InfoBytes Blog

Financial Services Law Insights and Observations

  • District Court preliminarily approves $2.35 million settlement for card data breach

    Privacy, Cyber Risk & Data Security

    On November 8, the U.S. District Court for the Northern District of Texas issued an order accepting a magistrate judge’s report preliminarily approving a consolidated class action settlement related to a restaurant chain’s payment card data breach. Class members alleged that hackers gained unauthorized access to the restaurant chain’s computer servers and payment card environment between April 2019 and October 2020, resulting in hundreds of thousands of consumers’ financial information, including credit and debit card numbers, expiration dates, cardholder names, and internal card verification codes, being compromised. Hackers then allegedly advertised the stolen information for sale on the dark web. Several lawsuits were filed alleging violations of numerous state laws that were eventually consolidated with this action. The parties negotiated a settlement prior to class certification, which would require the restaurant chain to provide a $2.35 million all-cash non-reversionary qualified settlement fund and adopt several data-security measures. Class members also would be able to file claims for out-of-pocket losses, elect cash payments, and request credit monitoring services.

    The magistrate judge’s report recommended that the proposed class settlement be preliminarily approved as it “will likely be found fair at the final approval stage” and the offered relief “is both procedurally and substantively adequate.” The magistrate judge disagreed with objections raised by certain plaintiffs who argued, among other things, “that the proposed settlement is ‘substantively inadequate’ because the amount of funds available per potential class member is ‘far too low.’” However, according to the magistrate judge’s report, when compared to other settlements approved in other data breach cases, it is “clear that the proposed settlement is at least in line with if not better than what any proposed plaintiff could have expected coming into the litigation.” The magistrate judge also refuted the objecting plaintiffs’ assertion that the proposed settlement treats class members differently by providing plaintiffs who can establish out-of-pocket losses with up to $5,000, California residents without losses with $100, and non-California residents without losses with $50. “The Settling Plaintiffs have adequately demonstrated why this extra recovery for California class members [is] equitable, if not equal. Namely, class members from California could bring California state law claims which provide for $100-$750 in statutory damages,” the report said, adding that “class members from California have a stronger basis for damages than do class members from outside the state—who may only be able to show nominal or incidental damages as a result of [the restaurant chain’s] breach of contract—and so their modestly increased recovery is justified.”

    Privacy, Cyber Risk & Data Security Courts Data Breach Consumer Protection Class Action Settlement State Issues California

  • District Court: Unclear when networking site became aware of data scraping

    Privacy, Cyber Risk & Data Security

    On November 3, the U.S. District Court for the Northern District of California issued an order ruling on cross-motions for summary judgment in an action concerning whether a now-defunct plaintiff data analytics company breached a user agreement with a defendant professional networking site by using an automated process to extract user data (a process known as “scraping”) for the purposes of selling its analytics services to businesses. The defendant claimed that the user agreement prohibits scraping, and sent the plaintiff a cease-and-desist letter demanding it stop and alleging violations of the Computer Fraud and Abuse Act (CFAA) as well as various state laws. In response, the plaintiff sued the defendant, arguing that it had a right to access the public pages, and later sought a preliminary injunction, which the district court granted.

    As previously covered by InfoBytes, earlier this year, the U.S. Court of Appeals for the Ninth Circuit, on remand from the U.S. Supreme Court, affirmed the district court’s order preliminarily enjoining the defendant from denying the plaintiff access to publicly available member profiles. The 9th Circuit had previously affirmed the preliminary injunction, but was called to further consider whether the CFAA applies to the plaintiff’s data scraping after the U.S. Supreme Court vacated the appellate court’s judgment in light of its ruling in Van Buren v. United States. The 9th Circuit found that the ruling in Van Buren, in which the Supreme Court suggested the CFAA only applies in cases where someone is accused of hacking into or exceeding their authorized access to a network that is protected, or in situations where the “gates are up,” narrowed the CFAA’s scope and most likely did not apply to cases involving data scraped in bulk by automated bots from public websites. The appellate court concluded, among other things, that the defendant showed that it “currently has no viable way to remain in business other than using [the networking site’s] public profile data” for its analytic services and “demonstrated a likelihood of irreparable harm absent a preliminary injunction.” Moreover, the 9th Circuit rejected the defendant’s claims that the plaintiff violated the CFAA.

    In partially granting the defendant’s motion and denying the plaintiff’s, the district court ruled that the plaintiff breached its user agreement by directing the creation of fake accounts and copying of URL data as part of its scraping process. Nonetheless, the district court noted there remains a legitimate dispute over whether the defendant waived its right to enforce the user agreement after the plaintiff openly discussed its business model, including its reliance on scraping, at conferences it organized that were attended by defendant’s executives. Moreover, questions remain for trial as to when the defendant became aware of the plaintiff’s scraping, whether it should have taken “steps to legally enforce against known scraping” sooner, and whether the defendant can raise certain defenses to its breach of contract claim tied to the plaintiff’s data scraping and unauthorized use of data.

    Privacy, Cyber Risk & Data Security Courts Data Scraping Consumer Protection Computer Fraud and Abuse Act State Issues California Appellate Ninth Circuit

  • Mortgage servicer must pay $4.5 million in payment service fee suit

    Courts

    On November 7, the U.S. District Court for the Southern District of West Virginia granted final approval of a class action settlement, resolving allegations that a defendant mortgage servicer charged improper fees for optional payment services in connection with mortgage payments made online or over the telephone. The plaintiffs’ memorandum of law in support of their motion for final approval of the settlement alleges the defendant engaged in violations of the West Virginia Consumer Credit Protection Act, breach of contract, and unjust enrichment with respect to the fees. According to the memorandum, before deduction of attorneys’ fees and expenses, administrative costs, and any service award, the $4.5 million settlement fund represents approximately $216 per fee paid to the defendant by the putative class members. The court also approved $1.5 million in attorneys’ fees, plus $4,519.20 in expenses, along with a $15,000 service award for the settlement class representative.

    Courts Class Action Settlement Fees Mortgages Mortgage Servicing State Issues West Virginia

  • District Court approves $14 million wireless rates settlement

    Courts

    On November 8, the U.S. District Court for the Northern District of California granted final approval to a $14 million settlement resolving allegations that a telecommunications company made misleading claims regarding its administrative fees. According to the plaintiffs’ memorandum of points and authorities in support of motion for preliminary approval of class settlement, current and former wireless-service customers of the defendant (plaintiffs) with post-paid wireless service plans were charged an improper administrative fee. The plaintiffs alleged, generally, that the defendant’s representations and advertisements regarding the monthly price of its post-paid wireless service plans were misleading because the prices did not include the administrative fee, and that the defendant implemented and charged the administrative fee in a deceptive and unfair manner. According to the terms of the $14 million settlement agreement, $3.5 million of the award will cover attorney fees and costs, with additional funds allocated to cover litigation expenses.

    Courts Class Action Consumer Finance Fees Settlement

  • North Carolina Supreme Court orders appeals court to review HAMP fraud claims

    Courts

    On November 4, the Supreme Court of North Carolina determined that an appeals court erred by remanding a case concerning a defendant bank’s Home Affordable Modification Program to a trial court with instructions to make factual findings and conclusions of law on the defendant’s motion to dismiss. Plaintiffs sued the defendant alleging fraud and other related claims arising out of the bank’s mortgage modification program. The trial court dismissed the claims for failure to state a claim pursuant to North Carolina’s Rule of Civil Procedure 12(b)(6), after concluding that plaintiffs’ claims were time barred and “that ‘the claims of all [p]laintiffs who were parties to foreclosure proceedings [were] barred by the doctrines of res judicata and collateral estoppel.’” Plaintiffs appealed. A divided panel of the Court of Appeals remanded the case to the trial court claiming that “it could not ‘determine the reason behind the grant’ and could not ‘conduct a meaningful review of the trial court’s conclusions of law.’” The North Carolina Supreme Court countered, however, that there exists “no legal basis or practical reason for the Court of Appeals to remand the case to the trial court to make factual findings and conclusions of law” as “a trial court is not required to make factual findings and conclusions of law to support its order unless requested by a party”—a request neither party made. According to the North Carolina Supreme Court, the appeals court erred by not conducting a de novo review of the sufficiency of the plaintiffs’ allegations. The North Carolina Supreme Court ordered the appeals court to address whether the plaintiffs’ allegations, if treated as true, are sufficient to state a claim upon which relief can be granted.

    Courts Appellate North Carolina State Issues Fraud HAMP Mortgages Consumer Finance

  • District Court certifies class in FDCPA suit

    Courts

    On November 4, the U.S. District Court for the District of New Jersey granted the plaintiffs’ motion for class certification in an FDCPA suit related to credit reporting language used in collection letters. According to the opinion, the plaintiffs received collection letters from the defendant with a statement that read: “Our records indicate there is still a balance on this past due account. Please respond to this letter within seven days or we may take additional collection efforts. The creditor shown above has authorized us to submit this account to the nationwide credit reporting agencies. As required by law, you are hereby notified that a negative credit report reflecting your credit record may be submitted to a credit reporting agency if you fail to fulfill the terms of your credit obligations.” The plaintiffs alleged FDCPA violations against the defendant, claiming that the letters constituted false and misleading collection efforts because the defendant did not intend to report the debts to credit reporting agencies within seven days of the letters’ receipt, as the defendant’s policy was to report debts “approximately sixty (60) days from placement absent contract instructions from its client.” The court noted that the collection letter in question was sent to 984 individuals, meeting the numerosity component for class certification. The court also held that, because all members of the class share the same FDCPA claim, the commonality and predominance components of certification were satisfied. The court also ruled that typicality, adequacy, ascertainability, and superiority components were met, and certified the class.

    Courts Debt Collection Class Action FDCPA Consumer Finance

  • District Court preliminarily approves $4.3 million data breach settlement

    Courts

    On November 4, the U.S. District Court for the Eastern District of Michigan granted preliminary approval of a $4.3 million class action settlement regarding a data breach, following the filing of the plaintiffs’ unopposed motion for preliminary approval of class action settlement. After a plaintiff consolidated her suit with other similar lawsuits, the plaintiff class sued the defendant for negligence, unjust enrichment, and breach of contract, alleging their personal information was stolen from the defendant during a malware attack due to lack of cybersecurity measures. The settlement provides for, among other things, three years of free credit-monitoring services for the plaintiff class, up to $2,500 per member to cover out-of-pocket expenses related to the breach, up to $80 per member to cover lost time remedying issues related to the breach, $75 per member for California residents for claims under state statutes, and a year of password-managing services. The plaintiffs are seeking service awards of $1,500 for each of the 15 representative plaintiffs. The motion also noted that class counsel will ask the court for just over $1.4 million in attorneys’ fees to be deducted from the settlement fund.

    Courts Privacy, Cyber Risk & Data Security Settlement Class Action State Issues

  • 6th Circuit affirms FCRA summary judgment

    Courts

    On November 4, the U.S. Court of Appeals for the Sixth Circuit affirmed a district court’s summary judgment ruling in favor of a credit reporting agency (defendant) accused of violating the FCRA. According to the opinion, a father and son (plaintiff) filed Chapter 7 bankruptcy petitions just over a year apart with the same attorney. Both petitions had their similar names, identical address, and, mistakenly, the plaintiff’s social security number. Although the attorney corrected the social security number on the father’s bankruptcy petition the day after it was filed, the defendant allegedly failed to catch the amendment and erroneously reported the father’s bankruptcy on the plaintiff’s credit report for nine years. When the plaintiff noticed the error, he sent the defendant a letter and demanded a sum in settlement. The defendant removed the father’s bankruptcy filing from the plaintiff’s credit report. The plaintiff sued two credit reporting agencies, alleging they violated the FCRA by failing to “follow reasonable procedures to assure maximum possible accuracy” of his reported information. One of the agencies settled with the plaintiff. A district court granted the other defendant’s motion for summary judgment, which the plaintiff appealed.

    On the appeal, the 6th Circuit noted that the plaintiff “has standing to bring this action, but also agree that he cannot establish that [defendant’s] procedures were unreasonable as a matter of law.” The appellate court found that, because the defendant gathered information from reliable sources and because someone “with at least some legal training” would have had to manually review the bankruptcy docket to notice that the Social Security number had been updated, the defendant did not violate the FCRA. The appellate court wrote that the defendant’s “processes strike the right balance between ensuring accuracy and avoiding ‘an enormous burden’ on consumer credit reporting agencies.” Furthermore, the 6th Circuit stated that, “[g]iven the sheer amount of data maintained by these companies, we know that consumers are ‘in a better position . . . to detect errors’ in their credit reports and inquire about a fix.”

    Courts Credit Reporting Agency Appellate Sixth Circuit FCRA Bankruptcy Consumer Finance

  • 4th Circuit says website does not qualify for Section 230 immunity

    Courts

    On November 3, the U.S. Court of Appeals for the Fourth Circuit reversed and remanded a district court’s summary judgment ruling that a public records website, its founder, and two affiliated entities (collectively, “defendants”) could use Section 230 liability protections under the Communications Decency Act (CDA) to shield themselves from credit reporting violations. As previously covered by InfoBytes, plaintiffs alleged, among other things, that because the defendants’ website collects, sorts, summarizes, and assembles public record information into reports that are available for third parties to purchase, it qualifies as a consumer reporting agency (CRA) under the FCRA, and as such, must follow process-oriented requirements that the FCRA imposes on CRAs. However, the district court determined that the immunity afforded by Section 230 of the Communications Decency Act applied to the FCRA and that the defendants qualified for such immunity and could not be held liable for allegedly disseminating inaccurate information and failing to comply with the law’s disclosure requirements.

    On appeal, the 4th Circuit reviewed whether a consumer lawsuit alleging violations of the FCRA’s procedural and disclosure requirements and seeking to hold the defendants liable as the publisher or speaker of information provided by a third party is thereby preempted by Section 230. The appellate court agreed with an amicus brief filed in 2021 by the FTC, CFPB, and the North Carolina Department of Justice, which urged the appellate court to overturn the district court ruling on the basis that the court misconstrued Section 230—which they assert is unrelated to the FCRA—by extending immunity to “claims that do not seek to treat the defendant as the publisher or speaker of any third-party information.” According to the amicus brief, liability turns on the defendants’ alleged failure to comply with FCRA obligations to use reasonable procedures when preparing reports, to provide consumers with a copy of their files, and to obtain certifications and notify consumers when reports are furnished for employment purposes.

    The 4th Circuit held that Section 230(c)(1) of the CDA “extends only to bar certain claims, in specific circumstances, against particular types of parties,” and that the four claims raised in this case were not subject to those protections. “Section 230(c)(1) provides protection to interactive computer services,” the appellate court wrote, “[b]ut it does not insulate a company from liability for all conduct that happens to be transmitted through the internet.” Specifically, the appellate court said two of the counts—which allege that the defendants failed to give consumers a copy of their own report when requested and did not follow FCRA requirements when providing reports for employment purposes—do not seek to hold the defendants liable as a speaker or publisher, and therefore fall outside Section 230 protections. As for the remaining two counts related to claims that the defendant failed to ensure records for employment purposes were complete and up-to-date, or adopt procedures to assure maximum possible accuracy when preparing reports, the 4th Circuit concluded that the defendants “made substantive changes to the records’ content that materially contributed to the records’ unlawfulness. That makes [defendants] an information content provider, under the allegations, for the information relevant to Counts Two and Four, meaning that it is not entitled to § 230(c)(1) protection for those claims.”

    Courts Appellate Fourth Circuit FCRA Communications Decency Act Consumer Reporting Agency

  • Plaintiff wins $148,000 in data breach suit

    Courts

    On November 3, the U.S. District Court for the District of Minnesota granted a plaintiff technical consulting and software development company’s motion for summary judgment in a data breach suit. According to the order, an unknown bad actor gained unauthorized access to the email account of a plaintiff’s employee and created multiple “rules” that interfered with the proper receipt of incoming emails. The bad actor sent emails to and from the account, at times impersonating the employee and at times impersonating clients. The plaintiff issued two invoices to a particular client while these rules were in place: one invoice was for $137,000 for the plaintiff’s services, and the other invoice was for an additional $39,962. The bad actor emailed the client, posing as the employee, and wrote that it had “recently changed banks and our previous account . . . has been closed, hence, all payments effective immediately will be made directly to our new bank account in compliance with the policy of the company.” The bad actor requested confirmation as to when the client would pay the first invoice “so we can forward our new bank account details.” The client sent the payment to an account controlled by the bad actor. After discovering the bad actor’s conduct, the plaintiff recovered some of that money with the help of the U.S. Secret Service but sought insurance coverage for nearly $148,000, court records show. The defendant had insured the plaintiff under a technology professional liability (TPL) policy that incorporated a Data Breach Coverage Form, which included a “Cyber Business Interruption and Extra Expense” clause. The plaintiff submitted a claim to the defendant seeking coverage under the policy for the money lost to the bad actor. The defendant denied the plaintiff’s claim for coverage. The plaintiff sued, alleging that the defendant’s denial of coverage breached the TPL policy. 

    The court found that using “‘impairment’ rather than ‘interruption’ in the Clause itself demonstrates that the TPL policy specifically grants coverage when a business suffers something less than a total suspension of operations.” The court further noted that the policy covers the loss, granted summary judgment to the plaintiff on its claim that the defendant breached the policy by denying coverage, and awarded the plaintiff nearly $148,000 in damages.

    Courts Privacy, Cyber Risk & Data Security Data Breach Cyber Insurance
