InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
NY credit union gets final approval on $2.2M overdraft fee deal
On September 7, the U.S. District Court for the Northern District of New York issued a Final Order approving a more than $2.2 million settlement deal to end a class action over a credit union’s overdraft and insufficient funds fee practices.
The deal includes a $2.1 million settlement fund. After payment of attorneys’ fees to customers’ counsel, 80% of the settlement fund will go to customers who were allegedly charged overdraft fees on debit card transactions that did not overdraw their accounts when the transactions were authorized, and 20% will go to customers who were allegedly hit with multiple insufficient funds fees on a single transaction. In addition, the credit union will forgive, waive and not collect nearly $165,000 in uncollected fees.
On December 7, 2022, plaintiffs filed a putative class action complaint in the United States District Court for the Northern District of New York that consolidated two putative class action cases in which the plaintiffs alleged the credit union’s assessment of more than one insufficient funds fee on a single transaction and assessment of overdraft fees on debit card transactions that did not overdraw the customers’ accounts was a breach of contract, breach of the covenant of good faith and fair dealing, and violative of New York General Business § 349, et seq. Shortly after the actions were consolidated, the parties notified the court that they were working towards a settlement.
California appeals court reverses dismissal of Rosenthal Act class action
On August 30, a California Appeals Court (Appeals Court) reversed a lower court’s ruling that a mere alleged debt, whether or not actually due or owing – as opposed to a debt that is, in fact, actually due or owing – is insufficient to state a claim under the Rosenthal Fair Debt Collection Practices Act (Rosenthal Act). Enacted in 1977, the Rosenthal Act aims “to prohibit debt collectors from engaging in unfair or deceptive acts or practices in the collection of consumer debts.” Plaintiff purchased a home with a previously-installed solar energy system. The previous homeowner and plaintiff reached an agreement whereby the prior homeowner would purchase the energy produced through the system through monthly payments. However, the defendant, the provider of the solar energy system, sent late payment notices to plaintiff demanding that he make monthly payments. Although plaintiff did not engage in a “consumer credit transaction” with the defendant, the Appeals Court found that the plaintiff’s receipt of statements and notices from the defendant constituted money “alleged to be due or owing,” as required to state a claim under the Rosenthal Act. In holding that the plaintiff’s claim “has merit,” the Appeals Court emphasized that the Rosenthal Act was specifically designed to “eliminate the recurring problem of debt collectors dunning the wrong person or attempting to collect debts which the consumer has already paid,” and “[i]t is difficult to conceive of a more unfair debt collection practice than dunning the wrong person”.
7th Circuit affirms dismissal of proposed Driver’s Privacy Protection Act class action
On August 22, the U.S. Court of Appeals for the Seventh Circuit affirmed the dismissal of a proposed class action alleging that defendant insurance companies leaked the plaintiffs’ drivers license numbers, holding that the plaintiffs lacked standing to sue the insurance companies. In a split decision, the majority opinion held that plaintiffs failed to establish standing to bring a lawsuit under the Driver’s Privacy Protection Act (DPPA) based on the unauthorized disclosure of their driver’s license numbers through a form on defendant’s website. The majority held that plaintiffs failed to allege a concrete injury, writing that allegations that plaintiffs are worried about future identity theft stemming from the disclosure are insufficient for standing, focusing on legitimate reasons why driver’s license numbers are commonly exposed to third-parties. The majority further held that plaintiffs failed to allege that false unemployment benefit applications submitted in their name were traceable to the disclosure of their driver’s license number, dooming their standing claim. In a dissent, Judge Kenneth Ripple disagreed with the majority’s conclusion that plaintiffs failed to make sufficient allegations to justify standing, reasoning that the DPPA contemplates a private right of action for the types of harms suffered by the plaintiffs and that plaintiffs adequately alleged that they suffered harm from false unemployment benefit applications submitted as a result of the driver’s license number leak.
Judge grants MSJ in class action over disputed debt investigation
On July 28, the U.S. District Court for the Southern District of Alabama granted summary judgment in favor of a defendant third-party debt collector in an FCRA and FDCPA putative class action, holding that the defendant carried out a reasonable investigation following plaintiff’s dispute of the debt it had reported to credit reporting agencies (CRAs) and that the plaintiff failed to establish that the defendant knew or should have known that the debt was inaccurate or invalid. Defendant entered into an asset purchase agreement with another third-party debt collector and reported debts to credit reporting agencies under the name of the non-defendant third-party debt collector, including an account erroneously associated with plaintiff. When defendant received notice that plaintiff disputed the erroneous account information, defendant verified the account information in its system and provided by the CRA, asked the creditor to provide account documentation, and then requested that the CRAs delete their reporting of the account once the creditor failed to provide account documentation within the requested thirty-day period.
In relation to the FCRA claim, the court found that the defendant “did everything required by the FCRA in response to Plaintiff’s dispute” such that the plaintiff “failed to establish how this investigation was not reasonable” or in violation of the FCRA. The court also found that plaintiff “failed to show that any different result would have occurred had [defendant] conducted any part of its investigation differently.” Finally, plaintiff’s claim failed as a matter of law concerning defendant’s initial report of the debt to the CRAs because the defendant was not required under the FCRA to “investigate the validity of a debt before commencing to report on that account to the CRAs.” While the defendant was prohibited from reporting inaccurate consumer information, no private cause of action exists for violations of this initial reporting provision of the FCRA.
For the FDCPA claim, the court held that the plaintiff failed to establish that the defendant had knowledge that the debt it reported was not accurate or was otherwise disputed or invalid. Because the CFPB passed Regulation F in November 2021, after the events at question in this litigation, furnishing information regarding a debt to a CRA before communication with plaintiff was not unlawful at that time. Finally, the court found that plaintiff failed to timely assert that defendant violated the FDCPA provision prohibiting false, deceptive, or misleading representation by using the non-defendant third-party debt collector’s name when reporting the account to the CRAs because this allegation was not present in plaintiff’s complaint.
11th Circuit changes course, says one text message sufficient for TCPA standing
On July 24, the full U.S. Court of Appeals for the Eleventh Circuit unanimously held that a plaintiff who receives a single, unwanted text message has standing to sue the sender of the message under the TCPA. The decision departs from precedent set by the same court in 2019, in which it determined in a different case that receiving one unsolicited text message is not enough of a concrete injury to establish standing under the statute. (Covered by InfoBytes here.) Plaintiff filed a putative class action against a web-hosting company alleging the defendant violated the TCPA by using a prohibited autodialer to send promotional calls and text messages selling services and products. The settlement agreement reached between the parties also resolved claims brought against the defendant by parties in two other actions.
During settlement discussions, the district court cited the aforementioned 2019 11th Circuit decision and asked the parties to brief how their case, which includes individuals who received only one text message, was distinguishable from the 2019 action. The district court ultimately ruled that class members who only received one text message “lacked a viable claim” in the 11th Circuit under the 2019 precedent, but noted that because the case involves a nationwide settlement, “those class members ‘do have a viable claim in their respective Circuit.’” An objector to the settlement appealed the ruling on various grounds to the 11th Circuit, which dismissed the appeal for lack of jurisdiction and held that the class definition did not meet Article III standing requirements, as it included individuals who received a single text message. Plaintiff moved for rehearing en banc, asking the 11th Circuit to reevaluate the 2019 precedent and to clarify the elements necessary to pursue a TCPA claim.
Reviewing de novo the threshold jurisdiction question of whether plaintiffs have standing to sue, the 11th Circuit said that “the harm that underlies a lawsuit for the common-law claim of intrusion upon seclusion” shares a “close relationship” with a “traditional harm.” The appellate court explained that because “[b]oth harms reflect an intrusion into the peace and quiet in a realm that is private and personal[,] [a] plaintiff who receives an unwanted, illegal text message suffers a concrete injury. Because [plaintiff] has endured a concrete injury, we remand this matter to the panel to consider the rest of the appeal.” Recognizing that a single unsolicited text message may not be considered “highly offensive to the ordinary reasonable man” it “is nonetheless offensive to some degree to a reasonable person.” The 11th Circuit also referred to seven other circuit courts that “have declined to consider the degree of offensiveness required to state a claim for intrusion upon seclusion at common law,” and have instead chosen to conclude that “receiving either one or two unwanted texts or phone calls resembles the kind of harm associated with intrusion upon seclusion.” Moreover, the 11th Circuit noted that Congress is given authority under the Constitution “to decide what degree of harm is enough so long as that harm is similar in kind to a traditional harm,” which is “exactly what Congress did in the TCPA when it provided a cause of action to redress the harm that unwanted telemarketing texts and phone calls cause.”
Illinois Supreme Court declines to reconsider BIPA accrual ruling
On July 18, the Illinois Supreme Court declined to reconsider its February ruling, which held that under the state’s Biometric Information Privacy Act (BIPA or the Act), claims accrue “with every scan or transmission of biometric identifiers or biometric information without prior informed consent.” Three justices, however, dissented from the denial of rehearing, writing that the ruling leaves “a staggering degree of uncertainty” by offering courts and defendants little guidance on how to determine damages. The putative class action stemmed from allegations that the defendant fast food chain violated BIPA sections 15(b) and (d) by unlawfully collecting plaintiff’s biometric data and disclosing the data to a third-party vendor without first obtaining her consent. While the defendant challenged the timeliness of the action, the plaintiff asserted that “a new claim accrued each time she scanned her fingerprints” and her data was sent to a third-party authenticator, thus “rendering her action timely with respect to the unlawful scans and transmissions that occurred within the applicable limitations period.”
In February, a split Illinois Supreme Court held that claims accrue under BIPA each time biometric identifiers or biometric information (such as fingerprints) are scanned or transmitted, rather than simply the first time. (Covered by InfoBytes here.) The dissenting judges wrote that they would have granted rehearing because the majority’s determination that BIPA claims accrue with every transmission “subvert[s] the intent of the Illinois General Assembly, threatens the survival of businesses in Illinois, and consequently raises significant constitutional due process concerns.” The dissenting judges further maintained that the majority’s February decision is confusing and lacks guidance for courts when determining damages awards. While the majority emphasized that BIPA does not contain language “suggesting legislative intent to authorize a damages award that would result in the financial destruction of a business,” it also said that it continues “to believe that policy-based concerns about potentially excessive damage awards under [BIPA] are best addressed by the legislature,” and that it “respectfully suggest[s] that the legislature review these policy concerns and make clear its intent regarding the assessment of damages under [BIPA].”
9th Circuit denies en banc hearing on COPPA preemption question
On July 13, a panel of the U.S. Court of Appeals for the Ninth Circuit entered an order amending an opinion filed on December 28, 2022 and denied a petition for rehearing en banc in a putative class action accusing a multinational technology company and search engine and its affiliated video-sharing platform of collecting children’s data and tracking their online behavior surreptitiously without parental consent in violation of state law and the Children’s Online Privacy Protection Act (COPPA). The panel unanimously voted against defendant’s en banc rehearing request, commenting that no other 9th Circuit judge has requested a vote on whether to consider the matter en banc.
Claiming the defendant used “persistent identifiers” — which the FTC’s regulations define as information “that can be used to recognize a user over time and across different Web sites or online services” — class members alleged state law claims arising under the constitutional, statutory, and common laws of California, Colorado, Indiana, Massachusetts, New Jersey, and Tennessee. Last December, the three-judge panel reversed and remanded the district court’s dismissal of the suit, disagreeing that the allegations were squarely covered, and preempted, by COPPA (covered by InfoBytes here.) On appeal, the 9th Circuit considered whether COPPA preempts state law claims based on underlying conduct that also violates COPPA’s regulations. The panel determined that “COPPA’s preemption clause does not bar state-law causes of action that are parallel to, or proscribe the same conduct forbidden by, COPPA. Express preemption therefore does not apply to the children’s claims.” The panel further noted that the U.S. Supreme Court and others have long held “that a state law damages remedy for conduct already proscribed by federal regulations is not preempted.”
The panel, however, amended its prior opinion to note that the FTC supports its conclusion that COPPA does not preempt the asserted state law privacy claims on the basis of either express preemption or conflict preemption. At the end of May, at the 9th Circuit’s request, the FTC filed an amicus brief (covered by InfoBytes here) arguing that COPPA does not preempt state laws that are consistent with the federal statute’s treatment of regulated activities. The panel concluded that neither express preemption nor conflict preemption bar the plaintiffs’ claims.
11th Circuit orders reexamination of breach class boundaries
On July 11, a split U.S. Court of Appeals for the Eleventh Circuit partially vacated the greenlighting of two data breach class actions, holding that a district court must re-analyze the boundaries of the classes. Both the nationwide and California classes are individuals who sued a restaurant chain after their card data and personally identifiable information were compromised in a cyberattack. Plaintiffs claimed that information for roughly 4.5 million cards could be accessed on an online marketplace for stolen payment information. Two of the three named plaintiffs also said they experienced unauthorized charges on their accounts. Plaintiffs moved to certify two classes seeking both injunctive and monetary relief—a nationwide (or alternatively a statewide) class for negligence and a California class for claims based on the state’s unfair business practices laws. The district court certified a nationwide class and a separate California-only class. The restaurant chain’s parent company appealed, arguing that the certification violates court precedent on Article III standing for class actions, that the classes do not meet the commonality requirements for certification, and that the district court erred by finding that a common damages methodology existed for the class.
On appeal, the majority found that at the class certification stage, plaintiffs only had to show that a reliable damages methodology existed. The majority also determined that the district court correctly found that plaintiffs’ expert presented a sufficient methodology for calculating damages and that “it would be a ‘matter for the jury’ to decide actual damages at trial.” However, the majority remanded the case with instructions for the district court to clarify what it meant when it certified classes of individuals who had their “data accessed by cybercriminals.” According to the opinion, the district court meant for this term to encompass individuals who experienced fraudulent charges or whose credit card information was posted on the dark web. The majority expressed concerns that the phrase “accessed by cybercriminals” is broader than the two delineated categories provided by the district court and could include individuals who had their data taken but were otherwise uninjured. The majority also vacated the California class certification after determining that two of the three named plaintiffs lacked standing because they dined at the restaurant outside of the “at-risk” timeframe. The district court’s damages calculation methodology, however, was left undisturbed by the appellate court.
Partially dissenting, one of the judges wrote that while she agreed that one of the named plaintiffs had standing to sue, she disagreed with the majority’s concrete injury analysis. The judge also argued that the district court erred in its damage calculations by “impermissibly permit[ting] plaintiffs to receive an award based on damages that they did not suffer.”
1st Circuit confirms standing for data breach victims
On June 30, the U.S. Court of Appeals for the First Circuit overruled a district court’s dismissal of a putative class action against a home delivery pharmacy service for allegedly failing to prevent a 2021 data breach that exposed the personally identifiable information (PII) of over 75,000 patients. The class action complaint alleged state law claims for negligence, breach of implied contract, unjust enrichment, invasion of privacy, and breach of fiduciary duty, and sought damages and injunctive relief. The putative class was comprised of U.S. residents whose PII was compromised in the data breach. The two named plaintiffs were former or current patients whose PII were compromised in the data breach, and one of the two named plaintiffs had her stolen PII used to file a fraudulent tax return. The district court dismissed the lawsuit for lack of Article III standing.
Affirming in part and reversing in part, the 1st Circuit held that the complaint “plausibly demonstrates” the plaintiffs’ standing to seek damages, applying the principles articulated by the Supreme Court in TransUnion LLC v. Ramirez, which clarified the type of concrete injury necessary to establish Article III standing (covered by InfoBytes here).
First, the court concluded that, with respect to the named plaintiff whose PII was used to file a fraudulent tax return, the complaint’s “plausible allegations of actual misuse” of the stolen PII constituted a “concrete injury in fact” for purposes of Article III standing. According to the 1st Circuit, there existed “an “obvious temporal connection” between the timing of the data breach and the filed return, among other facts. The appellate court also found that the fraudulent tax return could make it probable that more of the named plaintiff’s information could be further misused—changing the risk of future misuse from speculative to “imminent and substantial.”
Second, with respect to the named plaintiff for whom there was no allegation of actual misuse of PII, the court reasoned that “the complaint plausibly alleges a concrete injury in fact based on the material risk of future misuse of [plaintiff’s] PII and a concrete harm caused by exposure to this risk.” The appellate court also found that, because the data here was compromised in a “targeted attack,” then “it stands to reason that [such data] is more likely to be misused…and the risk of future misuse is heightened when the compromised data is particularly sensitive.”
Third, the court concluded that the complaint plausibly alleged a “separate concrete, present harm” caused by exposure to the risk of future harm, “based on the allegations of the plaintiffs’ lost time spent taking protective measures [against further identity theft] that would otherwise have been put to some productive use.” “The loss of this time is equivalent to a monetary injury, which is indisputably a concrete injury,” the appellate court wrote, adding that it joins other circuits in holding that time spent responding to a data breach is sufficient to establish standing.
Finally, the court held that plaintiffs lacked standing to pursue injunctive relief “because their desired injunctions would not likely redress their alleged injuries” as any such relief would only safeguard against future breaches and would not protect “plaintiffs from future misuse of their PII by the individuals they allege now possess it.”
Court orders credit union to pay $5 million to settle overdraft allegations
On June 27, the U.S. District Court for the Northern District of New York granted final approval of a class action settlement, resulting in a defendant credit union paying approximately $5.2 million to settle allegations concerning illegal overdraft/non-sufficient funds (NSF) fees and inadequate disclosure practices. As described in plaintiffs’ unopposed motion for preliminary approval, the defendant was sued in 2020 for violating the EFTA (Regulation E) and New York General Business Law (NY GBL) § 349. According to plaintiffs, defendant charged overdraft fees and NSF fees that were not permitted under its contracts with its members or Regulation E. Plaintiffs’ Regulation E and NY GBL liability theories are premised on the argument that defendant’s “opt-in form did not inform members that these fees were charged under the ‘available balance’ metric, rather than the ‘actual’ or ‘ledger’ balance metric”—a violation of Regulation E and NY GBL § 349. The plaintiffs’ liability theory was that defendant’s “contracts did not authorize charging overdraft fees when the ledger or actual balance was positive.”
Under the terms of the settlement, defendant is required to pay $2 million, for which 25 percent of the settlement fund will be allocated to class members’ Regulation E overdraft fees, 62.5 percent will go to class members’ GBL overdraft fees, and 12.5 percent will be allocated to class members’ breach of contract overdraft fees. Defendant is also required to pay $948,812 in attorney’s fees, plus costs, and $10,000 service awards to the two named plaintiffs. Additionally, the defendant has agreed to change its disclosures and will “forgive and release any claims it may have to collect any at-issue fees which were assessed by [defendant] but not collected and subsequently charged-off, totaling approximately $2,300,000.”