Skip to main content
Menu Icon Menu Icon
Close

InfoBytes Blog

Financial Services Law Insights and Observations

Filter

Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.

  • District Court preliminarily approves $14.8 million cloud subscription settlement

    Privacy, Cyber Risk & Data Security

    On February 17, the U.S. District Court for the Northern District of California preliminarily approved a $14.8 million class action settlement resolving claims that a major technology company allegedly misled users about its cloud storage practices. In 2020, plaintiffs filed an amended complaint alleging the company breached its agreement with customers by hosting user data on third-party servers without providing proper notice, which resulted in overcharges. The plaintiffs alleged that the “selection of a cloud storage provider is a significant and material consideration as it involves entrusting all of a user’s stored data—including sensitive information like photographs, documents of all kinds, and e-mail content—to be stored by the cloud storage provider,” and that “users have an interest in who is offering this storage and taking custody of their data.” Plaintiffs claimed that, while the company assured users that it was the provider of the purchased cloud storage service, it was actually reselling cloud storage space on other third parties’ cloud facilities and charging users a “premium” for believing their data was being stored by the company. Approximately 16.9 million class members will receive individual settlement payments based on the overall payments made by each user for his or her cloud subscription during the class period. In granting preliminary approval of the settlement, the court noted that the deal is fair, reasonable, and adequate.

    Privacy/Cyber Risk & Data Security Courts Settlement Class Action

    Share page with AddThis
  • Consulting firm agrees to $4.95 million settlement to resolve class data breach claims

    Privacy, Cyber Risk & Data Security

    On February 16, the U.S. District Court for the Southern District of New York granted final approval of a $4.95 million class action settlement, resolving allegations that a consulting firm failed to use reasonable data security measures when designing web-based portals for state employment agencies in Illinois, Colorado, and Ohio. According to the class’s supplemental brief in support of their motion for final approval, the allegedly poorly designed websites were subject to a data breach that resulted in unauthorized access to unemployment seekers’ personally identifiable information. The parties agreed to a nationwide settlement class of 237,675 individuals in Illinois, Colorado, and Ohio. These individuals were notified by their state employment agencies that certain personal information submitted when applying for pandemic-related unemployment claims may have been inadvertently exposed in a data breach. Under the terms of the settlement, the defendant agreed to establish a $4.95 million settlement fund to compensate eligible claimants, and will pay more than $1.6 million in attorneys’ fees and costs, as well as class member service awards.

    Privacy/Cyber Risk & Data Security Courts Data Breach Class Action Settlement

    Share page with AddThis
  • 4th Circuit affirms district court’s decision in lone class member's appeal

    Courts

    On February 10, the U.S. Court of Appeals for the Fourth Circuit affirmed a district court’s approval of a $3 million class action settlement between a class of consumers (plaintiffs) and a national mortgage lender (defendant), resolving allegations arising from a foreclosure suit. In 2014, the lead plaintiffs alleged that the defendants violated federal and Maryland state law by failing to; (i) timely acknowledge receipt of class members’ loss mitigation applications; (ii) respond to the applications; and (iii) obtain proper documentation. After the case was litigated for six years, a settlement was reached that required the defendant to pay $3 million towards a relief fund. The district court approved the settlement and class counsel’s request for $1.3 million in attorneys’ fees and costs, but an absent class member objected to the settlement, arguing that “the class notice was insufficient; the settlement was unfair, unreasonable, and inadequate; the release was unconstitutionally overbroad; and the attorneys’ fee award was improper.” A magistrate judge overruled the plaintiff’s objections, finding that “both the distribution and content of the notice were sufficient because over 97% of the nearly 350,000 class members received notice,” and that “class members ‘had information to make the necessary decisions and . . . the ability to even get more information if they so desired.’”

    On the appeal, the 4th Circuit rejected the class member’s argument that the magistrate judge lacked jurisdiction to approve the settlement where she had not consented to have the magistrate hear the case. The 4th Circuit noted that only “parties” are required to consent to have a magistrate hear a case and held that absent class members are not “parties,” noting that “every other circuit to address the issue has concluded that absent class members aren’t parties.” The appellate court also upheld the adequacy of the class notice, and held that the magistrate judge did not abuse his discretion in finding that the settlement agreement was fair, reasonable, and adequate.

    Courts Class Action Mortgages Fourth Circuit State Issues Maryland Loss Mitigation Appellate Consumer Finance

    Share page with AddThis
  • District Court approves settlement of class claiming privacy violations

    Courts

    On February 11, the U.S. District Court for the Central District of California granted approval of a $217 million class action settlement, resolving allegations that the Transportation Corridor Agencies (TCA) and their contractors (collectively, “defendants”) allegedly repeatedly used their access to drivers’ personal information to share data. According to the plaintiffs’ motion for final approval of the settlement, the defendants allegedly provided toll violation information to the California Department of Motor Vehicles so the agency could prevent drivers' vehicle registration renewals until the outstanding tolls were paid, in violation of California law. According to the settlement, the TCA is required to forgive $135 million in penalties and pay $29 million in cash awards. Each class representative will receive $15,000 from TCA, and class counsel will receive $17.5 million. Among other things, TCA must also increase the time to pay unpaid toll citations from five to seven days and update its privacy policies to include a list of the categories of personal identifying information sent to third parties. The toll operator is required to pay $11.95 million in cash to class members as part of the settlement, in addition to $3,000 to each class representative and $3 million to class counsel. Additionally, Orange County Transportation Authorities are required to forgive $40 million in penalties and pay $1 million in cash and will be required to reduce the maximum toll violation.

    Courts Privacy/Cyber Risk & Data Security California Class Action Settlement

    Share page with AddThis
  • District Court rules transmitting debtor information to third-party violates FDCPA

    Courts

    On February 2, the U.S. District Court for the Eastern District of Pennsylvania denied a defendant’s motion for judgment on the pleadings, ruling that transmitting a debtor’s personal information to a third-party mail vendor for the purposes of sending a debt collection letter constitutes a communication “in connection with the collection of any debt” under the FDCPA. As previously covered by InfoBytes, in Hunstein v. Preferred Collection & Management Services, the U.S. Court of Appeals for the Eleventh Circuit held that transmitting a consumer’s private data to a commercial mail vendor to generate debt collection letters violates Section 1692c(b) of the FDCPA because it is considered transmitting a consumer’s private data “in connection with the collection of any debt.” The district court found this reasoning “persuasive,” ruling that the plain text of the statute encompasses communications with a third party mail vendor. The district court also rejected the defendant’s arguments that the CFPB and FTC had tacitly endorsed third-party mailers by not pursuing enforcement actions against them: “[B]ecause the agencies tasked with regulating and enforcing the FDCPA have not addressed the use of letter vendors by debt collectors in any legally significant way, and because the statutory language is not subject to a different reading, the Court will afford no deference to the indeterminate actions of the CFPB and FTC.”

    Courts Data Breach Class Action FDCPA Appellate Eleventh Circuit Hunstein Debt Collection

    Share page with AddThis
  • District Court approves class settlement in data breach

    Courts

    On January 28, the U.S. District Court for the Northern District of California granted a plaintiffs’ motion for final approval in a class action settlement alleging an online support services provider (defendant) failed to adequately secure and safeguard the payment card data and other personally identifiable information that it collected while customers shopped and interacted with customer service websites. According to the order, four companies contracted with the defendant to provide sales software, customer service software, and voice and chat agent services for sales support for online shoppers. However, according to the plaintiff class, the defendant was allegedly negligent in securing customers’ data, which permitted hackers to access their names, addresses, and credit card information, in violation of California’s Unfair Competition Law and Illinois' Consumer Fraud and Deceptive Business Practices Act. The plaintiff class also alleged that the defendant did not disclose the breach for a period of approximately six months after the breach was detected and fixed in October 2017. Under the terms of the settlement, class members are eligible to receive reimbursement from the defendant of up to $2,000 if documentation is provided to prove they incurred out-of-pocket expenses resulting from the intrusion, which includes unreimbursed bank fees, long distance calling charges and costs of credit reports or fraud reimbursement services purchased in the wake of the breach. Additionally, class members who assert that they spent three hours or less dealing with the breach can also separately receive compensation at a rate of $20 per hour for that lost time, and may claim an additional two hours of lost time “if they can provide adequate documentation of those additional two hours spent dealing with the [d]ata [i]ncident,” according to the order. The court also awarded class counsel $450,000 in attorney fees and litigation costs and expenses and $2,000 service awards to each of the three lead plaintiffs. 

    Courts Data Breach Class Action Privacy/Cyber Risk & Data Security Settlement

    Share page with AddThis
  • District Court grants class certification in robocall TCPA suit

    Courts

    On January 27, the U.S. District Court for the District of Arizona granted a plaintiff’s renewed motion for class certification in an action against a national bank defendant for allegedly contacting noncustomers with unauthorized robocalls, in violation of the TCPA. According to the plaintiff’s motion for class certification, the defendant allegedly placed calls with an artificial or prerecorded voice to the plaintiff class, who were not the defendant’s customers. The plaintiffs alleged that they did not consent to the calls, which regarded overdue credit card accounts, and sought to certify a nationwide class of those who received these calls since August 2014 despite not being a customer. Among other things, the defendant argued that the common questions of fact did not predominate because individualized determinations needed to be made to determine whether the defendant had consent to call a putative class member, and whether a prerecorded message actually played. The court determined, however, that the plaintiffs’ allegations were not only “typical of the class, they are largely identical.” Additionally, though the court noted that “some persons who otherwise would be class members may have consented to receive [the defendant’s] robocalls,” the court was ultimately “persuaded based on [the plaintiffs’] argument and past caselaw” that “individualized issues of consent can be overcome without resort to a series of minitrials.” The court further noted that “the basic questions in this case are the same for all class members: Did [the defendant] call a putative class member without authorization? And, did a prerecorded or artificial voice play during the call? If the answer to both questions is yes—and all evidence indicates that it will be yes for many putative class members—recovery is appropriate. Precedent ... demonstrates these questions can be litigated as a class.”

    Courts TCPA Class Action Robocalls

    Share page with AddThis
  • District Court grants final approval of $12 million class action settlement

    Courts

    On January 25, the U.S. District Court for the Southern District of Ohio granted final approval to a $12 million class action settlement resolving allegations that a calculation error in a national bank’s (defendant’s) software wrongly assessed the plaintiffs’ eligibility for loan modifications. The settlement class, which includes the defendant’s customers who, between 2010 and 2018, allegedly qualified for a home loan modification or repayment plan as required by government-sponsored enterprises or other federal agency requirements, but did not receive an offer for those services from the defendant. The plaintiff class accused the defendant of failing to “adequately test, audit, and verify that its software was correctly calculating whether customers met threshold requirements for a mortgage modification.” Additionally, the plaintiff alleged the bank discovered the issues in 2013, but did not make the issue public until 2018. According to the plaintiffs’ unopposed motion for preliminary approval, the deal will provide $9.1 million to class members with each class member receiving between $1,000 to $19,000, and 22.7 percent of the total settlement sum going towards attorney costs and fees.

    Courts Class Action Settlement Mortgages Consumer Finance

    Share page with AddThis
  • District Court grants motion to dismiss in CIPA class action

    Privacy, Cyber Risk & Data Security

    On January 25, the U.S. District Court for the Northern District of California granted a motion to dismiss a class action suit, in which plaintiffs alleged that the defendant continued to monitor mobile users’ browsing history even after being asked to cease and desist. In their third amended complaint, the plaintiffs alleged that the defendant violated the California Invasion of Privacy Act (CIPA) because, among other things, although “developers and consumers consented to [the defendant] uploading data to its servers for the developers’ use, … [the defendant] also retained a copy for its own use.” The defendant argued that the plaintiffs’ “conclusory statement that communications are intercepted is not enough to make out a § 631 claim [of the CIPA].”

    The CIPA claims against the defendant were previously dismissed because they “failed to aver simultaneous interception.” The plaintiffs also attempted to revitalize their breach of contract claim by arguing it was a unilateral contract, but the district court noted that “[u]nder this theory, a contract was created by [the defendant’s] provision of a button to adjust privacy settings, text describing what the button supposedly did, and [the plaintiffs’] clicking of that button.” The district court further noted that it is not enough to create a unilateral contract, and that “[the defendant] was not asking [the plaintiffs’] to click the button, let alone bargain for such performance, and [the plaintiffs’] could not have reasonably expected they were entering into a contract simply by adjusting their account settings.”

    Privacy/Cyber Risk & Data Security Courts Class Action CIPA

    Share page with AddThis
  • District Court approves $75 million overdraft settlement

    Courts

    On January 21, the U.S. District Court for the Western District of North Carolina granted final approval to a $75 million class action settlement to resolve allegations that a national bank improperly charged class members overdraft and insufficient fund fees (NSF). Class members include (i) individuals who held consumer checking and/or savings accounts at the bank who paid and were not refunded a retry transaction fee or one or more intrabank transaction fees; and (ii) checking and/or savings account holders who paid and were not refunded an overdraft or NSF fee on a transaction “that would not have been assessed if [the bank] had delayed the posting of previously assessed NSF/[overdraft] fees until the posting of a deposit that was sufficient to cover those fees, all outstanding debit transactions and any additional debit transactions made that day.” Under the terms of the settlement, the bank has agreed to pay $75 million into a settlement fund that will go towards class member payments, notice and administration costs, attorneys’ fee and expenses, and service awards. The bank must also stop assessing certain overdraft and NSF fees, improve its overdraft and NSF disclosures, and improve account disclosures and explanations related to circumstances where an account holder will incur an intrabank transaction fee, as well as disclosures for its fee accrual process.

    Courts Overdraft Settlement Class Action Consumer Finance

    Share page with AddThis

Pages