
InfoBytes Blog

Financial Services Law Insights and Observations


  • Defendants to pay $5 million for alleged data breach

    Privacy, Cyber Risk & Data Security

    On April 20, the U.S. District Court for the Southern District of California granted preliminary approval of a proposed class settlement, resolving claims against a medical supplier company after a data breach allegedly compromised personal information of its consumers in its database. According to the order, the plaintiffs alleged that between April 2019 and June 2019, hackers gained access to the defendant’s computer systems, which contained personal identifying information and protected health information of tens of thousands of individuals. Under the terms of the settlement, the defendants will pay $5 million, with each class member with a valid claim receiving between $100 and $1,000 in cash. The settlement also includes $2.3 million in attorneys’ fees and up to $4,000 for each of the class representatives. Additionally, the defendants will “be required to perform specified remedial measures for a minimum of the next two years and ‘perform either improved versions of such recommendations or the new industry standard thereafter for at least three additional years.’” The remedial measures include, among other things, conducting an AICPA and SOC Type 2 audit to be repeated until the defendant passes, engaging an independent third party to perform a HIPAA IT assessment, undergoing at least one cyber incident response test per year starting in 2022, requiring staff trainings about security and privacy at least twice a year, engaging a company to test its phishing and external facing vulnerabilities at least twice a year, and deploying a third-party enterprise SIEM tool with a 400-day look-back on logs.

    Privacy/Cyber Risk & Data Security Courts Data Breach California Class Action Settlement

  • District Court granted final approval of a $5.7 million class action overdraft fee settlement

    Courts

    On April 22, the U.S. District Court for the Northern District of New York granted final approval of a $5.7 million class action settlement resolving allegations related to overdraft fees applied to certain bank account transactions. According to plaintiffs’ unopposed motion for preliminary approval, the bank was sued in 2020 for allegedly unfairly assessing and collecting overdraft fees on “Authorize Positive, Purportedly Settle Negative Transactions” (APPSN fees) as well as NSF fees. The bank denied the allegations and moved to dismiss, contending that the relevant account agreements are unambiguous, and that even if there were ambiguity, “extrinsic evidence resolves the ambiguity in its favor on the whether the fees at issue are permitted.” In August 2021, the parties notified the court that they had reached an agreement. Under the terms of the preliminarily approved settlement, the bank will make a $4.25 million cash payment and will “forgive, waive, and agree not to collect an additional” $1.5 million in uncollected overdraft fees. Class members, defined as all current and former bank customers with consumer checking accounts who were charged a relevant fee between December 4, 2013, and November 30, 2021, will automatically receive their pro rata share of the settlement fund without having to prove they were harmed by the bank’s practices. There are no claim forms, and class members will be determined through the bank’s checking account data. A formula will be used to calculate each class member’s distribution. Under the terms of the settlement, approximately $2.9 million will go towards customers who were charged APPSN fees, while roughly $1.3 million will be allocated for customers who were charged retry NSF fees.

    Courts Overdraft Fees Consumer Finance Class Action Settlement

  • FTC charges funeral company with deceptive marketing practices

    Federal Issues

    On April 22, the DOJ filed a complaint on behalf of the FTC against certain defendants providing funeral goods and services to consumers throughout the U.S. for alleged violations of Section 5 of the FTC Act and the FTC’s Funeral Rule. (See also FTC press release here.) According to the complaint, the defendants, who arrange third-party cremation services, allegedly (i) misrepresented that they perform local funeral services, which were instead outsourced to unaffiliated third parties; (ii) charged consumers additional undisclosed costs; and (iii) illegally threatened to withhold remains or information about the remains from consumers who refused to pay previously undisclosed fees or the new, higher prices. The complaint seeks injunctive relief, monetary relief, and civil penalties.

    Federal Issues Courts FTC DOJ Enforcement FTC Act UDAP Deceptive

  • 9th Circuit affirms district court’s ruling in TCPA case

    Courts

    On April 5, the U.S. Court of Appeals for the Ninth Circuit affirmed a district court’s decision denying the defendants’ motion to compel arbitration in a putative class action under the TCPA. The defendants were a digital marketing company and a debt-relief service company. According to the opinion, the plaintiffs visited the defendants’ websites, but allegedly did not see a notice in fine print stating, “I understand and agree to the Terms & Conditions which includes mandatory arbitration.” The underlined phrases “Terms & Conditions” and “Privacy Policy” were hyperlinks, but they appeared in the same gray font as the rest of the sentence. The marketing company and one of the defendants allegedly used the consumer’s contact information to conduct a telemarketing campaign on behalf of the debt relief companies by allegedly placing unsolicited telephone calls and sending text messages to consumers. The plaintiffs filed a putative class action, alleging that the calls and text messages were made without their consent, and therefore violated the TCPA. The defendants moved to compel arbitration, arguing that, by clicking on the “continue” buttons, the plaintiffs had agreed to the mandatory arbitration provision hyperlinked in the terms and conditions. The district court denied the defendants’ motion, concluding “that the content and design of the webpages did not conspicuously indicate to users that, by clicking on the ‘continue’ button, they were agreeing to [the service company’s] terms and conditions.”

    On appeal, the 9th Circuit agreed with the district court, finding that the digital marketing company’s website did not contain a reasonably conspicuous notice of its terms and conditions. The 9th Circuit ruled that such notice must be expressly displayed in a font size and format where it can be deemed that a reasonable Internet visitor saw it and was aware of it. The appellate court noted that, on the websites at issue, “[t]he text disclosing the existence of the terms and conditions … is the antithesis of conspicuous,” and that it “is printed in a tiny gray font considerably smaller than the font used in the surrounding website elements, and indeed in a font so small that it is barely legible to the naked eye. The comparatively larger font used in all of the surrounding text naturally directs the user's attention everywhere else.” The 9th Circuit also held that, “while it is permissible to disclose terms and conditions through a hyperlink, the fact that a hyperlink is present must be readily apparent. …[T]he design of the hyperlinks must put such a user on notice of their existence.”

    Courts Appellate Ninth Circuit TCPA Arbitration Class Action

  • District Court denies motion for corrective notice in class action data breach case

    Privacy, Cyber Risk & Data Security

    On April 18, the U.S. District Court for the District of South Carolina denied the plaintiffs’ motion for corrective notice in a putative class action, ruling that the defendant cloud computer service provider is not required to issue a corrective notice related to a 2020 data breach. In 2020, a data breach exposed the personal data of individuals whose information was managed by the defendant and provided to the defendant’s clients. The plaintiffs alleged that the defendant’s “deficient” security program led to the data breach, and that the defendant failed to implement security measures to mitigate the risk of unauthorized access, used outdated servers, stored obsolete data, and maintained unencrypted data fields. The judicial panel on multidistrict litigation eventually consolidated several putative class actions arising from the data breach for coordinated pretrial proceedings. Plaintiffs argued that corrective notice to customers was appropriate, claiming the defendant “made numerous misrepresentations” related to the type of data stolen and performed “an unreliable risk of harm analysis that did not actually take into account the harm class members faced as a result of the breach.” The court disagreed, ruling that such corrective notice is improper at this stage. “Ultimately, the Federal Rules of Civil Procedure do not authorize Plaintiffs’ request to widely disseminate a notice endorsing their position on dispositive issues to [Defendant’s] customers, who are not parties or putative class members in this case, where Plaintiffs have not shown that [Defendant] made misleading communications regarding this litigation,” the court ruled.

    Privacy/Cyber Risk & Data Security Courts Data Breach Class Action

  • District Court compels college operator to testify in CFPB CID challenge

    Courts

    On April 20, a magistrate judge for the U.S. District Court for the District of Utah issued a report and recommendation in a CFPB action seeking to compel testimony from a private, non-profit operator of several colleges as part of its petition to enforce a 2019 civil investigative demand (CID). The CID seeks information about (i) the operator’s private student loan program to determine whether its private financing program violated federal consumer financial laws; and (ii) litigation involving the operator’s student loan program to which it has been a party since 2012. The CID also sought testimony for what it said was an investigation into whether the operator had misled student borrowers about the offered loans or signed them up for loans without their knowledge or consent—a potential UDAAP violation. Former Bureau Director Kathleen Kraninger previously denied a petition to set aside the CID (and ultimately ratified its enforcement), but offered to narrow the CID’s scope to only require testimony regarding the first of these topics on the condition that the operator would testify as scheduled. The Bureau filed a petition to enforce the CID after the operator failed to comply. The operator challenged the Bureau’s single-director structure (which was addressed in rulings issued by the U.S. Supreme Court in Seila Law v. CFPB and Collins v. Yellen, covered by a Buckley Special Alert here and InfoBytes here), and argued, among other things, that the CID was “overly broad” and “burdensome.”

    The magistrate judge rejected the majority of the operator’s arguments, which included constitutional arguments, lack of relevance, abuse of process, and that the demand is too indefinite, overly broad and burdensome. The magistrate judge concluded that enforcing the compromise offered by the Bureau back in 2019 would be an equitable solution and give the agency the necessary information without imposing undue burden, explaining that the defendant “has now had multiple years to prepare witnesses for deposition and should not be unduly burdened to answer questions regarding its own private-student-loan program.”

     

    Courts CFPB CIDs Enforcement CFPA UDAAP

  • District Court grants final approval to class action data breach settlement against national convenience store chain

    Courts

    On April 20, the U.S. District Court for the Eastern District of Pennsylvania granted final approval to a settlement in a class action against a national convenience store chain (defendant) for a 2019 data security incident that allegedly compromised consumers’ credit and debit card information. As previously covered by InfoBytes, class members claimed that “despite the foreseeability of a data breach” the defendant, among other things, “failed to implement adequate measures to protect the sensitive, non-public payment card information entrusted to it by its customers.” In May 2021, the court ruled that the defendant must face certain claims filed by a group of financial institutions (covered by InfoBytes here). In August, the court granted preliminary approval of the settlement, which required the defendant to provide monetary relief to class members totaling approximately $9 million, plus $3.2 million for attorneys’ fees and expenses and class representative service awards, in addition to requiring the defendant to take additional measures for a period of two years to prevent future unauthorized intrusions. The settlement includes three tiers of customers, who will receive gift cards for either $5 or $15, or $500 in cash, depending on the level of their injury caused by the data breach.

    Courts Privacy/Cyber Risk & Data Security Class Action Data Breach Settlement

  • 9th Circuit: Networking site cannot deny data scraping access to publicly available profiles

    Privacy, Cyber Risk & Data Security

    On April 18, on remand from the U.S. Supreme Court, the U.S. Court of Appeals for the Ninth Circuit affirmed a district court’s order preliminarily enjoining a professional networking site from denying a data analytics company access to publicly available member profiles. At issue are allegations brought by the networking site claiming the data analytics company used automated bots to extract user data from the networking site’s website (a process known as “scraping”) for the purposes of selling its analytics services to businesses. The networking site sent the data analytics company a cease-and-desist letter, asserting violations of state and federal law, including the Computer Fraud and Abuse Act (CFAA). The data analytics company responded that it had a right to access the public pages and later sought a preliminary injunction. In granting the preliminary injunction, the district court ordered the networking site to, among other things, “remove any existing technical barriers to [its] public profiles, and to refrain from putting in place any legal or technical measures” that would block access.

    The 9th Circuit previously affirmed the preliminary injunction, but was called to further consider whether the CFAA applies to the data analytics company’s data scraping after the U.S. Supreme Court vacated the appellate court’s judgment in light of its ruling in Van Buren v. United States.

    On remand, the appellate court reviewed whether the data analytics company accessed data “without authorization” in violation of the CFAA after it received the cease-and-desist letter. The 9th Circuit found that the ruling in Van Buren, in which the Supreme Court suggested that the CFAA only applies in cases where someone is accused of hacking into or exceeding their authorized access to a network that is protected, or in situations where the “gates are up,” narrowed the CFAA’s scope and most likely did not apply to cases involving data scraped in bulk by automated bots from public websites. “A defining feature of public websites is that their publicly available sections lack limitations on access; instead, those sections are open to anyone with a web browser,” the appellate court wrote. “In other words, applying the ‘gates’ analogy to a computer hosting publicly available webpages, that computer has erected no gates to lift or lower in the first place.” Therefore, the court held, the phrase “without authorization” does not apply to public websites.

    In determining that a preliminary injunction was appropriate, the appellate court held that the district court did not abuse its discretion in concluding that the data analytics company met the standard of establishing that the plaintiff is likely to succeed on the merits, is likely to suffer irreparable harm without such relief, that the “balance of equities” is in the favor of the plaintiff, and that the injunction would be in the public interest.  The court found that the data analytics company showed that it “currently has no viable way to remain in business other than using [the networking site’s] public profile data” for its analytic services and “demonstrated a likelihood of irreparable harm absent a preliminary injunction.” In considering the balance of hardships, the 9th Circuit agreed that the scales “tipped sharply” in favor of the data analytics company “when weighing the likelihood that [the data analytics company] would go out of business against [the networking site’s] assertion that an injunction threatened its members’ privacy” and therefore risked the goodwill it had developed with its members. Finally, the court rejected the networking site’s claims that the data analytics company violated the CFAA, which would have preempted the remaining state law claims.  
     

    Privacy/Cyber Risk & Data Security Courts Appellate Ninth Circuit Cyber Risk & Data Security Computer Fraud and Abuse Act Data Scraping

  • District Court lowers punitive damages award in FCRA dispute

    Courts

    On April 8, the U.S. District Court for the Southern District of Florida denied in part and granted in part a defendant’s motion for judgment as a matter of law and alternative motion for a new trial, after concluding that the debt collector violated the FCRA by incorrectly reporting medical debts on the plaintiff’s credit reports despite allegedly receiving 31 separate disputes challenging the validity of the debt. The plaintiff contended that the medical debts in question belonged to his father, and that due to the inaccurate reporting, he was denied credit by two lenders. At trial, after finding that the defendant failed to conduct a reasonable investigation into the plaintiff’s FCRA disputes as required by the statute, a jury awarded the plaintiff $80,000 in actual damages and $700,000 in punitive damages for willful violations. The defendant challenged the award and requested a new trial, arguing that the court improperly admitted hearsay testimony, that the plaintiff failed to prove he suffered emotional damage, and that the jury’s punitive damages award was too high.

    The court denied defendant’s request for a new trial, finding that the plaintiff suffered emotional damages and that the “verdict could be supported ‘without considering the challenged testimony.’” With respect to the amount of punitive damages awarded, the court concluded that the defendant’s actions were “highly reprehensible” and “callous” in the way it processed consumers’ disputes. However, in comparing the ratio of punitive damages to compensatory damages in other cases, the court determined that $700,000 was too high based on the actual damages award and lowered the punitive damages to $475,000 to be consistent with Eleventh Circuit law. The court concluded, “to be sure, the high punitive damages award likely reflects the jury’s assessment of Defendant’s callous behavior throughout the eighteen months of processing Plaintiff’s approximately thirty disputes, and Defendant’s employees’ testimony which confirmed that such treatment would likely repeatedly occur with countless other consumers,” adding that “given the size of [the defendant], and the number of disputes handled annually, it is not surprising that the jury deemed a high punitive damages award necessary to send the Defendant a deterrence message.”

    Courts FCRA Damages Punitive Damages Consumer Finance Debt Collection Credit Report

  • District Court grants final approval in usury class action settlement

    Courts

    On August 16, the U.S. District Court for the Eastern District of Virginia granted final approval of a class action settlement resolving a purported scheme to unlawfully use tribe-owned firms to make online short-term loans and charge triple-digit interest rates. According to the memorandum of law in support of plaintiffs’ motion for preliminary approval of class action settlement and the stipulation and agreement of settlement, the district court previously approved two class settlements related to the lending enterprise. The first resulted in the purported lender and others: (i) repaying over $53 million in cash; and (ii) forgiving over $380 million of debt owed by consumers who took out loans with three lending companies. However, these settlements did not resolve every claim surrounding the purported scheme, and did not resolve claims with the settling defendant. The plaintiffs claimed that the settling defendant assisted the purported lender’s operations despite a corporate spinoff in May 2014, alleging that “[b]ecause many [of the purported lender’s] employees with institutional knowledge of and involvement in the company’s rent-a-tribe lending business were quickly transferred to [the settling defendant], [the purported lender] required and depended on continued involvement by [the settling defendant] and its employees in operating its rent-a-tribe lending business, which involvement was freely and often provided.” Under the terms of the preliminarily approved settlement, the settling defendant must provide monetary relief to class members totaling approximately $45 million.

    Courts Tribal Lending Class Action Usury Settlement Consumer Finance Interest Rate Online Lending
