On June 12, the FTC announced a settlement under which a software provider agreed to better protect the data it collects, resolving allegations that the company failed to implement reasonable data security measures and exposed personal consumer information obtained from its auto dealer clients in violation of the FTC Act and the Standards for Safeguarding Customer Information Rule, issued pursuant to the Gramm-Leach-Bliley Act.
In its complaint, the FTC alleged that the company’s failure to, among other things, (i) implement an organizational information security policy; (ii) implement reasonable guidance or training for employees; (iii) use readily available security measures to monitor systems; and (iv) impose reasonable data access controls, resulted in a hacker gaining unauthorized access to the company’s database containing the personal information of approximately 12.5 million consumers. The proposed consent order requires the company to, among other things, implement and maintain a comprehensive information security program designed to protect the personal information it collects, including implementing specific safeguards related to the FTC’s allegations. Additionally, the proposed consent order requires the company to obtain third-party assessments of its information security program every two years and to have a senior manager certify compliance with the order every year.
On June 7, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced an approximately $400,000 settlement with a global money services business for alleged violations of the Global Terrorism Sanctions Regulations (GTSR). The settlement resolves potential civil liability for the company’s processing of certain transactions totaling roughly $1.275 million. According to OFAC, the transactions were paid out to third-party, non-designated beneficiaries who collected their remittances from a company sub-agent in The Gambia that OFAC designated pursuant to the GTSR in December 2010. In arriving at the settlement amount, OFAC considered various mitigating and aggravating factors, including the fact that the company voluntarily self-disclosed the issue to OFAC.
On June 6, the New York Attorney General announced a $65,000 settlement with an online retailer resolving allegations that the company failed to provide notice of an online data breach to over 39,000 customers, including nearly 3,000 New Yorkers, for over three years. According to the announcement, unauthorized parties placed malicious code designed to steal credit card information in the company’s software in September 2014. The company discovered the code in November 2014, but did not remediate it until January 2015 (or February 2015, after the code was mistakenly reintroduced and permanently deleted). The Attorney General alleges that the company did not notify its affected customers until May 2018, and that, because the company did not notify New York authorities or its affected customers “in an expedient time-period, and without unreasonable delay,” it violated New York’s General Business Law § 899-aa.
The company offered potentially affected customers two years of free credit monitoring, fraud consultation, and identity theft restoration services, which is not required by law. In addition to the penalty, the settlement requires the company to conduct trainings for appropriate employees and conduct thorough investigations of any future data security breaches involving private information to ensure compliance with state law.
District court approves final settlement resolving breach of contract and conversion claims related to debit card overdraft fees
On May 28, the U.S. District Court for the Southern District of California granted final approval to a roughly $24.5 million settlement resolving class action allegations that a credit union unfairly charged optional overdraft protection fees on certain debit card transactions. In 2017, the plaintiffs challenged the credit union’s practices, alleging breach of contract, breach of the covenant of good faith and fair dealing, and conversion. Specifically, the plaintiffs challenged whether the language in the accountholder agreements prohibited the credit union from assessing and collecting optional overdraft protection fees on certain debit card transactions that were authorized against positive available account balances. In 2018, the court granted in part and denied in part the credit union’s motion to dismiss, allowing the plaintiffs’ breach of contract and conversion claims to proceed. The parties entered into settlement discussions and reached an agreement. Under the terms of the settlement, the credit union will provide $24.5 million in relief to class members, along with approximately $6.1 million in attorneys’ fees. However, the court denied a request to reimburse the plaintiffs’ expert witness for work completed after the settlement agreement was preliminarily approved last year, stating “as a matter of awarding funds from the [s]ettlement [f]und, the [c]ourt cannot find reasonable the $109,100.00 price tag for an exercise that appears to post-date the preliminary approval order and which merely confirmed what the parties already understood to be the class’s potential recovery.”
On May 21, the FTC announced a payment processor, its CEO and owner, and two other officers (collectively, “defendants”) agreed to settle charges that they knowingly processed fraudulent transactions to consumers’ accounts in violation of the FTC Act. According to the FTC’s complaint, the defendants allegedly assisted merchants, who were engaged in fraud, in hiding their activities from banks and credit card networks. The defendants allegedly (i) created fake foreign shell companies to open accounts in their names; (ii) submitted dummy websites and other false information to merchant banks; and (iii) worked to evade card network rules and monitoring designed to prevent fraud. The settlement order against the processing company and its CEO imposes a judgment of over $110 million, which is partially suspended due to the inability to pay. The settlement order against one officer imposes a judgment of over $300,000, which is suspended due to the inability to pay. The settlement order against the second officer, the company’s Chief Operating Officer, imposes a $1 million judgment. Each order imposes a permanent ban on the defendants from, among other things, engaging in payment processing and credit card laundering, whether directly or through an intermediary.
On May 15, the U.S. Court of Appeals for the 7th Circuit held that a prevailing consumer’s request for $187,410 in attorney’s fees was unreasonable in an FDCPA action. In 2014, the consumer and a debt collector settled the consumer’s FDCPA-related claims for $1,001 plus attorney’s fees of $4,500. Despite the settlement agreement, the debt collector continued to attempt to collect the debt, and the consumer sued a second time alleging violations of the FDCPA and FCRA. The consumer did not respond to multiple settlement offers from the debt collector, including one in March 2015 for $3,051, proceeded to trial on the FDCPA claim, and subsequently rejected a settlement offer from the debt collector of $25,000 and reasonable attorney’s fees. At trial, the jury awarded the consumer only the $1,000 in FDCPA statutory damages, after which he sought to recover $187,410 in attorney’s fees. The district court reduced his request to $10,875, concluding that the consumer’s rejection of “meaningful settlement offers precluded a fee award in such disproportion to his trial recovery.”
On appeal, the appellate court agreed with the district court that the March 2015 settlement offer of $3,051 was reasonable, rejecting the consumer’s argument that the settlement “was not substantial and therefore should have been disregarded by the district court in determining the fee award.” The appellate court also rejected the consumer’s argument that because the settlement offer disclaimed liability for the debt collector, his results at the jury trial were much better than the settlement as it yielded judgment on the merits. The appellate court noted that settlement offers regularly disclaim liability, and by operation, judgment against the debt collector would still have been entered under Rule 68. Therefore, the appellate court concluded the district court did not abuse its discretion when reducing the attorney’s fees to $10,875 based on 29 hours’ worth of work at an hourly rate of $375 prior to the March 2015 settlement offer.
On April 24, the FTC announced separate settlements with the operators of an online rewards website and a dress-up games website to resolve allegations concerning poorly implemented data security measures and Children’s Online Privacy Protection Act (COPPA) violations. According to the FTC, the online rewards website operator collected personal information (PII) from users who participated in their online offerings and made promises that their account information was secure. However, the operator allegedly failed to implement data security measures or utilize encryption techniques, which granted hackers access to the network. In addition, the operator allegedly maintained PII in clear unencrypted text. As a result of the breach, hackers published and offered for sale PII for approximately 2.7 million consumers. Under the terms of the decision and order, the operator is, among other things, prohibited from misrepresenting the measures taken to protect consumers’ PII and is required to implement a comprehensive information security program for future collections of PII.
On the same day, the FTC reached a proposed settlement with a dress-up games website and its operators, who allegedly violated COPPA by failing to obtain parental consent before collecting personal information from children under 13 and by failing to provide reasonable and appropriate security for the collected data. According to the FTC, data security failures allowed hackers access to the company’s network, which stored information for roughly 245,000 users under age 13. As part of the proposed settlement filed in the U.S. District Court for the Northern District of California, the company and operators, among other things, (i) have agreed to pay $35,000 in civil penalties; (ii) will change their business practices to comply with COPPA; and (iii) are prohibited from selling, sharing, or collecting personal information until a comprehensive data security program is implemented and undergoes independent biennial assessments.
On May 1, the CFPB announced a $3.9 million settlement with a student loan servicing company. The settlement resolves allegations that the company engaged in unfair practices by failing to make adjustments to loans made under the Federal Family Education Loan Program to account for circumstances such as deferment, forbearance, or entrance into the Income-Based Repayment (IBR) program. According to the consent order, between 2005 and 2015, certain accounts requiring manual adjustments to principal loan balances based on program participation were allegedly placed in “queues” to process the adjustments, which took, in some cases, years to process. The servicer allegedly did not inform affected borrowers that it did not complete the processing of their principal balances associated with the deferment, forbearance, or IBR participation. The queues allegedly resulted in some borrowers paying off incorrect loan amounts and other borrowers experiencing delays in loan consolidation while waiting for the servicer to adjust principal balances. In addition to the $3.9 million civil money penalty, the consent order requires the servicer to make the proper adjustments to the principal balances of the affected accounts or pay restitution to borrowers who paid off loans with inaccurate loan balances. The servicer is also required to comply with certain compliance monitoring, reporting, and recordkeeping requirements.
On April 25, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced a $75,375 settlement with a New Jersey corporation for two alleged violations of the Ukraine-Related Sanctions Regulations. The settlement resolves potential civil liability for the company’s alleged issuance of two separate invoices for software licensing and software support services to an entity previously identified on OFAC’s Sectoral Sanctions Identification List. According to OFAC, the designated entity’s attempts to remit payment were rejected by financial institutions after it was determined that the transaction was prohibited by OFAC regulations on certain debts. However, the corporation—which allegedly failed to have a sanctions compliance program in place and failed to “recognize that the delayed collection of payment was prohibited”—explored possible options to collect the payment and did not seek guidance or authorization from OFAC.
In arriving at the settlement amount, OFAC considered various aggravating factors, including that the corporation “demonstrated reckless disregard for U.S. economic sanctions requirements by repeatedly ignoring warning signs that its conduct constituted or likely constituted a violation of OFAC’s regulations.” Moreover, OFAC claimed that the corporation did not voluntarily self-disclose the apparent violations to OFAC, and that senior management had knowledge of the alleged conduct.
OFAC also considered numerous mitigating factors, including that (i) the alleged violations “resulted in minimal actual harm to the sanctions programs” and constituted a non-egregious case; (ii) the corporation has not received a penalty or finding of a violation in the five years prior to the transactions at issue; and (iii) the corporation has implemented a risk-based compliance program to minimize the risk of recurring conduct.
On April 22, the U.S. Court of Appeals for the 11th Circuit affirmed a district court’s ruling that including too many digits of a consumer’s credit card account number on a receipt was sufficient to constitute a concrete injury even if the consumer’s identity was not stolen. Under the Fair and Accurate Credit Transactions Act (FACTA), merchants are prohibited from including more than the final five digits of a consumer’s credit card number on a receipt. According to the opinion, the consumer filed a class action suit against a chocolate company, alleging that one of its stores printed the first six and last four digits of his account number on a receipt, which exposed the class members “to an elevated risk of identity theft.” When the parties sought approval of a proposed settlement, two unnamed class members contested the settlement on the grounds that, among other things, the consumer/class representative lacked standing to sue because he had not suffered a concrete injury as defined in the U.S. Supreme Court’s decision in Spokeo, Inc. v. Robins. The district court, however, approved the settlement.
On appeal, the 11th Circuit held that an increased risk of identity theft is sufficient to bring claims under FACTA, and that the class representative’s “alleged injury is ‘particularized’ because the heightened risk of identity theft affected him ‘in a personal and individual way’—it was his credit card number that appeared on the receipt.” Moreover, the appellate court noted, “In our view, if Congress adopts procedures designed to minimize the risk of harm to a concrete interest, then a violation of that procedure that causes even a marginal increase in the risk of harm to the interest is sufficient to constitute a concrete injury.”
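The FACTA truncation rule at issue above can be checked mechanically at the point where receipt text is generated. The following is an added example, not code from the article or from any party to the case: it scans receipt lines for card-number-like tokens and flags any that reveal more than the final five digits, including the “first six and last four” pattern the complaint described. The receipt lines are constructed sample data, and the token pattern (12 to 19 characters of digits and mask symbols) is an assumption.

```python
import re

# Constructed sample receipt lines for illustration (not from the article).
SAMPLE_RECEIPTS = {
    "compliant_last4": "VISA ************1234  TOTAL $12.99",
    "compliant_last5": "MC   ***********01234  TOTAL $45.00",
    "first6_last4":    "VISA 411111******1234  TOTAL $12.99",  # pattern alleged in the case
    "full_pan":        "CARD 4111111111111234  TOTAL $12.99",
}

# Assumed token shape: a run of digits and common mask symbols, 12-19 long,
# which covers PAN lengths in use. Long order/transaction numbers may also
# match; those are surfaced for human review rather than silently skipped.
CARD_TOKEN_RE = re.compile(r"(?<![0-9*Xx#])[0-9*Xx#]{12,19}(?![0-9*Xx#])")

FACTA_MAX_VISIBLE = 5  # FACTA: no more than the final five digits may be printed


def facta_violations(receipt_text):
    """Return a list of (token, visible_digit_count) for every card-like token
    that either shows more than five digits or shows a digit outside the
    final five positions (e.g. the leading BIN)."""
    findings = []
    for token in CARD_TOKEN_RE.findall(receipt_text):
        visible = [i for i, ch in enumerate(token) if ch.isdigit()]
        if not visible:
            continue  # fully masked, nothing to assess
        first_allowed = len(token) - FACTA_MAX_VISIBLE
        leading_exposed = any(i < first_allowed for i in visible)
        if leading_exposed or len(visible) > FACTA_MAX_VISIBLE:
            findings.append((token, len(visible)))
    return findings


def is_facta_compliant(receipt_text):
    """True when no card-like token on the receipt exposes more than the
    final five digits."""
    return not facta_violations(receipt_text)


def audit(receipts):
    """Audit a mapping of receipt id -> text; return ids that need remediation."""
    return sorted(rid for rid, text in receipts.items() if not is_facta_compliant(text))


if __name__ == "__main__":
    for rid, text in SAMPLE_RECEIPTS.items():
        print(f"{rid:16s} compliant={is_facta_compliant(text)} {facta_violations(text)}")
```

The check deliberately treats a visible leading digit as a violation even when the total count is five or fewer, since FACTA limits which digits may appear, not only how many.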