
InfoBytes Blog

Financial Services Law Insights and Observations


  • California AG enters into privacy settlement with fertility-tracking mobile app

    Privacy, Cyber Risk & Data Security

    On September 17, the California attorney general announced a settlement with a technology company that operates a fertility-tracking mobile app to resolve claims that security flaws put users’ sensitive personal and medical information at risk in violation of state consumer protection and privacy laws. According to the complaint filed in the Superior Court for the County of San Francisco, the company’s app allegedly failed to adequately safeguard and preserve the confidentiality of medical information by, among other things, (i) allowing access to user information without the user’s consent, by failing to “authenticate the legitimacy of the user to whom the medical information was shared”; (ii) allowing a password-change vulnerability to permit unauthorized access and disclosure of information stored in the app without the user’s consent; (iii) making misleading statements concerning implemented security measures and the app’s ability to protect consumers’ sensitive personal and medical information from unauthorized disclosure; and (iv) failing to implement and maintain reasonable security procedures and practices.

    Under the terms of the settlement, the company—which does not admit liability—is required to pay a $250,000 civil penalty and incorporate privacy and security design principles into its mobile apps. The company must also obtain affirmative authorization from users before sharing or disclosing sensitive personal and medical information, and must allow users to revoke previously granted consent. Additionally, the company is required to provide ongoing annual employee training concerning the proper handling and protection of sensitive personal and medical information, in addition to training on cyberstalking awareness and prevention. According to the AG’s press release, the settlement also includes “a first-ever injunctive term that requires [the company] to consider how privacy or security lapses may uniquely impact women.”

    Privacy/Cyber Risk & Data Security Courts Settlement Data Breach State Issues State Attorney General

  • 11th Circuit: Class action incentive fees are unlawful

    Courts

    On September 17, the U.S. Court of Appeals for the Eleventh Circuit reversed and vacated a district court judgment awarding an “incentive payment” to a TCPA class action representative, concluding it violates a U.S. Supreme Court decision prohibiting such awards. Additionally, the 11th Circuit remanded the case so that the district court could adequately explain its findings on the fees and costs issues. According to the opinion, a consumer initiated a TCPA class action against a collection agency for allegedly calling phone numbers that had originally belonged to consenting debtors but were subsequently reassigned to non-debtors. The action quickly moved to settlement and one class member objected, challenging “the district court’s decision to set the objection deadline before the deadline for class counsel to file their attorneys’-fee petition.” Additionally, among other things, the objector argued that the proposed $6,000 incentive award to the class action representative violates the 1880s Supreme Court decisions in Trustees v. Greenough and Central Railroad & Banking Co. v. Pettus. The district court overruled the class member’s objections.

    On appeal, the 11th Circuit concluded that the district court “repeated several errors” that “have become commonplace in everyday class-action practice.” Specifically, the appellate court held that the district court “violated the plain terms of Federal Rule of Civil Procedure 23(h)” by setting the settlement objection date more than two weeks before the date class counsel had to file their attorneys’ fee petition. The appellate court also concluded that the district court violated the Supreme Court’s rule from Greenough and Pettus, which provides that “[a] plaintiff suing on behalf of a class can be reimbursed for attorneys’ fees and expenses incurred in carrying on the litigation, but he cannot be paid a salary or be reimbursed for his personal expenses.” The 11th Circuit noted that modern-day incentive awards pose even more risks than the concerns from Greenough, promoting “litigation by providing a prize to be won.” Thus, according to the appellate court, although incentive awards may be “commonplace” in class action litigation, they are not lawful and, therefore, the district court’s decision must be reversed.

    Courts Eleventh Circuit TCPA Class Action Settlement U.S. Supreme Court

  • New York AG settles data breach lawsuit with national coffee chain

    Privacy, Cyber Risk & Data Security

    On September 15, the New York attorney general announced a settlement with a national franchisor of a coffee retail chain to resolve allegations that the company violated New York’s data breach notification statute and several state consumer protection laws by failing to protect thousands of customer accounts from a series of cyberattacks. As previously covered by InfoBytes, the AG claimed that, beginning in 2015, customer accounts containing stored value cards that could be used to make purchases in stores and online were subject to repeated cyberattack attempts, resulting in more than 20,000 compromised accounts and “tens of thousands” of dollars stolen. Following the attacks, the AG alleged that the company failed to take steps to protect the affected customers or to conduct an investigation to determine the extent of the attacks or implement appropriate safeguards to limit future attacks. The settlement, subject to court approval, would require the company to (i) notify affected customers, reset their passwords, and refund any stored value cards used without permission; (ii) pay $650,000 in penalties and costs; (iii) maintain safeguards to protect against similar attacks in the future; and (iv) develop and follow appropriate incident response procedures.

    Privacy/Cyber Risk & Data Security Courts Settlement Data Breach State Issues

  • Joint settlement requires forgiveness on $330 million of student loans

    Federal Issues

    On September 15, the CFPB filed a complaint and proposed stipulated judgment against a trust, along with three banks acting in their capacity as trustees to the trust, for allegedly providing substantial assistance to a now defunct for-profit educational institution in engaging in unfair acts and practices in violation of the Consumer Financial Protection Act. The Bureau asserted that the trust owned and managed private loans for students attending the defunct institution, even though the trust “allegedly knew or was reckless in not knowing that many student borrowers did not understand the terms and conditions of those loans, could not afford them, or in some cases did not even know they had them.” The Bureau alleged that the defunct institution induced students to take out loans through several unfair practices, including “using aggressive tactics, and in some cases, gaining unauthorized access to student accounts to sign students up for loans without permission.” These loans, the Bureau contended, carried default rates well above what was expected for student loans. According to the Bureau, the trust was allegedly actively involved in the servicing, managing, and collection of these student loans.

    If approved by the court, the Bureau’s proposed settlement would require the trust to (i) cease collection efforts on all outstanding loans owned and managed by the trust; (ii) discharge all outstanding loans owned and managed by the trust; (iii) ask all consumer reporting agencies to delete information related to the trust’s loans; and (iv) notify all affected consumers of these actions. The Bureau estimated that the total amount of loan forgiveness is roughly $330 million.

    This settlement is the third reached by the Bureau in relation to the defunct institution’s private loan programs. In 2019, the defunct institution reached a settlement with the Bureau (covered by InfoBytes here), which required the payment of a $60 million judgment. Additionally, the Bureau entered into another settlement in 2019 with a different company that managed student loans for the defunct institution’s students, which required the loan management company to comply with similar requirements as the trust (covered by InfoBytes here).

    Also on September 15, attorneys general from 47 states plus the District of Columbia reached a national settlement with the trust.

    Federal Issues CFPB Enforcement State Attorney General State Issues Settlement UDAAP Unfair Student Lending

  • 9th Circuit upholds $50 million order in FTC action against publisher

    Courts

    On September 11, the U.S. Court of Appeals for the Ninth Circuit, in a split decision, upheld the district court order requiring a publisher and conference organizer and his three companies (defendants) to pay more than $50.1 million to resolve allegations that the defendants made deceptive claims about the nature of their scientific conferences and online journals and failed to adequately disclose publication fees in violation of the FTC Act. As previously covered by InfoBytes, in an action filed in the U.S. District Court for the District of Nevada, the FTC alleged the defendants misrepresented that their online academic journals underwent rigorous peer reviews; instead, according to the FTC, the defendants did not conduct or follow the scholarly journal industry’s standard review practices and often provided no edits to submitted materials. Additionally, the FTC alleged that the defendants failed to disclose material fees for publishing authors’ work when soliciting authors and that the defendants falsely advertised the attendance and participation of various prominent academics and researchers at conferences without their permission or actual affiliation. The district court agreed with the FTC and, among other things, ordered the defendants to pay more than $50.1 million in consumer redress.

    On appeal, the split 9th Circuit agreed with the district court, concluding that the defendants violated the FTC Act, noting that despite the “overwhelming evidence against them,” the defendants “made only general denials” and did not “create any genuine disputes of material fact as to their liability.” The appellate court emphasized that the misrepresentations made by the defendants were “material” and “did in fact, deceive ordinary customers.” Moreover, among other things, the appellate court held that the defendants failed to meet their burden to show that the FTC “overstated the amount of their unjust gains by including all conference-related revenue.” Specifically, the appellate court determined that conferences were “part of a single scheme of deceptive business practices,” even though the conferences were individual, discrete events. Because the marketing was “widely disseminated,” the court determined that the FTC was entitled to a rebuttable presumption that “all conference consumers were deceived.”

    In partial dissent, a judge asserted the FTC “did not reasonably approximate unjust gains” by including all conference-related revenue, because “the FTC’s own evidence indicates that only approximately 60% of the conferences were deceptively marketed.” Thus, according to the dissent, the case should have been remanded to the district court to determine whether the FTC can meet its initial burden.

    Courts FTC FTC Act UDAP Deceptive Advertisement Settlement Appellate Ninth Circuit

  • OFAC reaches $583,000 settlement to resolve Ukrainian sanctions violations

    Financial Crimes

    On September 9, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced two settlements totaling $583,100 with the U.S.-based subsidiary of a global financial institution for apparent violations of the Ukraine-Related Sanctions Regulations. According to OFAC, the financial institution allegedly agreed to process a funds transfer exceeding $28 million through the U.S. related to a series of purchases of fuel oil involving a property interest of an oil company in Cyprus that was previously designated by OFAC. OFAC alleged that at the time the payment was processed, the bank “had reason to know of the designated oil company’s potential interest, but did not conduct sufficient due diligence to determine whether the designated oil company’s interest in the payment had been extinguished.” The bank agreed to pay $157,500 to resolve the apparent violation.

    Additionally, OFAC stated the bank also agreed to separately remit $425,600 for apparent violations stemming from the processing of 61 transactions “destined for accounts at a designated financial institution.” The bank allegedly failed to stop these payments because its sanctions screening tool did not include a specific business identifier code assigned to the designated financial institution, OFAC claimed, and its screening tool “was calibrated so that only an exact match to a designated entity would trigger further manual review.”

    In arriving at the settlement amount, OFAC considered various mitigating factors, including that (i) the apparent violations were non-egregious; (ii) the bank had in place “an OFAC compliance program at the time of the apparent violations”; and (iii) the bank has undertaken remedial efforts to address the deficiencies, including reviewing the circumstances of the apparent violations with its U.S. sanctions compliance unit, and agreeing to conduct additional training and implement changes to internal procedures as necessary.

    OFAC also considered various aggravating factors, including that “several senior managers within the bank’s anti-financial crime division, as well as a representative from its counsel’s office, failed to exercise a minimal degree of caution or care in connection with the conduct that led to the apparent violation,” and had actual knowledge of the alleged conduct.

    Financial Crimes Department of Treasury OFAC Sanctions Of Interest to Non-US Persons Settlement Ukraine

  • District court preliminarily approves $650 million biometric privacy class action settlement

    Privacy, Cyber Risk & Data Security

    On August 19, the U.S. District Court for the Northern District of California granted preliminary approval of a $650 million biometric privacy settlement between a global social media company and a class of Illinois users. If granted final approval, the settlement would resolve consolidated class action claims that the social media company violated the Illinois Biometric Information Privacy Act (BIPA) by allegedly developing a face template that used facial-recognition technology without users’ consent. A lesser $550 million settlement deal filed in May (covered by InfoBytes here) was rejected by the court due to “concerns about an unduly steep discount on statutory damages under the BIPA, a conduct remedy that did not appear to require any meaningful changes by [the social media company], over-broad releases by the class, and the sufficiency of notice to class members.” The preliminarily approved settlement would also require the social media company to provide nonmonetary injunctive relief by setting all default face recognition user settings to “off” and by deleting all existing and stored face templates for class members unless class members provide their express consent after receiving a separate disclosure on how the face template will be used.

    Privacy/Cyber Risk & Data Security Courts BIPA Class Action Settlement

  • District court: $925 million statutory damages award not constitutionally excessive

    Courts

    On August 14, the U.S. District Court for the District of Oregon refused to reduce a $925 million statutory damages award against a company found to have violated the TCPA by sending almost two million unsolicited robocalls to consumers. The company argued that the statutory damages award violates due process because “it is so severe and oppressive as to be wholly disproportionate to the offense and obviously unreasonable.” The court rejected the company’s argument that the penalty was unconstitutionally excessive, noting that the U.S. Court of Appeals for the Ninth Circuit has not yet answered the question as to “whether due process limits the aggregate statutory damages that can be awarded in a class action lawsuit under the TCPA.” Instead, the district court concluded that the allowance for at least $500 per violation under the TCPA is constitutionally valid and that the penalty’s “large aggregate number comes from simple arithmetic.” Referencing an opinion issued by the U.S. Court of Appeals for the Seventh Circuit, the court reasoned that “[s]omeone whose maximum penalty reaches the mesosphere only because the number of violations reaches the stratosphere can’t complain about the consequences of its own extensive misconduct.” Thus, the court rejected the company’s argument that the aggregate damages award should be reduced, finding that due process does not require the reduction of the aggregate statutory award where the company violated the TCPA nearly two million times.

    Courts Robocalls TCPA Settlement

  • Bank settles overdraft fee litigation for $7.5 million

    Courts

    On August 10, the U.S. District Court for the Southern District of Florida granted final approval of a $7.5 million settlement, resolving a decade-long multidistrict litigation concerning overdraft fees. The settlement covers allegations that a U.S.-based affiliate of an international bank improperly assessed and collected overdraft fees due to “high-to-low posting.” In 2012, the bank was purchased by a U.S. national bank and the national bank inherited the litigation as the successor in interest. The settlement involves over 148,000 class members, “who, from October 10, 2007 through and including March 1, 2012, incurred one or more Overdraft Fees as a result of [the bank]’s High-to-Low Posting.” The $7.5 million settlement includes $10,000 to the sole class representative and over $2.6 million to the class attorneys (representing 35% of the settlement fund).

    Courts Overdraft Settlement Class Action

  • OFAC settles Iranian sanctions violations

    Financial Crimes

    On July 28, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced an $824,314 settlement with a Pennsylvania-based cookware coating manufacturer for 74 apparent violations of the Iranian Transactions and Sanctions Regulations. According to OFAC, between November 2012 and December 2015, two of the company’s foreign subsidiaries allegedly sold coatings intended for customers in Iran and engaged in trade-related transactions with Iran, despite changes to OFAC’s Iran sanctions program, which prohibited such transactions. In addition, OFAC stated that in 2013, once the company realized that these sales may be problematic, some of its U.S. employees devised and facilitated a plan to continue sales from the two subsidiaries by using third-party distributors and avoiding referencing Iran on documentation.

    In arriving at the settlement amount, OFAC considered various mitigating factors, including that the apparent violations were non-egregious and (i) the company voluntarily disclosed the violations and cooperated with the investigation; and (ii) the company has undertaken significant remedial efforts to address the deficiencies and minimize the risk of similar violations from occurring in the future, including appointing compliance monitors and outside counsel, making changes to its leadership, and adopting compliance and training policies.

    OFAC also considered various aggravating factors, including that (i) the company failed to implement appropriate compliance policies “commensurate with selling to a high-risk jurisdiction such as Iran”; (ii) the company took “affirmative steps” to help the foreign subsidiaries continue to sell to Iran through indirect channels even though it knew the sales were problematic; and (iii) senior management, including U.S. employees, had actual knowledge of the conduct leading to the alleged violations and continued to facilitate transactions with Iran.

    Financial Crimes OFAC Department of Treasury Settlement Sanctions Iran Of Interest to Non-US Persons
