InfoBytes Blog

Financial Services Law Insights and Observations

  • District Court preliminarily approves data breach settlement

    Courts

    On October 24, the U.S. District Court for the District of Colorado granted preliminary approval of a class action settlement resolving claims that a defendant failed to safeguard personally identifiable information (PII) during a data breach. According to the plaintiffs’ unopposed motion for preliminary approval of class action settlement and supporting memorandum, in December 2021, the defendant determined that an unauthorized third party gained access to and gathered data from its computer network in June 2021. The plaintiffs further alleged that, “if [the defendant] ‘properly monitor[ed] … [its] computer network and systems that housed the … [PII],’ [the defendant] ‘would have discovered the intrusion sooner.’” Furthermore, the plaintiffs alleged that the defendant failed to provide “timely and adequate notice” to the plaintiff class, and filed claims for negligence, breach of implied contract, and invasion of privacy by intrusion. The settlement also includes a provision for the defendant to pay directly for credit monitoring and identity theft protection services, not limited by the $475,000 cap, along with about $51,000 for settlement administration costs. The plaintiffs would also be able to seek up to $210,000 for attorney fees and costs, and a total $5,000 for service awards to the named plaintiffs.

    Courts Privacy, Cyber Risk & Data Security Data Breach Class Action Settlement

  • 9th Circuit says district court must reassess statutory damages in TCPA class action

    Courts

    On October 20, the U.S. Court of Appeals for the Ninth Circuit ordered a district court to reassess the constitutionality of a statutory damages award in a TCPA class action. Class members alleged the defendant (a multi-level marketing company) made more than 1.8 million unsolicited automated telemarketing calls featuring artificial or prerecorded voices without receiving prior express consent. The district court certified a class of consumers who received such a call made by or on behalf of the defendant, and agreed with the jury’s verdict that the defendant was responsible for the prerecorded calls at the statutorily mandated damages of $500 per call, resulting in total damages of more than $925 million. Two months later, the FCC granted the defendant a retroactive waiver of the heightened written consent and disclosure requirements, and the defendant filed post-trial motions with the district court seeking to “decertify the class, grant judgment as a matter of law, or grant a new trial on the ground that the FCC’s waiver necessarily meant [defendant] had consent for the calls made.” In the alternative, the defendant challenged the damages award as being “unconstitutionally excessive” under the Due Process Clause of the Fifth Amendment.

    On appeal, the 9th Circuit affirmed most of the district court’s ruling, including upholding its decision to certify the class. Among other things, the appellate court determined that the district court correctly held that the defendant waived its express consent defense based on the retroactive FCC waiver because “no intervening change in law excused this waiver of an affirmative defense.” The appellate court found that the defendant “made no effort to assert the defense, develop a record on consent, or seek a stay pending the FCC’s decision,” even though it knew the FCC was likely to grant its petition for a waiver. While the 9th Circuit did not take issue with the $500 congressionally-mandated per call damages figure, and did not disagree with the total number of calls, it stressed that the “due process test applies to aggregated statutory damages awards even where the prescribed per-violation award is constitutionally sound.” Recognizing that Congress “set a floor of statutory damages at $500 for each violation of the TCPA but no ceiling for cumulative damages, in a class action or otherwise,” the appellate court explained that such damages “are subject to constitutional limitation in extreme situations,” and “in the mass communications class action context, vast cumulative damages can be easily incurred, because modern technology permits hundreds of thousands of automated calls and triggers minimum statutory damages with the push of a button.” Accordingly, the 9th Circuit ordered the district court to reassess the damages in light of these concerns.

    Courts Appellate Ninth Circuit TCPA Constitution Class Action FCC

  • District Court enters $228 million judgment in BIPA class action

    Courts

    On October 12, the U.S. District Court for the Northern District of Illinois entered a judgment for $228 million after a jury found that a defendant railway company committed 45,600 reckless or intentional violations of the Illinois Biometric Information Privacy Act (BIPA). The jury’s judgment, which does not include pre-judgment interest, was entered against the defendant in the amount of $228 million (BIPA provides for statutory damages of $5,000 for every willful or reckless violation and $1,000 for every negligent violation). Class members consisting of more than 44,000 truck drivers alleged in their second amended complaint that the defendant violated BIPA when it collected, captured, and stored their biometric identifiers and biometric information without obtaining their informed written consent or providing written disclosures explaining the purpose and duration of such use. The defendant countered that it should not be held liable for biometric data collection conducted on its behalf by a third-party contractor because BIPA does not impose liability for the acts of a third party. The court disagreed, ruling, among other things, that BIPA’s language “makes clear that [the defendant] need not have ‘collected’ the data itself to be liable,” and that there is evidence that the defendant “ultimately called the shots on whether and how biometric information is collected.” 

    Courts State Issues Privacy, Cyber Risk & Data Security BIPA Illinois Class Action

  • District Court grants preliminary approval of class action in robocall suit

    Courts

    On September 28, the U.S. District Court for the District of Utah granted preliminary approval of a TCPA class action settlement with a digital finance company. According to the plaintiff’s unopposed motion for preliminary approval, the plaintiff alleged that the defendant sent unwanted phone calls to approximately 64,845 unique cellular telephone numbers. The plaintiff’s motion noted that the district court granted, in part, the plaintiff’s motion for class certification and appointment of class counsel, and certified that the class consists of: “[a]ll persons throughout the U.S. (1) to whom [defendant] placed, or caused to be placed, a call, (2) directed to a number assigned to a cellular telephone service, but not assigned to a current or former [defendant] accountholder, (3) in connection with which [defendant] used an artificial or prerecorded voice, (4) from September 1, 2019 through September 21, 2021.” The Tenth Circuit Court of Appeals denied the defendant’s petition for permission to appeal the court’s order certifying the class. After that, the district court approved Plaintiff’s Rule 23(c)(2) class notice plan. After more than two years of “vigorously contested litigation, and as a result of extensive arm’s-length negotiations” the parties agreed to resolve this matter on behalf of a settlement class. The order further noted that the parties’ agreement “calls for the creation of a non-reversionary, all-cash common fund in the amount of $5 million, from which participating settlement class members will receive substantial payments.”

    Courts Class Action TCPA Settlement Robocalls

  • District Court grants preliminary approval of data breach class action

    Courts

    On October 3, the U.S. District Court for the Eastern District of Wisconsin granted preliminary approval of a data breach class action settlement. According to the plaintiff’s unopposed motion for preliminary approval, a ransomware attack on the company potentially allowed an unauthorized actor to access the personal information of approximately two million of the company’s patients, employees, employee beneficiaries, and other individuals from May 28, 2021 to June 4, 2021. The company announced the ransomware attack in a data breach notice sent to customers on June 24, 2021. The plaintiff filed her complaint alleging, among other things, that the company “failed to take adequate measures to protect her and other putative Class Members’ Personal Information and failed to disclose that [the company’s] systems were susceptible to a cyberattack.” After other plaintiffs filed suit, the plaintiffs moved to consolidate the actions and alleged several violations, including negligence and breach of implied contract. The settlement provides for a $3.7 million settlement fund. Each class member is eligible to submit a claim for two years of three-bureau credit monitoring and up to $1 million of insurance coverage for identity theft incidents. Additionally, class members can submit a claim for up to $10,000 in documented losses. The settlement also provides class members with lost time payment and cash fund payment options (in the alternative to all the foregoing settlement benefits).

    Courts Privacy, Cyber Risk & Data Security Class Action Settlement Data Breach

  • 2nd Circuit: NY law on interest payments for escrow accounts is preempted

    Courts

    On September 15, the U.S. Court of Appeals for the Second Circuit held that New York’s interest-on-escrow law impermissibly interferes with the incidentals of national bank lending and is preempted by the National Bank Act (NBA). Plaintiffs in two putative class actions obtained loans from a national bank, one before and the other after certain Dodd-Frank provisions took effect. The loan agreements—governed by New York law—required plaintiffs to deposit money into escrow accounts. After the bank failed to pay interest on the escrowed amounts, plaintiffs sued for breach of contract, alleging, among other things, that under New York General Obligations Law (GOL) § 5-601 (which sets a minimum 2 percent interest rate on mortgage escrow accounts) they were entitled to interest. The bank moved to dismiss both actions, contending that GOL § 5-601 did not apply to federally chartered banks because it is preempted by the NBA. The district court disagreed and denied the bank’s motion, ruling first that RESPA (which regulates the amount of money in an escrow account but not the accruing interest rate) “shares a ‘unity of purpose’ with GOL § 5-601.” This is relevant, the district court said, “because Congress ‘intended mortgage escrow accounts, even those administered by national banks, to be subject to some measure of consumer protection regulation.’” Second, the district court reasoned that even though TILA § 1639d does not specifically govern the loans at issue, it is significant because it “evinces a clear congressional purpose to subject all mortgage lenders to state escrow interest laws.” Finally, with respect to the NBA, the district court determined that “the ‘degree of interference’ of GOL § 5-601 was ‘minimal’ and was not a ‘practical abrogation of the banking power at issue,’” and concluded that Dodd-Frank’s amendment to TILA substantiated a policy judgment showing “there is little incompatibility between requiring mortgage lenders to maintain escrow accounts and requiring them to pay a reasonable rate of interest on sums thereby received.” As such, GOL § 5-601 was not preempted by the NBA, the district court said.

    On appeal, the 2nd Circuit concluded that the district court erred in its preemption analysis. According to the appellate court, the important question “is not how much a state law impacts a national bank, but rather whether it purports to ‘control’ the exercise of its powers.” In reversing the ruling and holding that GOL § 5-601 was preempted by the NBA, the appellate court wrote that the “minimum-interest requirement would exert control over a banking power granted by the federal government, so it would impermissibly interfere with national banks’ exercise of that power.” Notably, the 2nd Circuit’s decision differs from the 9th Circuit’s 2018 holding in Lusnak v. Bank of America, which addressed a California mortgage escrow interest law analogous to New York’s and held that a national bank must comply with the California law requiring mortgage lenders to pay interest on mortgage escrow accounts (covered by InfoBytes here). Among other things, the 2nd Circuit determined that both the district court and the 9th Circuit improperly “concluded that the TILA amendments somehow reflected Congress’s judgment that all escrow accounts, before and after Dodd-Frank, must be subject to such state laws.”

    In a concurring opinion, one of the judges stressed that while the panel concluded that the specific state law at issue is preempted, the opinion left “ample room for state regulation of national banks.” The judge noted that the opinion relies on a narrow standard of preempting only those “state laws that directly conflict with enumerated or incidental national bank powers conferred by Congress,” and stressed that the appellate court declined to reach a determination as to whether Congress subjected national banks to state escrow interest laws in cases (unlike the plaintiffs’ actions) where Dodd-Frank’s TILA amendments would apply. 

    Courts State Issues Appellate Second Circuit New York Mortgages Escrow Interest National Bank Act Class Action Dodd-Frank RESPA TILA Consumer Finance

  • District Court denies defendant summary judgment in data breach suit

    Privacy, Cyber Risk & Data Security

    On September 8, the U.S. District Court for the District of Maryland denied a defendant hotel corporation’s summary judgment motion, concluding that an economic expert’s opinion that the City of Chicago (plaintiff) experienced a loss in tax revenue due to a security breach of the defendant’s guest information database—and that the breach caused that loss—should be admissible. As previously covered by InfoBytes, a consolidated class action suit was filed by consumers after they allegedly learned that the defendant took more than four years to discover the data breach and took nearly three months to notify customers of their exposed information. The defendant discovered the breach in September 2018 when a consulting company contracted to provide data security services reported an anomaly pertaining to the defendant’s guest information database. In total, the breach impacted approximately 133.7 million guest records.

    Last May, the court granted in part and denied in part certification of eight class actions against the defendant, noting that the plaintiffs did not need to demonstrate that every class member has standing at the class certification stage. The size of the certified classes based on an overpayment theory was decreased, because the court agreed with the defendant’s argument that the plaintiffs were too broad in seeking to include all customers who were affected by the breach, rather than those who only “bore the economic burden.” The court also declined to certify one class seeking only injunctive or declaratory relief, stating that “[w]ithout any direction as to the nature of the injunction sought, besides a request for further discovery, plaintiffs’ motion goes no further than requesting that defendants discontinue their current practices with respect to the [personally identifiable information] at issue.”

    According to the recent opinion, the City of Chicago alleged that the defendant violated the city’s consumer protection ordinance by failing to safeguard the personal information of city residents and misrepresented that it had reasonable security safeguards in place. The defendant argued that the City of Chicago’s claims exceeded the limit of the city’s authority under the Illinois Constitution, because it attempted to apply its ordinance to a specific data-security incident. The court found that the Illinois Constitution permits the City of Chicago, a “home-rule unit,” to enforce its consumer protection ordinance against the defendant for harm and injuries arising from the data security incident. Additionally, the court found “in order to respect ‘the constitutional design’ granting broad home rule authority and permitting concurrent local and state authority, ‘the courts should step in to compensate for legislative inaction or oversight only in the clearest cases of oppression, injustice, or interference by local ordinances with vital state policies.’” The court also found that the City of Chicago has standing to bring claims for monetary fines, citing that “expert opinions establish, by a preponderance of the evidence, that Chicago suffered an injury-in-fact—the loss of tax revenue—that was traceable to the data breach, and that can be redressed by monetary fines paid by [the defendant].”

    Privacy, Cyber Risk & Data Security Courts Data Breach State Issues Illinois Class Action

  • 2nd Circuit requires second look at “design and content” of online user agreement

    Courts

    On September 14, the U.S. Court of Appeals for the Second Circuit reversed a district court’s order denying a credit union’s motion to compel arbitration in a case involving the “unique question” of “whether and how to address incorporation by reference in web-based contracts under New York law.” The plaintiff claimed that the credit union wrongfully assessed and collected overdraft and insufficient funds fees on checking accounts that were not actually overdrawn. After the credit union moved to compel arbitration pursuant to a mandatory arbitration clause and class action waiver provision contained in the account agreement, the plaintiff argued that she was not bound by these provisions because they were not included in the original agreement and the credit union did not notify her when it added them to the agreement. According to the credit union, the plaintiff was on inquiry notice of the modified agreement because she separately agreed to an internet banking agreement that incorporated the modified account agreement by reference, and because the modified account agreement was published on the credit union’s website, which the plaintiff used for online banking. The district court disagreed, finding, among other things, that the hyperlink and language related to the account agreement appeared to be “buried” in the internet banking agreement.

    On appeal, the 2nd Circuit held that the district court “erred in engaging in the inquiry notice analysis, which requires an examination of the ‘design and content’ of the webpage, without reviewing the actual screenshots of the web-based contract.” Recognizing that the internet banking agreement was a “clickwrap” or a “scrollwrap” agreement, the appellate court explained that it has “consistently upheld such agreements because the user has affirmatively assented to the terms of the agreement by clicking ‘I agree’ or similar language.” While the plaintiff did not dispute that she signed up for internet banking, this did not end the court’s analysis; according to the 2nd Circuit, when addressing questions concerning digital contract formation, “courts also evaluate visual evidence that demonstrates ‘whether a website user has actual or constructive notice of the conditions.’” The credit union did not provide evidence showing how the internet banking agreement was presented to users—thereby preventing the district court from assessing whether the relevant language and hyperlink were clear and conspicuous. The 2nd Circuit, therefore, instructed the district court to consider on remand the design and content of the internet banking agreement “as it was presented to users” to determine whether the plaintiff agreed to its terms, and to assess whether the account agreements are “clearly identified and available to the users” based on applicable precedents regarding inquiry notice of terms in web-based contracts.

    Courts State Issues Appellate Second Circuit Arbitration Overdraft Fees Consumer Finance New York Class Action

  • District Court grants final approval in BIPA class action

    Courts

    On September 1, the U.S. District Court for the Northern District of Illinois granted final approval of a $6.8 million class action settlement in a biometric privacy data suit. According to the plaintiff’s memorandum of law in support of her unopposed motion for final approval of the settlement, the plaintiff alleged that the defendant violated Illinois law by collecting fingerprint scan data from Illinois users of vending machine systems without written notice and consent. According to the settlement, class members include all individuals who scanned their finger(s) in one or more of defendants’ vending systems in Illinois between August 23, 2014 and November 2021, which totals approximately 63,450 individuals. Each class member will receive approximately $413, and the settlement includes roughly $2.2 million in attorney fees for class counsel.

    Courts Privacy, Cyber Risk & Data Security State Issues Illinois BIPA Class Action Settlement

  • 2nd Circuit upholds public service loan relief settlement

    Courts

    On September 7, the U.S. Court of Appeals for the Second Circuit affirmed a class action settlement reached between a student loan servicer and borrowers who claimed the servicer failed to inform them of a loan forgiveness program for public service employees. As previously covered by InfoBytes, the settlement required the servicer—who denied any allegations of wrongful conduct and damages—to put in place enhancements to identify borrowers who may qualify for Public Service Loan Forgiveness (PSLF) and “distribute comprehensive and accurate information about how to qualify, which are meaningful business practice enhancements.” The servicer was also required to fund a $2.25 million non-profit program to provide counseling to borrowers at all stages of the repayment process. The settlement also approved service awards for the named plaintiffs. In affirming the settlement, the appellate court rejected arguments raised by objectors who claimed, among other things, that the cy pres award would not benefit the class and “that the settlement improperly released monetary claims.”

    “The cy pres award funds Public Service Promise and thereby assists all class members in navigating PSLF and determining whether they have a viable individual monetary claim against [the servicer],” the panel wrote, acknowledging that other circuit courts have recognized that class members can indirectly benefit from defendants paying appropriate third parties. “[T]he reforms will also benefit the remaining class members who, for example, are no longer with [the servicer] or who no longer have student loans, by providing them accurate information about the PSLF and helping them determine whether they have viable individual claims for damages,” the 2nd Circuit said.

    Courts Appellate Second Circuit Student Lending PSLF Class Action Settlement Student Loan Servicer
