
InfoBytes Blog

Financial Services Law Insights and Observations


  • Ride-Sharing Company Announces Data Breach; State Attorneys General Launch Investigations

    State Issues

    On November 21, a ride-sharing company disclosed via press release a 2016 data breach that exposed the personal data of 57 million riders and drivers. According to the company, an outside forensic investigation revealed that in October 2016 hackers obtained approximately 600,000 driver names and license numbers, along with rider names, email addresses, and mobile phone numbers. The company claimed that hackers did not obtain driver or passenger social security, credit card, bank account, birth date, or trip location information. Though the company stated that it has taken action to address the delay in notifying affected individuals and regulators, lawsuits filed by the State of Washington and the City of Chicago claim that the company capitulated to hackers’ demands and “paid the hackers to delete the consumer data and keep quiet about the breach.”

    According to a letter from the company to the Washington attorney general attached to the state’s complaint, the company “is taking personnel actions with respect to some of those involved in the handling of the incident.” The company further stated that it has “implemented and will implement further technical security measures, including improvements related to both access controls and encryption.”

    According to sources, three separate class action lawsuits have been filed against the company as a result of the 2016 breach (see here, here, and here) and five attorneys general (New York, Illinois, Connecticut, Massachusetts, and Missouri) have launched investigations.

    The 2016 data breach follows a settlement in January of that year with the New York Attorney General related to allegations that the company failed to promptly disclose a 2014 data breach.  The 2014 data breach involved an alleged failure to prevent unauthorized access to the company’s consumer and driver data maintained on a third-party cloud service provider. As previously reported in InfoBytes in August, the company reached a settlement with the FTC related to the 2014 data breach; however, that settlement was entered into before the company disclosed the existence of the 2016 breach.

    In a related development, on November 27, the U.S. District Court for the Northern District of California dismissed without prejudice a putative class action lawsuit against the company related to the 2014 data breach. The court held that the driver’s name, license number, and limited banking information disclosed in the breach were not the type of personally identifiable information that could expose plaintiffs to the risk of identity theft. Accordingly, the court dismissed the case for lack of Article III standing. The court also granted plaintiffs a final opportunity to amend their complaint to address the standing deficiencies.

    State Issues Privacy/Cyber Risk & Data Security Data Breach State AG FTC Class Action Settlement Courts

  • 50-State Class Action Complaint Filed Against Credit Reporting Company in Response to September Data Breach Announcement

    Privacy, Cyber Risk & Data Security

    On November 10, plaintiffs, and the members of the class and subclasses they seek to represent, filed a complaint in the Northern District of Georgia against a major credit reporting company, consolidating individual suits filed against the company since September in each of the 50 states and the District of Columbia. The plaintiffs allege that the company’s data breach (covered previously in InfoBytes)—in which hackers exploited a website application vulnerability to access names, Social Security numbers, birth dates, addresses, driver’s license numbers, as well as roughly 209,000 credit card numbers—has led to, among other things, identity theft, unauthorized credit and debit card charges, and applications for unauthorized student loans.

    The complaint alleges a series of missteps by the company before, during, and after the breach, including: (i) not applying a recommended security patch; (ii) failing to recognize the breach for over three months; (iii) not warning consumers for another month after discovering the breach, thus preventing timely credit freezes or other protection methods; (iv) sending confusing emails and notices to consumers about whose data was compromised and how to protect themselves after the breach; and (v) creating confusion as to whether an arbitration clause included in the terms of service for the company’s credit monitoring website would apply to consumers using the service.

    The plaintiffs seek, among other things, class certification; permanent injunctive relief; disgorgement and restitution of earnings; compensatory, consequential, general, statutory, and punitive damages; declaratory relief; and attorneys’ fees.

    Privacy/Cyber Risk & Data Security Data Breach Consumer Finance Class Action State Issues

  • Seventh Circuit Upholds Ruling That Excludes Insurance Coverage for Overdraft Fees

    Courts

    On October 12, the U.S. Court of Appeals for the Seventh Circuit affirmed an Indiana District Court’s 2016 ruling, agreeing that an insurance company does not bear the responsibility for covering a bank’s $24 million class action settlement under a policy provision that excludes coverage for any case involving fees. In upholding the lower court’s decision, the three-judge panel concluded that the insurance company had no duty to defend or indemnify the bank on the basis that the underlying overdraft fee claims fall under “Exclusion 3(n)” in the bank’s professional liability insurance policy, which states that the insurance company “shall not be liable for [l]oss on account of any [c]laim . . . based upon, arising from, or in consequence of any fees or charges.” Class claims alleging that the bank manipulated its debit processing to “maximize overdraft revenue” by charging purportedly excessive fees to consumers who overdraw their checking and savings accounts triggered the exclusion. The panel also noted that an insurance company’s decision to include fee exclusions in banking liability policies is designed to prevent the “moral hazard” of allowing banks to “freely create other customer fee schemes” knowing they could easily secure coverage.

    Courts Appellate Seventh Circuit Overdraft Class Action Settlement Litigation

  • Eleventh Circuit Enforces Binding Arbitration Agreement

    Courts

    On September 26, a three-judge panel of the U.S. Court of Appeals for the Eleventh Circuit held that a customer is bound to a mandatory arbitration clause in his deposit account agreement with a national bank. In doing so, the appellate court reversed the Florida district court’s decision, which denied the national bank’s motion to compel arbitration. In 2010, the customer filed a putative class action over the charging of overdraft fees associated with a bank account he held jointly with his wife. The case concerns an account agreement signed by the customer when he transferred an existing account into the joint account in 2001. The appellate court reasoned that the customer “was on notice that signing the 2001 signature card represented the start of a new contractual relationship” and was therefore subject to the updated arbitration clause.

    The CFPB’s new arbitration rule, which went into effect September 18, does not allow companies subject to the rule to use arbitration clauses to stop consumers from being part of a class action. However, as previously discussed in InfoBytes, the House passed a disapproval resolution under the Congressional Review Act to repeal the rule. A similar measure is expected to be considered by the Senate within the next week.

    Courts Litigation Eleventh Circuit Appellate Class Action Arbitration CFPB CRA

  • CFPB Publishes Small Entity Compliance Guide on Arbitration Rule

    Agency Rule-Making & Guidance

    On September 15, the CFPB published a small entity compliance guide concerning the Bureau’s final arbitration rule that became effective this month. Compliance is required for “pre-dispute arbitration agreements” entered into on or after March 19, 2018. This guide provides a summary of the rule and highlights the parties and consumer financial products and services covered by the rule, as well as exclusions from the rule’s requirements. In addition, the guide includes descriptions of provisions to be included in pre-dispute arbitration agreements, clarifies the rule’s prohibition on relying on pre-dispute arbitration agreements to block class actions, and explains the record submission requirements under the rule.

    However, as previously discussed in InfoBytes, while the arbitration rule went into effect September 18, the House passed a disapproval resolution in July to repeal the rule, with a similar measure set for discussion in the Senate.

    Agency Rule-Making & Guidance CFPB Arbitration Compliance Class Action

  • District Court Grants Preliminary Settlement Approval in SCRA Class Action Suit

    Courts

    On September 13, the U.S. District Court for the Eastern District of North Carolina granted preliminary approval to settle a class-action suit resolving allegations that a national bank overcharged military families on interest and fees related primarily to mortgage and credit card accounts in violation of the Servicemembers Civil Relief Act (SCRA). The order also, in the context of the proposed settlement only, preliminarily certifies the class, which is comprised of members who—after September 11, 2001—were entitled to “additional compensation related to military reduced interest rate benefits from [the bank].” The plaintiffs filed the complaint against the bank in 2015 claiming alleged violations of the SCRA, TILA, and the North Carolina Unfair and Deceptive Trade Practices Act. In May 2016, the court denied the defendants’ motion to dismiss the first amended complaint, and at the end of 2016, the parties agreed to mediation. A second amended complaint—now the operative complaint—was filed just prior to the motion for preliminary approval. While the bank has not admitted any wrongdoing, it has agreed to refrain from using an “interest subsidy method for interest benefits calculations for a five-year period,” which, plaintiffs pleaded, can lead to higher costs.

    According to the terms of the memorandum in support of the motion for preliminary approval, class members will receive payments based on the strength of their individual claims, considering such factors as: (i) loan type; (ii) whether they previously received remediation from the bank, and how much; and (iii) the eligible period for interest rate refunds. The memorandum further stipulates that approximately $15.4 million of the nearly $42 million overall settlement will be provided to class members who have not received or deposited any payments from the bank. Unclaimed amounts from the first round will be pooled with the remainder of the settlement to be allocated as outlined in the distribution plan. A final approval hearing is scheduled for February of next year.

    Courts SCRA TILA Servicemembers Mortgages Credit Cards Class Action Litigation Settlement

  • Legislators, State Attorneys General, and Consumers React to Credit Reporting Agency Data Breach

    Privacy, Cyber Risk & Data Security

    As previously reported in InfoBytes, a major credit reporting agency suffered a data breach from mid-May through the end of July that impacted approximately 143 million U.S. consumers. Shortly after the agency disclosed the breach, several Republican and Democratic lawmakers promised legislative action. Senator Brian Schatz (D-Haw.) reintroduced the Stop Errors in Credit Use and Reporting (SECURE) Act to address these issues. In addition, two committees—the House Financial Services Committee and the House Energy and Commerce Committee—both announced plans to hold hearings on the breach (dates still to be released). Separately, Representative Ted Lieu (D-Cal.) sent a letter to the House Judiciary Committee requesting a hearing to investigate how and why the data breach occurred, and what measures can be taken to prevent future incidents.

    At least two class action lawsuits have been filed—in Georgia and Oregon—as a result of the breach, and several state attorneys general, including New York Attorney General Eric T. Schneiderman, have launched investigations into the matter. The CFPB also released a blog post for consumers on ways to identify signs of fraud or identity theft.

    Notably, on September 11, the agency issued an update for consumers announcing that “in response to consumer inquiries,” the arbitration clause and class action waiver included in its terms of use will not “apply to this cybersecurity incident.” The CFPB’s final arbitration rule, which prohibits the use of mandatory pre-dispute arbitration clauses, has been a point of considerable debate this summer, with the House voting to repeal the proposed rule and the Senate introducing a similar measure (see InfoBytes post here), while a coalition of state attorneys general has issued support for the proposed rule (see InfoBytes post here).

    Privacy/Cyber Risk & Data Security Data Breach Class Action State AG

  • District Court Denies Class Certification for Lack of Temporal Constraint on Proposed Class Definition

    Courts

    On August 30, the U.S. District Court for the Southern District of New York issued an opinion and order denying the certification of a proposed class of investors alleging that a bank failed in its responsibilities as trustee of five residential mortgage-backed securities. The court found that “the proposed class cannot be certified because it is not ‘defined using objective criteria that establish a membership with definite boundaries’ . . . [such as] a fixed date, a window of acquisition, or length or continuity of ownership.” The judge ruled that the lack of a “temporal constraint on the proposed class definition” meant investors who bought and sold the securities before and after the alleged violations occurred could be included in the suit, despite the fact that any losses incurred by these groups would not necessarily be associated with the bank’s alleged misconduct. However, the court ruled that the plaintiff may file an amended motion proposing an alternative class construction within 45 days.

    Courts Class Action Mortgages Securities

  • Mortgage Company, Real Estate Services Companies Reach $17 Million Class Action Settlement for Alleged RESPA Violations

    Courts

    On August 25, a national mortgage company and a real estate services family of companies (Defendants) together entered into a $17 million settlement to end a putative class action lawsuit accusing them of arranging kickbacks for unlawful referrals of title services in violation of the Real Estate Settlement Procedures Act (RESPA). The complaint, filed in 2015 in the U.S. District Court for the Central District of California, accused Defendants—along with various affiliates—of violating RESPA by allegedly facilitating the exchange of unlawful referral fees and kickbacks through an affiliated business arrangement, while also directing various banks to refer title insurance and other settlement services to a subsidiary in the real estate services family of companies without informing customers of the relationship between the entities. According to a memorandum in support of the motion seeking preliminary approval of the settlement, the real estate services family of companies was “obligated to refer their customers exclusively to [the mortgage company] for mortgage loans, and, in return, [the mortgage company] was required to refer all settlement services back to [the real estate services enterprise’s] subsidiaries.” While a federal judge dismissed the first and second amended complaints “on the basis that Plaintiffs failed to plead sufficient facts for equitable tolling of RESPA’s one-year statute of limitations,” the same judge denied Defendants’ motion to dismiss a third amended complaint because “Defendants’ contention regarding equitable tolling for the statute of limitations was ‘better resolved in either a motion for summary judgment or trial.’” A fourth amended complaint, filed in July 2017, amended certain claims and added additional class plaintiffs, well after settlement discussions had started.

    A stipulation of settlement was filed alongside the motion for preliminary approval, in which Defendants continued “to deny each and all of the claims and contentions alleged in the [a]ction . . . [but] have concluded that the further conduct of the [a]ction against them would be protracted and expensive.” Furthermore, the stipulation noted that “substantial amounts of time, energy and resources have been and, unless this [s]ettlement is made, will continue to be devoted to the defense of the claims asserted in the [a]ction.” The proposed settlement class consists of more than 32,000 transactions related to borrowers who closed on mortgage loans originated by the mortgage company between approximately November 2014 and November 2015, and who paid any title, escrow or closing related charges to the real estate services companies. The proposed settlement stipulates that Defendants must pay $17 million into a settlement fund to be used to provide cash payments to class members, as well as a portion that will go towards class counsel attorney fees and litigation expenses pending court approval.

    Courts Class Action Kickback Settlement RESPA

  • National Bank, Debt Collection Agency Reach $4.3 Million Class Action Settlement for Alleged FDCPA Violations

    Courts

    On August 21, a national bank and a debt collection agency (Defendants) together entered a $4.3 million settlement in a Fair Debt Collection Practices Act (FDCPA) class action lawsuit brought by borrowers who alleged the Defendants unlawfully attempted to collect certain mortgage payments. The July 2015 complaint, filed in the U.S. District Court for the Southern District of California, accused Defendants of violating the FDCPA, California’s Rosenthal Fair Debt Collection Practices Act, and California’s Unfair Competition Law, Business and Professions Code when they sent more than 20,000 allegedly misleading, unenforceable payment notices to borrowers after the bank had released the liens on the properties securing the mortgage loans.

    According to a memorandum in support of the motion seeking preliminary approval of the settlement, approximately three percent of the 23,376 members of the settlement class made payments on unenforceable loans. The rest of the class did not make any payments. After three mediation sessions and a series of negotiations, Defendants agreed to award class members amounts based on their placement into one of three tranches: (i) tranche 1: borrowers who made at least one “challenged payment” on a purchase money mortgage; (ii) tranche 2: borrowers who made at least one challenged payment on a non-purchase money mortgage; and (iii) tranche 3: borrowers who received an “allegedly deceptive payment communication” but did not make any challenged payments. The settlement terms stipulate that class members in tranche 1 will receive an initial payment worth 76 percent of the total challenged payments they made, and members in tranche 2 will receive an initial distribution of 38 percent of what they paid. Class members from tranche 1 and tranche 2 will be eligible for a second distribution if sufficient funds remain available. An approximately $22 payment will be sent to the majority of the class members (who fall into tranche 3), which will be paid from the $500,000 maximum statutory civil penalty available under the Rosenthal Act. Class members are not required to do anything to receive their award.

    Courts Debt Collection FDCPA Mortgages Class Action Settlement
