On July 21, the U.S. District Court for the Northern District of California issued an order approving a $117.5 million class action settlement, including $23 million in attorneys’ fees, with a global internet company to resolve multidistrict litigation concerning the exposure of class members’ sensitive information stemming from multiple data breaches. The settlement approval follows a fairness hearing, as the court originally denied preliminary approval due to several identified deficiencies (covered by InfoBytes here), including that the settlement inadequately disclosed the sizes of the settlement fund and class, as well as the scope of non-monetary relief, and “appear[ed] likely to result in an improper reverter of attorneys’ fees.” Last July, the court preliminarily signed off on a revised settlement, conditionally certifying a class of U.S. and Israeli residents and small businesses with accounts between 2012 and 2016 that were affected by the breaches. These class members have been certified in the final approved settlement, which requires the company to provide class members with either two years of credit monitoring services or alternative compensation for members who already have credit monitoring. Among other things, the company will allocate at least $66 million each year to its information security budget until 2022, will increase the number of full-time security employees from current levels, and will “align its information security program with the National Institute of Standards and Technology Cybersecurity Framework” and “undertake annual third-party assessments to ensure compliance” with the framework.
On May 15, a putative class of financial institutions filed an unopposed motion for preliminary approval of a settlement in a multidistrict litigation stemming from a credit reporting agency’s (CRA) 2017 data breach. The class, comprised of financial institutions that issued credit or debit cards whose information was believed to have been breached, argued that the data breach was the result of the CRA’s alleged failure to implement the necessary precautions to safeguard consumers’ personally identifiable information (PII). The class further contended that financial institutions suffer the primary harm caused by identity theft, because they “bear the risk of loss when identity thieves use a customer’s PII to open accounts, transfer funds, take out loans, make fraudulent transactions, or obtain credit or debit cards in the customer’s name.”
The proposed settlement—pending approval from the U.S. District Court for the Northern District of Georgia—will require the CRA to pay $5.5 million to class members that submit valid claims, spend at least $25 million over a two-year period on “data security measures pertinent to the [financial institutions] and their claims,” and cover settlement administration and notice costs, as well as agreed-upon attorney fees, expenses, and named-plaintiff service awards. The motion for preliminary approval states that the CRA will also, among other things, (i) adopt and/or maintain certain measures in order to identify “reasonably foreseeable threats” to PII; (ii) respond to identified vulnerabilities that may impact the confidentiality of PII; (iii) design safeguards to manage risks identified through data security risk assessments; (iv) implement a security control framework consistent with requirements for systems that “store, process, or transmit [p]ayment [c]ard [d]ata in connection with U.S. payment card transactions”; and (v) maintain a compliance program and submit annual certifications to class counsel.
On February 7, the U.S. District Court for the District of Maryland ruled in a multidistrict litigation action that a proposed class of banks may proceed with negligence claims under Louisiana law and pursue declaratory and injunctive relief against an international hospitality company. In this case, the company’s data breach allegedly required the banks to cancel or reissue credit and debit cards, and issue refunds and credit associated with unauthorized transactions. The Louisiana bank brought the action as the representative of a class of banks that reimbursed customers for fraud on payment card accounts identified as potentially compromised because of the data breach. According to the opinion, the proposed class “has alleged facts sufficient to establish injury and causation under the Article III standing requirements.” The court rejected the company’s argument that the negligence claims are barred by Louisiana’s economic loss doctrine—which precludes recovery when the only alleged damages are economic—stating that Louisiana does not employ the doctrine in the strict sense that is applied in other states, but rather employs “a ‘duty-risk’ analysis.” The court stated that plaintiffs suing for only economic damages “must prove that there is an ‘ease of association between the rule of conduct, the risk of injury, and the loss sought to be recovered.’” The court concluded that “a reasonable trier of fact” may find an association between the company’s data collection practices and economic loss to payment card issuers. Here, the court stated, the banks are attempting to recover economic damages incurred after credit and debit cards were compromised due to the alleged negligent storage of sensitive payment card information. Moreover, the banks alleged they were forced to reimburse cardholders for fraudulent activity and incur costs to prevent future activity on those compromised cards.
On January 24, the U.S. District Court for the District of South Carolina entered final judgment for the approval of a $43 million settlement between a national bank and consumers to resolve multidistrict litigation (MDL) concerning overdraft charges. According to the settlement, since 2013, several groups of consumers have filed putative class action complaints against the bank in multiple jurisdictions alleging improper assessment and collection of overdraft fees, including claims that class members incurred overdraft fees as a result of the bank’s alleged practice of assessing fees based on an account’s available balance rather than its ledger balance. Other claims include allegations that the bank assessed overdraft fees for an ATM or one-time debit card transaction, assessed sustained overdraft fees, or assessed overdraft fees on ride-sharing transactions. In 2015 the Judicial Panel for Multi-District Litigation consolidated the actions for pretrial purposes.
In 2018, as previously covered by InfoBytes, the court dismissed one of the complaints in the MDL action, which alleged that the bank’s $20 overdraft fee is an interest charge on credit and therefore exceeds usury limits under the National Bank Act (NBA). The court noted that it had previously rejected a materially identical usury claim in December 2015 and that no new evidence or authority had been brought to light that would change its decision. In addition, the court concluded that “the law is still clear that sustained overdraft fees are not interest, and that assessing such fees cannot violate the usury provision of the NBA.” In 2019, the parties agreed to settle the action in its entirety, without any admission of liability by the bank. Under the terms of the settlement agreement, six classes of consumers will receive payouts or overdraft fee forgiveness, which will include $27 million “in the form of reductions to the outstanding balances of [class members] whose accounts were closed with amounts owed to the [bank].”
On February 5, the U.S. District Court for the District of Massachusetts issued an order granting a national bank’s motion to dismiss a multidistrict litigation complaint for failure to state a claim. Plaintiffs, in an attempt to recover losses from an internet phone service company’s pyramid scheme that ran from 2012 to 2014, alleged that the bank assisted the company’s pyramid scheme by, among other things, maintaining depository accounts for the company, receiving interest on funds held in the accounts, processing transactions, and receiving fees for wire transfers. However, the court found that the investors failed to adequately allege that the bank had any actual knowledge of the underlying fraud. “The complaint is devoid of any allegation that the fees, interest, and charges received by [the bank] were anything more than payments for banking services,” the court wrote, and thus the plaintiffs “have failed to allege that they were ‘unjust.’”