On June 3, the U.S. Court of Appeals for the Eleventh Circuit affirmed a district court’s approval of a roughly $380.5 million settlement between a class of consumers (plaintiffs) and a large consumer reporting agency (CRA), which resolved allegations arising from a 2017 cyberattack that caused a data breach of the CRA. (Covered by InfoBytes here.) The 11th Circuit’s opinion resolves challenges brought by objectors to the settlement who argued that plaintiffs lacked Article III standing because they did not have their identities stolen, and challenged, among other things, certain procedural requirements, the appropriateness of class certification given the possibility that some class members may have been able to recover state statutory damages, and the district court’s adoption of an approval order “ghostwritten” by plaintiffs’ counsel. The objectors also argued that the settlement was inadequate given the “unique risks associated with stolen social security numbers,” and disagreed with the award of $77.5 million in attorneys’ fees, as well as the district court’s decision to impose appeal bonds of $2,000 on each objector.
On appeal, the 11th Circuit rejected almost all of the objectors’ arguments after determining that class members, even those who were not victims of identity theft, faced a material risk of harm. The appellate court also held that the procedural requirements were not particularly burdensome given the roughly 147 million class members involved. It further concluded that the fact that class members in a couple of states could have argued for statutory damages did not make the named plaintiffs inadequate class representatives. The appellate court also noted that (i) the settlement addressed the seriousness of the stolen social security numbers; (ii) attorneys’ fees (equal to 20.36 percent of the common fund) were within the reasonable range; (iii) objectors failed to show any “practice of uncritically adopting counsel’s proposed orders”; and (iv) the district court did not “abuse its discretion when it imposed the appeal bonds based on its finding that there was a ‘substantial risk that the costs of appeal will not be paid unless a bond is required.’” Finally, the 11th Circuit noted that “[a]bsent the settlement, the class action could have faced serious hurdles to recovery, and now the class is entitled to significant settlement benefits that may not have even been achieved at trial,” adding that the FTC, CFPB, and state attorneys general for 48 states, the District of Columbia, and Puerto Rico all support the settlement.
The appellate court, however, did reverse the district court’s award of incentive payments to the class representatives and remanded the case solely for the purpose of vacating those awards.
On July 24, the CFPB announced plans to issue an Advance Notice of Proposed Rulemaking (ANPR) on consumer-authorized access to financial records later this year. The future ANPR relates to the February symposium held by the Bureau covering this subject and Section 1033 of the Dodd-Frank Act, which deals with consumers’ rights to access information about their financial accounts. As previously covered by InfoBytes, the purpose of the symposium was “to elicit a variety of perspectives on the current and future state of the market for services based on consumer-authorized use of financial data.” The symposium consisted of three panels: (i) the current landscape and benefits and risks of consumer-authorized data access; (ii) market developments; and (iii) considerations for policymakers. Along with the ANPR announcement, the Bureau released a report summarizing the February symposium.
According to the Bureau, the future ANPR will solicit feedback on (i) how the Bureau can effectively and efficiently implement the financial access rights described in Section 1033 of Dodd-Frank; (ii) the possible scope of data that might be subject to protected access; and (iii) how the Bureau may be able to solve the regulatory uncertainty of Section 1033’s interaction with other statutes, such as the FCRA.
On February 26, the CFPB held a symposium covering consumer access to financial records and Section 1033 of the Dodd-Frank Act, which deals with consumers’ rights to access information about their financial accounts. In her opening remarks, Director Kathy Kraninger pointed out three major changes in data aggregation since the OCC first warned banks about aggregating consumer data in 2001: (i) “the range of actors involved has expanded greatly”; (ii) “the extent to which they are using aggregated data to provide new products and services to millions of American consumers has grown in scope and scale”; and (iii) “technologies that enable safer and more efficient consumer authorized data sharing continue to evolve and proliferate.” According to the CFPB’s press release, the purpose of this symposium was “to elicit a variety of perspectives on the current and future state of the market for services based on consumer-authorized use of financial data.” The symposium consisted of three panels: (i) the current landscape and benefits and risks of consumer-authorized data access; (ii) market developments; and (iii) considerations for policymakers. Panel highlights include:
- Panel #1. The panelists considered potential benefits and risks for consumers around data access as well as the current landscape and benefits and risks of consumer-authorized data access. Panelists agreed that consumers should be given control over their data and also mentioned the need to educate consumers on data security. One panelist suggested that consumers need to understand not only the breadth of data that is accessible, but also what sensitive consumer data is being accessed, stored, and shared. She stressed that entities storing/accessing the data should be subject to the same supervision for cyber security standards as banks.
- Panel #2. The panel, which was comprised of experts in market developments and trends, including in the areas of cash flow underwriting and the business of securing consumer permission to access checking account data, discussed market developments in consumer-authorized data access. One panelist suggested that the U.S. is behind countries like Australia and Canada (where government intervention in the market clarified consumers’ legal right to access their financial data) because of a lack of connectivity and of data field availability in the U.S. Others discussed alternatives to the current screen scraping model, which does not advance transparency or traceability for consumers, such as a model based on an application programming interface (API); APIs can be used to combine data from various sources into one application. The panelists also discussed tokenized authentication as a possible middle phase in the move from screen scraping to APIs. Panelists suggested that the market is making significant technological improvements, but lacks guidance from policymakers.
- Panel #3. The third panel focused on “where we are going and how we get there,” or the “future of the market,” and on “considerations for policymakers on how to” ensure consumer data is safeguarded “while ensuring that consumers have continual access to their data.” Among other things, the panel noted that regulatory intervention in this space has not been common. Many panelists also mentioned areas of uncertainty, including whether banks or consumers should decide the limitations of rights to consumer data. Regarding Section 1033, one panelist suggested that the bank view is that the CFPB does not need to regulate here and should not provide consumers and their agents with access to their information; however, any entities that have access to the data should be regulated. Others believed that banks and other financial institutions do not view Section 1033 correctly. Another area of uncertainty discussed was whether the consumer data right is an ownership right, and whether a bank can decide to whom it will or will not provide consumer data.
On February 20, the CFPB announced that its fourth symposium, regarding Consumer Access to Financial Records and Section 1033 of the Dodd-Frank Act, will be held February 26 at 9:30 am EST. The event will be webcast on the Bureau’s website. According to the Bureau, Section 1033 “addresses consumers’ rights to access information about their financial accounts.” The symposium—featuring remarks from Director Kathy Kraninger and consisting of three panels of experts—will solicit a variety of perspectives on the current and future market for services based on consumer-authorized use of financial data. The first panel, moderated by Paul Watkins, Assistant Director in the Bureau’s Office of Innovation, will discuss the current landscape of holders of consumer data and the benefits and risks of consumer-authorized data access. The second panel will examine market developments in consumer-authorized data access and will be moderated by Will Wade-Gery, Senior Advisor in the Bureau’s Office of Innovation. The third panel will assess the future state of the market, as well as considerations for policymakers on safeguarding consumer data while ensuring consumers have continual access to their data. This panel will be moderated by Thomas Devlin, Managing Counsel in the Bureau’s Research, Markets and Regulation Division.
Find prior InfoBytes symposium coverage here.
On January 13, the U.S. District Court for the Northern District of Georgia issued a final order and judgment in a class action settlement between a class of consumers (plaintiffs) and a large consumer reporting agency (company) to resolve allegations arising from a 2017 cyberattack causing a data breach of the company. After the company announced the breach, many consumers filed suit and were eventually joined into a proposed settlement class. As previously covered by InfoBytes, the plaintiffs alleged that the company (i) failed to provide appropriate security to protect stored personal consumer information; (ii) misled consumers regarding the effectiveness and capacity of its security; and (iii) failed to take proper action when vulnerabilities in its security system became known. The company and the plaintiffs later submitted a proposed settlement order to the court.
According to the final order and judgment, the court certified the settlement class of the approximately 147 million affected consumers, finding the class was adequately represented, and approved the “distribution and allocation plan” as fair and reasonable. Under the settlement given final approval in the order, the company agreed to, among other things, pay $380.5 million into a settlement fund and potentially up to $125 million more to cover “certain out-of-pocket losses,” $77.5 million for attorneys’ fees, and approximately $1.4 million for reimbursement of expenses. Class members are eligible for additional benefits including up to 10 years of credit monitoring and identity theft protection services, or cash compensation if they already have those services, as well as identity restoration services for seven years. The company also agreed to spend at least $1 billion on data security and technology over the next five years.
On November 13, Missouri Attorney General Joshua Hawley announced that his office has issued a civil investigative demand (CID) to a major California-based technology company as part of an investigation into suspected violations of the Missouri Merchandising Practices Act and the state’s antitrust laws. The investigation is focused on certain business practices, including, with respect to privacy issues, the company’s collection, use, retention, storage, sale, and dissemination of information and data about its users and their online activities. The CID requests documents and communications related to, among other things, (i) the company’s privacy policies; (ii) the collection and sharing of data that constitutes “personal information” related to the company’s users; (iii) disclosures concerning the collection of consumers’ credit or debit card transactions; (iv) data the company discloses or shares with third parties, and the identification of third-party partners; and (v) how the company tracks users’ online activities. The company has until January 22, 2018 to comply.
- Benjamin W. Hutten to discuss “Ongoing CDD: Operational considerations” at NAFCU’s Regulatory Compliance & BSA Seminar
- James C. Chou to discuss ransomware at NAFCU’s Regulatory Compliance & BSA Seminar
- Jedd R. Bellman to provide an “Attorney exemption/medical debt update” at the North American Collection Agency Regulatory Association annual conference
- Kathryn L. Ryan to discuss “What should crypto regulation look like: Legislation, regulation and consumer issues” at WCL's First Annual Virtual Currency Law Institute
- Elizabeth E. McGinn to discuss “How to mitigate and manage third-party risks: Leveraging tools and best practices” at The Knowledge Group’s webcast
- Elizabeth E. McGinn, Benjamin W. Hutten, and James C. Chou to discuss “The evolving regulatory landscape: Third-party and cyber risk management” at the 2022 mWISE Conference
- Sherry-Maria Safchuk to discuss “For your eyes only: Privacy updates for 2022-2023” at CCFL’s Annual Consumer Financial Services Conference
- James T. Parkinson to present a “Global anti-corruption update” at IBA’s annual conference