
InfoBytes Blog

Financial Services Law Insights and Observations


  • Social media company to pay $150 million to settle FTC, DOJ data security probe

    Federal Issues

    On May 25, the DOJ filed a complaint on behalf of the FTC against a global social media company for allegedly misusing users’ phone numbers and email addresses uploaded for security purposes to target users with ads. (See also FTC press release here.) According to the complaint, the defendant deceived users about the extent to which it maintained and protected the security and privacy of users’ nonpublic contact information. Specifically, from May 2013 to September 2019, the defendant asked users to provide either a phone number or an email address to improve account security. The defendant, however, allegedly failed to inform the more than 140 million users who provided phone numbers or email addresses that their information would also be used for targeted advertising. The FTC claimed the defendant used the collected information to allow advertisers to target specific ads to specific users by matching the phone numbers or email addresses with data they already had or obtained from data brokers. DOJ’s complaint alleged that the defendant’s conduct violated the FTC Act and the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield agreements, which require participating countries to adhere to certain privacy principles in order to legally transfer data from EU countries and Switzerland. This conduct also allegedly violated a 2011 FTC consent order with the defendant stemming from claims that the defendant deceived users and put their privacy at risk by failing to safeguard their personal information. According to DOJ’s complaint, the 2011 order “specifically prohibits the company from making misrepresentations regarding the security of nonpublic consumer information.”

    Under the terms of the proposed order, the defendant would be required to pay a $150 million civil penalty and implement robust compliance measures to improve its data privacy practices. According to the FTC and DOJ announcements, these measures would (i) “allow users to use other multi-factor authentication methods such as mobile authentication apps or security keys that do not require users to provide their telephone numbers”; (ii) require the defendant to “notify users that it misused phone numbers and email addresses collected for account security to also target ads to them and provide information about [its] privacy and security controls”; (iii) require the defendant to implement and maintain a comprehensive privacy and information security program, including conducting “a privacy review with a written report prior to implementing any new product or service that collects users’ private information,” regularly testing its data privacy safeguards, and obtaining regular independent assessments of its data privacy program; (iv) limit employee access to users’ personal data; and (v) require the defendant to notify the FTC should it experience a data breach, and provide reports after any data privacy incident affecting 250 or more users. Additionally, the defendant would be banned from profiting from deceptively collected data.

    Federal Issues Privacy/Cyber Risk & Data Security FTC DOJ Enforcement UDAP Deceptive FTC Act EU-US Privacy Shield Swiss-U.S. Privacy Shield Settlement

  • District Court issues judgment against student debt relief operation

    Federal Issues

    On May 24, the U.S. District Court for the Central District of California entered a stipulated final judgment and order against an individual defendant who participated in a deceptive debt-relief enterprise operation. As previously covered by InfoBytes, in 2019, the CFPB, along with the Minnesota and North Carolina attorneys general, and the Los Angeles City Attorney (together, the “states”), announced an action against the student loan debt relief operation for allegedly deceiving thousands of student-loan borrowers and charging more than $71 million in unlawful advance fees. In the third amended complaint, the Bureau and the states alleged that since at least 2015 the debt relief operation violated the CFPA, TSR, FDCPA, and various state laws by charging and collecting improper advance fees from student loan borrowers prior to providing assistance and receiving payments on the adjusted loans. In addition, the Bureau and the states claimed that the debt relief operation engaged in deceptive practices by misrepresenting, among other things: (i) the purpose and application of fees they charged; (ii) their ability to obtain loan forgiveness for borrowers; and (iii) their ability to actually lower borrowers’ monthly payments. Moreover, the debt relief operation allegedly failed to inform borrowers that it was their practice to request that the loans be placed in forbearance and also submitted false information to student loan servicers to qualify borrowers for lower payments. Under the terms of the final judgment, the individual defendant must pay a $483,662 civil money penalty to the Bureau.

    Federal Issues Courts CFPB Consumer Finance Enforcement Student Lending Debt Relief State Issues State Attorney General CFPA TSR FDCPA Settlement

  • CFPB, New York reach $4 million settlement with debt collection operation

    Federal Issues

    On May 25, the U.S. District Court for the Western District of New York entered a stipulated final judgment and order in an action taken by the CFPB, in partnership with the New York attorney general, resolving allegations that a debt collection operation based near Buffalo, New York, which includes six companies, three owners, and two managers (collectively, “defendants”), engaged in deceptive tactics to induce consumer payments. (See also CFPB press release here.) As previously covered by InfoBytes, the CFPB filed a complaint in 2020 against the defendants for allegedly violating the CFPA, FDCPA, and various New York laws by using illegal tactics to induce consumer payments, such as (i) threatening arrest and imprisonment; (ii) claiming consumers owed more debt than they actually did; (iii) threatening to contact employers about the existence of the debt; (iv) harassing consumers and third parties by using “intimidating, menacing, or belittling language”; and (v) failing to provide debt verification notices. Under the terms of the settlement, the defendants must pay a $2 million penalty to the CFPB and a $2 million penalty to the New York AG. The judgment provides that if the defendants fail to make timely payments, each penalty amount would increase to $2.5 million. The judgment also permanently bans the defendants from engaging in debt collection operations and prohibits them from engaging in deceptive practices in connection with consumer financial products or services.

    Federal Issues CFPB State Issues State Attorney General Consumer Finance New York CFPA FDCPA Enforcement Settlement

  • District Court grants final approval of a $500 million tribal lending settlement

    Courts

    On May 12, the U.S. District Court for the Eastern District of Virginia granted final approval of a nearly $500 million class action settlement resolving allegations that tribal online lending companies charged usurious interest rates. Plaintiffs’ filings outline their class action against tribal entities, as well as several of the entities’ non-tribal business partners (individual defendants), for making and collecting on high-interest loans.

    The U.S. Court of Appeals for the Fourth Circuit previously upheld a district court’s denial of defendants’ bid to dismiss or compel arbitration in the case (covered by InfoBytes here). The 4th Circuit concluded that the arbitration clauses in the loan agreements impermissibly forced borrowers to waive their federal substantive rights under federal consumer protection laws, and contained an unenforceable tribal choice-of-law provision because Virginia law caps general interest rates at 12 percent. As such, the appellate court stated that the entire arbitration provision was unenforceable. “The [t]ribal [l]enders drafted an invalid contract that strips borrowers of their substantive federal statutory rights,” the appellate court wrote. “[W]e cannot save that contract by revising it on appeal.”

    The 4th Circuit also declined to extend tribal sovereign immunity to the tribal officials, determining that while “the tribe itself retains sovereign immunity, it cannot shroud its officials with immunity in federal court when those officials violate applicable state law.” The appellate court further noted that the “Supreme Court has explicitly blessed suits against tribal officials to enjoin violations of federal and state law.”

    Following more than three years of litigation, the parties eventually reached a settlement that will include tribal officials canceling approximately $450 million in debt. As part of the settlement, the tribal officials will eliminate the balance on any outstanding loans on the basis that the debts are disputed, cease all collection activity, and will not sell, transfer, or assign any outstanding loans for collection. Tribal officials will also request deletion of any negative tradelines for loans in the name of tribal officials or tribal corporations, and will pay an additional $1 million to cover the costs of notice and administration for the settlement and $75,000 to go towards service awards. Additionally, the individual defendants will create a $39 million common fund that will go to class members who repaid unlawful amounts on their loans. Class counsel is also seeking attorneys’ fees and costs totaling around $13 million.

    Courts Tribal Lending Usury Settlement Online Lending Consumer Finance Interest Rate Appellate Fourth Circuit

  • District Court settles data scraping lawsuit

    Privacy, Cyber Risk & Data Security

    On May 9, the U.S. District Court for the Northern District of California issued a final judgment on consent resolving a lawsuit concerning data scraping allegations. A professional networking site (plaintiff) sued a Singapore-based company and three company founders (collectively, “defendants”) claiming the defendants violated the terms of the plaintiff’s user agreement by gaining unauthorized access to areas of the plaintiff’s platform that are only accessible to real logged-in members, scraping millions of member profile pages, and using fake member accounts and prepaid virtual debit card numbers to fraudulently obtain access to a function that provides advanced features. In alleging claims for breach of contract, fraud and deceit, and misappropriation, among others, the plaintiff claimed the defendants’ activities defrauded it out of hundreds of thousands of dollars in revenue. According to the court’s judgment, the defendants have agreed to be permanently restrained and barred from engaging in the aforementioned activities, including using scraping to access the plaintiff’s data, engaging in marketing and advertising about the availability of user data on the defendant’s website, circumventing any technological measures that control access to the plaintiff’s servers, and transferring data to third parties. “Defendants represent that they have destroyed all [plaintiff] member profile data, whether stored in electronic form or otherwise, in their possession, custody, or control and have certified in writing that they have done so,” the judgment stated. While the judgment did not include a monetary penalty, the court noted that violation of the final judgment or consent shall expose the defendants and all other persons bound by the final judgment on consent “to all applicable penalties, including contempt of Court.”

    Privacy/Cyber Risk & Data Security Courts Data Scraping Settlement

  • Defendants to pay $5.7 million for alleged data breach

    Privacy, Cyber Risk & Data Security

    On October 17, the U.S. District Court for the Northern District of Ohio granted final approval of a $5.7 million settlement in a class action against a fast-food chain (defendant) resolving allegations that it acted negligently for failing to protect customers’ data when hackers stole payment card information from more than 700 franchised restaurants. According to the order, in 2017, a data breach compromised the defendant’s customer payment data, which resulted in multiple lawsuits that were settled. In the current case, the plaintiffs sued the defendant for negligence related to insecure systems that led to the data breach. The plaintiffs alleged that the defendant’s negligence required financial institutions to spend resources to respond to the breach. Under the terms of the settlement, the defendant is required to pay under a per-card formula up to $5.73 million to resolve class member claims, which would include up to $3 million to pay class members’ claims ($1.00 per reissued card and $1.50 per card experiencing fraud within four weeks of the breach). The defendant is required to pay up to $500,000 for settlement administration, up to $30,000 for class representative service awards, and up to $2.2 million for attorneys’ fees and expenses.

    Privacy/Cyber Risk & Data Security Courts Class Action Data Breach Settlement

  • District Court approves final class action privacy settlement

    Privacy, Cyber Risk & Data Security

    On April 29, the U.S. District Court for the Western District of New York granted final approval of a class action settlement resolving privacy and data security allegations against a health insurance company and several related health insurance entities (collectively, “defendants”). According to the plaintiffs’ memorandum of support, the plaintiff filed suit in 2015, alleging that the defendants compromised the personal identifying information, Social Security numbers, and medical and financial data of approximately 9.3 million policy holders from a 2013 data breach. After the security incident was announced, 14 lawsuits were filed, which were consolidated with this case. Under the terms of the final settlement, the defendants are required to implement information security and compliance measures, and comprehensively address security risks. The settlement also includes $3.6 million in attorneys’ fees and $700,000 in litigation costs. Class representatives will be awarded service awards that range from $1,000 to $7,500 each, which will total approximately $95,500.

    Privacy/Cyber Risk & Data Security Courts Settlement Data Breach Class Action

  • National Fair Housing Alliance settles redlining allegations against real estate company

    Federal Issues

    On April 29, the National Fair Housing Alliance (NFHA) announced a settlement agreement with a real estate company resolving allegations that the company perpetuated redlining practices through its policies and procedures. NFHA, along with nine other fair housing organizations, sued the company following an investigation into its practices. The fair housing organizations alleged that the company’s minimum home price policy violated the Fair Housing Act by discriminating against sellers and buyers of homes in communities of color. Limiting or denying services for homes priced under a certain value can “perpetuate racial segregation and contribute to the racial wealth gap,” the organizations claimed in the press release. According to the complaint, the company disproportionately withheld its services from homebuyers and sellers in these communities at a higher rate than in White zip codes in multiple major cities across the U.S., thereby disincentivizing homebuying within these communities, reducing housing demand and values, and perpetuating residential segregation. Under the terms of the settlement, the company will make several national operational changes and enhancements, including (i) expanding housing opportunities for consumers in communities of color in major cities throughout the country; (ii) eliminating its minimum housing price policy for a period of five years; and (iii) appointing a fair housing compliance officer, adopting an equal opportunity in housing policy, and developing a fair housing training program. The company will also pay $4 million to go towards expanding homeownership opportunities in the covered cities and to cover conduct monitoring, compliance efforts, litigation fees and costs.

    Federal Issues Fair Housing Fair Housing Act National Fair Housing Alliance Fair Lending Discrimination Settlement Redlining

  • OFAC reaches multiple settlements to resolve Cuban sanctions violations

    Financial Crimes

    On April 21, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced a $141,442 settlement with a Colorado-based multinational mining firm for allegedly violating the Cuban Assets Control Regulations (CACR). According to OFAC’s web notice, between June 2016 and November 2017, a wholly-owned subsidiary of the firm purchased Cuban-origin explosives and explosive accessories from a third-party vendor to be used in a mine construction. The distributor, on the subsidiary’s behalf, imported Cuban-origin explosives and explosive accessories for the mine on at least four separate occasions, despite the subsidiary being “generally prohibited from dealing in Cuban-origin goods.” According to OFAC, shipping documents clearly identified that the goods were sourced from Cuba. In addition, purchase orders failed to contain express statements that items provided to the subsidiary may not originate from embargoed jurisdictions, nor did the subsidiary ask for country-of-origin information for the goods acquired from its suppliers. Additionally, OFAC contended that the subsidiary’s failure to provide appropriate export and trade sanctions training led to the apparent violations.

    In arriving at the settlement amount, OFAC considered various aggravating factors, including that (i) the parent firm and subsidiary failed to exercise reasonable due diligence to ensure they complied with U.S. Cuba sanctions requirements; and (ii) the firm and its subsidiaries and affiliates are “a large and sophisticated organization operating globally as a leading gold producer with experience and expertise in international transactions.” OFAC also considered various mitigating factors, including that (i) the apparent violations were self-disclosed and constituted a non-egregious case; (ii) the firm and subsidiary have not received a penalty notice from OFAC in the preceding five years; (iii) the amount of payments was not significant compared to the total volume of transactions undertaken on an annual basis; and (iv) the firm and its subsidiary cooperated with the investigation, signed a tolling agreement, and are currently implementing remedial measures to prevent future violations.

    Separately, OFAC also announced a $45,908 settlement with a Florida-based company affiliated with a distributor of explosives and accessories for mining operations. According to the web notice issued in this action, on four occasions in 2016 and 2017, the company and certain affiliates procured Cuban-origin explosives and related accessories from a third-party vendor originating from Cuba on behalf of a U.S. company for the U.S. company’s mining project in Suriname in violation of the CACR. OFAC contended that the company was responsible for overseeing the processing of purchase orders and invoices for these transactions, and that in 2018, after the U.S. company customer learned of the goods’ Cuban origins, it was asked to no longer procure goods from Cuba. According to OFAC, the apparent violations occurred primarily because of the company’s failure “to understand U.S. prohibitions on dealings in Cuban property or engaging in transactions related to merchandise of Cuban origin outside the United States,” adding that the company did not have a compliance program in place when the four transactions occurred, nor did it realize the transactions were prohibited until they were flagged by the customer. The company immediately ceased all activities involving Cuba after learning of the sanctions implications but did not voluntarily self-disclose the violations, which OFAC deemed non-egregious.

    In arriving at the settlement amount, OFAC considered various aggravating factors, including that (i) the company failed to “exercise a minimal degree of caution or care” when procuring Cuban-origin goods from its supplier; (ii) the company “had actual knowledge that it was financing the provision of Cuban-origin goods for export to Suriname”; and (iii) the company’s actions harmed the U.S. sanctions program. Mitigating factors included that (i) the company is small and largely overseen by one individual; (ii) the company has not received a penalty notice from OFAC in the preceding five years; and (iii) the company provided timely information and entered into a tolling agreement. Providing context for the settlement, OFAC stated that “[t]his case illustrates the risks facing companies of any size operating internationally that do not develop or maintain basic awareness of sanctions risks and do not institute appropriate measures to identify and prevent potential violations.”

    Financial Crimes Of Interest to Non-US Persons Department of Treasury OFAC OFAC Sanctions OFAC Designations Settlement Cuba

  • District Court approves final $85 million class action privacy settlement despite objections

    Privacy, Cyber Risk & Data Security

    On April 21, the U.S. District Court for the Northern District of California granted final approval of an $85 million class action settlement resolving privacy and data security allegations against a video conferencing provider. As previously covered by InfoBytes, consolidated class members claimed the company violated several California laws, including invasion of privacy, the “unlawful” and “unfair” prongs under the Unfair Competition Law, implied covenant of good faith and fair dealing, and unjust enrichment, among others. According to the more than 150 million class members (defined as individuals who “registered, used, opened or downloaded the [company’s] [m]eetings [a]pplication”), the company unlawfully shared their personal data with unauthorized third parties, failed to prevent unwanted and unauthorized meeting disruptions, and misrepresented the strength of its end-to-end encryption measures. Under the terms of the final settlement, the company will establish an $85 million fund to pay valid claims, fees and expenses, service payments, and taxes, and will make several major changes to its practices to “improve meeting security, bolster privacy disclosures, and safeguard consumer data.” Among other things, the settlement stipulates that the company will “provide in-meeting notifications to make it easier for users to understand who can see, save and share [their] information and content by alerting users when a meeting host or another participant uses a third-party application during a meeting.” Additionally, the company will educate users about available security features and ensure its privacy statement discloses the ability of users to share user data with third parties through integrated third-party software, record meetings, and/or transcribe meetings.

    The court considered several objections raised by certain class members, including concerns argued on behalf of a subclass of users who used the meeting application “as part of a business that was legally or contractually required to maintain client confidentiality as part of the services the business provided.” According to these objectors, the individual payment amounts are inadequate for individuals who held sensitive meetings. The court countered that the objectors’ claims did not differ from other class members and that the recovery is intended to cover users who did not receive the benefit of their bargain with the company, and not for “special harm arising from a duty to maintain client confidentiality.”

    Privacy/Cyber Risk & Data Security Courts Settlement Class Action Third-Party State Issues California
