
InfoBytes Blog

Financial Services Law Insights and Observations


  • District Court: Employees are not “customers” under California Customer Records Act in breach lawsuit

    Privacy, Cyber Risk & Data Security

    On February 24, the U.S. District Court for the Southern District of New York granted a waste management company’s motion to dismiss putative class action data breach claims after determining, in part, that the plaintiffs failed to allege how the company breached any duty of care. Plaintiffs, comprised of current and former employees, sued the company, claiming a 2021 data breach exposed their personally identifiable information (PII) to an unauthorized actor. The complaint stated that several plaintiffs were victims of apparent identity theft and alleged negligence, breach of contract and implied contract, breach of confidence, breach of fiduciary duty, unjust enrichment, and breach of the California Consumer Privacy Act, the state’s Unfair Competition Law, and the California Customer Records Act (CCRA). In dismissing the case, the court concluded, among other things, that the plaintiffs failed to plead facts showing specific measures that the company did or did not take, such as data encryption, to protect employee data. Additionally, the complaint did not “contain any allegations regarding the manner in which their systems were breached.” Moreover, the court determined that the complaint did not plausibly allege that the employees qualify as “customers” under the CCRA (a “customer” under the law is defined as “an individual who provides personal information to a business for the purpose of purchasing or leasing a product or obtaining a service from the business,” but in this matter, the court stated the plaintiffs did not allege that they provided their PII to the company in exchange for a product or service; rather, they were required to give their PII as part of their employment). The court also ruled that the plaintiffs did not plausibly allege that the company unreasonably delayed notifying them of the data breach by waiting 24 days after the breach to provide notice.

    Privacy/Cyber Risk & Data Security Courts California CCPA CCRA State Issues Data Breach Class Action New York

  • District Court approves settlement in data breach suit

    Privacy, Cyber Risk & Data Security

    On February 22, the U.S. District Court for the Central District of California granted final approval of a class settlement and ordered a final judgment between a plaintiff class and a provider of outpatient imaging (defendant) resolving allegations that the defendant was responsible for failing to establish adequate security measures to protect its customers’ and employees’ data. According to the preliminary approval order, a third party gained unauthorized access to the defendant’s server, which stored the plaintiffs’ sensitive personal identifying information. The order noted that the security incident put the plaintiffs “at a high risk of identity theft and other cybercrimes.” The plaintiffs alleged in the complaint that the defendant violated California's Unfair Competition Law, the California Consumer Privacy Act, and the FTC Act, among other things, by failing “to adequately ensure the privacy, confidentiality, and security of employee data entrusted to it and Defendant’s failure to have adequate data security measures in place.” Under the terms of the order, the defendant is required to establish a $2.6 million settlement fund to provide monetary settlement benefits to class members within forty-five days of a preliminary approval order directing class notice. The plaintiff class will be separated into two tiers: a nationwide class consisting of individuals residing in the U.S. who were or may have been impacted in the data breach, and a California subclass consisting of individuals who resided in California on July 18, 2020, who were or may have been impacted in the data breach. The order also granted $650,000 in class counsel fees and approximately $50,000 in costs and expenses. Each lead plaintiff received $1,500 as part of the settlement.

    Privacy/Cyber Risk & Data Security Courts Data Breach California CCPA FTC Act Class Action

  • Consulting firm agrees to $4.95 million settlement to resolve class data breach claims

    Privacy, Cyber Risk & Data Security

    On February 16, the U.S. District Court for the Southern District of New York granted final approval of a $4.95 million class action settlement, resolving allegations that a consulting firm failed to use reasonable data security measures when designing web-based portals for state employment agencies in Illinois, Colorado, and Ohio. According to the class’s supplemental brief in support of their motion for final approval, the allegedly poorly designed websites were subject to a data breach that resulted in unauthorized access to unemployment seekers’ personally identifiable information. The parties agreed to a nationwide settlement class of 237,675 individuals in Illinois, Colorado, and Ohio. These individuals were notified by their state employment agencies that certain personal information submitted when applying for pandemic-related unemployment claims may have been inadvertently exposed in a data breach. Under the terms of the settlement, the defendant agreed to establish a $4.95 million settlement fund to compensate eligible claimants, and will pay more than $1.6 million in attorneys’ fees and costs, as well as class member service awards.

    Privacy/Cyber Risk & Data Security Courts Data Breach Class Action Settlement

  • District Court rules transmitting debtor information to third-party violates FDCPA

    Courts

    On February 2, the U.S. District Court for the Eastern District of Pennsylvania denied a defendant’s motion for judgment on the pleadings, ruling that transmitting a debtor’s personal information to a third-party mail vendor for the purposes of sending a debt collection letter constitutes a communication “in connection with the collection of any debt” under the FDCPA. As previously covered by InfoBytes, in Hunstein v. Preferred Collection & Management Services, the U.S. Court of Appeals for the Eleventh Circuit held that transmitting a consumer’s private data to a commercial mail vendor to generate debt collection letters violates Section 1692c(b) of the FDCPA because it is considered transmitting a consumer’s private data “in connection with the collection of any debt.” The district court found this reasoning “persuasive,” ruling that the plain text of the statute encompasses communications with a third party mail vendor. The district court also rejected the defendant’s arguments that the CFPB and FTC had tacitly endorsed third-party mailers by not pursuing enforcement actions against them: “[B]ecause the agencies tasked with regulating and enforcing the FDCPA have not addressed the use of letter vendors by debt collectors in any legally significant way, and because the statutory language is not subject to a different reading, the Court will afford no deference to the indeterminate actions of the CFPB and FTC.”

    Courts Data Breach Class Action FDCPA Appellate Eleventh Circuit Hunstein Debt Collection

  • District Court partially grants summary judgment to defendants in FCA case

    Courts

    On February 1, the U.S. District Court for the Eastern District of California denied a relator’s (plaintiff’s) motion for summary judgment on an allegation of promissory fraud in violation of the False Claims Act (FCA) in a case against a rocket manufacturer and its subsidiary (defendants). The court similarly denied the defendants’ cross-motion for summary judgment on the promissory fraud violation, but granted the defendants’ motion for summary judgment with respect to allegations of false certification in violation of the FCA. According to the opinion, the plaintiff, who was briefly employed by the defendants as the senior director for Cyber Security, Compliance, and Controls, alleged that the defendants fraudulently induced the government to contract with the defendants in 18 contracts, while knowingly out of compliance with Defense Federal Acquisition Regulation 48 C.F.R. § 252.204-7012 and NASA Federal Acquisition Regulation 48 C.F.R. § 1852.204-76, which impose cybersecurity and confidentiality requirements applicable to persons who receive government contracts. The court noted that the plaintiff’s claims were based in part on allegations that the defendants failed to disclose data breaches when required to do so. Conversely, the defendants argued that they had disclosed their non-compliance with the identified regulations to the DoD and to NASA on multiple occasions and had been working with the government to obtain a waiver. In light of this, the court denied summary judgment on the promissory fraud violation, holding that “[a] genuine dispute of material fact exists as to the sufficiency of the disclosures[.]” The court also decreased the number of contracts it will assess from 18 to 7, holding that it will only rule on allegations that pertain to events before the case was filed in 2015. The court granted the defendants’ motion for summary judgment with respect to allegations of false certification on the grounds that “relator’s claim for false certification is based solely on an invoice payment under a NASA contract that was entered into after relator brought this action and is therefore not a proper basis for his false certification claim.”

    Courts Data Breach False Claims Act / FIRREA Privacy/Cyber Risk & Data Security Relator

  • District Court approves class settlement in data breach

    Courts

    On January 28, the U.S. District Court for the Northern District of California granted the plaintiffs’ motion for final approval of a class action settlement alleging that an online support services provider (defendant) failed to adequately secure and safeguard the payment card data and other personally identifiable information that it collected while customers shopped and interacted with customer service websites. According to the order, four companies contracted with the defendant to provide sales software, customer service software, and voice and chat agent services for sales support for online shoppers. However, according to the plaintiff class, the defendant was allegedly negligent in securing customers’ data, which permitted hackers to access their names, addresses, and credit card information, in violation of California’s Unfair Competition Law and Illinois’ Consumer Fraud and Deceptive Business Practices Act. The plaintiff class also alleged that the defendant did not disclose the breach for a period of approximately six months after the breach was detected and fixed in October 2017. Under the terms of the settlement, class members are eligible to receive reimbursement from the defendant of up to $2,000 if documentation is provided to prove they incurred out-of-pocket expenses resulting from the intrusion, which includes unreimbursed bank fees, long distance calling charges, and costs of credit reports or fraud reimbursement services purchased in the wake of the breach. Additionally, class members who assert that they spent three hours or less dealing with the breach can also separately receive compensation at a rate of $20 per hour for that lost time, and may claim an additional two hours of lost time “if they can provide adequate documentation of those additional two hours spent dealing with the [d]ata [i]ncident,” according to the order. The court also awarded class counsel $450,000 in attorney fees and litigation costs and expenses, and $2,000 service awards to each of the three lead plaintiffs.

    Courts Data Breach Class Action Privacy/Cyber Risk & Data Security Settlement

  • SEC chair considers updating cybersecurity rules

    Securities

    On January 24, SEC Chair Gary Gensler discussed the agency’s cybersecurity policy work before the Northwestern Pritzker School of Law’s Annual Securities Regulation Institute. Gensler commented that the SEC is working to improve the overall cybersecurity resiliency of the financial sector with a focus on four groups of entities, including broker-dealers and investment companies, public companies, service providers that are not necessarily registered with the agency but that work with SEC financial sector registrants, and the SEC itself. Areas that may benefit from being “freshen[ed] up” include SEC regulations related to systems compliance and integrity (which focus on reducing the occurrence of system issues and improving resiliency), as well as cyber “hygiene” and incident reporting requirements. With respect to data privacy, Gensler commented that there may be opportunities to modernize and expand Regulation S-P, which requires registered broker-dealers, investment companies, and investment advisers to protect customer records and information. Noting that Regulation S-P was adopted more than two decades ago, Gensler has also asked SEC staff to provide “recommendations about how customers and clients receive notifications about cyber events when their data has been accessed,” including breaches of personally identifiable information. He stated that recommendations could also include changes to the timing and substance of notifications currently required under Regulation S-P. Gensler also asked for recommendations on whether and how to update public companies’ cybersecurity practices and cyber risk disclosures. He also noted that the SEC needs to explore and address cybersecurity risks arising from service providers, adding that measures “could include holding registrants accountable for service providers’ cybersecurity measures with respect to protecting against inappropriate access and investor information.”

    Securities Privacy/Cyber Risk & Data Security SEC Data Breach Agency Rule-Making & Guidance

  • District Court dismisses data breach class action

    Courts

    On January 19, the U.S. District Court for the Southern District of New York dismissed a class action against a menswear company (defendant) accused of exposing personal information in a December 2020 data breach. According to the opinion, the plaintiff bought items on the defendant’s website in 2013, and more than six years later, hackers allegedly accessed the defendant’s backup cloud database and stole the personal information of the defendant’s online customers, including customers’ addresses, telephone numbers, email addresses, order history, Internet Protocol addresses, encrypted passwords, and partial credit card numbers. The defendant sent notices to affected customers, disclosing that “an unauthorized third party may have been able to view some of your account details, including your contact information and encrypted password.” The notice further explained that users’ encrypted passwords were protected so the actual passwords were not visible, and that users’ payment card information was not affected by the breach. The notice advised that the company was resetting the passwords and had logged users out of their accounts. In response to the message, the plaintiff allegedly changed his password, placed a security freeze on his credit, purchased credit repair and protection services, and purchased a robocall-blocking subscription. The plaintiff alleged that he “spent time dealing with the increased and unwanted spam, text[s], telephone calls, and emails” that he received after the data breach. In dismissing the lawsuit, the court explained that the plaintiff did not show he faced a “substantial” risk of identity theft or fraud. In addition, the court held that “given the nature and age of the data, the likelihood that its exposure would result in harm to [the plaintiff] is too remote to support standing.”

    Courts Class Action Data Breach Privacy/Cyber Risk & Data Security

  • FCC proposes new reporting on telecom data breaches

    Federal Issues

    On January 12, the FCC announced that it shared, among the FCC staff, a notice of proposed rulemaking (NPRM) to strengthen the rules for notifying consumers and federal law enforcement of breaches of customer proprietary network information. According to the FCC, the NPRM “would better align the Commission’s rules with recent developments in federal and state data breach laws covering other sectors,” and “further advances the FCC’s efforts to ensure its rules keep pace with evolving cybersecurity threats and to protect consumers in the face of today’s challenges.” The NPRM outlines certain updates to current FCC rules that address telecommunications carriers’ breach notification requirements, including: (i) “[e]liminating the current seven business day mandatory waiting period for notifying customers of a breach”; (ii) “[e]xpanding customer protections by requiring notification of inadvertent breaches”; and (iii) “[r]equiring carriers to notify the Commission of all reportable breaches in addition to the FBI and U.S. Secret Service.” The NPRM solicits feedback regarding whether the FCC should require customer breach notices to include specific categories of information “to help ensure they contain actionable information useful to the consumer.” According to FCC Chairwoman Jessica Rosenworcel, current laws “need updating to fully reflect the evolving nature of data breaches and the real-time threat they pose to affected consumers.”

    Federal Issues Privacy/Cyber Risk & Data Security FCC Data Breach Agency Rule-Making & Guidance

  • New Jersey settles CFA and HIPAA violations following 2019 data breach

    Privacy, Cyber Risk & Data Security

    On December 15, the acting New Jersey attorney general and the Division of Consumer Affairs reached a settlement with three New Jersey-based medical providers for allegedly violating the New Jersey Consumer Fraud Act and the federal Health Insurance Portability and Accountability Act (HIPAA) by failing to adequately safeguard patient data. The settlement resolved allegations that patients’ personal and protected health information, including health records, driver’s license numbers, Social Security numbers, financial account numbers, and payment card numbers, was exposed when several employee email accounts were compromised in a 2019 data breach. The AG additionally contended that while notifying clients of the initial data breach, the defendants “improperly disclosed patient data when a third-party vendor improperly mailed notification letters intended for 13,047 living patients by addressing the letters to those patients’ prospective next-of-kin.” Federal and state law require medical providers to implement appropriate safeguards to protect consumers’ sensitive health and personal information and to identify potential threats—measures, the AG alleged, the defendants failed to take. Without admitting to any violation of law, the defendants agreed to the terms of the consent order and will pay $353,820 in penalties and $71,180 in attorneys’ fees and investigative costs. The defendants will also adopt additional comprehensive privacy and security measures to safeguard consumers’ protected information and will obtain a third-party assessment of their policies and practices related “to the collection, storage, maintenance, transmission, and disposal of patient data.”

    Privacy Cyber Risk & Data Security State Issues State Attorney General Settlement Data Breach Consumer Protection
