Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
On March 18, the U.S. District Court for the Northern District of Illinois denied a retailer’s motion to certify for interlocutory appeal the court’s earlier ruling denying, in part, the retailer’s motion to dismiss. This multi-district litigation involves allegations that the retailer used a database containing photographs of individuals and other information to identify people whose images appeared in its surveillance cameras, in violation of the Illinois Biometric Information Privacy Act (BIPA), and California and New York laws. In denying the request for interlocutory appeal, the district court held that its earlier ruling had faithfully applied U.S. Court of Appeals for the Seventh Circuit precedent regarding standing of those who allege invasions of their personal privacy, and that the Supreme Court’s decision in TransUnion v. Ramirez (covered by InfoBytes here) did not undermine that precedent. It also held that the retailer’s disagreement with its prior application of the alleged facts to BIPA and its prior ruling that the plaintiffs had stated claims under California and New York laws did not warrant interlocutory review.
On August 22, the U.S. District Court for the Northern District of Illinois granted final approval of a class action settlement, resolving claims that a China-based technology company and its subsidiaries (collectively, “defendants”) violated Illinois’ Biometric Information Privacy Act (BIPA), among other things, by defying state and federal privacy laws through a social media platform and entertainment application (app). The first of the 21 putative class actions comprising this multidistrict litigation were filed in 2019, and the other 20 putative class actions were filed in 2020 in separate federal districts. Class members, comprised of U.S. residents who used the app prior to preliminary approval, and an Illinois subclass of all Illinois residents who used the app to create videos before preliminary approval, filed a consolidated amended class action complaint in 2020, claiming that the defendants harvested and profited from users’ private information, including their biometric data, geolocation information, personally identifiable information, and unpublished digital recordings. The defendants argued, among other things, that the class members consented to the alleged misconduct by accepting the app’s terms of service.
Under the terms of the settlement, the defendants must pay “$92 million in monetary relief and an array of injunctive relief for the putative settlement class.” The settlement also requires the defendants to, among other things: (i) refrain from using the app to collect or store certain U.S. user data, including biometric data and geolocation information, without making the necessary disclosures; (ii) delete all pre-uploaded user-generated content collected from U.S. users who did not “save” or “post” the content; and (iii) require a new, yearly training program for the defendants’ employees and contractors regarding compliance with data privacy laws.
On July 21, the U.S. District Court for the Northern District of California issued an order approving a $117.5 million class action settlement, including $23 million in attorneys’ fees, with a global internet company to resolve multidistrict litigation concerning the exposure of class members’ sensitive information stemming from multiple data breaches. The settlement approval follows a fairness hearing, as the court originally denied preliminary approval due to several identified deficiencies (covered by InfoBytes here), including that the settlement inadequately disclosed the sizes of the settlement fund and class, as well as the scope of non-monetary relief, and “appear[ed] likely to result in an improper reverter of attorneys’ fees.” Last July, the court preliminarily signed off on a revised settlement, conditionally certifying a class of U.S. and Israeli residents and small businesses with accounts between 2012 and 2016 that were affected by the breaches. These class members have been certified in the final approved settlement, which requires the company to provide class members with either two years of credit monitoring services or alternative compensation for members who already have credit monitoring. Among other things, the company will allocate at least $66 million each year to its information security budget until 2022, will increase the number of full-time security employees from current levels, and will “align its information security program with the National Institute of Standards and Technology Cybersecurity Framework” and “undertake annual third-party assessments to ensure compliance” with the framework.
On May 15, a putative class of financial institutions filed an unopposed motion for preliminary approval of a settlement in a multidistrict litigation stemming from a credit reporting agency’s (CRA) 2017 data breach. The class, comprised of financial institutions that issued credit or debit cards whose information was believed to have been breached, argued that the data breach was the result of the CRA’s alleged failure to implement the necessary precautions to safeguard consumers’ personally identifiable information (PII). The class further contended that financial institutions suffer the primary harm caused by identity theft, because they “bear the risk of loss when identity thieves use a customer’s PII to open accounts, transfer funds, take out loans, make fraudulent transactions, or obtain credit or debit cards in the customer’s name.”
The proposed settlement—pending approval from the U.S. District Court for the Northern District of Georgia—will require the CRA to pay $5.5 million to class members that submit valid claims, spend at least $25 million over a two-year period on “data security measures pertinent to the [financial intuitions] and their claims,” and cover settlement administration and notice costs, as well as agreed-upon attorney fees, expenses, and named-plaintiff service awards. The motion for preliminary approval states that the CRA will also, among other things, (i) adopt and/or maintain certain measures in order to identify “reasonably foreseeable threats” to PII; (ii) respond to identified vulnerabilities that may impact the confidentiality of PII; (iii) design safeguards to manage risks identified though data security risk assessments; (iv) implement a security control framework consistent with requirements for systems that “store, process, or transmit [p]ayment [c]ard [d]ata in connection with U.S. payment card transactions”; and (v) maintain a compliance program and submit annual certifications to class counsel.
On February 7, the U.S. District Court for the District of Maryland ruled in a multidistrict litigation action that a proposed class of banks may proceed with negligence claims under Louisiana law and pursue declaratory and injunctive relief against an international hospitality company. In this case, the company’s data breach allegedly required the banks to cancel or reissue credit and debit cards, and issue refunds and credit associated with unauthorized transactions. The Louisiana bank brought the action as the representative of a class of banks that reimbursed customers for fraud on payment card accounts identified as potentially compromised because of the data breach. According to the opinion, the proposed class “has alleged facts sufficient to establish injury and causation under the Article III standing requirements.” The court rejected the company’s argument that the negligence claims are barred by Louisiana’s economic loss doctrine—which precludes recovery when the only alleged damages are economic—stating that Louisiana does not employ the doctrine in the strict sense that is applied in other states, but rather employs “a ‘duty-risk’ analysis.” The court stated that plaintiffs suing for only economic damages “must prove that there is an ‘ease of association between the rule of conduct, the risk of injury, and the loss sought to be recovered.’” The court concluded that “a reasonable trier of fact” may find an association between the company’s data collection practices and economic loss to payment card issuers. Here, the court stated, the banks are attempting to recover economic damages incurred after credit and debit cards were compromised due to the alleged negligent storage of sensitive payment card information. Moreover, the banks alleged they were forced to reimburse cardholders for fraudulent activity and incur costs to prevent future activity on those compromised cards.
On January 24, the U.S. District Court for the District of South Carolina entered final judgment for the approval of a $43 million settlement between a national bank and consumers to resolve multidistrict litigation (MDL) concerning overdraft charges. According to the settlement, since 2013, several groups of consumers have filed putative class action complaints against the bank in multiple jurisdictions alleging improper assessment and collection of overdraft fees, including claims that class members incurred overdraft fees as a result of the bank’s alleged practice of assessing fees based on an account’s available balance rather than its ledger balance. Other claims include allegations that the bank assessed overdraft fees for an ATM or one-time debit card transaction, assessed sustained overdraft fees, or assessed overdraft fees on ride-sharing transactions. In 2015 the Judicial Panel for Multi-District Litigation consolidated the actions for pretrial purposes.
In 2018, as previously covered by InfoBytes, the court dismissed one of the complaints in the MDL action, which alleged that the bank’s $20 overdraft fee is an interest charge on credit and therefore exceeds usury limits under the National Bank Act (NBA). The court noted that it had previously rejected a materially identical usury claim in December 2015 and that no new evidence or authority had been brought to light that would change its decision. In addition, the court concluded that “the law is still clear that sustained overdraft fees are not interest, and that assessing such fees cannot violate the usury provision of the NBA.” In 2019, the parties agreed to settle the action in its entirety, without any admission of liability by the bank. Under the terms of the settlement agreement, six classes of consumers will receive payouts or overdraft fee forgiveness, which will include $27 million “in the form of reductions to the outstanding balances of [class members] whose accounts were closed with amounts owed to the [bank].”
On February 5, the U.S. District Court for the District of Massachusetts issued an order granting a national bank’s motion to dismiss a multidistrict litigation complaint for failure to state a claim. Plaintiffs, in an attempt to recover losses from an internet phone service company’s pyramid scheme that ran from 2012 to 2014, alleged that the bank assisted the company’s pyramid scheme by, among other things, maintaining depository accounts for the company, receiving interest on funds held in the accounts, processing transactions, and receiving fees for wire transfers. However, the court found that the investors failed to adequately allege that the bank had any actual knowledge of the underlying fraud. “The complaint is devoid of any allegation that the fees, interest, and charges received by [the bank] were anything more than payments for banking services,” the court wrote, and thus “have failed to allege that they were ‘unjust.’”