
InfoBytes Blog

Financial Services Law Insights and Observations


  • OFAC settles with bank for alleged Foreign Narcotics Kingpin Sanctions Regulations violations

    Financial Crimes

    On July 15, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced a $430,500 settlement with a subsidiary of a national bank for allegedly processing transactions in violation of the Foreign Narcotics Kingpin Sanctions Regulations. According to OFAC’s web notice, between May 2018 and July 2018, the bank allegedly processed 214 transactions totaling $155,189, in violation of OFAC’s Kingpin sanctions. Specifically, OFAC noted that the processed transactions were for an account whose supplemental card holder was designated in connection with illegal drug distribution and money laundering.

    In arriving at the settlement amount of $430,500, OFAC considered various aggravating factors, including that the bank “is a large and sophisticated financial institution with a global presence,” and “conferred $155,189.42 in economic benefit to an account associated with a [person] who was designated for involvement in illegal drug distribution and money laundering.” OFAC also considered various mitigating factors, including that the bank cooperated with OFAC throughout the investigation, and has undertaken remedial measures intended to minimize the risk of recurrence of similar conduct.

    Financial Crimes Of Interest to Non-US Persons Department of Treasury Settlement Anti-Money Laundering OFAC OFAC Sanctions OFAC Designations Enforcement

  • District Court approves contact tracing suit settlement

    Courts

    On October 31, the U.S. District Court for the Northern District of California granted plaintiffs’ motion for attorneys' fees, expenses, and service awards related to a class action settlement alleging that an internet platform (defendant) violated the California Confidentiality of Medical Information Act, as well as other state laws through its “contact tracing” system that operated on consumers’ mobile devices. According to the motion, the defendant co-designed a digital contact tracing system to combat the spread of COVID-19 on mobile devices using the defendant’s mobile device operating system. The plaintiffs alleged that the defendant unlawfully exposed confidential medical information and personally identifying information through this system. Furthermore, the plaintiffs alleged that the defendant's system was "fundamentally flawed in its design and implementation" because it left users’ private medical and personally identifying information unprotected on mobile device “system logs” to which the defendant and third parties had routine access. Under the terms of the settlement, class counsel will receive approximately $1.95 million in attorneys’ fees and $56,457.44 in expenses. Additionally, the defendant must pay service awards to class representatives.

    Courts Privacy/Cyber Risk & Data Security Covid-19 Class Action Settlement

  • District Court preliminarily approves $3.7 million data breach settlement

    Privacy, Cyber Risk & Data Security

    On June 30, the U.S. District Court for the Central District of California preliminarily approved an approximately $3.7 million consolidated class action settlement resolving claims arising from a defendant restaurant chain’s 2021 data breach. According to class members’ memorandum in support of their motion for preliminary approval of the settlement, the data breach exposed current and former employees’ personal identifying information (PII), including names and Social Security numbers. Following an investigation, the defendant sent notices to roughly 103,767 individuals whose PII may have been subject to unauthorized access and offered impacted individuals one year of free credit and identity monitoring services. Putative class actions were filed claiming the defendant failed to adequately safeguard its current and former employees’ (and their family members’) electronically stored PII, and alleging, among other things, violations of California’s Unfair Competition Law, Customer Records Act, and Consumer Privacy Act. If the settlement is granted final approval, each class member will be eligible to make a claim for up to $1,000 in reimbursements for expenses and lost time, and up to $5,000 in reimbursements for extraordinary expenses for identity theft related to the data breach. California settlement subclass members will also be entitled to $100 as a statutory damages award. Additionally, all class members will be eligible to enroll in two-years of three-bureau credit monitoring. The defendant may also be responsible for attorneys’ fees, costs, and service awards.

    Privacy/Cyber Risk & Data Security Courts State Issues Class Action Data Breach California Settlement

  • New York fines supermarket chain $400,000 for mishandled consumer data

    Privacy, Cyber Risk & Data Security

    On June 30, the New York attorney general announced a settlement with a New York-based supermarket chain (respondent) for allegedly leaving more than three million customers’ personal information in unsecured, misconfigured cloud storage containers, which made the data potentially easy to access. The compromised data included customer account usernames and passwords, as well as customer names, email addresses, mailing addresses, and additional data derived from drivers’ license numbers. According to the assurance of discontinuance, a security researcher informed the respondent in 2021 that one of the cloud storage containers had been misconfigured from its creation in January 2018 until April 2021, potentially exposing customers’ personal information. A second misconfigured container was identified in May 2021 that had been publicly accessible since November 2018, the AG said, noting that the respondent “immediately reviewed its cloud environment and identified the container, which had a database backup file with over three million records of customer email addresses and account passwords.” The AG asserted that the respondent also “failed to inventory its cloud assets containing personal information, secure all user passwords, and regularly conduct security testing of its cloud assets.” Nor did the retailer maintain long-term logs of its cloud assets, making it difficult to investigate security incidents, the AG said.

    The terms of the settlement require the respondent to pay $400,000 in penalties to the state. The respondent has also agreed to (i) maintain a comprehensive information security program, including reporting security risks to the company's leadership; (ii) establish practices and policies to maintain an inventory of all cloud assets and to ensure all cloud assets containing personal information have appropriate measures to limit access; (iii) develop a penetration testing program and implement centralized logging and monitoring of cloud asset activity; (iv) establish appropriate password policies and procedures for customer accounts; (v) maintain a reasonable vulnerability disclosure program to enable third parties to disclose vulnerabilities; (vi) establish appropriate practices for customer account management and authentication; and (vii) update its data collection and retention practices to ensure it only collects customers’ personal information when there is a reasonable business purpose for the collection and permanently deletes all personal information collected before the agreement for which no reasonable purpose exists.
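    The two failures the AG describes above, a container left world-readable from the day it was created and no inventory that would have caught it, are the kind of thing an inventory-and-access check catches mechanically. The following is an added example, not code from the InfoBytes post or from any enforcement document: a small audit that walks a constructed inventory of storage containers shaped like the ACL and bucket-policy JSON that AWS S3 returns from GetBucketAcl and GetBucketPolicy, and reports which containers are readable by anyone. The container names, grants and policies are made-up sample data; feeding real output from boto3’s get_bucket_acl() and get_bucket_policy() into the same functions is left to the reader.

```python
"""Flag cloud storage containers that are readable by the public.

Added example; not from the InfoBytes post or any enforcement document.
Runs entirely on constructed inline data shaped like S3 GetBucketAcl /
GetBucketPolicy responses (assumption: that is the cloud provider in use).
"""
from __future__ import annotations
import json

# Canned grantee URIs that mean "everyone" in S3 ACLs.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
READ_PERMISSIONS = {"READ", "FULL_CONTROL"}


def acl_is_public(acl: dict) -> bool:
    """True if any ACL grant gives READ or FULL_CONTROL to an all-users group."""
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            if grant.get("Permission") in READ_PERMISSIONS:
                return True
    return False


def _principal_is_public(principal) -> bool:
    # Policy principals may be "*", {"AWS": "*"} or {"AWS": ["*", ...]}.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def policy_is_public(policy_json: str | None) -> bool:
    """True if the bucket policy lets an anonymous principal read objects.

    A statement with a Condition block (source VPC endpoint, source IP, ...)
    is treated as not public here and should be reviewed by hand instead.
    """
    if not policy_json:
        return False
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if not _principal_is_public(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if any(a in ("s3:GetObject", "s3:*", "*") for a in actions):
            return True
    return False


def audit(inventory: list[dict]) -> list[str]:
    """Return one finding per container that anyone on the internet can read."""
    findings = []
    for item in inventory:
        reasons = []
        if acl_is_public(item["acl"]):
            reasons.append("ACL grants read to all users")
        if policy_is_public(item.get("policy")):
            reasons.append("policy allows anonymous s3:GetObject")
        if reasons:
            findings.append(f"{item['name']}: " + "; ".join(reasons))
    return findings


OWNER = {"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"}
ALL_USERS_READ = {"Grantee": {"Type": "Group",
                              "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                  "Permission": "READ"}

# Constructed sample inventory (not real buckets): one container left
# world-readable through its ACL, one opened by policy, one private, and
# one with a "*" principal that a Condition restricts to a VPC endpoint.
SAMPLE_INVENTORY = [
    {"name": "db-backups-2018", "acl": {"Grants": [OWNER, ALL_USERS_READ]}, "policy": None},
    {"name": "customer-exports", "acl": {"Grants": [OWNER]},
     "policy": json.dumps({"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
          "Resource": "arn:aws:s3:::customer-exports/*"}]})},
    {"name": "app-assets-private", "acl": {"Grants": [OWNER]}, "policy": None},
    {"name": "vpc-only", "acl": {"Grants": [OWNER]},
     "policy": json.dumps({"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": ["s3:GetObject"],
          "Resource": "arn:aws:s3:::vpc-only/*",
          "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123"}}}]})},
]

if __name__ == "__main__":
    for line in audit(SAMPLE_INVENTORY):
        print(line)
```

    Run on a schedule against a complete inventory (the settlement’s item (ii)), this is the check that would have flagged the container misconfigured at creation in January 2018 the same week it was created, rather than three years later via an outside researcher. Note the deliberate conservatism on conditioned statements: a `"*"` principal scoped by `aws:SourceVpce` is not public, but it is also not something a script should silently approve.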

    Privacy/Cyber Risk & Data Security State Issues New York Settlement State Attorney General Consumer Protection

  • NYDFS imposes $5 million fine against cruise line for cybersecurity violations

    Privacy, Cyber Risk & Data Security

    On June 24, NYDFS announced a consent order imposing a $5 million fine against a group of Florida-based cruise lines for alleged violations of the state’s Cybersecurity Regulation (23 NYCRR Part 500). According to a Department investigation, the companies were subject to four cybersecurity incidents between 2019 and 2021 (including two ransomware attacks). The companies determined that unauthorized parties gained access to employee email accounts, and that, through a series of phishing emails, the parties were able to access email and attachments containing personal information belonging to the companies’ consumers and employees. NYDFS claimed that although the companies were aware of the first cybersecurity event in May 2019, they failed to notify the Department as required under 23 NYCRR Part 500 until April 2020. The investigation further showed that the companies allegedly failed to implement multi-factor authentication and did not provide adequate cybersecurity training for their personnel. NYDFS determined that, in addition to the penalty, because the companies were licensed insurance producers in the state at the time of the cybersecurity incidents, they would be required to surrender their insurance producer licenses.

    The settlement follows a $1.25 million data breach settlement reached with 45 states and the District of Columbia on June 22 (covered by InfoBytes here).

    Privacy/Cyber Risk & Data Security State Issues NYDFS State Regulators Enforcement Settlement Data Breach 23 NYCRR Part 500

  • District Court approves $2.5 million settlement over prerecorded telemarketing messages

    Courts

    On June 24, the U.S. District Court for the Central District of California granted final approval of a $2.5 million class action settlement resolving claims that an auto dealer group and marketing director (collectively, “defendants”) violated the TCPA by sending “prerecorded telemarketing messages” to consumers’ cell phones without receiving consumers’ express written consent. According to the second amended complaint, the plaintiff sued the defendants after he allegedly received unsolicited prerecorded text messages advertising one of the auto group’s dealerships. Under the terms of the agreement, class members (comprised of consumers who were sent prerecorded messages from the defendants, auto dealerships managed by the defendant, or anyone acting on the defendant’s behalf, including employees, agents, third-party contractors, and sub-contractors) will receive a portion of the $2.5 million settlement. The settlement amount also provides for up to $625,700 in attorneys’ fees, nearly $12,600 for costs, and $125,000 for the settlement administrator. The class representative will be given a $5,000 service award. Additionally, the defendants and dealerships are required to “adopt policies and procedures regarding compliance with the TCPA and the National Do Not Call Registry.”

    Courts Settlement TCPA Class Action

  • District Court gives final approval in TCPA class action settlement

    Courts

    On June 24, the U.S. District Court for the Eastern District of New York granted final approval of a $38.5 million settlement in a class action against a national gas service company and other gas companies (collectively, defendants) for allegedly violating the TCPA in connection with calls made to cell phones. As previously covered by InfoBytes, the plaintiff’s memorandum of law requested preliminary approval of the class action settlement. The settlement establishes a settlement class of all U.S. residents who “from March 9, 2011 until October 29, 2021, received a telephone call on a cellular telephone using a prerecorded message or artificial voice” regarding several topics including: (i) the payment or status of bills; (ii) an “important matter” regarding current or past bills and other related issues; and (iii) a disconnect notice concerning a current or past utility account. Under the terms of the settlement, the defendants will provide monetary relief to claiming class members in an estimated amount between $50 and $150. The settlement will additionally require the companies to implement new training programs and procedures to prevent any future TCPA violations. The settlement permits counsel for the proposed class to seek up to 33 percent of the settlement fund to cover attorney fees and expenses.

    Courts Class Action Settlement Robocalls TCPA Consumer Finance

  • District Court approves $1.4 million FCRA settlement

    Courts

    On June 17, the U.S. District Court for the Southern District of California granted final approval of a class action settlement resolving claims that a hospitality company violated the FCRA and various California laws. According to the order, plaintiffs filed a putative class action alleging that the company violated the FCRA by failing to make proper disclosures and obtain proper authorization during its hiring process. Additionally, the plaintiffs claimed that the company’s background check forms were allegedly defective because they “contained information for multiple states for whom background checks were run” in violation of California’s Investigative Consumer Reporting Agencies Act and other California laws. Under the terms of the settlement, the defendant will pay nearly $1.4 million, of which class members will receive $821,714 in total ($63.29 per class member), $10,127 will go towards settlement administration costs, $349,392 will cover attorneys’ fees, and $5,000 will be paid to each of the two named plaintiffs.

    Courts Consumer Finance Credit Report FCRA Class Action Settlement State Issues California

  • States reach $1.25 million data breach settlement with cruise line

    State Issues

    On June 22, a coalition of state attorneys general from 45 states and the District of Columbia announced a $1.25 million settlement with a Florida-based cruise line, resolving allegations that it compromised the personal information of employees and consumers as a result of a data breach. According to the announcement, in March 2020 the company publicly reported that the breach involved an unauthorized actor gaining access to certain employee email accounts. The breach notifications sent to the AGs' offices stated the company first became aware of suspicious email activity in late May of 2019, approximately 10 months before it reported the breach. An ensuing multistate effort focused on the company’s email security practices and compliance with state breach notification statutes. The announcement explained that “’unstructured’ data breaches, like the [company’s] breach, involve personal information stored via email and other disorganized platforms” and that “[b]usinesses lack visibility into this data, making breach notification more challenging and causing further risks for consumers with the delays.”

    Under the terms of the settlement, the company has agreed to provisions designed to strengthen its email security and breach response practices, including, among other things: (i) implementing and maintaining a breach response and notification plan; (ii) requiring email security training for employees; (iii) instituting multi-factor authentication for remote email access; (iv) requiring the use of strong, complex passwords, password rotation, and secure password storage in its password policies and procedures; (v) maintaining enhanced behavior analytics tools to log and monitor potential security events on the company’s network; and (vi) undergoing an independent information security assessment, consistent with past data breach settlements.

    State Issues Enforcement State Attorney General Data Breach Settlement Privacy/Cyber Risk & Data Security

  • District Court certifies class in website accessibility ADA suit

    Courts

    On June 10, the U.S. District Court for the Western District of Pennsylvania certified a putative class action against an online apparel company related to alleged violations of the Americans with Disabilities Act (ADA). The plaintiff claimed that he was unable to access the defendant’s website because the website did not facilitate access for customers using screen readers or other auxiliary aids. This lack of access made the website not fully accessible to individuals who are blind or visually impaired, which the plaintiff characterized as a “violation of the effective communications and equal access requirements of Title III” of the ADA. The plaintiff sued on behalf of a class of similarly situated blind and visually impaired individuals who use screen readers or other auxiliary aids to access the defendant’s website and/or mobile app. According to the plaintiff, the defendant failed to have in place adequate policies and practices to ensure its website was fully accessible, and, although the defendant maintains a single brick-and-mortar location, most of its sales are digital. In certifying the class, the court determined, among other things, that the defendant’s “website and other digital properties affected all members of the class, and thus the class as a whole shares the same interest in obtaining the injunctive relief provided by the settlement—prospective changes to [defendant’s] digital properties.” The court also preliminarily approved the proposed class action settlement, which requires, among other things, that the defendant make several changes to its policies and procedures to ensure accessibility of its digital properties and compliance with the Web Content Accessibility Guidelines 2.1.

    Courts Americans with Disabilities Act Class Action Settlement
