including financial information, social security numbers, health records, and other personal data. The affected individuals are students, parents, and guardians who were enrolled in a system used to manage student data in a California school district. According to class members, by failing to adequately safeguard users’ login credentials and by failing to timely notify individuals of the breach, the company violated, among other things, California’s unfair competition law, the California Customer Records Act, and the California Consumer Privacy Act.

    Under the terms of the settlement, the company is required to pay a non-reversionary settlement amount of $1.75 million, which will be used to compensate class members and pay for attorney fees and costs, service awards, and administrative expenses. Additionally, as outlined in the motion for preliminary approval of the class action settlement, class members are eligible to submit claims for “ordinary losses” (capped at $1,000 per person), as well as “extraordinary losses” (capped at $10,000 per person). Ordinary losses include expenses such as bank fees, long distance phone charges, certain cell phone charges, postage, gasoline for local travel, “[f]ees for additional credit reports, credit monitoring, or other identity theft insurance products,” and up to 40 hours of time, at $25/hour, for at least one full hour used to deal with the data breach. Extraordinary losses are described as those “arising from financial fraud or identity theft” where the “loss is an actual, documented, and unreimbursed monetary loss” and is “fairly traceable to the data breach” and not already covered by another reimbursement category. Class members must also show that they made “reasonable efforts to avoid, or seek reimbursement for, the loss.” All class members will be offered 12 months of credit monitoring and identity theft protection at no cost, and the company will implement “information security enhancements” to prevent future occurrences.


  • 4th Circuit remands privacy suit to state court

    Privacy, Cyber Risk & Data Security

    On February 21, the U.S. Court of Appeals for the Fourth Circuit held that a proposed class action over website login procedures belongs in state court. Plaintiff alleged that after a nonparty credit reporting agency experienced a data breach, it used the defendant subsidiary’s website to inform customers whether their personal data had been compromised. Because the defendant’s website required the plaintiff to enter six digits of his Social Security number to access the information, the plaintiff alleged violations of South Carolina’s Financial Identity Fraud and Identity Theft Protection Act and the state’s common-law right to privacy. Under the state statute, companies are prohibited from requiring consumers to use six digits or more of their Social Security number to access a website unless a password, a unique personal identification number, or another form of authentication is also required. According to the plaintiff, the defendant’s website did not include this requirement.

    The defendant moved the case to federal court under the Class Action Fairness Act and requested that the case be dismissed. Plaintiff filed an amended complaint in federal court, as well as a motion asking the district court to first determine whether it had subject matter jurisdiction, given the U.S. Supreme Court’s ruling in TransUnion LLC v. Ramirez, which clarified the type of concrete injury necessary to establish Article III standing (covered by InfoBytes here). Although the district court held that the plaintiff had alleged “an intangible concrete harm in the manner of an invasion of privacy,” which it said was enough to give it subject-matter jurisdiction “at this early stage of the case,” it dismissed the case after determining the plaintiff had not plausibly stated a claim. 

    In reversing and remanding the action, the 4th Circuit found that the plaintiff alleged only a bare statutory violation and had not pled a concrete injury sufficient to confer Article III standing in federal court. The appellate court vacated the district court’s decision to dismiss the case and ordered the district court to remand the case to state court. The 4th Circuit took the position that an intangible harm, such as a plaintiff “enduring a statutory violation” is insufficient to confer standing unless there is a separate harm “or a materially increased risk of another harm” associated with the violation. “[Plaintiff] hasn’t alleged—even in a speculative or conclusory fashion—that entering six digits of his SSN on [defendant’s] website has somehow raised his risk of identity theft,” the 4th Circuit said. In conclusion, the 4th Circuit wrote: “We offer no opinion about whether the alleged facts state a claim under the Act. Absent Article III jurisdiction, that’s a question for [plaintiff] to take up in state court.”


  • NCUA approves final cyber incident reporting rule

    Agency Rule-Making & Guidance

    On February 16, the NCUA approved a final rule that requires federally-insured credit unions (FICUs) to notify the agency as soon as possible (and no later than 72 hours) after a FICU “reasonably believes that a reportable cyber incident has occurred.” Specifically, the rule requires FICUs to report cyber incidents that lead “to a substantial loss of confidentiality, integrity, or availability of a network or member information system as a result of the exposure of sensitive data, disruption of vital member services, or that has a serious impact on the safety and resiliency of operational systems and processes.” Under the rule, FICUs must report any cyberattacks that disrupt their business operations, vital member services, or a member information system within 72 hours of the FICU’s “reasonable belief that it has experienced a cyberattack.” The NCUA explained that the 72-hour notification requirement provides an early alert to the agency but that the rule does not require the submission of a detailed incident assessment within this time frame. The final rule takes effect September 1. Additional reporting guidance will be provided prior to the effective date.

    “Through these high-level early warning notifications, the NCUA will be able to work with other agencies and the private sector to respond to cyber threats before they become systemic and threaten the broader financial services sector,” NCUA Chairman Todd M. Harper said. Harper further explained that “[t]his final rule will also align the NCUA’s reporting requirements with those of the federal banking agencies and the Cyber Incident Reporting for Critical Infrastructure Act.”


  • FTC finalizes data-security order with ed tech provider

    Federal Issues

    On January 27, the FTC finalized an order with an education technology (ed tech) provider resolving allegations that the provider’s lax data security practices led to the exposure of millions of users’ and employees’ sensitive information, including Social Security numbers, email addresses, and passwords. As previously covered by InfoBytes, due to the company’s alleged failure to adequately protect the personal information collected from its users and employees, the company experienced four data breaches beginning in September 2017, when a phishing attack granted a hacker access to employees’ direct deposit information. Claiming violations of Section 5(a) of the FTC Act, the FTC alleged the company failed to implement basic security measures, stored personal data insecurely, and failed to implement a written security policy until January 2021, despite experiencing three phishing attacks.

    Under the terms of the final decision and order, the company (who neither admitted nor denied any of the allegations) is required to take several measures to address the alleged conduct, including: (i) implementing a data retention and deletion process, which will allow users to request access to and deletion of their data; (ii) providing multi-factor authentication methods for users to secure their accounts; (iii) providing notice to affected individuals; (iv) implementing a comprehensive information security program; and (v) obtaining initial and biennial third-party information security assessments. The company must also submit covered incident reports to the FTC and is prohibited from making any misrepresentations relating to how it collects, maintains, uses, deletes, permits, or denies access to individuals’ covered information.


  • District Court approves $11 million data breach settlement

    Privacy, Cyber Risk & Data Security

    On January 4, the U.S. District Court for the Northern District of Texas granted final approval of an $11 million class action settlement resolving allegations related to a February 2021 data breach that compromised more than 4.3 million customers’ personally identifiable information, including names, Social Security numbers, driver’s license numbers, dates of birth, and username/password information. According to plaintiffs’ amended complaint, the defendant insurance software providers failed to notify affected individuals about the data breach until on or after May 10, 2021, despite commencing an investigation in March. Plaintiffs maintained that the defendants’ alleged failure to comply with FTC cybersecurity guidelines and industry data protection standards put at risk their financial and personal records, and said they now face years of constant surveillance to prevent potential identity theft and fraud. Under the terms of the settlement (see also plaintiffs’ memorandum of law in support of the motion for final approval), class members will each receive up to $5,000 for out-of-pocket expenses, including up to eight hours of lost time at $25/hour, as well as 12 months of financial fraud protection. Members of a California subclass will receive additional benefits of between $100 and $300 each. The defendants are also responsible for paying each named plaintiff a $2,000 service award and must pay over $3 million in attorney fees, costs, and expenses.


  • District Court preliminarily approves data breach suit

    Courts

    On January 9, the U.S. District Court for the District of New Mexico granted preliminary approval of a class action settlement in a data breach suit that allegedly compromised approximately 191,000 individuals’ personally identifiable information (PII). According to the plaintiffs’ motion, the class alleged that their PII and personal health information were compromised when cybercriminals breached the defendant’s systems. If granted final approval, the settlement class would consist of four categories of relief: (i) reimbursement for lost time (up to four hours at $15 per hour) and out-of-pocket expenses up to $500; (ii) reimbursement for extraordinary losses up to $3,500; (iii) two years’ free credit monitoring services; and (iv) equitable relief in the form of security improvements to the defendant’s system.


  • FCC proposes new data breach notification requirements

    Agency Rule-Making & Guidance

    On January 6, the FCC announced a notice of proposed rulemaking (NPRM) to launch a formal proceeding for strengthening the Commission’s rules for notifying customers and federal law enforcement of breaches of customer proprietary network information (CPNI). FCC Chairwoman Jessica Rosenworcel noted that “given the increase in frequency, sophistication, and scale of data leaks, we must update our rules to protect consumers and strengthen reporting requirements.” She commented that the “new proceeding will take a much-needed, fresh look at our data breach reporting rules to better protect consumers, increase security, and reduce the impact of future breaches.” The NPRM, which seeks to improve alignment with recent developments in federal and state data breach laws covering other sectors, would require telecommunications providers to notify impacted customers of CPNI breaches without unreasonable delay, thus eliminating the current seven business day mandatory waiting period for notifying customers of a breach.

    Among other things, the FCC requests feedback on whether to establish a specific timeframe (e.g. a requirement to report breaches of customers’ data within 24 or 72 hours of discovery of a breach) or whether a disclosure deadline should vary based on a graduated scale of severity. The FCC also seeks comments on whether a carrier should “be held to have ‘reasonably determined’ a breach has occurred when it has information indicating that it is more likely than not that there was a breach,” and whether the Commission should publish guidance on what constitutes a reasonable determination or adopt a more definite standard. Feedback is also solicited on topics such as threshold triggers, what should be included in a security breach notification, the delivery method of these notifications, and whether to expand the definition of a data breach to also include inadvertent disclosures. Comments are due 30 days after publication in the Federal Register.


  • 9th Circuit revives data breach class action against French cryptocurrency wallet provider

    Privacy, Cyber Risk & Data Security

    On December 1, the U.S. Court of Appeals for the Ninth Circuit affirmed in part and reversed in part a district court’s dismissal of a putative class action brought against a French cryptocurrency wallet provider and its e-commerce vendor for lack of personal jurisdiction. As previously covered by InfoBytes, plaintiffs—customers who purchased hardware wallets through the vendor’s platform between July 2017 and June 2020—alleged violations of state-level consumer protection laws after a 2020 data breach exposed the personal contact information of thousands of customers. Plaintiffs contended, among other things, that when the breach was announced in 2020, the wallet provider failed to inform them that their data was involved in the breach, downplayed the seriousness of the attack, and did not disclose that the attack on its website and the vendor’s data theft were connected. The district court held that it did not have jurisdiction over the French wallet provider, and ruled, among other things, that the plaintiffs did not establish that the wallet provider “expressly aimed” its activities towards California in a way that would establish specific jurisdiction, and “did not cause harm in California that it knew was likely to be suffered there.” The district court further held that the fact that the vendor was headquartered in California at the time the breach occurred was not sufficient to establish general jurisdiction because the vendor moved to Canada before the class action was filed. “Courts have uniformly held that general jurisdiction is to be determined no earlier than the time of filing of the complaint,” the district court wrote, dismissing the case with prejudice.

    On appeal, the 9th Circuit concluded that dismissal was improper because the French wallet provider’s contracts with California were sufficient to establish jurisdiction under the “purposeful availment” framework. The appellate court explained that because the French wallet provider sold roughly 70,000 wallets in the state, collected California sales tax, and shipped wallets directly to California addresses, the “facts suffice to establish purposeful availment because [the French wallet provider’s] contacts with the forum cannot be characterized as ‘random, isolated, or fortuitous.’” However, the 9th Circuit limited the claims to only those brought by California residents under the state’s consumer protection laws. A forum-selection clause in the French wallet provider’s privacy policy and terms of use documents provided that disputes would be subject to the exclusive jurisdiction of French courts, the appellate court said, which was enforceable except with respect to the class claims of California residents brought under California law “because it violated California public policy against waiver of consumer rights under California’s Consumer Legal Remedies Act.”

    The 9th Circuit also determined that the district court abused its discretion in disallowing any jurisdictional discovery concerning the defendant e-commerce vendor. Explaining that the e-commerce vendor employs more than 200 people who work remotely from California, including a data-protection officer (DPO) who may have played a role related to the data breach, the appellate court wrote that “[b]ecause more facts are needed to determine whether those activities support the exercise of jurisdiction, we reverse the district court’s denial of jurisdictional discovery with respect to the DPO’s role and responsibilities and his relationship to [the e-commerce vendor], which processed and stored the data.”


  • Hair clinic must pay $500,000 to resolve data breach

    Courts

    On November 21, the U.S. District Court for the Central District of California granted final approval to a $500,000 class action settlement resolving allegations that a ransomware attack and data breach exposed the personal information of over 100,000 of the defendant hair-restoration clinic’s customers. According to the order, the plaintiffs alleged that defendant violated California's consumer protection statutes by failing to: (i) protect consumers' personal information; (ii) notify them quickly enough about the breach; and (iii) monitor its network for vulnerabilities and breaches. The order provided attorneys’ fees of $262,500, and awards of $1,250 each to the class representatives.


  • States reach multi-million dollar CRA data breach settlement

    Privacy, Cyber Risk & Data Security

    On November 7, a coalition of 40 state attorneys general, co-led by Massachusetts and Illinois, reached settlements with a credit reporting agency (CRA) and a telecommunications company related to data breaches in 2012 and 2015 that impacted the personal information of millions of consumers nationwide. According to the announcement, in 2012, an identity thief posing as a private investigator accessed and retrieved sensitive personal information, such as names, Social Security numbers, addresses, and/or phone numbers, from a database company that the CRA purchased. The states claimed that the identity thief (who has since pleaded guilty to federal criminal charges for wire fraud, identity fraud, access device fraud, and computer fraud and abuse, among other charges) accessed the information prior to the acquisition and continued to do so afterwards. Affected consumers were allegedly never informed of the data breach. Later, in 2015, the CRA reported it experienced a data breach affecting personal information, including consumers’ driver’s license and passport numbers, as well as information used by the telecommunications company to make credit assessments, which the CRA stored on behalf of the telecommunications company. Following the breach, the CRA offered two years of credit monitoring services to affected consumers.

    Under the terms of the settlements (see here and here), the CRA has agreed to pay a combined total of $13.67 million to the states in connection with the 2012 and 2015 data breaches, and will strengthen its data security practices. According to the announcement, these measures will require the CRA to (i) maintain comprehensive incident response and data breach notification plans; (ii) strengthen the vetting and oversight of third parties that have access to consumers’ personal information; (iii) develop an Identity Theft Prevention Program to detect potential red flags in customer accounts; (iv) not misrepresent to consumers the extent to which the privacy and security of their personal information is protected; (v) strengthen due diligence provisions to ensure the CRA properly vets acquisitions and evaluates data security concerns prior to integration; and (vi) implement data minimization and disposal requirements, including undertaking specific efforts designed to reduce the use of Social Security numbers as an identifier. The CRA will also offer affected consumers five years of free credit monitoring services, during which time consumers will be able to receive two free copies of their credit report annually.

    Separately, the telecommunications company agreed to pay more than $2.43 million to the states, and will maintain a written information security program, including vendor management provisions to ensure vendors take reasonable security measures to safeguard consumers’ personal information. This will involve, among other things, maintaining a third-party risk management team to oversee vendors’ security, outlining specific security requirements in vendor contracts, and employing a variety of security assessment and monitoring practices to confirm vendor compliance. The telecommunications company will also provide employee training on the requirements of its information security measures and implement a written cyber incident and response plan to prepare for and respond to security events.
