
InfoBytes Blog

Financial Services Law Insights and Observations

  • 9th Circuit reinstates class action data breach lawsuit against online retailer


    On March 8, the U.S. Court of Appeals for the 9th Circuit reinstated a putative class action lawsuit against an online retailer, concluding that the increased risk of identity theft resulting from a 2012 data breach affecting over 24 million shoppers gave consumers Article III standing to sue. The three-judge panel held that the district court erred in dismissing claims brought by consumers who did not allege financial losses as a result of the data breach because the stolen information provided hackers the “means to commit fraud or identity theft.” The panel noted that evidence that another group of consumers had suffered financial losses from the same data breach undermined the argument that the data stolen would not lead to fraud or identity theft. In addition, although the defendant asserted that too much time had passed since the data breach for any harm to be considered imminent, the panel found that determining jurisdiction requires an assessment of a plaintiff’s standing at the time the suit was filed, and that the risk of harm was sufficiently imminent at the time of filing. The 9th Circuit remanded the case back to the lower court for review.

    The panel also addressed a separate appeal by the class on the district court’s decision not to enforce a purported settlement agreement, affirming the lower court’s decision “because the parties did not have a meeting of the minds on all essential terms of the agreement.”

    Courts Ninth Circuit Appellate Privacy/Cyber Risk & Data Security Data Breach Class Action

  • California district court rules social media company cannot dismiss non-users’ facial scan privacy claims


    On March 2, the U.S. District Court for the Northern District of California denied a motion to dismiss an action for lack of standing in a lawsuit brought under the Illinois Biometric Information Privacy Act (BIPA) against a social media company (defendant) for allegedly collecting and storing non-user facial scans. The action was similar to a consolidated class action lawsuit brought by users of the site in 2016. The court found that the factual difference between the two cases (one involving users and one involving non-users) was irrelevant for its Article III analysis. Citing to his February 26 decision (February decision) in the related case, the judge concluded that the abrogation of the plaintiffs’ procedural rights under BIPA, which allow users to control their biometric information, amounted to a concrete injury under Article III. As the court noted in the February decision: “BIPA vested in Illinois residents the right to control their biometric information by requiring notice before collection and giving residents the power to say no by withholding consent,” and that there is “equally little doubt . . . that a violation of BIPA’s procedures would cause actual and concrete harm.” The court rejected the defendant’s argument that it did not store non-users’ biometric information, stating that such factual evidence, which is disputed by the plaintiffs, goes to the merits of the case and cannot be weighed or resolved at the motion to dismiss stage.

    Courts Privacy/Cyber Risk & Data Security Class Action State Issues

  • Judge says overdraft fees are not usurious, removes claim from lawsuit


    On February 28, the U.S. District Court for the District of South Carolina dismissed a complaint from a consolidated class action against a national bank, which alleged that the bank’s $20 overdraft fee is an interest charge on credit and therefore exceeds usury limits under the National Bank Act (NBA). The plaintiffs in the consolidated class action challenged the bank’s methods for assessing overdraft fees, posting debit transactions, and assessing “sustained” overdraft fees, claiming they violated federal law. In granting the dismissal, the court noted that it had previously rejected a materially identical usury claim in December 2015 and that no new evidence or authority had been brought to light that would change its decision. In addition, the court concluded that “the law is still clear that sustained overdraft fees are not interest, and that assessing such fees cannot violate the usury provision of the NBA.” 

    Courts Usury Overdraft National Bank Act Class Action

  • Supreme Court denies writ challenging data breach standing


    On February 20, the U.S. Supreme Court denied without comment a medical insurance company’s petition for writ of certiorari to challenge an August 2017 D.C. Circuit Court of Appeals decision, which reversed the dismissal of a data breach suit filed by the company’s policyholders in 2015. According to the D.C. Circuit opinion, the policyholders sued the medical insurance company after the company announced that an unauthorized party had accessed personal information for 1.1 million members. The lower court dismissed the policyholders’ case, holding that they did not have standing because they could not show an actual injury based on the data breach. In reversing the lower court’s decision, the D.C. Circuit, citing the Supreme Court ruling in Spokeo, Inc. v. Robins, held that it was plausible that the unauthorized party “has both the intent and the ability to use [the] data for ill.” This was sufficient to show that the policyholders had standing to bring the claims because they alleged a plausible risk of future injury.

    Courts Privacy/Cyber Risk & Data Security Spokeo Class Action U.S. Supreme Court Appellate D.C. Circuit

  • Ride-Sharing Company Announces Data Breach; State Attorneys General Launch Investigations

    State Issues

    On November 21, a ride-sharing company disclosed via press release a 2016 data breach that exposed the personal data of 57 million riders and drivers. According to the company, an outside forensic investigation revealed that in October 2016 hackers obtained approximately 600,000 driver names and license numbers, along with rider names, email addresses, and mobile phone numbers. The company claimed that hackers did not obtain driver or passenger social security, credit card, bank account, birth date, or trip location information. Though the company stated that it has taken action to address the delay in notifying affected individuals and regulators, lawsuits filed by the State of Washington and the City of Chicago claim that the company capitulated to hackers’ demands and “paid the hackers to delete the consumer data and keep quiet about the breach.”

    According to a letter from the company to the Washington attorney general attached to the state’s complaint, the company “is taking personnel actions with respect to some of those involved in the handling of the incident.” The company further stated that it has “implemented and will implement further technical security measures, including improvements related to both access controls and encryption.”

    According to sources, three separate class action lawsuits have been filed against the company as a result of the 2016 breach and five attorneys general (New York, Illinois, Connecticut, Massachusetts, and Missouri) have launched investigations.

    The 2016 data breach follows a settlement in January of that year with the New York Attorney General related to allegations that the company failed to promptly disclose a 2014 data breach.  The 2014 data breach involved an alleged failure to prevent unauthorized access to the company’s consumer and driver data maintained on a third-party cloud service provider. As previously reported in InfoBytes in August, the company reached a settlement with the FTC related to the 2014 data breach; however, that settlement was entered into before the company disclosed the existence of the 2016 breach.

    In a related development, on November 27, the U.S. District Court for the Northern District of California dismissed without prejudice a putative class action lawsuit against the company related to the 2014 data breach. The court held that the driver’s name, license number, and limited banking information disclosed in the breach was not the type of personally identifiable information that could expose plaintiffs to the risk of identity theft. Accordingly, the court dismissed the case for lack of Article III standing. The court also granted plaintiffs a final opportunity to amend their complaint to address the standing deficiencies.

    State Issues Privacy/Cyber Risk & Data Security Data Breach State Attorney General FTC Class Action Settlement Courts

  • 50-State Class Action Complaint Filed Against Credit Reporting Company in Response to September Data Breach Announcement

    Privacy, Cyber Risk & Data Security

    On November 10, plaintiffs, and the members of the class and subclasses they seek to represent, filed a complaint in the Northern District of Georgia against a major credit reporting company, consolidating individual suits filed against the company since September in each of the 50 states and the District of Columbia. The plaintiffs allege that the company’s data breach (covered previously in InfoBytes)—in which hackers exploited a website application vulnerability to access names, Social Security numbers, birth dates, addresses, driver’s license numbers, as well as roughly 209,000 credit card numbers—has led to, among other things, identity theft, unauthorized credit and debit card charges, and applications for unauthorized student loans.

    The complaint alleges a series of missteps by the company before, during, and after the breach, including: (i) not applying a recommended security patch; (ii) failing to recognize the breach for over three months; (iii) not warning consumers for another month after discovering the breach, thus preventing timely credit freezes or other protection methods; (iv) sending confusing emails and notices to consumers about whose data was compromised and how to protect themselves after the breach; and (v) creating confusion as to whether an arbitration clause included in the terms of service for the company’s credit monitoring website would apply to consumers using the service.

    The plaintiffs seek, among other things, class certification; permanent injunctive relief; disgorgement and restitutions of earnings; compensatory, consequential, general, statutory, and punitive damages; declaratory relief; and attorneys’ fees.

    Privacy/Cyber Risk & Data Security Data Breach Consumer Finance Class Action State Issues

  • Seventh Circuit Upholds Ruling That Excludes Insurance Coverage for Overdraft Fees


    On October 12, the U.S. Court of Appeals for the Seventh Circuit affirmed an Indiana District Court’s 2016 ruling, agreeing that an insurance company does not bear the responsibility for covering a bank’s $24 million class action settlement under a policy provision that excludes coverage for any case involving fees. In upholding the lower court’s decision, the three-judge panel concluded that the insurance company had no duty to defend or indemnify the bank on the basis that the underlying overdraft fee claims fall under “Exclusion 3(n)” in the bank’s professional liability insurance policy, which states that the insurance company “shall not be liable for [l]oss on account of any [c]laim . . . based upon, arising from, or in consequence of any fees or charges.” Class claims alleging that the bank manipulated its debit processing to “maximize overdraft revenue” by charging purportedly excessive fees to consumers who overdraw their checking and savings accounts triggered the exclusion. The panel also noted that an insurance company’s decision to include fee exclusions in banking liability policies is designed to prevent the “moral hazard” of allowing banks to “freely create other customer fee schemes” knowing they could easily secure coverage.

    Courts Appellate Seventh Circuit Overdraft Class Action Settlement Litigation

  • Eleventh Circuit Enforces Binding Arbitration Agreement


    On September 26, a three-judge panel of the U.S. Court of Appeals for the Eleventh Circuit held that a customer is bound to a mandatory arbitration clause in his deposit account agreement with a national bank. In doing so, the appellate court reversed the Florida district court’s decision, which denied the national bank’s motion to compel arbitration. In 2010, the customer filed a putative class action over the charging of overdraft fees associated with a bank account he held jointly with his wife. The case concerns an account agreement signed by the customer when he transferred an existing account into the joint account in 2001. The appellate court reasoned that the customer “was on notice that signing the 2001 signature card represented the start of a new contractual relationship” and was therefore subject to the updated arbitration clause.

    The CFPB’s new arbitration rule, which went into effect September 18, does not allow companies subject to the rule to use arbitration clauses to stop consumers from being part of a class action. However, as previously discussed in InfoBytes, the House passed a disapproval resolution under the Congressional Review Act to repeal the rule. A similar measure is expected to be considered by the Senate within the next week.

    Courts Litigation Eleventh Circuit Appellate Class Action Arbitration CFPB CRA

  • CFPB Publishes Small Entity Compliance Guide on Arbitration Rule

    Agency Rule-Making & Guidance

    On September 15, the CFPB published a small entity compliance guide concerning the Bureau’s final arbitration rule that became effective this month. Compliance is required for “pre-dispute arbitration agreements” entered into on or after March 19, 2018. This guide provides a summary of the rule and highlights the parties and consumer financial products and services covered by the rule, as well as exclusions from the rule’s requirements. In addition, the guide includes descriptions of provisions to be included in pre-dispute arbitration agreements, clarifies the rule’s prohibition on relying on pre-dispute arbitration agreements to block class actions, and explains the record submission requirements under the rule.

    However, as previously discussed in InfoBytes, while the arbitration rule went into effect September 18, the House earlier passed a disapproval resolution, in July, to repeal the rule, with a similar measure set for discussion in the Senate.

    Agency Rule-Making & Guidance CFPB Arbitration Compliance Class Action

  • District Court Grants Preliminary Settlement Approval in SCRA Class Action Suit


    On September 13, the U.S. District Court for the Eastern District of North Carolina granted preliminary approval to settle a class-action suit resolving allegations that a national bank overcharged military families on interest and fees related primarily to mortgage and credit card accounts in violation of the Servicemembers Civil Relief Act (SCRA). The order also, in the context of the proposed settlement only, preliminarily certifies the class, which is comprised of members who—after September 11, 2001—were entitled to “additional compensation related to military reduced interest rate benefits from [the bank].” The plaintiffs filed the complaint against the bank in 2015 claiming alleged violations of the SCRA, TILA, and the North Carolina Unfair and Deceptive Trade Practices Act. In May 2016, the court denied the defendants’ motion to dismiss the first amended complaint, and at the end of 2016, the parties agreed to mediation. A second amended complaint—now the operative complaint—was filed just prior to the motion for preliminary approval. While the bank has not admitted any wrongdoing, it has agreed to refrain from using an “interest subsidy method for interest benefits calculations for a five-year period,” which, plaintiffs pleaded, can lead to higher costs.

    According to the terms of the memorandum in support of the motion for preliminary approval, class members will receive payments based on the strength of their individual claims, considering such factors as: (i) loan type; (ii) whether they previously received remediation from the bank, and how much; and (iii) the eligible period for interest rate refunds. The memorandum further stipulates that approximately $15.4 million of the nearly $42 million overall settlement will be provided to class members who have not received or deposited any payments from the bank. Unclaimed amounts from the first round will be pooled with the remainder of the settlement to be allocated as outlined in the distribution plan. A final approval hearing is scheduled for February of next year.

    Courts SCRA TILA Servicemembers Mortgages Credit Cards Class Action Litigation Settlement
