
InfoBytes Blog

Financial Services Law Insights and Observations


  • District Court rules apps’ terms of service hyperlinks were clear and conspicuous

    Courts

    On February 23, the U.S. District Court for the Eastern District of New York ruled that parties must arbitrate class claims concerning alleged fraudulent transactions on app users’ accounts. Plaintiffs—users of the defendants’ mobile payment platform who claimed that third parties fraudulently withdrew funds from their app accounts—alleged that the defendants’ inadequate dispute resolution process “improperly places the burden on the user to prove that a disputed transaction was unauthorized” in violation of the EFTA and N.Y. Gen. Bus. Law § 349. Defendants, however, countered that the plaintiffs agreed to arbitrate any disputes related to their app accounts, and moved to compel arbitration and dismiss the complaint. The court analyzed the applicable sign-up flows and ruled that in signing up for the apps, users agreed to unambiguous terms of service, which included an arbitration agreement presented in a clickable hyperlinked URL. The court rejected plaintiffs’ assertion that a reasonably prudent smartphone user would not think to click on the terms of service hyperlink, stating that the hyperlink for both apps provided reasonably clear and conspicuous interfaces. The court further found that the claims were subject to arbitration because plaintiffs specifically assented to the arbitration provisions and that the parties agreed to present any question of arbitrability to an arbitrator.

    Courts Arbitration Class Action Consumer Finance Mobile Payments EFTA State Issues New York

  • District Court: Employees are not “customers” under California Customer Records Act in breach lawsuit

    Privacy, Cyber Risk & Data Security

    On February 24, the U.S. District Court for the Southern District of New York granted a waste management company’s motion to dismiss putative class action data breach claims after determining, in part, that the plaintiffs failed to allege how the company breached any duty of care. Plaintiffs, comprised of current and former employees, sued the company, claiming a 2021 data breach exposed their personally identifiable information (PII) to an unauthorized actor. Several plaintiffs were victims of apparent identity theft, the complaint stated, which alleged negligence, breach of contract and implied contract, breach of confidence, breach of fiduciary duty, unjust enrichment, and breach of the California Consumer Privacy Act, the state’s Unfair Competition Law, and the California Customer Records Act (CCRA). In dismissing the case, the court concluded, among other things, that the plaintiffs failed to plead facts showing specific measures that the company did or did not take, such as data encryption, to protect employee data. Additionally, the complaint did not “contain any allegations regarding the manner in which their systems were breached.” Moreover, the court determined that the complaint did not plausibly allege that the employees qualify as “customers” under the CCRA (a “customer” under the law is defined as “an individual who provides personal information to a business for the purpose of purchasing or leasing a product or obtaining a service from the business,” but in this matter, the court stated the plaintiffs did not allege that they provided their PII to the company in exchange for a product or service; rather, they were required to give their PII as part of their employment). The court also ruled that the plaintiffs did not plausibly allege that the company unreasonably delayed notifying them of the data breach by waiting 24 days after the breach to provide notice.

    Privacy/Cyber Risk & Data Security Courts California CCPA CCRA State Issues Data Breach Class Action New York

  • District Court grants motion to dismiss in privacy suit

    Courts

    On February 17, the U.S. District Court for the District of Delaware granted a motion to dismiss a putative class action suit for lack of Article III standing, in which plaintiffs alleged that the defendant violated their privacy rights by intercepting and recording mouse clicks and other website visit information. According to the memorandum opinion, the plaintiffs alleged defendant’s recording of that information violated, among other things, the California Invasion of Privacy Act (CIPA) and the Federal Wiretap Act. In finding the plaintiffs failed to plead a concrete injury, the district court found that while the “[p]laintiffs have a legally cognizable interest in controlling their personal information and that intrusion upon that interest would amount to a concrete injury[,]” they failed to identify how any of their personal information was implicated in the complaint. The court explained: “[p]laintiffs fail to explain how either [the defendant’s] possession of anonymized, non-personal data regarding their browsing activities on [the defendant’s] website harms their privacy interests in any way.” The district court also noted that the plaintiffs did not make any allegations to suggest a risk of imminent or substantial future harm.

    Courts Privacy Cyber Risk & Data Security California Class Action

  • 11th Circuit affirms $7.5 million settlement on overdraft appeal

    Courts

    On February 16, the U.S. Court of Appeals for the Eleventh Circuit affirmed a district court’s class certification and approval of a $7.5 million settlement, which resolved allegations that, after merging with another national bank, the former bank (defendant) improperly assessed and collected overdraft fees. According to the opinion, a customer accused the bank of “high-to-low” posting that restructured customers’ debit transactions so that high value debits posted before low value ones, increasing the chance of overdrafts. After the defendant merged with the national bank in 2012, the national bank agreed to the $7.5 million settlement to resolve the claims. A class member (interested party-appellant) appealed the order. The interested party-appellant claimed “that the court abused its discretion by finding that the settlement class’s representative … adequately represented her (and her proposed subclass’s) interests and that the settlement class’s claims were typical of hers (and her proposed subclass’s).”

    The 11th Circuit disagreed and found that the district court did not abuse its discretion because the plaintiff classes “suffered identical injuries” based on the defendant’s alleged high-to-low restructuring practices. Additionally, the appellate court found that “[t]he district court didn’t abuse its discretion by finding [the settlement class’s representative’s] claims were typical of those of the class.” The court also found that “[t]he district court could reasonably conclude that any difference in the value of the plaintiffs’ claims was too speculative or too small to create a fundamental conflict of interest.”

    Courts Appellate Eleventh Circuit Overdraft Class Action Settlement

  • District Court approves $15 million class action settlement over BIPA violations

    Courts

    On February 18, the U.S. District Court for the Northern District of Illinois granted preliminary approval of a class action settlement, resolving allegations that a workplace management software company (defendant) violated the Illinois Biometric Information Privacy Act (BIPA) by collecting data without providing the requisite disclosures or obtaining informed written consent. According to the plaintiff’s motion for preliminary approval, the settlement class is comprised of nearly 172,000 Illinois employees who used the defendant’s biometric timekeeping devices at work and whose finger-scan data “was hosted” by the defendant. The defendant denied any violation of BIPA. Under the settlement agreement, the defendant will pay approximately $15 million into a non-reversionary settlement fund, and settlement class members, who need to file a valid claim to receive payment, are expected to receive between $290 and $580 each.

    Courts Class Action Privacy/Cyber Risk & Data Security BIPA State Issues Illinois

  • District Court approves settlement in data breach suit

    Privacy, Cyber Risk & Data Security

    On February 22, the U.S. District Court for the Central District of California granted final approval of a class settlement and ordered a final judgment between a plaintiff class and a provider of outpatient imaging (defendant) resolving allegations that the defendant was responsible for failing to establish adequate security measures to protect their customers’ and employees’ data. According to the preliminary approval order, a third party gained unauthorized access to the defendant’s server which stored the plaintiffs’ sensitive personal identifying information. The order noted that the security incident put the plaintiffs “at a high risk of identity theft and other cybercrimes.” The plaintiffs alleged in the complaint that the defendants violated California's Unfair Competition Law, the California Consumer Privacy Act, and the FTC Act, among other things, by failing “to adequately ensure the privacy, confidentiality, and security of employee data entrusted to it and Defendant’s failure to have adequate data security measures in place.” Under the terms of the order, the defendants are required to establish a $2.6 million settlement fund to provide monetary settlement benefits to class members within forty-five days of a preliminary approval order directing class notice. The plaintiff class will be separated into two separate tiers: a nationwide class consisting of individuals residing in the U.S. who were or may have been impacted in the data breach, and a California subclass, consisting of individuals who resided in California on July 18, 2020, who were or may have been impacted in the data breach. The order also granted $650,000 in class counsel fees and approximately $50,000 in costs and expenses. Each lead plaintiff received $1,500 as part of the settlement.

    Privacy/Cyber Risk & Data Security Courts Data Breach California CCPA FTC Act Class Action

  • District Court approves $14.8 million cloud subscription settlement

    Privacy, Cyber Risk & Data Security

    On August 4, the U.S. District Court for the Northern District of California approved a $14.8 million class action settlement resolving claims that a major technology company allegedly misled users about its cloud storage practices. In 2020, plaintiffs filed an amended complaint alleging the company breached its agreement with customers by hosting user data on third-party servers without providing proper notice, which resulted in overcharges. The plaintiffs alleged that the “selection of a cloud storage provider is a significant and material consideration as it involves entrusting all of a user’s stored data—including sensitive information like photographs, documents of all kinds, and e-mail content—to be stored by the cloud storage provider,” and that “users have an interest in who is offering this storage and taking custody of their data.” Plaintiffs claimed that, while the company assured users that it was the provider of the purchased cloud storage service, it was actually reselling cloud storage space on other third parties’ cloud facilities and charging users a “premium” for believing their data was being stored by the company. Approximately 16.9 million class members will receive individual settlement payments based on the overall payments made by each user for his or her cloud subscription during the class period. In granting final approval of the settlement, the court noted that the deal is fair, reasonable, and adequate.

    Privacy/Cyber Risk & Data Security Courts Settlement Class Action

  • Consulting firm agrees to $4.95 million settlement to resolve class data breach claims

    Privacy, Cyber Risk & Data Security

    On February 16, the U.S. District Court for the Southern District of New York granted final approval of a $4.95 million class action settlement, resolving allegations that a consulting firm failed to use reasonable data security measures when designing web-based portals for state employment agencies in Illinois, Colorado, and Ohio. According to the class’s supplemental brief in support of their motion for final approval, the allegedly poorly designed websites were subject to a data breach that resulted in unauthorized access to unemployment seekers’ personally identifiable information. The parties agreed to a nationwide settlement class of 237,675 individuals in Illinois, Colorado, and Ohio. These individuals were notified by their state employment agencies that certain personal information submitted when applying for pandemic-related unemployment claims may have been inadvertently exposed in a data breach. Under the terms of the settlement, the defendant agreed to establish a $4.95 million settlement fund to compensate eligible claimants, and will pay more than $1.6 million in attorneys’ fees and costs, as well as class member service awards.

    Privacy/Cyber Risk & Data Security Courts Data Breach Class Action Settlement

  • 4th Circuit affirms district court’s decision in lone class member's appeal

    Courts

    On February 10, the U.S. Court of Appeals for the Fourth Circuit affirmed a district court’s approval of a $3 million class action settlement between a class of consumers (plaintiffs) and a national mortgage lender (defendant), resolving allegations arising from a foreclosure suit. In 2014, the lead plaintiffs alleged that the defendants violated federal and Maryland state law by failing to: (i) timely acknowledge receipt of class members’ loss mitigation applications; (ii) respond to the applications; and (iii) obtain proper documentation. After the case was litigated for six years, a settlement was reached that required the defendant to pay $3 million towards a relief fund. The district court approved the settlement and class counsel’s request for $1.3 million in attorneys’ fees and costs, but an absent class member objected to the settlement, arguing that “the class notice was insufficient; the settlement was unfair, unreasonable, and inadequate; the release was unconstitutionally overbroad; and the attorneys’ fee award was improper.” A magistrate judge overruled the plaintiff’s objections, finding that “both the distribution and content of the notice were sufficient because over 97% of the nearly 350,000 class members received notice,” and that “class members ‘had information to make the necessary decisions and . . . the ability to even get more information if they so desired.’”

    On appeal, the 4th Circuit rejected the class member’s argument that the magistrate judge lacked jurisdiction to approve the settlement where she had not consented to have the magistrate hear the case. The 4th Circuit noted that only “parties” are required to consent to have a magistrate hear a case and held that absent class members are not “parties,” noting that “every other circuit to address the issue has concluded that absent class members aren’t parties.” The appellate court also upheld the adequacy of the class notice, and held that the magistrate judge did not abuse his discretion in finding that the settlement agreement was fair, reasonable, and adequate.

    Courts Class Action Mortgages Fourth Circuit State Issues Maryland Loss Mitigation Appellate Consumer Finance

  • District Court approves settlement of class claiming privacy violations

    Courts

    On February 11, the U.S. District Court for the Central District of California granted approval of a $217 million class action settlement, resolving allegations that the Transportation Corridor Agencies (TCA) and their contractors (collectively, “defendants”) allegedly repeatedly used their access to drivers’ personal information to share data. According to the plaintiffs’ motion for final approval of the settlement, the defendants allegedly provided toll violation information to the California Department of Motor Vehicles so the agency could prevent drivers' vehicle registration renewals until the outstanding tolls were paid, in violation of California law. According to the settlement, the TCA is required to forgive $135 million in penalties and pay $29 million in cash awards. Each class representative will receive $15,000 from TCA, and class counsel will receive $17.5 million. Among other things, TCA must also increase the time to pay unpaid toll citations from five to seven days and update its privacy policies to include a list of the categories of personal identifying information sent to third parties. The toll operator is required to pay $11.95 million in cash to class members as part of the settlement, in addition to $3,000 to each class representative and $3 million to class counsel. Additionally, Orange County Transportation Authorities are required to forgive $40 million in penalties and pay $1 million in cash and will be required to reduce the maximum toll violation.

    Courts Privacy/Cyber Risk & Data Security California Class Action Settlement
