InfoBytes Blog

Financial Services Law Insights and Observations

  • Bank and shareholders reach settlement over BSA/AML compliance allegations

    Securities

    On March 30, a regional bank reached a $13 million settlement with a group of its shareholders over allegations of misleading statements and omissions regarding the bank’s compliance with fair lending laws, and Bank Secrecy Act (BSA) and Anti-Money Laundering (AML) regulations. The shareholders—purchasers of the bank’s stock between July 2013 and July 2014—allege that the bank’s misrepresentations regarding its compliance with BSA/AML laws, as well as other laws and regulations, artificially inflated the price of the bank’s stock. According to the settlement, both parties’ decisions to enter into the agreement were partially due to the length and expense of continued litigation, which began in 2014. The shareholders initiated the class action litigation in July 2014; however, the U.S. Court of Appeals for the 6th Circuit vacated the initial class certification in September 2016, remanding to the district court for further proceedings. The class was recertified by the district court in June 2017 with the 6th Circuit denying the bank’s petition for appeal of the recertification. The bank denies all allegations of wrongdoing and liability in the settlement.

    Securities Settlement Bank Secrecy Act Anti-Money Laundering Appellate Sixth Circuit Class Action

  • Supreme Court rules state courts may hear certain securities class actions brought under federal law

    Courts

    On March 20, the U.S. Supreme Court unanimously affirmed a California state appeals court decision in 2011, which ruled that state courts are permitted to hear certain securities class actions brought under federal law. Justice Kagan delivered the opinion. The decision resolves a question concerning whether the Securities Litigation Uniform Standards Act of 1998 (SLUSA), which made amendments to the Securities Act of 1933 (1933 Act), gave federal courts exclusive jurisdiction over covered class actions alleging only 1933 Act violations. SLUSA “does nothing to deprive state courts of their jurisdiction to decide class actions brought under the 1933 Act,” the Court stated when ruling that SLUSA allowed state courts concurrent jurisdiction over securities claims involving 50 or more plaintiffs. Rather, Section 77p of SLUSA “bars certain securities class actions based on state law,” but it “says nothing, and so does nothing, to deprive state courts of jurisdiction over class actions based on federal law.” And, the Court further opined, “Neither did SLUSA authorize removing such suits from state to federal court.”

    Courts U.S. Supreme Court Securities Class Action

  • 9th Circuit reinstates class action data breach lawsuit against online retailer

    Courts

    On March 8, the U.S. Court of Appeals for the 9th Circuit reinstated a putative class action lawsuit against an online retailer, concluding that the increased risk of identity theft resulting from a 2012 data breach affecting over 24 million shoppers gave consumers Article III standing to sue. The three-judge panel held that the district court erred in dismissing claims brought by consumers who did not allege financial losses as a result of the data breach because the stolen information provided hackers the “means to commit fraud or identity theft.” The panel noted that evidence that another group of consumers had suffered financial losses from the same data breach undermined the argument that the data stolen would not lead to fraud or identity theft. In addition, although the defendant asserted that too much time had passed since the data breach for any harm to be considered imminent, the panel found that determining jurisdiction requires an assessment of a plaintiff’s standing at the time the suit was filed, and that the risk of harm was sufficiently imminent at the time of filing. The 9th Circuit remanded the case back to the lower court for review.

    The panel also addressed a separate appeal by the class on the district court’s decision not to enforce a purported settlement agreement, affirming the lower court’s decision “because the parties did not have a meeting of the minds on all essential terms of the agreement.”

    Courts Ninth Circuit Appellate Privacy/Cyber Risk & Data Security Data Breach Class Action

  • California district court rules social media company cannot dismiss non-users’ facial scan privacy claims

    Courts

    On March 2, the U.S. District Court for the Northern District of California denied a motion to dismiss an action for lack of standing in a lawsuit brought under the Illinois Biometric Information Privacy Act (BIPA) against a social media company (defendant) for allegedly collecting and storing non-user facial scans. The action was similar to a consolidated class action lawsuit brought by users of the site in 2016. The court found that the factual difference between the two cases (one involving users and one involving non-users) was irrelevant for its Article III analysis. Citing to his February 26 decision (February decision) in the related case, the judge concluded that the abrogation of the plaintiffs’ procedural rights under BIPA, which allow users to control their biometric information, amounted to a concrete injury under Article III. As the court noted in the February decision: “BIPA vested in Illinois residents the right to control their biometric information by requiring notice before collection and giving residents the power to say no by withholding consent,” and that there is “equally little doubt . . . that a violation of BIPA’s procedures would cause actual and concrete harm.” The court rejected the defendant’s argument that it did not store non-users’ biometric information, stating that such factual evidence, which is disputed by the plaintiffs, goes to the merits of the case and cannot be weighed or resolved at the motion to dismiss stage.

    Courts Privacy/Cyber Risk & Data Security Class Action State Issues

  • Judge says overdraft fees are not usurious, removes claim from lawsuit

    Courts

    On February 28, the U.S. District Court for the District of South Carolina dismissed a complaint from a consolidated class action against a national bank, which alleged that the bank’s $20 overdraft fee is an interest charge on credit and therefore exceeds usury limits under the National Bank Act (NBA). The plaintiffs in the consolidated class action challenged the bank’s methods for assessing overdraft fees, posting debit transactions, and assessing “sustained” overdraft fees, claiming they violated federal law. In granting the dismissal, the court noted that it had previously rejected a materially identical usury claim in December 2015 and that no new evidence or authority had been brought to light that would change its decision. In addition, the court concluded that “the law is still clear that sustained overdraft fees are not interest, and that assessing such fees cannot violate the usury provision of the NBA.” 

    Courts Usury Overdraft National Bank Act Class Action

  • Supreme Court denies writ challenging data breach standing

    Courts

    On February 20, the U.S. Supreme Court denied without comment a medical insurance company’s petition for writ of certiorari to challenge an August 2017 D.C. Circuit Court of Appeals decision, which reversed the dismissal of a data breach suit filed by the company’s policyholders in 2015. According to the D.C. Circuit opinion, the policyholders sued the medical insurance company after the company announced that an unauthorized party had accessed personal information for 1.1 million members. The lower court dismissed the policyholders’ case, holding that they did not have standing because they could not show an actual injury based on the data breach. In reversing the lower court’s decision, the D.C. Circuit, citing the Supreme Court ruling in Spokeo, Inc. v. Robins, held that it was plausible that the unauthorized party “has both the intent and the ability to use [the] data for ill.” This was sufficient to show that the policyholders had standing to bring the claims because they alleged a plausible risk of future injury.

    Courts Privacy/Cyber Risk & Data Security Spokeo Class Action U.S. Supreme Court Appellate D.C. Circuit Data Breach

  • Ride-Sharing Company Announces Data Breach; State Attorneys General Launch Investigations

    State Issues

    On November 21, a ride-sharing company disclosed via press release a 2016 data breach that exposed the personal data of 57 million riders and drivers. According to the company, an outside forensic investigation revealed that in October 2016 hackers obtained approximately 600,000 driver names and license numbers, along with rider names, email addresses, and mobile phone numbers. The company claimed that hackers did not obtain driver or passenger social security, credit card, bank account, birth date, or trip location information. Though the company stated that it has taken action to address the delay in notifying affected individuals and regulators, lawsuits filed by the State of Washington and the City of Chicago claim that the company capitulated to hackers’ demands and “paid the hackers to delete the consumer data and keep quiet about the breach.”

    According to a letter from the company to the Washington attorney general attached to the state’s complaint, the company “is taking personnel actions with respect to some of those involved in the handling of the incident.” The company further stated that it has “implemented and will implement further technical security measures, including improvements related to both access controls and encryption.”

    According to sources, three separate class action lawsuits have been filed against the company as a result of the 2016 breach and five attorneys general (New York, Illinois, Connecticut, Massachusetts, and Missouri) have launched investigations.

    The 2016 data breach follows a settlement in January of that year with the New York Attorney General related to allegations that the company failed to promptly disclose a 2014 data breach. The 2014 data breach involved an alleged failure to prevent unauthorized access to the company’s consumer and driver data maintained on a third-party cloud service provider. As previously reported in InfoBytes in August, the company reached a settlement with the FTC related to the 2014 data breach; however, that settlement was entered into before the company disclosed the existence of the 2016 breach.

    In a related development, on November 27, the U.S. District Court for the Northern District of California dismissed without prejudice a putative class action lawsuit against the company related to the 2014 data breach. The court held that the driver’s name, license number, and limited banking information disclosed in the breach were not the type of personally identifiable information that could expose plaintiffs to the risk of identity theft. Accordingly, the court dismissed the case for lack of Article III standing. The court also granted plaintiffs a final opportunity to amend their complaint to address the standing deficiencies.

    State Issues Privacy/Cyber Risk & Data Security Data Breach State Attorney General FTC Class Action Settlement Courts

  • 50-State Class Action Complaint Filed Against Credit Reporting Company in Response to September Data Breach Announcement

    Privacy, Cyber Risk & Data Security

    On November 10, plaintiffs, and the members of the class and subclasses they seek to represent, filed a complaint in the Northern District of Georgia against a major credit reporting company, consolidating individual suits filed against the company since September in each of the 50 states and the District of Columbia. The plaintiffs allege that the company’s data breach (covered previously in InfoBytes)—in which hackers exploited a website application vulnerability to access names, Social Security numbers, birth dates, addresses, driver’s license numbers, as well as roughly 209,000 credit card numbers—has led to, among other things, identity theft, unauthorized credit and debit card charges, and applications for unauthorized student loans.

    The complaint alleges a series of missteps by the company before, during, and after the breach, including: (i) not applying a recommended security patch; (ii) failing to recognize the breach for over three months; (iii) not warning consumers for another month after discovering the breach, thus preventing timely credit freezes or other protection methods; (iv) sending confusing emails and notices to consumers about whose data was compromised and how to protect themselves after the breach; and (v) creating confusion as to whether an arbitration clause included in the terms of service for the company’s credit monitoring website would apply to consumers using the service.

    The plaintiffs seek, among other things, class certification; permanent injunctive relief; disgorgement and restitutions of earnings; compensatory, consequential, general, statutory, and punitive damages; declaratory relief; and attorneys’ fees.

    Privacy/Cyber Risk & Data Security Data Breach Consumer Finance Class Action State Issues Security Freeze

  • Seventh Circuit Upholds Ruling That Excludes Insurance Coverage for Overdraft Fees

    Courts

    On October 12, the U.S. Court of Appeals for the Seventh Circuit affirmed an Indiana District Court’s 2016 ruling, agreeing that an insurance company does not bear the responsibility for covering a bank’s $24 million class action settlement under a policy provision that excludes coverage for any case involving fees. In upholding the lower court’s decision, the three-judge panel concluded that the insurance company had no duty to defend or indemnify the bank on the basis that the underlying overdraft fee claims fall under “Exclusion 3(n)” in the bank’s professional liability insurance policy, which states that the insurance company “shall not be liable for [l]oss on account of any [c]laim . . . based upon, arising from, or in consequence of any fees or charges.” Class claims alleging that the bank manipulated its debit processing to “maximize overdraft revenue” by charging purportedly excessive fees to consumers who overdraw their checking and savings accounts triggered the exclusion. The panel also noted that an insurance company’s decision to include fee exclusions in banking liability policies is designed to prevent the “moral hazard” of allowing banks to “freely create other customer fee schemes” knowing they could easily secure coverage.

    Courts Appellate Seventh Circuit Overdraft Class Action Settlement Litigation

  • Eleventh Circuit Enforces Binding Arbitration Agreement

    Courts

    On September 26, a three-judge panel of the U.S. Court of Appeals for the Eleventh Circuit held that a customer is bound to a mandatory arbitration clause in his deposit account agreement with a national bank. In doing so, the appellate court reversed the Florida district court’s decision, which denied the national bank’s motion to compel arbitration. In 2010, the customer filed a putative class action over the charging of overdraft fees associated with a bank account he held jointly with his wife. The case concerns an account agreement signed by the customer when he transferred an existing account into the joint account in 2001. The appellate court reasoned that the customer “was on notice that signing the 2001 signature card represented the start of a new contractual relationship” and was therefore subject to the updated arbitration clause.

    The CFPB’s new arbitration rule, which went into effect September 18, does not allow companies subject to the rule to use arbitration clauses to stop consumers from being part of a class action. However, as previously discussed in InfoBytes, the House passed a disapproval resolution under the Congressional Review Act to repeal the rule. A similar measure is expected to be considered by the Senate within the next week.

    Courts Litigation Eleventh Circuit Appellate Class Action Arbitration CFPB CRA
