InfoBytes Blog

Financial Services Law Insights and Observations

  • 11th Circuit affirms majority of $380 million data breach settlement

    Courts

    On June 3, the U.S. Court of Appeals for the Eleventh Circuit affirmed a district court’s approval of a roughly $380.5 million settlement between a class of consumers (plaintiffs) and a large consumer reporting agency (CRA), which resolved allegations arising from a 2017 cyberattack that caused a data breach of the CRA. (Covered by InfoBytes here.) The 11th Circuit’s opinion resolves challenges brought by objectors to the settlement who argued that plaintiffs lacked Article III standing because they did not have their identities stolen, and challenged, among other things, certain procedural requirements, the appropriateness of class certification given the possibility that some class members may have been able to recover state statutory damages, and the district court’s adoption of an approval order “ghostwritten” by plaintiffs’ counsel. The objectors also argued that the settlement was inadequate given the “unique risks associated with stolen social security numbers,” and disagreed with the award of $77.5 million in attorneys’ fees, as well as the district court’s decision to impose appeal bonds of $2,000 on each objector.

    On appeal, the 11th Circuit rejected almost all of the objectors’ arguments after determining that class members—even if they were not victims of identity theft—faced a material risk of harm. The appellate court also held that the procedural requirements were not particularly burdensome given the roughly 147 million class members involved. Moreover, the appellate court concluded that the fact that class members in a couple of states could have argued for statutory damages did not make the named plaintiffs inadequate class representatives. Furthermore, the appellate court noted that (i) the settlement addressed the seriousness of the stolen social security numbers; (ii) attorneys’ fees (equal to 20.36 percent of the common fund) were within the reasonable range; (iii) objectors failed to show any “practice of uncritically adopting counsel’s proposed orders”; and (iv) the district court did not “abuse its discretion when it imposed the appeal bonds based on its finding that there was a ‘substantial risk that the costs of appeal will not be paid unless a bond is required.’” Moreover, the 11th Circuit noted that “[a]bsent the settlement, the class action could have faced serious hurdles to recovery, and now the class is entitled to significant settlement benefits that may not have even been achieved at trial,” adding that the FTC, CFPB, and state attorneys general for 48 states, the District of Columbia, and Puerto Rico all support the settlement.

    The appellate court, however, did reverse the district court’s award of incentive payments to class representatives and remanded the case solely for the purpose of vacating the awards.

    Courts Privacy/Cyber Risk & Data Security Data Breach Class Action Settlement Consumer Reporting Agency Consumer Data Appellate

  • FTC settles with remaining operators of student loan debt-relief scam

    Federal Issues

    On May 17, the FTC announced settlements to resolve litigation against the remaining defendants involved in a student loan debt-relief operation charged with allegedly engaging in deceptive and abusive practices by collecting advance fees and making false promises to consumers that they could lower or eliminate loan payments or balances. As previously covered by InfoBytes, the FTC filed complaints against two groups of defendants involved in the debt-relief operation claiming the defendants, among other things, charged consumers advance fees and enrolled consumers in a high-interest financing program without making required disclosures. These actions, the FTC contended, violated the FTC Act, TILA, and the Telemarketing Sales Rule (TSR), and stipulated orders were entered against several of the defendants in 2019. The terms of the stipulated final orders reached with the remaining defendants (see here and here) prohibit the defendants from (i) engaging in transactions involving secured or unsecured debt relief products and services; (ii) making misrepresentations and unsubstantiated claims regarding any products and services; (iii) violating the TSR; and (iv) collecting any further payments from consumers who purchased debt-relief services prior to the entry of the order. Additionally, certain defendants are required to pay a more than $24.5 million monetary judgment, which will be partially suspended due to inability to pay. One of the defendants is also required to pay $11,500, which will go towards consumer redress.

    Federal Issues Courts FTC Enforcement Settlement UDAP FTC Act TILA Telemarketing Sales Rule Student Lending

  • CFPB obtains new judgments against debt-relief defendants

    Federal Issues

    On May 11, the U.S. District Court for the Central District of California entered two additional judgments in an action by the CFPB against a mortgage lender and several related individuals and companies (collectively, “defendants”) for alleged violations of the Consumer Financial Protection Act (CFPA), Telemarketing Sales Rule (TSR), and Fair Credit Reporting Act (FCRA). These are the latest judgments reached with defendants in the ongoing litigation. (See InfoBytes coverage on previously announced settlements here, here, here, and here.)

    As previously covered by InfoBytes, the Bureau filed a complaint in January 2020 claiming the defendants violated the FCRA by, among other things, illegally obtaining consumer reports from a credit reporting agency for millions of consumers with student loans by representing that the reports would be used to “make firm offers of credit for mortgage loans” and to market mortgage products, but instead, the defendants allegedly resold or provided the reports to companies engaged in marketing student loan debt-relief services. The defendants also allegedly violated the TSR by charging and collecting advance fees for their debt-relief services. The CFPB further claimed that the defendants violated the TSR and CFPA when they used telemarketing sales calls and direct mail to encourage consumers to consolidate their loans, and falsely represented that consolidation could lower student-loan interest rates, improve borrowers’ credit scores, and change their servicer to the Department of Education. 

    The May 11 stipulated final judgment entered against a group of corporate defendants, as well as an associated individual, requires the defendants to pay more than $18 million in consumer redress. Payment will be suspended, however, upon satisfaction of certain outlined obligations. The defendants, who neither admitted nor denied the allegations, are also obligated to pay a $125,000 civil money penalty to the Bureau, and are permanently enjoined from offering or providing debt-relief services or from using or obtaining consumer reports for any purpose. Additionally, the individual defendant is banned from using or obtaining benefit from consumer information contained in prescreened consumer reports.

    On the same day, a second stipulated final judgment was entered against one of the individual defendants. The judgment requires the individual defendant to pay more than $3.4 million in redress to affected consumers, which will be partially suspended upon satisfaction of certain outlined obligations, along with a $1 civil money penalty. The individual defendant, who also neither admitted nor denied the allegations, is permanently enjoined from offering or providing debt relief services, from participating or engaging in the telemarketing of any consumer financial product or service, or from using or obtaining prescreened consumer reports for any purpose.

    Federal Issues Courts CFPB Consumer Finance CFPA Telemarketing Sales Rule FCRA Enforcement Settlement

  • District Court approves online marketplace data breach settlement

    Courts

    On May 13, the U.S. District Court for the Northern District of California preliminarily approved a class action settlement, resolving allegations that a California-based online designer marketplace failed to protect customers’ personal information from a computer hacking group in a May 2020 data breach. The plaintiffs asserted negligence and brought claims under California’s Consumer Privacy Act and Unfair Competition Law after plaintiffs launched an investigation into the cybersecurity incident. The preliminary settlement requires the company to establish a $5 million settlement fund, which would “provide for an estimated $43 payment per participating class member, two years of credit monitoring, and identity restoration services.” The company must also implement several business practice changes to enhance security, including enhancing password protection and implementing a policy regarding minimizing the retention of customers’ personally identifiable information. The settlement also notes that “members subject to identity theft can also obtain fraud resolution assistance to dispute transactions, mediate calls with merchants, and implement fraud alerts.” Class members who do not agree to the settlement may opt out of the settlement by September 16.

    Courts Data Breach Settlement Privacy/Cyber Risk & Data Security Class Action CCPA State Issues

  • FTC settles with photo app developer over its facial recognition technology

    Federal Issues

    On May 7, the FTC announced a final settlement with the developer of a California-based photo app (defendant) for allegedly deceiving consumers concerning its use of facial recognition technology and its retention of the photos and videos of users who previously deactivated their accounts. The FTC filed a complaint in January claiming, among other things, that the defendant violated the FTC Act by misleading users about their ability to control the face recognition feature and remove photos after account deletion. According to the FTC’s complaint, the defendant automatically activated its face recognition feature for all mobile app users except those consumers who lived in Texas, Illinois, Washington and the European Union. The FTC alleged that the defendant also failed to keep its promise to delete the photos and videos of users who deactivated their accounts and instead retained them indefinitely. Under the terms of the stipulated final order, the defendant must “clearly and conspicuously disclose to the User from whom Respondent has collected the Biometric Information, separate and apart from any ‘privacy policy,’ ‘terms of use’ page, or other similar document, all purposes for which Respondent will use, and to the extent applicable, share, the Biometric Information; and obtain the affirmative express consent of the User from whom Respondent collected the Biometric Information.” The settlement also calls for the deletion of all photos and videos that were collected from users who requested deactivation of their accounts.

    Federal Issues FTC Settlement FTC Act Deceptive Privacy/Cyber Risk & Data Security Enforcement

  • OFAC reaches $2.1 million settlement with German software company

    Financial Crimes

    On April 29, OFAC announced a more than $2.1 million settlement with a Germany-based software company for 190 apparent violations of the Iranian Transactions and Sanctions Regulations. According to OFAC’s website notice, between June 2013 and January 2018, the company “authorized 13 sales of [company] software licenses, 169 sales of related maintenance services and updates, and eight sales of cloud-based subscription services.” Third-party resellers, which the company allegedly referred to as “pass-through entities” in Turkey, the United Arab Emirates (UAE), Germany, and Malaysia, sold the software licenses and related maintenance services and updates, OFAC noted.

    In arriving at the settlement amount, OFAC considered various aggravating factors, including that the company (i) demonstrated reckless disregard and failed to exercise sufficient caution or care for U.S. economic sanctions by failing to act on audit findings regarding sanction risk or warnings from compliance, and by ignoring whistleblower complaints; (ii) failed to have an adequate compliance program for a company of its size; (iii) had information to conclude that the software and cloud services were being utilized by entities and end-users in Iran and were supported from the US; and (iv) “is a sophisticated software company with significant international operations and has numerous foreign subsidiaries.”

    OFAC also considered various mitigating factors, including that the company (i) cooperated with OFAC’s investigation; (ii) has undertaken remedial measures, including terminating the users connected to the third-country entities, the partners who participated in the sales to Iranian companies, and five employees who were found to have “knowingly engaged in the sale of . . . products to Iran”; (iii) has prohibited downloads of software, support, and maintenance from embargoed countries; (iv) implemented a risk-based export control framework for partners that requires a stringent review of proposed sales by a third-party auditor; (v) created an upgraded compliance program; and (vi) hired new employees responsible for export control and trade sanctions compliance.

    Separately, the DOJ announced that the company agreed to pay an $8 million fine and entered into a Non-Prosecution Agreement as a result of its voluntary disclosure to the DOJ and “extensive cooperation and strong remediation.” Pursuant to the agreement, the company “will disgorge $5.14 million of ill-gotten gain.”

     

    Financial Crimes OFAC Department of Treasury Enforcement Sanctions Iran OFAC Designations Of Interest to Non-US Persons Department of Justice Settlement

  • OFAC settles with global payments company

    Financial Crimes

    On April 29, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced a nearly $35,000 settlement with a Texas-based global payments company for 359 apparent violations of multiple sanctions programs. According to OFAC’s website notice, between March 2013 and April 2016, “the company provided money transfer services to the Department of Justice’s Federal Bureau of Prisons (BOP), which allowed inmates to send and receive funds into and out of their personal commissary accounts” without screening, or without sufficiently screening, the inmates against the SDN List.

    In arriving at the settlement amount, OFAC considered various aggravating factors, including that the company (i) “knew that there could be incarcerated blocked persons that would be receiving payments into their commissary accounts, but did not screen the beneficiaries of the transactions against the SDN List because of an erroneous misunderstanding of its obligations;” and (ii) is a large and commercially sophisticated international financial institution.

    OFAC also considered various mitigating factors, including, among other factors, that the company (i) cooperated with OFAC’s investigation; and (ii) self-disclosed the apparent violations and had already undertaken remedial measures, including retiring its screening system and launching a new system, implementing screening for all BOP-related transactions, implementing additional training to its agent network, and increasing its compliance department staffing.

    Financial Crimes OFAC Department of Treasury Enforcement Sanctions OFAC Designations Of Interest to Non-US Persons Settlement

  • U.S. steel manufacturer settles with OFAC for violating Iranian sanctions

    Financial Crimes

    On April 19, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced a $435,003 settlement with an Oklahoma-based steel manufacturer to resolve alleged violations of the Iranian Transactions and Sanctions Regulations. According to OFAC’s accompanying web notice, between 2013 and 2018, the company allegedly engaged with a third-party Iranian engineering company on at least 61 occasions to import engineering services. The company asserted that, while several senior officials “were involved in the process of approving each transaction and issuing checks to the Iranian engineering company,” the company’s “lack of familiarity with U.S. sanctions requirements caused its management to allow the Apparent Violations to continue until a new Chief Executive Officer was hired in October 2018.” Once management learned of the alleged violations, the company stated it ceased working with the Iranian engineering company and took several remedial measures to prevent the conduct from reoccurring.

    In arriving at the settlement amount, OFAC considered various aggravating factors, including that (i) the company failed to conduct basic due diligence regarding the transactions with the Iranian engineering company; (ii) senior management “had actual knowledge” that the company was outsourcing work to the Iranian engineering company; and (iii) the conduct caused more than $1 million in benefits to Iran.

    OFAC also considered various mitigating factors, including that the company (i) had not received a penalty notice from OFAC in the preceding five years; (ii) voluntarily self-disclosed the alleged violations and cooperated with OFAC’s investigation; (iii) ceased the conduct at issue; and (iv) took remedial measures, including terminating the employee responsible for initiating and overseeing the transactions at issue, and developing and implementing an export compliance policy to provide, among other things, staff training and a requirement that all international contracting opportunities be approved by the company’s president.

    Financial Crimes Department of Treasury OFAC Sanctions OFAC Designations Of Interest to Non-US Persons Enforcement Settlement Iran

  • FINRA fines firm for failing to follow its own AML policies

    Financial Crimes

    On April 16, the Financial Industry Regulatory Authority (FINRA) entered into a Letter of Acceptance, Waiver, and Consent (AWC), which resulted in a $250,000 fine against a New York-based trading firm for allegedly failing to establish an anti-money laundering (AML) compliance program and a tailored Customer Identification Program (CIP) over a four-year period, which permitted potentially suspicious trading out of accounts based in China and other foreign countries. As a result, the firm allegedly failed to detect red flags concerning potentially suspicious activity and failed to investigate or report the activity in a timely manner. According to FINRA, the firm’s failure to set up a “reasonable” AML program and a tailored CIP between September 2016 and September 2020 resulted in the failure to “detect, investigate, and respond” to red flags in four related accounts, including suspicious activity related to: (i) possible trading of low-priced securities and other activity connected to the foreign accounts; (ii) transactions that lacked business sense or apparent investment strategy; (iii) a customer account that had “unexplained or sudden extensive wire activity, especially in accounts that had little or no previous activity”; and (iv) a customer account, which showed an unexplained high level of account activity with very low levels of securities transactions. FINRA stated that although the “firm’s written procedures required the use and review of exception reports to assist with the identification of red flags for suspicious trading and suspicious money movements, they did not identify any exception reports that the firm would use and did not describe how supervisors should use them.” The firm neither admitted nor denied the findings set forth in the AWC letter.

    Financial Crimes FINRA Settlement Anti-Money Laundering Compliance Of Interest to Non-US Persons China

  • Minnesota AG settles with student debt relief company

    State Issues

    On April 13, the Minnesota attorney general announced a settlement with a California-based student loan debt relief company that allegedly: (i) collected illegal fees from customers; (ii) misrepresented its services to cease operations in Minnesota by not providing full refunds to its Minnesota consumers; and (iii) violated Minnesota’s Debt Services Settlement Act, Prevention of Consumer Fraud Act, and Uniform Deceptive Trade Practices Act. The AG alleged that the company “falsely promised consumers student-loan forgiveness, when only the federal government can forgive federal student loans.” Under the terms of the settlement, the company is required to pay the AG $18,190.50, which will be used to provide full restitution to consumers. The settlement also requires the company to cease operations in Minnesota until it becomes registered as a debt-settlement service provider.

    State Issues State Attorney General Courts Student Lending Debt Relief Usury Settlement
