InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
District Court grants class certification in FDCPA suit
On April 27, the U.S. District Court for the Western District of Pennsylvania granted a plaintiff’s motion for class certification in an action against a consumer debt buyer (defendant) for allegedly violating the FDCPA by stating that a judgment may be awarded prior to the expiration of a settlement offer, even though a collection lawsuit was not filed. According to the opinion, the plaintiff received a collection letter from the defendant that offered a “discount program” for his “Legal Collections account without any further legal action,” which had to be accepted within a month. The letter also stated that “[a] judgment could be awarded by the court before the expiration of the discount offer listed in this letter,” despite the fact that at the time the letter was received, there were no pending court cases in which a judgment could be entered against the plaintiff. After receiving the letter, the plaintiff filed suit, alleging that the defendant violated the FDCPA by making false, misleading, and deceptive misrepresentations about the debt. Among other things, the defendant argued that the size of the class would be impossible to ascertain because identifying class members would require individualized inquiries into who received a letter and when. By holding that the FDCPA violation occurred when a letter was sent rather than when it was received, the court rejected the defendant’s argument and ruled instead that individualized inquiry is not necessary. According to the district court, “[r]eviewing this information will, of course, require some level of individualized inquiry. But the need for file-by-file review to identify class members is not fatal to class certification.” The district court further noted that “[c]ourts and parties must be able to determine accrual dates with some degree of certainty,” and “[t[he date of receipt may often be impossible to determine, particularly where the recipient is an individual as opposed to a commercial entity.”
4th Circuit will not revive investors’ data breach case
On April 21, the U.S. Court of Appeals for the Fourth Circuit affirmed a district court’s dismissal of a securities suit against a hotel corporation (defendant) alleging that they misled the plaintiffs regarding data vulnerabilities connected to a major breach of customers’ personal information. According to the opinion, two years after merging with another hospitality corporation, the defendant “learned that malware had impacted approximately 500 million guest records in the [hospitality corporation’s] guest reservation database.” An investor filed a putative class action against the defendant and nine of its officers and directors, alleging that its failure to disclose severe vulnerabilities in the hospitality corporation’s IT systems rendered 73 different public statements false or misleading in violation of Section 10(b) of the Securities Exchange Act of 1934 (Exchange Act) and SEC Rule 10b-5. The district court granted the defendant’s motion to dismiss with prejudice and concluded that the plaintiffs “‘failed to adequately allege a false or misleading statement or omission, a strong inference of scienter, and loss causation,’ which doomed the claim under Section 10(b) and Rule 10b-5 as well as the secondary liability claim [under Section 20(a) of the Exchange Act].” The investor appealed, dropping its challenge to 55 of the statements but maintaining its challenge to the other 18.
On appeal, the 4th Circuit agreed with the district court that the defendant’s statements about the importance of cybersecurity were not misleading with respect to the quality of its cybersecurity efforts. The appellate court found that “[t]he ‘basic problem’ with the complaint on this point is that ‘the facts it alleges do not contradict [the defendant’s] public disclosures,’” and that reiterating the “basic truth” that data integrity is important does not mislead investors or create a false impression. The appellate court also noted that the complaint “concedes that [the defendant] devoted resources and took steps to strengthen the security of hospitality corporation’s systems,” and that the company included “such sweeping caveats that no reasonable investor could have been misled by them.” The appellate court concluded that the defendant “certainly could have provided more information to the public about its experience with or vulnerability to cyberattacks, but the federal securities laws did not require it to do so.”
District Court dismisses state law claims concerning scanned email allegations
On April 26, the U.S District Court for the Northern District of California granted a defendant tech company’s motion for reconsideration to dismiss a plaintiffs’ Washington Privacy Act (WPA) claims that it shared customer data with third parties without first obtaining consent. According to the amended complaint, the defendant allegedly misrepresented its privacy and security practices in violation of federal and state law by, among other things, sharing customer data with unauthorized third parties (some of which suffered data breaches), using customer data to develop products and services to sell to other companies, and falsely promising it complied with privacy and confidentiality standards. Plaintiffs alleged the company scanned 400 billion customer emails to obtain insights for its API, which it then sold to others.
In its prior ruling, the court dismissed plaintiffs’ Wiretap Act and Stored Communications Act claims but allowed the WPA claims to proceed. The defendant then filed a motion for partial reconsideration, arguing that the WPA claim is also premised on the same scanned email theory as with the other two claims that were already dismissed. The court agreed that the plaintiffs failed to sufficiently allege that their emails were scanned and dismissed the WPA claims without leave to amend because the “interception or disclosure of a communication” was necessary “in order for the conduct to be actionable.”
California Court of Appeal: Including extraneous language in FCRA disclosure may constitute willful violation
On April 19, the California Court of Appeal for the Fourth Appellate District reversed a trial court’s summary judgment order and held that the inclusion of extraneous language in an employer’s FCRA disclosures to job applicants may constitute willful violation of the FCRA. The plaintiff filed a putative class action against the defendant employer, contending that it willfully violated the FCRA by providing job applicants with a disclosure that included extraneous language unrelated to the topic of consumer reports. The plaintiff alleged that the disclosure violated the FCRA’s requirement for providing a standalone disclosure informing the applicant that the employer may obtain the applicant’s consumer report when making a hiring decision upon applicant’s consent. The defendant filed a motion for summary judgment arguing that no reasonable jury could find that the plaintiff’s FCRA violation was willful, because the erroneous disclosure form was the result of a drafting mistake that took place when the defendant modified a sample disclosure provided by a consumer reporting agency to ensure compliance with the FCRA. The trial court granted the defendant’s motion, finding that any non-compliance resulted from a drafting was an inadvertent error.
On appeal, the Court of Appeal reversed and remanded with instructions that the trial court deny the motion for summary judgment. The appellate court found that “a reasonable jury could find that [the employer] acted willfully because it violated an unambiguous provision of the FCRA.” The Court of Appeal noted that that there’s evidence that at least one of the defendant’s employees was aware that the extraneous language would be included in the disclosure form. In addition, the continuous use of the allegedly problematic disclosure form for nearly two years could signify recklessness. The Court of Appeal reasoned further that the defendant’s “continued and prolonged use” of the “problematic” disclosure form “suggest[ed] that it had no proactive monitoring system in place to ensure its disclosure was FCRA-complaint.”
Nevada Supreme Court affirms ruling in default notice suit
On April 7, the Nevada Supreme Court denied a petition for rehearing and reaffirmed its prior conclusion that, under Nevada law, when a notice of rescission is recorded after a notice of default, the rescission cancels the acceleration triggered by the notice of default, and resets a statutory 10-year period for automatically clearing a lien on real property. NRS § 106.240 “provides a means by which liens on real property are automatically cleared from the public records after a certain period of time,” and specifically “provides that 10 years after the debt secured by the lien has become ‘wholly due’ and has remained unpaid, ‘it shall be conclusively presumed that the debt has been regularly satisfied and the lien discharged.’” The specific question before the Nevada Supreme Court was what effect a notice of rescission has on NRS § 106.240’s 10-year period when the notice is recorded after a notice of default. The Nevada Supreme Court upheld the lower court’s decision determining that “because a notice of rescission rescinds a previously recorded notice of default, the notice of rescission ‘effectively cancelled the acceleration’ triggered by the notice of default, such that NRS 106.240’s 10-year period was reset.”
District Court allows state claims concerning the use of individuals’ likenesses in online ads to proceed
On April 19, the U.S. District Court for the Northern District of California denied a motion to dismiss in a putative class action alleging a California-based website operator violated various Ohio, Indiana, and California state laws by appropriating individuals’ names and likenesses and using this information in online teaser profile advertisements. Plaintiffs contended that the “teasers” violated their rights of publicity, and that memberships give users access to data including location history, family members, court records, employment information, and more. Plaintiffs further stated that “they ‘did not consent to the commercial use of their personal information and personas to promote subscriptions to a website with which they have no relationship.’” Defendant moved to dismiss on numerous grounds, including lack of standing.
In denying the motion to dismiss, the court ruled that plaintiffs have Article III standing to sue and that plaintiffs sufficiently pleaded a cognizable injury in “that their names, likenesses, and related information have commercial value and were being used for a commercial purpose.” The court also reviewed the adequacy of pleadings with respect to the alleged state violations and concluded, among other things, that the defendant’s teasers “are not subject to statutory exceptions for newsworthiness or public interest information.” As to the defendant’s alleged violations of California’s Unfair Competition Law (UCL), the court considered whether the California Consumer Privacy Act (CCPA) “immunizes [defendant’s] behavior from UCL liability.” According to the defendant, the CCPA generally obligates businesses to notify California residents when personal information is being used, it also “contains an express exemption for the use of publicly available data.” Because this conduct is allegedly permitted by the CCPA, the defendant argued, it cannot violate the UCL. The court disagreed, writing that “all that these provisions of the CCPA do are exempt publicly available data from special notification and disclosure rules that the statute itself imposes on companies that collect Californians’ data. . . . They do not expressly or impliedly set aside privacy-based tort claims or related UCL claims.”
Florida court grants sovereign immunity to lender and company officials
On April 11, a Florida county court concluded that a defendant lender and certain company officials were entitled to sovereign immunity in a case concerning alleged usury claims. The plaintiff claimed the lender used its supposed federally-recognized tribal affiliation to escape state usury regulations. The court dismissed the complaint, however, finding that the lender is an “arm of the tribe” under a six-prong test established by the U.S. Court of Appeals for the Tenth Circuit in Breakthrough Management Group, Inc. v. Chukchansi Gold Casino & Resort. The test determines whether sovereign immunity should apply by examining, among other factors, an entity’s creation, the amount of control a tribe has over the entity, and the financial relationship between the tribe and the entity. According to the court, the defendant’s evidence suggests that the tribe created the defendant as a business entity “to generate and contribute revenues” to the tribe’s general fund. The court found that insufficient detail was presented to support the plaintiff’s assertion that the defendant pays a relatively small percentage of its gross revenues to the tribe. The court added that the plaintiff also failed to present evidence proving that large portions of the defendant’s revenue were distributed to non-tribal entities. In dismissing the case with prejudice, the court also dismissed claims against three individual defendants because they were entitled to sovereign immunity. The court concluded that the plaintiff’s allegations demonstrated that the individuals committed the alleged wrongs in their capacities as employees and officers and therefore the “real party in interest” is the lender.
District Court approves final $85 million class action privacy settlement despite objections
On April 21, the U.S. District Court for the Northern District of California granted final approval of an $85 million class action settlement resolving privacy and data security allegations against a video conferencing provider. As previously covered by InfoBytes, consolidated class members claimed the company violated several California laws, including invasion of privacy, the “unlawful” and “unfair” prongs under the Unfair Competition Law, implied covenant of good faith and fair dealing, and unjust enrichment, among others. According to the more than 150 million class members (defined as individuals who “registered, used, opened or downloaded the [company’s] [m]eetings [a]pplication”), the company unlawfully shared their personal data with unauthorized third parties, failed to prevent unwanted and unauthorized meeting disruptions, and misrepresented the strength of its end-to-end encryption measures. Under the terms of the final settlement, the company will establish an $85 million fund to pay valid claims, fees and expenses, service payments, and taxes, and will make several major changes to its practices to “improve meeting security, bolster privacy disclosures, and safeguard consumer data.” Among other things, the settlement stipulates that the company will “provide in-meeting notifications to make it easier for users to understand who can see, save and share [their] information and content by alerting users when a meeting host or another participant uses a third-party application during a meeting.” Additionally, the company will educate users about available security features and ensure its privacy statement discloses the ability of users to share user data with third parties through integrated third-party software, record meetings, and/or transcribe meetings.
The court considered several objections raised by certain class members, including concerns argued on behalf of a subclass of users who used the meeting application “as part of a business that was legally or contractually required to maintain client confidentiality as part of the services the business provided.” According to these objectors, the individual payment amounts are inadequate for individuals who held sensitive meetings. The court countered that the objectors’ claims did not differ from other class members and that the recovery is intended to cover users who did not receive the benefit of their bargain with the company, and not for “special harm arising from a duty to maintain client confidentiality.”
District Court denies class cert in data breach suit
On April 20, the U.S. District Court for the Northern District of California denied plaintiffs’ motion for class certification in a lawsuit alleging a defendant hotel and restaurant group breached its contract when a data breach exposed the plaintiffs’ credit card account numbers and other private information. Plaintiffs alleged the defendant contracted with a third-party reservation site, which required consumers to provide payment card information and other personally identifying information (PII). The plaintiffs contended that during the data breach, hackers accessed customer data, and argued that “had [the third party] ‘employed multiple levels of authentication,’ rather than ‘single factor authorization,’ the ‘hacker would not . . . have been able to access the system.” Plaintiffs further claimed that the defendant served as the third party’s agent and was therefore responsible for its conduct.
In declining to certify the class, the court ruled that the plaintiffs failed to successfully allege any of their three claims on behalf of the class. The court reviewed the plaintiffs’ breach of contract claims, which alleged that the defendant promised to safeguard class members’ PII but failed to provide notice on its website that a third party was processing the payment information. According to the court, the plaintiffs could not show that all of the proposed class members would have believed they were providing their information to the defendant because the defendant’s “Book Now” button sent the user to the third party’s website and the defendant’s privacy policy disclosed its use of third party websites. The court also rejected the plaintiffs’ assertion that the defendant disclosed personal information in violation of California Civil Code because the information was hacked rather than disclosed by either the defendant or the third party. With respect to the plaintiffs’ Texas Deceptive Trade Practices Act claims, the plaintiffs argued that the defendant’s statements about protective measures were misleading because the third party did not employ multi-layer authentication. The court concluded that class treatment of those claims was improper as it could not determine whether the practice was misleading for the entire class as the question is dependent on whether class members believed they were providing PII to the defendant or to the third party.
Michigan Court of Appeals affirms dismissal of post-judgment interest case, says state court rule precludes class actions
On April 21, the Michigan Court of Appeals affirmed a trial court’s dismissal of a post-judgment interest putative class action after concluding that a court rule that precludes “‘actions’ based on claimed violations of statutes that permit[ ] recovery of statutory damages in lieu of actual damages” necessitated the dismissal of the plaintiff’s class action claim. According to the opinion, after the plaintiff defaulted on her $900 credit card debt, the debt was assigned to the defendant debt collector who calculated the plaintiff’s unpaid balance to be $6,241.20. The defendant sought judgment against the plaintiff in that amount, plus interest, fees, and costs, and obtained a default judgment against the plaintiff after she did not respond. The defendant consequently obtained several writs of garnishment, all of which indicated that post-judgment interest had been added to the debt. Several years later, the plaintiff filed a putative class action alleging the defendant violated the FDCPA and the Michigan Regulation of Collection Practices Act (RCPA) by overstating how much she owed “and by impermissibly inflating [defendant’s] costs and the amount of interest it charged.” The state trial court dismissed the plaintiff’s class action claims with prejudice on the basis that Michigan Court Rules (MCR) preclude her from recovering statutory damages under the RCPA because the RCPA does not explicitly permit class actions. The court also dismissed her individual claims for lack of subject-matter jurisdiction.
On appeal, the plaintiff argued that the trial court erred when it dismissed her class action claims under MCR because she also sought equitable relief and actual damages; however, the Michigan Court of Appeals pointed to a provision in the MCR that states “[a]n action for a penalty or minimum amount of recovery without regard to actual damages imposed or authorized by statute may not be maintained as a class action unless the statute specifically authorizes its recovery in a class action.” The Court of Appeals explained that the RCPA is implicated under this rule because (i) it permits the recovery of statutory damages; and (ii) does not contain a provision explicitly permitting class actions, and as such, “plaintiff’s class action claims must be dismissed irrespective of the fact that she also sought injunctive relief, declaratory relief, and actual damages.” The Court of Appeals further held that even if the plaintiff attempted to plead individual claims, the case would not be allowed to proceed because the actual damages in this case are not high enough to meet the jurisdictional minimum amount in Michigan.