
InfoBytes Blog

Financial Services Law Insights and Observations


  • District Court preliminarily approves $4.3 million data breach settlement

    Courts

    On November 4, the U.S. District Court for the Eastern District of Michigan granted preliminary approval of a $4.3 million class action settlement regarding a data breach, following the filing of the plaintiffs’ unopposed motion for preliminary approval of class action settlement. After a plaintiff consolidated her suit with other similar lawsuits, the plaintiff class sued the defendant for negligence, unjust enrichment, and breach of contract, alleging their personal information was stolen from the defendant during a malware attack due to lack of cybersecurity measures. The settlement provides for, among other things, three years of free credit-monitoring services for the plaintiff class, up to $2,500 per member to cover out-of-pocket expenses related to the breach, up to $80 per member to cover lost time remedying issues related to the breach, $75 per member for California residents for claims under state statutes, and a year of password-managing services. The plaintiffs are seeking service awards of $1,500 for each of the 15 representative plaintiffs. The motion also noted that class counsel will ask the court for just over $1.4 million in attorneys’ fees to be deducted from the settlement fund.

    Courts Privacy, Cyber Risk & Data Security Settlement Class Action State Issues

  • 4th Circuit vacates $10.6 million judgment, orders district court to reevaluate class standing

    Courts

    On October 28, the U.S. Court of Appeals for the Fourth Circuit remanded a $10.6 million damages award it had previously approved in light of the U.S. Supreme Court’s decision in TransUnion LLC v. Ramirez. As previously covered by InfoBytes, in January, the Supreme Court vacated the judgment against the defendants and ordered the 4th Circuit to reexamine its decision in light of TransUnion (which clarified the type of concrete injury necessary to establish Article III standing, and was covered by InfoBytes here). Previously, a divided 4th Circuit affirmed a district court’s award of $10.6 million in penalties and damages based on a summary judgment that an appraisal practice common before 2009 was unconscionable under the West Virginia Consumer Credit and Protection Act (covered by InfoBytes here). During the appeal, the defendants argued that summary judgment was wrongfully granted and that the class should not have been certified since individual issues predominated over common ones, but the appellate court majority determined, among other things, that there was not a large number of uninjured members within the plaintiffs’ class because plaintiffs paid for independent appraisals and “received appraisals that were tainted.” At the time, the 4th Circuit “concluded that the ‘financial harm’ involved in paying for a product that was ‘never received’ was ‘a classic and paradigmatic form of injury in fact.’” On remand, the 4th Circuit considered questions of standing and ultimately determined that TransUnion requires the district court to reevaluate the standing of class members.

    Courts State Issues Settlement Appellate Fourth Circuit U.S. Supreme Court Class Action West Virginia

  • District Court approves data scrape settlement

    Courts

    On October 20, the U.S. District Court for the Northern District of California granted final approval to a class action settlement resolving claims that a social media platform (defendant) scraped consumer data for advertising purposes. According to the plaintiffs’ motion for preliminary approval, the defendant allegedly scraped a group of mobile company users’ call and text logs without consent by exploiting a vulnerability in the permission settings for the defendant’s message application. In their third amended complaint, the plaintiffs argued that consumers granted the defendant permission to access their phones’ contact lists, but did not consent to scraping their call and text logs, which included the date and time of phone calls, the phone numbers dialed, the names of the individuals called and the duration of each call, as well as whether each call was incoming, outgoing or missed. The plaintiffs further alleged that the defendant did not explicitly notify them that their data was being collected prior to the vulnerability being patched in October 2017, when the defendant ceased its scraping practice. The settlement requires the defendant to delete all call and text history data that it is not legally obligated to preserve, and provides for a $1.08 million attorney fee request and $1,500 incentive awards for class representatives.

    Courts Privacy, Cyber Risk & Data Security Class Action Data Breach Settlement

  • District Court preliminarily approves data breach settlement

    Courts

    On October 24, the U.S. District Court for the District of Colorado granted preliminary approval of a class action settlement resolving claims that a defendant failed to safeguard personally identifiable information (PII) during a data breach. According to the plaintiffs’ unopposed motion for preliminary approval of class action settlement and supporting memorandum, in December 2021, the defendant determined that an unauthorized third party gained access to and gathered data from its computer network in June 2021. The plaintiffs further alleged that, “if [the defendant] ‘properly monitor[ed] … [its] computer network and systems that housed the … [PII],’ [the defendant] ‘would have discovered the intrusion sooner.’” Furthermore, the plaintiffs alleged that the defendant failed to provide “timely and adequate notice” to the plaintiff class, and filed claims for negligence, breach of implied contract, and invasion of privacy by intrusion. The settlement also includes a provision for the defendant to pay directly for credit monitoring and identity theft protection services, not limited by the $475,000 cap, along with about $51,000 for settlement administration costs. The plaintiffs would also be able to seek up to $210,000 for attorney fees and costs, and a total $5,000 for service awards to the named plaintiffs.

    Courts Privacy, Cyber Risk & Data Security Data Breach Class Action Settlement

  • New Jersey reaches $495 million RMBS settlement with Swiss bank

    Securities

    On October 17, the New Jersey attorney general’s office announced it had reached a $495 million agreement in principle with a Swiss bank to resolve allegations related to its residential mortgage-backed securities (RMBS) practices leading up to the 2008 financial crisis. The AG stated that if finalized, the settlement will be one of the state’s largest civil monetary recoveries in history. According to the AG, the bank violated New Jersey’s securities laws by making material misrepresentations about the risks of the RMBS in offering documents, including by purportedly failing to disclose to investors material defects about the underlying mortgages. The announcement further stated that the bank allegedly sold the RMBS through registration statements, prospectuses, and other offering materials that contained fraudulent representations about the quality of the underlying loans, and allegedly “failed to disclose to investors the wholesale abandonment of underwriting guidelines designed to ensure that the mortgage loans underlying its securities trusts were made in accordance with appropriate lending guidelines; that numerous loan originators had poor track records of defaults and delinquencies; and that some loan originators had even been suspended from doing business with [the bank].” While neither admitting nor denying the allegations, the bank agreed to pay a $100 million civil monetary penalty and will provide approximately $300 million in restitution for affected investors. The bank is also permanently enjoined from future violations of state securities laws.

    Securities State Issues Enforcement New Jersey State Attorney General Settlement RMBS Mortgages Of Interest to Non-US Persons

  • New York announces $1.9 million data breach settlement with global retailer

    State Issues

    On October 12, the New York attorney general announced a $1.9 million settlement with an international e-commerce retailer for failing to properly handle a 2018 data breach. According to the settlement, the e-commerce retailer owns and operates two brands (collectively, “respondents”), which experienced a data breach that caused 39 million accounts to be stolen, including accounts for more than 800,000 New York residents. The AG found, among other things, that the respondents failed to properly safeguard consumers’ information, failed to adhere to requirements for protecting stored credit card data, and misrepresented the extent of the cyberattack to consumers. As a result of the settlement, the respondents are required to pay New York $1.9 million in penalties and costs, and must maintain a comprehensive information security program that includes robust hashing of customer passwords, among other things.

    State Issues Privacy, Cyber Risk & Data Security New York Data Breach State Attorney General Enforcement Consumer Finance Settlement

  • Bank agrees to pay $1.8 billion to settle RMBS bond insurance claims

    Courts

    On October 7, a national bank announced in a regulatory filing that it has agreed to pay $1.84 billion to settle claims brought by a bond insurer concerning policies provided on residential mortgage-backed securities before the 2008 financial crisis. According to the regulatory filing, the agreement will “resolve all pending [bond insurer] lawsuits” (containing damages claims of more than $3 billion) against the bank and its subsidiaries, will cause all pending litigation to be dismissed with prejudice, and will release the bank and its subsidiaries from “all outstanding claims” related to bond insurance policies for certain securitized pools of residential mortgage loans.

    Courts Settlement RMBS Mortgages Insurance

  • District Court grants preliminary approval of class action in robocall suit

    Courts

    On September 28, the U.S. District Court for the District of Utah granted preliminary approval of a TCPA class action settlement with a digital finance company. According to the plaintiff’s unopposed motion for preliminary approval, the plaintiff alleged that the defendant sent unwanted phone calls to approximately 64,845 unique cellular telephone numbers. The plaintiff’s motion noted that the district court granted, in part, the plaintiff’s motion for class certification and appointment of class counsel, and certified that the class consists of: “[a]ll persons throughout the U.S. (1) to whom [defendant] placed, or caused to be placed, a call, (2) directed to a number assigned to a cellular telephone service, but not assigned to a current or former [defendant] accountholder, (3) in connection with which [defendant] used an artificial or prerecorded voice, (4) from September 1, 2019 through September 21, 2021.” The Tenth Circuit Court of Appeals denied the defendant’s petition for permission to appeal the court’s order certifying the class. After that, the district court approved Plaintiff’s Rule 23(c)(2) class notice plan. After more than two years of “vigorously contested litigation, and as a result of extensive arm’s-length negotiations” the parties agreed to resolve this matter on behalf of a settlement class. The order further noted that the parties’ agreement “calls for the creation of a non-reversionary, all-cash common fund in the amount of $5 million, from which participating settlement class members will receive substantial payments.”

    Courts Class Action TCPA Settlement Robocalls

  • District Court grants preliminary approval of data breach class action

    Courts

    On October 3, the U.S. District Court for the Eastern District of Wisconsin granted preliminary approval of a data breach class action settlement. According to the plaintiff’s unopposed motion for preliminary approval, a ransomware attack on the company potentially allowed an unauthorized actor to access the personal information of approximately two million of the company’s patients, employees, employee beneficiaries, and other individuals from May 28, 2021 to June 4, 2021. The company announced the ransomware attack in a data breach notice sent to customers on June 24, 2021. The plaintiff filed her complaint alleging, among other things, that the company “failed to take adequate measures to protect her and other putative Class Members’ Personal Information and failed to disclose that [the company’s] systems were susceptible to a cyberattack.” After other plaintiffs filed suit, the plaintiffs moved to consolidate the actions and alleged several violations, including negligence and breach of implied contract. The settlement provides for a $3.7 million settlement fund. Each class member is eligible to submit a claim for two years of three-bureau credit monitoring and up to $1 million of insurance coverage for identity theft incidents. Additionally, class members can submit a claim for up to $10,000 in documented losses. The settlement also provides class members with lost time payment and cash fund payment options (in the alternative to all the foregoing settlement benefits).

    Courts Privacy, Cyber Risk & Data Security Class Action Settlement Data Breach

  • Arizona reaches $85 million settlement in location tracking suit

    Privacy, Cyber Risk & Data Security

    On October 4, the Arizona attorney general announced an $85 million settlement with an internet technology company to resolve allegations that it collected individuals’ location data for targeted advertising without users’ knowledge or consent or after users opted out of the feature through the platform’s settings. The AG initiated an investigation in 2018 into the company’s practices after sources claimed that the platform surreptitiously collected and sold location information through other settings even though users believed disabling the “Location History” setting would ensure this would not occur. The AG sued the company in 2020, claiming violations of the Arizona Consumer Fraud Act. Among other things, the AG alleged the company’s disclosures misled users into believing these other settings had nothing to do with tracking user location, and that the company used “deceptive and unfair practices to collect as much user information as possible” and made it difficult for users to understand what was being done with their data or opt out of data sharing. Without admitting any wrongdoing, the company agreed to the terms of the settlement agreement and will pay Arizona $85 million, of which the majority will go toward “education, broadband, and [i]nternet privacy efforts and purposes.”

    Privacy, Cyber Risk & Data Security State Issues Arizona Settlement State Attorney General
