InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
District Court gives final approval in TCPA class action settlement
On June 24, the U.S. District Court for the Eastern District of New York granted final approval of a $38.5 million settlement in a class action against a national gas service company and other gas companies (collectively, defendants) for allegedly violating the TCPA in connection with calls made to cell phones. As previously covered by InfoBytes, the plaintiff’s memorandum of law requested preliminary approval of the class action settlement. The settlement establishes a settlement class of all U.S. residents who “from March 9, 2011 until October 29, 2021, received a telephone call on a cellular telephone using a prerecorded message or artificial voice” regarding several topics including: (i) the payment or status of bills; (ii) an “important matter” regarding current or past bills and other related issues; and (iii) a disconnect notice concerning a current or past utility account. Under the terms of the settlement, the defendants will provide monetary relief to claiming class members in an estimated amount between $50 and $150. The settlement will additionally require the companies to implement new training programs and procedures to prevent any future TCPA violations. The settlement permits counsel for the proposed class to seek up to 33 percent of the settlement fund to cover attorney fees and expenses.
District Court approves $1.4 million FCRA settlement
On June 17, the U.S. District Court for the Southern District of California granted final approval of a class action settlement resolving claims that a hospitality company violated the FCRA and various California laws. According to the order, plaintiffs filed a putative class action alleging that the company violated the FCRA by failing to make proper disclosures and obtain proper authorization during its hiring process. Additionally, the plaintiffs claimed that the company’s background check forms were allegedly defective because they “contained information for multiple states for whom background checks were run” in violation of California’s Investigative Consumer Reporting Agencies Act and other California laws. Under the terms of the settlement, the defendant will pay nearly $1.4 million, of which class members will receive $821,714 in total ($63.29 per class member), $10,127 will go towards settlement administration costs, $349,392 will cover attorneys’ fees, and $5,000 will be paid to each of the two named plaintiffs.
States reach $1.25 million data breach settlement with cruise line
On June 22, a coalition of state attorneys general from 45 states and the District of Columbia announced a $1.25 million settlement with a Florida-based cruise line, resolving allegations that it compromised the personal information of employees and consumers as a result of a data breach. According to the announcement, in March 2020 the company publicly reported that the breach involved an unauthorized actor gaining access to certain employee email accounts. The breach notifications sent to the AGs' offices stated the company first became aware of suspicious email activity in late May of 2019, approximately 10 months before it reported the breach. An ensuing multistate effort focused on the company’s email security practices and compliance with state breach notification statutes. The announcement explained that “’unstructured’ data breaches, like the [company’s] breach, involve personal information stored via email and other disorganized platforms” and that “[b]usinesses lack visibility into this data, making breach notification more challenging and causing further risks for consumers with the delays.”
Under the terms of the settlement, the company has agreed to provisions designed to strengthening its email security and breach response practices, including, among other things: (i) implementing and maintaining a breach response and notification plan; (ii) requiring email security training for employees; (ii) instituting multi-factor authentication for remote email access; (iii) requiring the use of strong, complex passwords, password rotation, and secure password storage for password policies and procedures; (iv) maintaining enhanced behavior analytics tools to log and monitor potential security events on the company’s network; and (v) undergoing an independent information security assessment, consistent with past data breach settlements.
District Court certifies class in website accessibility ADA suit
On June 10, the U.S. District Court for the Western District of Pennsylvania certified a putative class action against an online apparel company related to alleged violations of the Americans with Disabilities Act (ADA). The plaintiff claimed that he was unable to access the defendant’s website because the website did not facilitate access to customers using screen readers or other auxiliary aids. This lack of access made the website not fully accessible to individuals who are blind or visually impaired—a “violation of the effective communications and equal access requirements of Title III” of the ADA. The plaintiff sued, seeking to include a class of similarly situated blind and visually impaired individuals who use screen readers or other auxiliary aids to access the defendant’s website and/or mobile app. According to the plaintiff, the defendant failed to have in place adequate policies and practices to ensure its website was fully accessible, and that, although the defendant maintains a single brick-and-mortar location, most of its sales are digital. In certifying the class, the court determined, among other things, that the defendant’s “website and other digital properties affected all members of the class, and thus the class as a whole shares the same interest in obtaining the injunctive relief provided by the settlement—prospective changes to [defendant’s] digital properties.” The court also preliminarily approved the proposed class action settlement, which requires, among other things, that the defendant make several changes to its policies and procedures to ensure accessibility of its digital properties and to make sure it complies with the Web Content Accessibility Guidelines 2.1.
District Court grants preliminary approval of class action settlement in data breach case
On June 21, the U.S. District Court for the Southern District of New York granted preliminary approval of a class settlement in an action against a cable TV and communications provider (defendant) for failing to protect current and former employees’ (plaintiffs) personal information and prevent a 2019 phishing attack. According to the plaintiffs’ supplemental memorandum in support of preliminary approval of settlement, the defendant notified the plaintiffs (as well as the attorneys general of several states) that a successful phishing campaign was launched against them. The phishing scheme resulted in cybercriminals being able to “access” and “download” a report containing the unencrypted personally identifiable information (PII) of 52,846 plaintiffs. The plaintiffs alleged that as a result of the data security incident they suffered concrete injuries, including, inter alia, identity theft, the exposure of their PII to cybercriminals, a substantial risk of identity theft, and actual losses. Under the terms of the preliminarily approved settlement, class members are eligible to enroll in three years of identity protection and credit monitoring, and may receive reimbursement of out-of-pocket expenses and compensation for up to three hours spent dealing with the security incident.
Special Alert: DOJ settles claims of algorithmic bias
On June 21, the United States Department of Justice announced that it had secured a “groundbreaking” settlement resolving claims brought against a large social media platform for allegedly engaging in discriminatory advertising in violation of the Fair Housing Act. The settlement is one of the first significant federal actions involving claims of algorithmic bias and may indicate the complexity of applying “disparate impact” analysis under the anti-discrimination laws to complex algorithms in this area of increasingly intense regulatory focus.
District Court issues judgment against student debt relief operation
On June 10, the U.S. District Court for the Central District of California entered a stipulated final judgment and order against an individual defendant who participated in a deceptive debt-relief operation. As previously covered by InfoBytes, in 2019, the Bureau, along with the Minnesota and North Carolina attorneys general, and the Los Angeles City Attorney (together, the “states”), announced an action against the student loan debt relief operation for allegedly deceiving thousands of student-loan borrowers and charging more than $71 million in unlawful advance fees. In the third amended complaint, the Bureau and the states alleged that since at least 2015, the debt relief operation violated the CFPA, TSR, FDCPA, and various state laws by charging and collecting improper advance fees from student loan borrowers prior to providing assistance and receiving payments on the adjusted loans. In addition, the Bureau and the states claimed that the debt relief operation engaged in deceptive practices by, among other things, misrepresenting: (i) the purpose and application of fees they charged; (ii) their ability to obtain loan forgiveness for borrowers; and (iii) their ability to actually lower borrowers’ monthly payments. Moreover, the debt relief operation allegedly failed to inform borrowers that it was their practice to request that the loans be placed in forbearance and also submitted false information to student loan servicers to qualify borrowers for lower payments.
Under the terms of the final judgment, in addition to various forms of injunctive relief, the individual defendant must pay a $1 civil money penalty to the Bureau and $5,000 each to Minnesota, North Carolina, and California. The individual defendant is also “liable, jointly and severally, in the amount of $95,057,757, for the purpose of providing redress to Affected Consumers,” although his obligation to pay this amount is “suspended based on [his] inability to pay.”
DOJ: $4.5 million judgment in case targeting Hispanic homeowners
On June 10, the DOJ announced that the U.S. District Court for the Middle District of Florida entered a consent order against several defendants accused of violating the Fair Housing Act by targeting Hispanic homeowners for predatory mortgage loan modification services. After several Hispanic homeowners filed discrimination complaints with HUD, the agency conducted an investigation, issued charges of discrimination, and referred the matter to the DOJ for litigation. According to the DOJ’s complaint, the defendants targeted Hispanic homeowners with deceptive Spanish-language advertising “that falsely promised to cut their mortgage payments in half” and guaranteed “lower payments in a specific timeframe in exchange for thousands of dollars of upfront fees and continuing monthly fees of as much as $550, which defendants claimed were ‘non-refundable.’” The DOJ further contended that many of the targeted Hispanic homeowners (who had limited English proficiency) were told not to communicate with their lenders and were instructed to stop making monthly mortgage payments; however, the defendants allegedly “did little or nothing to obtain the promised loan modifications,” leading to defaults and foreclosures.
The consent order, reached in partnership with the Civil Rights Division’s Housing Section, enters a nearly $4.6 million judgment (which is mostly suspended) against the defendants to compensate harmed homeowners. Of this amount, $95,000 in total will go to three individuals who intervened as plaintiffs in the DOJ’s lawsuit. Defendants must also pay a $5,000 civil penalty. In addition to monetary relief, the consent order permanently enjoins defendants “from providing any mortgage relief assistance services, including, but not limited to, mortgage loan modification, foreclosure rescue, or foreclosure defense services.” The consent order also imposes training and reporting/recordkeeping requirements for defendants’ other real-estate activities.
District Court approves data breach settlement
On June 8, the U.S. District Court for the Southern District of New York granted a plaintiffs’ motion for final approval of a class action settlement resolving claims that several retail businesses failed to establish reasonable safeguards that led to a data breach. According to the opinion, the plaintiff alleged that a syndicate accessed cardholder information and sold it on the so-called dark web. The plaintiffs also claimed that the breach caused them to spend time monitoring their accounts, safeguarding account information, and, for some plaintiffs, resolving fraudulent charges and withdrawals. The settlement provides for two different levels of payments to affected consumers. Tier 1 claimants, who must provide proof of a payment transaction during the period of the breach and confirm that they spent time monitoring account information after the breach, will receive $30. Tier 2 claimants will be reimbursed for documented out-of-pocket expenses incurred as a result of the breach, such as costs and expenses related to identity theft or fraud, late fees, and unauthorized charges and withdrawals, in an amount not to exceed $5,000. The total amount to be paid to class members is approximately $278,000.
District Court preliminarily approves $63 million data breach settlement
On June 7, the U.S. District Court for the District of Columbia granted preliminary approval of a class action settlement resolving claims that a government agency and its contractor (collectively, defendants) did not detect hackers because they failed to establish reasonable safeguards that led to a data breach. According to the memorandum of law in support of the plaintiff’s motion for preliminary approval, a data breach occurred in June 2015 that compromised financial records, Social Security numbers, and other personal information of anyone who underwent a background check at the agency since 2000. The agency allegedly controlled numerous electronic systems without valid authorizations, failed to implement multi-factor authentication for accessing systems, failed to patch, segment, and continuously monitor systems, and failed to implement centralized data security protocols. According to the plaintiff’s motion, the settlement (if granted final approval) would require the U.S. government to pay $60 million of the settlement fund and the contractor to pay $3 million. The settlement agreement provides that “[e]ach valid claim will be paid at $700, except that if the actual amount of documented loss exceeds $700, the claim will be paid in that amount, up to $10,000.”
Pages
Upcoming Events
- Kathryn L. Ryan and Jedd R. Bellman to discuss “Risk and compliance management: Are you covered?” at a Mortgage Bankers Association webinar
- Melissa Klimkiewicz and Daniel A. Bellovin to discuss “Things to know about flood insurance” at a NAFCU webinar
- Hank Asbill to discuss “Ethical issues at sentencing” at the 31st Annual National Seminar on Federal Sentencing
- Max Bonici will moderate a panel on “Enforcement risk and other regulatory and compliance issues related to crypto and digital assets” at the American Bar Association’s 2022 Annual Meeting
- John R. Coleman to provide a “CFPB Update” at MBA’s 2022 Regulatory Compliance Conference
- Amanda R. Lawrence to discuss “The shifting data privacy and data protection landscape” at MBA’s 2022 Regulatory Compliance Conference
- Jeffrey P. Naimon to provide “An update on key fair lending cases and the CRA and UDAAP rules” at MBA’s 2022 Regulatory Compliance Conference
- Benjamin W. Hutten to discuss “Fundamentals of financial crime compliance” at the Practicing Law Institute
- Benjamin W. Hutten to discuss “Ongoing CDD: Operational considerations” at NAFCU’s Regulatory Compliance & BSA Seminar
- James C. Chou to discuss ransomware at NAFCU’s Regulatory Compliance & BSA seminar