Skip to main content
Menu Icon Menu Icon
Close

InfoBytes Blog

Financial Services Law Insights and Observations

Filter

Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.

  • California Court of Appeal: Including extraneous language in FCRA disclosure may constitute willful violation

    Courts

    On April 19, the California Court of Appeal for the Fourth Appellate District reversed a trial court’s summary judgment order and held that the inclusion of extraneous language in an employer’s FCRA disclosures to job applicants may constitute willful violation of the FCRA. The plaintiff filed a putative class action against the defendant employer, contending that it willfully violated the FCRA by providing job applicants with a disclosure that included extraneous language unrelated to the topic of consumer reports. The plaintiff alleged that the disclosure violated the FCRA’s requirement for providing a standalone disclosure informing the applicant that the employer may obtain the applicant’s consumer report when making a hiring decision upon applicant’s consent. The defendant filed a motion for summary judgment arguing that no reasonable jury could find that the plaintiff’s FCRA violation was willful, because the erroneous disclosure form was the result of a drafting mistake that took place when the defendant modified a sample disclosure provided by a consumer reporting agency to ensure compliance with the FCRA. The trial court granted the defendant’s motion, finding that any non-compliance resulted from a drafting was an inadvertent error.

    On appeal, the Court of Appeal reversed and remanded with instructions that the trial court deny the motion for summary judgment. The appellate court found that “a reasonable jury could find that [the employer] acted willfully because it violated an unambiguous provision of the FCRA.” The Court of Appeal noted that that there’s evidence that at least one of the defendant’s employees was aware that the extraneous language would be included in the disclosure form. In addition, the continuous use of the allegedly problematic disclosure form for nearly two years could signify recklessness. The Court of Appeal reasoned further that the defendant’s “continued and prolonged use” of the “problematic” disclosure form “suggest[ed] that it had no proactive monitoring system in place to ensure its disclosure was FCRA-complaint.”

    Courts State Issues Appellate Class Action California FCRA Disclosures

    Share page with AddThis
  • District Court allows state claims concerning the use of individuals’ likenesses in online ads to proceed

    Privacy, Cyber Risk & Data Security

    On April 19, the U.S. District Court for the Northern District of California denied a motion to dismiss in a putative class action alleging a California-based website operator violated various Ohio, Indiana, and California state laws by appropriating individuals’ names and likenesses and using this information in online teaser profile advertisements. Plaintiffs contended that the “teasers” violated their rights of publicity, and that memberships give users access to data including location history, family members, court records, employment information, and more. Plaintiffs further stated that “they ‘did not consent to the commercial use of their personal information and personas to promote subscriptions to a website with which they have no relationship.’” Defendant moved to dismiss on numerous grounds, including lack of standing.

    In denying the motion to dismiss, the court ruled that plaintiffs have Article III standing to sue and that plaintiffs sufficiently pleaded a cognizable injury in “that their names, likenesses, and related information have commercial value and were being used for a commercial purpose.” The court also reviewed the adequacy of pleadings with respect to the alleged state violations and concluded, among other things, that the defendant’s teasers “are not subject to statutory exceptions for newsworthiness or public interest information.” As to the defendant’s alleged violations of California’s Unfair Competition Law (UCL), the court considered whether the California Consumer Privacy Act (CCPA) “immunizes [defendant’s] behavior from UCL liability.” According to the defendant, the CCPA generally obligates businesses to notify California residents when personal information is being used, it also “contains an express exemption for the use of publicly available data.” Because this conduct is allegedly permitted by the CCPA, the defendant argued, it cannot violate the UCL. The court disagreed, writing that “all that these provisions of the CCPA do are exempt publicly available data from special notification and disclosure rules that the statute itself imposes on companies that collect Californians’ data. . . . They do not expressly or impliedly set aside privacy-based tort claims or related UCL claims.”

    Privacy/Cyber Risk & Data Security Courts State Issues California Ohio Indiana CCPA Class Action

    Share page with AddThis
  • District Court approves final $85 million class action privacy settlement despite objections

    Privacy, Cyber Risk & Data Security

    On April 21, the U.S. District Court for the Northern District of California granted final approval of an $85 million class action settlement resolving privacy and data security allegations against a video conferencing provider. As previously covered by InfoBytes, consolidated class members claimed the company violated several California laws, including invasion of privacy, the “unlawful” and “unfair” prongs under the Unfair Competition Law, implied covenant of good faith and fair dealing, and unjust enrichment, among others. According to the more than 150 million class members (defined as individuals who “registered, used, opened or downloaded the [company’s] [m]eetings [a]pplication”), the company unlawfully shared their personal data with unauthorized third parties, failed to prevent unwanted and unauthorized meeting disruptions, and misrepresented the strength of its end-to-end encryption measures. Under the terms of the final settlement, the company will establish an $85 million fund to pay valid claims, fees and expenses, service payments, and taxes, and will make several major changes to its practices to “improve meeting security, bolster privacy disclosures, and safeguard consumer data.” Among other things, the settlement stipulates that the company will “provide in-meeting notifications to make it easier for users to understand who can see, save and share [their] information and content by alerting users when a meeting host or another participant uses a third-party application during a meeting.” Additionally, the company will educate users about available security features and ensure its privacy statement discloses the ability of users to share user data with third parties through integrated third-party software, record meetings, and/or transcribe meetings.

    The court considered several objections raised by certain class members, including concerns argued on behalf of a subclass of users who used the meeting application “as part of a business that was legally or contractually required to maintain client confidentiality as part of the services the business provided.” According to these objectors, the individual payment amounts are inadequate for individuals who held sensitive meetings. The court countered that the objectors’ claims did not differ from other class members and that the recovery is intended to cover users who did not receive the benefit of their bargain with the company, and not for “special harm arising from a duty to maintain client confidentiality.”

    Privacy/Cyber Risk & Data Security Courts Settlement Class Action Third-Party State Issues California

    Share page with AddThis
  • District Court denies class cert in data breach suit

    Privacy, Cyber Risk & Data Security

    On April 20, the U.S. District Court for the Northern District of California denied plaintiffs’ motion for class certification in a lawsuit alleging a defendant hotel and restaurant group breached its contract when a data breach exposed the plaintiffs’ credit card account numbers and other private information. Plaintiffs alleged the defendant contracted with a third-party reservation site, which required consumers to provide payment card information and other personally identifying information (PII). The plaintiffs contended that during the data breach, hackers accessed customer data, and argued that “had [the third party] ‘employed multiple levels of authentication,’ rather than ‘single factor authorization,’ the ‘hacker would not . . . have been able to access the system.” Plaintiffs further claimed that the defendant served as the third party’s agent and was therefore responsible for its conduct.

    In declining to certify the class, the court ruled that the plaintiffs failed to successfully allege any of their three claims on behalf of the class. The court reviewed the plaintiffs’ breach of contract claims, which alleged that the defendant promised to safeguard class members’ PII but failed to provide notice on its website that a third party was processing the payment information. According to the court, the plaintiffs could not show that all of the proposed class members would have believed they were providing their information to the defendant because the defendant’s “Book Now” button sent the user to the third party’s website and the defendant’s privacy policy disclosed its use of third party websites. The court also rejected the plaintiffs’ assertion that the defendant disclosed personal information in violation of California Civil Code because the information was hacked rather than disclosed by either the defendant or the third party. With respect to the plaintiffs’ Texas Deceptive Trade Practices Act claims, the plaintiffs argued that the defendant’s statements about protective measures were misleading because the third party did not employ multi-layer authentication. The court concluded that class treatment of those claims was improper as it could not determine whether the practice was misleading for the entire class as the question is dependent on whether class members believed they were providing PII to the defendant or to the third party.

    Privacy/Cyber Risk & Data Security Courts Class Action Data Breach State Issues Third-Party

    Share page with AddThis
  • Michigan Court of Appeals affirms dismissal of post-judgment interest case, says state court rule precludes class actions

    Courts

    On April 21, the Michigan Court of Appeals affirmed a trial court’s dismissal of a post-judgment interest putative class action after concluding that a court rule that precludes “‘actions’ based on claimed violations of statutes that permit[ ] recovery of statutory damages in lieu of actual damages” necessitated the dismissal of the plaintiff’s class action claim. According to the opinion, after the plaintiff defaulted on her $900 credit card debt, the debt was assigned to the defendant debt collector who calculated the plaintiff’s unpaid balance to be $6,241.20. The defendant sought judgment against the plaintiff in that amount, plus interest, fees, and costs, and obtained a default judgment against the plaintiff after she did not respond. The defendant consequently obtained several writs of garnishment, all of which indicated that post-judgment interest had been added to the debt. Several years later, the plaintiff filed a putative class action alleging the defendant violated the FDCPA and the Michigan Regulation of Collection Practices Act (RCPA) by overstating how much she owed “and by impermissibly inflating [defendant’s] costs and the amount of interest it charged.” The state trial court dismissed the plaintiff’s class action claims with prejudice on the basis that Michigan Court Rules (MCR) preclude her from recovering statutory damages under the RCPA because the RCPA does not explicitly permit class actions. The court also dismissed her individual claims for lack of subject-matter jurisdiction.

    On appeal, the plaintiff argued that the trial court erred when it dismissed her class action claims under MCR because she also sought equitable relief and actual damages; however, the Michigan Court of Appeals pointed to a provision in the MCR that states “[a]n action for a penalty or minimum amount of recovery without regard to actual damages imposed or authorized by statute may not be maintained as a class action unless the statute specifically authorizes its recovery in a class action.” The Court of Appeals explained that the RCPA is implicated under this rule because (i) it permits the recovery of statutory damages; and (ii) does not contain a provision explicitly permitting class actions, and as such, “plaintiff’s class action claims must be dismissed irrespective of the fact that she also sought injunctive relief, declaratory relief, and actual damages.” The Court of Appeals further held that even if the plaintiff attempted to plead individual claims, the case would not be allowed to proceed because the actual damages in this case are not high enough to meet the jurisdictional minimum amount in Michigan.

    Courts State Issues Michigan Consumer Finance Appellate Debt Collection Class Action

    Share page with AddThis
  • Defendants to pay $5 million for alleged data breach

    Privacy, Cyber Risk & Data Security

    On April 20, the U.S. District Court for the Southern District of California granted preliminary approval of a proposed class settlement, resolving claims against a medical supplier company after a data breach allegedly compromised personal information of its consumers in its database. According to the order, the plaintiffs’ alleged that between April 2019 and June 2019, hackers gained access to the defendant’s computer systems, which contained personal identifying information and protected health information of tens of thousands of individuals. Under the terms of the settlement, the defendants will pay $5 million, where each class member with a valid claim will receive between $100-$1000 in cash. The settlement also includes $2.3 million in attorneys’ fees and up to $4,000 for each of the class representatives. Additionally, the defendants will “be required to perform specified remedial measures for a minimum of the next two years and ‘perform either improved versions of such recommendations or the new industry standard thereafter for at least three additional years.’” The remedial measures include, among other things, conducting an AICPA and SOC Type 2 audit to be repeated until the defendant passes, engaging an independent third party to perform a HIPAA IT assessment, undergoing at least one cyber incident response test per year starting in 2022, requiring staff trainings about security and privacy at least twice a year, engaging a company to test its phishing and external facing vulnerabilities at least twice a year, and deploying a third-party enterprise SIEM tool with a 400-day look-back on logs.

    Privacy/Cyber Risk & Data Security Courts Data Breach California Class Action Settlement

    Share page with AddThis
  • District Court preliminarily approves $5.7 million class action overdraft fee settlement

    Courts

    On April 22, the U.S. District Court for the Northern District of New York preliminarily approved a $5.7 million class action settlement resolving allegations related to overdraft fees applied to certain bank account transactions. According to plaintiffs’ unopposed motion for preliminary approval, the bank was sued in 2020 for allegedly unfairly assessing and collecting overdraft fees on “Authorize Positive, Purportedly Settle Negative Transactions” (APPSN fees) as well as NSF fees. The bank denied the allegations and moved to dismiss, contending that the relevant account agreements are unambiguous, and that even if there were, “extrinsic evidence resolves the ambiguity in its favor on the whether the fees at issue are permitted.” In August 2021, the parties notified the court that they had reached an agreement. Under the terms of the preliminarily approved settlement, the bank will make a $4.25 million cash payment and will “forgive, waive, and agree not to collect an additional” $1.5 million in uncollected overdraft fees. Class members, defined as all current and former bank customers with consumer checking accounts who were charged a relevant fee between December 4, 2013, and November 30, 2021, will automatically receive their pro rata share of the settlement fund without having to prove they were harmed from the bank’s practices. There are no claim forms, and class members will be determined through the bank’s checking account data. A formula will be used to calculate each class member’s distribution. Under the terms of the settlement approximately $2.9 million will go towards customers who were charged APPSN fees, while roughly $1.3 million will be allocated for customers who were charged retry NSF fees.

    Courts Overdraft Fees Consumer Finance Class Action Settlement

    Share page with AddThis
  • 9th Circuit affirms district court’s ruling in TCPA case

    Courts

    On April 5, the U.S. Court of Appeals for the Ninth Circuit affirmed a district court’s decision denying a defendants’ motion to compel arbitration in a putative class action under the TCPA. The defendants were a digital marketing company and a debt-relief service company. According to the opinion, the plaintiffs visited the defendants’ websites, but allegedly did not see a notice in fine print stating, “I understand and agree to the Terms & Conditions which includes mandatory arbitration.” The underlined phrases “Terms & Conditions” and “Privacy Policy” were hyperlinks, but they appeared in the same gray font as the rest of the sentence. The marketing company and one of the defendants allegedly used the consumer’s contact information to conduct a telemarketing campaign on behalf of the debt relief companies by allegedly placing unsolicited telephone calls and text messaging consumers. The plaintiffs filed a putative class action, alleging that the calls and text messages were made without their consent, and therefore violated the TCPA. The defendants moved to compel arbitration, arguing that, by clicking on the “continue” buttons, the plaintiffs had agreed to the mandatory arbitration provision hyperlinked in the terms and conditions. The district court denied the defendants’ motion, concluding “that the content and design of the webpages did not conspicuously indicate to users that, by clicking on the ‘continue’ button, they were agreeing to [the service company’s] terms and conditions.”

    On appeal, the 9th Circuit agreed with the district court, finding that the digital marketing company’s website did not contain a reasonably conspicuous notice of its terms and conditions. The 9th Circuit ruled that such notice must be expressly displayed in a font size and format where it can be deemed that a reasonable Internet visitor saw it and was aware of it. The appellate court noted that, on the websites at issue, “[t]he text disclosing the existence of the terms and conditions … is the antithesis of conspicuous,” and that “is printed in a tiny gray font considerably smaller than the font used in the surrounding website elements, and indeed in a font so small that it is barely legible to the naked eye. The comparatively larger font used in all of the surrounding text naturally directs the user's attention everywhere else.” The 9th Circuit also held that, “while it is permissible to disclose terms and conditions through a hyperlink, the fact that a hyperlink is present must be readily apparent. …[T]he design of the hyperlinks must put such a user on notice of their existence.”

    Courts Appellate Ninth Circuit TCPA Arbitration Class Action

    Share page with AddThis
  • District Court denies motion for corrective notice in class action data breach case

    Privacy, Cyber Risk & Data Security

    On April 18, the U.S. District Court for the District of South Carolina denied the plaintiffs’ motion for corrective notice in a putative class action, ruling that the defendant cloud computer service provider is not required to issue a corrective notice related to a 2020 data breach. In 2020, a data breach exposed the personal data of individuals whose information was managed by the defendant and provided to the defendant’s clients. The plaintiffs alleged that the defendant’s “deficient” security program led to the data breach, and that the defendant failed to implement security measures to mitigate the risk of unauthorized access, used outdated servers, stored obsolete data, and maintained unencrypted data fields. The judicial panel on multidistrict litigation eventually consolidated several putative class actions arising from the data breach for coordinated pretrial proceedings. Plaintiffs argued that corrective notice to customers was appropriate, claiming the defendant “made numerous misrepresentations” related to the type of data stolen and performed “an unreliable risk of harm analysis that did not actually take into account the harm class members faced as a result of the breach.” The court disagreed, ruling that such corrective notice is improper at this stage. “Ultimately, the Federal Rules of Civil Procedure do not authorize Plaintiffs’ request to widely disseminate a notice endorsing their position on dispositive issues to [Defendant’s] customers, who are not parties or putative class members in this case, where Plaintiffs have not shown that [Defendant] made misleading communications regarding this litigation,” the court ruled.

    Privacy/Cyber Risk & Data Security Courts Data Breach Class Action

    Share page with AddThis
  • District Court grants final approval to class action data breach settlement against national convenience store chain

    Courts

    On April 20, the U.S. District Court for the Eastern District of Pennsylvania granted final approval to a settlement in a class action against a national convenience store chain (defendant) for a 2019 data security incident that allegedly compromised consumers’ credit and debit card information. As previously covered by InfoBytes, class members claimed that “despite the foreseeability of a data breach” the defendant, among other things, “failed to implement adequate measures to protect the sensitive, non-public payment card information entrusted to it by its customers.” In May 2021, the court ruled that the defendant must face certain claims filed by a group of financial institutions (covered by InfoBytes here). In August, the court granted preliminary approval of the settlement, which required the defendant to provide monetary relief to class members totaling approximately $9 million, plus $3.2 million for attorneys’ fees and expenses and class representative service awards, in addition to requiring the defendant to take additional measures for a period of two years to prevent future unauthorized intrusions. The settlement includes three tiers of customers, who will receive gift cards for either $5 or $15, or $500 in cash, depending on the level of their injury caused by the data breach.

    Courts Privacy/Cyber Risk & Data Security Class Action Data Breach Settlement

    Share page with AddThis

Pages