InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
District Court preliminarily approves $2.25 million settlement resolving credit card upgrade claims
On August 29, the U.S. District Court for the District of New Jersey preliminarily approved a class action settlement in which a national bank agreed to pay $2.25 million to resolve misleading credit card upgrade claims made to secured credit card holders. Plaintiffs alleged in their motion for preliminary approval that they each signed an agreement with the bank that said if they used and maintained a secured credit card account for seven consecutive billing months without defaulting they would be eligible to automatically “graduate” to an unsecured credit card. Transitioning to an unsecured credit card allows customers to regain control of the collateral deposits and receive a prorated refund of the annual fee they paid while they had secured cards, plaintiffs asserted. Plaintiffs claimed that while the bank’s “form contract and promotional materials promised a meaningful review of secured card accounts after seven months in good standing that review, in fact, did not occur in a fashion consistent with the parties’ contract.” The bank denied the claims. According to court documents, this past January the bank amended the graduation provision at issue in its agreement for secured credit cards to “more adequately disclose how a cardholder becomes eligible for an unsecured credit card.” The court deemed the proposed settlement to be “fair, adequate and reasonable to the settlement class,” and granted class certification. If granted final approval, class members would be awarded a portion of the annual fee paid on their secured credit card.
California fines cosmetics chain for privacy violations
On August 24, the California attorney general announced that following an investigative sweep into online retailers, it entered into a $1.2 million settlement with a cosmetics chain for its alleged failure to disclose to consumers that it was selling their personal information, failure to process user requests to opt-out of such sale via user-enabled global privacy controls, and failure to cure such violations within the 30-day period allowed by the California Consumer Privacy Act (CCPA). The action reaffirms the state’s commitment to enforcing the law and protecting consumers’ rights to fight commercial surveillance, AG Bonata said, emphasizing that “today’s settlement sends a strong message to businesses that are still failing to comply with California’s consumer privacy law. My office is watching, and we will hold you accountable. It’s been more than two years since the CCPA went into effect, and businesses’ right to avoid liability by curing their CCPA violations after they are caught is expiring. There are no more excuses. Follow the law, do right by consumers, and process opt-out requests made via user-enabled global privacy controls.”
According to a complaint filed in California Superior Court, third parties monitored consumers’ purchases and created profiles to more effectively target potential customers. The company’s arrangement with these third parties constituted a sale of consumer personal information under the CCPA, therefore triggering certain basic obligations, including telling consumers that it is selling their information and allowing consumers to easily opt-out of the sale of their information. According to the complaint, the company failed to take any of these measures.
Under the terms of the settlement, the company is required to pay a $1.2 million penalty and must disclose to California customers that it sells their personal data and provide a mechanism for consumers to opt out of a sale of their information, including through user-enabled global privacy controls like the Global Privacy Control (GPC). Additionally, the company must ensure its service provider agreements meet CCPA requirements and provide reports to the AG related to its sale of personal information, the status of its service provider relationships, and its efforts to honor the GPC.
The press release also announced that notices were sent to several businesses alleging non-compliance concerning their failure to process consumer opt-out requests made via user-enabled global privacy controls. The AG reiterated that under the CCPA, “businesses must treat opt-out requests made by user-enabled global privacy controls the same as requests made by users who have clicked the “Do Not Sell My Personal Information” link. Businesses that received letters today have 30 days to cure the alleged violations or face enforcement action from the Attorney General.”
District Court preliminarily approves data breach class action settlement
On August 24, the U.S. District Court for the Southern District of New York preliminarily approved a putative consolidated class action settlement that would reimburse members for out-of-pocket costs or expenditures actually incurred in connection with a February 2020 data breach. According to class members’ memorandum in support of their motion for preliminary approval of the settlement, the data breach may have exposed the personal financial information (PFI) of approximately 10,300 individuals, including names, addresses, Social Security numbers, driver’s license numbers, bank account numbers, passport numbers, dates of birth, and other information. Class members alleged that defendants failed to adequately protect the PFI of current and former employees and their beneficiaries, and that the resulting data breach “was a direct result of defendants’ failure to implement adequate and reasonable cybersecurity procedures and protocols necessary to protect PFI.” If granted final approval, the settlement will provide each class member the opportunity to make a claim for up to $3,500 in reimbursements for out-of-pocket expenses actually incurred, and compensation for up to four hours of lost time spent remedying issues fairly traceable to the data breach at $18 per hour. Additionally, class members will be given 18 months of credit monitoring protections.
D.C. reaches $2.54 million settlement with online delivery company
On August 17, the Superior Court of the District of Columbia issued a consent order and judgment against an online delivery company resolving claims that it charged consumers millions of dollars in deceptive service fees. According to a press release issued by the D.C. AG, from 2016 until 2018, the company allegedly misled consumers into believing that service fees charged on their orders were tips that went to delivery workers. Instead, these fees went to the company to subsidize operating expenses. Without admitting any wrongdoing, the company agreed to pay $1.8 million to the district to go towards restitution and cover litigation costs. The company also agreed it will not seek refunds of $739,057 in previously disputed sales tax payments and will collect and remit sales tax on the total amount of the sales price it charges consumers going forward. Additionally, the company will cease making any misrepresentations about the nature of fees on consumer orders.
District Court approves $84 million payment processing settlement
On August 17, the U.S. District Court for the District of Nebraska granted final approval of an $84 million class action settlement resolving allegations that a payment processing company’s billing practices overcharged merchants. Class members retained the company to process credit card payments and claimed that the company allegedly charged fees that did not align with the terms of their contracts. Class members accused the company of Racketeer Influenced and Corrupt Organizations Act violations, breach of contract, and fraudulent concealment related to allegations that the company assessed noncompliance fees, increased contractual credit card discount rates, and shifted credit card transactions from lower-cost rate tiers to higher-cost rate tiers. Under the terms of the settlement, the company will pay up to $84 million into a settlement fund, which will provide cash benefits to class members and cover administrative costs, attorney fees, and other expenses.
District Court grants final approval of data breach settlement
On August 9, the U.S. District Court for the Western District of North Carolina granted final approval of a class action settlement resolving allegations that two hemp companies (collectively, “defendants”) were involved in data breaches. According to the plaintiffs’ unopposed motion for final approval of the class action settlement, the defendants notified the SEC, various states’ attorneys general, and thousands of affected customers about two data breaches that occurred through their website on two different occasions. The plaintiffs alleged that the incident allowed hackers to “scrape[]” many of the defendants’ consumers’ names from the website by infecting the ecommerce platform with a “malicious code,” and stole the personally identifiable information of approximately 40,000 customers. According to the settlement, the deal will provide that class members can receive as much as $210 for out-of-pocket expenses such as card replacement fees, overdraft fees, interest, and up to $80 in costs for obtaining credit monitoring and identity theft protection, among other things. The district court also approved $2,500 payments to the lead plaintiffs as service awards.
District Court grants final approval to forgive $6 billion in student loans
On November 15, the U.S. District Court for the Northern District of California granted final approval to a class action settlement to forgive certain federal student loan borrower debt. According to the motion for preliminary approval, the plaintiffs are federal student loan borrowers who filed borrower defense (BD) applications with the Department of Education, requesting that the Department discharge their federal student loans because of misconduct committed by their schools. They brought the case to challenge the Department’s delay in making decisions on BD applications. The motion noted that the plaintiffs alleged, “the Department’s inaction was due to a deliberate and uniform policy abandoning BD decision making, a choice that caused a mounting backlog.” In a supplemental complaint filed after discovery, plaintiffs further alleged that the Department “adopted an unlawful policy that presumptively denied BD applications regardless of their merit, and then, pursuant to this policy, sent tens of thousands of legally insufficient denial notices (the ‘Form Denial Notices’) to borrowers, including some of the Named Plaintiffs.” The class consists of approximately 264,000 people who have a BD application pending as of June 22, 2022. The “automatic relief group” consists of applicants who attended one of more than 150 colleges for which the Department found common evidence of institutional misconduct. The motion also noted “it has determined that every class member whose relevant loan debt is associated with those schools should be provided presumptive relief under the settlement due to strong indicia regarding substantial misconduct by the listed schools, whether credibly alleged or in some instances proven, and the high rate of class members with applications related to the listed schools.” Under the terms of the settlement, $6 billion in loans will be canceled for the borrowers.
OFAC sanctions Iranian petrochemical network
On August 1, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions pursuant to Executive Order 13846 against companies used by one of Iran’s largest petrochemical brokers to facilitate the sale of Iranian petroleum and petrochemical products from Iran to East Asia. The designations follow OFAC sanctions announced on July 6 against a network of individuals and entities for facilitating the delivery and sale of hundreds of millions of dollars’ worth of Iranian petroleum and petrochemical products from Iranian companies to East Asia through a web of Gulf-based front companies (covered by InfoBytes here). As a result of the sanctions, all property and interests in property of the sanctioned persons subject to U.S. jurisdiction, as well as any entities owned 50 percent or more by such persons, are blocked and must be reported to OFAC. U.S. persons are also generally prohibited from entering into transactions with the sanctioned persons. Additionally, OFAC warned that “any foreign financial institution that knowingly facilitates a significant transaction for any of the individuals or entities designated today could be subject to U.S. sanctions.”
State AGs announce settlement to resolve alleged data security breach
On July 26, a coalition of state attorneys general, co-led by the New Jersey AG and Pennsylvania AG, announced a settlement with a Pennsylvania-based convenience store chain related to an alleged data breach that compromised payment cards of consumers. According to the Assurance of Voluntary Compliance, the company experienced a breach of security between April 2019 and December 2019 that exposed consumer payment card data, including customers’ card numbers, expiration dates and cardholder names in New Jersey, Pennsylvania, Florida, Delaware, Maryland, and Virginia, as well as Washington, D.C. The AGs alleged that the company “failed to employ reasonable data security measures,” in violation of the states’ Consumer Protection Acts and Personal Information Protection Acts. Under the terms of the settlement, the company—without admitting to the allegations—has agreed to pay an $8 million fine, of which New Jersey is to receive approximately $2.5 million. The settlement also requires the company to strengthen its network protections and take measures to better protect consumer payment data.
Court grants final approval of privacy class action settlement
On July 20, the U.S. District Court for the Northern District of California granted final approval of a class action settlement in a suit against a fintech company alleged to have accessed the personal banking data of users without first obtaining consent, in violation of California privacy, anti-phishing, and contract laws. As previously covered by InfoBytes, the district court granted preliminary approval of the $58 million settlement in November. In granting final approval of the settlement, the court determined it was adequate, and noted that the plaintiffs’ claim that the defendant’s practices breached California’s anti-phishing law was “relatively untested.” In addition to the $58 million settlement fund, the settlement provides for injunctive relief.