InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
District Court preliminarily approves $2.35 million settlement for card data breach
On November 8, the U.S. District Court for the Northern District of Texas issued an order accepting a magistrate judge’s report preliminarily approving a consolidated class action settlement related to a restaurant chain’s payment card data breach. Class members alleged that hackers gained unauthorized access to the restaurant chain’s computer servers and payment card environment between April 2019 and October 2020, resulting in hundreds of thousands of consumers’ financial information, including credit and debit card numbers, expiration dates, cardholder names, and internal card verification codes, being compromised. Hackers then allegedly advertised the stolen information for sale on the dark web. Several lawsuits were filed alleging violations of numerous state laws that were eventually consolidated with this action. The parties negotiated a settlement prior to class certification, which would require the restaurant chain to provide a $2.35 million all-cash non-reversionary qualified settlement fund and adopt several data-security measures. Class members also would be able to file claims for out-of-pocket losses, elect for a cash payments, and request credit monitoring services.
The magistrate judge’s report recommended that the proposed class settlement be preliminarily approved as it “will likely be found fair at the final approval stage” and the offered relief “is both procedurally and substantively adequate.” The magistrate judge disagreed with objections raised by certain plaintiffs who argued, among other things, “that the proposed settlement is ‘substantively inadequate’ because the amount of funds available per potential class member is ‘far too low.’” However, according to the magistrate judge’s report, when compared to other settlements approved in other data breach cases, it is “clear that the proposed settlement is at least in line with if not better than what any proposed plaintiff could have expected coming into the litigation.” The magistrate judge also refuted the objecting plaintiffs’ assertion that the proposed settlement treats class members differently by providing plaintiffs who can establish out-of-pocket losses with up to $5,000, California residents without losses with $100, and non-California residents without losses with $50. “The Settling Plaintiffs have adequately demonstrated why this extra recovery for California class members [is] equitable, if not equal. Namely, class members from California could bring California state law claims which provide for $100-$750 in statutory damages,” the report said, adding that “class members from California have a stronger basis for damages than do class members from outside the state—who may only be able to show nominal or incidental damages as a result of [the restaurant chain’s] breach of contract—and so their modestly increased recovery is justified.”
Mortgage servicer must pay $4.5 million in payment service fee suit
On November 7, the U.S. District Court for the Southern District of West Virginia granted final approval of a class action settlement, resolving allegations that a defendant mortgage servicer charged improper fees for optional payment services in connection with mortgage payments made online or over the telephone. The plaintiffs' memorandum of law in support of its motion for final approval of the settlement alleges the defendant engaged in violations of the West Virginia Consumer Credit Protection Act, breach of contract, and unjust enrichment with respect to the fees. According to the memorandum, before deduction of attorneys’ fees and expenses, administrative costs, and any service award, the $4.5 million settlement fund represents approximately $216 per fee paid to the defendant by the putative class members. The court also approved $1.5 million in attorney’s fees, plus $4,519.20 in expenses, along with a $15,000 service award for the settlement class representative.
District Court approves $14 million wireless rates settlement
On November 8, the U.S. District Court for the Northern District of California granted final approval to a $14 million settlement resolving allegations that a telecommunications company made misleading claims regarding its administrative fees. According to the plaintiffs’ memorandum of points and authorities in support of motion for preliminary approval of class settlement, current and former wireless-service customers of the defendant (plaintiffs) with post-paid wireless service plans were charged an improper administrative fee. The plaintiffs alleged, generally, that the defendant’s representations and advertisements regarding the monthly price of its post-paid wireless service plans were misleading because the prices did not include the administrative fee, and that the defendant implemented and charged the administrative fee in a deceptive and unfair manner. According to the terms of the $14 million settlement agreement, $3.5 million of the award will cover attorney fees and costs, with additional funds allocated to cover litigation expenses.
District Court preliminary approves $4.3 million data breach settlement
On November 4, the U.S. District Court for the Eastern District of Michigan granted preliminary approval of a $4.3 million class action settlement regarding a data breach, following the filing of the plaintiffs’ unopposed motion for preliminary approval of class action settlement. After a plaintiff consolidated her suit with other similar lawsuits, the plaintiff class sued the defendant for negligence, unjust enrichment, and breach of contract, alleging their personal information was stolen from the defendant during a malware attack due to lack of cybersecurity measures. The settlement provides for, among other things, three years of free credit-monitoring services for the plaintiff class, up to $2,500 per member to cover out-of-pocket expenses related to the breach, up to $80 per member to cover lost time remedying issues related to the breach, $75 per member for California residents for claims under state statutes, and a year of password-managing services. The plaintiffs are seeking service awards of $1,500 for each of the 15 representative plaintiffs. The motion also noted that class counsel will ask the court for just over $1.4 million in attorneys’ fees to be deducted from the settlement fund.
4th Circuit vacates $10.6 million judgment, orders district court to reevaluate class standing
On October 28, the U.S. Court of Appeals for the Fourth Circuit remanded a $10.6 million damages award it had previously approved in light of the U.S. Supreme Court’s decision in TransUnion LLC v. Ramirez. As previously covered by InfoBytes, in January, the Supreme Court vacated the judgment against the defendants and ordered the 4th Circuit to reexamine its decision in light of TransUnion (which clarified the type of concrete injury necessary to establish Article III standing, and was covered by InfoBytes here). Previously, a divided 4th Circuit affirmed a district court’s award of $10.6 million in penalties and damages based on a summary judgment that an appraisal practice common before 2009 was unconscionable under the West Virginia Consumer Credit and Protection Act (covered by InfoBytes here). During the appeal, the defendants argued that summary judgment was wrongfully granted and that the class should not have been certified since individual issues predominated over common ones, but the appellate court majority determined, among other things, that there was not a large number of uninjured members within the plaintiffs’ class because plaintiffs paid for independent appraisals and “received appraisals that were tainted.” At the time, the 4th Circuit “concluded that the ‘financial harm’ involved in paying for a product that was ‘never received’ was ‘a classic and paradigmatic form of injury in fact.’” On remand, the 4th Circuit considered questions of standing and ultimately determined that TransUnion requires the district court to reevaluate the standing of class members.
District Court approves data scrape settlement
On October 20, the U.S. District Court for the Northern District of California granted final approval to a class action settlement resolving claims that a social media platform (defendant) scraped consumer data for advertising purposes. According to the plaintiffs’ motion for preliminary approval, the defendant allegedly scraped a group of mobile company users’ call and text logs without consent by exploiting a vulnerability in the permission settings for the defendant’s message application. In its third amended complaint, the plaintiffs argued that consumers granted the defendant permission to access their phones’ contact lists, but did not consent to scraping their call and text logs, which included the date and time of phone calls, the phone numbers dialed, the names of the individuals called and the duration of each call, as well as whether each call was incoming, outgoing or missed. The plaintiffs further alleged that the defendant did not explicitly notify them that their data was being collected prior to the vulnerability being patched in October 2017, when the defendant ceased its scraping practice. The settlement requires the defendant to delete all call and text history data that it is not legally obligated to preserve, and provides for a $1.08 million attorney fee request and $1,500 incentive awards for class representatives.
District Court preliminarily approves data breach settlement
On October 24, the U.S. District Court for the District Court of Colorado granted preliminary approval of a class action settlement resolving claims that a defendant failed to safeguard personally identifiable information (PII) during a data breach. According to the plaintiffs’ unopposed motion for preliminary approval of class action settlement and supporting memorandum, in December 2021, the defendant determined that an unauthorized third party gained access to and gathered data from its computer network in June 2021. The plaintiffs further alleged that, “if [the defendant] ‘properly monitor[ed] … [its] computer network and systems that housed the … [PII],’ [the defendant] ‘would have discovered the intrusion sooner.’” Furthermore, the plaintiffs alleged that the defendant failed to provide “timely and adequate notice” to the plaintiff class, and filed claims for negligence, breach of implied contract, and invasion of privacy by intrusion. The settlement also includes a provision for the defendant to pay directly for credit monitoring and identity theft protection services, not limited by the $475,000 cap, along with about $51,000 for settlement administration costs. The plaintiffs would also be able to seek up to $210,000 for attorney fees and costs, and a total $5,000 for service awards to the named plaintiffs.
New Jersey reaches $495 million RMBS settlement with Swiss bank
On October 17, the New Jersey attorney general’s office announced it had reached a $495 million agreement in principle with a Swiss bank to resolve allegations related to its residential mortgage-backed securities (RMBS) practices leading up to the 2008 financial crisis. The AG stated that if finalized, the settlement will be one of the state’s largest civil monetary recoveries in history. According to the AG, the bank violated New Jersey’s securities laws by making material misrepresentations about the risks of the RMBS in offering documents, including by purportedly failing to disclose to investors material defects about the underlying mortgages. The announcement further stated that the bank allegedly sold the RMBS through registration statements, prospectuses, and other offering materials that contained fraudulent representations about the quality of the underlying loans, and allegedly “failed to disclose to investors the wholesale abandonment of underwriting guidelines designed to ensure that the mortgage loans underlying its securities trusts were made in accordance with appropriate lending guidelines; that numerous loan originators had poor track records of defaults and delinquencies; and that some loan originators had even been suspended from doing business with [the bank].” While neither admitting nor denying the allegations, the bank agreed to pay a $100 million civil monetary penalty and will provide approximately $300 million in restitution for affected investors. The bank is also permanently enjoined from future violations of state securities laws.
New York announces $1.9 million data breach settlement with global retailer
On October 12, the New York attorney general announced a $1.9 million settlement with an international e-commerce retailer for failing to properly handle a 2018 data breach. According to the settlement, the e-commerce owns and operates two brands (collectively, “respondents”), which experienced a data breach that caused 39 million accounts to be stolen, including accounts for more than 800,000 New York residents. The AG found, among other things, that the respondents failed to properly safeguard consumers’ information, failed to adhere to requirements for protecting stored credit card data, and misrepresented the extent of the cyberattack to consumers. As a result of the settlement, the respondents are required to pay New York $1.9 million in penalties and costs, and must maintain a comprehensive information security program that includes robust hashing of customer passwords, among other things.
Bank agrees to pay $1.8 billion to settle RMBS bond insurance claims
On October 7, a national bank announced in a regulatory filing that it has agreed to pay $1.84 billion to settle claims brought by a bond insurer concerning policies provided on residential mortgage-backed securities before the 2008 financial crisis. According to the regulatory filing, the agreement will “resolve all pending [bond insurer] lawsuits” (containing damages claims of more than $3 billion) against the bank and its subsidiaries, will cause all pending litigation to be dismissed with prejudice, and will release the bank and its subsidiaries from “all outstanding claims” related to bond insurance policies for certain securitized pools of residential mortgage loans.