Skip to main content
Menu Icon Menu Icon
Close

InfoBytes Blog

Financial Services Law Insights and Observations

Filter

Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.

  • District Court: Emotional distress did not cause injury-in-fact

    Courts

    On May 10, the U.S. District Court for the Western District of New York granted a defendant’s motion for summary judgment in a FDCPA class action suit. According to the order, the defendant sent the plaintiff a letter seeking to collect $9,700. The collections letter identified the name of the original creditor and the name of the current creditor to whom the debt was owed. The plaintiff filed suit, claiming he suffered emotional distress, and alleging that the debt was not owed to the defendants, and that the letter “erroneously” claimed that the current creditor to whom the debt was owed was not the owner of the debt, in violation of the FDCPA. The court granted the defendant’s summary judgment, dismissing the claims and finding that the case “is at the summary judgment stage,” which “requires proof of injury-in-fact beyond the sufficiency of Plaintiff’s allegations of an injury.” The court further stated that the “[p]laintiff states in his responding Declaration that his stress came from not knowing how his personal information was learned by Defendant,” but that the “[p]laintiff did not seek medical attention for the emotional distress he suffered.” The court continued that “failure to seek medical treatment is material in establishing the extent of Plaintiff’s injury (in [sic] any) from the emotional distress.” The court found that the plaintiff did “not establish[] that he suffered an injury-in-fact from his emotional distress arising from the dunning letter.”

    Courts Class Action Debt Collection FDCPA Consumer Finance

    Share page with AddThis
  • District Court dismisses privacy class action claims citing absence of jurisdiction

    Privacy, Cyber Risk & Data Security

    On May 5, the U.S. District Court for the Northern District of California granted defendants’ motions to dismiss a putative class action concerning invasion of privacy claims related to the collection of consumer data over an online shopping platform. The Canada-based e-commerce company and two of its wholly-owned subsidiaries operate an e-commerce platform that hosts merchants’ websites and facilitates and verifies customers’ payment information. According to the plaintiff, the defendants’ platform intercepts payment information and collects shoppers’ sensitive personal information through the use of cookies, including names, addresses, and credit card information. The plaintiff alleged that the defendants compile the data into individualized profiles, which is shared with merchants, and also share shoppers' data with other non-merchant third parties. Shoppers are not required to consent to any of these activities and are supposedly unaware that their sensitive information is being tracked and shared, the plaintiff stated, claiming violations of California’s Invasion of Privacy Act, Computer Data Access and Fraud Act, and Unfair Competition Law, among other things. In dismissing the action, the court concluded that the plaintiff’s privacy claims against the defendants are too general and fail to identify which defendant is responsible for the plaintiff’s alleged injuries. The court noted that it would normally permit the plaintiff to amend his complaint to address the issue, but said that in this case the court lacks both general and specific jurisdiction over any of the defendants. The court explained that the plaintiff failed to argue that any of the three entities (based either in Canada or Delaware) are subject to general jurisdiction in California. Simply stating that the platform “enables merchants to sell products online . . . does not represent an intentional act directed at California residents,” the court stated.

    Privacy/Cyber Risk & Data Security Courts Class Action State Issues California Jurisdiction

    Share page with AddThis
  • Defendants to pay $5.7 million for alleged data breach

    Privacy, Cyber Risk & Data Security

    On May 10, the U.S. District Court for the Northern District of Ohio granted preliminary approval of a $5.7 million settlement in a class action against a fast-food chain (defendant) resolving allegations that it acted negligently for failing to protect customers’ data when hackers stole payment card information from more than 700 franchised restaurants. According to the order, in 2017, a data breach compromised the defendant’s customer payment data, which resulted in multiple lawsuits that were settled. In the current case, the plaintiffs sued the defendant for negligence related to insecure systems that led to the data breach. The plaintiffs alleged that the defendant’s negligence required financial institutions to spend resources to respond to the breach. Under the terms of the settlement, the defendant would pay under a per-card formula up to $5.73 million to resolve class member claims, which would include up to $3 million to pay class members’ claims ($1.00 per reissued card and $1.50 per card experiencing fraud within four weeks of the breach). The defendant would also pay up to $500,000 for settlement administration, up to $30,000 for class representative service awards, and up to $2.2 million for attorneys’ fees and expenses.

    Privacy/Cyber Risk & Data Security Courts Class Action Data Breach Settlement

    Share page with AddThis
  • District Court allows data sharing invasion of privacy claims to proceed

    Privacy, Cyber Risk & Data Security

    On May 4, the U.S. District Court for the Central District of California partially dismissed the majority of a putative class action accusing several large retailers and a data analytics company (collectively, “defendants”) of illegally sharing their consumer transaction data, allowing only an invasion of privacy claim to proceed. In 2020, plaintiffs’ claimed the retail defendants shared consumer data without authorization or consent, including “all unique identification information contained on or within a consumer’s driver’s license, government-issued ID card, or passport, e.g., the consumer’s name, date of birth, race, sex, photograph, complete street address, and zip code,” with the data analytics company who used the information to create “risk scores” that purportedly calculated a consumer’s likelihood of retail fraud or other criminal activity. The court permanently dismissed the plaintiffs’ California Consumer Privacy Act claims, finding that the state law was not in effect when some of the plaintiffs allegedly attempted returns or exchanges and that the law does not contain an express retroactivity provision. Additionally, while plaintiffs argued that the retail defendants engaged in “a pattern or practice of data sharing,” the court concluded that plaintiffs failed “to allege that they are continuing to return or exchange merchandise at these retailers such that their data is disclosed” to the data analytics company. The court also dismissed the FCRA claims, ruling that the data analytics company’s risk report is not a “consumer report” subject to the FCRA because it does not “bear on Plaintiff’s eligibility for credit.” Plaintiffs’ claims for unjust enrichment and violations of California's Unfair Competition Law were also dismissed. However, the court concluded that the plaintiffs had plausibly alleged a reasonable expectation of privacy against the defendants, pointing to “the wide discrepancy between Plaintiffs’ alleged expectations for Retail Defendants’ use of their data and its actual alleged use.”

    “The court finds dismissing this claim at the pleading stage particularly inappropriate where, as is the case here, defendants are the only party privy to the true extent of the intrusion on Plaintiffs’ privacy,” the court stated. “Reading the Complaint in a light most favorable to Plaintiffs, Plaintiffs sufficiently allege that [] defendants’ intrusion into Plaintiffs’ privacy was highly offensive.”

    Privacy/Cyber Risk & Data Security Courts State Issues Class Action CCPA California

    Share page with AddThis
  • District Court partially certifies data breach suit

    Privacy, Cyber Risk & Data Security

    On May 3, the U.S. District Court for the District of Maryland granted in part and denied in part certification of eight class actions against a hotel corporation (defendant) alleging that it misled consumers regarding a major breach of customers’ personal information. According to the opinion, the plaintiffs filed suit after allegedly learning that the defendant took more than four years to discover the breach and took nearly three months to notify customers of their exposed information. The defendant discovered the breach in September 2018 when a consulting company contracted, to provide data security services reported an anomaly pertaining to a guest information database. In total, the breach impacted approximately 133.7 million guest records associated with the U.S., including an estimated 47.7 million records associated with the bellwether states. The defendant argued that certification should be denied because not all of the class members demonstrated that they suffered an injury, which the court rejected, noting that the plaintiffs do not need to demonstrate that every class member has standing at the class certification stage. The size of the certified classes based on an overpayment theory was decreased, because the court agreed with the defendants’ argument that the plaintiffs were too broad in seeking to include all customers who were affected by the breach, rather than those who only “bore the economic burden.” The court also declined to certify one class seeking only injunctive or declaratory relief, stating that “[w]ithout any direction as to the nature of the injunction sought, besides a request for further discovery, plaintiffs’ motion goes no further than requesting that defendants discontinue their current practices with respect to the [personally identifiable information] at issue.”

    Privacy/Cyber Risk & Data Security Courts Data Breach Class Action

    Share page with AddThis
  • District Court partially affirms summary judgment in interest case

    Courts

    On April 28, the U.S. District Court for the Southern District of New York granted in part and denied in part parties’ motions for summary judgment in a suit challenging the retroactive application of a New York statute reducing the state’s statutory interest rate on money judgments arising out of consumer debt. In doing so, the court considered S5724A, the Fair Consumer Judgment Interest Act. As previously covered by InfoBytes, the New York governor signed S5724A in December 2021, which amended the civil practice law and rules relating to the rate of interest applicable to money judgments arising out of consumer debt. Specifically, the bill provides that the interest rate that can be charged on unpaid money judgments is 2 percent and applies to judgments involving consumer debt, which is defined as “any obligation or alleged obligation of any natural person to pay money arising out of a transaction in which the money, property, insurance or services which are the subject of the transaction are primarily for personal, family or household purposes […], including, but not limited to, a consumer credit transaction, as defined in [section 105(f) of the civil practice law and rules].” The bill became effective April 30. According to the suit, a group of credit unions (plaintiffs) filed a federal class action lawsuit seeking to enjoin the enforcement or implementation of S5724A. The plaintiffs sought to invalidate the retroactive portion of S.5724A, arguing that it is an unconstitutional taking in violation of the Fifth Amendment and violative of their substantive due process rights guaranteed under the Fourteenth Amendment. The plaintiffs claimed that they are collectively owed about $3.8 million of outstanding consumer judgments, which includes approximately $1 million in interest, and sought a preliminary injunction enjoining the effective date of S572A. The plaintiffs brought suit against the Chief Administrative Judge of the New York State Courts, and the sheriffs of three New York counties in their official capacity on the basis that those parties “will be involved in enforcement of the Amendment.” The district court issued the preliminary injunction with respect to the sheriffs, relying on the credit unions’ arguments that retroactive application will “eradicate millions of dollars from the balance of judgments lawfully due and owing to judgment creditors.” The district court noted that “[r]egulatory takings … involve government regulation of private property [that is] . . . so onerous that its effect is tantamount to a direct appropriation or ouster. Thus, ‘while property may be regulated to a certain extent, if regulation goes too far it will be recognized as a taking.’”

    Courts New York Credit Union Interest State Issues Interest Rate Class Action

    Share page with AddThis
  • District Court approves final class action privacy settlement

    Privacy, Cyber Risk & Data Security

    On April 29, the U.S. District Court for the Western District of New York granted final approval of a class action settlement resolving privacy and data security allegations against a health insurance company and several related health insurance entities (collectively, “defendants”). According to the plaintiffs’ memorandum of support, the plaintiff filed suit in 2015, alleging that the defendants compromised the personal identifying information, Social Security numbers, and medical and financial data of approximately 9.3 million policy holders from a 2013 data breach. After the security incident was announced, 14 lawsuits were filed, which were consolidated with this case. Under the terms of the final settlement, the defendants are required to implement information security and compliance measures, and comprehensively address security risks. The settlement also includes $3.6 million in attorneys’ fees and $700,000 in litigation costs. Class representatives will be awarded service awards that range between $1,000-$7,500 each, which will total approximately $95,500.

    Privacy/Cyber Risk & Data Security Courts Settlement Data Breach Class Action

    Share page with AddThis
  • District Court orders evidence showing customer agreed to arbitration clause in clickwrap agreement

    Courts

    On April 15, the U.S. District Court for the Northern District of California ordered a defendant “teledentristry” practice to file a declaration evidencing a clickwrap agreement that shows that the plaintiff assented to an arbitration agreement in an addendum to a retail installment contract. The plaintiff filed a putative class action claiming the defendant failed to comply with consumer protection licensing requirements and made misleading and false representations to consumers about the scope of its services and the provided dental care. The defendant moved to compel arbitration, stating that when customers create an account on the defendant’s website, they are required to affirmatively check a clickwrap checkbox to provide informed consent and must agree to the defendant’s terms and conditions before finalizing the registration process. The checkbox is not pre-checked, the defendant stated, and customers can view the full terms and conditions when clicking on the hyperlinks for each policy. The defendant maintained that if the plaintiff had clicked on the “Informed Consent” hyperlink, he would have been presented with the arbitration clause. The defendant also claimed that its servers log customers’ electronic assent to the terms and conditions and provided evidence purportedly showing that the plaintiff accepted the terms and conditions. The plaintiff countered that he did not assent to the arbitration agreement.

    The arbitration dispute concerns whether the plaintiff assented to the arbitration agreement, whether the agreement is valid and enforceable, and whether the agreement delegates questions of arbitrability to the arbitrator and not the court. According to the court, the defendant failed to show sufficient evidence that the plaintiff agreed to the arbitration agreement and stated it will issue a ruling once the defendant provides additional evidence showing what the plaintiff would have seen when he allegedly assented to the clickwrap agreement, as well as “the circumstances under which [plaintiff] received and allegedly assented to the addendum to the retail installment contract.” The court’s order also granted plaintiff’s motion to further amend the complaint but denied plaintiff’s motion to remand on the grounds that the Class Action Fairness Act of 2005 conferred subject-matter jurisdiction upon the court.

    Courts Arbitration Clickwrap Agreement Class Action California

    Share page with AddThis
  • District Court grants class certification in FDCPA suit

    Courts

    On April 27, the U.S. District Court for the Western District of Pennsylvania granted a plaintiff’s motion for class certification in an action against a consumer debt buyer (defendant) for allegedly violating the FDCPA by stating that a judgment may be awarded prior to the expiration of a settlement offer, even though a collection lawsuit was not filed. According to the opinion, the plaintiff received a collection letter from the defendant that offered a “discount program” for his “Legal Collections account without any further legal action,” which had to be accepted within a month. The letter also stated that “[a] judgment could be awarded by the court before the expiration of the discount offer listed in this letter,” despite the fact that at the time the letter was received, there were no pending court cases in which a judgment could be entered against the plaintiff. After receiving the letter, the plaintiff filed suit, alleging that the defendant violated the FDCPA by making false, misleading, and deceptive misrepresentations about the debt. Among other things, the defendant argued that the size of the class would be impossible to ascertain because identifying class members would require individualized inquiries into who received a letter and when. By holding that the FDCPA violation occurred when a letter was sent rather than when it was received, the court rejected the defendant’s argument and ruled instead that individualized inquiry is not necessary. According to the district court, “[r]eviewing this information will, of course, require some level of individualized inquiry. But the need for file-by-file review to identify class members is not fatal to class certification.” The district court further noted that “[c]ourts and parties must be able to determine accrual dates with some degree of certainty,” and “[t[he date of receipt may often be impossible to determine, particularly where the recipient is an individual as opposed to a commercial entity.”

    Courts Class Action Debt Collection FDCPA Debt Buyer

    Share page with AddThis
  • District Court dismisses state law claims concerning scanned email allegations

    Privacy, Cyber Risk & Data Security

    On April 26, the U.S District Court for the Northern District of California granted a defendant tech company’s motion for reconsideration to dismiss a plaintiffs’ Washington Privacy Act (WPA) claims that it shared customer data with third parties without first obtaining consent. According to the amended complaint, the defendant allegedly misrepresented its privacy and security practices in violation of federal and state law by, among other things, sharing customer data with unauthorized third parties (some of which suffered data breaches), using customer data to develop products and services to sell to other companies, and falsely promising it complied with privacy and confidentiality standards. Plaintiffs alleged the company scanned 400 billion customer emails to obtain insights for its API, which it then sold to others.

    In its prior ruling, the court dismissed plaintiffs’ Wiretap Act and Stored Communications Act claims but allowed the WPA claims to proceed. The defendant then filed a motion for partial reconsideration, arguing that the WPA claim is also premised on the same scanned email theory as with the other two claims that were already dismissed. The court agreed that the plaintiffs failed to sufficiently allege that their emails were scanned and dismissed the WPA claims without leave to amend because the “interception or disclosure of a communication” was necessary “in order for the conduct to be actionable.”

    Privacy/Cyber Risk & Data Security Courts State Issues Washington Class Action Data Breach Wiretap Act

    Share page with AddThis

Pages