InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
States reach data breach settlement with debt collector
On March 11, a coalition of 41 state attorneys general, led by the New York attorney general, announced a settlement with a bankrupt debt collection agency to resolve a multistate investigation into a 2019 data breach that allegedly exposed the personal information of more than 21 million individuals, including Social Security numbers, payment card information, and in certain instances, medical test names and diagnostic codes. According to the proposed consent order, an unauthorized user accessed the company’s internal system and accessed consumers’ personal information. The AGs claimed that “[d]espite numerous warnings from banks that processed its payments about a potential breach, [the company] failed to detect the intrusion.” Under the terms of the settlement, the company has agreed to implement data security practices to strengthen its information security program and safeguard consumers’ personal information. These measures include: (i) creating and implementing an information security program that includes an incident response plan; (ii) employing a chief information security officer to oversee data safety practices; and (iii) hiring a third-party assessor to conduct an information security assessment. Additionally, should the company fail to honor the injunctive terms of the settlement it may be liable for as much as $21 million.
4th Circuit affirms $10 million penalty for appraisal practices
On March 10, a divided U.S. Court of Appeals for the Fourth Circuit affirmed a district court’s summary judgment that an appraisal practice common before 2009 was unconscionable under the West Virginia Consumer Credit and Protection Act. According to the opinion, a class of borrowers filed a lawsuit against a lender and an appraisal management company, alleging the defendants relayed home value estimates provided by borrowers on their applications to appraisers and allegedly asked appraisers “to take another look” if the appraisal value came in lower than the estimated value. The plaintiffs claimed, among other things, that this practice constituted a breach of contract and unconscionable inducement under West Virginia law. Plaintiffs also filed a civil conspiracy claim against the defendants. The district court conditionally certified the class. It ultimately imposed a $9.6 million statutory penalty and awarded class members the appraisal fees paid as damages for breach of contract in an amount totaling nearly $1 million. However, no damages were awarded for conspiracy. The defendants appealed, arguing that summary judgment was wrongfully granted and that the class should not have been certified since individual issues predominated over common ones.
On appeal, the majority determined, among other things, that the acceptability of the challenged practice “shifted dramatically during the class period,” and that “[w]hat started out as a common (though questionable) practice became one that, in short order, was explicitly forbidden.” The majority determined the plaintiffs established their claim for unconscionable inducement, and that it “was unethical for Defendants to attempt to pressure or influence appraisers.” The majority also affirmed the district court’s ruling on the conspiracy claim. However, the appellate court concluded that the district court improperly granted summary judgment on the breach of contract claim and ordered the district court to reexamine whether breach of contract occurred and whether the plaintiffs suffered resulting damages.
The dissenting judge called the majority opinion “startling,” writing that “[t]his is an unjust punishment indeed for a company that followed a practice that was both customary and legal and only later modified to avoid potentially influencing appraisers.”
HUD approves settlement resolving Fair Housing Act violation
On March 8, HUD released a Conciliation Agreement between an African-American consumer and a mortgage lender to resolve allegations that the consumer’s home was appraised at an amount lower than its actual worth due to her race. Under the Fair Housing Act, a homeowner’s race may not influence the valuation of a home, HUD stated. While the lender denied having engaged in any discriminatory behavior, it agreed to pay $50,000 to the consumer and will provide mandatory training to all of its home lending advisors and client care specialists nationwide on the reconsideration of value (ROV) process and fair lending issues related to appraisals. Training will include information on how to handle complaints of discrimination in the appraisal process and the process for consumers to submit ROV requests.
New York reaches settlement with bank over check-cashing program
On March 1, the New York attorney general entered into an agreement with an Ohio-based bank resolving an investigation into the bank’s alleged deceptive advertising practices. According to the AG, the bank introduced a check-cashing program advertised to consumers in the state as a method to cash government and payroll checks at a low cost. The program, which was intended to assist the underbanked and unbanked in low- and middle-income (LMI) communities, allowed consumers who did not have deposit accounts with the bank to participate in the program. The AG alleged, however, that the program was not being implemented as promoted and was not available in branches where it was advertised, nor was it allegedly available to testers who tried to use the program. While neither admitting nor denying the allegations, the bank has agreed to provide $5 million to be used as down payment and home-closing cost assistance for LMI New Yorkers, and it will apply to become a participating lender with the State of New York Mortgage Agency. The bank has also agreed to originate $145 million in mortgage loans to LMI homebuyers in the state over the next five years and will waive certain fees associated with the loans.
NYDFS, mortgage lender reach $1.5 million cyber breach settlement
On March 3, NYDFS announced a settlement with a mortgage lender to resolve allegations that the lender violated the state’s cybersecurity regulation (23 NYCRR Part 500) by failing to report it was the subject of a cyber breach in 2019. Under Part 500.17, regulated entities are required to provide timely notice to NYDFS when a cybersecurity event involves harm to customers (see FAQs here). A July 2020 examination revealed that the cyber breach involved unauthorized access to an employee’s email account, which could have provided access to personal data, including social security and bank account numbers. NYDFS also claimed that the lender allegedly failed to implement a comprehensive cybersecurity risk assessment as required by 23 NYCRR Part 500. Under the terms of the consent order, the lender will pay a $1.5 million civil monetary penalty, and will make further improvements to strengthen its existing cybersecurity program to ensure compliance with 23 NYCRR Part 500. NYDFS acknowledged that the mortgage lender had controls in place at the time of the cyber incident and implemented additional controls since the incident. NYDFS also acknowledged the mortgage lender’s “commendable” cooperation throughout the examination and investigation and stated that the lender had demonstrated its commitment to remediation.
Court approves $9.7 million overdraft fee settlement
On February 25, the U.S. District Court for the Northern District of New York approved a roughly $9.7 million class action settlement resolving claims that a New York credit union improperly assessed banking fees, including overdraft fees, when members had sufficient funds in their checking accounts to pay for the transactions presented for payment. The plaintiffs also alleged, among other things, that the credit union (i) improperly charged fees on a variety of transactions for members who did not opt-in to the credit union’s protection programs; (ii) assessed fees in instances where there was no contractual basis to assess the fees; (iii) transferred money from members’ savings accounts into checking accounts to avoid negative balances and resulting fees, but still imposed the fee; and (iv) violated the terms of its contracts and various laws by imposing non-sufficient funds fees more than once on the same transaction. The settlement requires the credit union to pay approximately $5.85 million into a settlement fund, plus nearly $2.53 million in attorneys’ fees, $168,030 in costs, and $15,000 service awards to each of the three named plaintiffs. The settlement amount also includes the value of the policy changes to be made by the credit union.
Court approves $650 million biometric privacy class action settlement
On February 26, the U.S. District Court for the Northern District of California granted final approval of a $650 million biometric privacy settlement between a global social media company and a class of Illinois users. The settlement resolves consolidated class action claims that the social media company violated the Illinois Biometric Information Privacy Act (BIPA) by allegedly developing a face template that used facial-recognition technology without users’ consent. A lesser $550 million settlement deal filed in May (covered by InfoBytes here), was rejected by the court in August due to “concerns about an unduly steep discount on statutory damages under the BIPA, a conduct remedy that did not appear to require any meaningful changes by [the social media company], over-broad releases by the class, and the sufficiency of notice to class members.” (See InfoBytes coverage here.) The final settlement requires the social media company to pay $650 million in a settlement fund, plus $97.5 million for attorneys’ fees and expenses and $5,000 service awards to each of the three named plaintiffs. The social media company is also required to provide nonmonetary injunctive relief by setting all default face recognition user settings to “off” and by deleting all existing and stored face templates for class members unless class members provide their express consent after receiving a separate disclosure on how the face template will be used. Face templates for class members who have not had any activity on the social media platform will also be deleted. The court called the settlement a “landmark result,” noting it is one of the largest settlements ever for a privacy violation, and will provide each claimant at least $345.
Convenience store chain agrees to pay $12 million to resolve data security incident
On February 19, consolidated class members filed an unopposed motion for preliminary approval of a settlement agreement in the U.S. District Court for the Eastern District of Pennsylvania to resolve data security incident claims. Class members—comprised of a nationwide group of consumers whose credit and debit card information was compromised in a 2019 data security incident affecting a nationwide convenience store chain—alleged that “despite the foreseeability of a data breach” the convenience store chain, among other things, “failed to implement adequate measures to protect the sensitive, non-public payment card information entrusted to it by its customers.” The claims also alleged that certain class members continued to experience fraudulent transactions on their payment cards, and that many class members spent time responding to the data security incident, spent money on protective measures, and may experience a heightened risk of future misuse of their payment card information.
Following mediation, the parties agreed to the preliminary settlement terms, which will provide monetary relief to class members through a three-tier system totaling up to $9 million, plus $3.2 million for attorneys’ fees and expenses and class representative service awards. The convenience store chain is also required to take additional measures for a period of two years to prevent future unauthorized intrusions, including (i) retaining a qualified security assessor; (ii) conducting annual tests of its cybersecurity protocols; (iii) operating payment systems that encrypt payment card information and comply with credit card issuers’ security procedures, including systems at point-of-sale fuel pump terminals; and (iv) maintaining information security programs, policies, and procedures.
New York reaches $18.5 million settlement with virtual currency operators
On February 23, the New York attorney general announced a $18.5 million settlement with the operators of a virtual currency trading platform and the “tether” virtual currency issuer, along with their affiliated entities, to resolve allegations that the companies deceived clients by overstating available reserves and hiding $850 million in co-mingled client and corporate funds. According to the AG, one of the companies operated an online trading platform for exchanging and trading virtual currency, which allowed users to store virtual or fiat currency, convert virtual currency into fiat currency, and withdraw funds, while the “tether” virtual currency issuer represented that the “stablecoin” it issued was backed one-to-one by U.S. dollars in reserve. However, an AG investigation found, among other things, that the companies made false statements about the backing of the stablecoin and moved hundreds of millions of dollars between the two companies in an attempt to conceal massive losses, and that the stablecoins were, in fact, no longer backed one-to-one by U.S. dollars in reserve, contrary to the company’s representations. The AG also noted that a national bank, which acted as the correspondent bank for the companies and was used to fill orders for U.S. dollars, elected to stop processing U.S. dollar wire transfers from the companies, forcing the companies to find alternative banking arrangements and ultimately leading to a liquidity crisis. Further, the AG stated that the companies failed to disclose these issues to the public. In 2019, a court order enjoined the companies from engaging in activities that may have defrauded investors trading in cryptocurrency (covered by InfoBytes here).
Under the terms of the settlement agreement, the companies and related entities must, among other things, (i) discontinue any further trading activity in the state; (ii) pay $18.5 million in monetary relief; and (iii) take steps to increase transparency, including maintaining internal controls and procedures designed to ensure that their products and services are not used by New York persons and entities, providing compliance reports to the AG, and providing a list of utilized payment processors.
Digital payment solutions company settles with OFAC for $500k
On February 18, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced a $507,375 settlement with a Georgia-based payment processing solutions company for 2,102 apparent violations of multiple sanctions programs. According to OFAC’s web notice, between 2013 and 2018, the company—which offers solutions for merchants to accept digital currency as payment for goods and services—allegedly processed thousands of transactions on behalf of individuals located in sanctioned jurisdictions based on IP addresses and invoice information. Specifically, OFAC alleged that the company “received digital currency payments on behalf of its merchant customers from those merchants’ buyers who were located in sanctioned jurisdictions, converted the digital currency to fiat currency, and then related that currency to its merchants.” While OFAC noted that the company screened its direct merchants against its List of Specially Designated Nationals and Blocked Persons and conducted due diligence to ensure merchants were not located in a sanctioned jurisdiction, the company’s transaction review process allegedly failed to screen identification and location data for its merchants’ buyers, many of whom were located in Crimea, Cuba, North Korea, Iran, Sudan, and Syria. As a result, these buyers, OFAC claimed, were able to make purchases from merchants located in the U.S. and elsewhere using digital currency on the company’s platform in violation of an executive order and multiple sanctions regulations.
In arriving at the settlement amount, OFAC considered various aggravating factors, including that the company (i) “failed to exercise due caution or care for its sanctions compliance obligations” by allowing buyers in sanctioned jurisdictions to transact with merchants despite having “sufficient information to screen those customers”; and (ii) conveyed more than $128,000 in economic benefit to individuals in OFAC sanctioned jurisdictions.
OFAC also considered various mitigating factors, including that the company (i) had implemented certain sanctions compliance controls, including due diligence and sanctions screening; (ii) trained employees—including senior management—that signing up merchants from sanctioned jurisdictions or trading with sanctioned persons is prohibited; (iii) cooperated with OFAC’s investigation; and (iv) terminated the conduct leading to the apparent violations and undertook remedial measures to minimize the risk of similar violations from occurring in the future. The base civil monetary penalty applicable in this action is $2,255,000; however, the lower settlement amount reflects OFAC’s consideration of the general factors under the Economic Sanctions Enforcement Guidelines.