InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
District Court grants final approval in BIPA class action
On September 1, the U.S. District Court for the Northern District of Illinois granted final approval of a $6.8 million class action settlement in a biometric privacy data suit. According to the plaintiff’s memorandum of law in support of her unopposed motion for final approval of the settlement, the plaintiff alleged that the defendant violated Illinois law by collecting fingerprint scan data from Illinois users of vending machine systems without written notice and consent. According to the settlement, class members include all individuals who scanned their finger(s) in one or more of defendants’ vending systems in Illinois between August 23, 2014 and November 2021, which totals approximately 63,450 individuals. Each class member will receive approximately $413, and the settlement includes roughly $2.2 million in attorney fees for class counsel.
FTC hosts forum on commercial surveillance and lax data security practices
On September 8, the FTC hosted a forum regarding its Advance Notice of Proposed Rulemaking (ANPR) on commercial surveillance and data security practices. As previously covered by InfoBytes, the ANPR was issued in August to solicit public comment on “the harms stemming from commercial surveillance and whether new rules are needed to protect people’s privacy and information.” The ANPR noted that there is increasing evidence that some surveillance-based services may be addictive to children and lead to a wide variety of mental health and social harms. The forum featured remarks by FTC Chair Lina M. Khan, Commissioners Rebecca Kelly Slaughter and Alvaro Bedoya, as well as a staff presentation, two panel discussions, and comments from the public. Chair Khan noted in her remarks that the discussion and comments at the forum will be critical in determining the evidentiary basis for proceeding with a rulemaking and whether legal requirements needed for crafting any particular type of rule. However, some observers expressed concern that the FTC’s ANPR could undermine efforts to pass federal privacy legislation. Slaughter noted in her remarks that she “support[s] strong federal privacy legislation, but until there’s a law on the books, the commission has a duty to use all the tools we have to investigate and address unlawful behavior in the market.” Commissioners Slaughter and Bedoya also expressed the need for public engagement to understand commercial surveillance.
The first panel focused on industry perspectives on commercial surveillance and data security. When asked about some of the best practices or potential business models developed by businesses to mitigate consumer harm and protect data, a panelist noted that there are many approaches underway, but the guiding principle is that the process of documentation supports transparency by prompting processes and critical thinking of each step in the mission learning lifecycle. One panelist expressed concerns about businesses tracking personal data, stating that because retailers collect information about their customers when they make purchases online and may recommend related offerings, regulators “should not interfere with these direct relationships.” Another panelist warned against treating all data collection and processes equally, stressing that the FTC should use its enforcement tools against third parties.
The second panel featured consumer advocates discussing interests, concerns, risks, and harms related to commercial surveillance, in addition to mitigating consumer harms and protecting data. The advocates noted, among other things, that the FTC should impose heightened safeguards on sensitive data, such as precise location records and information associated with children. Additionally, the panelists advocated for establishing a regulation and broadening the FTC’s Section 5 unfairness authority that limits widescale tracking. Specifically, one panelist discussed how the FTC should approach a data minimization rule under Section 5, recommending that such a rule should ban secondary use and third-party disclosures. In regard to combating discrimination through data collection and advertising, a panelist noted that shifting data protection responsibilities from individuals onto companies could play an important part to ensure that data-driven algorithms that deliver ads or content are not discriminating against consumers.
11th Circuit says plaintiff lacks standing in collection letter case
On September 8, the U.S. Court of Appeals for the Eleventh Circuit issued an en banc decision in Hunstein v. Preferred Collection & Management Services, dismissing the case after determining the plaintiff lacked standing to sue. The majority determined that “[b]ecause Hunstein has alleged only a legal infraction—a ‘bare procedural violation’—and not a concrete harm, we lack jurisdiction to consider his claim.” In April 2021, the 11th Circuit held that transmitting a consumer’s private data to a commercial mail vendor to generate debt collection letters violates Section 1692c(b) of the FDCPA because it is considered transmitting a consumer’s private data “in connection with the collection of any debt.” The decision revived claims that the debt collector’s use of a third-party mail vendor to write, print, and send requests for medical debt repayment violated privacy rights established in the FDCPA. The 11th Circuit last November, however, voted sua sponte to rehear the case en banc and vacated its earlier opinion. (Covered by InfoBytes here.)
The en banc decision relied heavily on the U.S. Supreme Court’s ruling in TransUnion v. Ramirez (covered by InfoBytes here), which clarified the type of concrete injury necessary to establish Article III standing and directed courts “to consider common-law torts as sources of information on whether a statutory violation had caused a concrete harm.” The majority pointed out that when making a common-law tort comparison, courts “do not look at tort elements in a vacuum” but rather “make the comparison between statutory causes of action and those arising under the common law with an eye toward evaluating commonalities between the harms.”
“What harm did this alleged violation cause?” the majority questioned in its opinion, finding that no tangible injury or loss was identified in the complaint. Rather, the plaintiff analogized to the tort of public disclosure. The majority found that this comparison was inapposite, because “the disclosure alleged here lacks the fundamental element of publicity.” Because there was no public disclosure, there was no invasion of privacy and therefore no cognizable harm.
Four judges dissented, arguing that the plaintiff had standing to sue. They opined that the court’s job is not to determine whether the plaintiff stated a viable common-law tort claim, but rather to “compare the ‘harm’ that Congress targeted in the FDCPA and ‘harm’ that the common law sought to address” and to determine whether those harms bear a sufficiently “close relationship.” The dissenting judges found that the plaintiff’s allegations that the delivery of “intensely private information” to the vendor is the “same sort of harm that common-law invasion-of-privacy torts—and in particular, public disclosure of private facts—aim to remedy.” The dissent also stressed that even if the disclosure alleged by the plaintiff is less extensive than the type of disclosure of private information typically at issue in a common law invasion of privacy claim, that is a question of the degree of harm and not a question of the kind of harm, and therefore should not be the basis for dismissal.
OCC issues expectations for protecting non-public information
On September 7, the OCC issued Bulletin 2022-21, Information Security: Expectations for Protecting Non-public OCC Information on Institution- or Other Non-OCC-Owned or Managed Video Teleconferencing Services, outlining its expectations for protecting non-public OCC information shared on video teleconferencing services that are operated or managed by an institution or any other party. The OCC reiterated that banks and other parties in possession of such information are prohibited from disclosure without the agency’s prior approval, except under certain limited circumstances. Further, the prohibition extends to the disclosure of information displayed, processed, stored, or transmitted by information systems, including video teleconferencing services. The Bulletin states that non-public OCC information is the property of the OCC and includes, among other things: (i) “OCC reports of examination, including ratings such as CAMELS and the Uniform Rating System for Information Technology ratings”; (ii) “supervisory correspondence”; (iii) “institution responses to supervisory correspondence”; (iv) “investigatory files”; and (v) “certain enforcement-related information, including matters requiring attention.” The OCC also listed several security expectations for any videoconference in which non-public OCC information will be communicated, which includes using an encrypted connection, moderating the meetings, making no recordings or transcriptions, and ensuring the videoconference service is securely configured and routinely patched to protect against cyber intrusion and data loss.
11th Circuit affirms denial of title company’s cyber fraud claim
On September 6, the U.S. Court of Appeals for the Eleventh Circuit upheld a district court’s decision to deny insurance coverage to a Florida title company under its Cyber Protection Insurance Policy after it was allegedly “fraudulently induced—by an unknown actor impersonating a mortgage lender—to wire funds to an incorrect account.” The insurance company denied coverage on the basis that the title company did not meet the policy’s requirements. The title company submitted a claim under the cybercrime endorsement of its insurance policy, which includes a deceptive transfer fraud insurance clause that grants coverage provided certain criteria are met, including that the loss resulted from intentionally misleading actions, was done by a person purporting to be an employee, customer, client or vendor, and the authenticity of the wire transfer instructions was verified according to the title company’s internal procedures. The insurance company denied coverage, claiming that: (i) the mortgage lender to whom the funds were intended was not an employee, customer, client or vendor of the title company; and (ii) that the title company failed to verify the transfer request according to its procedures. The district court granted summary judgment in favor of the insurance company, agreeing that coverage did not exist under the plain language of the policy.
On appeal, the 11th Circuit determined that the mortgage lender was not listed as an entity under the plain language of the policy. It further disagreed with the title company’s position that under Florida law, insurance coverage clauses must “be construed as broadly as possible to provide the greatest amount of coverage,” and that the deceptive transfer fraud clause should also include “persons and entities involved in the real estate transaction.” The appellate court noted that “[a]s attractive as that proposition may be, it is simply not what the clause provides,” adding that because the clause “limits coverage to misleading communications ‘sent by a person purporting to be an employee, customer, client or vendor’” it must interpret these terms according to their plain meaning and may not “alter[] the terms bargained to by parties to a contract.”
CARU orders app company to correct violations of children’s privacy rules
On September 7, the Children’s Advertising Review Unit (CARU) announced that the owner of a cartoon-themed app company has agreed to correct alleged violations of the Children’s Online Privacy Protection Act (COPPA) and CARU’s Self-Regulatory Guidelines for Advertising and for Children’s Online Privacy Protection. CARU found that the company served multiple automated ads that could not be stopped—which included interactive features that mimicked the app's gameplay—until users downloaded the advertised app or watched the entire ad. CARU found that these “ads unduly interfered with gameplay, encouraged excessive ad viewing by children through deceptive door openers and other manipulative design techniques, required children to download and install unnecessary apps, and often provided unclear and inconspicuous methods for children to exit the ad and return to the game.” CARU further noted that while its Advertising Guidelines do not require in-app ads to provide an exit method, “they specify that where one is offered it must be clear and conspicuous.” CARU also said that the app “failed to use simple, clear, and conspicuous language to let children know when they were selecting a button that would force them to watch or engage with an ad, and instead used small disclosures in tiny, inconspicuous text.” The company also displayed some ads that were unsafe and inappropriate for children in violation of CARU's Advertising Guidelines.
CARU noted that the company did take proactive steps to address each of CARU's concerns regarding its advertising and privacy practices. Specifically, the company will, among other things, “[u]pdate its age screening mechanism to allow users to freely enter the month and year of their birth and, use technical measures to prevent a child from entering a different age once they initially submit their age,” and “[u]pdate its privacy policy to align with COPPA and better reflect its data practices as a mixed-audience site.” In particular, the app company has already voluntarily updated its age screen to direct users to two different versions of the app, with one directed towards users under age 13 and a separate version for those age 13 and up.
District Court says tech company not liable for app in crypto theft
On September 2, the U.S. District Court for the Northern District of California granted a defendant California tech company’s motion to dismiss a putative class action filed by users who claimed their cryptocurrency was stolen after they downloaded a “phishing” program that posed as a legitimate digital wallet. Plaintiffs alleged that the illegitimate app (developed by a third-party and not the defendant) caused them to lose thousands of dollars in cryptocurrency. Claiming that the app was a spoofing and phishing program that obtained consumers’ cryptocurrency account information and routed that information to hackers’ personal accounts, plaintiffs sued, asserting claims under the federal Computer Fraud and Abuse Act, Electronic Communications Privacy Act, California Consumer Privacy Act, California’s Unfair Competition Law, California Consumer Privacy Act, California Consumer Legal Remedies Act, Maryland Wiretap and Electronic Surveillance Act, Maryland Personal Information Protection Act, and Maryland Consumer Protection Act. The defendant moved to dismiss, arguing that it was immune from liability under § 230(c)(1) of the Communications Decency Act. The court agreed with the defendant, ruling that it is granted protection under the Act because it qualifies as an “interactive computer service provider” within the meaning of the statute, is treated as a publisher, and provides information from another information content provider. “Here, plaintiffs’ computer fraud and privacy claims are based on [defendant’s] reproduction of an app [] intended for public consumption, via the App Store,” the court wrote. “But, as [defendant] notes, its review and authorization of the [] app for distribution on the App Store is inherently publishing activity.” Moreover, the court concluded that, among other things, the defendant’s liability provision contained within its terms, which states that it is not liable for conduct of a third party, is valid and enforceable.
District Court preliminarily approves TCPA class action settlement
On March 3, the U.S. District for the Central District of California granted final approval of a TCPA class action settlement with a satellite TV company. According to a memorandum in support of plaintiff’s motion for preliminary approval of class action settlement and certification, the plaintiff class alleged that the defendant violated the TCPA by using an artificial or prerecorded voice to call cell phones without the prior express consent of class members, consisting of about 22,000 individuals. The settlement class includes all people who received non-emergency calls from the defendant and four of its debt collection companies “regarding a debt allegedly owed to [the defendant], to a cellular telephone through the use of an artificial or prerecorded voice, and who has not been a [defendant] customer at any time since October 1, 2004.” The settlement requires the defendant to pay an all-cash non-reversionary sum of $17 million. The settlement could also approach or exceed $500 in damages per call for class members who make claims and includes an award of attorney fees of up to $5.61 million, or 33 percent of the settlement fund, in addition to litigation costs. Specifically, the settlement would provide $606.06 per call for settlement class members who received calls from two of the defendant’s debt collectors, and those members will get two shares of the pro rata distribution. Settlement class members who received calls from two other of the defendant’s debt collectors will get $303.03 per call and one share of the pro rata distribution.
District Court grants final approval in TCPA class action
On September 1, the U.S. District Court for the Central District of California granted final approval of a class action settlement in a TCPA suit. According to the plaintiffs’ motion for preliminary approval of the class action settlement, the plaintiffs are non-customers who the defendant contacted as part of its efforts to collect on the account of a defendant’s customer and who had not consented to calls from the defendant. The plaintiffs further alleged that the defendant used its autodialer to place those calls and conveyed prerecorded messages to third parties who had not consented to receive such calls, and that through analysis of the defendant’s records, broad notice to class members, and a robust claims verification procedure, it was possible to provide notice to non-customer class members. According to the settlement, the class includes any customer in the U.S. who received automated, non-emergency calls from the defendant on their cell phones from March 2012 through March 2022, and was not a party to an agreement with the defendant. The settlement noted that class members are expected to get between $75 and $250 per person, stating that “this estimated settlement range compares very favorably with other 'wrong number' settlements . . . , and with the $500 penalty for violation of the TCPA.”
3rd Circuit vacates dismissal of data breach suit
On September 2, the U.S. Court of Appeals for the Third Circuit vacated the dismissal of a class action alleging that a defendant pharmaceutical research company’s negligence led to a data breach. According to the opinion, the plaintiff, who is a former employee of the defendant’s subsidiary, provided her sensitive personal and financial information in exchange for the defendant’s agreement, pursuant to the plaintiff’s employment agreement, to “take appropriate measures to protect the confidentiality and security” of this information. After plaintiff ended her employment with the company, a hacking group accessed the defendant’s servers through a phishing attack and stole sensitive information pertaining to current and former employees. In addition to exfiltrating the data, the hackers installed malware to encrypt the data stored on the defendant’s servers and held the decryption tools for ransom. The defendant informed current and former employees of the breach and encouraged them to take precautionary measures. To mitigate potential harm, the plaintiff took immediate action by conducting a review of her financial records and credit reports for unauthorized activity, among other things. As a result of the breach, the plaintiff alleged that she has sustained a variety of injuries—primarily the risk of identity theft and fraud—in addition to the investment of time and money to mitigate potential harm. The district court granted the defendant's motion to dismiss based on lack of Article III standing, concluding “that [the plaintiff's] risk of future harm was not imminent, but ‘speculative,’ because she had not yet experienced actual identity theft or fraud.”
On the appeal, the 3rd Circuit noted that the district court “erred in dismissing [the plaintiff’s] contract claims, which are raised in Counts III (breach of implied contract) and IV (breach of contract),” arising from her employment agreement. The appellate court wrote that the plaintiff “has alleged an injury stemming from the breach—the risk of identity theft or fraud—that is sufficiently imminent and concrete,” because the defendant “expressly contracted to ‘take appropriate measures to protect the confidentiality and security’ of plaintiff’s information in [the plaintiff’s] employment agreement.” The appellate court also noted that in an “increasingly digitalized world, an employer's duty to protect its employees’ sensitive information has significantly broadened.” The 3rd Circuit vacated the judgment on all counts and remanded the dispute to the district court for consideration of the merits of the claims.